Posted: Sun Aug 17, 2008 11:51 pm
by Mikerowaved
jdlessley wrote:Do we unwisely expend financial resources as work-arounds for a solution that should require little more than a configuration change? I am hoping not.
Unfortunately, I think it will take more than just a configuration change. Although I'm not versed in Cisco licensing, I believe running 3 full VLANs would force an upgrade from the "Base" license to the "Security Plus" license, and I'm guessing the Church would want the same license structure on all their ASAs in the field.

Posted: Sun Aug 17, 2008 11:58 pm
by jdlessley
Mikerowaved wrote:Unfortunately, I think it will take more than just a configuration change. Although I'm not versed in Cisco licensing, I believe running 3 full VLANs would force an upgrade from the "Base" license to the "Security Plus" license, and I'm guessing the Church would want the same license structure on all their ASAs in the field.
I am pretty sure it is technically feasible. But you may be right about the licensing. I didn't think of that.

Posted: Tue Sep 23, 2008 8:07 am
by rknelson
As I understand it there are 2 fundamental reasons for the church firewall: "The firewall will provide required network security and Web content filtering for meetinghouse users." (from "Meetinghouse Internet Implementation Plan 3").

Certainly no filtering is foolproof, but if the slightly more relaxed restrictions of the PIX filtering provide adequate risk management for buildings with Family History Centers, why not make that level of filtering available as a third choice along with "Restricted" and "Extended Access"?

I guess it is possible that the PIX filter is a licensed service while the ASA supported extended access filter is a large no cost / lower cost white list.

Posted: Tue Sep 23, 2008 8:22 am
by aebrown
rknelson wrote:As I understand it there are 2 fundamental reasons for the church firewall: "The firewall will provide required network security and Web content filtering for meetinghouse users." (from "Meetinghouse Internet Implementation Plan 3").

Certainly no filtering is foolproof, but if the slightly more relaxed restrictions of the PIX filtering provide adequate risk management for buildings with Family History Centers, why not make that level of filtering available as a third choice along with "Restricted" and "Extended Access"?

I guess it is possible that the PIX filter is a licensed service while the ASA supported extended access filter is a large no cost / lower cost white list.

The filters on both PIX and ASA firewall devices use Websense, so I don't think it is a cost option. Rather, it is a conscious decision to have different filtering options.

See this post to see another request for what you asked. Then this post gives an indication that the Church product managers made specific decisions to make the filtering different. Finally, this post suggests the possibility of some changes in the works.

Posted: Tue Sep 23, 2008 11:27 pm
by rknelson
Alan_Brown wrote:The filters on both PIX and ASA firewall devices use Websense, so I don't think it is a cost option. Rather, it is a conscious decision to have different filtering options.

See this post to see another request for what you asked. Then this post gives an indication that the Church product managers made specific decisions to make the filtering different. Finally, this post suggests the possibility of some changes in the works.
Thanks for the links. With Family History Centers in 2 out of 5 buildings in our stake, I can see that there will be some inequity and challenges with the more restrictive access.

Posted: Wed Sep 24, 2008 9:04 am
by zaneclark
"Keep in mind that if your facility already has an Internet connection, for example, to support a FHC, Institute, or Church employee offices, you are to share those services rather than install a new Internet connection."

I guess that CES is not included in the above statement. The office for the local CES/Seminary is in our building with an internet connection. I asked the coordinator about sharing and he saw no problem but said I would have to talk to CES in Salt Lake... They flatly refused... end of discussion...

Posted: Wed Sep 24, 2008 12:17 pm
by russellhltn
Check the document Installing the Church-Managed Firewall.
NOTE: If a Church-managed firewall or wireless network for Internet use is already in the building, contact the facility manager to share the existing service.

It is Church policy to share existing filtered Internet connections between ecclesiastical units (wards, stakes, districts, and branches) and field office units (family history centers, seminaries and institutes, facilities management offices, LDS Employment Resource Centers, etc.).
Note that it says to go to the "facility manager". In most cases that would be the FM group. Unless it's an unusual situation, CES may have no say in the matter.