RE: [fhctech] Wireless routers, access points, etc. & printers for wireless

  • Bill Henderson
    Message 1 of 24 , Sep 27, 2008
      I write this with some trepidation because of all the commentary it generates. However, here goes...
       
      I have attached two files to this message: one graphically displaying how my FHC is set up to use wireless networking with laptops and wireless printing. The other is a user agreement, explaining their usage, limitations, and the WEP encryption key to be used if they want to connect to our wireless net. More about these later.
       
      A couple years ago the church sent out PCs with wireless network connections to be plugged into FHC computers and used with Cisco Aironet wireless access points and Odyssey encryption software, similar to what is used on college campuses. The reason for the wireless setup is because most FHC sites are not prewired for ethernet cable access. So, wireless was to be used to keep people from tripping over ethernet cables. PIX firewalls and the Aironet access point hardware were to be installed and managed by LDS' Global Services (GSD). However, the Aironet installations took a year or more to get installed.
       
      About the same time the Church established a Virtual Private Network (VPN) using the 10.xxx.xxx.xxx IP addresses. Each FHC should have their own unique set of addresses (about 60 per FHC unless the FHC is huge). Also the PIX firewall was limited to 10 licenses (a license is permission to use an IP address). This can be increased to 50 licenses by request (and justification) to GSD. Not having really studied the Aironet hardware, it may or may not have routing capabilities. If not, then all it does is convert ethernet cable addresses and data to wireless (radio waves) for use by a wireless transceiver.
       
      A router (wireless or not) possesses a Network Address Translator (NAT) which translates one IP address received from outside of it to another IP address used within the local net supported by the router. Most IP addresses are public (i.e. Internet addresses. www.yahoo.com is actually 76.xxx.xxx.xxx. DNS servers translate www... names to IP addresses and vice versa. Further explanation here is beyond the scope of this letter). Three IP address groups are private addresses (they cannot be sent beyond the router supporting that local net). They are 10.xxx.xxx.xxx, 172.16.xxx.xxx, and 192.168.xxx.xxx. 10.xxx... can contain around 7 million IP addresses (the Church uses it thru a VPN to reach your FHC). 172.16... has about 1 million available addresses, and 192.168... has about 65,000 addresses (unless you know how to configure a router, the available 192... addresses are limited to 256, which is more than enough for most of us). Your PIX firewall is a router. It has two primary functions: 1) restricting undesirable transmission and receptions from the Internet. 2) pass the Church's private network stuff between the Church and the FHCs. Remember the 10... network normally cannot be sent outside of the router. But, since it is a VPN, the entire Church network is one great big local network.
       
      So, the PIX connects to the Internet and to the Church VPN and is sent to the PC requesting the info.  Internet stuff can't get to the Church's VPN (they are isolated from each other). 
       
      After carefully reading the memos and guidelines sent out to the FHC, I determined that users can use their personal devices for FHC purposes so long as they don't/can't connect to the Church's VPN. In order to do this, the wireless network I set up was restricted to the 192.168... subnet. The wireless router translates the incoming info from the Internet to 192.168... net and local 192.168... wireless info is sent to the Internet and cannot touch the 10... VPN, thus fulfilling the restriction by the church. My FHC also has a wireless printserver connected to an ethernet printer permitting our wireless user to print their files. We have successfully operated this way for two years.
       
      I ran a field strength test on our wireless net and verified that the wireless signals ended about 30 beyond the FHC's front door (about where the first row of cars are parked outside in the ward's parking lot). Inside the church, the signal faded at the first hallway inside the meeting hall. You can use a wireless laptop as a field strength tool. Just connect to the wireless net and walk outward from the wireless router and see when the connection fails. The walls of our meeting house are reinforced concrete blocks (they contain reinforcing bars and concrete in all the block holes) and are a limiter of radio (wireless) signals. Since the wireless signal barely gets out the door, a WEP encryption is all that is needed, and that mainly to restrict access to our net without first signing a usage agreement. The MAC address of the user's device is also part of the agreement. Originally that was in order to restrict access only to those who signed the agreement. But, I found that I didn't use those MAC addresses, they weren't needed. However, if I choose to I can use the MAC address to deny access to that device (and theoretically that user) if he/she has been found to abuse our service. Changing to WPA (a stronger encryption) would not prove a difficult chore as mentioned. The reason for WEP vs WPA is because older laptops did not have that level of encryption. Almost everyone's laptop has it now.
       
      We use a Belkin Wireless router, but any name brand will do.  The wireless printserver comes from D-Link. 
       
      As far as the ending of prohibition mentioned by brother Vester, I would like to see a copy of any documentation he has on it. I have a System Admin Manual (SAM) and would like a copy to include in it. Everyone reading this should keep a copy too.
       
      The issue concerning possible interfering with existing wireless net, is not a problem either.  The church uses the 10... net. So, setting up a 192.168... net solves that issue.  They won't see each other or talk to each other.  Both can be connected to the back of the PIX.  Since the PCs in my FHC are hardwired ethernet there is no problem with users connecting to Heritage Quest or other software thru our wireless net (unless they have purchased their own license).  Even if I installed an Aironet/Odessey wireless network there would be no cross connection or interference.  If your wireless signal extends outside of the FHC grounds,  the stronger WPA is strongly suggested.  Our FHC is for the benefit of our patrons only and that is how we will keep it.

      --- On Thu, 9/11/08, Dan <dvester@...> wrote:
      From: Dan <dvester@...>
      Subject: RE: [fhctech] Wireless routers, access points, etc.
      To: fhctech@yahoogroups.com
      Date: Thursday, September 11, 2008, 8:50 PM

      Actually, allowing Patron access to any wireless device was strictly prohibited until the Spring of 2008, when the new guidelines were issued. I know some of you were doing it under a mis-interpretation of the old guidelines, but having had meetings personally at Church headquarters with the staff there specifically about this issue, I can assure you that wireless patron access has always been prohibited until the Spring of this year. It's a moot point now, but don't kid yourself into thinking you've been doing this within the guidelines. You haven't. Allowing patron access with HARDWIRED access was permitted under the old guidelines, but certainly not WIRELESS access. If I dug through my email archive, I could find the emails from CHQ that specifically address this issue and stated unequivicoly (sp?) that wireless access to patrons was absolutely prohibited, it was never a 'local option' that was given to any local priesthood leader. Those thinking that this was a local option simply are mis-interpreting the policy in a way that was never intended by SLC.
       
      Even under the new guidelines issued in the spring of 2008, any patron access wireless networks must be set up with WPA access (not WEP, it must be WPA), with the password (passphrase) controlled to prevent unauthorized access. If any Family History Center is running an unsecured or WEP protected network, it is in violation of current, and previous, church policy. The ONLY Family History facility that is authorized to run an unsecured wireless network for patron access (or any other reason) is the Family History Library in Salt Lake City at temple square.
       
      Also under the new policy, any patron access wireless networks must not interfere with any existing wireless networks that are being operated under the Odyssey Client services, which is how wireless access was done (and still is) in many FHC's, including ours. The intention of the new guidelines released in the spring of 2008 is to provide INTERNET access only to members, leaders, clerks, and library patrons. The new guidelines are not meant to provide access to the portal services (Heritage Quest, footnotes, etc.). Those services are only to be provided to library patrons through church owned computers running Landesk. Salt Lake is using IP tracking now to verify that Landesk is only being accessed through church ISP connections. Emails were recently sent to quite a few FHC's that were in violation of this.
       
      Fortunately, at one of my recent meetings at CHQ, I was shown the IP tracking for our FHC, and in doing so we discovered that one of our staff had installed Landesk on his personal computer and was accessing the portals from at home. I was kindly warned that this needed to be corrected before the audits started, or our FHC would run the risk of having access to the portal services from all of our FHC computers revoked. The audits are now underway. I got the problem corrected upon my return home from that trip.
       
      This is a licensing issue for the church. Allowing patron access in violation of these policies (i.e. running unsecured wireless networks for patron access) can potentially place the Church in a very embarrassing position. If any of you are running unsecured (or WEP secured) networks, I would strongly encourage you to cease immediately, and get your networks in compliance with the established and published policies.
       
      Why is WEP no longer acceptable, why is WPA now required? Because the information is readily available on the internet to anyone who wants it on how to hack a 128bit WEP key in a little under 20 minutes while parked on the street outside your facility with a laptop. Several million teenagers (most of whom know far more about networking than 99% of us on this forum) can now do this, and they do so on a very regular basis.
       
      All it would take to place the church, your stake president, your FHC directory, and other church members in a very bad light is for some local newspaper reporter with malice towards the church to get a local teenager to hack (or use your unsecured network) into your WEP secured network, and then use it for some unsavory purpose (easily done in spite of the firewall-pix box) and run the story in the paper.
       
      Come on folks, don't place us in that position. The policies are there for a reason, quit trying to skate around them, you're only risking damage to all the rest of us... it's just not worth it.
       
      Dan Vester
      Prescott Arizona FHC STS
       
      -----Original Message-----
      From: fhctech@yahoogroups.com [mailto:fhctech@yahoogroups.com] On Behalf Of David Wardell
      Sent: Thursday, September 11, 2008 2:44 PM
      To: fhctech@yahoogroups.com
      Subject: RE: [fhctech] Wireless routers, access points, etc.

      Most likely, the wireless segment of the router and the wired part are using different IP ranges.  If the two were consolidated, all the resources should be available.

      However, I wouldn’t do it for the “mischief-related” reasons you mention.

      We have a wireless network that we operate for patrons separate from both SLC’s 10.xxx WAN (which is required) and our own LAN.  The setup has been running for some time and works fine.  According to the 2006 FHC Computer Policy document, opening the local network for appropriate patron use is a local option.

      BTW:

      As an aside, I don’t know very many people who thought that installing wireless networks in meetinghouses (not just within the FHC) was going to work very well.  A number of us said so at the time.

      All the best,

      David Wardell

      McLean Virginia FHC

      From: fhctech@yahoogroups.com [mailto:fhctech@yahoogroups.com] On Behalf Of Russell Hltn
      Sent: Thursday, September 11, 2008 4:40 PM
      To: fhctech@yahoogroups.com
      Subject: Re: [fhctech] Wireless routers, access points, etc.

      On Thu, Sep 11, 2008 at 9:20 AM, Harrison Temple <htemp33@yahoo.com> wrote:
      > however, the patron can only access the Internet
      > via this method and not the devices on the Local Area Network.

      It's because you're using the router in the wireless router. Frankly
      this sounds like a feature, not a bug. <grin>

      While I can see advantages to allowing some access to the local
      resources, I think the staff would end up playing tech support as well
      as the risk of tracking in viruses, etc.
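
The address plan discussed in the messages above (a patron wireless net on 192.168... kept apart from the 10... network) can be checked mechanically. This is an added example, not part of the original thread; the segment names, CIDR ranges and uplink addresses are constructed for illustration.

```python
import ipaddress

# The three private IPv4 blocks (RFC 1918) named in the first message.
PRIVATE_BLOCKS = {
    "10/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168/16": ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed sample plan: hypothetical names and ranges, not taken from the thread.
SAMPLE_PLAN = {
    "church_vpn": "10.20.30.0/26",    # assumed per-site slice of the 10... network
    "patron_wifi": "192.168.2.0/24",  # assumed LAN side of the patron wireless router
}


def private_block(addr):
    """Return the name of the private block that holds addr, or None if it is public."""
    ip = ipaddress.ip_address(addr)
    for name, net in PRIVATE_BLOCKS.items():
        if ip in net:
            return name
    return None


def audit_segments(segments, protected, patron_uplink):
    """Audit a segment plan and return a list of findings (empty list = clean).

    segments      -- dict of segment name -> CIDR string
    protected     -- name of the segment patrons must not share addresses with
    patron_uplink -- address assigned to the patron router's upstream (WAN) port
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in segments.items()}
    names = sorted(nets)
    findings = []

    # 1. No two segments may overlap, otherwise "which net is this host on"
    #    has no single answer and routing between them is ambiguous.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"overlap: {a} ({nets[a]}) and {b} ({nets[b]})")

    # 2. Every internal segment should sit wholly inside a private block.
    for name in names:
        if not any(nets[name].subnet_of(blk) for blk in PRIVATE_BLOCKS.values()):
            findings.append(f"not private: {name} ({nets[name]})")

    # 3. If the patron router's uplink address is inside the protected range,
    #    patron traffic crosses that range on its way out, so keeping patrons
    #    away from it depends on firewall rules, not on the address plan.
    if ipaddress.ip_address(patron_uplink) in nets[protected]:
        findings.append(
            f"uplink inside {protected}: {patron_uplink} is in {nets[protected]}"
        )
    return findings


if __name__ == "__main__":
    for uplink in ("203.0.113.7", "10.20.30.40"):  # constructed uplink addresses
        print(uplink, audit_segments(SAMPLE_PLAN, "church_vpn", uplink))
```

An empty result only shows that the address plan is unambiguous; whether patron devices can reach the protected range is decided by where the patron router's uplink is connected and by the firewall rules in front of it.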




    • register
      Message 2 of 24 , Oct 25, 2008

         

        Good morning, I am looking for additional information re LANDesk updates.  Let me try a few questions to focus my concerns:

         

        1.  Do my FHC computers check in with LANDesk or does LANDesk check in with the FHC computers?

        2.  How often and at what time does the above check in occur?

        3.  What is your advice regarding leaving our computers running or turning them off?

         

        Thanks for your help.

         

        Eric Abell

        Director, Victoria FHC

        Victoria, BC, Canada

         


      • Russell Hltn
        Message 3 of 24 , Oct 25, 2008
          We may have to wait until Monday for official word from Lynn, but my
          understanding is that the computers check-in with LANDesk. It's not
          at a fixed time and day but on a periodic schedule - for example if
          it's been more than a week since the last check-in.

          My advice on the computers is to start them up when the center is
          opened and shut them down when you close up.

          Everything *should* work OK with that, but I know there's been times
          that LANDesk fails to update itself and things stagnate. But that's a
          different topic.


          On Sat, Oct 25, 2008 at 2:24 AM, register <emregister@...> wrote:
          >
          >
          > Good morning, I am looking for additional information re LANDesk updates.
          > Let me try a few questions to focus my concerns:
          >
          >
          >
          > 1. Do my FHC computers check in with LANDesk or does LANDesk check in with
          > the FHC computers?
          >
          > 2. How often and at what time does the above check in occur?
          >
          > 3. What is your advice regarding leaving our computers running or turning
          > them off?
          >
          >
          >
          > Thanks for your help.
          >
          >
          >
          > Eric Abell
          >
          > Director, Victoria FHC
          >
          > Victoria, BC, Canada
          >
          >
        • Alan Whitcomb
          Message 4 of 24 , Oct 25, 2008
            My understanding was that the computers checked in with LANDesk and got updates, etc. when they first connected to the internet.  That is why sometimes people have commented in the past about the system acting really slowly (it's busy getting its updates) after turning it on.
             
            Alan

             
            On 10/25/08, Russell Hltn <RussellHltn@...> wrote:

            We may have to wait until Monday for official word from Lynn, but my
            understanding is that the computers check-in with LANDesk. It's not
            at a fixed time and day but on a periodic schedule - for example if
            it's been more than a week since the last check-in.

            My advice on the computers is to start them up when the center is
            opened and shut them down when you close up.

            Everything *should* work OK with that, but I know there's been times
            that LANDesk fails to update itself and things stagnate. But that's a
            different topic.

            On Sat, Oct 25, 2008 at 2:24 AM, register <emregister@...> wrote:
            >
            >
            > Good morning, I am looking for additional information re LANDesk updates.
            > Let me try a few questions to focus my concerns:
            >
            >
            >
            > 1. Do my FHC computers check in with LANDesk or does LANDesk check in with
            > the FHC computers?
            >
            > 2. How often and at what time does the above check in occur?
            >
            > 3. What is your advice regarding leaving our computers running or turning
            > them off?
            >
            >
            >
            > Thanks for your help.
            >
            >
            >
            > Eric Abell
            >
            > Director, Victoria FHC
            >
            > Victoria, BC, Canada
            >
            >


          • James W Anderson
            Message 5 of 24 , Oct 25, 2008
              That's odd, I was switching one off at my FHC the other night, and it said there were Windows updates, it had not gotten the updates the rest of them had gotten the night before, even though that one had been on that night as well (I saw it on then).



              --- On Sat, 10/25/08, Alan Whitcomb <alan.whitcomb@...> wrote:
              From: Alan Whitcomb <alan.whitcomb@...>
              Subject: Re: [fhctech] LANDesk
              To: fhctech@yahoogroups.com
              Date: Saturday, October 25, 2008, 1:30 PM

              My understanding was that the computers checked in with LANDesk and got updates, etc. when they first connected to the internet.  That is why sometimes people have commented in the past about the system acting really slowly (it's busy getting its updates) after turning it on.
               
              Alan

               
              On 10/25/08, Russell Hltn <RussellHltn@gmail.com> wrote:

              We may have to wait until Monday for official word from Lynn, but my
              understanding is that the computers check-in with LANDesk. It's not
              at a fixed time and day but on a periodic schedule - for example if
              it's been more than a week since the last check-in.

              My advice on the computers is to start them up when the center is
              opened and shut them down when you close up.

              Everything *should* work OK with that, but I know there's been times
              that LANDesk fails to update itself and things stagnate. But that's a
              different topic.

              On Sat, Oct 25, 2008 at 2:24 AM, register <emregister@shaw.ca> wrote:
              >
              >
              > Good morning, I am looking for additional information re LANDesk updates.
              > Let me try a few questions to focus my concerns:
              >
              >
              >
              > 1. Do my FHC computers check in with LANDesk or does LANDesk check in with
              > the FHC computers?
              >
              > 2. How often and at what time does the above check in occur?
              >
              > 3. What is your advice regarding leaving our computers running or turning
              > them off?
              >
              >
              >
              > Thanks for your help.
              >
              >
              >
              > Eric Abell
              >
              > Director, Victoria FHC
              >
              > Victoria, BC, Canada
              >
              >



            • Russell Hltn
              Message 6 of 24 , Oct 25, 2008
                On Sat, Oct 25, 2008 at 9:30 AM, Alan Whitcomb <alan.whitcomb@...> wrote:
                > My understanding was that the computers checked in with LANDesk and got
                > updates, etc. when they first connected to the internet. That is why
                > sometimes people have commented in the past about the system acting really
                > slowly (it's busy getting its updates) after turning it on.
                >
                > Alan


                There's probably truth to that. I'd expect it to tend to check in on
                start-up or shortly thereafter, but only if it's been "too long" since
                the last check-in. For example, I wouldn't expect it to check-in
                after the first boot-up of the day. But by the time the next time the
                FHC is open, it may be "too-long" and it checks in when first booted.

                As for slow startup, part of it I'm sure is Symantec AV. It tends to
                do a quick scan on boot-up. All that disk activity really drains the
                machine.
              • Russell Hltn
                Message 7 of 24 , Oct 25, 2008
                  On Sat, Oct 25, 2008 at 9:37 AM, James W Anderson
                  <genealogy248@...> wrote:
                  > That's odd, I was switching one off at my FHC the other night, and it said
                  > there were Windows updates, it had not gotten the updates the rest of them
                  > had gotten the night before, even though that one had been on that night as
                  > well (I saw it on then).
                  >
                  >

                  Windows update is a different story. Yes, different machines tend to
                  get theirs at different times. I'm sure it's deliberate or else
                  Internet connections would overload from all the machines checking at
                  the same time. That would really tick off the corporate users - and
                  Microsoft knows better than that.