Internet Related/Filtering/Firewall Thread: LGfL 2.0 Problems (in Technical)
  1. #181
    Shaun_Dark_Lord's Avatar
    Join Date
    May 2008
    Location
    Bexley
    Posts
    46
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    13

    Option 2

    Hi All

    A quick update on where we are.

    We've been running LGfL2 Option 2 since the beginning of September with no issues. Remote support and mail hosting are working fine, and our new Palo Alto firewall is the dog's doodahs!

    Attached should be the latest PowerPoint from LGfL giving a very rough overview of the service.

    Happy to answer any questions.

    Shaun

  3. #182

    Join Date
    Apr 2012
    Location
    Leeds
    Posts
    290
    Thank Post
    0
    Thanked 62 Times in 50 Posts
    Rep Power
    35
    Ha, that PDF made me laugh. There's nothing like a bit of scaremongering!

  4. #183
    Shaun_Dark_Lord's Avatar
    Join Date
    May 2008
    Location
    Bexley
    Posts
    46
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    13
    Hi David

    I understand their stance. They don't want everyone signing up for option 2 without understanding the risks. Not all schools have the technical capability to implement this in-house, and there's a huge risk to outsourcing your edge security.

    Option 2 works brilliantly. But I would never have seriously considered it an option without an enterprise-class next-gen firewall or the ability to manage it myself.

    Shaun

  5. #184

    Join Date
    Apr 2007
    Location
    Croydon
    Posts
    497
    Thank Post
    18
    Thanked 31 Times in 30 Posts
    Rep Power
    20
    Shaun,

    Which model of Palo Alto firewall have you got?

    Cheers

    Adam.

  6. #185
    Shaun_Dark_Lord's Avatar
    Join Date
    May 2008
    Location
    Bexley
    Posts
    46
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    13
    Hi Adam

    We went for the 2050, as we're looking to upgrade to 1Gb fairly soonish.

    Shaun

  7. #186

    Join Date
    Apr 2009
    Location
    London
    Posts
    56
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0
    One thing to consider when you take up Option 2: there are ten internet trunks into Option 2 and your connection will be on one of them. This essentially means that you have a 10% chance of being taken out by a dDOS of an Option 2 site. dDOS used to be a significant problem for LGfL 1 - have you considered this risk for your site?

  8. #187

    SYNACK's Avatar
    Join Date
    Oct 2007
    Posts
    10,986
    Thank Post
    850
    Thanked 2,653 Times in 2,253 Posts
    Blog Entries
    9
    Rep Power
    764
    Originally posted by Eric:
    One thing to consider when you take up Option 2: there are ten internet trunks into Option 2 and your connection will be on one of them. This essentially means that you have a 10% chance of being taken out by a dDOS of an Option 2 site. dDOS used to be a significant problem for LGfL 1 - have you considered this risk for your site?

    If they bothered to implement a BGP AS that the schools could peer to then this should be mitigated.

  9. #188

    Join Date
    Jan 2009
    Location
    England
    Posts
    1,479
    Thank Post
    297
    Thanked 304 Times in 263 Posts
    Rep Power
    82
    Originally posted by Shaun_Dark_Lord:
    Hi All

    A quick update on where we are.

    We've been running LGfL2 Option 2 since the beginning of September with no issues. Remote support and mail hosting are working fine, and our new Palo Alto firewall is the dog's doodahs!

    Attached should be the latest PowerPoint from LGfL giving a very rough overview of the service.

    Happy to answer any questions.

    Shaun

    Got to agree about the PA firewalls. We got a PA-4020 in the summer for our new 1gb connection (we moved away from LGfL) and it's absolutely brilliant.

    SSL VPN could be a bit better, but the firewall side is absolutely amazing.

  10. #189
    Shaun_Dark_Lord's Avatar
    Join Date
    May 2008
    Location
    Bexley
    Posts
    46
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    13
    Hi Eric

    Yes - We understand the risks, which again is why decent next-gen firewalling is essential for all sites considering Option 2.

    Have you considered that LGfL 2 Option 1 is a far more attractive target for a DDoS attack, and that Atomwide's plan to just turn off connections and wait for the attack to stop isn't really ideal in the event of a large, coordinated attack?

    Only time will tell. I know we shouldn't really compare LGfL2 with LGfL1, but how much of the LGfL1 Option 1 downtime was due to internal/external attacks, and how much was due to reactive last-minute global policy changes which were not published until after implementation and broke something important?

    Shaun

  11. #190
    Shaun_Dark_Lord's Avatar
    Join Date
    May 2008
    Location
    Bexley
    Posts
    46
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    13
    Originally posted by Soulfish:
    Got to agree about the PA firewalls. We got a PA-4020 in the summer for our new 1gb connection (we moved away from LGfL) and it's absolutely brilliant.

    SSL VPN could be a bit better, but the firewall side is absolutely amazing.

    You pretty much sold me on Palo before I'd even tried the kit. Everything else we demoed either had Palo's features "coming soon" or was cloud based because the box couldn't handle it.

    I'm also loving SSL decrypt - that more than doubled the amount of dropped traffic from our students' BYOD VLAN.

  12. #191

    Join Date
    Apr 2007
    Location
    Croydon
    Posts
    497
    Thank Post
    18
    Thanked 31 Times in 30 Posts
    Rep Power
    20
    Shaun,

    Another couple of questions....

    1) Other than the cost of the firewall, are there any other costs associated with moving to Option 2?

    2) Do you (and can you) still use the LGfL assigned IP range?

    Cheers

    Adam.

  13. #192
    Shaun_Dark_Lord's Avatar
    Join Date
    May 2008
    Location
    Bexley
    Posts
    46
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    13
    Originally posted by adamf:
    Shaun,

    Another couple of questions....

    1) Other than the cost of the firewall, are there any other costs associated with moving to Option 2?

    2) Do you (and can you) still use the LGfL assigned IP range?

    Cheers

    Adam.

    Hi Adam

    The main cost is time - The next gen firewalls do so much more that you will be looking at a few weeks to get everything up and running. With the Palo, there's also annual support and software subscriptions which cost a fair bit.

    Do you mean the internal or external IP ranges? Internally, you can use whatever you want. Externally, you'll get a new range of IPs, and any MIPs you have set up will be removed, so you will need to make DNS changes for anything you're hosting. Atomwide reduced our TTL, so we had all of 5 minutes downtime for the DNS changeover.

    Shaun

  14. #193

    Join Date
    Apr 2009
    Location
    London
    Posts
    56
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0
    Originally posted by Shaun_Dark_Lord:
    Yes - We understand the risks, which again is why decent next-gen firewalling is essential for all sites considering Option 2.

    Doesn't protect you against dDOS, though.

    Originally posted by Shaun_Dark_Lord:
    Have you considered that LGfL 2 Option 1 is a far more attractive target for a DDoS attack, and that Atomwide's plan to just turn off connections and wait for the attack to stop isn't really ideal in the event of a large, coordinated attack?

    Only time will tell. I know we shouldn't really compare LGfL2 with LGfL1, but how much of the LGfL1 Option 1 downtime was due to internal/external attacks, and how much was due to reactive last-minute global policy changes which were not published until after implementation and broke something important?
    Shaun

    I agree, we don't really know what caused LGfL1's downtime. It didn't need to be coordinated dDOS, though: it could easily happen as a result of an attack on a particular IP in a school. The continuing risk with Option 2 is that an attack like that will still take you down.

    As you say, time will tell.

  15. #194
    Shaun_Dark_Lord's Avatar
    Join Date
    May 2008
    Location
    Bexley
    Posts
    46
    Thank Post
    4
    Thanked 4 Times in 4 Posts
    Rep Power
    13
    Originally posted by Eric:
    Doesn't protect you against dDOS, though.

    Getting a Handle on DDoS (Palo Alto Networks Blog)

  16. #195
    budgester's Avatar
    Join Date
    Jan 2006
    Location
    Enfield, Middlesex
    Posts
    485
    Thank Post
    4
    Thanked 37 Times in 30 Posts
    Rep Power
    24
    Wow, this is the first time I'd heard of Option 2 on LGfL 2.0. Were they hiding it?

    Just gone over to LGfL 2.0 and it's been a complete nightmare since last Wednesday.

    And not being allowed to request a MIPS for ANY/ANY over port 22/SSH but allowing ANY/ANY over port 21/FTP is a complete joke and a shambles.

    They also seem to expect every computer in the organisation to have a statically assigned IP address. I mean, haven't they heard of DHCP?
