psydii (17th October 2012)
A quick update on where we are.
We've been running LGfL2 Option 2 since the beginning of September with no issues. Remote support and mail hosting are working fine, and our new Palo Alto firewall is the dog's doodahs!
Attached should be the latest powerpoint from LGfL giving a very rough overview of the service.
Happy to answer any questions.
ha that PDF made me laugh. There's nothing like a bit of scaremongering!
I understand their stance. They don't want everyone signing up for option 2 without understanding the risks. Not all schools have the technical capability to implement this in-house, and there's a huge risk to outsourcing your edge security.
Option 2 works brilliantly. But I would never have seriously considered it an option without an enterprise-class next-gen firewall or the ability to manage it myself.
Which model of Palo Alto firewall have you got?
We went for the 2050, as we're looking to upgrade to 1Gb fairly soonish.
One thing to consider when you take up Option 2: there are ten internet trunks into Option 2 and your connection will be on one of them. This essentially means that you have a 10% chance of being taken out by a DDoS of an Option 2 site. DDoS used to be a significant problem for LGfL 1 - have you considered this risk for your site?
Yes - we understand the risks, which again is why decent next-gen firewalling is essential for all sites considering Option 2.
Have you considered that LGfL 2 Option 1 is a far more attractive target for a DDoS attack, and that Atomwide's plan to just turn off connections and wait for the attack to stop isn't really ideal in the event of a large, coordinated attack?
Only time will tell. I know we shouldn't really compare LGfL2 with LGfL1, but how much of the LGfL1 Option 1 downtime was due to internal/external attacks, and how much was due to reactive last-minute global policy changes which were not published until after implementation and broke something important?
I'm also loving SSL decrypt - that more than doubled the amount of dropped traffic from our students' BYOD VLAN.
Another couple of questions....
1) Other than the cost of the firewall, are there any other costs associated with moving to Option 2?
2) Do you (and can you) still use the LGfL assigned IP range?
The main cost is time - the next-gen firewalls do so much more that you will be looking at a few weeks to get everything up and running. With the Palo, there's also annual support and software subscriptions which cost a fair bit.
Do you mean the internal or external IP ranges? Internally, you can use whatever you want. Externally, you'll get a new range of IPs, and any MIPs you have set up will be removed, so you will need to make DNS changes for anything you're hosting. Atomwide reduced our TTL, so we had all of 5 minutes downtime for the DNS changeover.
As you say, time will tell.
Wow, this is the first time I'd heard of Option 2 on LGFL 2.0. Were they hiding it?
Just gone over to LGFL 2.0 and it's been a complete nightmare since last Wednesday.
And not being allowed to request a MIP for ANY/ANY over port 22/SSH but allowing ANY/ANY over port 21/FTP is a complete joke and a shambles.
They also seem to expect every computer in the organisation to have a statically assigned IP address. I mean, haven't they heard of DHCP?