LGfL 2.0 Problems (Technical > Internet Related/Filtering/Firewall), page 14 of 14, posts #196 to #210 of 210
#196 Shaun_Dark_Lord
    Quote Originally Posted by budgester:
    Wow, this is the first time I'd heard of option 2 on LGfL 2.0. Were they hiding it?

    Just gone over to LGfL 2.0 and it's been a complete nightmare since last Wednesday.

    And not being allowed to request a MIPS for ANY/ANY over port 22/SSH but allowing ANY/ANY over port 21/FTP is a complete joke and a shambles.

    They also seem to expect every computer in the organisation to have a statically assigned IP address. I mean, haven't they heard of DHCP?
    I can see why they would not allow an any/any for SSH - The majority of naughty traffic now runs over SSH to avoid detection and processing by last-gen firewalls and content filters. It's the kind of traffic that has to be controlled.

    I assume that you're running your own firewalls inside the LGfL2 firewall to handle the SSH traffic, and the any/any rule was just to allow you to add additional firewall interfaces in the future? If so, just add some unused addresses to the MIP, and they'll be ready when you need them.

    Not sure about the static IP issue - What were you trying to setup?

#197
    Quote Originally Posted by budgester:
    Wow, this is the first time I'd heard of option 2 on LGfL 2.0. Were they hiding it?

    Just gone over to LGfL 2.0 and it's been a complete nightmare since last Wednesday.

    And not being allowed to request a MIPS for ANY/ANY over port 22/SSH but allowing ANY/ANY over port 21/FTP is a complete joke and a shambles.

    They also seem to expect every computer in the organisation to have a statically assigned IP address. I mean, haven't they heard of DHCP?
    I agree letting 21/ftp in but not 22/ssh is a bit of an odd one – personally I'd not do either but run them both down RAV3 so it's ALL authenticated.

    I don't see how DHCP fits into this, as you can have an 'any' inside the network – it's the any side on the Internet that they will not let you do.

    Just run up RAV3 and run the whole lot down that – what's wrong with that?

    Or failing that just do the OPT2 bit with LGfL and look after your own security.

#198
    By the time the DDoS traffic reaches your firewall it has filled up the pipe (your "last mile", if you like). It doesn't matter how much bad inbound traffic Palo Alto drops for you: your usable downlink bandwidth is hosed. This is why your referenced page says:

    ... its [sic] very important to acknowledge that DDoS protection must begin before traffic ever reaches your network. ISPs are increasingly important partners in the fight against DDoS, and they have the ability to keep some DDoS traffic from reaching the intended target.
    and this is why I said, "Doesn't protect you against DDoS ..."

    Effective DDoS mitigation has to be done at the edges of an ISP with an inbound capacity which dwarfs the traffic which the DoS perpetrators can achieve. This means that your ISP's inbound capacity is still sufficient to supply you, and all the rest of its customers, after the DDoS traffic has been removed. I believe that some DDoS attacks are now generating such large amounts of traffic that finding an ISP that can cope (and is willing to try) must be getting harder.

#199 budgester
    Quote Originally Posted by Nodrog:
    I agree letting 21/ftp in but not 22/ssh is a bit of an odd one – personally I'd not do either but run them both down RAV3 so it's ALL authenticated.
    It's not IN, it's OUT traffic.

    I can't SSH OUTbound on my network unless I set up the IP address it's going to.

    But apparently I am allowed to FTP out, from ANY/ANY.

    Let's assume my workstations' addresses are all DHCP configured, and that I could be logging into any PC on my network, or hell, I could be a student.

    So let's say I want to deploy some software to my web server, or teach the kids good practice by using SCP or SSH to get to a remote server, or I want to update a git branch.

    I have to complete a MIPS request for every site I connect to.

    Quote Originally Posted by Nodrog:
    I don't see how DHCP fits into this, as you can have an 'any' inside the network – it's the any side on the Internet that they will not let you do.
    So you can have
    ANY<>1
    1<>1
    1<>ANY ?
    ANY<>ANY ?

    Quote Originally Posted by Nodrog:
    Just run up RAV3 and run the whole lot down that – what's wrong with that?
    RAV3 being incoming, that I understand.

    Quote Originally Posted by Nodrog:
    Or failing that just do the OPT2 bit with LGfL and look after your own security.
    How about if they just got a clue.

    We came from an option 2 on LGfL 1.0 but were told there was no option 2 on LGfL 2.0; I only just found out about option 2 a couple of days ago.

    So not really any time to get a firewall ordered and installed (although I could have just used my IPCop install that has been running fine), let alone find a budget for it.

#200 hit
    Quote Originally Posted by budgester:
    It's not IN, it's OUT traffic.

    I can't SSH OUTbound on my network unless I set up the IP address it's going to.

    But apparently I am allowed to FTP out, from ANY/ANY.
    I'm having the same problem. We have some software we wrote sitting on all of our schools' SIMS servers, which sends some reports back to us via SFTP twice a day to feed into our parent portal. Schools that have gone over to LGfL 2 can no longer connect to us, even though the rest of the world can. We have two more schools to migrate and then apparently we can have static routes set up to our receiving server; until then we have to run up RAV3 to each of the schools that has migrated and pull the data!

#201 budgester
    And let's not get me started on so-called SSO.

    Single sign-on to what? Yes, that's right, it signs on to their resources on the LGfL.
    Does it allow sign-on to Fronter? No.
    Does it allow sign-on to my network? No.
    Does it allow sign-on to SIMS? No.
    Does it allow sign-on to my RDP sessions? No.

    Or any of my other online resources... No.

    Why not just call it ASO (Another Sign-On)?


#202
    Quote Originally Posted by budgester:
    And let's not get me started on so-called SSO.

    Single sign-on to what? Yes, that's right, it signs on to their resources on the LGfL.
    Does it allow sign-on to Fronter? No.
    Does it allow sign-on to my network? No.
    Does it allow sign-on to SIMS? No.
    Does it allow sign-on to my RDP sessions? No.

    Or any of my other online resources... No.

    Why not just call it ASO (Another Sign-On)?
    Hi - I'm afraid you have this lot completely wrong.

    Making the assumption you're actually talking about USO in LGfL: you can feed USO from your SIMS system using AutoUpdate; Fronter can sync to USO; USO can sync into an AD locally in the school using ADSync; your RDP server can use the local AD to do authentication, as can your edge server that presents RDP over HTTPS. If you don't want to run a local HTTPS gateway then there is one in the core of LGfL you can use, and that's glued into USO. So I'm afraid it's most certainly NOT ASO but really does glue all these things together and makes them work on a single username and password that you can disable in one place and kill everything off.

#203
    To further Nodrog's post: it also isn't billed as 'single sign-on', as that implies that you sign in once and it works everywhere. The branding is Unified Sign On: one username and password synced to all your systems.

    And in that context it can do everything you say it can't. The key to success, though, is ADSync, since most systems have an LDAP connector, and people always know their Windows username and password. I will say, though, that it can feel like quite a big step giving up control over the creation of usernames and passwords, and their location in AD. I've managed five ADs in the last 12 years, and ADSync would have fitted neatly into everything except CC4. Certainly, though, the business case for its adoption was (for us) quite clear.
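
The property Nodrog and psydii describe above (one upstream username and password, synced into the school's local AD, disabled in one place so everything downstream is killed off) is illustrated below by a small reconciliation routine. It is an added example written for this page, not ADSync's, USO's or Atomwide's code; it talks to no LDAP server, and every account name in it is constructed. It also adds the safeguard a practitioner would want from any sync agent that is allowed to disable accounts: a run that would disable more than a set fraction of the local directory is refused, because that is what an empty or truncated upstream export looks like, not a real wave of leavers.

```python
"""Illustrative directory reconciliation (added example, not ADSync/USO code).

The upstream feed is authoritative: it decides which accounts exist, their
attributes and whether they are enabled. The local directory is brought in
line on every run, so disabling a user upstream disables them locally too.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    display_name: str
    enabled: bool


Action = Tuple[str, str]  # ("create" | "update" | "disable", username)


def plan_sync(upstream: List[Account], local: List[Account],
              max_disable_fraction: float = 0.5) -> List[Action]:
    """Work out what the local directory needs to match upstream.

    Local-only accounts are disabled, never deleted, so a bad feed cannot
    destroy data. A run that would disable more than max_disable_fraction
    of local accounts is refused: that pattern is what an empty or truncated
    upstream export looks like, not a genuine set of leavers.
    """
    up = {a.username: a for a in upstream}
    loc = {a.username: a for a in local}
    actions: List[Action] = []
    for name, wanted in up.items():
        have = loc.get(name)
        if have is None:
            actions.append(("create", name))
        elif have != wanted:            # attributes or enabled flag differ
            actions.append(("update", name))
    for name in loc.keys() - up.keys():
        if loc[name].enabled:
            actions.append(("disable", name))

    # Safety check: count every account this run would switch off.
    would_disable = sum(
        1 for action, name in actions
        if action == "disable"
        or (action == "update" and loc[name].enabled and not up[name].enabled)
    )
    if loc and would_disable / len(loc) > max_disable_fraction:
        raise ValueError(
            f"refusing sync: {would_disable} of {len(loc)} local accounts would be disabled")
    return sorted(actions)


def apply_sync(upstream: List[Account], local: List[Account],
               max_disable_fraction: float = 0.5) -> Dict[str, Account]:
    """Return the local directory as it would look after the planned actions."""
    up = {a.username: a for a in upstream}
    result = {a.username: a for a in local}
    for action, name in plan_sync(upstream, local, max_disable_fraction):
        if action in ("create", "update"):
            result[name] = up[name]      # the upstream record wins outright
        else:                            # disable: keep the record, drop the flag
            old = result[name]
            result[name] = Account(old.username, old.display_name, False)
    return result


def sync_is_refused(upstream: List[Account], local: List[Account]) -> bool:
    """True if the safety check blocks the run."""
    try:
        plan_sync(upstream, local)
    except ValueError:
        return True
    return False


# Constructed sample data; the names are made up for this example.
UPSTREAM = [
    Account("alice.smith", "Alice Smith", True),
    Account("bob.jones", "Bob Jones", False),   # left the school: disabled upstream
    Account("carol.lee", "Carol Lee", True),    # new starter
    Account("erin.kay", "Erin Kay", True),
    Account("frank.oh", "Frank Oh", True),
]
LOCAL = [
    Account("alice.smith", "Alice Smith", True),
    Account("bob.jones", "Bob Jones", True),    # still enabled locally
    Account("dave.old", "Dave Old", True),      # created by hand, unknown upstream
    Account("erin.kay", "Erin Kay", True),
    Account("frank.oh", "Frank Oh", True),
]

if __name__ == "__main__":
    for action, name in plan_sync(UPSTREAM, LOCAL):
        print(action, name)
    print("empty feed refused:", sync_is_refused([], LOCAL))
```

Run as is, the plan creates carol.lee, disables dave.old (local-only) and updates bob.jones to the upstream's disabled state, which is the "disable in one place" behaviour; the same routine refuses to act on an empty feed rather than locking out the whole school.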

#204
    I was about to raise an eyebrow about the ban on SSH... however... looking at my rules I can see why I can SSH OUT from wherever I want to...

    Only a very limited number of users (or computers) are likely to have need to SSH to remote sites. These can be specifically enabled via the Firewall Change request form. For us, the set of computers that perform roles that require SSH -> External access is within the set of computers that have a static IP (or, in the case of my own laptop, a DHCP reservation).

    Unrestricted SSH is one of those mechanisms that can leak data etc., and provide a back door into your network. By creating a specific rule per requirement, it provides an audit trail, and also an easy way of locking down in the event of a breach etc.

    Of course this approach is undermined somewhat if FTP -> Any is allowed.
    Last edited by psydii; 17th October 2012 at 01:34 PM. Reason: grammar
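
The rule design psydii describes above (one specific allow per approved requirement, default deny for SSH, and the observation that an FTP any-to-any allow undermines the whole thing) is shown below as a small first-match egress-policy evaluator, together with a check that flags the undermining rule. This is an added example written for this page, not LGfL's, Atomwide's or any firewall vendor's code; the rule names, addresses and policy are constructed assumptions. It also answers budgester's "ANY<>1, 1<>1, 1<>ANY, ANY<>ANY" question in the only way a first-match rule base can: whichever of those shapes appears first for a given port is the one that decides the flow.

```python
"""Illustrative first-match egress policy evaluator (added example).

Not LGfL, Atomwide or any firewall vendor's code. Models the policy shape
described in this thread: SSH out only from nominated internal hosts to
nominated destinations (one rule per MIPS request), default deny for SSH,
but FTP allowed from anywhere to anywhere.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # destination TCP port; None means any port
    action: str          # "allow" or "deny"


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def _matches(rule: Rule, src_ip: str, dst_ip: str, port: int) -> bool:
    return (ipaddress.ip_address(src_ip) in _net(rule.src)
            and ipaddress.ip_address(dst_ip) in _net(rule.dst)
            and (rule.port is None or rule.port == port))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> Tuple[str, str]:
    """First matching rule wins; no match means deny. Returns (action, rule name)."""
    for rule in rules:
        if _matches(rule, src_ip, dst_ip, port):
            return rule.action, rule.name
    return "deny", "default-deny"


# Ports that carry arbitrary files out of the network, so they matter for egress control.
FILE_TRANSFER_PORTS = {21: "ftp", 22: "ssh/scp/sftp"}


def find_unrestricted_egress(rules: List[Rule]) -> List[str]:
    """Flag allow rules that let any internal host reach any external host on a
    file-transfer port. One such rule removes most of the value of per-host SSH
    rules: the same data can leave over the open port, and no per-site request
    (and therefore no audit trail) is needed to do it."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.port not in FILE_TRANSFER_PORTS:
            continue
        if _net(rule.src).prefixlen == 0 and _net(rule.dst).prefixlen == 0:
            findings.append(f"{rule.name}: {FILE_TRANSFER_PORTS[rule.port]} allowed any -> any")
    return findings


# Constructed sample policy. Addresses are RFC 1918 / documentation ranges, not real hosts.
POLICY = [
    Rule("mip-webserver-ssh", "10.0.5.10/32", "203.0.113.20/32", 22, "allow"),  # one approved request
    Rule("deny-ssh-out", "any", "any", 22, "deny"),
    Rule("ftp-out", "any", "any", 21, "allow"),
    Rule("web-out", "any", "any", 80, "allow"),
    Rule("https-out", "any", "any", 443, "allow"),
]

if __name__ == "__main__":
    print(evaluate(POLICY, "10.0.5.10", "203.0.113.20", 22))   # static host, approved site
    print(evaluate(POLICY, "10.0.20.57", "203.0.113.20", 22))  # DHCP workstation, same site
    print(evaluate(POLICY, "10.0.20.57", "198.51.100.9", 21))  # same workstation over FTP
    for finding in find_unrestricted_egress(POLICY):
        print("finding:", finding)
```

The static host reaches its approved destination over SSH, the DHCP workstation is stopped by the SSH deny, and the same workstation can FTP anywhere; `find_unrestricted_egress` reports exactly that last rule, which is the gap the post is pointing at.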

#205 Shaun_Dark_Lord
    Quote Originally Posted by Eric:
    By the time the DDoS traffic reaches your firewall it has filled up the pipe (your "last mile", if you like). It doesn't matter how much bad inbound traffic Palo Alto drops for you: your usable downlink bandwidth is hosed. This is why your referenced page says:

    and this is why I said, "Doesn't protect you against DDoS ..."

    Effective DDoS mitigation has to be done at the edges of an ISP with an inbound capacity which dwarfs the traffic which the DoS perpetrators can achieve. This means that your ISP's inbound capacity is still sufficient to supply you, and all the rest of its customers, after the DDoS traffic has been removed. I believe that some DDoS attacks are now generating such large amounts of traffic that finding an ISP that can cope (and is willing to try) must be getting harder.
    Hi Eric

    I completely agree. Virgin Business do indeed do DDoS mitigation at their end. Why Atomwide are convinced that they don't is beyond me.

#206
    Quote Originally Posted by psydii:
    Of course this approach is undermined somewhat if FTP -> Any is allowed.
    Yep - it's a base policy, I believe, because people don't really understand it, and if they banned it they would have even more people complaining ..... I've had outbound FTP blocked on my schools, but it's a bit brutal.

#207
    The latest and greatest is that this week some of their switches blew and 32 schools across London were left without internet. Nice infrastructure.

    I seem to be having an issue with their Outlook profiles for users, downloaded via the Staffmail support. It seems to be struggling to authenticate, and once they're all set up some users are only getting partial downloads; some are getting it all, but every time they close Outlook it loses the password settings. Some sites on 2010 just refuse to authenticate altogether when trying to find the Exchange servers. Anyone else getting this? It worked fine before the changeover and recent issues...

#208
    Quote Originally Posted by Iamthelaw:
    I seem to be having an issue with their Outlook profiles for users, downloaded via the Staffmail support. It seems to be struggling to authenticate, and once they're all set up some users are only getting partial downloads; some are getting it all, but every time they close Outlook it loses the password settings. Some sites on 2010 just refuse to authenticate altogether when trying to find the Exchange servers...
    I have always had problems with users losing part of their Staffmail logon credentials and this is continuing now we are using Office 2010. Specifically some users constantly have to re-insert LGFLMAIL\ in front of their username.

    It is fairly extraordinary that LGfL support documentation explains how to set up a Staffmail user "by hand," when we are working at the enterprise level. Getting better automation of email account setup is one possible attraction of moving to our own Exchange server, which would significantly diminish the utility of Staffmail.

#209
    We are in the same boat, and I know a number of schools in Hillingdon are fed up with the restrictions imposed by Atomwide. I was given some info by LGfL that there may be a solution which will only work if you have your own firewall. Luckily we are in that boat, but if you only have their firewall... you're stuffed.
    Other than that I was / may look at alternative providers. BETT is just around the corner, so I'll be knocking on a few doors with other ISPs.

#210

    Case law relating to image distribution

    Quote Originally Posted by GrumbleDook:
    The distribution of illegal images also comes under different laws to those dealing with copyright as well. I have asked for specific case law references and when (if) I get them I'll stick them up.
    Grumbledook,

    I have stumbled upon this thread again. Do you now have case law references in this area, please? I would be very interested in them.
