Internet Related/Filtering/Firewall Thread, LGfL 2.0 Problems in Technical; Originally Posted by Shaun_Dark_Lord
I'm not allowed to give any details ...
19th June 2012, 02:16 PM #121
Why ever not?
Originally Posted by Shaun_Dark_Lord
Actually, I can guess.
19th June 2012, 09:50 PM #122
Maybe one thing to help you LGfL 2.0 people is they need to look around them at what others are doing, I know @GrumbleDook has spent time with schools looking at the future and many discussions have happened on here about options in the Northants area, but also look around the country.
From knowing @Soulfish well I know his issues and some of the systems LGfL 2.0 has and it seems draconian in my opinion, whereas here in Yorkshire we have now got basically a complete open system which most would be envious of, all schools have connections (various speeds) and a Smoothwall UTM, and so long as your Head / Chair of Governors signs a form off you have a completely unfiltered unrestricted connection, yes that's right you choose what you do with it and how. I have a block of IPs and just do as needed, so if I want to RDC to a PC for a couple of days I just do the changes in Smoothwall and job done, publish a website no issues, open a firewall port for some weird software yep that is my choice.
Our LA found it VERY hard going as it's a major change from central farms, proxies, systems etc... but working with Smoothwall has been great, complaints (once initial teething issues were ironed out and training provided) have gone down, IT Managers are much happier as are schools, some are running very simple systems, others such as us are publishing apps, servers, remote systems etc... it has great flexibility for us to use ICT to enhance teaching and learning as we need to and how we want to rather than be dictated to by someone who believes they know best.
My opinion as an outsider reading about LGfL 2.0 is they went to 1997 and said right what do we want and they just picked ideas from back then.
20th June 2012, 10:13 AM #123
It appears to me that they implemented the technical protections mandated by the Cabinet Office Security policy framework in areas they had control over (i.e. the network between the edge of the LAN and the internet).
Remote access is locked down because the free services potentially allowed un-auditable remote access by ex-employees.
SMTP is blocked for quite valid reasons - though I don't know why they won’t allow imaps and smtps to cloud service providers - this does seem backward, but in line with the Cabinet office guidance.
In general the filtering is much better, though restrictions always trip some people up. Having some categories that cannot be overridden is reasonable for very limited values of 'some'.
The mandated IP scheme can even be accommodated - use one subnet as external to your local firewall and the other as a sort of DMZ location to land inbound LGfL services, such as VOIP and WIFI. If you have per user filtering then you can keep your own mechanism. If you don't and are willing to move to their subnets then you get it for free.
On IPs: LGfL made a strategic error in not securing its own net block long ago - they are apparently very hard to come by now. A problem that they do face apparently is that they regularly are under DDOS attack both internally originated and externally, this has been a motivator for the lock down. Just musing now, but I do wonder why they didn't build the v2 service as IPv6 internally - every school is supposed to have its own IPv6 net block, then just NAT at the edges for v4 and peer with the v6 networks. /musing
The real issue is their tendency for opacity, and a failure to understand that the end users of the service are significant stakeholders in their future now that 50% of their secondary school users are free to walk at the end of the contract and the other 50% could terminate on conversion to academy status. For those who attended the Nominated Contact training day and the LGfL 2 conference this opacity has diminished - but it remains.
I applaud those who are taking a proactive and structured approach to getting LGfL to listen and adjust their policies to better meet the needs of their user base. While some of this work has to go on in the background it is really valuable to gain support through the public forums of the user base, and though this thread is mostly negative in tone it has generated the Survey over in the LGfL forum, hopefully this will help evidence our needs and strengthen the case for openness and flexibility in LGfL.
20th June 2012, 10:40 AM #124
I have to agree with John, the best move for the schools in LGfL is to step out and manage your own line \ filtering \ firewall. I have done this with 3 schools now and they are all over the moon. Flexibility and being able to react are key to delivering a good IT service to support teaching and learning. We saved a heap of money in the process too.
20th June 2012, 10:44 AM #125
Who did you use as internet service provider? The last time I priced things up LGfL were pretty competitive ...
20th June 2012, 10:52 AM #126
I use BT, (CN21 )
I am not based in the LGFL area, we moved away from YHGFL.
In just over two years I have had zero down time in terms of Internet connectivity. The cost savings were a bonus; it’s the flexibility / time saving/ reliability that have made such a difference to the schools that I look after.
20th June 2012, 01:05 PM #127
One of my schools is going over on 29th and we are trying to retract the ones that have not had any work done.
We have been in contact with Brian and he has been very quick to respond and detailed in his answers but it hasn't really done much to address our concerns. For example we asked about potential port unblocking rejections for other email providers and his answer was essentially 'use staff mail'. We asked about Logmein and his answer was 'use the alternative'. We asked about filtering and he sent us a link where apparently ‘Ticking the box below will remove your school from LA filtering control and prevent their settings from affecting your school.’ This link didn't work for me though (maybe because I am not a head teacher or because the school has not migrated yet). Other than this he kept pushing the courses but who is going to pay for my time to attend? Also, I have to attend the one about the USO system (which I have been using for years and already know) in Kent before I can attend the one on filtering. I have a full week, working all day and most nights, I don't have time to attend courses on anything, let alone stuff like this. Taking a whole day out to learn about a filtering system seems like a huge waste of time to me.
My point still remains - Whatever LGFL say, there is going to be work involved in making our system anything like it currently is once we have migrated. This work takes time and time costs the school money.
20th June 2012, 03:08 PM #128
You make your point re conversations with Brian very well. I think the filtering option didn't work for us until we moved over.
It sounds like you are stretched too thin for your sites to manage a reasonable rate of change. If you cannot get time for training something is very wrong.
There is work to be done and before any change the key stakeholders should be fully trained. Generally the work is not too onerous and it has been well signposted for many months. Most Secondary School LANs I have seen are of two broad types: rely on the LGfL assigned subnets - in which case just get your MIPs right, remove proxy entries and you're away, or they have their own firewall and subnets behind that, in which case DNS and SMTP and the 'external' IP interfaces of the firewall need to be added to the list.
1 day planning, 1 day implementing. 1 day supervising the various elements of the install.
Compared to BSF this is a walk in the park.
20th June 2012, 08:04 PM #129
I am stretched thin but I am on my own with a small business and I am at that critical expansion stage where I have to balance not turning work away with meeting customer expectation. In order to keep my service levels to the standard I expect of myself something has to give and that is my own professional development at the moment hence, no training for me. Moreover, I don't see why I should take time out of my day and burn Diesel to go and have training on something I am not interested in, don't want to be a part of and don't think is appropriate for my customers.
I don't support secondary schools, only primary. The thing to remember is that we are at the mercy of Atomwide in some respects. A colleague of mine at a school which has migrated submitted a request to have ports open for other email, such as Gmail and Hotmail. Atomwide simply said no.
To be honest, I would probably find something like BSF more interesting and engaging but I don't envy you
20th June 2012, 08:18 PM #130
To be quite honest, I wouldn't advocate the use of personal mail systems such as hotmail/yahoo/gmail for school correspondence. Atomwide in their defence does provide a pretty good mail system in StaffMail which although has its problems is pretty adequate for a primary school. As a parent, I would consider it more professional to receive an email from firstname.lastname@example.org instead of email@example.com. If these accounts aren't being used for school correspondence then perhaps they shouldn't be used in the workplace anyway.
Originally Posted by strawberry7
Anyway, hotmail/yahoo/gmail is available after you migrate to LGfL2 but only with the web interfaces, you can allow the policy for "web email" in the local categories section of webscreen2 on the support site, you may have to opt out of LA policies first if they deem to have them blocked.
20th June 2012, 08:35 PM #131
I totally agree with you but it isn't always as black and white as that. Consider a staff member using their personal iPhone or iPad (protected with pass codes of course) to check their staff mail. Isn't it nice to allow them to check their personal email through the school network at the same time? Without them having to constantly switch to 3G? What is the problem if they do?
Consider also the situation where a school wishes to host their own domain through Google apps (as I do for my business). What about a situation where a school is using a Google calendar system and takes advantage of Google's exchange sync options for the iPad? Would this need a MIP request?
What about head teachers that communicate through their personal email systems sometimes because they are friends as well as colleagues. As I am sure you find yourself, not everything in a day to day work environment can always be separated so clearly from 'work' and 'personal'. I still come back to what I have been saying all along - what is wrong with the existing system that we have all been using for years?
21st June 2012, 08:36 AM #132
I had the same thing with Google Mail in an Apple based school - the trick here was to specify the ranges to talk to and I believe LGfL now have a range of addresses and ports that they open up to support Gmail via an iPad and all the other stuff.
I think the trick here is never to ask for a firewall rule that involves the word 'any' in it, that’s what LGfL don't like - the moment you are specific about rules then it all starts to happen - can't really argue with that - opening everything upon a network to the internet is a bit dangerous and it does not take much effort to work out specifically what you want to talk to.
What was wrong with the existing system ?? That’s easy - can't you remember in LGfL 1 when the whole network came to a halt on how many occasions because the core single firewall was being attacked by some random hackers from miles away or when outbound email was trapped because a workstation in a school was infected and spamming the universe which got the whole WAN added to global spam lists or again when the core firewall fell over because an entire LA was firing conficker at everything ..... That’s what was wrong with the existing system and why there are firewalls and security all over the new system.
Security is a good thing when it's deployed carefully and making use of the technology available - it's a bad thing when shortcuts are taken to make a quick win that loses in the long run.
BTW - VNC - this runs down RAV3 perfectly well
21st June 2012, 10:12 AM #133
Oddly no I can't, but that returns me to my comments about their opacity. However I have bought into their logic.
What was wrong with the existing system ?? That’s easy - can't you remember in LGfL 1 when
As for head teachers using their personal emails - I draw your attention to exhibit A: BBC News - Michael Gove loses 'private email' battle
S7 have you considered that the pan-London shared services and USO system of LGfL could be saving you a lot of work - and give you capacity to take on more clients? Sophos, Netsweeper, Live@ are all properly world class solutions. If you operate in London then consider the net benefit to your clients in having the same systems across not only the sites you look after but also those that you don't?
I appreciate that it isn't the sexiest service around, but by being able to represent a number of schools who can be presented as 'wanting to engage' you can gain leverage with Brian et al.
21st June 2012, 10:27 AM #134
I totally understand what you are saying although when I asked Atomwide how to construct the MIP request once we migrate, they did say to specify 'any'. Are you talking about being specific with the internal IP section?
Originally Posted by Nodrog
Can't say I remember that specifically, although we did have times that our connection went down for a while. I kind of came to expect th
Originally Posted by Nodrog
I totally agree with you. When I think of security, I always think of the old saying 'the safest computer is one that is switched off'. I find that security and usability are almost always at war, it's about balance.
Originally Posted by Nodrog
Can you do that with an iOS device? I have used VNC on my iPad and iPhone and found it a bit rubbish compared to Logmein to be honest but then I am used to Logmein
Originally Posted by Nodrog
21st June 2012, 10:45 AM #135
I think you maybe misunderstand my previous statement. I am not talking about head teachers wanting to evade any 'official channels', I am only talking about ease of getting jobs done. A head teacher might drop a personal email saying 'how was your daughter's play last night?', they might then engage in a friendly conversation and then the replying head might mention an AV system in use at the play and ask the other head if they have something similar in their school. This conversation has now started to branch into work/school related topics. It is a little far removed from what we are talking about here but friendly chat between people during work time isn't always a 'waste of time'.
Originally Posted by psydii
Oh, please don't misunderstand, all of my schools do use LGFL services right now. I totally understand the ease as an administrator of using standard universal tools, such as all my schools using Logmein. I can grab my iPad, hit the app, be in a server within 20 seconds, check what I need to and get out. I understand that LGFL systems can provide similar experiences, although products such as Sophos still have a couple of simple things to do that would make administrators' lives a lot easier. I have to put my customers' needs before my own though and initially I was very keen for all of my schools to pick up the service. If I am going to have a situation where the day after we migrate, 90% of my teachers have at least 1 lesson out of the window due to YouTube being blocked for example, then that is a situation I (and they) don't want.
Originally Posted by psydii