Thread in Internet Related/Filtering/Firewall (Technical): LEA denying access to our firewall for configuration
#1 ben604 (Join Date: Jan 2010; Posts: 314; Thank Post: 81; Thanked 29 Times in 24 Posts; Rep Power: 22)

    LEA denying access to our firewall for configuration

    Hello,

    We're currently building a new domain, for deployment over the summer with any luck, and we'd like to do some testing of the new domain safe in the knowledge that we can't do any harm to our current network.

    We'd like to separate out our hardware LANs but retain internet connectivity to both, so we asked the LEA to set up a new port on our Juniper SSG5 firewall to just serve internet and deny access to the rest of our LAN, off which we'd run a little 5-port switch to our new mini domain for testing.

    They've described it as a "project" though, and can't help us with any great haste, so we're quickly running out of time to test and iron out any issues before the summer. They suggested using IPCop as an alternative, but that involves using another machine, for which we'd have to buy another NIC. More money!

    Would the Juniper SSG5 do what we proposed easily? Should they give us access to the configuration of that unit, as we actually bought the thing off them and we pay for their services, i.e. we're the customer and should get what we want!!

    Any thoughts?

#2 cpjitservices (Join Date: Jul 2010; Location: Hessle; Posts: 2,419; Thank Post: 507; Thanked 282 Times in 258 Posts; Rep Power: 81)
    Yes, the SSG5 is a router/firewall. IF you can get into the configuration you can set it up exactly how you want. Failing that, stick another machine on your network with 2 NICs in, set up and use pfSense; all you need to do is route the internet traffic between the two networks, which should be easily done.
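    The requirement in #1 (a new firewall port that serves internet only and is denied access to the rest of the LAN) and the alternative in #2 (a separate pfSense box routing between the two networks) both come down to the same policy question: the rule that gives the test LAN internet access must not also give it the production LAN. The block below is an added illustration, not part of the thread and not Juniper SSG5 or pfSense configuration; it is a minimal first-match policy evaluator in Python with constructed subnets (10.0.0.0/16 for the existing LAN, 192.168.50.0/24 for the test LAN, both assumptions) that checks a naive "allow test to any" ruleset against one that denies private address space before allowing outbound traffic.

```python
"""Added example (not from the thread, not vendor configuration): a toy
first-match firewall policy evaluator used to check the segmentation the
original post asks for, namely test LAN -> internet allowed, test LAN ->
existing LAN denied, existing LAN -> test LAN denied."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing, assumed for the example; not the school's real subnets.
EXISTING_LAN = ip_network("10.0.0.0/16")    # current production LAN
TEST_LAN = ip_network("192.168.50.0/24")    # new mini domain behind the 5-port switch
ANY = ip_network("0.0.0.0/0")
# RFC 1918 ranges: anything internal, including the existing LAN, lives here.
PRIVATE_SPACE = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Rule:
    src: object   # ip_network the source address must fall in
    dst: object   # ip_network the destination address must fall in
    action: str   # "allow" or "deny"


def first_match(rules, src, dst, default="deny"):
    """Evaluate rules top-down, first match wins; default deny if none matches.
    This mirrors the ordered-policy behaviour of most firewalls."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if s in rule.src and d in rule.dst:
            return rule.action
    return default


# Weak ruleset: "just give the new port internet" implemented as allow-to-any.
# "Any" includes the existing LAN, so the isolation requirement is not met.
WEAK = [Rule(TEST_LAN, ANY, "allow")]

# Hardened ruleset: deny private space first, then allow everything else out.
# Traffic inside the test LAN itself never crosses the firewall, so the
# 192.168.0.0/16 deny only affects other private ranges.
HARDENED = [Rule(TEST_LAN, net, "deny") for net in PRIVATE_SPACE] + \
           [Rule(TEST_LAN, ANY, "allow")]

# Constructed check cases: (source, destination, expected action).
CASES = [
    ("192.168.50.10", "93.184.216.34", "allow"),   # test LAN -> internet
    ("192.168.50.10", "10.0.1.20", "deny"),        # test LAN -> existing LAN
    ("192.168.50.10", "192.168.1.5", "deny"),      # test LAN -> other private range
    ("10.0.1.20", "192.168.50.10", "deny"),        # existing LAN -> test LAN (no rule)
]


def violations(rules):
    """Return the check cases whose result differs from the expected action."""
    return [(src, dst, first_match(rules, src, dst))
            for src, dst, expected in CASES
            if first_match(rules, src, dst) != expected]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        bad = violations(rules)
        print(f"{name}: {'OK' if not bad else 'policy violations: ' + str(bad)}")
```

    Run stand-alone it reports the weak ruleset leaking the test LAN into both 10.0.1.20 and 192.168.1.5 while the hardened one passes every case. The same check applies whichever box enforces the policy: a new zone on the SSG5 or a pfSense machine with two NICs needs the deny-to-internal rules ordered before the allow-out rule, and a case table like this is a cheap way to confirm that before the change goes live.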

#3 rh91uk (Join Date: Sep 2008; Location: UK; Posts: 871; Thank Post: 137; Thanked 132 Times in 114 Posts; Rep Power: 35)
    If it is hardware on your network you should be given access (full root access) and you should be controlling the access you give the LA!

#4 Geoff (Join Date: Jun 2005; Location: Fylde, Lancs, UK; Posts: 11,802; Thank Post: 110; Thanked 583 Times in 504 Posts; Blog Entries: 1; Rep Power: 224)
    If you own the hardware and have physical access to it I don't see the problem? Just reset the device and reconfigure it to how you want it to work?

#5 Diello (Join Date: Jun 2005; Location: Kent, England; Posts: 1,063; Thank Post: 112; Thanked 228 Times in 128 Posts; Rep Power: 74)
    RBCs can be a right pain for this. I'd be tempted to ask the Head to write a letter to the Head of the RBC clearly stating what is required and the deadline it will be done by, and that if this cannot be done, access should be provided to the school forthwith. Some RBCs get it in their heads that they're somehow doing US a favour... they forget we're paying for a service and we expect it to support what the SCHOOL requires, not them.

#6 GrumbleDook (Join Date: Jul 2005; Location: Gosport, Hampshire; Posts: 9,922; Thank Post: 1,332; Thanked 1,774 Times in 1,101 Posts; Blog Entries: 19; Rep Power: 593)
    Ok ... let's calm down a little and think carefully about this. The routers on RBCs are set up in certain ways for a reason. It will vary from RBC to RBC, but the reason why *they* want complete control is that there are standard configs on most routers to allow them to be monitored and maintained as part of a service. If you have anything different to the norm it can create a lot more work to keep the same level of service, and it can even mean that SLAs will no longer be honoured.

    You also have to face the fact that although many here have a good knowledge of network infrastructure, the knowledge around WAN infrastructures will be varied. If they give you access (once you have shown that you know what you are doing) then what about the next school who has someone who is simply eager and makes a cock-up? Where does the responsibility lie? You can bet that no matter how much you get the Head to agree to write that letter to say that you will take complete control and no liability / responsibility sits with the LA / RBC ... you know who will get the bad press.

    Also consider that mistakes you make on the router could have a negative effect on other schools, such as mistakenly allocating their IP onto your router ... It happens.

    A managed service works when it is a managed service. Call it a compromise based on the other things it provides instead. It is not out of order for the LA to ask you to explain / plan what you are doing and put in a change request. The fact that you want it immediately and are not willing to wait is not really their fault (unless they don't readily tell you the timescales for changes, of course).

    In other threads we will see members saying that poor preparation on the part of others does not warrant an emergency on ours. It applies both ways. Can you not put in the request and get things running when it is available?
    Last edited by GrumbleDook; 28th February 2012 at 07:04 PM. Reason: tyop

#7 CyberNerd (Join Date: Jan 2006; Posts: 8,202; Thank Post: 442; Thanked 1,032 Times in 812 Posts; Rep Power: 339)
    Quote Originally Posted by GrumbleDook:
        Ok ... let's calm down a little and think carefully about this....snip
    This argument can be entirely bypassed by simply going to a commercial provider.
    Chances are you'll save money and get a better service. We did. We were with RM and it doesn't get much worse than that, YMMV.

#8 localzuk (Join Date: Dec 2006; Location: Minehead; Posts: 17,529; Thank Post: 513; Thanked 2,406 Times in 1,862 Posts; Blog Entries: 24; Rep Power: 822)
    @GrumbleDook - Your argument only holds water if the LA in question here is reasonable and responsive. For a firewall change request like this, I'd fully expect it to be dealt with within a couple of days.

    I've been in one LA which took over a month to make a change to a firewall for the school, which is completely unacceptable.

#9 GrumbleDook (Join Date: Jul 2005; Location: Gosport, Hampshire; Posts: 9,922; Thank Post: 1,332; Thanked 1,774 Times in 1,101 Posts; Blog Entries: 19; Rep Power: 593)
    Quote Originally Posted by CyberNerd:
        This argument can be entirely bypassed by simply going to a commercial provider.
        Chances are you'll save money and get a better service. We did. We were with RM and it doesn't get much worse than that, YMMV.
    It might cost less in pounds on the order, but more in time to administer ... and yes, YMMV.

#10 GrumbleDook (Join Date: Jul 2005; Location: Gosport, Hampshire; Posts: 9,922; Thank Post: 1,332; Thanked 1,774 Times in 1,101 Posts; Blog Entries: 19; Rep Power: 593)
    Quote Originally Posted by localzuk:
        @GrumbleDook - Your argument only holds water if the LA in question here is reasonable and responsive. For a firewall change request like this, I'd fully expect it to be dealt with within a couple of days.

        I've been in one LA which took over a month to make a change to a firewall for the school, which is completely unacceptable.
    Fully agree with that, which is why I put in the bit about the timescales.

#11 CyberNerd (Join Date: Jan 2006; Posts: 8,202; Thank Post: 442; Thanked 1,032 Times in 812 Posts; Rep Power: 339)
    Quote Originally Posted by GrumbleDook:
        It might cost less in pounds on the order, but more in time to administer ... and yes, YMMV.
    It used to take me longer to get a change request through the RBC than it takes to make a simple config file.
    Literally: request change form, fill in form, print, sign, fax, wait for request to be acknowledged (they often were not), wait, wait, wait, wait more for LEA to sign off the request, wait some more for RBC to do the configuration.
    I appreciate they have to go through CAB processes in order to ensure service reliability, but sometimes it borders on the ridiculous. I go through a CAB process too (in line with ITIL/FITS): I get a ticket, discuss with the team, optionally write a config, and roll back the config if it doesn't work.

#12 PiqueABoo (Join Date: Jan 2006; Location: Surburbia; Posts: 2,178; Thank Post: 74; Thanked 307 Times in 243 Posts; Rep Power: 115)
    I'm on GD's apparently reasonable side, e.g. what subnet goes on that little LAN and how does that get routed to your school, or will they have to NAT that bit, and how does that fit with what happens with the main LAN, and so on and so forth. It isn't necessarily straightforward.

    I guess you can get links without managed routers, but I haven't ever been near a commercial link in this country where I could play with the router that one way or another the org has paid for.

    Quote Originally Posted by ben604:
        we're the customer and should get what we want!! Any thoughts?
    "Carnage" springs to mind. Doing what customers want isn't often a winning strategy; figuring out what they really want and suggesting a solution with some finesse is usually much better.
    Last edited by PiqueABoo; 28th February 2012 at 07:48 PM.

#13 glennda (Join Date: Jun 2009; Location: Sussex; Posts: 7,786; Thank Post: 272; Thanked 1,130 Times in 1,026 Posts; Rep Power: 348)
    Quote Originally Posted by localzuk:
        @GrumbleDook - Your argument only holds water if the LA in question here is reasonable and responsive. For a firewall change request like this, I'd fully expect it to be dealt with within a couple of days.

        I've been in one LA which took over a month to make a change to a firewall for the school, which is completely unacceptable.
    This is the main reason we are ditching our LEA. 15 working days for a CCR to open a port (443) on an existing IP NAT which has port 80 open. The other problem we have is they aim to do it on the 15th day rather than sort it as soon as possible!

#14 CyberNerd (Join Date: Jan 2006; Posts: 8,202; Thank Post: 442; Thanked 1,032 Times in 812 Posts; Rep Power: 339)
    Quote Originally Posted by PiqueABoo:
        I guess you can get links without managed routers, but I haven't ever been near a commercial link in this country where I could play with the router that one way or another the org has paid for.
    Ask for 'wires only'.

#15 PiqueABoo (Join Date: Jan 2006; Location: Surburbia; Posts: 2,178; Thank Post: 74; Thanked 307 Times in 243 Posts; Rep Power: 115)
    Quote Originally Posted by CyberNerd:
        Ask for 'wires only'.
    If I had that option I wouldn't take it. Far better if the link provider controls the kit at both ends, i.e. when the link is broken there can be no argument about whose fault it is and who gets to fix it.
