LEA denying access to our firewall for configuration

Hello,

We're building a new domain currently, for deployment over the summer, with any luck and we'd like to do some testing of the new domain safe in the knowledge that we can't do any harm to our current network.

We'd like to separate out our hardware LANs, but retain internet connectivity to both, so we asked the LEA to set up a new port on our Juniper SSG5 firewall to just serve internet and deny access to the rest of our LAN, which we'd run a little 5 port switch off to our new mini domain for testing.

They've described it as a "project" though, and can't help us with any great haste, so we're quickly running out of time to test and iron out any issues before the summer. They suggested using IPCop as an alternative, but that involves using another machine for which we'd have to buy another NIC, more money!

Would the Juniper SSG5 do what we proposed easily? Should they give us access to the configuration of that unit as we actually bought the thing off them and we pay for their services, ie. we're the customer and should get what we want!!

Any thoughts?

Yes, the SSG5 is a router/firewall IF you can get into configuration you can set it up exactly how you want, in failing that stick another machine on your network with 2 NIC's on, setup and use PFsense, all you need to do is route the internet traffic between the two networks should be easily done.

If it is hardware on your network you should be given access (full root access) and you should be controlling the access you give the LA!

If you own the hardware and have physical access to it I don't see the problem? Just reset the device and reconfigure it to how you want it to work?

RBC's can be a right pain for this - I'd be tempted to ask the Head to write a letter to the Head of the RBC clearing stating what is required, and the deadline when it will be done by, and that if this cannot be done, access should be provided to the school forthwith. Some RBC's get it in their heads that they're somehow doing US a favour... they forget we're paying for a service and we expect it to support what the SCHOOL requires, not them.

Ok ... let's calm down a little and think carefully about this. The routers on RBCs are set up in certain ways for a reason. It will vary from RBC to RBC but the reason why *they* want complete control is that there are standard configs on most routers to allow them to be monitored and maintained as part of a service. If you have anything different to the norm it can create a lot more work to keep the same level of service and it can even mean that SLAs will no longer be honoured.

You also have to face the fact that although many here have a good knowledge of network infrastructure the knowledge around WAN infrastructures will be varied. If they give you access (once you have shown that you know what you are doing) then what about the next school who has someone who is simply eager and makes a cock up? Where does the responsibility lie? You can bet that no matter how much you get the Head to agree to write that letter to say that you will take complete control and no liability / responsibility sits with the LA / RBC ... you know who will get the bad press.

Also consider that mistakes you make on the router could have a negative effect on other schools, such as mistakenly allocating their IP onto your router ... It happens.

A managed services works when it is a managed service. Call it a compromise based on other things it provides instead. It is not out of order for the LA to ask for you to explain / plan what you are doing and put in a change request. The fact that you want it immediately and are not willing to wait is not really their fault (unless they don't readily tell you the timescales for changes, of course).

In other threads we will see members saying that poor preparation on the part of others does not warrant an emergency on ours. It applies both ways. Can you not put in the request and get things running when it is available?

Quote:

---

Originally Posted by GrumbleDook

Ok ... let's calm down a little and think carefully about this....snip

---

THis argument can be entirely bypassed by simply going to a commercial provider.
Chances are you'll save money and get a better service. We did. We were with RM and it doesn't get much worse than that YMMV.

@GrumbleDook - Your argument only holds water if the LA in question here is reasonable and responsive. For a firewall change request like this, I'd fully expect it to be dealt with within a couple of days.

I've been in one LA which took over a month to make a change to a firewall for the school, which is completely unacceptable.

Quote:

---

Originally Posted by CyberNerd

THis argument can be entirely bypassed by simply going to a commercial provider.
Chances are you'll save money and get a better service. We did. We were with RM and it doesn't get much worse than that YMMV.

---

It might cost less in pounds on the order, but more in time to administer ... and yes YMMV.

Quote:

---

Originally Posted by localzuk

@GrumbleDook - Your argument only holds water if the LA in question here is reasonable and responsive. For a firewall change request like this, I'd fully expect it to be dealt with within a couple of days.

I've been in one LA which took over a month to make a change to a firewall for the school, which is completely unacceptable.

---

Fully agree with that, which is why I put in about the timescales.

Quote:

---

Originally Posted by GrumbleDook

It might cost less in pounds on the order, but more in time to administer ... and yes YMMV.

---

It used to take me longer to get a change request from the RBC than it takes to make a simple config file
literally: request change form, fill in form, print, sign, fax, wait for request to be acknowledged (they often were not), wait, wait, wait, wait more for LEA to sign of the request, wait some more for RBC to do the configuration.
I appreciate they have to go through CAB processes in order to ensure service reliability, but sometimes it borders on the ridiculous. I go through a CAB process too (in line with ITIL/FITS): I get a ticket, discuss with team, optionally write a config and roll back the config if it doesn't work.

I'm on GDs apparently reasonable side e.g. what subnet goes on that little LAN and how does that get routed to your school, or will they have to NAT that bit and how does that fit with what happens with the main LAN and so on and so forth - it isn't necessarily straight-forward.

I guess you can get links without managed routers, but I haven't ever been near a commercial link in this country where I could play with the router that one way or another the org has paid for.

Quote:

---

we're the customer and should get what we want!! Any thoughts?

---

"Carnage" springs to mind. Doing what customers want isn't often a winning strategy, figuring out what they really want and suggesting a solution with some finesse is usually much better.

Quote:

---

Originally Posted by localzuk

@GrumbleDook - Your argument only holds water if the LA in question here is reasonable and responsive. For a firewall change request like this, I'd fully expect it to be dealt with within a couple of days.

I've been in one LA which took over a month to make a change to a firewall for the school, which is completely unacceptable.

---

This is the main reason we are ditching our LEA. 15 working days for a ccr to open a port (443) on an existing ip Nat which has port 80 open. The other problem we have is they aim to do it on the 15th day rather then sort ot as soon as possible!

Quote:

---

Originally Posted by PiqueABoo

I guess you can get links without managed routers, but I haven't ever been near a commercial link in this country where I could play with the router that one way or another the org has paid for.

---

Ask for 'wires only'.

Quote:

---

Originally Posted by CyberNerd

Ask for 'wires only'.

---

If I had that option I wouldn't take it - far better if the link provider controls the kit at both end i.e. when the link is broken there can be no argument about whose fault it is and who gets to fix it.