  1. #1
    networkmanager

    Installing a Firewall

    The LEA currently supplies my school with a 10MB Internet Connection which comes in via a Firewall which I haven't got access to. The gateway interface address on this Firewall is local to my hosts so it's used as the Default Gateway Address.

    The LEA remotely logs in to do SIMS upgrades and maintenance etc. when the need arises. At the moment I use logmein for remote access.

    I just wondered if there's a way I can 'install' my firewall as we are thinking of rolling out Remote Access via Terminal Services to 'selected' staff - I'm thinking along the lines of having our own VPN.

    Any ideas please?

    Thanks.

  2. #2
    ICTNUT
    The firewall that you do not have access to, is this at your site?

    To be honest you could put your own firewall in but this would sit after the firewall that is supplied via the LEA and if there are rules in place to restrict access no amount of playing with your firewall will allow you access.

  3. #3

    powdarrmonkey
    Which LEA are you?

  4. #4

    matt40k
    Yer, what LEA?

    I won't touch the "firewall" personally, it's prob part of E2BN (or whatever), and if you start changing stuff, or adding additional VPNs, you'll get disconnected.

    I know Cambridgeshire has VPN access available, but it's stupid, they end up putting in a Cisco PIX and creating another VLAN, anyway, they do offer remote access, which is a java web client that connects to your terminal server.

    I know Suffolk council has a few high schools with a sort of VLAN\Terminal server setup, I believe this was just pilot stuff tho.

    PS: By firewall I assume you mean router (Cisco 2611?), LEA don't tend to put firewalls in at the schools, they keep them at the other end. E2BN(?) are looking at it, I mean they've only just started putting in cache boxes!!

  5. #5

    You want an SSL VPN by the sounds of it... And a firewall if you currently just have a router like most schools. Forget IPsec or any other type of VPN for remote access for staff, they are just too cumbersome to use and maintain.
    Check out juniper.net. Fantastic way of giving secure access to your network. V simple for the end user too as it's clientless and they just use a web browser.

  6. #6

    dhicks
    networkmanager wrote: "At the moment I use logmein for remote access."

    Neatly demonstrating how useless the county-supplied firewall is - when people wind up using third-party applications that circumvent firewalls, you'd think county would twig that they're maybe a bit behind in the services they're providing.

    You can probably find a VPN system that works in a similar way to LogMeIn and similar applications, i.e. uses an HTTP / HTTPS tunnel for traffic.

    networkmanager wrote: "we are thinking of rolling out Remote Access via Terminal Services to 'selected' staff"

    Your other option is to have an external server and mirror the files between that and your internal server. Makes good sense for a file server, but a bit tricky for stuff like SIMS.

    --
    David Hicks

  7. #7

    matt40k
    David, SSL is encrypted.. if the county could decrypt it, I think the US government would be tapping them on the shoulder.

    The point is with LogMeIn etc is that the person inside the firewall has to make the connection, they can't remote in.

    Have files hosted publicly = loads of extra security. I doubt anyone would like to say they've done it securely. If they would, PM me, I like a change.

    SIMS is MSSQL 2005, get the full bloat and you can load balance, so you COULD create an SSL tunnel, using stunnel, to a dedi\vps, then have it sync (remembering to set it to low connection speed mode)

  8. #8
    ICTNUT
    I would agree, don't touch the county firewall as it will come back and bite you.

    Remote SSL VPN is good as it uses just a web browser and ports 80 & 443; these will already be open on the county firewall.

    Take a look at the SonicWall SSL VPN 2000, this is what I use here, AD integration, 2 factor authentication built in, and you can set up portals depending on the user's AD group, making access very granular.

    My suppliers are happy to give out demo units, if you want their details PM me.

  9. #9

    matt40k
    You'll need to have words with your LEA anyway asking for a public IP, you would then use this to access from outside.

    The LEA would then route the external IP to your Internal IP.

    As the LEA gets the internet from region, (who have a private and JANET connections) they would have to put in a request for a port to be open, so yes, 443 (HTTPS SSL) would be a good idea, it should turn your 3 month request into a week. Note you would have to put a case in first, proving that it would be secure.

    Basically,

    External IP >> You guys >> Our server
    84.xxx.xxx.xxx >> whatever >> 10.xx.xxx.xx
    Using port 443
    SSL AES256BIT encryption, with valid cert. (are about £30 py)
    Traffic would be... kb per connect
    Would link into AD
    max of x users,
    students\staff
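
The claims in the case outlined above (port 443, AES-256, a valid certificate) can be checked from outside once the endpoint is live. The following is an added example, not part of the original post; the TLS 1.2 floor, the 30-day expiry margin, the function names and the sample values are assumptions.

```python
import socket
import ssl
import time

OK_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumed floor, not from the thread

def probe(host, port=443, timeout=5.0):
    """Handshake as an outside client would. The default context verifies the
    certificate chain and hostname, so an invalid cert raises ssl.SSLError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return {"cipher": name, "bits": bits, "protocol": tls.version(),
                    "not_after": tls.getpeercert()["notAfter"]}

def check_case(facts, now=None, min_days_left=30):
    """Compare handshake facts with the case; an empty list means it holds."""
    now = time.time() if now is None else now
    findings = []
    # OpenSSL writes AES256 (TLS 1.2 names) or AES_256 (TLS 1.3 names).
    flat = facts["cipher"].replace("-", "").replace("_", "")
    if "AES256" not in flat or facts["bits"] != 256:
        findings.append("cipher is not AES-256: " + facts["cipher"])
    if facts["protocol"] not in OK_PROTOCOLS:
        findings.append("protocol below TLS 1.2: " + facts["protocol"])
    days_left = (ssl.cert_time_to_seconds(facts["not_after"]) - now) / 86400
    if days_left < min_days_left:
        findings.append("certificate expires in %.0f days" % days_left)
    return findings

if __name__ == "__main__":
    # Constructed sample, shaped like probe() output; no network needed.
    sample = {"cipher": "ECDHE-RSA-AES128-GCM-SHA256", "bits": 128,
              "protocol": "TLSv1", "not_after": "Jun 20 00:00:00 2029 GMT"}
    fixed_now = ssl.cert_time_to_seconds("Jun 15 00:00:00 2029 GMT")
    for finding in check_case(sample, now=fixed_now):
        print("FAIL:", finding)
```

For a live check, pass the result of `probe("your.public.hostname")` to `check_case`; the hostname must be the one on the certificate, not the bare IP.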

  10. #10

    Michael
    networkmanager wrote: "I just wondered if there's a way I can 'install' my firewall as we are thinking of rolling out Remote Access via Terminal Services to 'selected' staff - I'm thinking along the lines of having our own VPN."

    Sounds suspiciously like Birmingham's setup. They've put Cisco's into each school which provides either a 10Mbps or 100Mbps internet connection. Schools can subscribe to a VPN service (for a small fee), which gives staff access to their workstation and/or files within school.

    Once you're logged into the Cisco client, I then use Remote Desktop to connect to workstations/servers either by name or IP and it's as simple as that really. I would recommend you talk to your LA as chances are, they probably do provide VPN access of some kind.

  11. #11

    dhicks
    matt40k wrote: "David, SSL is encrypted.. if the county could decrypt it, I think the US government would be tapping them on the shoulder."

    Sorry, not quite with you?

    matt40k wrote: "The point is with LogMeIn etc is that the person inside the firewall has to make the connection, they can't remote in."

    Which is kind of the problem - I know when I worked in Cambridge, county simply refused to open up any incoming ports whatsoever (things might have moved on fractionally by now, of course). The only way I could think of getting remote access to our system was to write a proxy that worked in a similar way to Skype or LogMeIn - i.e. tunnel other traffic over an outgoing HTTP connection, with incoming traffic being sent inside the reply to another HTTP request. Stupendously wasteful of bandwidth, but there you go.

    matt40k wrote: "Have files hosted publicly = loads of extra security."

    I figured it'd be secure enough to let teachers and pupils have access to curriculum work - let pupils open and save homework, etc. You'd have to get through to staff that they shouldn't store any data about pupils, though - that's the kind of thing that should be kept in SIMS or similar.

    --
    David Hicks

  12. #12
    networkmanager
    Many thanks all for your priceless responses. Most appreciated.
    It's Solihull LEA.

    As suggested I'll have a word with them to see if they do VPN 'packages', and will also be having a look at juniper.net and SonicWall SSL VPN 2000 as suggested above.

    Having a second ISDN Internet Feed with a public IP address (not from the LA) might also be worth looking at.

    Cheers all!

  13. #13

    dhicks
    networkmanager wrote: "Having a second ISDN Internet Feed with a public IP address (not from the LA) might also be worth looking at."

    But check with the LEA first (or hide it really well...) as they might consider that a breach of their security.

    --
    David Hicks

  14. #14
    joe90bass
    dhicks wrote: "But check with the LEA first (or hide it really well...) as they might consider that a breach of their security."

    Yes! I know I'd get a severe beating for doing that here!

  15. #15

    If you are looking at SSL VPNs, then SSL Explorer may be the low cost answer:

    SourceForge.net: SSL-Explorer

    Cheers,

    Kenny
