Wireless Networks Thread, Installing a Firewall in Technical
-
1st August 2008, 07:56 AM #1 Installing a Firewall
The LEA currently supplies my school with a 10MB Internet Connection which comes in via a Firewall which I haven't got access to. The gateway interface address on this Firewall is local to my hosts so it's used as the Default Gateway Address.
The LEA remotely logs in to do SIMS upgrades and maintenance etc. when the need arises. At the moment I use logmein for remote access.
I just wondered if there's a way I can 'install' my firewall as we are thinking of rolling out Remote Access via Terminal Services to 'selected' staff - I'm thinking along the lines of having our own VPN.
Any ideas please?
Thanks.
-
-
1st August 2008, 08:12 AM #2 The firewall that you do not have access to, is this at your site?
To be honest you could put your own firewall in but this would sit after the firewall that is supplied via the LEA and if there are rules in place to restrict access no amount of playing with your firewall will allow you access.
-
-
1st August 2008, 08:42 AM #3
-
-
1st August 2008, 08:51 AM #4 Yer, what LEA?
I won't touch the "firewall" personally, it's prob part of E2BN (or whatever), and if you start changing stuff, or adding additional VPNs, you'll get disconnected.
I know Cambridgeshire has VPN access available, but it's stupid, they end up putting in a Cisco PIX and creating another VLAN, anyway, they do offer remote access, which is a java web client that connects to your terminal server.
I know Suffolk council has a few high schools with a sort of VLAN\Terminal server setup, I believe this was just pilot stuff tho.
PS: By firewall I assume you mean router (Cisco 2611?), LEAs don't tend to put firewalls in at the schools, they keep them at the other end. E2BN(?) are looking at it, I mean they've only just started putting in cache boxes!!
-
-
1st August 2008, 09:20 AM #5 You want an SSL VPN by the sounds of it... And a firewall if you currently just have a router like most schools. Forget IPsec or any other type of VPN for remote access for staff, they are just too cumbersome to use and maintain.
Check out juniper.net. Fantastic way of giving secure access to your network. V simple for the end user too as it's clientless and they just use a web browser.
-
-
1st August 2008, 09:51 AM #6 
Originally Posted by networkmanager:
"At the moment I use logmein for remote access."
Neatly demonstrating how useless the county-supplied firewall is - when people wind up using third-party applications that circumvent firewalls, you'd think county would twig that they're maybe a bit behind in the services they're providing.
You can probably find a VPN system that works in a similar way to LogMeIn and similar applications, i.e. uses an HTTP / HTTPS tunnel for traffic.
"we are thinking of rolling out Remote Access via Terminal Services to 'selected' staff"
Your other option is to have an external server and mirror the files between that and your internal server. Makes good sense for a file server, but a bit tricky for stuff like SIMS.
--
David Hicks
-
-
1st August 2008, 09:59 AM #7 David, SSL is encrypted.. if the county could decrypt it, I think the US government would be tapping them on the shoulder.
The point with LogMeIn etc. is that the person inside the firewall has to make the connection, they can't remote in.
Have files hosted publicly = loads of extra security. I doubt anyone would like to say they've done it securely. If they would, PM me, I like a change.
SIMS is MSSQL 2005, get the full bloat and you can load balance, so you COULD create an SSL tunnel, using stunnel, to a dedi\vps, then have it sync (remembering to set it to low connection speed mode).
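The stunnel link suggested in the post above, sketched as an added example that is not part of the original post: the two stunnel.conf files below show both ends with certificate checks switched on, because a stunnel client does not verify the server certificate unless told to. Assumptions: the hostname sync.example.org, the file paths, the section names and local port 11433 are placeholders, and the SQL Server at the hosted end listens on its default port 1433.

```ini
; ===== File 1: school side (stunnel client) =====
; Constructed example; every name, path and port here is a placeholder.
[sims-sync-out]
client = yes
; the local sync job connects here instead of straight to the far end
accept = 127.0.0.1:11433
; outbound TLS on 443 to the hosted server
connect = sync.example.org:443
; Without the next three lines the client accepts ANY certificate:
; the link would be encrypted but not authenticated.
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
checkHost = sync.example.org
; client certificate, so the far end can tell this school from anyone else
cert = /etc/stunnel/school.pem
key = /etc/stunnel/school.key
; refuse old protocol versions (needs a recent stunnel/OpenSSL)
sslVersionMin = TLSv1.2

; ===== File 2: hosted side (stunnel server) =====
[sims-sync-in]
accept = 443
; hand decrypted traffic to SQL Server on loopback only
connect = 127.0.0.1:1433
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
; only accept clients presenting a certificate signed by this CA
CAfile = /etc/stunnel/ca.pem
verifyChain = yes
sslVersionMin = TLSv1.2
```

With this layout SQL Server itself should be bound to loopback or firewalled on the hosted machine, so the only route to port 1433 is through the authenticated tunnel.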
-
-
1st August 2008, 10:21 AM #8 I would agree, don't touch the county firewall as it will come back and bite you.
Remote SSL VPN is good as it uses just a web browser and ports 80 & 443; these will already be open on the county firewall.
Take a look at the SonicWall SSL VPN 2000, this is what I use here: AD integration, 2 factor authentication built in, and you can set up portals depending on the user's AD group, making access very granular.
My suppliers are happy to give out demo units, if you want their details PM me.
-
-
1st August 2008, 10:47 AM #9 You'll need to have words with your LEA anyway asking for a public IP, you would then use this to access from outside.
The LEA would then route the external IP to your Internal IP.
As the LEA gets the internet from region, (who have a private and JANET connections) they would have to put in a request for a port to be open, so yes, 443 (HTTPS SSL) would be a good idea, it should turn your 3 month request into a week. Note you would have to put a case in first, proving that it would be secure.
Basically,
External IP >> You guys >> Our server
84.xxx.xxx.xxx >> whatever >> 10.xx.xxx.xx
Using port 443
SSL AES 256-bit encryption, with valid cert. (are about £30 py)
Traffic would be... kb per connect
Would link into AD
max of x users,
students\staff
-
-
1st August 2008, 10:56 AM #10
"I just wondered if there's a way I can 'install' my firewall as we are thinking of rolling out Remote Access via Terminal Services to 'selected' staff - I'm thinking along the lines of having our own VPN."
Sounds suspiciously like Birmingham's setup. They've put Cisco's into each school which provides either a 10Mbps or 100Mbps internet connection. Schools can subscribe to a VPN service (for a small fee), which gives staff access to their workstation and/or files within school.
Once you're logged into the Cisco client, I then use Remote Desktop to connect to workstations/servers either by name or IP and it's as simple as that really. I would recommend you talk to your LA as chances are, they probably do provide VPN access of some kind.
-
-
1st August 2008, 11:07 AM #11 
Originally Posted by matt40k:
"David, SSL is encrypted.. if the county could decrypt it, I think the US government would be tapping them on the shoulder."
Sorry, not quite with you?
"The point with LogMeIn etc. is that the person inside the firewall has to make the connection, they can't remote in."
Which is kind of the problem - I know when I worked in Cambridge, county simply refused to open up any incoming ports whatsoever (things might have moved on fractionally by now, of course). The only way I could think of getting remote access to our system was to write a proxy that worked in a similar way to Skype or LogMeIn - i.e. tunnel other traffic over an outgoing HTTP connection, with incoming traffic being sent inside the reply to another HTTP request. Stupendously wasteful of bandwidth, but there you go.
"Have files hosted publicly = loads of extra security."
I figured it'd be secure enough to let teachers and pupils have access to curriculum work - let pupils open and save homework, etc. You'd have to get through to staff that they shouldn't store any data about pupils, though - that's the kind of thing that should be kept in SIMS or similar.
--
David Hicks
-
-
1st August 2008, 02:13 PM #12 Many thanks all for your priceless responses. Most appreciated.
It's Solihull LEA.
As suggested I'll have a word with them to see if they do VPN 'packages'; I will also be having a look at juniper.net and SonicWall SSL VPN 2000 as suggested above.
Having a second ISDN Internet Feed with a public IP address (not from the LA) might also be worth looking at.
Cheers all!
-
-
1st August 2008, 02:31 PM #13 
Originally Posted by networkmanager:
"Having a second ISDN Internet Feed with a public IP address (not from the LA) might also be worth looking at."
But check with the LEA first (or hide it really well...) as they might consider that a breach of their security.
--
David Hicks
-
-
1st August 2008, 02:46 PM #14 
Originally Posted by dhicks:
"But check with the LEA first (or hide it really well...) as they might consider that a breach of their security.
--
David Hicks"
Yes! I know I'd get a severe beating for doing that here!
-
-
1st August 2008, 03:37 PM #15
If you are looking at SSL VPNs, then SSL Explorer may be the low cost answer:
SourceForge.net: SSL-Explorer
Cheers,
Kenny
-