Bexley - LGfL Hosting - London Grid for Learning
Consortium Conference
13 July 2012
Operational Developments
Ian Lehmann
Chief Operations Officer
London Grid for Learning
LGfL 2.0 Network
LGfL 2.0 Network Design
LGfL 2.0 firewall delivers
Standard Networks:
• Admin
• Curriculum
Optional Networks:
• VC
• VOIP
• Wireless
LGfL 2.0 Option 1 MIP/Firewall Rules
Allow Out: 80, 443, 3389, UDP 53, FTP, WAIS, 1433, UDP 1194, 8443, Blackberry, 22, 23, TCP 53, SIP, IPSEC NAT-T, Ranger Outpost
Allow In: 80, 443, FTP, WAIS, UDP 1194, 8080, 143, 110, 993, 995, 22, TCP/UDP 53, SIP, IPSEC NAT-T, Ranger Outpost
Deny Out: 25, 110, 143, 993, 995
Deny In: 25, 135, 139, 587
Won't work (will not NAT): FTPS, GRE, ESP, AH
Refer to LGfL: 3389, Large Range, PPTP
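As an added example (not part of the LGfL slides), the Option 1 rule table above can be modelled as a small lookup so that a school can check what a given flow gets under the MIP/firewall before raising a request. The grouping of entries into columns is my reading of the flattened slide, and the precedence order between columns is an assumption the slide does not state.

```python
# Added example, not LGfL's code: a model of the Option 1 MIP/firewall rule slide.
# Column membership below is transcribed from the slide as read here (an assumption
# where the slide layout is ambiguous). Entries are "port", "PROTO port" or a named
# service exactly as the slide lists it; a bare port is taken to mean TCP.
RULES = {
    "allow_out": ["80", "443", "3389", "UDP 53", "FTP", "WAIS", "1433", "UDP 1194",
                  "8443", "Blackberry", "22", "23", "TCP 53", "SIP", "IPSEC NAT-T",
                  "Ranger Outpost"],
    "allow_in": ["80", "443", "FTP", "WAIS", "UDP 1194", "8080", "143", "110", "993",
                 "995", "22", "TCP/UDP 53", "SIP", "IPSEC NAT-T", "Ranger Outpost"],
    "deny_out": ["25", "110", "143", "993", "995"],
    "deny_in": ["25", "135", "139", "587"],
    "no_nat": ["FTPS", "GRE", "ESP", "AH"],          # "Won't work, will not NAT"
    "refer": ["3389", "Large Range", "PPTP"],        # "Refer to LGfL"
}


def _matches(entry, proto, port, name):
    """True if one slide entry covers the flow (proto 'TCP'/'UDP', TCP/UDP port, or service name)."""
    parts = entry.split()
    if len(parts) == 2 and parts[1].isdigit():       # "UDP 53" or "TCP/UDP 53"
        return port == int(parts[1]) and proto in parts[0].split("/")
    if entry.isdigit():                               # bare port on the slide: TCP
        return port == int(entry) and proto == "TCP"
    return name is not None and entry.lower() == name.lower()   # named service


def classify(direction, proto="TCP", port=None, name=None):
    """Return the slide column that applies to a flow, direction 'in' or 'out'.

    Precedence (assumed, not stated on the slide): protocols that cannot be NATed,
    then explicit denies, then explicit allows, then items to refer to LGfL.
    Anything the slide does not list is reported as 'unlisted', i.e. a request
    to LGfL is needed rather than assuming it is open.
    """
    for column in ("no_nat", f"deny_{direction}", f"allow_{direction}", "refer"):
        if any(_matches(e, proto, port, name) for e in RULES[column]):
            return column
    return "unlisted"


if __name__ == "__main__":
    # Constructed sample flows: outbound SMTP is denied (mail must use the LGfL
    # relay), inbound RDP must be referred to LGfL, GRE will not NAT at all.
    for flow in (("out", "TCP", 25, None), ("in", "TCP", 3389, None),
                 ("in", "UDP", 53, None), ("in", "TCP", None, "GRE")):
        print(flow, "->", classify(*flow))
```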
LGfL Security Guidance
Information, guidance and safeguards on the use of remote access products
Web based remote access categories
Head Teacher authorisation
Two-factor authentication (USO-OTP)
LGfL USO-Authenticated Log Me In
RDP Gateway Service
Option 2
OPTION 2 – Public IP addresses with school's own managed firewall
This option is suitable where a school would wish to have total control and responsibility for network security. LGfL will supply the school with a quantity of public IP addresses for use on its firewall. The quantity of IP addresses supplied will be based on the current and expected usage. All firewall policies and Network Address Translation (NAT) are the responsibility of the school.
LGfL 2.0 Option 2
Option 2
• Does not have MIPs or firewall rules on the LGfL 2.0 firewall.
• Access to all LGfL 2.0 services where possible.
– VMB Network Statistic Portal instead of on the LGfL support site. (1 day course)
– No email relay and no outgoing MailProtect without conforming to the port 25 rules. (See next slide.)
Option 2 Mail Server
If a school-based mail server is hosted on Option 2, which means it has a public IP, it can receive and send email on port 25 to and from the Internet, provided the school's firewall rules allow it and the school's DNS server points the MX records at the school-based mail server.
After the school's domain is configured on the LGfL email content control, if the school wants to use LGfL email content control for incoming scanning, it changes the school's DNS server to point the MX records at the LGfL email content control. The LGfL email content control then delivers to the school-based mail server via its public IP address.
The school's DNS controls which way mail is delivered into the school. The school-based mail server and the school's firewall control the mail route out of the school.
LGfL 2.0 Option 2 Advantages
• Complete control over all ports interacting with the internet.
• No waiting for firewall ports and MIP configuration.
• Closest thing to 'Raw Internet'.
• There is only one return path from the internet.
• May be an easier transition for LGfL1 Option 2 schools.
LGfL 2.0 Option 2 Disadvantages
• Complete exposure of all ports interacting with the internet and with other Option 2 LGfL schools.
• Attack bandwidth from other schools will be the smaller of the two schools' bandwidths.
• Attack bandwidth from the internet will be the bandwidth of the school.
• Restricted access over Janet UK due to Janet UK policy.
LGfL MailProtect 2.0
Protection against email-borne threats including:
- Viruses
- Spam
- Pornography
- Phishing and Denial of Service attacks
Hosted on resilient, fault-tolerant servers within the core LGfL 2.0 infrastructure
Services for the London Grid for Learning community provided by:
LGfL MailProtect 2.0
- View a log of scanned messages
- See details of emails blocked by MailProtect
- Release 'false positives'
- Add trusted senders to a personal 'allow' list
- Opt in or out of daily 'spam digest' emails
- Nominated Contacts, with appropriate permissions, can perform tasks on behalf of their users
LGfL 2.0... more than just broadband
Option 2