VLAN Configuration

[AnthonyBowers]

Right now the Meraki Router/Firewall and Access Points are all controlled by church headquarters. However there is no documentation or instruction about configuring the devices for security purposes such as adding separate VLANs, DHCP guard, layer 2 filtering, etc.

Right now I have big security concerns with all of my buildings simply due to lack of documentation and all of the computers and wireless access points on the same broadcast domain using dumb (non-managed) layer 2 switches to network everything together.

With the new program replacing MLS and ward leaders wishing to print from their office (ex: temporary recommends), wireless printers are being requested and approved for purchase. Granted, wireless connectivity will have to be disabled for security purposes, but scanning will be a thing that all ward and stake clerk's will need access. Since the church will not be purchasing scanners for wards that will need them for the new program, wards are going to be purchasing their own multifunction printers. I found out Xerox scanners do not transmit scans over USB directly to the computer , so that is another thing I have to be wary about.

Lastly, as I know that not every tech-savvy person knows how VLANs work and are configured, I cannot simply replace dumb switches with managed switches and leave. I can leave documentation and hope someone knows what to do , but also the church and FM group do not supply managed switches

1) Is there ready documentation explaining all the rules in place on the firewall/routers? (Yes I know about the dumbed down version)
2) Is there ready documentation explaining all the rules in place on the access points?
3) Is there a way to put individual LANs/broadcast domains on each router port (get the church to configure it)? That way I could put one broadcast domain on one port and another broadcast domain on another port and have everything run through the firewall, separating wireless and wired devices.
4) Would it be possible to put all ward offices on their own VLAN?
5) Is there a reason why the church purchases routers and access points for each building but not managed switches?

[russellhltn]

Right now the Meraki Router/Firewall and Access Points are all controlled by church headquarters. However there is no documentation or instruction about configuring the devices for security purposes such as adding separate VLANs, DHCP guard, layer 2 filtering, etc.

I'm sure there's documentation, they just don't share it with the STS.

Right now I have big security concerns with all of my buildings simply due to lack of documentation and all of the computers and wireless access points on the same broadcast domain using dumb (non-managed) layer 2 switches to network everything together.

I share the concern - especially if for some reason the administrative share on the computer gets turned on. That's easy to do unintentionally trying to make some feature work. I have all mine disabled off.

With the new program replacing MLS and ward leaders wishing to print from their office (ex: temporary recommends), wireless printers are being requested and approved for purchase.

I'll refer you to the Meetinghouse Technology Policy

5.1.3 Local Unit Provided Equipment: Local unit budgets should not be used to purchase any printers, copiers, and multifunction devices. The costs for repairing, upgrading, and replacing any equipment not provided as part of new building construction or by the FM group are the responsibility of the local unit.

I'd also reference Handbook 1: 14.7.2.2 which prohibits units from using funds to buy computers. (In the context, it raises question of it includes pritners as well)

scanning will be a thing that all ward and stake clerk's will need access. Since the church will not be purchasing scanners for wards that will need them for the new program, wards are going to be purchasing their own multifunction printers.

No doubt, some people are going to go "whole hog" on the electronic thing, but as someone who's day job is building document scanning systems, scanning is more work than filing. Given the points above, it might be best to wait and see what the church comes up with.

1) Is there ready documentation explaining all the rules in place on the firewall/routers? (Yes I know about the dumbed down version)

None that I've ever seen - at least made available to an STS.

2) Is there ready documentation explaining all the rules in place on the access points?

Sames as #1.

3) Is there a way to put individual LANs/broadcast domains on each router port (get the church to configure it)? That way I could put one broadcast domain on one port and another broadcast domain on another port and have everything run through the firewall, separating wireless and wired devices.

You might call support and ask if they can enable the Special Purpose (SP) zone for your buildings. Typically it's used for a FHC, but that's probably about as close as you're going to get for what you want. Everyone in the SP zone is assigned a unique church-wide 10.x.x.x IP separate from the 192.168.x.x of the "unwashed masses" (User zone). Port 2 will become the SP port. However, I don't think it's a good idea to put any APs on this zone.

4) Would it be possible to put all ward offices on their own VLAN?

See #3

5) Is there a reason why the church purchases routers and access points for each building but not managed switches?

Probably cost. I notice that TM seems to support "switches", so I assume managed switches are supplied for some situations. I'd guess it's to get multiple zones at a remote spot without having to run separate cabling for each zone.

[drepouille]

Wild guess here. The church uses managed switches in office buildings and other non-meetinghouse locations where you don't want random people attaching random computers to the network. Security first.

[AnthonyBowers]

Right, but meeting houses are transmitting sensitive information back and forth between Salt Lake. Are they expecting security through obscurity to work? For the most part it does, but you need something at least at Stake Centers. I mean, the entirety of the building network is built on an unmanaged switch and basically open to the public (protected by a password known to pretty much every member).

While I know that the policy for technology purchases is there, the last our stake has heard from Salt Lake about getting scanners for the new program (I don't remember what it is called) replacing MLS was that Salt Lake and the FM Group will not be supplying printers with scanners.

[russellhltn]

My understanding is that the database files and transmission is encrypted. I wouldn't call it security though obscurity.

By policy, confidential information shouldn't be stored on the computer but in removable storage locked away.

Dispite my exalted title, I'm just another STS. You need to bend the ear of either support or your presiding authority to take up with their presiding authority.

[drepouille]

Salt Lake and the FM Group will not be supplying printers with scanners.

Because clerks can use either cell phone cameras or the multi-function printer in the library to scan receipts?
I believe our new Xerox B405 copier allows us to scan directly to a flash drive.

[AnthonyBowers]

Because clerks can use either cell phone cameras or the multi-function printer in the library to scan receipts?

Yes, however if you have ever seen elderly clerks fumble with cellular devices, you would question why that is an acceptable answer. I'm sure if President Nelson were to try doing it, he would also be asking for a bigger screen.

I believe our new Xerox B405 copier allows us to scan directly to a flash drive.

Yes you can transfer scans over a USB flash drive. Now what happens if that flash drive were to end up in someone else's hands and did a file recovery? All those deleted (if deleted) are now available. Xerox MFPs need replaced with something that will transmit over USB cable straight to the computer.

My understanding is that the database files and transmission is encrypted. I wouldn't call it security though obscurity.

How many of you trust Windows firewall to protect your computer from the Internet?

Dispite my exalted title, I'm just another STS. You need to bend the ear of either support or your presiding authority to take up with their presiding authority.

My hope isn't to get some immediate action. I have aired my opinions towards the local stake leaders who vocalize their 2nd handed recount to the area leaders so on and so on. I am hoping to bring to attention many security flaws that no one has answers to. I also hope that others will do the same.

[drepouille]

Interesting points. When I was stake clerk, back when multiple members used the admin computer to enter data into MLS using a single Windows account, I cautioned all the ward clerks to always save confidential documents to a flash drive, never onto the hard drive, and to always store the flash drive in a locked cabinet. My counsel was very rarely followed.

These days, the only folks who use the admin computer are the bishopric, clerks, and maybe the exec sec. So physical security and account security have improved. I'm not really concerned about network security, although our use of a Pre-Shared Key for the Wi-Fi is a clear and present danger.

I don't know, but I wonder if Sophos Firewall is much superior to Windows Firewall. Let's hope so, given the higher license costs of Sophos. But this goes back to your point of local control. Does anyone at the local level have control, training, or experience configuring Sophos and locking it down?

[AnthonyBowers]

I'm not really concerned about network security, although our use of a Pre-Shared Key for the Wi-Fi is a clear and present danger.

Look up layer 2 attacks and you will see there are a variety of attacks that are easy to use.

I don't know, but I wonder if Sophos Firewall is much superior to Windows Firewall. Let's hope so, given the higher license costs of Sophos.

Again, if you feel your Windows computer would be completely safe exposed to the Internet by itself, please do so. I accidentally left my management laptop exposed for 1 day and it got hacked, with a reputable Antivirus and Anti-Malware service. I put it back on my network and it took my entire network down. Didn't even try to fix it, just re-installed Windows it to keep it off the network and prevent additional devices (such as flash drives) from getting exposed. It would be a fun experiment to try with Sophos

[russellhltn]

Again, if you feel your Windows computer would be completely safe exposed to the Internet by itself, please do so.

The admin computers are not exposed to the internet. To everyone on the WiFi in the same meetinghouse, yes. But that's not quite the same.