
Episode 15 Transcribed


 

Church IT Podcast Discussions Episode 15 September 6th, 2007

 

JASON

This is Church IT Podcast Episode 15, September 6th, 2007.  Today is open forum, for those of you who didn’t get the message I left on my blog.  Our SharePoint thing fell through, my fault on that.  We’ll try to get some SharePoint gurus scheduled for the next podcast and we’re also looking to use Adobe Connect potentially with that so we can do screen-sharing, so as we’re talking about SharePoint, you can actually see it in action.  If you missed it and you’re listening to this after the fact, we had an interesting dialogue about caffeine addiction prior to the record button, so be part of these discussions instead of just listening to it afterwards.


We have a Wiki for notes and whatnots at www.churchitpodcast.com You can register to be a contributor.


One thing I want to go over, I want to remind everybody of MinistryCOM next week, and I know Tony Dye will be there, Dean will be there, anybody else?  OK.  I would encourage you, we are going to be doing a church IT Roundtable the evening of Thursday, you don’t have to be coming to MinistryCOM to be part of that, just hit Tony’s blog www.tonydye.net and he’s got a link at the top.  There is a lunch on Friday at the host church.  Leave a comment on Tony’s blog if you are going to be coming to that lunch.


Kansas City, the big dog IT Roundtable October 3rd and 4th.  I haven’t heard yet how many people are registered but I encourage you to do that.  I got to talk with Ian Byer, we chatted about what they are going to try to pull off at the Roundtable.  I’ll also plug the IT Roundtable here at Granger on September 26th, Dean’s coming, Jason Lee is bringing some people.  We got the great room here so we can pack it.  Hit my blog www.jasonpowell.net

 

Tony Dye

Everything you want to know about anything is on my blog.  Anything I know of that is.

 

Jason

Tony, you’ve got something coming up for the Atlanta folks.

 

Tony

Coming up on the 18th at First Baptist to talk about voice IP stuff.

 

Jason

And you guys just had a deal with VMware and SANmelody, right?

 

Tony

Bill Loyd just did a thing, Jeffrey just posted that as a podcast. I’ve got a presentation I will be posting shortly that goes with that so you can pretend you were there, flip through the slides, and it’ll be like being there, except different.  Very interesting presentation if you are still trying to figure out storage virtualization.  It is hard stuff to understand but he explained it so well.  Very affordable way to get into VMware and other things.  And SAN without doing a SAN.

 

Jason

SANtastic!

 

Tony

Have we got anybody from Church of the Resurrection online?  No…, cause Cliff sent me some stuff. I said OK if you guys can’t make it to the podcast, I tried to pressure them into coming, they said OK but if we’re not, here’s the important things that need to be said.  So I will read off direct from Cliff why you need to be in Kansas City.  Your peers will be there.  Vendors – Shelby, ACS (go Dean!), Ministry Management Solutions, and others.  MinistryTECH will be there.  Registration will close end of the day Monday, Sept 24.  Steve Hewitt is getting ready to invite readers (of Church Computing Magazine).  Get registered!  You don’t want to miss it.

 

Jason

Anybody else have any Roundtable news?  Andrew are you still doing local stuff there in DC? 

 

Andrew

Yes, we just had a meeting two weeks ago, went well. 4 or 5 of us, moving along, we have a wide variety of different expertise there.

 

Jason

Somebody just sent me an email recently wondering about stuff happening in the Texas area.  I think the name of the group was Archchurch, I’m not familiar with them but basically this organization, not part of the IT Roundtable stuff, separate from what Chris was doing, I can’t find it now but I’ll do a blog on it later, something about large churches in Texas.

Jason Lee I see you put in the chat window asking if the Wiki is open, Yes it is.  Anybody that has registered, you should be able to go to www.zoho.com and log in and hit the zoho writer page and add your 2 cents.  If you’re in the chat window, slap in your name, church, and blog address or whatever.  I encourage everybody to log in.  Let me know if you need log in access and I’ll add you.  I need to add a link to the zoho writer.  Writer.zoho.com after you log in. 

I’ll put a plug in for zoho, they’ve got some really sweet online tools.  As I’ve played with them and Google Docs stuff, I like zoho stuff better. Zoho wiki is just awesome.  I wish they had a version you could download.

There will be some interesting news coming out about the MinistryCOM/Ministry TECH thing soon.

Also, Mike Gould from Willow Creek is working on a cool project, I can’t tell you about it but it’s cool. 

Topics to discuss today.  What do you want to throw out on the table? 

 

Stephen

Hi Jason, this is Stephen from Meadowbrook Church.  I had emailed you about how you configured your VLANs, I just was trying to figure out some answers to that.  I know you can set up static VLANs but are you actually doing dynamic to DHCP and authentication through RADIUS and all that to where when they log in it goes to a web page and once they log in, it depends on what VLAN it will place them on?  Is that right?

Jason

That’s where we want to end up. Yes, we’d like it to be where somebody plugs a network cable in anywhere in the building, and you get DHCP, you get DMZ as well so you’re not physically able to touch anything we don’t want you to touch.  We started down that road and wow is it complicated. Then we got sidetracked, so it’s on our list. 

 

Stephen

Currently are you just doing static now?

 

Jason

Yes.  Our wireless traffic is all VLANed, our public wireless has its own separate VLAN.  I still think that having the network segmented up in to lots of VLANs is a smart way to approach traffic management, but it just requires major management.

 

Stephen

Now as far as management, from what I’ve found, we are using all ?? switches currently, they’ve got a network director that does a map and you just click on the areas you want to assign whatever VLAN, assign it and you’re done.  The problem I was running into is that we’ve got so many jacks throughout the building, anybody can plug in, I wanted to be able to have them plug in and they have no access until they actually have a username and password to authenticate. 

 

David Szpunar

I had a blog post about that a while ago, I don’t have it up and running for the hardwired ports so I just leave the switch unplugged right now, but we have the RADIUS authentication up and running for our internal wireless.  We have several VLANs for a variety of things like our nursery check-in system is separated out, our security cameras in our new building are all feeding back to the video server on their own VLAN, etc.  I think there are one or two others that separate critical things out away from the main network. And we’re using ISA as our firewall as well.  I don’t have a separate box to do routing right now.  And I like the logging and the firewall capabilities it gives me between different VLANs because I can set it so that my administrative work stations can access all those hidden VLANs but block anybody else from any sort of access. 

 

Speaker

I like the Issess (??I don’t know what they are saying??)  shows everything, with it being the router, it shows you a ton of information and helps.

 

David S.

But you do have to set up everything manually if you don’t allow all traffic.  We only allow the stuff that is configured outbound.  SMTP only comes from our Exchange server and it only comes in to our Exchange server from our spam filtering host. 

 

Speaker

I’ve been using a tool called Remote Task Manager and I can actually monitor if someone started a program, it would open a port and tell me instantly what port was open.  I’ll send the link to Remote Task Manager up on the chat message.  Remote Task Manager runs on my Vista machine, Vista has one small issue with it.  The feature I use to let me know what connections were there is netstat.  The neat tool you can restart machines, you can look at the event viewers, devices, processes, helped me find spyware, stuff like that.

 

Jason

Cool tool!  Anybody else doing cool stuff with VLANs? 

 

Chris

This is Chris at Calvary Melbourne, we’ve got a bunch of them but we actually have a big layer-three (?) switch sitting on the back end before we route out our internet, so we have a lot of different ones. We’re not doing anything exceptionally cool, yet.  The same as you guys, researching a lot of ideas.

 

David S.

With your layer-three switch, where is the DHCP coming from?

 

Chris

You have to configure something called DHCP Relay.  I’m more than willing to help you with that offline, we have about 10-15 VLANs that are all getting their DHCP from one server. So one DHCP server sits on my VLAN 10 on our server network and it serves the IPs to everything across the whole network.

 

Speaker

So it’s a way of telling Windows server which network to hand IP out for.

 

Chris

Actually when you cross a layer-three boundary, the reason it’s called DHCP Relay is it is broadcast-based, so when the broadcast hits the layer-three switch, it takes that packet and the network that it came from and sends it directly to your DHCP server.  Then your DHCP server responds to the layer-three router or switch, so it’s more of a switch feature than a Windows feature.

 

David S. (probably)

How does Windows know which subnet to hand out the DHCP for or the IP address for if you’re on different subnets?

 

Chris

That’s what DHCP Relay does, it actually sends the subnet that the broadcast came from because when it hits your layer-three switch or router it will hit a specific port with a specific IP address, so that’s the network it will respond to.  It’s a router function.

 

Jason

What switches are you guys using Chris?

 

Chris

We are using all Dell switches.

 

Jason

We are moving to HP ProCurve from our Dells.  We’ve had a number of issues with Dell switches, locking up.  The 53-24s.  We had four of them.  Back in the spring when we had a network nightmare, these switches would just lock up.  We’d trace it back to a Dell switch.  So we started looking elsewhere.  We firmwared everything, we also replaced the core switch with the big giant HP, I still think that it’s Mac related.  There’s some kind of broadcast thing that the Macs do if you install certain software and I’ve just got a suspicion that there’s something about these Dell switches that the Mac didn’t like that traffic. 

 

Speaker

I’m curious about that because I have an interesting problem, we’ve got 10-15 Macs, I have done this years ago, hooked up wireless routers and AP, but anytime I hook up one now, I verify the IP address, and then I set a static IP, so I can get to it and manage it, and after about 5 minutes, it’s dead with network traffic and I just have to unplug it and reset it, I have not figured out what’s on the network that’s causing that.

 

Jason

I want to say, for some reason, the word Bonjour is in my mind. 

 

Speaker

Hey, for the guy who said his switch is locking up and he can’t figure out why, I’d throw a plug out for Ethereal for anybody out there www.ethereal.com if you get stuck and you can’t figure it out, especially if only one segment of your network is having a problem, throw Ethereal in between your core switch and your perimeter one and look at all the traffic and it can give you statistical feedback on everything.  It’s great. 

 

Jason

I think Ethereal has forked into Wireshark.  The Ethereal website still works. 

So there are churches that are smaller listening wondering what’s a VLAN?  Why should I VLAN?  Who can throw out a quick summarization of VLANs? 

 

David Szpunar

I would say security and reduced broadcast traffic, are the two main reasons why we’re doing, and we’re probably smaller than a lot of the people here, but it still makes sense to keep the important things separated out so they don’t cause problems, worms won’t spread, etc.  And with the large network broadcast traffic, it doesn’t cross the VLAN barrier.

 

Jason

The big boon to me is the security aspect, that I can have traffic on the same physical switch but they are not able to talk to each other.  That was really important when I was in the school system, I didn’t want the students having access to anything on the faculty or administration side.  So those of you that have schools, I would assume that you have an academy or school VLAN and something for your staff site as well.  If not, put that on your To Do list.

 

Speaker

We lock our students down extremely, if they need or want to run a program, it won’t run unless I add it.

 

Jason

If you want to find a hole in your security, I can’t say about church schools, I came from public school system, and we were even a Novell shop, if those students didn’t find interesting ways to subvert the system.

 

David Szpunar

Jason have you heard of the Casting From the Server Room podcast? (??not sure what he said??)  It’s a few guys in New York who work for a company that the school systems contract out to to do their IT work, it’s interesting.  I find a lot of information from them even though they are school-based and not church-based but it sounds like it’s up your old alley.

 

Jason

I found that IT-wise, public schools and churches are very similar, versus a business.  I guess non-profit is the common thing.

 

Speaker

We talked about it once before, our biggest problem isn’t from our school, it’s from our youth center.  We have a youth building that they wanted to put computers in and you wanna talk about something, put unsupervised teenagers in front of computers and see how secure things are.

 

David Szpunar

Actually we did that recently.  We have four stations in our new youth area and we haven’t had any problems, all they can run is Firefox.  I stuck it on our free public WiFi VLAN so they are hardwired but they are on the WiFi VLAN, so it must go through our filtering which has the adult blocking turned on. 

 

Jason

That was one of my tasks in the school system, every morning the first thing I did was look at the logs from the prior day, we were using N2H2 at one point, their best server technology, then we switched to Border Manager, I’d look through the logs at the top 20 and sure enough, a new Victorian’s website, block!  Some kid would find some site and they would start telling their friends because you could see the number of hits increasing as the day went on. 

 

Speaker

Now how do you deal with that in the needs of ministry as opposed to protecting the users, how do you balance that out in your network?

 

Speaker

We just went through a debate on My Space and Facebook, our Sonic wall contents filter marks them as adult content so they were blocked, but obviously youth and college ministries wanted access to those, then they came in and said, “Can you turn it on from 1:00-5:00 Monday-Thursday?”  So I started looking at programming a schedule, I talked to a couple of churches that have opened them up and that’s finally what we did but we are monitoring it.  How do the rest of you guys handle that?

 

Speaker

We are a strict NO My Space shop!  I can’t stand My Space, I have one youth leader who is right on board with me.  I think we are teaching our children that it’s ok to go to a place where porn stars and every other garbage on the planet allows people to freely express their views.  From our Senior Pastor down, we have banned it, it will not be on this campus.

 

Speaker

I wish it was gone too but our youth leader’s perspective was, “hey if I can find a kid out there on it and bring them to the Lord…”  ok.

 

Jason

We are probably the most liberal of all the churches I’ve talked to.  Basically we were not blocking anything until a year ago, it was wide open, but we are not running a school or anything.  So the only thing we are doing now, on our Sonic wall, the worst of the worst is blocked, everything else is on.  That’s something that each place has got to wrestle with, so far it hasn’t been a problem. If it becomes a problem, we’ll talk about doing something about it.

 

Speaker

For those using the Sonic wall filtering, keep in mind the next go around of the update for their firewall device is making single sign-on work for the filtering so you can do a lot more granularity and that’s probably the route we are going to go.  Right now our leadership had elected not to utilize those sites but our ministry teams are talking about the need for it, so one thing we are looking at is utilizing the new features coming out, it’s in Beta right now, you can see it on the Sonic wall site, I think that will alleviate some of our stress, we can give it more granularity to who gets access to what.  Our problem is we are using the same content folder for our public wifi as we are our core network and that’s where the rub is for us right now.

Speaker

I have one firewall at the end of our incoming web, it’s the Sonic wall specific content folder 2100, I’m trying to get my VMs set up because there is an active directory agent that you can load then you can set specific groups for each one of those based on the users.  It’s going to be a good tool if I can figure out how to make it manageable.

 

Jason

Anything else on content filtering? 

 

Tony

What does anybody do for notebooks for content filtering when they’re roaming?

 

Speaker

We just started using Covenant Eyes and it’s got its good and bad points.  It reports everything, so if you go to a website and an ad pops up for lingerie, it reports it to your partner with a list notifying you.

 

Tony

We’re trying to think about something similar, it’s one of those things, we used to, everybody was always behind our firewall so it was easy, we’re realizing that just isn’t the case, it’s something we completely overlooked, it just snuck up on us, we forgot about the real world out there.  We’re looking at Triple X Watch, the price is right but it sometimes reports CNN as a dangerous site, so some poor fellow, me, has to read through all those logs and figure out if somebody was doing something they weren’t supposed to do.  So I was hoping somebody had a great answer.

 

Speaker

It’s all going to depend on how you guys handle that as far as, if it’s one of your leaders and you have a policy in place that says we’re going to watch where you’re going, but another possible solution would be you guys could use OpenDNS and override the DNS settings, you’d still leave your DHCP settings where they are but override DNS settings and wherever they would go roaming, they would still be using the OpenDNS, no never mind, that won’t work.

 

Speaker

With Covenant Eyes, you don’t have to look through the log, you set up a covenant partner and that covenant partner gets an emailed report IF you reach a score level that was high, and then there’s a main admin that gets the email as well and he can look through it.  The only problem I’ve discovered is we’ve got about 3 Vista machines, they need to come up with a patch because with it installed on Vista, our technology filter wants to redirect them but because it can’t, it lets it straight through and doesn’t report, so some Vista differences, but other than that, it emails the user if they’ve gone over a certain or gray area.

 

Jason

Why not just tell them that you are monitoring it but don’t really do anything about it.


Tony

That actually works to some degree.  Before we were actively monitoring, I had a bunch of guys come and say we’re so sorry, they had accidentally clicked on an ad or something, but that was 5 or 6 years ago.

 

David Szpunar

There are services you can force laptops to go through even when they are not connected to the network but I can’t recall the name of the one I’ve seen, but I think they have a device you can put on your network to do filtering and/or run through their proxy servers and apply your users policy so no matter where your laptops are, they go through the filter.

 

Tony

That sounds like the Scrub-It type concept.  I’ll look into it some more.  Thanks.

 

Speaker

I guess I wonder Tony, what is the thought behind it for needing to do content filtering off campus, is it more of an integrity of the system or of your people and at what level are you deciding, is that a leadership level, is that an IT level making that decision.  I’m just wondering.  I’m just coming from the perspective that it’s not something I want to be Big Brother about when they’re off campus and just wondering.

 

Tony

Same situation, this came from some of our leadership, but a number of people at different levels have sent me emails telling me that they clicked on some site and all kinds of awful stuff came up, how come you aren’t protecting me?  So I’ve had the request to do that protection.  They said it’s good accountability.

 

Speaker

We’ve had the same experience here, we’ve had our pastors asking for us to put something on their computer so that when they are not here, garbage isn’t coming up or popping up. 

 

Jason

Have you guys seen the free K9 software?

 

David S.

Yes, I’ve recommended that to some of our pastors’ home computers but I’ve never used it myself. The guys who make it are a top rated content filtering group.  It’s a great free tool.

 

Speaker

We are using Websense, it does a cool remote filtering, so we’ve been looking at evaluating that and it extends the same content filtering out to your laptop so that even when they’re off the network, the filtering policies are still in force.


David S.

Has anyone used Smoothwall Guardian for content filtering since it does more content based and not pre-defined blacklist based filtering? And it’s cheaper.

 

Tony

On our secondary firewall, we’ve done that.  We’ve got a separate firewall that we use for our public network and for our staff network, more for routing stuff, and the guys built up an Indian firewall that’s got all the Smoothwall Guardian stuff in it and it’s really been impressive and the price is right.

 

Speaker

I’d say the same thing.  I used it at another job, I was really impressed with the Smoothwall stuff.

 

Speaker

You guys just inspired me to test my 2100. I did a reverse lookup for an IP and put it in and the 2100 does do IP blocking, it doesn’t even convert it to a name, it does a pretty good job.  I think they are on their 2200.

 

Jason

Now if you have a large school system or a large facility, I know a lot of the big school systems, use 8E6 Technologies for their content filtering and acceleration, that was 4 or 5 years ago.  Check into them.  Sweet product, high price tag.

 

Speaker

We had a Sonicwall with content filtering, I decided I wanted something more powerful.  When you buy the content filter license, it also provides a limited spyware antivirus device on it too, like the antivirus only has like 4000 signatures and the spyware you can turn on and off but it checks every packet coming in and out and it does block some, even if you go to Google images and do a search, this new one will block even the thumbnails, you only get a square with a red x in it.  It’s not terribly expensive, it’s all wrapped in to one device.  It pretty much handles it all.

 

Jason

How many people are using ISA?  It’s cheap for non-profits, under $200. 

 

Speaker

We’ve been using a Juniper firewall.

 

Jason

Their SSL VPN is cool.

 

Speaker

What were you using for that image filtering?

 

Speaker

I’ll throw a plug in for Websense, it does a good job handling the Google and the Yahoo images, it will force safe-mode for all the searches so they can’t go to Google and turn it off.

 

David S. (probably)

There was also a feature in the Smoothwall product like that.

 

Travis

Travis Kent [I think that’s what he said] with New Community, on top of that Smoothwall stuff, we’re running the free version here for a little bit until we transfer over to VMware, they have an appliance for a proxy server with content filtering, we’re using the free version and that works really well, but you have to do a bit to get it working, you can set up multiple groups, that’s in Version 2. In 3.0 it will have it integrated as a package so that’s something to think about if you’re looking for content filtering.

I also found this product called Untangle and they’re pushing it as a commercial replacement to Sonicwall and it looks interesting, kinda for free under the open source umbrella, we’re gonna play with that as well.

 

Jason

We’re just over an hour.  I’ve got to step away, Tony took off already.  One of the things I’d like you guys to start thinking about is I’ve gotten a number of requests from people listening to the podcast but we are a small church so would you guys just spend a day or a podcast just talking about small church situations, maybe just starting, or new to the IT church world, what are some of the best practices for smaller churches.  So think about that and jot down things for a small church, building network for first time, what kind of things would you do, etc.  From when should you go to a domain, back-up solutions, helpful stuff to chat about.

 

Speaker

That could take two sessions!

 

Jason

I’m sure there are a number of people who are going to zone out when we start talking about vms on the front end. 

 

Speaker

That would be useful.  I look back at the mistakes I made and the money we wasted, we could save the smaller churches some money and some time to get up and going, that should be one of our missions as a group.

 

Speaker

Going from 30 users to 200, being able to know what works and what doesn’t, that would help too.

 

David S.

I could see a lot of that being helpful even to me because one day a week I work at our Assemblies of God district office locally here and that’s about a 20 person office and we have about 40-50 users here at Lakeview with about 80 computers and they have 20 computers and one server compared to 10 servers. 

 

Jason

I’m glad you guys are thinking along those lines too.  I just got to go to Willow Creek and ask questions about a church much bigger and has a network a lot bigger so I’d like to be able to help people smaller than us.  We can help them.  Let’s plan on that, I want to reserve the next one for a Sharepoint discussion but if everybody could stick on their To Do list to start writing down things that would be helpful to smaller churches or new church IT people.  We should write a book. 

 

David S.

We could compile a book from blog entries across several blogs.  It would be an interesting collaboration. 

 

Jason

Any last questions?  Thanks everybody!  Interesting dialog. Next time is September 16.  Check out MinistryCOM, the Roundtable.  The phone line will stay open as well as the chat window.

 

