Consortium Conference, 13 July 2012
Operational Developments
Ian Lehmann, Chief Operations Officer, London Grid for Learning
LGfL 2.0 Network
LGfL 2.0 Network Design
LGfL 2.0 firewall delivers
Standard Networks: Admin, Curriculum
Optional Networks: VC, VOIP, Wireless
LGfL 2.0 Option 1 MIP/Firewall Rules
Allow In: FTP, WAIS, UDP, TCP/UDP 53, SIP, IPSEC NAT-T, Ranger Outpost
Allow Out: UDP 53, FTP, WAIS, 1433 UDP, Blackberry, TCP 53, SIP, IPSEC NAT-T, Ranger Outpost
Deny Out / Deny In
Won't work (will not NAT): FTPS, GRE, ESP, AH
Refer to LGfL: 3389, Large Range, PPTP
Information, guidance and safeguards on the use of remote access products
- Web based remote access categories
- Head Teacher authorisation
- Two-factor authentication (USO-OTP)
- LGfL USO-Authenticated Log Me In
- RDP Gateway Service
- LGfL Security Guidance
Option 2 – Public IP addresses with school’s own managed firewall
This option is suitable where a school wishes to have total control of, and responsibility for, its network security. LGfL will supply the school with a quantity of public IP addresses for use on its firewall; the quantity supplied will be based on current and expected usage. All firewall policies and Network Address Translation (NAT) are the responsibility of the school.
LGfL 2.0 Option 2
Option 2
- Does not have MIPs or firewall rules on the LGfL 2.0 firewall.
- Access to all LGfL 2.0 services where possible.
  – VMB Network Statistic Portal instead of on the LGfL support site. (1 day course)
  – No relay and no outgoing MailProtect without conforming to the port 25 rules. (See next slide.)
Option 2 Mail Server
If a school-based mail server is hosted on Option 2 (so it has a public IP), it can receive and send on port 25 to and from the Internet, provided the school’s firewall rules allow it and the school’s DNS server points the MX records at the school-based mail server.
If the school wants to use LGfL content control for incoming scanning, then once the school’s domain is configured on the LGfL content control, the school changes its DNS server to point the MX records at the LGfL content control. The LGfL content control then delivers to the school-based mail server via its public IP address.
The school’s DNS controls which way mail is delivered into the school. The school-based mail server and the school’s firewall control the mail route out of the school.
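An added consistency check for the routing rule above (example code, not LGfL's own tooling; the content control hostname and address range are placeholders): the MX records choose the inbound path, so the school's firewall policy for tcp/25 on its public IP should match that choice, otherwise the content control can be bypassed or inbound mail fails.

```python
from ipaddress import ip_network

# Constructed placeholder values (RFC 5737 documentation ranges), not real LGfL or school addresses.
CONTENT_CONTROL_HOST = "mx.contentcontrol.example"      # placeholder for the LGfL content control MX host
CONTENT_CONTROL_NETS = [ip_network("198.51.100.0/24")]  # placeholder: range it delivers to schools from


def inbound_route(mx_records):
    """Classify the inbound mail path from the MX records the school's DNS publishes.
    mx_records: list of (preference, hostname). Returns 'content_control', 'direct' or 'mixed'."""
    hosts = {host.lower().rstrip(".") for _, host in mx_records}
    via_cc = CONTENT_CONTROL_HOST in hosts
    direct = any(h != CONTENT_CONTROL_HOST for h in hosts)
    if via_cc and direct:
        return "mixed"
    return "content_control" if via_cc else "direct"


def check_port25_policy(route, rules):
    """Compare the DNS-chosen route with the school firewall's inbound rules for its public IP.
    rules: list of (action, proto, dport, source_cidr). Returns a list of findings (empty = consistent)."""
    findings = []
    smtp_sources = [ip_network(src) for action, proto, dport, src in rules
                    if action == "allow" and proto == "tcp" and dport == 25]
    if route == "mixed":
        findings.append("MX set mixes the content control with direct hosts; inbound scanning is only partial")
    if route == "content_control":
        # MX alone does not force senders through the filter: any host can still connect to the
        # public IP on port 25, so the firewall must restrict tcp/25 to the content control's range.
        for src in smtp_sources:
            if not any(src.subnet_of(net) for net in CONTENT_CONTROL_NETS):
                findings.append(f"tcp/25 allowed from {src}: mail can reach the server without "
                                "passing the content control; restrict it to the content control range")
    if route == "direct" and not smtp_sources:
        findings.append("MX points at the school but no inbound tcp/25 is allowed; mail will not be delivered")
    return findings


if __name__ == "__main__":
    # Constructed sample: MX moved to the content control, but the firewall still allows tcp/25 from anywhere.
    mx = [(10, "mx.contentcontrol.example.")]
    weak_rules = [("allow", "tcp", 25, "0.0.0.0/0"), ("allow", "tcp", 443, "0.0.0.0/0")]
    fixed_rules = [("allow", "tcp", 25, "198.51.100.0/24"), ("allow", "tcp", 443, "0.0.0.0/0")]
    route = inbound_route(mx)
    print(route, check_port25_policy(route, weak_rules))   # one finding
    print(route, check_port25_policy(route, fixed_rules))  # []
```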
LGfL 2.0 Option 2 Advantages
- Complete control over all ports interacting with the internet.
- No waiting for firewall port and MIP configuration.
- Closest thing to ‘Raw Internet’.
- There is only one return path from the internet.
- Possibly an easier transition for LGfL 1 Option 2 schools.
LGfL 2.0 Option 2 Disadvantages
- Complete exposure of all ports interacting with the internet and with other Option 2 LGfL schools.
- Attack bandwidth from other schools will be the smaller of the two schools’ bandwidths.
- Attack bandwidth from the internet will be the bandwidth of the school.
- Restricted access over Janet UK due to Janet UK policy.
Services for the London Grid for Learning community provided by: LGfL
MailProtect 2.0
Protection against e-mail-borne threats including:
- Viruses
- Spam
- Pornography
- Phishing and Denial of Service attacks
Hosted on resilient, fault tolerant servers within the core LGfL 2.0 infrastructure
MailProtect 2.0
- View a log of scanned messages
- See details of e-mails blocked by MailProtect
- Release ‘false positives’
- Add trusted senders to a personal ‘allow’ list
- Opt in or out of daily ‘spam digest’ e-mails
- Nominated Contacts, with appropriate permissions, can perform tasks on behalf of their users
LGfL 2.0… more than just broadband
Option 2