The meetinghouse firewall is the most important component for secure, filtered meetinghouse internet. The firewall blocks malicious users on the internet from accessing meetinghouse computers. It also prevents users from accessing inappropriate sites on the internet. Church policy states that meetinghouse internet must be filtered through an approved meetinghouse firewall.
Facilities management groups are responsible for ordering and installing meetinghouse firewalls correctly. Installation may be delegated to technology specialists.
Technology specialists are responsible for making sure that the meetinghouse firewall remains in place, remains properly configured, and does not get bypassed. It is recommended that firewalls be checked at least quarterly.
Proper firewall function can be checked by following the steps on the “Meetinghouse Internet Filter Check” article.
The Meraki MX64 is the only approved firewall for meetinghouses worldwide. Any other firewall deployed in meetinghouses should be replaced with the Meraki. Available features associated with this firewall include:
- Simplified self-activation through Technology Manager (tm.ChurchofJesusChrist.org).
- Facilities zone for internet-enabled appliances (click here for details).
- Special-purpose zone for family history centers and other nonmeetinghouse applications.
- Church-approved internet content filtering.
- Advanced troubleshooting resources and tools for the Global Service Center.
- Improved network management and reporting tools.
Meraki MX64 Hardware Features:
- Gigabit ethernet LAN interfaces.
- Increased maximum internet throughput up to 250 Mbps.
- Cellular USB WAN interface.
Note: The standard meetinghouse firewall should not be installed in PCI-compliant locations where credit cards are used.
The meetinghouse firewall must be situated between the internet service provider (ISP) modem and all devices on the meetinghouse network. No device other than the meetinghouse firewall should ever connect directly to the ISP modem. Wireless capabilities on ISP modems must be disabled.
Facilities managers make the final decisions regarding placement of meetinghouse firewalls. The following should be considered in determining where to place the firewall:
- Secure Location: Firewalls and ISP modems should be placed in secure areas that do not get a lot of traffic. Avoid locations where people have easy access to bypass the firewall. Attics, drop ceilings, and lockable closets are preferred (unless the attic gets too hot).
- Good Operating Environment: Avoid locations that restrict airflow or that reach temperatures outside of the operating range of the firewall (32°F to 104°F / 0°C to 40°C).
- Port Accessibility: The ports and the status lights on the ISP modem and the firewall should be easy to access and view so the stake technology specialist and facilities management group can troubleshoot problems and verify connections.
- Close to ISP: The meetinghouse firewall is usually placed near the ISP termination point (the demarcation point) and where the network is distributed to the rest of the building. The meetinghouse firewall can be placed on a shelf or surface-mounted to a wall or ceiling.
The Meraki MX64 firewall has five network ports on the back of the device. Each port is configured as follows:
- Ports 1, 2, and 3*—Public Zone: These ports provide “public” internet access. Examples of devices that should be connected to these ports include clerk or MLS PCs, ward or stake printers, webcast equipment, and wireless access points.
*Port 3: On some meetinghouse firewalls are configured with a special-purpose zone. This configuration is for family history centers and other nonmeetinghouse applications. If the firewall has a special-purpose zone, public devices noted above should be connected only to ports 1 and 2. Port configuration information is available in Technology Manager under “Zone Subnets.”
- Port 4—FAC Zone: This port is reserved for internet-enabled appliances and should not be used for any other purpose. Only the facilities manager should connect devices to this port. This port should not have any public devices connected to it.
- Internet Port: The cable coming out of the ISP modem should go directly into this port.
Once a meetinghouse has internet service and a firewall, the challenge becomes extending internet access to the rest of the building. “Networking Overview” for the meetinghouse includes information on doing this.