Consortium Conference
13 July 2012
Ian Lehmann
Chief Operations Officer
London Grid for Learning
Standard Networks:
• Admin
• Curriculum
Optional Networks
• VC
• VOIP
• Wireless
Allow Out:
• 80
• 443
• 3389
• UDP 53
• FTP
• WAIS
• 1433
• UDP 1194
• 8443
• Blackberry
• 22
• 23
• TCP 53
• SIP
• IPSEC NAT-T
• Ranger Outpost
Allow In:
• 80
• 443
• FTP
• WAIS
• UDP 1194
• 8080
• 143
• 110
• 993
• 995
• 22
• TCP/UDP 53
• SIP
• IPSEC NAT-T
• Ranger Outpost
Deny Out:
• 25
• 110
• 143
• 993
• 995
Deny In:
• 25
• 135
• 139
• 587
Won't work (will not NAT):
• FTPS
• GRE
• ESP
• AH
Refer to LGfL:
• 3389
• Large Range
• PPTP
LGfL Security Guidance
Information, guidance and safeguards on the use of remote access products:
• Web-based remote access categories
• Head Teacher authorisation
• Two-factor authentication (USO-OTP)
• LGfL USO-authenticated Log Me In
• RDP Gateway Service
OPTION 2 – Public IP addresses with school’s own managed firewall
This option is suitable where a school would wish to have total control and responsibility for network security. LGfL will supply the school with a quantity of public IP addresses for use on its firewall. The quantity of IP addresses supplied will be based on the current and expected usage. All firewall policies and Network Address Translation (NAT) are the responsibility of the school.
• Does not have MIPs or firewall rules on the LGfL 2.0 firewall.
• Access to all LGfL 2.0 services where possible.
– VMB Network Statistic Portal instead of on the LGfL support site. (1 day course)
– No email relay and no outgoing MailProtect without conforming to the port 25 rules. (See next slide.)
If a school-based mail server is hosted on Option 2, which means it has a public IP address, it can receive and send email on port 25 to and from the Internet, provided the school's firewall rules allow it and the school's DNS server points the domain's MX records at the school-based mail server.
Once the school's domain has been configured on the LGfL email content control, a school that wants to use LGfL email content control for incoming scanning changes its DNS server to point the MX records at the LGfL email content control instead. The LGfL email content control then delivers scanned mail to the school-based mail server via its public IP address.
The school's DNS therefore controls which way mail is delivered into the school.
The school-based mail server and the school's firewall control the mail route out of the school.
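As an added illustration of the two delivery paths just described (the school's DNS MX records decide where the Internet delivers mail; the school's own firewall decides what it accepts on port 25 and what its server can send out), here is a small Python model. It is not LGfL's code: the host names, addresses, relay range and rule sets are constructed, and `LGFL_RELAY_NET` is a placeholder for whatever address range LGfL publishes for its email content control. The audit goes one step beyond the slide in that it also flags a school that has moved its MX to LGfL but still leaves port 25 open to the whole Internet.

```python
"""Trace the inbound and outbound mail paths for an Option 2 school.

Added example, not LGfL's code. The MX records, firewall rules and
addresses are constructed; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
are documentation ranges, and LGFL_RELAY_NET is a placeholder for the real
LGfL email content control range.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower value is tried first by sending mail servers
    exchange: str


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str            # "in" or "out"
    port: int
    src: str = "0.0.0.0/0"    # source network the rule matches (default: anywhere)


# Constructed addresses and hosts.
SCHOOL_MAIL_IP = "203.0.113.25"        # public IP of the school-based mail server
LGFL_RELAY_NET = "198.51.100.0/24"     # placeholder: LGfL email content control range
INTERNET_SENDER = "192.0.2.10"         # an arbitrary Internet mail server
HOSTS = {                              # MX exchange name -> (owner, IP)
    "mail.school.example": ("school", SCHOOL_MAIL_IP),
    "inbound.contentcontrol.example": ("lgfl", "198.51.100.10"),
}

# MX records the school's DNS publishes in the two configurations on the slide.
MX_DIRECT = [MXRecord(10, "mail.school.example")]
MX_VIA_LGFL = [MXRecord(10, "inbound.contentcontrol.example")]

# Two candidate rule sets for the school's own firewall.
RULES_OPEN = [Rule("allow", "in", 25), Rule("allow", "out", 25)]
RULES_RELAY_ONLY = [Rule("allow", "in", 25, LGFL_RELAY_NET), Rule("allow", "out", 25)]


def inbound_mail_host(mx_records):
    """The lowest-preference MX is where Internet senders deliver the school's mail."""
    return min(mx_records, key=lambda r: r.preference).exchange


def firewall_permits(rules, direction, port, src_ip):
    """First matching rule decides; anything unmatched is denied (default deny)."""
    for r in rules:
        if (r.direction == direction and r.port == port
                and ip_address(src_ip) in ip_network(r.src)):
            return r.action == "allow"
    return False


def audit_mail_paths(mx_records, rules, hosts=HOSTS):
    """Return (inbound path, inbound accepted, findings) for a DNS + firewall combination."""
    owner, _ip = hosts[inbound_mail_host(mx_records)]
    findings = []
    if owner == "school":
        # MX points at the school: every Internet sender connects to port 25 directly.
        path = "direct"
        accepted = firewall_permits(rules, "in", 25, INTERNET_SENDER)
    else:
        # MX points at LGfL content control: only the relay should reach the school.
        path = "via-lgfl"
        accepted = firewall_permits(rules, "in", 25, str(ip_network(LGFL_RELAY_NET)[1]))
        if firewall_permits(rules, "in", 25, INTERNET_SENDER):
            findings.append("port 25 open to the whole Internet although MX points at LGfL; "
                            "restrict to the relay range")
    if not accepted:
        findings.append("inbound mail will be dropped by the school firewall")
    # Outbound: the school's server and firewall decide whether direct sending works.
    if not firewall_permits(rules, "out", 25, SCHOOL_MAIL_IP):
        findings.append("outbound port 25 blocked; the school mail server cannot send directly")
    return path, accepted, findings


if __name__ == "__main__":
    for label, mx, rules in [("direct / open", MX_DIRECT, RULES_OPEN),
                             ("via LGfL / open", MX_VIA_LGFL, RULES_OPEN),
                             ("via LGfL / relay only", MX_VIA_LGFL, RULES_RELAY_ONLY),
                             ("direct / relay only", MX_DIRECT, RULES_RELAY_ONLY)]:
        print(label, audit_mail_paths(mx, rules))
```

The fourth combination in the demo loop is the mistake to watch for when changing MX records back from LGfL to the school: the DNS change sends Internet mail straight to the school, but a firewall still scoped to the relay range silently drops it.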
Advantages:
• Complete control over all ports interacting with the Internet.
• No waiting for firewall ports and MIP configuration.
• Closest thing to ‘raw Internet’.
• There is only one return path from the Internet.
• Possibly an easier transition for LGfL1 Option 2 schools.
Disadvantages:
• Complete exposure of all ports interacting with the Internet and with other Option 2 LGfL schools.
• Attack bandwidth from other schools is limited to the smaller of the two schools' bandwidths.
• Attack bandwidth from the Internet is the full bandwidth of the school's connection.
• Restricted access over Janet UK due to Janet UK policy.
LGfL MailProtect 2.0
Protection against email-borne threats including:
- Viruses
- Spam
- Pornography
- Phishing and Denial of Service attacks
Hosted on resilient, fault tolerant servers within the core LGfL 2.0 infrastructure
Services for the London Grid for Learning community provided by:
LGfL MailProtect 2.0
- View a log of scanned messages
- See details of emails blocked by MailProtect
- Release ‘false positives’
- Add trusted senders to a personal ‘allow’ list
- Opt in or out of daily ‘spam digest’ emails
- Nominated Contacts, with appropriate permissions, can perform tasks on behalf of their users
LGfL 2.0….more than just broadband