Many of today’s houses of worship run surprisingly sophisticated networks. All of the same attributes of an enterprise IT infrastructure are present: sophisticated informational websites, broadcast video, interactive classes, etc. With the societal impact of COVID-19, the demands on IT infrastructure have escalated, forcing many churches to seek outside help with designing, implementing and even managing the services required to support their congregations. This is the exact business of Advanced Church Technology Systems Group (ACTS). For over 30 years, ACTS has been providing professional IT consulting and support to churches, church schools, and denominational offices - enabling them to more efficiently operate and extend their ministries.
Their value add is simple. Finding the right IT hardware, software, hosting, and service implementation can quickly become complex for those who don’t do it every day. Common support requests include:
- “We need to upgrade or replace legacy hardware or software solutions. What is the best choice for us given the dizzying array of available options?”
- “Running our own data center is no longer practical or cost-effective. But we have some custom needs. Is there a managed data center option that caters more towards ministries?”
ACTS is uniquely qualified to assist as all technical staff are 1) Microsoft certified and 2) experienced in the day-to-day details of working with ministries of all sizes.
James Krueger, a Senior Systems Engineer, has been with ACTS for 14 years. James focuses on ensuring the ACTS cloud infrastructure meets the needs of its customers. Obviously, routing and security are key elements. ACTS has always leveraged open-source router/firewall solutions for church edge needs. Some time ago ACTS moved away from IPCop, a Linux-based open source firewall, in favor of pfSense software based on FreeBSD. pfSense software was a major upgrade from IPCop, and Krueger shared that “pfSense was by far the most superior firewall/router solution available, even in comparison to Cisco solutions.”
More recently, ACTS has shifted to providing a host of cloud-based services including:
- Windows and Linux web site design and hosting
- SMTP and Exchange Email
- Spam and Anti-Virus Protection
- Windows Server Data Hosting
And with this shift came the need for ACTS to ensure it had appropriate cloud connectivity, security, and network infrastructure redundancy in place. Again, ACTS has leaned on pfSense software.
Almost all organizations are shifting to cloud computing, only differing by speed and scope. Houses of worship are no different. In order to arrive at the best deployment architecture for each customer, ACTS typically addresses four key secure networking questions for clients:
- How do I securely connect from my premises to my cloud application / workload?
Connectivity starts at customer-premises location(s). ACTS customers usually have some type of edge device already deployed. As you might imagine, this device is often due for a performance or connection capacity upgrade. There are really three distinct options: legacy / proprietary brand, open source software on 3rd party hardware (which includes DIY), and turnkey, open source appliance solution (in this case, Netgate). ACTS finds no compelling reason to advocate for expensive, proprietary hardware, e.g., Cisco or Sonicwall. So when onboarding clients with legacy brands, it recommends replacing (to avoid expensive maintenance / upgrade arrangements) or upgrading legacy brands with devices running pfSense software (superior price-performance, ease of use, feature expansion, etc).
Next, a decision must be made between 3rd party hardware and turnkey (Netgate) appliances with pfSense software. Recently, ACTS has been recommending Netgate appliances over 3rd party alternatives given the business assurance advantage. Netgate appliances are designed, built, and shipped pre-loaded with an optimized version of pfSense software for streamlined installations and reliable software upgrades - and, of course, Netgate is the engineering force behind pfSense software.
Next, the premises appliance must be securely connected to the cloud. Clients rely on either IPsec or OpenVPN tunnels running between their premises-based pfSense firewall and the ACTS cloud.
Finally, at the cloud edge, ACTS leverages two pfSense software VMs, managed by a KVM Proxmox hypervisor, for encrypted tunnel termination.
- How are premises-to-cloud connections made resilient?
For clients wanting a highly resilient network connection, ACTS deploys pairs of pfSense appliances in the cloud and on-premises and uses Common Address Redundancy Protocol (CARP) to manage redundancy between appliances at each end of the network.
- Where will my application(s) or workload(s) actually run?
With premises-to-cloud edge connectivity securely established, clients choose a compute preference for handling the actual IT workload. The options are simple: privately-hosted VMs, or dedicated hardware. VMs are more cost-effective and nimble, but some customers retain a preference for dedicated servers.
- What other pfSense software features and packages should I be running to maximize security?
In addition to routing, NAT, 1:1 NAT, port forwarding, network rules, CARP, etc. ACTS encourages clients to take advantage of these options:
- pfBlockerNG - enables country, IP address block and URL list blocking
- Domain Name System-based Blackhole List (DNSBL) - a service which checks whether a sending IP address is on a blacklist of IP addresses reputed to send email spam
- Snort - a free open source network intrusion detection / intrusion prevention system
With strong secure networking from premises to cloud - made possible by pfSense software - ACTS can assure each and every house of worship customer a fast and smooth transition to the powerful, scalable, cost-effective world of cloud computing - enabling ministries to continue their work unabated, in even the most challenging of times.
At Netgate, we are proud of helping each and every one of our customers in their mission. If we can help you meet your secure networking challenges fast and cost-effectively, connect with us here.