To Secure Private WAN
I have a private WAN which comprise of mixes of SDH network & MPLS VPN network. This network does not connect to Internet.
The management is not satisfied with the network security, wanted to implemented security measure to the network. They want a perimiter defense to be implemented. A group of people advise to implement Firewall. But, I did not agree as it is not cost effective as the network is not discoverable from the Internet and basically there are no external threat. Attach is a basic network diagram how its look like.
Question: What are the best security measure should this network implement to have high security assurance.
Private-WAN.pdf
The management is not satisfied with the network security, wanted to implemented security measure to the network. They want a perimiter defense to be implemented. A group of people advise to implement Firewall. But, I did not agree as it is not cost effective as the network is not discoverable from the Internet and basically there are no external threat. Attach is a basic network diagram how its look like.
Question: What are the best security measure should this network implement to have high security assurance.
Private-WAN.pdf
ASKER
Jfer,
Not all are RF. In SDF network some are RF, some are normal leased line.
There is MPLS VPN that connected some of the sites.
What is Solar Winds - what is the purpose?
What about question on Firewall - Is it correct that Firewall is not required.
RF payload is not encrypted. Is there possibility someone earsdrop/sniff in this point to point RF fixed network?
Not all are RF. In SDF network some are RF, some are normal leased line.
There is MPLS VPN that connected some of the sites.
What is Solar Winds - what is the purpose?
What about question on Firewall - Is it correct that Firewall is not required.
RF payload is not encrypted. Is there possibility someone earsdrop/sniff in this point to point RF fixed network?
Solar Winds is a management GUI that maps all your network resources,
http://www.solarwinds.com/indexb.aspx
it's very expensive though
Firewall are generally used to thwart external threats, it becomes difficult to audit your lan because It seems you are protecting your networks against your own employees, correct?
Sniffing RF is un-common, at level 2, but if you use proprietary RF Equipment, like Motorola, the burst in which it is transmitted, provides certain security.
It is possible to sniff, decrypt, RF, of course, would anyone spend the time to target your company in particular, not necessarily
Jfer
http://www.solarwinds.com/indexb.aspx
it's very expensive though
Firewall are generally used to thwart external threats, it becomes difficult to audit your lan because It seems you are protecting your networks against your own employees, correct?
Sniffing RF is un-common, at level 2, but if you use proprietary RF Equipment, like Motorola, the burst in which it is transmitted, provides certain security.
It is possible to sniff, decrypt, RF, of course, would anyone spend the time to target your company in particular, not necessarily
Jfer
ASKER
Hi Jfer,
Thanks on the info on solarwind.
I am not worried about the SDH network and RF, as the possiblity of someone sniff or hack is almost negligible.
As I mention there is MPLS network. What kind of external threat that we are facing on MPLS? (There NO connection to Internet). What kind of security measure should I implement.
Protecting network from internal threat - what are the most cost effective solutions would you recommend?
Thanks on the info on solarwind.
I am not worried about the SDH network and RF, as the possiblity of someone sniff or hack is almost negligible.
As I mention there is MPLS network. What kind of external threat that we are facing on MPLS? (There NO connection to Internet). What kind of security measure should I implement.
Protecting network from internal threat - what are the most cost effective solutions would you recommend?
Firewalling MPLS traffic is an option - although may not be worth the effort if traffic such as SMB is to be permitted.
It's worth looking at traffic that you need to be permitted in order to decide whether other types of traffic pose a risk.
In terms of securing the network...i'd be more concerned with mitigating internal risks, such as the use of USB keys, CDR/W's etc to prevent the removal of data from the network, and strong policies to prevent the installation of third party software by staff on the network.
It's worth looking at traffic that you need to be permitted in order to decide whether other types of traffic pose a risk.
In terms of securing the network...i'd be more concerned with mitigating internal risks, such as the use of USB keys, CDR/W's etc to prevent the removal of data from the network, and strong policies to prevent the installation of third party software by staff on the network.
I agree with Roachy1979,
physical security concerns for your equipment are very important
In my opinion, seems your network would be best protected against itself, than external threats
physical security concerns for your equipment are very important
In my opinion, seems your network would be best protected against itself, than external threats
ASKER
Jfer & Roachy,
Thanks. Sorry for the delay in responding to both of you.
Before I closed, I still don't understand this:-
1."Firewalling MPLS traffic is an option - although may not be worth the effort if traffic such as SMB is to be permitted"
Why Firewall it is an option? Is it worth it? Can I asked them to use IPSec "host to host" implementation instead. What is SMB traffic?
2."It's worth looking at traffic that you need to be permitted in order to decide whether other types of traffic pose a risk"
You mean the company need to decide what are allowable/permitted traffic, then deny all others?
Physical Security & Stringent Policy should be the best option.
I am still looking for technical solution to show that the technical team have some security solutioning to be implemented.
Thanks. Sorry for the delay in responding to both of you.
Before I closed, I still don't understand this:-
1."Firewalling MPLS traffic is an option - although may not be worth the effort if traffic such as SMB is to be permitted"
Why Firewall it is an option? Is it worth it? Can I asked them to use IPSec "host to host" implementation instead. What is SMB traffic?
2."It's worth looking at traffic that you need to be permitted in order to decide whether other types of traffic pose a risk"
You mean the company need to decide what are allowable/permitted traffic, then deny all others?
Physical Security & Stringent Policy should be the best option.
I am still looking for technical solution to show that the technical team have some security solutioning to be implemented.
SMB traffic is server message block traffic - used for windows file sharing.....with this permitted, effectively you have a huge security hole, if the goal is to protect the private network.
It might be possible to restrict this traffic from clients to servers, but still it's a vulnerability. In most cases on Windows networks though this is required for things to function properly.
In response to point 2, yes - that is best practice and should be adhered to. Deny everything and then allow services one at a time on a required basis. A firewall would be useful to implement this policy....but again I would emphasise the need for the on-site physical security (USB keys, etc)...
It might be possible to restrict this traffic from clients to servers, but still it's a vulnerability. In most cases on Windows networks though this is required for things to function properly.
In response to point 2, yes - that is best practice and should be adhered to. Deny everything and then allow services one at a time on a required basis. A firewall would be useful to implement this policy....but again I would emphasise the need for the on-site physical security (USB keys, etc)...
ASKER
Roachy,
Thanks on SMB traffic vulnerability.
Hi All,
Again, my question - should we implement firewall on MPLS network and on point to point network? If yes, I need a concrete justification, If not I also need a concrete reasons. I am nervous to face the IT team & management team. BTW, I am in risk management. Appreciate definite answer.
I did not expect external threat to the network. Am I correct to say that.
Thanks on SMB traffic vulnerability.
Hi All,
Again, my question - should we implement firewall on MPLS network and on point to point network? If yes, I need a concrete justification, If not I also need a concrete reasons. I am nervous to face the IT team & management team. BTW, I am in risk management. Appreciate definite answer.
I did not expect external threat to the network. Am I correct to say that.
Yes- you are safe from directly external threats.
Your question depends very much on the type of traffic you have though. If you have vulnerable data on the private network segment then you should firewall and restrict traffic to and from the hosts/networks, allowing only the traffic required on a port-by-port basis. This will (to some degree) protect you from INTERNAL threats, and external threats that have compromised vulnerabilities on Internet Connected internal machines.
Assume the worst case scenario that an Internet connected machine is compromised - you don't want that machine to then have unrestricted access to the private network (on all ports and services). Of course, without more detail on services you are running on the private segment and software and OS on the public and private networks I can't comment on vulnerabilities and risks...
Your question depends very much on the type of traffic you have though. If you have vulnerable data on the private network segment then you should firewall and restrict traffic to and from the hosts/networks, allowing only the traffic required on a port-by-port basis. This will (to some degree) protect you from INTERNAL threats, and external threats that have compromised vulnerabilities on Internet Connected internal machines.
Assume the worst case scenario that an Internet connected machine is compromised - you don't want that machine to then have unrestricted access to the private network (on all ports and services). Of course, without more detail on services you are running on the private segment and software and OS on the public and private networks I can't comment on vulnerabilities and risks...
ASKER
Roachy & all,
I am not sure what do you mean by "vulnerable data on the private network segment then you should firewall and restrict traffic to and from" .
As mention before there are no Internet connection to this private WAN. The network is connecting about 15 LAN located in saparate different geograhic location.
The IT guys is recommending Firewall to be install at all locations and use IPSec features in the FW (gateway to gateway). I was also told by them that IPsec host to host implementation don't work in practice. Is this true? The justification given: there are external threat to MPLS network, intruder can connect to the network from Service Provider network (which make me curious and doubt of the claim) and as an isolation mechanism to all other LAN if one of the LAN is compromised (which make me further question the function of the firewall - which is to filter unwanted external traffic, and to separate untrusted network to trusted network). I argue that those are internal threat, and the risk can be mitigated through proper physical security mechanism.
In all the LAN we have mixes of Servers, and host of Window OS and also custom Linux. These servers and host sending and recieving traffic to other hosts in other LAN.
Appreciate your further comments and explainations to clear my doubt.
I am not sure what do you mean by "vulnerable data on the private network segment then you should firewall and restrict traffic to and from" .
As mention before there are no Internet connection to this private WAN. The network is connecting about 15 LAN located in saparate different geograhic location.
The IT guys is recommending Firewall to be install at all locations and use IPSec features in the FW (gateway to gateway). I was also told by them that IPsec host to host implementation don't work in practice. Is this true? The justification given: there are external threat to MPLS network, intruder can connect to the network from Service Provider network (which make me curious and doubt of the claim) and as an isolation mechanism to all other LAN if one of the LAN is compromised (which make me further question the function of the firewall - which is to filter unwanted external traffic, and to separate untrusted network to trusted network). I argue that those are internal threat, and the risk can be mitigated through proper physical security mechanism.
In all the LAN we have mixes of Servers, and host of Window OS and also custom Linux. These servers and host sending and recieving traffic to other hosts in other LAN.
Appreciate your further comments and explainations to clear my doubt.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks Roachy,
Isn't it expensive (not cost effective) to install firewall for each of 15 sites (knowing that there is no external connection, i.e Internat)? You can use IPSec in other manner. That is why I ask about host to host implementation.
I did ask about " IPsec host to host implementation don't work in practice. Is this true?" IT guys said that theory sometimes does not work - I don't buy this.
I am looking at cost and its benifits, and also return on investment perspective. Secure but not expensive and not over do it (if the probability of happening is extremely low)
Isn't it expensive (not cost effective) to install firewall for each of 15 sites (knowing that there is no external connection, i.e Internat)? You can use IPSec in other manner. That is why I ask about host to host implementation.
I did ask about " IPsec host to host implementation don't work in practice. Is this true?" IT guys said that theory sometimes does not work - I don't buy this.
I am looking at cost and its benifits, and also return on investment perspective. Secure but not expensive and not over do it (if the probability of happening is extremely low)
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I agree with you Jfer, . We already implementing those controls within the network.
However, they insist on having Firewall on all sites, and use IPSec between sites.
Roachy suggest an OpenSource for IpSec and Firewall. That will definitely reduce the cost. However, the IT guys decided to buy Juniper (it is costly).
From numerous comments it seems that using Firewall is an over-kill for private & closed network.
What will be the definite solution for this?
A. Opensource Firewall & IPSec for all sites since the cost is not expensive.
B. Applying layers of security controls for Internal Threats inclusive of Physical Security.
However, they insist on having Firewall on all sites, and use IPSec between sites.
Roachy suggest an OpenSource for IpSec and Firewall. That will definitely reduce the cost. However, the IT guys decided to buy Juniper (it is costly).
From numerous comments it seems that using Firewall is an over-kill for private & closed network.
What will be the definite solution for this?
A. Opensource Firewall & IPSec for all sites since the cost is not expensive.
B. Applying layers of security controls for Internal Threats inclusive of Physical Security.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Roachy,
Your recommendation really does help my understanding.
Before I close this question, I still have this doubt. From your experience and proffesional point of view do you consider someone can sniff MPLS network. From all the reading it seems impossible. And you said that - "on-the-wire" sniffing on the MPLS network if you regard this to be a risk". It seems that you have doubt that there is any probability of this going to happen.
Your recommendation really does help my understanding.
Before I close this question, I still have this doubt. From your experience and proffesional point of view do you consider someone can sniff MPLS network. From all the reading it seems impossible. And you said that - "on-the-wire" sniffing on the MPLS network if you regard this to be a risk". It seems that you have doubt that there is any probability of this going to happen.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks a lot. Now I have better understanding of IPSec, MPLS, Firewall, and Security.
is this a Point 2 Point Network via RF?
Password protecting boxes at both ends should be enough.
It seems maybe they just want a management app like Solar Winds to feel reassured
If it is via RF, is the payload encrypted?
Jfer