To Secure Private WAN

I have a private WAN which comprises a mix of SDH network and MPLS VPN network. This network does not connect to the Internet.
The management is not satisfied with the network security and wants to implement security measures on the network. They want a perimeter defense to be implemented. A group of people advised implementing a firewall. But I did not agree, as it is not cost effective: the network is not discoverable from the Internet and basically there is no external threat. Attached is a basic network diagram of how it looks.
Question: What are the best security measures this network should implement to have high security assurance?


Is this a point-to-point network via RF?

Password protecting boxes at both ends should be enough.

It seems maybe they just want a management app like Solar Winds to feel reassured.

If it is via RF, is the payload encrypted?


ArifnorAuthor Commented:

Not all are RF. In the SDH network some are RF, some are normal leased lines.
There is an MPLS VPN that connects some of the sites.
What is Solar Winds - what is its purpose?
What about the question on the firewall - is it correct that a firewall is not required?
RF payload is not encrypted. Is there a possibility someone could eavesdrop/sniff on this point-to-point RF fixed network?
Solar Winds is a management GUI that maps all your network resources;

it's very expensive though.

Firewalls are generally used to thwart external threats; it becomes difficult to audit your LAN because it seems you are protecting your networks against your own employees, correct?

Sniffing RF is uncommon at layer 2, but if you use proprietary RF equipment, like Motorola, the burst in which it is transmitted provides certain security.

It is possible to sniff and decrypt RF, of course; would anyone spend the time to target your company in particular? Not necessarily.


ArifnorAuthor Commented:
Hi Jfer,

Thanks for the info on SolarWinds.
I am not worried about the SDH network and RF, as the possibility of someone sniffing or hacking is almost negligible.

As I mentioned, there is an MPLS network. What kind of external threat are we facing on MPLS? (There is NO connection to the Internet.) What kind of security measures should I implement?

Protecting the network from internal threats - what are the most cost effective solutions you would recommend?
Firewalling MPLS traffic is an option - although it may not be worth the effort if traffic such as SMB is to be permitted.

It's worth looking at the traffic that you need to be permitted in order to decide whether other types of traffic pose a risk.

In terms of securing the network...I'd be more concerned with mitigating internal risks, such as the use of USB keys, CD-R/Ws etc. to prevent the removal of data from the network, and strong policies to prevent the installation of third-party software by staff on the network.
I agree with Roachy1979,

physical security concerns for your equipment are very important.

In my opinion, it seems your network would be best protected against itself rather than against external threats.
ArifnorAuthor Commented:
Jfer & Roachy,

Thanks. Sorry for the delay in responding to both of you.

Before I close, I still don't understand this:

1. "Firewalling MPLS traffic is an option - although it may not be worth the effort if traffic such as SMB is to be permitted"

Why is a firewall an option? Is it worth it? Can I ask them to use an IPSec "host to host" implementation instead? What is SMB traffic?

2. "It's worth looking at the traffic that you need to be permitted in order to decide whether other types of traffic pose a risk"

You mean the company needs to decide what traffic is allowable/permitted, then deny all others?

Physical security & stringent policy should be the best option.
I am still looking for a technical solution to show that the technical team has some security solutioning to be implemented.
SMB traffic is Server Message Block traffic - used for Windows file sharing.....with this permitted, effectively you have a huge security hole, if the goal is to protect the private network.

It might be possible to restrict this traffic from clients to servers, but still it's a vulnerability. In most cases on Windows networks, though, this is required for things to function properly.

In response to point 2, yes - that is best practice and should be adhered to. Deny everything and then allow services one at a time on a required basis. A firewall would be useful to implement this policy....but again I would emphasise the need for on-site physical security (USB keys, etc)...
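As an added illustration of the "deny everything, then allow services one at a time on a required basis" policy discussed above (this is example code, not code from the thread or from any product mentioned), the block below models a site gateway's forwarding policy for two of the WAN sites. The site address ranges, gateway addresses and the choice of iptables as the enforcement tool are assumptions for the example; the rules permit SMB (TCP 445) only from clients towards servers and IKE/ESP only between the two gateways, and everything else falls through to the default drop.

```python
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

@dataclass(frozen=True)
class Rule:
    src: str          # source network or host (CIDR or single address)
    dst: str          # destination network or host
    proto: str        # "tcp", "udp" or "esp"
    dport: Optional[int]  # destination port, None for protocols without ports
    action: str       # "ACCEPT" (anything not matched is dropped by default)

# Constructed addressing for two sites (assumed for this example, not from the thread).
SITE_A_CLIENTS = "10.1.10.0/24"
SITE_A_SERVERS = "10.1.20.0/24"
SITE_B_SERVERS = "10.2.20.0/24"
GW_A, GW_B = "10.1.0.1", "10.2.0.1"

# Allow-list: SMB only towards servers, IPsec (IKE + ESP) only between gateways.
RULES: List[Rule] = [
    Rule(SITE_A_CLIENTS, SITE_B_SERVERS, "tcp", 445, "ACCEPT"),
    Rule(SITE_A_SERVERS, SITE_B_SERVERS, "tcp", 445, "ACCEPT"),
    Rule(GW_A, GW_B, "udp", 500, "ACCEPT"),   # IKE negotiation
    Rule(GW_A, GW_B, "esp", None, "ACCEPT"),  # encrypted tunnel payload
]

def evaluate(rules: List[Rule], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> str:
    """First-match evaluation of the first packet of a flow; default is DROP."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and proto == r.proto and (r.dport is None or r.dport == dport)):
            return r.action
    return "DROP"

def to_iptables(rules: List[Rule]) -> List[str]:
    """Render the same policy as iptables FORWARD-chain commands for a Linux gateway."""
    lines = [
        "iptables -P FORWARD DROP",  # default deny, then allow per service
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        cmd = f"iptables -A FORWARD -s {r.src} -d {r.dst} -p {r.proto}"
        if r.dport is not None:
            cmd += f" --dport {r.dport}"
        lines.append(f"{cmd} -j {r.action}")
    return lines

if __name__ == "__main__":
    print(evaluate(RULES, "10.1.10.5", "10.2.20.7", "tcp", 445))  # client -> server SMB
    print(evaluate(RULES, "10.2.20.7", "10.1.10.5", "tcp", 445))  # server -> client SMB
    print("\n".join(to_iptables(RULES)))
```

The reverse-direction SMB flow and any non-listed port are dropped by the default policy, which is the isolation between sites the IT team cites; return traffic for permitted flows is handled by the conntrack rule.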

ArifnorAuthor Commented:

Thanks for the info on the SMB traffic vulnerability.

Hi All,
Again, my question - should we implement a firewall on the MPLS network and on the point-to-point network? If yes, I need a concrete justification; if not, I also need concrete reasons. I am nervous to face the IT team & management team. BTW, I am in risk management. I would appreciate a definite answer.

I did not expect an external threat to the network. Am I correct to say that?
Yes - you are safe from direct external threats.

Your question depends very much on the type of traffic you have though. If you have vulnerable data on the private network segment then you should firewall and restrict traffic to and from the hosts/networks, allowing only the traffic required on a port-by-port basis. This will (to some degree) protect you from INTERNAL threats, and external threats that have compromised vulnerabilities on Internet-connected internal machines.

Assume the worst case scenario that an Internet connected machine is compromised - you don't want that machine to then have unrestricted access to the private network (on all ports and services).  Of course, without more detail on services you are running on the private segment and software and OS on the public and private networks I can't comment on vulnerabilities and risks...
ArifnorAuthor Commented:
Roachy & all,

I am not sure what you mean by "vulnerable data on the private network segment then you should firewall and restrict traffic to and from".
As mentioned before, there is no Internet connection to this private WAN. The network connects about 15 LANs located in separate, different geographic locations.
The IT guys are recommending that a firewall be installed at all locations and that the IPSec features in the FW (gateway to gateway) be used. I was also told by them that IPsec host-to-host implementation doesn't work in practice. Is this true? The justification given: there are external threats to the MPLS network, an intruder can connect to the network from the Service Provider network (which makes me curious and doubtful of the claim), and as an isolation mechanism for all other LANs if one of the LANs is compromised (which makes me further question the function of the firewall - which is to filter unwanted external traffic, and to separate untrusted networks from trusted networks). I argue that those are internal threats, and the risk can be mitigated through proper physical security mechanisms.
In all the LANs we have a mix of servers and hosts running Windows OS and also custom Linux. These servers and hosts send and receive traffic to and from hosts in other LANs.
I would appreciate your further comments and explanations to clear my doubt.
Thanks for clarifying - I am starting to understand where the IT team are coming from a little better now. To summarise the risks to the network:

1) Any network is vulnerable to service providers who have access to that network. If you are sending data over a 3rd party's equipment (whether that 3rd party is a telco, ISP or hosting provider) then that data can be sniffed, captured, interrogated, modified and used. The exception to this is when the data is encrypted.

2) Internal risks include staff at any site with unrequited access to the MPLS network. These staff, without access control, could pose a risk to the data at any site.

3) External risks - if site A has no Internet access but site B does, a machine at site B could be compromised and used to attack or gather data from site A.

I suspect that your IT team are referring to the use of IPSEC between sites on the MPLS network because they feel that data may be vulnerable in transit between sites. IPSEC traffic between sites would reduce the risks mentioned in point 1. This is not a common risk scenario as MPLS networks are considered secure, in so far as a duty of trust is placed upon the MPLS provider that they have appropriate audit and review of staff actions, and that the staff they employ are screened, checked and trustworthy. Potentially data could be sniffed at any router on the MPLS network, but I would regard this as highly unlikely - and your data would need to be highly sensitive for the effort involved to capture it (think bribing or placing an employee within the service provider with this specific goal in mind).

Effectively, the firewall at each site would restrict traffic to only that which should be permitted, and IPSEC would provide encryption of traffic between the sites, thus preventing any sniffing of data on the wire....but remember that these are effectively point-to-point links and this traffic is not travelling over the public Internet, and therefore I would assume the risk to be low.

Extra security mechanisms in place cannot be a bad thing (unless they prevent staff from doing their jobs), but in your position I would be asking why the MPLS provider is considered untrustworthy, as that would appear to be where your IT team are targeting the extra layer of security.

Perhaps you might be overkilling security though.

The best way to thwart internal attacks would be to log and review unauthorized use attempts, and make sure accounts exist that identify individual personnel, to identify perpetrators.

For instance, only one admin account used by the account admin; other high-privileged accounts should be named and attached to only one person.

The likelihood of attack on a closed network is very low.

I understand that you want to protect your assets the best way possible, but this step would really require much investment, and is probably already available in your current setup.

You would be amazed to find out how lax some admins are about sharing their accounts with other staff members.

Verify that the practice isn't so abused in your company.

ArifnorAuthor Commented:
Thanks Roachy,

Isn't it expensive (not cost effective) to install a firewall at each of 15 sites (knowing that there is no external connection, i.e. Internet)? You can use IPSec in another manner. That is why I asked about host-to-host implementation.
I did ask about "IPsec host-to-host implementation doesn't work in practice. Is this true?" The IT guys said that theory sometimes does not work - I don't buy this.
I am looking at cost and its benefits, and also from a return on investment perspective. Secure but not expensive and not overdone (if the probability of it happening is extremely low).
Cost depends on the type of implementation you are looking at. If you want to encrypt traffic on a host-to-host basis between all servers at remote sites then I would say that you would have a higher TCO (Total Cost of Ownership) than a LAN-to-LAN IPSEC implementation. The management overheads of such connections are likely to be significantly higher than if the encryption was happening at a single perimeter device, which is, I suspect, why your IT team have stated that host-to-host IPSEC will not work in practice.

Cost also depends on the type of firewall you are looking to use - obviously if you go for a branded appliance (Cisco/Juniper, etc) then licencing for IPSEC as well as hardware are a cost consideration, but similar functionality could also be achieved purely for the cost of hardware and implementation time using a Linux or Unix based solution (and judging by the fact that you are running some *nix servers I'm assuming you have this experience in-house). A solution could be built in a cost effective fashion in-house (using Openswan for IPSEC), or a firewall distribution could be used to achieve your goals (look at pfSense for example). Doing things this way means that functionality can also be added further down the line.

Even if the functionality is required, it can be done at relatively low cost - and have some pretty impressive features (high-availability, traffic and load monitoring, etc, etc).
ArifnorAuthor Commented:
I agree with you Jfer. We are already implementing those controls within the network.
However, they insist on having a firewall at all sites, and using IPSec between sites.

Roachy suggests open source for IPSec and firewall. That will definitely reduce the cost. However, the IT guys decided to buy Juniper (it is costly).

From numerous comments it seems that using a firewall is overkill for a private & closed network.

What will be the definite solution for this?
A. Open source firewall & IPSec for all sites, since the cost is not high.
B. Applying layers of security controls for internal threats, inclusive of physical security.
There are many ways to skin a cat as it were.

Put in this position, my personal viewpoint would be:

A. Either use pfSense with high-availability built in (using the CARP module), or build your own solution from the ground up....but use Openswan for the IPSEC functionality without restriction on the number of IPSEC connections. This will provide protection from "on-the-wire" sniffing on the MPLS network if you regard this to be a risk. Secure any unused ports using these firewalls. Also install an IDS solution, such as Snort, at various points on the network.

B. Apply a strong password policy and access control, physical access control (electronic keypads with auditing functionality), CCTV at entrances of sensitive areas, use Group Policy to restrict application use and effectively turn client machines into reduced-functionality boxes (only permitting required applications and services). Disable USB ports in the BIOS and password protect the BIOS. Disable unused SATA/IDE channels in the BIOS, remove any optical drives, and employ port security on all switches. Random bag searches on all employees entering areas may also help.

Of course this is a perfect world scenario for data protection and some or all of this may not be financially viable or practical....but again, if there is serious concern about data being sniffed off the MPLS circuit, then I would also consider all of the above to be equally important.

ArifnorAuthor Commented:
Hi Roachy,

Your recommendation really does help my understanding.

Before I close this question, I still have this doubt. From your experience and professional point of view, do you consider that someone can sniff an MPLS network? From all the reading it seems impossible. And you said - ""on-the-wire" sniffing on the MPLS network if you regard this to be a risk". It seems that you have doubt that there is any probability of this happening.

When I said ""on-the-wire" sniffing on the MPLS network if you regard this to be a risk" I was referring to the duty of trust placed upon the carrier. Effectively an MPLS network is an unencrypted IP network - the identification of the network that a packet belongs to is via a tag in the packet header. Because this data is unencrypted, data can be captured at any device that the data traverses - much like any Internet traffic. This traffic is susceptible to man-in-the-middle attacks and simple sniffing - but only from within the carrier's network - if you trust the carrier, then it is safe to assume that your data is protected - if you do not trust the carrier, then encryption should be employed to prevent this area of vulnerability from being exploited...

There are some discussion papers available for review here:

There is also a document pertaining to the misconfiguration (deliberate or accidental) of MPLS tagging here: which may also provide some insight...


ArifnorAuthor Commented:
Thanks a lot. Now I have better understanding of IPSec, MPLS, Firewall, and Security.