Extremely high network security

Dear Experts

We have a hosted application server, which is web based, in the head office, and this application has to be accessed from remote sites which are located at a distance. The remote site 1 and remote site 2 users need to log in to the application and work, but they have to be limited to using this application only from within the remote site office premises network. We should design the network to be extremely highly secured. Following are the options I think of, as well as a few challenges and suggestions:

1. Connect the head office and the two remote sites with an MPLS VPN network from reputed service providers, so that remote site users will access the application server within the MPLS VPN network.

2. If the service provider says an MPLS VPN connection is not feasible at the remote sites, then we have to go for a leased line circuit at all three locations, that is the head office where the application server is hosted, remote site office 1 and remote site office 2, install a strong firewall and connect all 3 locations with site-to-site VPN connectivity. We can go for a Cisco firewall or Sonic.

3. If MPLS VPN and leased line are both not possible due to non-feasibility from the service providers, and we are left with the option of broadband connectivity or data cards/dongles, then how do we achieve extremely high security? Below is what I can think of, but I request the experts' inputs, suggestions, possibilities and recommendations.

a) In this case users from the remote sites are to be allowed to access the application server through either broadband connectivity or dongle/data card connectivity, but my concern and worry is how to put in extremely high security. Please suggest: is it like the hardware firewall at the head office is to be configured to set up a VPN client, and end users at the remote site can connect to the application server only if they log in through the VPN client? Please suggest the best security connectivity here, and can it really be secured?

b) Is there any other best technology to handle this? We are okay if we have to invest money; something like a VPN service such as Strong VPN https://strongvpn.com/ where a dedicated IP will be assigned when our subscribed account is used, even when connected via broadband or data card/dongle, and this IP is allowed in the head office firewall. I am not clear; please guide and recommend the best here.

c) Though the users connect to the internet through the data card/dongle or broadband, please let me know: is there a way to set up a highly secured encryption layer, with keys exchanged from the remote site users' systems to the head office firewall, which, if they match, allows access to the application server? Can you please suggest such a solution? We are okay to invest.

I request the experts' support please. Thanks in advance.

John (Business Consultant, Owner) commented:
"this application has to be accessed from remote site's which are located at a distance, the remote site 1 and remote site 2 users to login to the application and work but they have to be limited to use this application only from within the remote site office premise network"

So at a very high planning level, put in site-to-site VPN tunnels between Head Office and Remote 1 and Remote 2. Do not provide any client access into these VPN boxes, just site-to-site connections.

Do not try to do this without VPN or equivalent security.

Do not use dongles for access, as that needs client-to-gateway VPN and you specifically excluded that.

The first thing for you to do is find out what connectivity capabilities you have for Remote 1 and Remote 2.

I would actually do this a little differently.

Instead of MPLS, I would go Layer 2 if cost is a factor.

I would install a Layer 2 circuit at each location.
I would then put in redundant internet circuits at two different sites.
I would connect all of that using BGP and set up the redundant zones.
I would set up a VPN secured by a 2FA mechanism such as Duo Security https://duo.com/

I would then set up site-specific policies in ADSS and then secure that using GPO and my firewall rules.

Hope this helps.
My above response will work with MPLS and other Internet circuit types. Layer 2 is a much more economical way to provide the service and affords you "FULL" control over your circuit and the changes you make to it. I.e. you don't have to wait 2 weeks to add an additional address to an interface or a route on your MPLS or other connection type; you can do it yourself.

noci (Software Engineer) commented:
MPLS VPNs are not always encrypted. (VPN as such doesn't mean encrypted.)
If needed, use at least site-to-site encryption (IPsec is a very good way to do that, as it preserves all IP semantics).
Other VPN technologies do not always respect that. OpenVPN is often used across TCP links, which violates UDP expectancies.

If needed, IPsec can also be used system to system. With modern CPUs this is not a huge penalty on compute power.
John (Business Consultant, Owner) commented:
"IPSEC can also be used System - System.  With modern CPU's this is not a huge penalty on compute power."

We have no issue with modern equipment and IPsec.
"MPLS Vpns are not always encrypted. (VPN as such doesn't mean encrypted).
If needed use at least Site 2 Site encryption (IPSEC is a very good way to do that as it preserves all IP"

Maybe I am missing the point, but why do they need to be? MPLS and Layer 2 consist of two "separate" types of connection.

An MPLS uses IPVPN circuits at each location, and in one location uses an additional Internet circuit which is used as the gateway.

All IPVPN segments are completely isolated from the internet except through the gateway at the focal point of the network.
Each IPVPN segment has ISP-set static routes to each of the other segments of the MPLS, coupled with QoS built into the connection.

There is no danger of traffic going "directly" to a segment of an IPVPN circuit. Rather, all external traffic MUST pass through the gateway or Internet circuit and then be routed to the proper IPVPN segment. Adding an additional layer of security to the IPVPN isn't necessary, as it is isolated and can only be seen by other locations on "YOUR" network.

Securing the edge-facing router should however be of utmost concern, and that is where you would control the SSL VPN or IPsec policies as well as your firewall traffic and zone policies allowing Internet-facing connections into and out of your network.
noci (Software Engineer) commented:
IMHO "Highly Secure" means one also wants to protect against eavesdropping, MitM etc., so encryption is almost #1 on the priority list.
Besides that, encryption also means that sender and receiver agree they both have their respective role ...
Encryption ensures integrity and confidentiality with KNOWN endpoints.
MPLS is "just" a way to expedite packets, with the right route built into the packets (I know, too short a description), in the right direction.
This does nothing for confidentiality, only partly for integrity, and nothing for endpoints.

So it comes down to the question "is it IMPOSSIBLE with MPLS to have some point in the middle somewhere (ISP exchange, for example), on a router, get a copy of the stream involved sent somewhere else? Think copy or span port on a switch... or even use a switch with a copy/span port in the mix...?"
(Why not hijack the complete stream INCLUDING the MPLS frames and use analyzer software to strip the MPLS layers and get to the data...)
Not encrypting means one has to blindly trust the ISP to do the right thing....
I think in the USofA it was AT&T that had complete tap rooms to facilitate the NSA?... so how to prevent eavesdropping.
IMHO there cannot be enough encryption for data at rest or data in transit.

And then the title of the Q is about extremely high network security, so system-to-system encryption might be the right way to even prevent eavesdropping on premises.
VPN providers like StrongVPN offer to take your traffic halfway around the globe and then release it on the internet.
This more or less hides the REAL data location. Nice addition for public-facing traffic, unusable for internal traffic.
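
To make the point about MPLS offering no confidentiality concrete, here is an added example (written for this page, not code from noci or any other participant). It builds a constructed MPLS-labelled IPv4/TCP frame carrying a login request to the web application and a second frame for the same flow after site-to-site IPsec (ESP, IP protocol 50), then parses both the way an on-path observer could; all labels, addresses and bytes are made-up sample values.

```python
import struct

# Constructed sample traffic (not captures from this thread): an MPLS-labelled
# IPv4/TCP frame as it would travel inside an unencrypted MPLS VPN, and the same
# flow after IPsec, where only the ESP header (SPI, sequence number) is readable.

def build_mpls(labels):
    """Encode an MPLS label stack (RFC 3032); S bit set on the last entry, TTL 64."""
    return b"".join(struct.pack("!I", (lab << 12) | ((i == len(labels) - 1) << 8) | 64)
                    for i, lab in enumerate(labels))

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header, no options; checksum left zero in this sample."""
    ip = lambda a: bytes(map(int, a.split(".")))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ip(src), ip(dst)) + payload

def build_tcp(sport, dport, payload):
    """Minimal 20-byte TCP header (data offset 5, PSH|ACK)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def inspect_frame(frame):
    """What an on-path observer (ISP router, span port) can read from one MPLS frame."""
    labels, off = [], 0
    while True:  # walk the label stack: 20-bit label, 3-bit TC, 1-bit S, 8-bit TTL
        entry, = struct.unpack_from("!I", frame, off)
        labels.append(entry >> 12)
        off += 4
        if (entry >> 8) & 1:  # bottom of stack reached; IPv4 header follows
            break
    ip = frame[off:]
    ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
    info = {"labels": labels, "proto": proto,
            "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
    body = ip[ihl:]
    if proto == 6:  # TCP: ports and the application data are fully readable
        info["sport"], info["dport"] = struct.unpack_from("!HH", body, 0)
        info["payload"] = body[(body[12] >> 4) * 4:]
    elif proto == 50:  # ESP: only SPI and sequence number are visible, payload is ciphertext
        info["spi"], info["seq"] = struct.unpack_from("!II", body, 0)
        info["payload"] = None
    return info

HTTP_REQ = b"POST /login HTTP/1.1\r\nHost: app.headoffice.example\r\n\r\nuser=alice&pw=hunter2"
LABELS = [16001, 24]  # constructed transport and VPN labels
PLAIN_FRAME = build_mpls(LABELS) + build_ipv4("10.2.0.15", "10.0.0.10", 6, build_tcp(51000, 80, HTTP_REQ))
# Same flow inside an IPsec tunnel between the site gateways; the 48 bytes after the
# ESP header stand in for the encrypted TCP segment (not decodable by the observer).
ESP_FRAME = build_mpls(LABELS) + build_ipv4("203.0.113.2", "198.51.100.1", 50,
                                            struct.pack("!II", 0x0C0FFEE1, 7) + bytes(range(48)))
```

Running `inspect_frame` on `PLAIN_FRAME` returns the credentials in `payload`; on `ESP_FRAME` it returns only the gateway addresses, SPI and sequence number, which is the difference the site-to-site IPsec recommendation above is about.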

ISPs have multiple levels of checks and balances as well as permissions and roles and responsibilities. It is very unlikely that they are going to purposely hijack the data of a business customer, but you make a point: IF, and highly unlikely IF, someone could gain access to the ISP's system and have enough privileges to add themselves to the BGP route group and VPN that your network is a part of, then yes, it would be possible to execute a man-in-the-middle attack on your network by the scenario presented above. This would require "ADMIN" privileges at the ISP level as well as expert switching knowledge. In short, it could be done by a senior transport engineer at the ISP. The chances of this happening are very slim, however, but sure, if you see that as a high-level threat and want to take the performance hit, go right ahead and implement it.

Any other experts want to chime in? For or against?

John (Business Consultant, Owner) commented:
There are numerous places where MPLS is not a current option. So while your way is one way (of several), the options shown above securely service locations with standard broadband. There is more than one way to do things correctly.

Agreed 100%. Personally I prefer the Layer 2 solution to MPLS. It is much more configurable and cost effective. You could do the same thing with S2S VPN and a standard broadband connection. That is very true.
John (Business Consultant, Owner) commented:
VPN hardware has become so inexpensive that any savings would be less than a days work.

Depends on the performance and the throughput you need from that hardware. For instance, running VoIP across an encrypted VPN is not ideal in a lot of areas. However, running just data across an encrypted VPN would be fine in that case.

A lot of the time broadband solutions have high latency and jitter, not making them ideal for a lot of scenarios.
John (Business Consultant, Owner) commented:
We have VoIP on separate circuits not using VPN.
D_wathi (Author) commented:
For broadband users and dongle/data card users who work remotely, is it recommended to set it up so they log in through the VPN client to access the web-based application, and also go for a 2FA mechanism such as Duo Security https://duo.com/?
Please suggest.
Personally I prefer Duo to a lot of other options out there due to the simplicity of the end-user interaction required.
John (Business Consultant, Owner) commented:
If you use IPsec you can use split tunnel, and then remote users do not need to use the VPN to get to the internet.
Technical Engeneer (Technical Support Specialist) commented:
Holy magical llama, I don't know how proactive network monitoring practices didn't come up. One thing is setting up roadblocks (firewalls, VPNs, encryption, tons of other stuff), but the "set-and-go-away" model is by far outdated.

If network security is on your mind, being proactive is the key difference between "something suspicious might be happening" and "oh crap, data leaked". The only issue is keeping a pulse on what's going on, network- and systems-wise.

AdRem published a decent article regarding proactive network monitoring best practices in regard to GDPR. However, I think it would apply in just about any security-focused setup: https://www.adremsoft.com/blog/view/blog/10905819293987/7-proactive-ways-of-monitoring-your-network-in-order-to-stay-compliant-with-gdpr

A decent network and systems monitor (especially one which is policy-based) should do the trick. If you don't have the time to invest and configure everything by hand with open source (something like OpenNMS), definitely look into NetCrunch.
noci (Software Engineer) commented:
Sorry, I did not answer @ITguy65 before:
BGP hijack might be easier than breaking in into an ISP:


The BGP protocol needs an addendum.