Goutham (India) asked:
extremely high network security

Dear Experts

We have hosted a web-based application server in the head office, and this application has to be accessed from remote sites which are located at a distance. The remote site 1 and remote site 2 users need to log in to the application and work, but they have to be limited to using this application only from within the remote site office premises network. We should design the network to be extremely highly secured. The following are the options I think of, as well as a few challenges and suggestions:
1. Connect the head office and the two remote sites with an MPLS VPN network from reputed service providers, so that remote site users will access the application server within the MPLS VPN network.
2. If the service provider says an MPLS VPN connection is not feasible at the remote sites, then we have to go for leased line circuits at all three locations, that is, the head office where the application server is hosted, remote site office 1 and remote site office 2, install strong firewalls and connect all 3 locations with site-to-site VPN connectivity; we can go for Cisco or SonicWall firewalls.
3. If MPLS VPN and leased lines are both not possible due to non-feasibility from the service providers and we are left with the option of broadband connectivity OR data cards/dongles, then how do we achieve extremely high security? Below is what I can think of, but I request the experts' inputs, suggestions, possibilities and recommendations:
a) In this case users from the remote sites would be allowed to access the application server through either broadband connectivity OR dongle/data card connectivity, but my concern and worry is how to put in extremely high security. Please suggest: is it like a hardware firewall at the head office being configured as a VPN server, so that end users at the remote site can connect to the application server only if they log in through a VPN client? Please suggest the best secure connectivity here, and can it really be secured?
b) Is there any other best technology to handle this? We are okay if we have to invest money, something like a VPN service such as Strong VPN https://strongvpn.com/ where a dedicated IP will be assigned when our subscribed account is used, even when connected via broadband or data card/dongle, and this IP is allowed in the head office firewall. I am not clear; please guide and recommend the best option here.
c) Though the users connect to the internet through the data card/dongle or broadband, please let me know whether it is possible to set up a highly secure encryption layer with keys exchanged from the remote site users' systems to the head office firewall, which then allows access to the application server only if they match. Can you please suggest such a solution? We are okay to invest.
I request the experts' support please, thanks in advance.
John (Canada):

this application has to be accessed from remote sites which are located at a distance, the remote site 1 and remote site 2 users to login to the application and work but they have to be limited to use this application only from within the remote site office premise network

So at a very high planning level, put in Site to Site VPN tunnels between Head Office and Remote 1, Remote 2.  Do not provide any client access into these VPN boxes - just Site to Site connections.

Do not try to do this without VPN or equivalent security.

Do not use Dongles for access as that needs client to gateway VPN and you specifically excluded that.

The first thing for you to do is find out what connectivity capabilities you have for Remote 1 and Remote 2.
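The requirement in the question is that application users must only come from inside the remote site premises, and the design above delivers that through site-to-site tunnels with no client access. A practitioner would still want a way to verify, from the application server's own access log, that every request really arrived from one of the tunnelled office subnets. The following script is an added example and not part of the thread or any product mentioned in it; the subnets, usernames and log lines are all constructed placeholders, and the log format is assumed to be a simple common-log-style line.

```python
import ipaddress
import re

# Constructed assumption: these private subnets are the office LANs that sit
# behind the site-to-site tunnels. Replace with the real site networks.
ALLOWED_SITE_NETS = {
    "remote-site-1": ipaddress.ip_network("10.10.1.0/24"),
    "remote-site-2": ipaddress.ip_network("10.10.2.0/24"),
}

# Constructed sample access log: client IP, user, timestamp, request, status.
# The third line (a public address) and the fourth (an unknown private subnet)
# are deliberately outside the allowed office networks.
SAMPLE_LOG = """\
10.10.1.25 - alice [12/Mar/2019:09:01:10 +0530] "POST /login HTTP/1.1" 200
10.10.2.40 - bob [12/Mar/2019:09:02:45 +0530] "GET /report HTTP/1.1" 200
203.0.113.77 - alice [12/Mar/2019:09:03:12 +0530] "POST /login HTTP/1.1" 200
10.10.3.9 - carol [12/Mar/2019:09:04:00 +0530] "GET /export HTTP/1.1" 403
"""

# Assumed log line shape: '<ip> - <user> [<timestamp>] "<request>" <status>'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})$'
)


def site_for(ip_str):
    """Return the site name whose subnet contains ip_str, or None if it is
    outside every allowed office network (or not a valid address)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return None
    for name, net in ALLOWED_SITE_NETS.items():
        if ip in net:
            return name
    return None


def audit(log_text):
    """Scan access-log text and return one finding per request whose source
    address is not inside an allowed site subnet.

    'accepted' is True when the application answered with a non-error status,
    i.e. the premises-only control did not actually stop that request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole audit
        if site_for(m["ip"]) is not None:
            continue  # request came from a tunnelled office subnet, as required
        status = int(m["status"])
        findings.append({
            "ip": m["ip"],
            "user": m["user"],
            "ts": m["ts"],
            "request": m["req"],
            "status": status,
            "accepted": status < 400,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        verdict = "ACCEPTED (control failed)" if f["accepted"] else "rejected"
        print(f'{f["ts"]} {f["user"]}@{f["ip"]} {f["request"]!r} -> {verdict}')
```

The source address is only trustworthy here because the IPsec peers are authenticated and the head-office firewall admits application traffic solely from the tunnels; the script is a detection layer that catches a misconfiguration (a request from a public or unexpected address that the server still answered with 200), not the control itself. If the tunnel endpoint applies NAT, the server will see the gateway address instead of the user's workstation, and the allowed networks must be adjusted accordingly.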
SOLUTION
ITguy565 (United States of America):
My above response will work with MPLS and other Internet circuit types.. Layer 2 is a much more economical way to provide the service and affords you "FULL" control over your circuit and the changes you make to it. IE you don't have to wait 2 weeks to add an additional address to an interface or route on your MPLS or other connection type, you can do it yourself.
noci:
MPLS Vpns are not always encrypted. (VPN as such doesn't mean encrypted).
If needed use at least Site 2 Site encryption (IPSEC is a very good way to do that as it preserves all IP semantics).
Other VPN technologies do not always respect that.  OpenVPN is often used across TCP links, which violates UDP expectancies.

If needed IPSEC can also be used System - System.  With modern CPU's this is not a huge penalty on compute power.
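The point above, that a site-to-site IPsec tunnel gives encryption between known endpoints while keeping IP semantics intact, is easiest to see in an actual gateway configuration. The following strongSwan swanctl.conf stanza is an added example and is not from the thread or from any vendor mentioned in it; the gateway addresses, office subnets, certificate file and identity names are all placeholders, and it assumes strongSwan 5.x with the swanctl/vici interface.

```conf
# Added example (not from the thread): one site-to-site IKEv2/IPsec tunnel,
# head office <-> remote site 1, in strongSwan swanctl.conf syntax.
# Every address, subnet and certificate name below is a placeholder.
connections {
    ho-to-remote1 {
        version = 2                          # IKEv2 only, no IKEv1 fallback
        local_addrs  = 203.0.113.10          # head-office gateway (placeholder)
        remote_addrs = 198.51.100.20         # remote-site-1 gateway (placeholder)

        # Mutual certificate authentication: each gateway proves who it is,
        # which is the "known endpoints" property discussed in this thread.
        local {
            auth  = pubkey
            certs = headoffice-gw.pem        # placeholder certificate file
            id    = "CN=headoffice-gw.example.com"
        }
        remote {
            auth = pubkey
            id   = "CN=remote1-gw.example.com"
        }

        # AEAD cipher with an ECDH group; no legacy proposals are offered.
        proposals = aes256gcm16-prfsha384-x25519

        children {
            app-net {
                # Traffic selectors: only the application subnet at the head
                # office and the office LAN at remote site 1 may use the tunnel.
                # No 0.0.0.0/0 "road warrior" style selectors.
                local_ts  = 10.0.1.0/24
                remote_ts = 10.0.2.0/24
                esp_proposals = aes256gcm16-x25519
                start_action  = start        # bring the tunnel up at daemon start
                dpd_action    = restart      # re-establish if the peer goes silent
                rekey_time    = 1h
            }
        }
        dpd_delay = 30s
    }
}
```

Remote site 2 gets an identical stanza with its own addresses and subnet, and the same file, with the local and remote sections swapped, goes on each remote gateway. Because the selectors are pinned to the two office subnets, a host outside those networks cannot send traffic through the tunnel even if it reaches the gateway, and the head-office firewall can then allow the application port only for packets that arrived through the IPsec policy rather than for any packet carrying a private source address.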

We have no issue with modern equipment and IPsec.
MPLS Vpns are not always encrypted. (VPN as such doesn't mean encrypted).
If needed use at least Site 2 Site encryption (IPSEC is a very good way to do that as it preserves all IP

Maybe I am missing the point, but why do they need to be? MPLS and Layer 2 consist of two "separate" types of connection..

An MPLS uses IPVPN circuits at each location and in one location uses an additional Internet Circuit which is used as the gateway.

All IPVPN segments are completely isolated from the internet except through the gateway at the focal point of the network.
Each IPVPN segment has ISP-set static routes to each of the other segments of the MPLS, coupled with QoS built into the connection.

There is no danger of traffic going "directly" to a segment of an IPVPN circuit. Rather, all external traffic MUST pass through the gateway or internet circuit and then be routed to the proper IPVPN segment. Adding an additional layer of security to the IPVPN isn't necessary as it is isolated and can only be seen by other locations on "YOUR" network.

Securing the edge-facing router should however be of utmost concern, and that is where you would control the SSL VPN or IPsec policies as well as your firewall traffic and zone policies allowing internet-facing connections into and out of your network..
IMHO "Highly Secure" means one also wants to protect against eavesdropping, MitM etc., so encryption is almost #1 on the priority list.
Besides that, encryption also means that sender and receiver agree they both have their respective role ...
Encryption ensures: integrity & confidentiality with KNOWN endpoints.
MPLS is "just" a way to expedite packets with the right route built into the packets (I know, too short of a description) in the right direction..
This does nothing for confidentiality, only partly for integrity, and nothing for endpoints.

So it comes down to the question "is it IMPOSSIBLE with MPLS to have some point in the middle somewhere (ISP exchange f.e.) on a router, to get a copy of the stream involved to be sent somewhere else??? Think copy or SPAN port on a switch... or even use a switch with a copy/SPAN port in the mix...?"
(Why not hijack the complete stream INCLUDING the MPLS frames and use analyzer software to strip the MPLS layers and get to the data...)
Not encrypting means one has to blindly trust the ISP to do the right thing....
I think in the USofA it was AT&T that had complete tap rooms to facilitate the NSA?... so how to prevent eavesdropping.
IMHO there cannot be enough encryption for data at rest or data in transit.

And then the title of the Q is about extremely high network security, so system-to-system encryption might be the right way to even prevent eavesdropping on premises.
VPN providers like StrongVPN offer to take your traffic halfway around the globe and then release it on the internet.
This more or less hides the REAL data location. A nice addition for public-facing traffic, unusable for internal traffic.
ASKER CERTIFIED SOLUTION
There are numerous places where MPLS is not a current option. So while your way is one way (of several), the options shown above securely service locations with standard broadband. There is more than one way to do things correctly.
@John

Agreed 100% personally I prefer the layer 2 solution to MPLS. It is much more configurable and cost effective.. You could do the same thing with S2S VPN and a standard broadband connection.. That is very true.
VPN hardware has become so inexpensive that any savings would be less than a days work.
@John

Depends on the performance and the throughput you need from that hardware.. For instance, running VoIP across an encrypted VPN is not ideal in a lot of areas. However, running just data across an encrypted VPN would be fine in that case.

A lot of the time broadband solutions have high latency and jitter, not making them ideal for a lot of scenarios.
We have VoIP on separate circuits not using VPN.
Goutham (asker):

For broadband users and dongle/data card users who work remotely, is it recommended to set up that they log in through the VPN client to access the web-based application and also go for a 2FA mechanism such as Duo Security https://duo.com/ ?
Please suggest.
Personally I prefer Duo to a lot of other options out there due to the simplicity of the end-user interaction required.
If you use IPsec you can use split tunnel, and then remote users do not need to use the VPN to get to the internet.
Holy magical llama, I don't know how proactive network monitoring practices didn't come up. One thing is setting up roadblocks (firewalls, VPNs, encryption, tons of other stuff), but the "set-and-go-away" model is by far outdated.

If network security is on your mind, being proactive is the key between "something suspicious might be happening" vs. "oh crap, data leaked". The only issue is keeping a pulse on what's going on, network- and systems-wise.

AdRem published a decent article regarding proactive network monitoring best practices in regards to GDPR. However, I think it would apply in just about any security-focused setup: https://www.adremsoft.com/blog/view/blog/10905819293987/7-proactive-ways-of-monitoring-your-network-in-order-to-stay-compliant-with-gdpr

A decent network and systems monitor (especially one which is policy-based) should do the trick. If you don't have the time to invest and configure everything by hand with open source (something like OpenNMS), definitely look into NetCrunch.
Sorry, I did not answer @ITguy565 before:
A BGP hijack might be easier than breaking into an ISP:

https://www.bishopfox.com/blog/2015/08/an-overview-of-bgp-hijacking/
https://krebsonsecurity.com/tag/bgp-hijacking/

The BGP protocol needs an addendum.