Justify Security on a point to point circuit

angel-moon · ‎10-01-2008

Hello Everyone,

on a point to point curcuit from the Telco is there justification for putting in a firewall and IDS/IPS? Telco is saying "No" but I'm not so sure. Opinions?

All replies rated! Thanks in advance!

Collin Clark · ‎10-01-2008

We're required to follow NIST security policies and P2P circuits do not require encryption/firewall/IPS unless the demarc is not in a secured area. IMO encryption should be enough and a firewall /IPS is not needed (unless you use a FW for encryption).

Hope that helps.

mhellman · ‎10-02-2008

Well, first of all I'm assuming that the curcuit is to support a connection to another network in your administrative domain (i.e. another one of your companies offices).

It depends on your requirements(including those that come from regulations/expectations/auditors/etc). What kind of traffic will go over the circuit(i.e. how sensitive is it)? Is is already encrypted (depending on where this happens, it can make IDS/IPS superfluous)? I'm not aware of any regulations that specifically require a firewall and/or IDS/IPS or even encryption of sensitive data on "private" networks like frame-relay and point-to-point.

However, if you're in the Pharmaceutical business and you have trade secrets you want to protect, you'd probably at least encrypt (ipsec, whatever) and maybe use IDS/IPS and a firewall. A bank might do the same. If you're selling toys and use the link to upload inventory, then you might not.

IMHO, you should assume that your service provider CAN and regularly DOES see your traffic. That's a problem best solved by encryption, not firewall/IDS/IPS.