We ran a fiber cable which has 48 fibers between our facilities, about 20 miles apart, for many isolated communications paths. So we own the cable and it is not shared with anyone. My question is: do you feel we should have a firewall on each end? We are split here 2 to 2 on having that. I don't think we do because it is our dedicated fiber and no one else is going to be in between, and it's almost like our LAN, just a longer distance. The other 2 people think it's a security risk and anything leaving the building should have a firewall. It's not like someone can break open a 48-fiber cable and pick the right two fibers.
I would agree that you don't need to firewall this connection. Typically there will be a fiber splice about every 2 miles or so, due simply to the amount of fiber cable that can fit on a spool and in the back of a truck, but there shouldn't be any electronics at any of these splice points, and physical access (if any) to the fiber itself is pretty secure. I would recommend making these communications paths layer 3 paths rather than extending LAN segments or VLANs across the fiber. In doing that, you can add security to the connection as needed for each communication path. Things such as password-protecting routing protocol neighbors, etc. can be used as a compromise here.
They feel that it is a security risk that someone might break into the fiber cable and catch the data reflection. Even if it was layer two, it is a closed network, so I think it is the same as a LAN, or am I wrong in saying that, besides the distance?
It would make sense to document the perceived/potential risk and then decide what controls are necessary/feasible, if any. How does a firewall protect them from the risk of data reflection (I assume this refers to a mechanism used to eavesdrop)?
Yes, they think someone can break into the fiber and eavesdrop and the firewalls will protect it. If that was the case then I would just want to use a hardware VPN tunnel. But I'd rather do neither because I think it is being too paranoid.
I agree with mhellman that a firewall couldn't prevent eavesdropping, as well as data replay & repudiation. The security requirement needs to take into consideration the sensitivity & value of your info/data, the nature of your business, business competition/rivalry and available $$.
IPSec VPN (full feature) is good for data confidentiality, anti-replay/repudiation and to verify the peer on the other side. A firewall is mainly used to control incoming and outgoing traffic based on src/destination IP and service ports when they enter or leave the box (but with a lot more features on newer PIX/ASA). Firewall & VPN complement each other.
What you might need is some kind of security policy/assessment (in-house or engage a consultant) to qualify all threats, including the eavesdropping or the possibility that someone might cut the fiber and put their own L2 device in between to listen on the traffic. This is also applicable for physical and system/logical threats.
But I believe you should have some kind of monitoring system to detect data/communication link failure via that fiber. For a simple start, you might need to take note of why the fiber link suddenly goes down (not a device failure) and comes up after a certain time (the time taken by an intruder to cut & connect the fiber with any type of connectors to their listening devices).
Anyway, there could be many possibilities here. The security assessment can give you final results.
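The link-monitoring idea in the post above, written out as an added example that is not part of the original thread: a short Python script that pairs interface down/up syslog events from the routers on each end of the fiber, attributes a down event that follows a reload on the same device to that reload rather than to the cable, and flags outages whose length falls in a window long enough to cut, splice and reconnect a fiber. The Cisco IOS message format, the hostname `core-a`, the interface name, the timestamps and the thresholds (5 minutes to 4 hours, 10-minute reload grace) are all assumptions for illustration; the sample log is constructed.

```python
"""Pair interface down/up syslog events and flag outages worth investigating."""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample syslog in Cisco IOS format. The hostname, interface,
# dates and events are made up for this example, not taken from the thread.
SAMPLE_LOG = """\
Mar 14 02:11:03 core-a: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
Mar 14 02:11:04 core-a: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1, changed state to down
Mar 14 02:38:41 core-a: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to up
Mar 14 02:38:42 core-a: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/1, changed state to up
Mar 14 09:00:00 core-a: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
Mar 14 09:00:02 core-a: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to up
Mar 15 13:20:00 core-a: %SYS-5-RELOAD: Reload requested by admin on vty0
Mar 15 13:21:10 core-a: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to down
Mar 15 13:25:30 core-a: %LINK-3-UPDOWN: Interface TenGigabitEthernet1/1, changed state to up
"""

# Both patterns are assumptions about the log format; adjust them to your platform.
LINK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+): %LINK-\d-UPDOWN: "
    r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)$"
)
RELOAD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+): %SYS-5-RELOAD:")


@dataclass
class Outage:
    host: str
    iface: str
    start: datetime
    end: datetime
    verdict: str

    @property
    def seconds(self) -> int:
        return int((self.end - self.start).total_seconds())


def parse_ts(raw: str, year: int) -> datetime:
    # Classic syslog stamps omit the year, so the caller supplies it.
    return datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")


def analyze_link_events(log_text, year=2024, tap_window=(300, 4 * 3600), reload_grace=600):
    """Return one Outage per matched down/up pair, in log order.

    tap_window:   (min, max) outage length in seconds that is long enough for
                  someone to cut, splice and reconnect the fiber, but short
                  enough not to be an obvious long-term fault. These bounds
                  are assumptions; tune them to your own splice history.
    reload_grace: a 'down' within this many seconds after a reload message on
                  the same device is attributed to the reload, not the fiber.
    """
    pending = {}      # (host, iface) -> time of the unmatched 'down'
    last_reload = {}  # host -> time of the most recent reload message
    outages = []
    for line in log_text.splitlines():
        m = RELOAD_RE.match(line)
        if m:
            last_reload[m["host"]] = parse_ts(m["ts"], year)
            continue
        m = LINK_RE.match(line)
        if not m:
            continue  # LINEPROTO and unrelated messages are ignored
        key, when = (m["host"], m["iface"]), parse_ts(m["ts"], year)
        if m["state"] == "down":
            pending[key] = when
            continue
        start = pending.pop(key, None)
        if start is None:
            continue  # 'up' without a seen 'down' (e.g. log rotated); skip it
        length = (when - start).total_seconds()
        reload_at = last_reload.get(m["host"])
        if reload_at is not None and 0 <= (start - reload_at).total_seconds() <= reload_grace:
            verdict = "device reload"
        elif length < tap_window[0]:
            verdict = "flap"
        elif length <= tap_window[1]:
            verdict = "investigate"
        else:
            verdict = "long outage"
        outages.append(Outage(m["host"], m["iface"], start, when, verdict))
    return outages


def suspicious(outages):
    """Only the outages with no device-side explanation and a tap-sized length."""
    return [o for o in outages if o.verdict == "investigate"]


if __name__ == "__main__":
    for o in analyze_link_events(SAMPLE_LOG):
        print(f"{o.host} {o.iface} down {o.start:%b %d %H:%M:%S} for {o.seconds:>5}s -> {o.verdict}")
```

On the constructed log, the 27-minute outage on Mar 14 with no reload behind it is the one that gets flagged; the 2-second event is a flap and the Mar 15 outage is attributed to the reload logged seventy seconds earlier. In practice the same pairing can be fed with light-level (optical power) readings from the transceivers, since a splice also changes the received power, but that data is not in syslog and is not shown here.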
I don't know your building security, but I'll assume it is cheaper to walk into your building, give a presentation of a useless product and place a WLAN router on a LAN jack than to know about the fiber link, dig it up, eavesdrop and then hack the network.
Devices needed to eavesdrop on a fiber link cost about USD 10,000.