Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Dedicated fiber :need firewall?

We ran a fiber cable which has 48 fibers between our facilities for many isolated communications paths about 20 miles apart. So we own the cable and it is not shared with anyone. My question is do you feel we should have a firewall on each end? We are split here 2 to 2 on have that. I don't think we do because it is our dedicated fiber and no one else is going to be in between and its almost like our LAN just a longer distance. The other 2 people think its a security risk and anything leaving the building should have a firewall. Its not like someone can break open a 48 fiber cable and pick the right two fibers.

Any comments would be greatly appreciated.

7 REPLIES

Re: Dedicated fiber :need firewall?

If you own the fiber I don't think you need a firewall at each end (we don't do it either).

New Member

Re: Dedicated fiber :need firewall?

I would agree that you don't need to firewall this connection. Typically there will be a fiber splice about every 2 miles or so due simply to the amount of fiber cable that can fit on a spool and back of truck, but there shouldn't be any electronics at any of these splice points and pretty secure physical access (if any) to the fiber itself. I would recommend making these communications paths layer 3 paths rather than extending lan segments or vlans across the fiber. In doing that, you can add security to the connection as needed for each communication path. Things such as password-protecting routing protocol neighbors, etc. can be used as a compromise here.

New Member

Re: Dedicated fiber :need firewall?

They feel that it is a security risk that someone might break into the fiber cable and catch the data reflection. Even if it was layer two, it is a closed network so I think it is the same as a LAN or am I wrong in saying that besides the distance.

Gold

Re: Dedicated fiber :need firewall?

It would make sense to document the perceived/potential risk and then decide what controls are necessary/feasible, if any. How does a firewall protect them from the risk of data reflection (I assume this refers to a mechanism used to eavesdrop)?

New Member

Re: Dedicated fiber :need firewall?

Yes they think someone can break into fiber and eavesdrop and the firewalls will protect it. If that was the case then I would just want to use a hardware VPN tunnel. But Id rather do neither because I think it is being to paranoid.

Re: Dedicated fiber :need firewall?

I agree with mhellman that firewall couldn't prevent eavesdropping as well as data replay & repudation. The security requirement need to take into consideration the sensitivity & value of your info/data, nature of your business, business competition/rivalry and available $$.

IPSec VPN (full feature) is good for data confidentiality, anti-reply/repudation and to to verify peer on the other side. Firewall is mainly used to control incoming and outgoing traffic based on src/destination IP and service ports when they entered or leaving the box (but lot more features with newer PIX/ASA). Firewall & VPN complement each other.

What you might need is some kind of security policy/assessment (in-house or enggage consultant) to qualify all threats, including the eavesdropping or possibility someone might cut the fiber and put their own L2 device in between to listen on the traffic. This is also applicable for physical and system/logical threats.

But I believed you should have some kind of monitoring system to detect data/communication link failure via that fiber. For a simple start, you might need to take note why the fiber link suddenly down (not a device failure), and up after certain time (time taken by intruder to cut & connect the fiber with any type of connectors to their listening devices).

Anyway, there could be many possibilities here. The security assessment can give you final results.

HTH

AK

New Member

Re: Dedicated fiber :need firewall?

I don't know your building security, but I'll assume it is a cheaper to walk in your building, give a presentation of a useless product and place a WLAN router on a LAN jacket than knowing about the fiber link, dig it up, eavesdrop and then hack the network.

Devices need to eavesdrop a fiber link about USD 10.000

sneak in and place a WLAN router about USD 70.

being paranoid at the right moment, priceless

Greetings Rafiki

313
Views
0
Helpful
7
Replies