Need firewall?

Apr 23rd, 2007

Hey guys

I know very little about MPLS except that it provides a company connectivity to its global offices. I have a client that is going to AT&T for MPLS service for its 15 global locations. My question is:

Do I need a firewall to protect this company from AT&T's other customers?

Note: The company wants unrestricted IP connectivity between its offices.

I do understand that using MPLS tags, no other AT&T customer would be able to send traffic to my client's network as MPLS is kind of a VPN (private network connected via public backbone). However, do most engineers rely fully on this security or do they prefer to have a firewall at each office?


Thank you

mohammedmahmoud Tue, 04/24/2007 - 03:08

Hi there,

As you said, MPLS VPN uses tags (labels) and other stuff to make sure that the customers are secure and completely isolated from each other (we can say that MPLS is highly secure. Its security is equivalent to that found in traditional Layer 2 networks such as Frame Relay or ATM). However, if you have internet access or your security policy requires detailed security measures, you can then use a firewall, but most of the customers rely on MPLS VPNs without firewalls.

HTH, please rate if it does help,

Mohammed Mahmoud.

Jon Marshall Tue, 04/24/2007 - 04:22


Agree with everything Mohammed said. What I would add is that it really depends on what level of security your customer requires. Some companies with high levels of security implement IPSEC VPNs across their MPLS VPN, which adds a further layer of protection in terms of security.

It is unlikely but it just takes a misconfiguration by the SP and your traffic could be leaked to another customer and vice-versa.

Having said that we use an SP MPLS network and we rely purely on the MPLS VPN for segregation of traffic.



ciscors Tue, 04/24/2007 - 05:42

Taking both your points, what if the customer is passing confidential data over the MPLS VPN and wants to make sure that even the service provider doesn't have the capability to view that data? In that case, his requirement would definitely dictate IPsec, as the service provider definitely retains the capability to look into that data since it's passing through their routers.

Jon Marshall Tue, 04/24/2007 - 05:55


Correct and that is another reason that customers might well run IPSEC over the top of the MPLS VPN.

Of course it gets to the point that if you really have that high a level of security you may end up putting your own links in.



