04-23-2007 08:08 AM
Hey guys
I know very little about MPLS except it provides a company connectivity to
its global offices. I have a client that is going to AT&T for MPLS
service for its 15 global locations. My question is:
Do I need a firewall to protect this company from AT&T's other customers?
Note: The company wants unrestricted IP connectivity between its offices
I do understand that using MPLS tags, no other AT&T customer would be able
to send traffic to my client's network as MPLS is kind of a VPN (private
network connected via public backbone). However, do most engineers rely
fully on this security or do they prefer to have a firewall at each office
anyways?
Thank you
04-24-2007 03:08 AM
Hi there,
As you said, MPLS VPN uses tags (labels) and other stuff to make sure that the customers are secure and completely isolated from each other (we can say that MPLS is highly secure. Its security is equivalent to that found in traditional Layer 2 networks such as Frame Relay or ATM). However, if you have Internet access or your security policy requires detailed security measures, you can then use a firewall, but most of the customers rely on MPLS VPNs without firewalls.
HTH, please rate if it does help,
Mohammed Mahmoud.
04-24-2007 04:22 AM
Hi
Agree with everything Mohammed said. What I would add is that it really depends on what level of security your customer requires. Some companies with high levels of security implement IPsec VPNs across their MPLS VPN, which adds a further layer of protection in terms of security.
It is unlikely but it just takes a misconfiguration by the SP and your traffic could be leaked to another customer and vice-versa.
Having said that, we use an SP MPLS network and we rely purely on the MPLS VPN for segregation of traffic.
HTH
Jon
04-24-2007 05:42 AM
Taking both your points, what if the customer is passing confidential data over the MPLS VPN and wants to make sure that even the service provider doesn't have the capability to view that data? In that case, his requirement would definitely dictate IPsec, as the service provider definitely retains the capability to look into that data since it's passing through their routers.
04-24-2007 05:55 AM
Hi
Correct, and that is another reason that customers might well run IPsec over the top of the MPLS VPN.
Of course it gets to the point that if you really have that high a level of security you may end up putting your own links in.
HTH
Jon