We have 6 remote branches that connect to the main site via MPLS.
The main site has a connection to the Internet.
All of these branches use the main site for their Internet access.
We recently had a security audit and they mentioned putting access-lists on the serial interfaces of all of the MPLS links.
If the remote branches are using the main site Internet connection, the inbound traffic at the remote branch could potentially be from ANY IP address.
Is there any practical way to do what the audit suggests?