Currently our network is in a hub-and-spoke topology. At each hub site, there is a Checkpoint firewall serving as a choke point; therefore core (hub-hub) links are protected by this choke point at each hub site.
However, in a couple of months we are migrating toward an MPLS VPN solution. With the any-to-any nature of MPLS, there is no choke point to enforce. Buying brand new firewalls for each spoke site (350 of them) is just not cost effective. I have some ideas on how to firewall branch traffic in an MPLS VPN environment:
1. One idea is to run IOS firewall at each branch site, since it is already paid for. Could we have management issues managing that many IOS firewalls?
2. Redirect all spoke traffic somewhere else, have it inspected by the firewalls, and have the firewalls spit the "clean" traffic out (no idea how to do that).
3. Enforce a hub-and-spoke topology within the MPLS cloud and inspect branch traffic at the data centers. However, "dirty" traffic could still "contaminate" other spoke sites.
What's the current industry best practice for firewalling branch traffic in an MPLS VPN environment? Any other ideas or white papers to guide me?
If you were looking for some white papers have you consulted the Design Zone for Security?
It outlines best practices for a secure branch, secure campus, secure data centre etc.
My experience is similar to Jon's in that one of the companies I worked for firewalled the core infrastructure in the data centre only. Branches were considered to be trusted sites.
How do you do firewalling in your company? Just in the data centers?
Yes, the last company I worked for used FWSM to firewall in the DCs, because that is where the vast majority of traffic from remote sites was going. We didn't firewall between remote sites except in circumstances where there was a sensitive protected network in a remote site. But that was us, and your security requirements may differ significantly.
I have come across companies where there is a lot of inter-departmental and inter-site firewalling, but you usually find they have a sizeable security/network security dept. to cover the amount of work involved.