There are many aspects to network security, assuming that you are buying an L3VPN service from the SP delivered over MPLS. As you may already know, MPLS provides no encryption of the traffic, which means that all traffic is sent in the clear unless the application itself uses a technology such as SSL or TLS. This may or may not be a concern for you, but I thought it was worth mentioning.
If we look at MPLS L3VPN, which uses a VPN label (BGP) and a transport label (LDP) to forward the traffic, it is a secure way of separating customer traffic. There is always the possibility of someone accidentally or intentionally leaking traffic between different VPNs (customers), but if someone has access to the devices, then that would hold true for other technologies as well.
In the end it is up to you and your security policy whether you deem the network to be secure or not. Do you consider external threats the biggest risk, and how would you protect against internal threats?
If all traffic between sites passes through your main sites, then all traffic would be inspected, which would be more secure compared to letting traffic flow freely between sites. On the other hand, sending all traffic to a central site would increase latency and the bandwidth needed at the main sites, as well as putting more stress on the firewalls there. Design is always a tradeoff, and you have to consider what is most important to you.
The central firewalls will not mitigate local issues, though, where a virus may spread on a local subnet or a network worm may use up all of your WAN bandwidth.
In the end it comes down to how much money you are willing to spend compared to how you grade the risk of something happening and how seriously an incident would impact your business.
One option could be to have a small firewall at each site and run IPsec. On the other hand, that would mean that you have 100+ firewalls to manage all of a sudden. From a management standpoint, therefore, it makes more sense to either send traffic to central sites or use a firewalled service if the SP offers one.
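To make the "sent in the clear" point concrete, here is an added example (not from the original post) that builds a frame carrying the two-label stack described above (a transport label and a bottom-of-stack VPN label in front of a customer IPv4 packet) and then walks the stack the way any device on the path could. The label values, addresses and payload are constructed sample data; the point is that the customer payload is fully readable once the labels are popped, which is why an IPsec overlay is needed if confidentiality matters.

```python
import struct

def build_label_entry(label, tc=0, bos=0, ttl=64):
    """Encode one 32-bit MPLS label stack entry: 20-bit label, 3-bit TC,
    1-bit bottom-of-stack flag, 8-bit TTL (RFC 3032 layout)."""
    assert 0 <= label < 2**20 and 0 <= tc < 8 and bos in (0, 1)
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)

def build_ipv4(src, dst, payload, proto=17):
    """Minimal IPv4 header (no options, checksum left at zero) plus payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, src_b, dst_b)
    return hdr + payload

def parse_mpls_frame(frame):
    """Pop label entries until the S bit marks the bottom of the stack, then
    decode the IPv4 packet behind it. Returns (labels, src, dst, payload).
    Nothing here needs a key: this is what an on-path observer sees."""
    labels, off = [], 0
    while True:
        (entry,) = struct.unpack_from("!I", frame, off)
        labels.append(entry >> 12)
        off += 4
        if (entry >> 8) & 1:        # S=1: last label, IP header follows
            break
    ihl = (frame[off] & 0x0F) * 4   # header length in bytes
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    return labels, src, dst, frame[off + ihl:]

# Constructed sample: outer transport label (LDP) and inner VPN label (BGP)
TRANSPORT_LABEL = 1001
VPN_LABEL = 3004
SAMPLE_FRAME = (build_label_entry(TRANSPORT_LABEL)
                + build_label_entry(VPN_LABEL, bos=1)
                + build_ipv4("10.1.1.10", "10.2.2.20", b"customer record 42"))

if __name__ == "__main__":
    labels, src, dst, payload = parse_mpls_frame(SAMPLE_FRAME)
    print("labels:", labels, "flow:", src, "->", dst)
    print("payload visible in the clear:", payload)
```

Run with an IPsec overlay, the same parser would stop at an ESP header and the customer data after it would be ciphertext; the labels themselves are never protected by MPLS.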