MPLS Security Design

Alex Li · ‎02-26-2015

Hello All,

I am trying to get a better idea of how to improve security between my MPLS sites.

I currently have 10 MPLS sites sharing a 100 Mb backbone, each location is connected physically

using a L3 Switch provided by the Telco. I simply plug that L3 switch into my L3 Switch and distribute my networks using OSPF.

Should I add an ASA between L3 switches to improve security ?

Jon Marshall · ‎02-26-2015

Colin

It depends on your security requirements.

MPLS is a private network so many companies do not firewall their connections to it because it is only their internal users who have access to the network.

Obviously that doesn't necessarily mean you don't need firewalling for critical internal servers but that is a separate issue from the MPLS side of things.

If you don't trust your SP then you should probably be thinking about a new SP rather than firewalling.

Some companies do encrypt traffic over their MPLS connections but again this is to address specific security concerns which many other companies don't have.

Jon

bsiapco · ‎02-27-2015

Hi, Colin Tennyson.

Definitely agree with Jon. However,adding a security appliance would secure your connection in your network. This is advisable as connecting through different sites, im sure that security would pose an issue.

Happy to Serve!

Barry

Jon Marshall · ‎02-28-2015

Barry

Definitely agree with Jon

This is advisable as connecting through different sites, im sure that security would pose an issue

The second statement pretty much contradicts the first.

Can you expand on what you mean by your second statement ?

What are the issues you are referring to ?

If every company firewalled it's private WAN connections then yes it would definitely mean a lot more firewalls were sold but it's not something most companies do in my experience so what is your reasoning for recommending it ?

Just curious really as it's not something I have come across before.

Jon