186 Chapter 5: Security Recommendations
That is, the SP should provision separate PEs for VPN versus Internet access even if the backbone P routers are convergent. Also, the interconnections between the VPN (intranet) and Internet PEs should be unique and preferably be terminated on separate CE routers. This allows for the greatest degree of configuration flexibility (and thereby policy control) and will reduce the concern that Internet-launched DoS attacks will have an immediate impact on the VPN performance. Internet traffic can also be directed through DMZ facilities at centralized customer sites where firewall-based control and intrusion detection systems can be readily deployed. Internet access can then be provided to other sites with default routing propagated through the corporate VPN.
The use of default routing to direct traffic through the DMZ ensures that corporate security policies are applied to traffic that traverses the Internet, and additionally provides a single connection point where problems can be identified and controlled. Also, this approach minimizes the memory usage on the PE and CE routers, which would be considerable if the entire Internet table were propagated.
Sharing End-to-End Resources
Sharing end-to-end resources ensures that the network deployment costs are minimized, at least from a hardware and facilities perspective.
However, this approach is fraught with considerable security risks. It is essential that both services (MPLS VPN and Internet access) are tightly controlled so as to avoid any adverse interactions. In this scenario, the SP backbone, the PE router, the interconnection facility between the CE and PE, and the CE router itself are shared resources with respect to both the VPN and Internet traffic flows. The CE router needs to implement some mechanism to groom VPN and Internet traffic into different channels. The Internet traffic must be directed through a firewall device before remerging with the corporate traffic. Policy-based routing or Multi-lite VRF may be utilized to perform the traffic direction. Indeed, some security perspectives suggest the use of doubled firewalls to try to provide an additional level of protection.
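The arrangement described in the two preceding sections, as an added Cisco IOS configuration sketch for a central-site CE (this is not configuration from the book): VRF-lite keeps the VPN and Internet sides of a shared access circuit in separate routing tables, the only exit from the corporate VRF toward the Internet is the DMZ firewall, a default route is advertised into the corporate VPN so that remote sites follow it to the DMZ, and the CE accepts nothing but a default from the SP's Internet service so the full Internet table never lands on it. All VRF names, AS numbers, VLAN IDs, interface roles and addresses are constructed for illustration; the firewall's own rule set is outside this example.

```ios
! Added example (not from the book). Assumed: customer AS 65001, SP AS 65000,
! Gi0/0 is the shared circuit to the PE carrying two 802.1Q VLANs (100 = VPN,
! 200 = Internet), Gi0/1 is the corporate LAN, Gi0/2 faces the firewall inside
! interface and Gi0/3 its outside interface. The firewall is assumed to translate
! corporate sources into the constructed pool 198.51.100.0/24.
!
ip vrf CORP
 description Corporate intranet side (MPLS VPN)
 rd 65001:1
!
ip vrf INET
 description Internet side, kept out of the corporate routing table
 rd 65001:2
!
! Shared CE-PE circuit: one sub-interface per service, each in its own VRF
interface GigabitEthernet0/0.100
 description To PE - VPN service
 encapsulation dot1Q 100
 ip vrf forwarding CORP
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/0.200
 description To PE - Internet service
 encapsulation dot1Q 200
 ip vrf forwarding INET
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Central-site corporate LAN
 ip vrf forwarding CORP
 ip address 10.1.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description DMZ firewall, inside interface (10.255.0.2)
 ip vrf forwarding CORP
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet0/3
 description DMZ firewall, outside interface (192.0.2.130)
 ip vrf forwarding INET
 ip address 192.0.2.129 255.255.255.252
!
! CORP: anything not reachable inside the VPN is handed to the firewall.
! This is the only path from the corporate table toward the Internet.
ip route vrf CORP 0.0.0.0 0.0.0.0 10.255.0.2
!
! INET: default toward the PE; the translated corporate pool returns via the
! firewall outside interface. No corporate prefix exists in this table.
ip route vrf INET 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf INET 198.51.100.0 255.255.255.0 192.0.2.130
!
router bgp 65001
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf CORP
  neighbor 10.0.0.1 remote-as 65000
  neighbor 10.0.0.1 activate
  network 10.1.0.0 mask 255.255.255.0
  ! Default originated into the corporate VPN: remote sites reach the
  ! Internet only through this site's DMZ and need no Internet routes
  neighbor 10.0.0.1 default-originate
 exit-address-family
 !
 address-family ipv4 vrf INET
  neighbor 192.0.2.1 remote-as 65000
  neighbor 192.0.2.1 activate
  network 198.51.100.0 mask 255.255.255.0
  ! Accept only 0.0.0.0/0 from the Internet service; the full table stays
  ! on the PE, limiting CE memory use as the chapter recommends
  neighbor 192.0.2.1 prefix-list INET-DEFAULT-ONLY in
 exit-address-family
!
ip prefix-list INET-DEFAULT-ONLY seq 5 permit 0.0.0.0/0
```

Forwarding follows the two tables: a LAN or remote-site packet with no VPN destination hits the CORP default and enters the firewall's inside interface; the firewall emits it on its outside interface into the INET VRF, which only knows the PE default and the translated pool. The two VRFs never exchange routes, so an Internet-side packet cannot reach a 10.x address except by passing through the firewall. Policy-based routing on the LAN interface (an `ip policy route-map` steering non-VPN traffic to the firewall) is the alternative the chapter names; VRF-lite is shown here because the separation is then a property of the routing tables rather than of a per-interface policy that can be bypassed by a misordered entry.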
No matter which approach you choose for providing Internet and MPLS VPN services, the use of intrusion detection systems (IDSs) is highly recommended to provide early warnings and information leading to quicker resolution of Internet-driven attacks.
Clearly, firewalling should be viewed as a necessary component of any Internet access, whether accomplished by any of the following means:
• Firewall at central site with centralized Internet access
• Firewall at each CE site
• Firewalling through an SP service offering, either through stacked or shared