Chapter 5: Security Recommendations
That is, the SP should provision separate PEs for VPN versus Internet access even if the
backbone P routers are convergent. Also, the interconnections between the VPN (intranet)
and Internet PEs should be unique and preferably be terminated on separate CE routers.
This allows for the greatest degree of configuration flexibility (and thereby policy control) and
will reduce the concern that Internet-launched DoS attacks will have an immediate impact
on the VPN performance. Internet traffic can also be directed through DMZ facilities at
centralized customer sites where firewall-based control and intrusion detection systems can
be readily deployed. Internet access can then be provided to other sites with default routing
propagated through the corporate VPN.
The use of default routing to direct traffic through the DMZ ensures that corporate security
policies are applied to traffic that traverses the Internet, and additionally provides a single
connection point where problems can be identified and controlled. Also, this approach
minimizes the memory usage on the PE and CE routers, which would be considerable if the
entire Internet table were propagated.
Sharing End-to-End Resources
Sharing end-to-end resources ensures that the network deployment costs are minimized, at
least from a hardware and facilities perspective.
However, this approach is fraught with considerable security risks. It is essential that
both services (MPLS VPN and Internet access) are tightly controlled so as to avoid any
adverse interactions. In this scenario, the SP backbone, the PE router, the interconnection
facility between the CE and PE, and the CE router itself are shared resources with respect
to both the VPN and Internet traffic flows. The CE router needs to implement some
mechanism to groom VPN and Internet traffic into different channels. The Internet traffic
must be directed through a firewall device before remerging with the corporate traffic.
Policy-based routing or Multi-lite VRF may be utilized to perform the traffic direction.
Indeed, some security perspectives suggest the use of doubled firewalls to try to provide an
additional level of protection.
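One way the CE-side separation described above could look with Multi-VRF, as an added example that is not taken from the book: the shared PE-CE link is split into two 802.1Q subinterfaces, and the Internet channel stays in its own VRF until it has passed the firewall. Cisco IOS syntax, the interface names, VLAN IDs, addresses (RFC 1918 and RFC 5737 ranges) and the VRF name INTERNET are all assumptions.

```cisco
! Constructed example: names, VLAN IDs and addresses are assumptions.
! Internet traffic lives in its own routing table on the shared CE.
ip vrf INTERNET
 description Internet channel, isolated from the corporate (global) table
 rd 65000:99
!
! Shared PE-CE facility, channel 1: MPLS VPN traffic (global table)
interface GigabitEthernet0/0.100
 description To PE - MPLS VPN channel
 encapsulation dot1Q 100
 ip address 10.255.0.2 255.255.255.252
!
! Shared PE-CE facility, channel 2: Internet traffic (INTERNET VRF)
interface GigabitEthernet0/0.200
 description To PE - Internet channel
 encapsulation dot1Q 200
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
! Firewall OUTSIDE interface is reachable only from the INTERNET VRF
interface GigabitEthernet0/1
 description To firewall OUTSIDE
 ip vrf forwarding INTERNET
 ip address 198.51.100.1 255.255.255.248
!
! Firewall INSIDE interface is reachable only from the corporate table
interface GigabitEthernet0/2
 description To firewall INSIDE
 ip address 10.0.0.1 255.255.255.252
!
! INTERNET VRF: default route towards the PE on the Internet channel
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1
!
! Corporate table: default route towards the firewall INSIDE interface,
! so Internet-bound traffic from any VPN site is inspected before it
! leaves, and return traffic re-enters only through the firewall.
ip route 0.0.0.0 0.0.0.0 10.0.0.2
```

With no route leaking configured between the INTERNET VRF and the global table, the firewall is the only path between the two channels.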
Additional Security
No matter which approach you choose for providing Internet and MPLS VPN services, the
use of intrusion detection systems (IDSs) is highly recommended to provide early warnings
and information leading to quicker resolution of Internet-driven attacks.
Clearly, firewalling should be viewed as a necessary component of any Internet access,
whether accomplished by any of the following means:
Firewall at central site with centralized Internet access
Firewall at each CE site
Firewalling through an SP service offering, either through stacked or shared
