Firewalls and MPLS

I am getting quotes to upgrade our current WAN. Right now we have all Internet access going through the main office. In the office I have the usual router, firewall and IDS. I received a quote from New Edge Networks for an MPLS solution with Internet access from their cloud.

When I asked about security and the need for firewalls I was told I did not need a local firewall because they already block all incoming traffic before it gets to our network.  

I was looking for opinions on the need for a local firewall at each of our locations.

Thanks for any information.

Depends on your trust level and what you need to be able to do.  Basically they are playing a big "trust me" card.  As long as they are *really* doing things correctly from a security perspective you are going to be fine.  But if they are not, you and every other customer that accepted the "trust me" card are vulnerable.

Also depends on what you will do with your firewall.  Are you running VPN connections, using a DMZ for edge servers, letting certain services through, blocking viruses at the firewall, etc?  If the answer is yes, you probably want to administer your own firewall instead of relying on New Edge to set these things up and maintain them for you.

I personally am not the trusting type.  I always, always, always set up my own firewall on Internet connections.  In fact, I don't run my MPLS circuits with Internet access.  Call me old school, but I view MPLS as a cost effective way to obtain inter-office WAN connectivity.  And I view a second Internet line with firewall as the right way to get secure, flexible Internet connectivity.
qvfps (Author) commented:
Thanks for the comment.  I was not real comfortable with completely removing my security for Internet access which is why I asked this question. The only outside connections I have at the moment are a VPN server which I was planning on keeping and external access to email.

I will think about getting separate local Internet access at each location as well. It will come down to cost and how much I can justify it to management. Some of the locations are in out-of-the-way places where the only real option is a T1, for which they charge an arm, a leg and anything else they can get.
Let each site have independent Internet access.
Use the MPLS as a separate, independent private connection between the sites, with the Internet not available through it. MPLS = private only.
The MPLS routers will become the default gateway of each respective LAN; then the MPLS router uses the firewall as the default gateway at each site. Don't be confused by that: a default gateway is for unknown traffic (aka the Internet); only known traffic is to move over the MPLS. However, the provider has to set up their routers correctly, because they would probably normally have the MPLS router's default gateway pointing to another device out in their cloud. This becomes much less complicated if each site has at least two subnets and already has a LAN router of its own, which would serve as the default gateway instead of the MPLS routers.
...And if everything I have just said confuses the MPLS provider, then you don't want them. They should immediately know exactly what I am trying to say; if they don't, then stay away from them.
You probably will not need local internet for each location -- unless you really need that level of redundancy.  The MPLS circuit will connect all of your locations.  You can put Internet at one of the locations with your firewall then route all Internet traffic from other locations through it.

Now, if budget can put that Internet and firewall at each site, then use VPN as a backup route for when the MPLS goes down! You just need to set up the appropriate routing protocols and this will work like a charm.

pwindell -- you are *technically* correct on the MPLS. However, some telcos are providing MPLS bundled with Internet. Basically they extend your private MPLS cloud to give you Internet access (then promise that they are securing your network from the Internet). My telco offered this and I said "NO WAY IN YOU KNOW WHERE!".

Did I mention that I'm not the trusting type ;-)

pwindell -- you are *technically* correct on the MPLS.  However, some telco's are providing MPLS bundled with Internet.  Basically they extend your private MPLS cloud to give you Internet access (then promise that they are securing your network from the Internet).
Yeah, in fact the only one I have personally dealt with was that way. But in the particular case of the facilities I was dealing with, it fit the business model and was a good solution for them. But it would not be for me, the same as you said.