Solved

Firewalls and MPLS

Posted on 2010-08-18
582 Views
Last Modified: 2012-05-10
I am getting quotes to upgrade our current WAN. Right now we have all Internet access going through the main office. In the office I have the usual: a router, firewall and IDS. I received a quote from New Edge Networks for a MPLS solution with Internet access from their cloud.

When I asked about security and the need for firewalls, I was told I did not need a local firewall because they already block all incoming traffic before it gets to our network.

I was looking for opinions on the need for a local firewall at each of our locations.

Thanks for any information.
Question by:qvfps

5 Comments
LVL 14

Expert Comment

by:mds-cos
ID: 33471974
Depends on your trust level and what you need to be able to do. Basically they are playing a big "trust me" card. As long as they are *really* doing things correctly from a security perspective, you are going to be fine. But if they are not, you and every other customer that accepted the "trust me" card are vulnerable.

Also depends on what you will do with your firewall.  Are you running VPN connections, using a DMZ for edge servers, letting certain services through, blocking viruses at the firewall, etc?  If the answer is yes, you probably want to administer your own firewall instead of relying on New Edge to set these things up and maintain them for you.

I personally am not the trusting type.  I always, always, always set up my own firewall on Internet connections.  In fact, I don't run my MPLS circuits with Internet access.  Call me old school, but I view MPLS as a cost effective way to obtain inter-office WAN connectivity.  And I view a second Internet line with firewall as the right way to get secure, flexible Internet connectivity.

Author Comment

by:qvfps
ID: 33475283
Thanks for the comment. I was not real comfortable with completely removing my security for Internet access, which is why I asked this question. The only outside connections I have at the moment are a VPN server, which I was planning on keeping, and external access to email.

I will think about getting separate local Internet access at each location as well. It will come down to cost and how much I can justify it to management. Some of the locations are in out-of-the-way places where the only real option is a T1, for which they charge an arm, a leg and anything else they can get.
LVL 29

Expert Comment

by:pwindell
ID: 33488093
Let each site have independent Internet access.
Use the MPLS as a separate, independent private connection between the sites, with the Internet not available through it: MPLS = private only.
The MPLS Routers will become the Default Gateway of each respective LAN; then the MPLS Router uses the Firewall as the Default Gateway at each site. Don't be confused by that: a Default Gateway is for unknown traffic (aka the Internet); only known traffic is to move over the MPLS. However, the Provider has to set up their routers correctly, because they would probably normally have the MPLS Router's Default Gateway pointing to another device out in their cloud. This becomes much less complicated if each site has at least two subnets and already has a LAN Router of their own, which would serve as the Default Gateway instead of the MPLS routers.
...And if everything I have just said confuses the MPLS provider, then you don't want them. They should immediately know exactly what I am trying to say; if they don't, then stay away from them.
LVL 14

Accepted Solution

by:mds-cos (earned 250 total points)
ID: 33494136
You probably will not need local Internet for each location -- unless you really need that level of redundancy. The MPLS circuit will connect all of your locations. You can put Internet at one of the locations with your firewall, then route all Internet traffic from other locations through it.

Now, if budget allows....you can put that Internet and firewall at each site, then use VPN as a backup route for when the MPLS goes down! You just need to set up the appropriate routing protocols and this will work like a charm.

pwindell -- you are *technically* correct on the MPLS. However, some telcos are providing MPLS bundled with Internet. Basically they extend your private MPLS cloud to give you Internet access (then promise that they are securing your network from the Internet). My telco offered this and I said "NO WAY IN YOU KNOW WHERE!".

Did I mention that I'm not the trusting type ;-)
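A small routing-table model, added here and not written by either poster, of the layout pwindell describes (site routes over the MPLS, default route to the local firewall) and the VPN fallback mds-cos mentions in the accepted solution. The subnets and next-hop names are constructed; the `provider_default` flag models the provider leaving the MPLS router's default pointed at their own cloud.

```python
import ipaddress

# Constructed addressing: this branch is 10.20.0.0/24, the other sites are listed here.
SITES = ["10.10.0.0/24", "10.30.0.0/24"]


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, metric, up) entries.
    On equal prefix length the lower metric wins; down routes are ignored."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, metric, up in table:
        net = ipaddress.ip_network(prefix)
        if up and ip in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, next_hop)
    return best[1] if best else None


def mpls_router_table(provider_default=False, mpls_up=True, vpn_backup=False):
    """Routing table of one site's MPLS router (hypothetical next-hop names).
    pwindell's layout: known site prefixes go over the MPLS cloud, everything
    unknown (the Internet) goes to the site's own firewall. vpn_backup adds
    mds-cos's higher-metric VPN path through the firewall for MPLS outages."""
    table = [(s, "mpls-cloud", 10, mpls_up) for s in SITES]
    if vpn_backup:
        table += [(s, "local-firewall-vpn", 100, True) for s in SITES]
    default_hop = "provider-cloud" if provider_default else "local-firewall"
    table.append(("0.0.0.0/0", default_hop, 10, True))
    return table


def next_hop(dst, **kw):
    """Where this site's MPLS router would send a packet for dst."""
    return lookup(mpls_router_table(**kw), dst)


def internet_traffic_firewalled(**kw):
    """The check to make against the provider's config: the default route
    must point at the site firewall, not at the provider's cloud."""
    return any(p == "0.0.0.0/0" and nh == "local-firewall"
               for p, nh, _, _ in mpls_router_table(**kw))


if __name__ == "__main__":
    print(next_hop("10.10.0.5"))                      # inter-site: mpls-cloud
    print(next_hop("93.184.216.34"))                  # Internet: local-firewall
    print(next_hop("10.10.0.5", mpls_up=False, vpn_backup=True))  # local-firewall-vpn
    print(internet_traffic_firewalled(provider_default=True))     # False
```

With the MPLS down and no VPN backup, the other site's traffic falls through to the default route and leaves via the firewall toward the Internet, which is why the backup route needs its own entry rather than relying on the default.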
LVL 29

Expert Comment

by:pwindell
ID: 33503520
pwindell -- you are *technically* correct on the MPLS. However, some telcos are providing MPLS bundled with Internet. Basically they extend your private MPLS cloud to give you Internet access (then promise that they are securing your network from the Internet).
Yea, in fact the only one I have personally dealt with was that way. But in the particular case of the facilities I was dealing with, it fit the business model and was a good solution for them. But it would not be for me, the same as you said.