Sharing end-to-end resources ensures that the network deployment costs are minimized, at least from a hardware and facilities perspective.
However, this approach is fraught with considerable security risks. Both services (MPLS VPN and Internet access) must be tightly controlled to avoid any adverse interaction between them. In this scenario, the SP backbone, the PE router, the interconnection facility between the CE and PE, and the CE router itself are shared resources with respect to both the VPN and Internet traffic flows. The CE router therefore needs some mechanism to groom VPN and Internet traffic into separate channels, and the Internet traffic must be directed through a firewall before it is merged back with the corporate traffic. Policy-based routing or VRF-Lite (Multi-VRF CE) may be used to perform this traffic separation. Some security perspectives go further and suggest two firewalls in series to provide an additional level of protection.
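The VRF-Lite grooming just described, as an added example that is not from the original text: a shared CE router keeps Internet transit in its own VRF so that the only path between the Internet and the corporate (global) routing table is through the firewall. It assumes the PE delivers the two services on separate 802.1Q subinterfaces (VLAN 10 for the VPN, VLAN 20 for Internet) and that the firewall's inside interface is 10.10.10.2 and its outside interface 192.0.2.10; all addresses are constructed.

```cisco
! Added example, not the book's own configuration. Addresses and VLAN IDs are constructed.
ip vrf INTERNET
 description Internet transit - isolated from the corporate routing table
!
interface GigabitEthernet0/0.10
 description PE link - corporate MPLS VPN (global table)
 encapsulation dot1Q 10
 ip address 10.1.1.2 255.255.255.252
!
interface GigabitEthernet0/0.20
 description PE link - Internet transit (confined to the INTERNET VRF)
 encapsulation dot1Q 20
 ip vrf forwarding INTERNET
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Firewall OUTSIDE interface - untrusted side, in the INTERNET VRF
 ip vrf forwarding INTERNET
 ip address 192.0.2.9 255.255.255.248
!
interface GigabitEthernet0/2
 description Firewall INSIDE interface - trusted side, global (corporate) table
 ip address 10.10.10.1 255.255.255.0
!
! Corporate table: VPN prefixes go to the PE over VLAN 10; anything else (Internet-bound)
! is sent to the firewall's inside interface, so no packet reaches the Internet VRF
! without first traversing the firewall.
ip route 10.0.0.0 255.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.10.10.2
!
! Internet VRF: default toward the PE's Internet VLAN; the public NAT pool (203.0.113.0/24,
! constructed) is reachable only via the firewall's outside interface. There is no route
! leak between this VRF and the global table, so the firewall is the single crossing point.
ip route vrf INTERNET 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf INTERNET 203.0.113.0 255.255.255.0 192.0.2.10
```

To verify the separation, `show ip route vrf INTERNET` should list only the PE default and the NAT pool, and `show ip route` should show no route toward 192.0.2.0/24 from the global table.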
No matter which approach you choose for providing Internet and MPLS VPN services, the use of intrusion detection systems (IDSs) is highly recommended to provide early warnings and information leading to quicker resolution of Internet-driven attacks.
Clearly, firewalling should be viewed as a necessary component of any Internet access, whether accomplished by any of the following means:
Firewall at central site with centralized Internet access
Firewall at each CE site
Firewalling through an SP service offering, either through stacked or shared approaches
Many current implementations of customer networks have been based on the use of private address space. Interconnecting to the Internet requires the use of global addresses that generally necessitate some form of network address translation (NAT). In addition to firewalls, this NAT functionality can be implemented either through shared services provided at a central customer site or by the SP.