Provider (P) devices are trusted; that is, these devices do not interface to any untrusted platforms. Consequently, the P exposure is rather limited. Provider devices must be fully secured, using measures as described under the section "Generic Router Security Measures," earlier in this chapter. The key security point is that if a P node is compromised (for example, via internal exploits), the security of the PEs and the attached VPNs may also be compromised as a consequence.
Best practice access for P nodes, as for any other router, is out-of-band security, and it must be tightly secured because access is often possible via the public telephone system.
Like with PE routers, P routers must be located in physically secure locations to avoid password recovery using a console connection.