Enterprise level IDS, IPS and URL filtering



  • Hello Forum,
    We are an ISP and we have around 50,000 customers registered with us. The government will be sending us a list of URLs that have to be blocked by the ISP. Apart from that, we are planning to implement IDS and IPS to monitor our network without compromising the speed of the internet for the customers. We are planning to use pfSense at the enterprise level, which includes IDS, IPS and URL filtering. As a newbie to this kind of setup, I am not sure about the feasible hardware configuration for this. Can anyone tell me what the best configuration would be to implement this kind of monitoring system?

    Let me repeat: we want to implement IDS, IPS and URL filtering for around 50,000 customers.


  • LAYER 8 Netgate

    I will come out and say what everyone else is thinking:

    A "newbie" setting up an IDS/IPS/URL filter for 50,000(!) ISP customers with some apparently significant compliance requirements posting on a forum for help designing said system with free, open source software?

    Really?



  • @Derelict:

    I will come out and say what everyone else is thinking:

    A "newbie" setting up an IDS/IPS/URL filter for 50,000(!) ISP customers posting on a forum for help with free, open source software?

    Really?

    Sir, I know you are being sarcastic and thinking I am the crazy guy. I am part of the team which will be working on implementing IDS and IPS, and as a part of the team I have posted this question to the forum. We don't want to go for commercial firewalls and want to achieve the same results with open source software.


  • LAYER 8 Netgate

    No, actually, I'm not being sarcastic.  I'm dead serious.  You posted to a forum asking it to design a system for a 50K-user ISP with significant government compliance requirements.

    Please make a call to ESF on Monday morning (GMT-6) and pose your question to them so they can properly handle your request and give you an estimate.

    Your scope of work is WAY beyond what you might expect from a forum response.

    Or maybe you'll get a PM from someone who says they can design it for you for less.



  • @Derelict:

    No, actually, I'm not being sarcastic.  I'm dead serious.  You posted to a forum asking it to design a system for a 50K-user ISP with significant government compliance requirements.

    Please make a call to ESF on Monday morning (GMT-6) and pose your question to them so they can properly handle your request and give you an estimate.

    Your scope of work is WAY beyond what you might expect from a forum response.

    Or maybe you'll get a PM from someone who says they can design it for you for less.

    I was just trying to get a rough estimate for our requirements and thought I would get a response here.
    Really sorry for misunderstanding your post, and I will do as you say, sir.
    Thank you for the response  :)


  • LAYER 8 Netgate

    You will certainly save cash using FOSS and there is no better FOSS than pfSense and it sounds like it is a great choice for your situation, but this sounds like a significant project that requires professional design and implementation.

    And we would all love to hear a "success story" when you've implemented successfully.



  • @Derelict:

    You will certainly save cash using FOSS and there is no better FOSS than pfSense and it sounds like it is a great choice for your situation, but this sounds like a significant project that requires professional design and implementation.

    Right now we have implemented pfSense for our office network with URL filtering enforced using Squid and SquidGuard, and it is working just fine. So we thought of using it at the enterprise level and enforcing it even for our customers. Going with professional firewalls is way beyond our budget, and we want to go for FOSS and achieve the same success rate as that of professional firewalls.



  • Where is this located?

    It will matter.  If you plan to use it in a place like a remote corner of the Philippines without much competition, you can probably piece together a network and keep customers.

    But in a more developed place, it will be difficult.



  • @kejianshi:

    Where is this located?

    It will matter.  If you plan to use it in a place like a remote corner of the Philippines without much competition, you can probably piece together a network and keep customers.

    But in a more developed place, it will be difficult.

    Sir, we are from India and as far as I know not many companies are using pfSense at the enterprise level. Probably we will be the first to use it on such a big scale, and we want to do it in a cost-effective manner.


  • LAYER 8 Netgate

    How many ISPs are using pfSense doesn't matter.  What kej was getting at is that with little to no competition, you can afford to screw it up a bit, have 48-72-hour outages.  With heavy competition, you can't and expect to remain a viable solution for your customers.



  • @Derelict:

    How many ISPs are using pfSense doesn't matter.  What kej was getting at is that with little to no competition, you can afford to screw it up a bit, have 48-72-hour outages.  With heavy competition, you can't and expect to remain a viable solution for your customers.

    Yes, we do have competition with other companies and yes, we can't afford to remain a viable solution during power outages.
    I think we need professional support to set it up in a proper manner.



  • Yeah - At least one really good person who is always on the clock or like he was saying, ESF professional paid assistance.

