Large MPLS Deployment -- Content Filtering Ideas

We're deploying an MPLS solution across 15 locations within the next few months and I'm at a loss for how to couple a content filter with it.

The way it stands now, we have 14 locations connecting to our headquarters with Cisco 871 routers and DMVPN connections. All HTTP and HTTPS traffic is filtered using a SecureComputing SmartFilter solution.

I don't think we'll be able to continue using this because we're doing away with our Cisco 871s for a managed solution from Paetec.

We don't want to funnel all HTTP/HTTPS traffic through a single bottleneck -- we'd rather use the managed firewall solution from Paetec that allows each location to browse on its independent circuit. I was hoping for something that acts like a managed antivirus solution -- where a client is loaded on the system that does all the filtering, but it is centrally managed by a server in our headquarters.

Anyway, I'm sure I'm not providing enough information, but what do you guys suggest? What do you do for content filtering amongst many locations?
 
We run MPLS between about 10 locations and we have no trouble doing content filtering with our Barracuda Networks web filter, centrally located. I don't know if this helps, but I'd imagine Paetec won't want to build you your own routes to the internet out those T1s, or at least not for free. We were originally going to use Paetec with our deployment but we felt it better to run directly with AT&T. Additionally, if you run AD you can have the Barracuda tie into LDAP for user management.
 
We run MPLS between about 10 locations and we have no trouble doing content filtering with our Barracuda Networks web filter, centrally located. I don't know if this helps, but I'd imagine Paetec won't want to build you your own routes to the internet out those T1s, or at least not for free. We were originally going to use Paetec with our deployment but we felt it better to run directly with AT&T.

We're using their Managed Firewall solution that will give us the ability to route the traffic through each location (or so their engineers tell us). Is the Barracuda Web Filter located at one of the nodes or is it located at the MPLS router?
 
Websense has a client-based solution that will protect/filter a client regardless of location. So, it still works when not connected to the corporate.
 
I'm late to the party, but one of my customers is a 40-site MPLS deployment. They also do content filtering at the NOC without issues. (Then again, they also have a DS3 into the MPLS cloud at the NOC, and 1-2 T's at each location.)
 
We have a 5-site MPLS network with all of the Internet going through the main site. We have Websense at the main site for content filtering.
 
We have thousands of MPLS sites that tie back to their closest geographic region to access an HA proxy cluster for filtering: Americas, London, PacRim, etc.

In your case, I wouldn't want to tie back the default routes on your independent circuit back to a central appliance unless there was a real good reason to (e.g. big investment in it already). Although, I'm not too familiar with the agent-based solutions, so it's hard for me to recommend a particular one...
 
Thanks for all the replies -- I just got back from a weekend in Tampa.

Paetec won't let us install a filtering solution at the NOC, so that's why I wanted a client-server type of solution.

Untangle won't work at each site -- it just doesn't make sense to install a UTM at each site.

Anyone else have an idea?
 
What do you mean Paetec won't allow you to install filtering? It's YOUR network, for crying out loud. Are you talking about at THEIR NOC or at YOUR MPLS hosting site?
 
What do you mean Paetec won't allow you to install filtering? It's YOUR network, for crying out loud. Are you talking about at THEIR NOC or at YOUR MPLS hosting site?

They won't allow us to install a filtering device on THEIR hosting site. It's all a managed service, so the MPLS cloud is all managed and hosted by them.
 
Right, but you don't have to put anything on their site; you put it on yours and route all web traffic out that device.
 