Thank you

farhadsultani · ‎07-01-2017

Dear All,

Hope all is well.

We are an ISP of 2 Gbps backbone bandwidth, and want to have a security appliance on our backbone to keep our own and our customers network secure.

What would you guys recommend?

Thanks in advance for your replies.

Marvin Rhoads · ‎07-03-2017

A lot depends on your requirements.

Do you want customers to be able to have unique policies and view status of their security?

Or do you want something that's invisible to them with only you having the visibility?

Do you need to protect against DDOS?

What's your budget? What's your expertise level? Do you have existing vendor relationships?

farhadsultani · ‎07-03-2017

we want something that's invisible to customers with only we have the visibility?

We need to protect against DDOS.

Our budget can go up to 10000$

Marvin Rhoads · ‎07-03-2017

At that budget level and throughput you are best off putting operational and configuration best practices into place to protect against DDOS. i.e. monitor your traffic levels for unusual patterns, rate limit syn packets, filter RFC 1918 address space, filter bogons etc.

These are specified in RFC 2827 / BCP 38.

https://www.ietf.org/rfc/rfc2827.txt

https://tools.ietf.org/pdf/bcp38.pdf

http://www.internetsociety.org/deploy360/blog/2014/07/anti-spoofing-bcp-38-and-the-tragedy-of-the-commons/

Putting a Cisco security appliance inline (with redundancy) for 2 Gbps of inspected throughtput would require something like a pair of FirePOWER 4110 appliances and cost over 10x your budget.

farhadsultani · ‎07-03-2017

Thank you

ISP (Internet Service Provider) Security Appliance Recommendation