Web Filtering for ISP's, who would you recommend?

Question: I'm working on a Regulation to allow the content Regulator to issue website blocking requests to ISP's in ......... Blocking of a few websites is not a problem, but blocking an entire category of websites on the other hand (such as "pornography", for example) should be made possible.

The regulation will specify technical solutions (whether software or hardware based) that are acceptable and recognized of being capable of complying with individual, and blanket, blocking requests. Most of the solutions I've found online are tailored towards enterprises for managing employee access to websites; what I'm looking for, however, must be capable of handling access requests from all users of a given ISP. Given the fact that a single URL could have multiple IP addresses, the recommended solution should robust enough to deal with such complexities.

What would you recommend? How was your experience with it? A brief summary would do just fine, there's no need to take a lot of your time in answering this question.


Answer: We have been deploying web filtering solutions for TELCOs for a while. In the TelCo world the requirements are different from the enterprise:
1- No authentication is required
2- Performance and scalability is a major decision criteria
3- Pricing is important when the userbase is over 100K.
4- URL categories must fit your requirements, when needed you should be able to apply more than 1 filter database.
5- Management should not require an army of engineers.
6- Not too many pie charts are required for reporting

http://mediaproducts.gartner.com/reprints/securecomputing/160130.html
Is a good start for checking vendors

Big enterprise appliance based solutions usually have a custom ISP product.
Blue Coat, Ironport, SecureComputing (Now McAfee) , MI5 Networks and Optenet are used commonly at TelCos.

I do work with Blue Coat appliances since it is stable, scaleable and it does support 3rd party URL databases like Websense. But this combination can burn your budget. Blue Coat is in use at several neighboring states for you. Blue Coat also offers its own URL database:
http://www.bluecoat.com/

I have seen large ISP deployments with Optenet (the pricing options were good)
http://www.optenet.com/en-us/ispproducts.asp

Load balancing is a key issue, I am not sure how these ISPs are interconnected to Internet backbone but you will need to load balance content filters. You can check F5, Cisco, Citrix, Radware etc for L4-7 load balancing switches.

And a few recommendations: Do not get ambitious stay away from content AV. It does not scale at ISP level.
DNS poisoning , TCP resets are not very effective go with the content gateway.
Because of you specific requirements, in the cloud services like webroot and Scansafe may not be the best option.
This is a commodity market you have so many alternatives like 8e6, Barracuda, Clearswift et al.

If you have a specific vendor or design question, please let me know,
Regards,
- yinal ozkan