We present a new system to protect IoT devices in multiple premises by a single Virtual Network Function (VNF) deployed in the ISP network. The system is based on the Manufacturer Usage Description (MUD) framework, a white-list IoT protection scheme that has been proposed in recent years.While MUD is designed for on-premise deployment, here we adapt it to work as a scalable, managed service in the ISP level. Our service does not require any cooperation or installation on the client premise or on the IoT devices themselves. Furthermore, it monitors the IoT traffic and detects malicious behavior, including outgoing DDoS traffic, without being on the critical path, and it filters bad traffic by ACLs on either the POP router or the client CPE. The CPE itself is considered an IoT device and traffic destined or that originates at the CPE is monitored as well. For the white-list method we extend the MUD architectural framework to support peer to peer communicating IoT devices (e.g., direct mobile device to IoT device communication).The system includes a mechanism to distinguish between flows of different devices at the ISP level despite the fact that most home networks (and their IoT devices) are behind a NAT and all the flows from the same home come out with the same source IP address. Moreover, the NFV system needs to receive only the first packet of each flow/connection at the VNF, and rules space is proportional to the number of unique types of IoT devices rather than the total number of IoT devices (which is much larger).A PoC with a large national level ISP proves that our technology works as expected, identifying the various IoT devices that are connected to the network and detecting any unauthorized communications.