1.29k likes | 2.76k Views
Blue Coat Systems. Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com. Agenda. Company Corporate data Solutions Client Proxy Solution Blue Coat Webfilter SSL Proxy Reverse Proxy MACH5 Products ProxySG, ProxyAV, Director, Reporter K9, - Blue Coat Webfilter at home for free.
E N D
Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com
Agenda • Company • Corporate data • Solutions • Client Proxy Solution • Blue Coat Webfilter • SSL Proxy • Reverse Proxy • MACH5 • Products • ProxySG, ProxyAV, Director, Reporter • K9, - Blue Coat Webfilter at home for free
Integrated Solution for Acceleration & Security About Blue Coat • Innovative leader in secure content & application delivery • 500+ employees; $146M annual revenue run rate • 25,000+ appliances shipped worldwide to more than 4,000 customers • #1 (37%) market leader in Secure Content & Application Delivery (IDC) • Founded in 1996 with a focus on Acceleration • Accelerating Web applications…making Internet applications faster • Innovative proxy caching appliance with object pipelining, adaptive content refresh • Expanded in 2002 to include Policy Control &Security • Rich policy framework integrated with performance engine for visibility and control of users, content and applications • Visibility: Who, what, where, when, how • Control: accelerate, deny, limit, scan, strip, transform…
Integrated Solution for Acceleration & Security About Blue Coat • Strategic Investments • March 1996 Scalable Software (HTTP and OS Kernel) • September 1999 Invertex (SSL Hardware Encryption) • June 2000 Springbank Networks (Hardware Design and Routing Protocols) • December 2000 Entera (Streaming and Content Distribution) • November 2003 Ositis (Virus scanning appliance) • 2004 – Cerberian (Content filtering) • 2006 – Permeo Technologies (SSL VPN & client security)
Client Proxy Byte Caching Protocol detection Logging BW management Authentication Policy Internet Clients Caching Antivirus Protocol optimization Compression URL-Filtering
Application proxy AOL-IM Streaming Yahoo-IM HTTP & HTTPS FTP MSN-IM Internet MAPI .mp3 .xxx ? gral.se CIFS P2P DNS TCP-Tunnel SOCKS Telnet/Shell
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password.
Authentication NT, W2000 or W2003DC RADIUS Server Netegrity SiteMinder Policy Substitution AD Directory Directory Directory Clients Internet LDAP Client Certifficate On box Database Oblix Directory X509/CA List Directory
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy
Content Filtering • Organizations need to control what users are doing when accessing the internet to protect from legal liability and productivity risks • Blue Coat and our partners enable enterprise-class content filtering • Powerful granular user control using Blue Coat’s Policy Processing Engine • By user, group, destination IP and/or URL, time of day, site, category, lots more • Multiple logging and reporting options • Integrates with all authentication (LDAP, RADIUS, NTLM, AD, 2-factor, etc) • Coaching, warnings, etc. • High performance with integrated caching • Drop-in appliance for easy to deploy and manage • De-facto industry content filtering platform
DRTR Content filtering databases Optenet IWF InterSafe Digital Arts WebWasher Proventia Smartfilter SurfControl Websense Clients Internet BlueCoat webfilter Your lists exceptions
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting.
Core ProxySG Edge ProxySG compressed uncompressed compressed compressed compressed compressed uncompressed uncompressed uncompressed uncompressed HTTP Compression ProxySG can support a mixed mode of HTTP compression operation Original Content Server (OCS) or Core ProxySG can send either (de)compressed content to edge or core ProxySG using GZIP or Deflate algorithms Remote Office HQ Office ProxySG Enterprise Internet
Bandwidth Management (BWM) OBJECTIVE Classify, control and limit the amount of bandwidth used by a class of network traffic • BENEFITS • Protect performance of mission critical applications • SAP, ERP apps • Prevent bandwidth greedy applications from impacting other applications • P2P • Provision bandwidth for applications that require a per-session amount of bandwidth • Streaming • Balance necessary and important, bandwidth intensive, applications • HTTP, IM
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network via HTTP, HTTPS and FTP is stripped or scanned by ProxyAV.
Virus, Code & Script scanning Other ICAP servers Clients Internet Sophos McAfee ProxyAV Kaspersky Panda
ProxySG & ProxyAV • Large Enterprise/Network Core • Scan once, serve many (cache benefit) Internet Internal Network • Virus Scans HTTP, FTP with caching benefit • ProxySG Load Balances ProxyAV ProxySG ProxyAV • Purpose-built appliances for speed • “Scan once, serve many” to increase performance • High-availability & load-balancing • Purpose built operating systems
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure.
Internet ProxySG Internal Network ProxyAV BlueCoat Spyware Prevention Solution • Stopsspyware installations • Detect drive-by installers • Blocks spyware websites • On-Proxy URL categorization • Scans for spyware signatures • High-performance Web AV • Detects suspect systems • Forward to cleansing agent
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure. IM Traffic Control: IM traffic is subjected to policies and is logged
IM Control with Blue Coat ProxySG • Granular IM policy control • By enterprise, group or user level • Control by IM feature (IM only, chat, attachments, video, etc.), internal or external IM, time of day, etc. • Control IM options include deny connection, strip attachment, log chat (including attachment) • Key word actions include send alert to IT or manager, log, strip, send warning message to user • Drop-in appliance for easy to deploy and manage IM control
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure. IM Traffic Control: IM traffic is subjected to policies and is logged Caching: Acceptable, clean content is stored in cache and delivered to requestor.
Streaming acceleration • Streaming • Microsoft Streaming & Native RTSP • Live Stream split, VOD Stream cache • Rich Streaming features, Unicast-Multicast • Scheduling live streaming from VOD • Enhancements • Store, Cache & distribute Video On Demand • Schedule VOD content to be played as Live Content • Convert between Multicast-Unicast • Authenticate Streaming usersTo NTLM, Ldap, RADIUS+Onbox
How We Secure the Web IntranetWebServer PublicWebServer Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure. IM Traffic Control: IM traffic is subjected to policies and is logged Caching: Acceptable, clean content is stored in cache and delivered to requestor. Reporting: All browser, streaming, IM & virus activity, can be reported using Bluecoat's highly configurable reporter.
The Internet The internet today consists of 350 million webservers. A large ammount of these conatain information you don’t want in your organisation. A cleaver solution would be to use Content Filtering. BlueCoat now introduces Generation 3 of content filtering, BlueCoat Webfilter. 350 Million
Generation 1 The first generation of content filters consisted of static manually managed lists of popular pornographic and unproductive websites. Very often retreived from access logs, popular bad sites where banned. The intended purpose was to save bandwidth and warn users that inapropriate behaviour was logged. People got together and distributed their lists in free lists compatible with proxies such as Squid. The distributed list where in the size of a million URL:s 1 Million 349 Million
Generation 2 Corporations relised they could make money of a list and started to collect lists and logs from the web, manually rating these in larger scale. More categories where added to increase value. The systems started to collect URL:S autmatically and download new lists periodicly. Some of them even many times every day. Special categories where added for static security threats placed on known webservers, spyware phishing etc. Other than bad sites where added such as Economy, business, news etc. to present statistics of Internet usage. 15 Million 335 Million
Generation 2 Number of URL:s was in the numbers of 10-20 millions. Hitrates in logsystems presented was in the numbers of 50-80%. Regular expression on URL:s and other tricks sometimes gave a false picture of rating over 90%. But in fact less than 5% of the Internet was covered. 15 Million 335 Million
Generation 3 The dynamics of internet and new security risks urged for a new way of categorizing the Internet, Dynamic rating of uncategorized websites can today rate most websites, the ones thats impossible to rate could be stripped down to present only html and images to reduce risk. The static URL database are constantly updated like any Generation 2 filter. This database is cached in some systems (ProxySG) to increase performance. The rest (95%) of the Internet is categorised using dynamic rating. 15 Million 335 Million
RS language 1 language 2 language 3 Language detection To background rating language 4 44µs language 5 DBR HR language n DRTR DXD Dynamic Real Time Rating Servers Internet G2 Clients BlueCoat Customer * The picture is simplified, all systems are redundant.
Internet InternalNetwork Apps SSL SSL User SSL Proxy: Policy Enforcement • Control web content, applications, and services…regardless of encryption • Block, allow, throttle, scan, accelerate, insert, strip, redirect, transform … • Apply the same policies to encrypted traffic as to normal traffic • Stops/controls rogue applications that take advantage of SSL • Protect the enterprise from SSL-borne threats • Stop spyware and secured phishing • SSL-secured webmail and extranets – virus transmissions • SSL-borne malicious and inappropriate content • Accelerate critical applications • Enables a variety of acceleration techniques (e.g., caching) Policy
Client Proxy Server Algorithms I support. Connection Request. Algorithms I support. Connection Request. Use this algorithm. Server’s digital certificate. Let’s use this algorithm. Emulated certificate. Verify certificate and extract (proxy’s) public key. Verify certificate and extract server’s public key. CompleteAuthentication. CompleteAuthentication. CompleteAuthentication. CompleteAuthentication. Tunnel Established Tunnel Established Blue Coat: Visibility and Context Client-Proxy Connection Server-Proxy Connection
Internet TCP TCP SSL User Flexible Configurations • Trusted applications passed through • Sensitive, known, financial or health care • No cache, visibility • Awareness of network-level information only Option 1 Control Apps
Internet TCP TCP SSL User Flexible Configurations • Initial checks performed • Valid user, valid application • Valid server cert • User/application traffic passed through after initial checks • No cache • Visibility and context of network-level info, certificates, user, and applications • Can warn user, remind of AUP, and offer opt-out Option 2 Control Apps
Internet TCP TCP SSL SSL User Flexible Configurations • Initial checks performed • Valid user, valid application • Valid server cert • User/application traffic proxied after initial checks • Full caching and logging options • Visibility and context of network-level info, certificates, user, applications, content, etc. • Full termination/proxy • Can warn user, remind of AUP, and offer opt-out Option 3 Control Apps
Reverse Proxy Policy Logging Authentication URL-rewrite Internet Clients Servers AV SSL/Certificate Caching
PROTECTS Web Servers • Secure, object-based OS • Controls access to web apps • Web AV scanning • ACCELERATES Web Content • Intelligent caching • Compression and bandwidth mgt. • TCP & SSL offload Users • SIMPLIFIES Operations • Scalable, optimized appliance • Easy policy creation & management • Complete logging & reporting Secure & Accelerate Web Applications Reverse Proxy WebServers ProxySG Firewall Internal Network Public Internet Users
HTTPS Termination • HTTPS Termination (Client ProxySG) • Off-load secure website or portal • HTTPS Origination (ProxySG Server) • Secure channel to content server for clients • Man-in-the-Middle (Termination & Origination) • Allows caching, policy and virus scanning • Secure credential acquisitions • SSL Hardware Acceleration Cards • 800 RSA transactions per second per card • SSL v2.0, v3.0, and TLS v1 support • Off-load web application servers to improve performance
Example Scenarios for Reverse Proxy • Secure and Accelerate Public Websites • Improves content delivery with integrated caching • Services legitimate users while resisting DoS attacks • High-performance SSL • Secure Corporate Webmail • Securely isolates Web servers from direct Internet access • Proxy authentication for additional layer of protection • Plug-n-play SSL • Scanning Uploaded Files for Viruses • Simple integration with ProxyAV™ • Real-time scanning of uploaded content • Protects Web infrastructure from malware
+ Increased application traffic + Inefficient application protocols + Highly distributed users + Narrow bandwidth links = Poor Application Performance Recipe for Branch Performance Problems Server Consolidation
Complete Solution Requires More Minimum for Application Acceleration • Optimize use of existing WAN bandwidth • Reduce latency associated with applications • Improve the efficiency of application protocols • Prioritize the applications that matter most • Re-use and compress data where possible • Accelerate File Sharing, Email, and browser-based enterprise applications
File Services (CIFS), Web (HTTP), Exchange (MAPI), Video/Streaming (RTSP, MMS), Secure Web (SSL) Platform for Application Acceleration Multiprotocol Accelerated Caching Hierarchy Bandwidth Management Protocol Optimization Object Caching Byte Caching Compression