Page 1: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com

Blue Coat Systems

Roger Gotthardsson, Sr. Systems Engineer, roger@bluecoat.com

Page 2

Agenda

• Company: Corporate data

• Solutions: Client Proxy Solution, Blue Coat Webfilter, SSL Proxy, Reverse Proxy, MACH5

• Products: ProxySG, ProxyAV, Director, Reporter; K9, Blue Coat Webfilter at home for free

Page 3

Company

Page 4

About Blue Coat

• Innovative leader in secure content & application delivery

– 500+ employees; $146M annual revenue run rate

– 25,000+ appliances shipped worldwide to more than 4,000 customers

– #1 (37%) market leader in Secure Content & Application Delivery (IDC)

• Founded in 1996 with a focus on Acceleration

– Accelerating Web applications… making Internet applications faster

– Innovative proxy caching appliance with object pipelining, adaptive content refresh

• Expanded in 2002 to include Policy Control & Security

– Rich policy framework integrated with the performance engine for visibility and control of users, content and applications

• Visibility: Who, what, where, when, how

• Control: accelerate, deny, limit, scan, strip, transform…

Integrated Solution for Acceleration & Security

Page 5

About Blue Coat

• Strategic Investments

– March 1996: Scalable Software (HTTP and OS Kernel)

– September 1999: Invertex (SSL Hardware Encryption)

– June 2000: Springbank Networks (Hardware Design and Routing Protocols)

– December 2000: Entera (Streaming and Content Distribution)

– November 2003: Ositis (Virus scanning appliance)

– 2004: Cerberian (Content filtering)

– 2006: Permeo Technologies (SSL VPN & client security)

Integrated Solution for Acceleration & Security

Page 6

Client Proxy Solution

Page 7

Client Proxy

(Diagram: Clients on one side, the Internet on the other, with the client proxy in between. Functions shown on the proxy: Caching, Antivirus, URL-Filtering, Logging, Authentication, Protocol optimization, BW management, Compression, Policy, Protocol detection, Byte Caching.)

Page 8

Application proxy

(Diagram: protocols proxied between clients and the Internet: AOL-IM, FTP, HTTP & HTTPS, MSN-IM, Streaming, Yahoo-IM, TCP-Tunnel, SOCKS, CIFS, P2P, Telnet/Shell, DNS, MAPI. The figure also carries the content labels .mp3 and .xxx and the host name gral.se.)

Page 9

How We Secure the Web

(Diagram: Internal Network with an Intranet Web Server; Public Internet with a Public Web Server.)

AAA: User logs onto the network and is authenticated via NTLM, AD (Single Sign-on), LDAP, RADIUS, Forms, or local password.

Page 10

Authentication

(Diagram: clients and the Internet, with the proxy authenticating against the sources shown: on-box database (list), LDAP directory, X.509/CA client certificate, AD domain controller (NT, Windows 2000 or Windows 2003) directory, RADIUS server, Netegrity SiteMinder directory, Oblix directory; policy substitution.)

Page 11

How We Secure the Web

Policy Processing Engine: All user web application requests are subjected to granular security policy.

Page 12

How We Secure the Web

Content Filtering: Requests for content are controlled using content filtering based on granular policy.

Page 13

Content Filtering

• Organizations need to control what users are doing when accessing the Internet, to protect against legal liability and productivity risks

• Blue Coat and our partners enable enterprise-class content filtering

– Powerful granular user control using Blue Coat’s Policy Processing Engine

• By user, group, destination IP and/or URL, time of day, site, category, and much more

– Multiple logging and reporting options

– Integrates with all authentication (LDAP, RADIUS, NTLM, AD, 2-factor, etc.)

– Coaching, warnings, etc.

– High performance with integrated caching

– Drop-in appliance, easy to deploy and manage

– De-facto industry content filtering platform

Page 14

Content filtering databases

(Diagram: clients and the Internet, with the proxy consulting one or more of the filtering databases shown: Websense, Smartfilter, SurfControl, your own lists and exceptions, Blue Coat Webfilter, WebWasher, Proventia, Digital Arts, InterSafe, Optenet, DRTR, IWF.)

Page 15

How We Secure the Web

Bandwidth management: Compression, bandwidth management, and streaming media caching and splitting.

Page 16

HTTP Compression

(Diagram: Remote Office with an Edge ProxySG, HQ Office with a Core ProxySG, and the Enterprise Internet; each link is labelled with the compressed and uncompressed content that can flow over it.)

ProxySG can support a mixed mode of HTTP compression operation.

The Original Content Server (OCS) or the Core ProxySG can send either compressed or uncompressed content to an edge or core ProxySG, using the GZIP or Deflate algorithms.

Page 17

Bandwidth Management (BWM)

OBJECTIVE

Classify, control and limit the amount of bandwidth used by a class of network traffic

BENEFITS

• Protect performance of mission-critical applications (SAP, ERP apps)

• Prevent bandwidth-greedy applications from impacting other applications (P2P)

• Provision bandwidth for applications that require a per-session amount of bandwidth (Streaming)

• Balance necessary and important bandwidth-intensive applications (HTTP, IM)

Page 18

How We Secure the Web

Web Virus scanning: Potentially harmful content entering the network via HTTP, HTTPS and FTP is stripped or scanned by ProxyAV.

Page 19

Virus, Code & Script scanning

(Diagram: clients and the Internet, with the proxy handing content to ProxyAV or to other ICAP servers; scan engines shown: Sophos, Panda, McAfee, Kaspersky.)

Page 20

ProxyAV

ProxySG & ProxyAV: Large Enterprise / Network Core. Scan once, serve many (cache benefit).

(Diagram: Internet, ProxySG and ProxyAV, Internal Network.)

• Virus scans HTTP, FTP with caching benefit

• ProxySG load balances

• Purpose-built appliances for speed

• “Scan once, serve many” to increase performance

• High-availability & load-balancing

• Purpose-built operating systems

Page 21

How We Secure the Web

Spyware: Prevention is better than a cure.

Page 22

Blue Coat Spyware Prevention Solution

• Stops spyware installations – detect drive-by installers

• Blocks spyware websites – on-proxy URL categorization

• Scans for spyware signatures – high-performance Web AV

• Detects suspect systems – forward to cleansing agent

(Diagram: Internet, ProxySG and ProxyAV, Internal Network.)

Page 23

How We Secure the Web

IM Traffic Control: IM traffic is subjected to policies and is logged.

Page 24

IM Control with Blue Coat ProxySG

• Granular IM policy control

– By enterprise, group or user level

– Control by IM feature (IM only, chat, attachments, video, etc.), internal or external IM, time of day, etc.

– IM control options include deny connection, strip attachment, log chat (including attachment)

– Keyword actions include send alert to IT or manager, log, strip, send warning message to user

• Drop-in appliance for easy-to-deploy and manage IM control

Page 25

How We Secure the Web

Caching: Acceptable, clean content is stored in cache and delivered to the requestor.

Page 26

Streaming acceleration

• Streaming

– Microsoft Streaming & native RTSP

– Live stream split, VOD stream cache

– Rich streaming features, Unicast-Multicast

– Scheduling live streaming from VOD

• Enhancements

– Store, cache & distribute Video On Demand

– Schedule VOD content to be played as live content

– Convert between Multicast and Unicast

– Authenticate streaming users to NTLM, LDAP, RADIUS + on-box

Page 27

How We Secure the Web

Reporting: All browser, streaming, IM & virus activity can be reported using Blue Coat’s highly configurable Reporter.

Page 28

Reporter

Page 29

Blue Coat Webfilter

Page 30

The Internet

The Internet today consists of 350 million web servers.

A large amount of these contain information you don’t want in your organisation.

A clever solution would be to use content filtering.

Blue Coat now introduces Generation 3 of content filtering, Blue Coat Webfilter.

(Figure: 350 Million.)

Page 31

Generation 1

The first generation of content filters consisted of static, manually managed lists of popular pornographic and unproductive websites. Very often retrieved from access logs, popular bad sites were banned.

The intended purpose was to save bandwidth and to warn users that inappropriate behaviour was logged.

People got together and distributed their lists as free lists compatible with proxies such as Squid.

The distributed lists were in the size of a million URLs.

(Figure: 1 Million listed, 349 Million remaining of the 350 million.)

Page 32

Generation 2

(Figure: 15 Million listed, 335 Million remaining.)

Corporations realised they could make money off a list and started to collect lists and logs from the web, manually rating these on a larger scale. More categories were added to increase value. The systems started to collect URLs automatically and download new lists periodically, some of them even many times every day.

Special categories were added for static security threats placed on known web servers: spyware, phishing etc. Categories other than bad sites were added as well, such as Economy, Business, News etc., to present statistics of Internet usage.

Page 33

Generation 2

The number of URLs was in the range of 10-20 million. Hit rates presented by log systems were in the range of 50-80%. Regular expressions on URLs and other tricks sometimes gave a false picture of a rating rate over 90%. But in fact less than 5% of the Internet was covered.

Page 34

Generation 3

The dynamics of the Internet and new security risks called for a new way of categorizing the Internet. Dynamic rating of uncategorized websites can today rate most websites; the ones that are impossible to rate can be stripped down to present only HTML and images, to reduce risk.

The static URL database is constantly updated, like any Generation 2 filter. This database is cached in some systems (ProxySG) to increase performance. The rest (95%) of the Internet is categorised using dynamic rating.
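The three ideas the deck combines here, a static URL list (page 13's granular policy by user, group, category and time of day, and the Generation 2 list above), an on-box cache of dynamic ratings, and a fallback for sites that cannot be rated, can be shown in one small pipeline. The following is an added example, not Blue Coat code and not the Webfilter or CPL policy format: the static database, the stand-in rating service, the category names, the rules and the user requests are all constructed, and the "strip" action only records the decision rather than rewriting content.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, Iterable, Optional, Set
from urllib.parse import urlsplit

# Constructed static URL database (the Generation 2 part): domain -> category.
STATIC_DB = {"example-news.test": "news", "games.test": "games", "intranet.corp.test": "business"}

# Constructed stand-in for the background rating service (the Generation 3 part):
# it can rate some hosts and returns None for the ones it cannot.
DYNAMIC_RATINGS = {"bet.example.test": "gambling"}


def fake_dynamic_rater(host: str) -> Optional[str]:
    return DYNAMIC_RATINGS.get(host)


class Categorizer:
    """Static list first, then the on-box cache of earlier dynamic ratings, then the rating service."""

    def __init__(self, static_db: Dict[str, str], rater: Callable[[str], Optional[str]]) -> None:
        self.static_db = dict(static_db)
        self.rater = rater
        self.dynamic_cache: Dict[str, Optional[str]] = {}
        self.stats = {"static": 0, "cache": 0, "dynamic": 0}

    def categorize(self, url: str) -> Optional[str]:
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        for i in range(len(labels)):              # a list entry for x.test also covers www.x.test
            category = self.static_db.get(".".join(labels[i:]))
            if category is not None:
                self.stats["static"] += 1
                return category
        if host in self.dynamic_cache:
            self.stats["cache"] += 1
            return self.dynamic_cache[host]
        self.stats["dynamic"] += 1
        category = self.rater(host)
        self.dynamic_cache[host] = category       # cache "unratable" too, so each host is rated once
        return category


@dataclass
class Rule:
    action: str                                        # allow, deny, coach (warn) or strip (HTML and images only)
    groups: Optional[Set[str]] = None                  # None: any group
    categories: Optional[Set[Optional[str]]] = None    # None: any category; {None} matches unrated sites
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def matches(self, group: str, category: Optional[str], now: time) -> bool:
        return ((self.groups is None or group in self.groups)
                and (self.categories is None or category in self.categories)
                and self.start <= now <= self.end)


class PolicyEngine:
    def __init__(self, categorizer: Categorizer, rules: Iterable[Rule]) -> None:
        self.categorizer, self.rules = categorizer, list(rules)

    def decide(self, user: str, group: str, url: str, now: time) -> dict:
        category = self.categorizer.categorize(url)
        action = "allow"                          # default when no rule matches
        for rule in self.rules:                   # first matching rule wins
            if rule.matches(group, category, now):
                action = rule.action
                break
        return {"user": user, "url": url, "category": category, "action": action}


RULES = [
    Rule("deny", categories={"gambling"}),
    Rule("deny", categories={"games"}, start=time(9, 0), end=time(17, 0)),   # working hours only
    Rule("coach", groups={"guests"}, categories={"news"}),
    Rule("strip", categories={None}),             # unrated site: serve only HTML and images
]


def demo():
    engine = PolicyEngine(Categorizer(STATIC_DB, fake_dynamic_rater), RULES)
    requests = [                                  # constructed sample requests
        ("alice", "sales", "http://www.example-news.test/today", time(10, 0)),
        ("bob", "guests", "http://games.test/play", time(14, 0)),
        ("bob", "guests", "http://games.test/play", time(19, 0)),
        ("carol", "sales", "https://bet.example.test/", time(11, 0)),
        ("carol", "sales", "https://bet.example.test/odds", time(11, 5)),
        ("dave", "sales", "http://odd.example.test/x", time(12, 0)),
        ("bob", "guests", "http://example-news.test/", time(8, 0)),
    ]
    return [engine.decide(*r) for r in requests], engine.categorizer.stats


if __name__ == "__main__":
    for decision in demo()[0]:
        print(decision)
```

Two points worth noticing when running it: the second request for bet.example.test is answered from the cache, so the rating service is asked once per host, which is what makes a 95%-dynamic approach affordable; and the rule set deliberately ends with a catch-all for unrated sites, because a default of "allow" for everything the lists have never seen is exactly the coverage gap the Generation 2 slides describe.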

Page 35

Dynamic Real Time Rating

(Diagram: Customer side with clients, Blue Coat side with the rating servers, connected over the Internet; the Blue Coat side includes the DRTR service, a background rating stage with language detection for language 1 to language n, and the labels G2, 44µs, RS, DXD and HRDBR. Arrow label: "To background rating".)

* The picture is simplified; all systems are redundant.

Page 36

SSL Proxy

Page 37

SSL Proxy: Policy Enforcement

(Diagram: User on the Internal Network, the SSL proxy applying Policy, Apps on the Internet; SSL on both sides of the proxy.)

• Control web content, applications, and services… regardless of encryption

– Block, allow, throttle, scan, accelerate, insert, strip, redirect, transform…

– Apply the same policies to encrypted traffic as to normal traffic

– Stops/controls rogue applications that take advantage of SSL

• Protect the enterprise from SSL-borne threats

– Stop spyware and secured phishing

– SSL-secured webmail and extranets: virus transmissions

– SSL-borne malicious and inappropriate content

• Accelerate critical applications

– Enables a variety of acceleration techniques (e.g., caching)

Page 38

Blue Coat: Visibility and Context

(Diagram: the SSL handshake as seen from the proxy, drawn as a Server-Proxy Connection and a Client-Proxy Connection.)

Server-Proxy Connection:

– Proxy to Server: Connection Request. Algorithms I support.

– Server to Proxy: Use this algorithm. Server’s digital certificate.

– Proxy: Verify certificate and extract server’s public key.

– Complete Authentication. Tunnel Established.

Client-Proxy Connection:

– Client to Proxy: Connection Request. Algorithms I support.

– Proxy to Client: Let’s use this algorithm. Emulated certificate.

– Client: Verify certificate and extract (proxy’s) public key.

– Complete Authentication. Tunnel Established.

Page 39

Flexible Configurations

Option 1

(Diagram: User, TCP and SSL tunnelled through the proxy, Apps on the Internet.)

• Trusted applications passed through

– Sensitive, known, financial or health care

• No cache, visibility

• Awareness of network-level information only

(Figure label: Control.)

Page 40

Flexible Configurations

Option 2

(Diagram: User, TCP and SSL through the proxy, Apps on the Internet.)

• Initial checks performed

– Valid user, valid application

– Valid server cert

• User/application traffic passed through after initial checks

• No cache

• Visibility and context of network-level info, certificates, user, and applications

• Can warn user, remind of AUP, and offer opt-out

(Figure label: Control.)

Page 41

Flexible Configurations

Option 3

(Diagram: User, TCP and SSL terminated on the proxy on both sides, Apps on the Internet.)

• Initial checks performed

– Valid user, valid application

– Valid server cert

• User/application traffic proxied after initial checks

• Full caching and logging options

• Visibility and context of network-level info, certificates, user, applications, content, etc.

– Full termination/proxy

• Can warn user, remind of AUP, and offer opt-out

(Figure label: Control.)

Page 42

Reverse Proxy

Page 43

Reverse Proxy

(Diagram: Internet clients on one side, servers on the other, with the reverse proxy in between. Functions shown on the proxy: Caching, AV, SSL/Certificate, Authentication, Logging, Policy, URL-rewrite.)

Page 44

Reverse Proxy: Secure & Accelerate Web Applications

(Diagram: Users on the Public Internet, Firewall, ProxySG, Web Servers on the Internal Network.)

ACCELERATES Web Content

• Intelligent caching

• Compression and bandwidth mgt.

• TCP & SSL offload

PROTECTS Web Servers

• Secure, object-based OS

• Controls access to web apps

• Web AV scanning

SIMPLIFIES Operations

• Scalable, optimized appliance

• Easy policy creation & management

• Complete logging & reporting

Page 45

HTTPS Termination

• HTTPS Termination (Client to ProxySG)

– Off-load secure website or portal

• HTTPS Origination (ProxySG to Server)

– Secure channel to content server for clients

• Man-in-the-Middle (Termination & Origination)

– Allows caching, policy and virus scanning

• Secure credential acquisition

• SSL Hardware Acceleration Cards

– 800 RSA transactions per second per card

– SSL v2.0, v3.0, and TLS v1 support

• Off-load web application servers to improve performance

Page 46

Example Scenarios for Reverse Proxy

• Secure and Accelerate Public Websites

– Improves content delivery with integrated caching

– Serves legitimate users while resisting DoS attacks

– High-performance SSL

• Secure Corporate Webmail

– Securely isolates Web servers from direct Internet access

– Proxy authentication for an additional layer of protection

– Plug-n-play SSL

• Scanning Uploaded Files for Viruses

– Simple integration with ProxyAV™

– Real-time scanning of uploaded content

– Protects Web infrastructure from malware

Page 47

Accelerate Applications: All Users, All Locations

Page 48

Recipe for Branch Performance Problems

Server consolidation

+ Increased application traffic

+ Narrow bandwidth links

+ Highly distributed users

+ Inefficient application protocols

= Poor Application Performance

Page 49

Complete Solution Requires More

Minimum for Application Acceleration:

• Optimize use of existing WAN bandwidth

• Reduce latency associated with applications

• Improve the efficiency of application protocols

• Prioritize the applications that matter most

• Re-use and compress data where possible

• Accelerate File Sharing, Email, and browser-based enterprise applications

Page 50

Platform for Application Acceleration

Multiprotocol Accelerated Caching Hierarchy: Bandwidth Management, Protocol Optimization, Object Caching, Byte Caching, Compression

Protocols: File Services (CIFS), Web (HTTP), Exchange (MAPI), Video/Streaming (RTSP, MMS), Secure Web (SSL)

Page 51

New Requirement: SSL Acceleration

• Nearly 50% of all corporate Web application traffic is SSL

• 70% of all mobile and teleworkers use SSL for secure application delivery

• 68% of Blue Coat customers depend on externally hosted Web applications

(Chart: SSL Traffic for Internally Hosted Apps and Externally Hosted Apps; "More and More SSL…")

Source: Blue Coat Customer Surveys

Page 52

New Requirement: Video Acceleration

• Enterprise users becoming more distributed

– Mobile, teleworker, and branch/remote offices

– Regulatory and cost drivers

• Remote employee training becoming a necessity

– Live (streaming) and on-demand video

• Performance quality becoming a requirement

– Network and application issues must be addressed

– Control and acceleration of video is needed

Page 53

Bandwidth Management

• Divide user and application traffic into classes

• Guarantee min and/or max bandwidth for a class

• Align traffic classes to business priorities

Example classes:

– Sales Automation App: Priority 1, Min 400Kb, Max 800Kb

– E-Mail: Priority 2, Min 100Kb, Max 400Kb

– File Services: Priority 3, Min 400Kb, Max 800Kb

– General Web Surfing: Priority 4, Min 0Kb, Max 200Kb
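To see what the min/max/priority triple on this slide actually does on a shared link, the following added example allocates a link among the four classes above. It is not Blue Coat code and the allocation rule is an assumption of this example, not a description of how ProxySG schedules traffic: every class first receives its guaranteed minimum (or less if it is idle), and the remainder is handed out in priority order up to each class's maximum. The per-class demand figures are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class TrafficClass:
    name: str
    priority: int   # 1 is the highest priority
    min_kb: int     # guaranteed bandwidth, Kb/s
    max_kb: int     # hard cap, Kb/s


# The four classes from the slide above.
CLASSES = [
    TrafficClass("Sales Automation App", 1, 400, 800),
    TrafficClass("E-Mail", 2, 100, 400),
    TrafficClass("File Services", 3, 400, 800),
    TrafficClass("General Web Surfing", 4, 0, 200),
]


def validate(classes: List[TrafficClass], link_kb: int) -> None:
    """A guarantee that cannot be honoured is a misconfiguration: the minimums must fit
    the link, and no class may be capped below its own guarantee."""
    if sum(c.min_kb for c in classes) > link_kb:
        raise ValueError("sum of guaranteed minimums exceeds link capacity")
    for c in classes:
        if c.max_kb < c.min_kb:
            raise ValueError(f"{c.name}: max below min")


def allocate(classes: List[TrafficClass], link_kb: int, demand: Dict[str, int]) -> Dict[str, int]:
    """Return Kb/s per class for one scheduling interval (assumed allocation rule).

    Step 1 gives every class its guaranteed minimum, or less if it wants less right now.
    Step 2 hands the remaining capacity out in priority order, each class taking what it
    still wants up to its cap, so bandwidth an idle class leaves unused is borrowed by others.
    """
    validate(classes, link_kb)
    alloc = {c.name: min(c.min_kb, demand.get(c.name, 0)) for c in classes}
    remaining = link_kb - sum(alloc.values())
    for c in sorted(classes, key=lambda tc: tc.priority):
        wanted = min(c.max_kb, demand.get(c.name, 0)) - alloc[c.name]
        grant = min(max(wanted, 0), remaining)
        alloc[c.name] += grant
        remaining -= grant
    return alloc


if __name__ == "__main__":
    saturated = {c.name: 10_000 for c in CLASSES}   # constructed: every class wants more than the link
    for link in (1000, 2000):
        print(link, allocate(CLASSES, link, saturated))
    print("sales idle", allocate(CLASSES, 1000, {**saturated, "Sales Automation App": 0}))
```

On a 1000 Kb link with all classes busy, the guarantees already consume 900 Kb and the last 100 Kb goes to priority 1, so General Web Surfing gets nothing even though its cap is 200 Kb; on a 2000 Kb link the three top classes reach their caps and Web Surfing still gets nothing, which is the point of putting it last. The validate() step is the check worth keeping in any real configuration: a set of minimums that exceeds the link is silently unenforceable.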

Page 54

Protocol Optimization

Page 55

Protocol Optimization

10-100X faster. Includes CIFS, MAPI, HTTP, HTTPS, TCP.

Page 56

Object Caching

• Built on high-level applications and protocols

– HTTP/Web caching

– Streaming caches

– CIFS cache

• Advantages

– Fastest response times

– Offload work from servers (and networks)

– Can be deployed asymmetrically

• Limitations

– Application-specific

– All or nothing: no benefit if the whole object is not found or has changed

Page 57

Byte Caching

(Diagram: Local LAN, WAN link, Remote LAN, with a Local History Cache and a Remote History Cache on the two proxies.)

Proxies keep a history of all bytes sent and received.

Original stream (example from the figure): 110111110011100100100101110011001010111011001000011010011001110010000011110001110011000110000010011110000001101111010010000110110100101111100110100111011010011010011110010000000000001110010111001011011011010010101100101100

Sequences are found in the local history cache. They are transmitted as small references over the WAN:

[R1]0010010[R2]100101111100110100111011010011[R3]

The original stream is reconstructed using the remote history cache.

Page 58

Compression

(Diagram: the byte stream before and after COMPRESSION.)

• Industry-standard gzip algorithm compresses all traffic

• Removes predictable “white space” from content and objects being transmitted
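The byte-caching slide (page 57) and this compression slide describe two layers that the deck later says work together: the history caches on both ends replace already-seen byte sequences with small references, and gzip then shrinks whatever still has to cross the WAN. The following is an added example that implements both layers end to end; it is not Blue Coat or MACH5 code. The token format ("L" + length + bytes for a literal, "R" + index for a reference), the fixed 64-byte chunking and the sample data are constructed for the demonstration.

```python
import hashlib
import zlib
from typing import Dict, List, Optional

CHUNK = 64   # fixed-size chunks; a constructed simplification (see the note after the code)


class HistoryCache:
    """Byte chunks previously seen on this link, addressed by a small integer.
    The two proxies keep identical copies: both append a chunk the first time it crosses the WAN."""

    def __init__(self) -> None:
        self.chunks: List[bytes] = []
        self.index: Dict[bytes, int] = {}   # sha256(chunk) -> position in self.chunks

    def lookup(self, chunk: bytes) -> Optional[int]:
        return self.index.get(hashlib.sha256(chunk).digest())

    def add(self, chunk: bytes) -> int:
        ref = self.index.setdefault(hashlib.sha256(chunk).digest(), len(self.chunks))
        if ref == len(self.chunks):
            self.chunks.append(chunk)
        return ref


class ByteCacheEndpoint:
    """One end of the WAN link: encode() is the sending side, decode() the receiving side."""

    def __init__(self) -> None:
        self.history = HistoryCache()

    def encode(self, data: bytes) -> bytes:
        """Chunks already in history become a 5-byte reference; the rest go as literals
        and are remembered so that the next transfer can reference them."""
        out = bytearray()
        for pos in range(0, len(data), CHUNK):
            chunk = data[pos:pos + CHUNK]
            ref = self.history.lookup(chunk)
            if ref is None:
                self.history.add(chunk)
                out += b"L" + len(chunk).to_bytes(2, "big") + chunk
            else:
                out += b"R" + ref.to_bytes(4, "big")
        return bytes(out)

    def decode(self, wire: bytes) -> bytes:
        """Rebuild the original stream; literals enter history exactly as on the sending side."""
        out = bytearray()
        pos = 0
        while pos < len(wire):
            tag = wire[pos:pos + 1]
            pos += 1
            if tag == b"L":
                length = int.from_bytes(wire[pos:pos + 2], "big")
                chunk = wire[pos + 2:pos + 2 + length]
                if len(chunk) != length:
                    raise ValueError("truncated literal")
                pos += 2 + length
                self.history.add(chunk)
                out += chunk
            elif tag == b"R":
                ref = int.from_bytes(wire[pos:pos + 4], "big")
                pos += 4
                if ref >= len(self.history.chunks):
                    raise ValueError("reference to unknown chunk: history caches out of sync")
                out += self.history.chunks[ref]
            else:
                raise ValueError("corrupt token stream")
        return bytes(out)


def transfer(sender: ByteCacheEndpoint, receiver: ByteCacheEndpoint, data: bytes) -> dict:
    """Byte-cache, then gzip-compress the token stream; the receiver reverses both steps.
    Returns the size of the data at each stage."""
    tokens = sender.encode(data)
    on_the_wire = zlib.compress(tokens, 9)
    rebuilt = receiver.decode(zlib.decompress(on_the_wire))
    if rebuilt != data:
        raise RuntimeError("round-trip mismatch")
    return {"original": len(data), "byte_cached": len(tokens), "on_wire": len(on_the_wire)}


def make_sample() -> bytes:
    # Constructed sample: 40 report lines, 2200 bytes, no two 64-byte chunks alike.
    return b"".join(
        f"record {i:04d}: quarterly figures for region {i % 5} are stable\n".encode()
        for i in range(40)
    )


def demo():
    local, remote = ByteCacheEndpoint(), ByteCacheEndpoint()
    first = make_sample()
    second = first[:1000] + b"X" + first[1001:]   # the same file with one byte changed
    return transfer(local, remote, first), transfer(local, remote, second)


if __name__ == "__main__":
    print(demo())
```

Two behaviours show up in the sizes: the first transfer is slightly larger after byte caching than before (every chunk is a literal plus three bytes of framing), and only the gzip layer makes it smaller, while the second transfer of the same file with one changed byte collapses to 34 references and a single literal. Fixed-size chunks are the example's simplification; an insertion that shifts the data by a byte would defeat them, which is why production implementations use content-defined chunk boundaries. The decoder's "out of sync" check matters operationally: a reference the receiver cannot resolve means the two history caches have diverged (for example after a restart) and the link must fall back to literals.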

Page 59

MACH5 Techniques Work Together

Object Caching

• Caches repeated, static app-level data; reduces BW and latency

Byte Caching

• Caches any TCP application using similar/changed data; reduces BW

Compression

• Reduces amount of data transmitted; saves BW

Bandwidth Management

• Prioritize, limit, allocate, assign DiffServ, by user or application

Protocol Optimization

• Remove inefficiencies, reduce latency

Page 60

Object Caching

• Object caches are built on higher-level applications and protocols

– HTTP/Web caching

– Streaming caches

– CIFS cache

• Object cache advantages

– Fastest response times

– Offload work from servers

– Can be deployed asymmetrically

• Object cache disadvantages

– Works with a limited set of applications

– Works on a limited range of data inside applications

– All or nothing: no benefit if the whole object is not found or has changed

Page 61

Object vs. Byte Caching

                                    Object Caching                   Byte Cache
Proxy?                              HTTP(S), FTP, Streaming, CIFS    Built on TCP
Protocol Optimization Integration   X
Server Offload                      X
Network Offload                     X                                X
Incremental Updates                                                  X
No App Integration                                                   X
End User Performance                Best                             Good
Scope                               Focused                          Broad

Page 62

Products

Page 63

MACH5 Ships with Blue Coat SGOS 5

(Diagram: product range from Branch Office / Remote Offices to Enterprise Core / Corporate Headquarters: SG200 Series, SG400 Series, SG800 Series, SG8000 Series.)

• SG200 Series: GA April 2006

• Appliances start at US$1,995

Page 64

ProxyAV Appliances

(Diagram: performance scale from Remote Offices to Corporate Headquarters, with the 400-E Series at the low end and the 2000-E Series at the high end.)

Connected Users: up to 250 users; 100-2000 users; 1000-50,000+ users

WAN Bandwidth: sub 1.5Mbps; 1.5Mbps-45Mbps; 150Mbps+

Page 65

400-E1

• One model: 400-E1

• RAM: 512 MB

• CPU: 1.26GHz PIII

• Disk drive: 40 GB IDE

• Network interfaces: 2 on board, 10/100 Base-T Ethernet

• 19" rack-mountable

Page 66

Software

Reporter (SW): Advanced Java application to generate statistics from logs

Page 67

Licensed products

• Streaming: Real Networks, Microsoft, Quicktime

• Instant Messaging: MSN, Yahoo, AOL

• Optional Security (HW+SW bundle): SSL termination/proxy

Page 68

Licensed products

• Content filtering: Blue Coat Webfilter

• ICAP AV Scanner: ProxyAV (McAfee, Sophos, Panda, Kaspersky, Ahn Labs)

Page 69

The Power of the Proxy

Full Protocol Termination = Total Visibility & Context (HTTP, SSL, IM, Streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS)

Policy Control + Web Security + Accelerated Applications = Ultimate Control Point for Communications

Policy Control

• Fine-grained policy for applications, protocols, content & users (allow, deny, transform, etc.)

• Granular, flexible logging

• Authentication integration

Web Security

• Prevent spyware, malware & viruses

• Stop DoS attacks

• IE vulnerabilities, IM threats

Accelerated Applications

• Multiprotocol Accelerated Caching Hierarchy

• BW mgmt, compression, protocol optimization

• Byte & object caching

Page 70

Management

Page 71

Management

• User Interface

– HTTP (HTTPS), web GUI interface

– Telnet (Cisco CLI)

– SSH & serial console

– Java policy interface

– CPL, Policy Language

– SNMP MIB-II + traps

– Monitor network status and statistics

• Reporting tools

– Blue Coat Reporter

• Scalable management

– Centralized configuration management in Director

Page 72

Reporting (example)

18.2 % Spyware (gator)

16.5 % Aftonbladet

9.5 % Ads (in top 40)

6.8 % https (encrypted)

Pages 73 to 76: no text extracted.

Page 77

System-wide Management and Control

• Blue Coat Director

– Centralized configuration of Blue Coat appliances: set-up, policy, etc.

– Centralized monitoring: appliance health, application use, user experience

• Blue Coat Reporter

– Enterprise roll-up and analysis of application delivery information: appliances, application use, user experience

Both Director and Reporter are proven, with thousands of nodes under management…

Page 78

Director configuration management

(Diagram: Director, a “profile” system, production systems and a workstation.)

(1) Configure and test the “profile” system

(2) Snapshot the profile and save it on Director

(3) Create and edit overlays using the GUI or CLI

(4) Push profiles and overlays to one or more systems

Remotely and securely manage via GUI or CLI.

Configuration Management

• Configuration management

• Policy management

• Disaster protection, centrally

• Monitor and control

• Resource management

• Monitor network status and statistics

• Profile management

• Backup configuration

• Create overlays using GUI or CLI; automate changes

• License management

Page 79

Content Delivery Network

(Diagram: Content Owners, WWW Servers, Director, Edge Systems, Users.)

1 Content owners publish content to the WWW servers.

2 Tell Director about the new content.

3 Director tells the caches (edge systems) to update content.

4 Edge systems pull content from the origin servers.

5 Deliver the content to users.

Page 80

Director GUI

Page 81

K9: For free

If you want to protect your family with content filtering, Blue Coat is now giving it away. Read more at:

http://www.getk9.com/refer/Roger.Gotthardsson

Please send this link to anyone you want!