Page 1: Blue Coat Systems – Roger Gotthardsson, Sr. Systems Engineer, roger@bluecoat.com
Page 2: Agenda
• Company: Corporate data
• Solutions: Client Proxy Solution, Blue Coat Webfilter, SSL Proxy, Reverse Proxy, MACH5
• Products: ProxySG, ProxyAV, Director, Reporter; K9 (Blue Coat Webfilter at home for free)
Page 3: Company
Page 4: About Blue Coat
• Innovative leader in secure content & application delivery
– 500+ employees; $146M annual revenue run rate
– 25,000+ appliances shipped worldwide to more than 4,000 customers
– #1 (37%) market leader in Secure Content & Application Delivery (IDC)
• Founded in 1996 with a focus on Acceleration
– Accelerating Web applications…making Internet applications faster
– Innovative proxy caching appliance with object pipelining, adaptive content refresh
• Expanded in 2002 to include Policy Control & Security
– Rich policy framework integrated with performance engine for visibility and control of users, content and applications
• Visibility: Who, what, where, when, how
• Control: accelerate, deny, limit, scan, strip, transform…
Integrated Solution for Acceleration & Security
Page 5: About Blue Coat (Strategic Investments)
– March 1996: Scalable Software (HTTP and OS Kernel)
– September 1999: Invertex (SSL Hardware Encryption)
– June 2000: Springbank Networks (Hardware Design and Routing Protocols)
– December 2000: Entera (Streaming and Content Distribution)
– November 2003: Ositis (Virus scanning appliance)
– 2004: Cerberian (Content filtering)
– 2006: Permeo Technologies (SSL VPN & client security)
Integrated Solution for Acceleration & Security
Page 6: Client Proxy Solution
Page 7: Client Proxy (diagram)
Diagram: Clients – Client Proxy – Internet. Functions shown on the proxy: Caching, Antivirus, URL-Filtering, Logging, Authentication, Protocol optimization, BW management, Compression, Policy, Protocol detection, Byte Caching.
Page 8: Application proxy (diagram)
Diagram: Clients – application proxy – Internet. Application protocols proxied: AOL-IM, MSN-IM, Yahoo-IM, FTP, HTTP & HTTPS, Streaming, TCP-Tunnel, SOCKS, CIFS, MAPI, Telnet/Shell, DNS, P2P (.mp3, .xxx).
Page 9: How We Secure the Web
AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password.
Diagram: Internal Network (Intranet Web Server) – proxy – Public Internet (Public Web Server).
Page 10: Authentication sources (diagram)
Diagram: Clients – proxy – Internet. The proxy authenticates users against: List, On-box Database, LDAP Directory, X509/CA Client Certificate, AD (NT, W2000 or W2003 DC Directory), RADIUS Server, Netegrity SiteMinder Directory, Oblix Directory, Policy Substitution.
Page 11: How We Secure the Web (build, adds the next step)
Policy Processing Engine: All user web application requests are subjected to granular security policy
Page 12: How We Secure the Web (build, adds the next step)
Content Filtering: Requests for content are controlled using content filtering based on granular policy
Page 13: Content Filtering
• Organizations need to control what users are doing when accessing the internet to protect from legal liability and productivity risks
• Blue Coat and our partners enable enterprise-class content filtering
– Powerful granular user control using Blue Coat’s Policy Processing Engine
• By user, group, destination IP and/or URL, time of day, site, category, lots more
– Multiple logging and reporting options
– Integrates with all authentication (LDAP, RADIUS, NTLM, AD, 2-factor, etc.)
– Coaching, warnings, etc.
– High performance with integrated caching
– Drop-in appliance that is easy to deploy and manage
– De-facto industry content filtering platform
Page 14: Content filtering databases (diagram)
Diagram: Clients – proxy – Internet. Databases the proxy can use: Websense, Smartfilter, SurfControl, your own lists and exceptions, BlueCoat Webfilter, WebWasher, Proventia, Digital Arts, InterSafe, Optenet, DRTR, IWF.
Page 15: How We Secure the Web (build, adds the next step)
Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting.
Page 16: HTTP Compression
Diagram: Remote Office (Edge ProxySG) – Enterprise/Internet – HQ Office (Core ProxySG, Original Content Server); each hop may carry compressed or uncompressed content.
ProxySG can support a mixed mode of HTTP compression operation
Original Content Server (OCS) or Core ProxySG can send either compressed or uncompressed content to an edge or core ProxySG using the GZIP or Deflate algorithms
Page 17: Bandwidth Management (BWM)
OBJECTIVE
Classify, control and limit the amount of bandwidth used by a class of network traffic
BENEFITS
Protect performance of mission critical applications
• SAP, ERP apps
Prevent bandwidth greedy applications from impacting other applications
• P2P
Provision bandwidth for applications that require a per-session amount of bandwidth
• Streaming
Balance necessary and important, bandwidth intensive, applications
• HTTP, IM
Page 18: How We Secure the Web (build, adds the next step)
Web Virus scanning: Potentially harmful content entering network via HTTP, HTTPS and FTP is stripped or scanned by ProxyAV.
Page 19: Virus, Code & Script scanning (diagram)
Diagram: Clients – proxy – Internet. Scanning is done by ProxyAV or by other ICAP servers: Sophos, Panda, McAfee, Kaspersky.
Page 20: ProxyAV
ProxySG & ProxyAV: Large Enterprise/Network Core: Scan once, serve many (cache benefit)
Diagram: Internal Network – ProxySG + ProxyAV – Internet.
• Virus scans HTTP, FTP with caching benefit
• ProxySG load balances
• Purpose-built appliances for speed
• “Scan once, serve many” to increase performance
• High-availability & load-balancing
• Purpose built operating systems
Page 21: How We Secure the Web (build, adds the next step)
Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV.
Spyware: Prevention is better than a cure.
Page 22: BlueCoat Spyware Prevention Solution
• Stops spyware installations
– Detect drive-by installers
• Blocks spyware websites
– On-Proxy URL categorization
• Scans for spyware signatures
– High-performance Web AV
• Detects suspect systems
– Forward to cleansing agent
Diagram: Internal Network – ProxySG + ProxyAV – Internet.
Page 23: How We Secure the Web (build, adds the next step)
IM Traffic Control: IM traffic is subjected to policies and is logged
Page 24: IM Control with Blue Coat ProxySG
• Granular IM policy control
– By enterprise, group or user level
– Control by IM feature (IM only, chat, attachments, video, etc.), internal or external IM, time of day, etc.
– Control options include deny connection, strip attachment, log chat (including attachment)
– Key word actions include send alert to IT or manager, log, strip, send warning message to user
• Drop-in appliance for IM control that is easy to deploy and manage
Page 25: How We Secure the Web (build, adds the next step)
Caching: Acceptable, clean content is stored in cache and delivered to requestor.
Page 26: Streaming acceleration
• Streaming
– Microsoft Streaming & Native RTSP
– Live Stream split, VOD Stream cache
– Rich Streaming features, Unicast-Multicast
– Scheduling live streaming from VOD
• Enhancements
– Store, cache & distribute Video On Demand
– Schedule VOD content to be played as Live Content
– Convert between Multicast-Unicast
– Authenticate streaming users to NTLM, LDAP, RADIUS + on-box
Page 27: How We Secure the Web (build, adds the next step)
Reporting: All browser, streaming, IM & virus activity can be reported using Bluecoat's highly configurable Reporter.
Page 28: Reporter
Page 29: Blue Coat Webfilter
Page 30: The Internet
The internet today consists of 350 million webservers.
A large amount of these contain information you don’t want in your organisation.
A clever solution would be to use Content Filtering.
BlueCoat now introduces Generation 3 of content filtering, BlueCoat Webfilter.
(Chart: 350 Million)
Page 31: Generation 1
The first generation of content filters consisted of static, manually managed lists of popular pornographic and unproductive websites. Very often retrieved from access logs, popular bad sites were banned.
The intended purpose was to save bandwidth and warn users that inappropriate behaviour was logged.
People got together and distributed their lists as free lists compatible with proxies such as Squid.
The distributed lists were in the size of a million URLs.
(Chart: 349 Million / 1 Million)
Page 32: Generation 2
(Chart: 335 Million / 15 Million)
Corporations realised they could make money off a list and started to collect lists and logs from the web, manually rating these on a larger scale. More categories were added to increase value. The systems started to collect URLs automatically and download new lists periodically, some of them even many times every day.
Special categories were added for static security threats placed on known webservers (spyware, phishing etc.). Other than bad sites, categories such as Economy, Business, News etc. were added to present statistics of Internet usage.
Page 33: Generation 2 (continued)
(Chart: 335 Million / 15 Million)
The number of URLs was in the range of 10-20 million. Hit rates presented by log systems were in the range of 50-80%. Regular expressions on URLs and other tricks sometimes gave a false picture of a rating rate over 90%. But in fact less than 5% of the Internet was covered.
Page 34: Generation 3
(Chart: 335 Million / 15 Million)
The dynamics of the internet and new security risks called for a new way of categorizing the Internet. Dynamic rating of uncategorized websites can today rate most websites; the ones that are impossible to rate can be stripped down to present only HTML and images to reduce risk.
The static URL database is constantly updated like any Generation 2 filter. This database is cached in some systems (ProxySG) to increase performance. The rest (95%) of the Internet is categorised using dynamic rating.
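The following is an added example, not code from the slides or from Blue Coat, showing how the pieces on pages 13 and 34 fit together in a web-access policy: a cached static URL database is consulted first, anything uncategorized is rated dynamically (here a keyword toy stands in for a real page classifier) and cached, and the resulting category is fed to a first-match policy keyed on user group, category and time of day. The "strip-active-content" action models the page-34 fallback for sites that cannot be rated. All hosts, categories, keywords and rules are constructed; the function names are hypothetical.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed static URL database (the Generation 2 part): host -> category.
STATIC_DB = {
    "news.example": "News",
    "casino.example": "Gambling",
    "updates.example": "Software Updates",
}

# Constructed keyword lists for the toy dynamic rater (stand-in for a real
# classifier that rates an uncategorized site from its content).
DYNAMIC_KEYWORDS = {
    "Gambling": ("poker", "casino", "bet"),
    "Adult": ("xxx",),
    "Business": ("invoice", "quarterly"),
}

_rating_cache = {}   # host -> category, so a site is rated once, not per request

# Constructed timestamps used by the usage below.
EXAMPLE_MORNING = datetime(2024, 1, 15, 9, 30)
EXAMPLE_LUNCH = datetime(2024, 1, 15, 12, 30)


def dynamic_rate(page_text):
    """Toy dynamic rating: pick the first category whose keywords appear."""
    text = page_text.lower()
    for category, words in DYNAMIC_KEYWORDS.items():
        if any(w in text for w in words):
            return category
    return "Uncategorized"


def categorize(url, page_text=""):
    """Static list first (cheap, cached on the proxy); dynamic rating for the rest."""
    host = urlsplit(url).hostname or ""
    if host in STATIC_DB:
        return STATIC_DB[host]
    if host not in _rating_cache:
        _rating_cache[host] = dynamic_rate(page_text)
    return _rating_cache[host]


# Constructed policy, evaluated top-down; the first matching rule wins.
# Rule fields: required groups (None = any), categories (None = any),
# hour window [start, end) (None = always), action.
RULES = [
    ({"it-admins"}, None, None, "allow"),
    (None, {"Gambling", "Adult"}, None, "deny"),
    (None, {"Uncategorized"}, None, "strip-active-content"),  # HTML and images only
    (None, {"News"}, (12, 13), "allow"),   # news allowed over lunch
    (None, {"News"}, None, "coach"),       # otherwise warn, then let the user proceed
    (None, None, None, "allow"),
]


def decide(user_groups, url, when, page_text=""):
    """Return (action, category) for one request."""
    category = categorize(url, page_text)
    for groups, cats, hours, action in RULES:
        if groups is not None and not set(user_groups) & groups:
            continue
        if cats is not None and category not in cats:
            continue
        if hours is not None and not hours[0] <= when.hour < hours[1]:
            continue
        return action, category
    return "deny", category   # nothing matched: fail closed


if __name__ == "__main__":
    print(decide(["staff"], "http://casino.example/lobby", EXAMPLE_MORNING))
    print(decide(["staff"], "http://blog.example/post", EXAMPLE_MORNING, "Quarterly invoice summary"))
    print(decide(["staff"], "http://blog.example/post", EXAMPLE_MORNING))  # served from the rating cache
```

The order of the rules is the policy: an admin bypass sits above the category denies, the unrated fallback sits above the permissive default, and a request that matches nothing is denied rather than allowed. The rating cache is what makes dynamic rating affordable on a proxy, and it is also why a wrong rating persists until the cache entry is refreshed.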
Page 35: Dynamic Real Time Rating (diagram)
Diagram: Customer side: Clients – Servers – G2 (44µs). BlueCoat side: RS, DXD, HRDBR, DRTR, language detection (language 1, language 2, … language n) handing off to background rating. Internet.
* The picture is simplified, all systems are redundant.
Page 36: SSL Proxy
Page 37: SSL Proxy: Policy Enforcement
Diagram: User – Internal Network – proxy (Policy) – Internet – Apps; SSL on both legs.
• Control web content, applications, and services…regardless of encryption
– Block, allow, throttle, scan, accelerate, insert, strip, redirect, transform …
– Apply the same policies to encrypted traffic as to normal traffic
– Stops/controls rogue applications that take advantage of SSL
• Protect the enterprise from SSL-borne threats
– Stop spyware and secured phishing
– SSL-secured webmail and extranets – virus transmissions
– SSL-borne malicious and inappropriate content
• Accelerate critical applications
– Enables a variety of acceleration techniques (e.g., caching)
Page 38: Blue Coat: Visibility and Context (diagram)
Diagram: Client – Proxy – Server, with two handshakes.
Server-Proxy Connection:
– Proxy: Algorithms I support. Connection Request.
– Server: Use this algorithm. Server’s digital certificate.
– Proxy: Verify certificate and extract server’s public key.
– Complete Authentication.
– Tunnel Established.
Client-Proxy Connection:
– Client: Algorithms I support. Connection Request.
– Proxy: Let’s use this algorithm. Emulated certificate.
– Client: Verify certificate and extract (proxy’s) public key.
– Complete Authentication.
– Tunnel Established.
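An added example, not from the slides or from Blue Coat, that models the two-leg handshake above: the proxy verifies the origin's certificate on the server-proxy leg and then presents the client an emulated certificate with the same subject name, its own key, and a signature from the proxy CA. The point for a defender is what the client sees: an endpoint that does not trust the proxy CA gets a certificate error, a managed endpoint that trusts it accepts the emulated certificate, and an application that pins the origin's public key detects the interception even when the proxy CA is trusted. HMAC keyed by the CA's secret stands in for a real RSA/ECDSA signature, and all CA names, hostnames and keys are constructed.

```python
import hashlib
import hmac


class ToyCA:
    """Stand-in for a certificate authority. A real CA signs with RSA/ECDSA;
    here an HMAC keyed by the CA's secret plays the role of the signature."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret

    @staticmethod
    def _tbs(cert):
        # The "to-be-signed" part: subject name and public-key fingerprint.
        return f"{cert['subject']}|{cert['spki']}".encode()

    def sign(self, subject, public_key):
        cert = {"subject": subject,
                "spki": hashlib.sha256(public_key).hexdigest(),
                "issuer": self.name}
        cert["sig"] = hmac.new(self._secret, self._tbs(cert), hashlib.sha256).hexdigest()
        return cert

    def verify(self, cert):
        expected = hmac.new(self._secret, self._tbs(cert), hashlib.sha256).hexdigest()
        return cert["issuer"] == self.name and hmac.compare_digest(cert["sig"], expected)


# Constructed parties and keys (all names hypothetical).
PUBLIC_CA = ToyCA("Public Root CA", b"public-root-secret")
PROXY_CA = ToyCA("Corp ProxySG CA", b"proxy-ca-secret")
ORIGIN_KEY = b"origin-server-public-key"
PROXY_KEY = b"proxy-leaf-public-key"
ORIGIN_CERT = PUBLIC_CA.sign("bank.example", ORIGIN_KEY)


def verify_chain(cert, host, trust_store, pinned_spki=None):
    """Client-side check: issuer in the trust store and signature good, name
    matches, and (optionally) the public-key fingerprint matches a pin."""
    issuer = next((ca for ca in trust_store if ca.name == cert["issuer"]), None)
    if issuer is None or not issuer.verify(cert):
        return "untrusted-issuer"
    if cert["subject"] != host:
        return "name-mismatch"
    if pinned_spki is not None and cert["spki"] != pinned_spki:
        return "pin-mismatch"
    return "ok"


def proxy_intercept(host, origin_cert, proxy_trust):
    """Server-proxy leg: the proxy verifies the origin's certificate itself.
    Client-proxy leg: it hands the client an emulated certificate with the
    same subject but the proxy's own key, signed by the proxy CA."""
    status = verify_chain(origin_cert, host, proxy_trust)
    if status != "ok":
        raise ValueError(f"origin certificate rejected: {status}")
    return PROXY_CA.sign(origin_cert["subject"], PROXY_KEY)


if __name__ == "__main__":
    emulated = proxy_intercept("bank.example", ORIGIN_CERT, [PUBLIC_CA])
    print("unmanaged client:", verify_chain(emulated, "bank.example", [PUBLIC_CA]))
    print("managed client:  ", verify_chain(emulated, "bank.example", [PUBLIC_CA, PROXY_CA]))
    print("pinned app:      ", verify_chain(emulated, "bank.example",
                                           [PUBLIC_CA, PROXY_CA], ORIGIN_CERT["spki"]))
```

Two operational consequences follow from the model. The proxy's own verification on the server leg is the only certificate check the user still gets, so the proxy's trust store and revocation handling must be at least as strict as the browser's. And applications that pin keys (the "Option 1" pass-through cases on the following slides) will fail under interception, which is the usual reason for exempting them.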
Page 39: Flexible Configurations (Control Option 1: pass-through)
Diagram: User – proxy (TCP only) – Internet – Apps; SSL runs end-to-end between user and application.
• Trusted applications passed through
– Sensitive, known, financial or health care
• No cache, no visibility
• Awareness of network-level information only
Page 40: Flexible Configurations (Control Option 2: check, then pass through)
Diagram: User – proxy (TCP) – Internet – Apps; SSL between user and application.
• Initial checks performed
– Valid user, valid application
– Valid server cert
• User/application traffic passed through after initial checks
• No cache
• Visibility and context of network-level info, certificates, user, and applications
• Can warn user, remind of AUP, and offer opt-out
Page 41: Flexible Configurations (Control Option 3: full termination/proxy)
Diagram: User – SSL – proxy – SSL – Internet – Apps; TCP and SSL terminated on both sides of the proxy.
• Initial checks performed
– Valid user, valid application
– Valid server cert
• User/application traffic proxied after initial checks
• Full caching and logging options
• Visibility and context of network-level info, certificates, user, applications, content, etc.
– Full termination/proxy
• Can warn user, remind of AUP, and offer opt-out
Page 42: Reverse Proxy
Page 43: Reverse Proxy (diagram)
Diagram: Clients – Internet – Reverse Proxy – Servers. Functions shown on the proxy: Caching, AV, SSL/Certificate, Authentication, Logging, Policy, URL-rewrite.
Page 44: Reverse Proxy: Secure & Accelerate Web Applications
ACCELERATES Web Content
• Intelligent caching
• Compression and bandwidth mgt.
• TCP & SSL offload
PROTECTS Web Servers
• Secure, object-based OS
• Controls access to web apps
• Web AV scanning
SIMPLIFIES Operations
• Scalable, optimized appliance
• Easy policy creation & management
• Complete logging & reporting
Diagram: Users – Public Internet – Firewall – ProxySG – Internal Network – Web Servers.
Page 45: HTTPS Termination
• HTTPS Termination (Client–ProxySG)
– Off-load secure website or portal
• HTTPS Origination (ProxySG–Server)
– Secure channel to content server for clients
• Man-in-the-Middle (Termination & Origination)
– Allows caching, policy and virus scanning
• Secure credential acquisition
• SSL Hardware Acceleration Cards
– 800 RSA transactions per second per card
– SSL v2.0, v3.0, and TLS v1 support
• Off-load web application servers to improve performance
Page 46: Example Scenarios for Reverse Proxy
• Secure and Accelerate Public Websites
– Improves content delivery with integrated caching
– Services legitimate users while resisting DoS attacks
– High-performance SSL
• Secure Corporate Webmail
– Securely isolates Web servers from direct Internet access
– Proxy authentication for additional layer of protection
– Plug-n-play SSL
• Scanning Uploaded Files for Viruses
– Simple integration with ProxyAV™
– Real-time scanning of uploaded content
– Protects Web infrastructure from malware
Page 47: Accelerate Applications – All Users – All Locations
Page 48: Recipe for Branch Performance Problems
Server Consolidation
+ Increased application traffic
+ Narrow bandwidth links
+ Highly distributed users
+ Inefficient application protocols
== Poor Application Performance
Page 49: Complete Solution Requires More
Minimum for Application Acceleration:
• Optimize use of existing WAN bandwidth
• Reduce latency associated with applications
• Improve the efficiency of application protocols
• Prioritize the applications that matter most
• Re-use and compress data where possible
• Accelerate File Sharing, Email, and browser-based enterprise applications
Page 50: Platform for Application Acceleration
Multiprotocol Accelerated Caching Hierarchy: Bandwidth Management, Protocol Optimization, Object Caching, Byte Caching, Compression
Applications covered: File Services (CIFS), Web (HTTP), Exchange (MAPI), Video/Streaming (RTSP, MMS), Secure Web (SSL)
Page 51: New Requirement: SSL Acceleration
• Nearly 50% of all corporate Web application traffic is SSL
• 70% of all mobile and teleworkers use SSL for secure application delivery
• 68% of Blue Coat customers depend on externally hosted Web applications
(Chart: SSL Traffic, Internally Hosted Apps vs Externally Hosted Apps: More and More SSL…)
Source: Blue Coat Customer Surveys
Page 52: New Requirement: Video Acceleration
• Enterprise users becoming more distributed
– Mobile, teleworker, and branch/remote offices
– Regulatory and cost drivers
• Remote employee training becoming a necessity
– Live (streaming) and on-demand video
• Performance quality becoming a requirement
– Network and application issues must be addressed
– Control and acceleration of video is needed
Page 53: Bandwidth Management
• Divide user and application traffic into classes
• Guarantee min and/or max bandwidth for a class
• Align traffic classes to business priorities
Example classes:
– Sales Automation App: Priority 1, Min 400Kb, Max 800Kb
– E-Mail: Priority 2, Min 100Kb, Max 400Kb
– File Services: Priority 3, Min 400Kb, Max 800Kb
– General Web Surfing: Priority 4, Min 0Kb, Max 200Kb
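An added example, not from the slides or from Blue Coat's scheduler, that turns the four classes above into an allocation: every class first receives its guaranteed minimum (or less, if it is not demanding that much), and whatever the link has left is handed out in priority order, each class stopping at its maximum. The priorities, minimums and maximums are the slide's; the per-class demands, the link sizes and the function names are constructed.

```python
from dataclasses import dataclass


@dataclass
class TrafficClass:
    name: str
    priority: int    # 1 = most important
    min_kb: int      # guaranteed rate in Kb/s
    max_kb: int      # cap in Kb/s
    demand_kb: int   # what the class currently wants to send (constructed)


# Priorities, minimums and maximums from the slide; demands are constructed.
CLASSES = [
    TrafficClass("Sales Automation App", 1, 400, 800, 1000),
    TrafficClass("E-Mail", 2, 100, 400, 300),
    TrafficClass("File Services", 3, 400, 800, 1000),
    TrafficClass("General Web Surfing", 4, 0, 200, 1000),
]


def allocate(classes, link_kb):
    """Two passes: every class gets its guaranteed minimum (or its demand, if
    lower); the remainder goes to classes in priority order, each capped at
    its maximum. Returns (allocation per class in Kb/s, unallocated Kb/s)."""
    if sum(c.min_kb for c in classes) > link_kb:
        raise ValueError("minimum guarantees exceed link capacity")
    alloc = {c.name: min(c.min_kb, c.demand_kb) for c in classes}
    remaining = link_kb - sum(alloc.values())
    for c in sorted(classes, key=lambda c: c.priority):
        wanted = min(c.max_kb, c.demand_kb) - alloc[c.name]
        extra = max(0, min(wanted, remaining))
        alloc[c.name] += extra
        remaining -= extra
    return alloc, remaining


if __name__ == "__main__":
    for link in (1500, 2000, 3000):
        alloc, spare = allocate(CLASSES, link)
        print(f"{link} Kb/s link:", alloc, f"spare={spare}")
```

On a 1500 Kb/s link the sales application reaches its 800 Kb/s cap, e-mail gets the 300 Kb/s it asked for, file services are held at their 400 Kb/s guarantee and web surfing gets nothing; web surfing only receives bandwidth once every higher-priority class is capped or satisfied. The guard at the top matters in configuration review: if the minimums add up to more than the link, the guarantees cannot all be honoured and the policy is wrong, not the scheduler.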
Page 54: Protocol Optimization
Page 55: Protocol Optimization
10-100X Faster
Includes CIFS, MAPI, HTTP, HTTPS, TCP
Page 56: Object Caching
• Built on high-level applications and protocols
– HTTP/Web caching
– Streaming caches
– CIFS cache
• Advantages
– Fastest response times
– Offload work from servers (and networks)
– Can be deployed asymmetrically
• Limitations
– Application-specific
– All or nothing: No benefit if whole object not found or changed
![Page 57: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/57.jpg)
Byte Caching
Diagram: a byte stream crosses the WAN Link between the Local LAN and the Remote LAN; sequences already held in the history caches are replaced on the wire by small references ([R1], [R2], [R3]) instead of the original bits.

• Proxies keep a history of all bytes sent and received (Local History Cache / Remote History Cache)
• Sequences are found in the local history cache
• They are transmitted as small references over the WAN
• The original stream is reconstructed using the remote history cache
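The byte-caching exchange described on this slide, as an added toy example (not Blue Coat's code; MACH5's real chunking, reference format and cache protocol are not given here): a sending proxy replaces chunks already in its history with short references, and a receiving proxy rebuilds the stream from its own synchronized history, refusing to guess when it sees a reference it has never received. Fixed 32-byte chunks, 8-byte references, the one-tag-byte wire cost and the 1024-byte sample file are all assumptions.

```python
import hashlib
from typing import Dict, List, Tuple, Union

CHUNK = 32    # fixed-size chunks for illustration; real byte caches use content-defined boundaries
REF_LEN = 8   # bytes of digest sent over the WAN instead of the chunk itself (assumed)
Token = Union[bytes, Tuple[str, bytes]]   # a literal chunk, or ("ref", short digest)
HistoryCache = Dict[bytes, bytes]         # digest -> chunk; one per proxy, kept in step

def digest(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()[:REF_LEN]

def encode(stream: bytes, local: HistoryCache) -> List[Token]:
    """Sending proxy: replace each chunk already in its history with a reference."""
    tokens: List[Token] = []
    for i in range(0, len(stream), CHUNK):
        chunk = stream[i:i + CHUNK]
        d = digest(chunk)
        if d in local:
            tokens.append(("ref", d))
        else:
            local[d] = chunk
            tokens.append(chunk)
    return tokens

def decode(tokens: List[Token], remote: HistoryCache) -> bytes:
    """Receiving proxy: rebuild the stream; an unknown reference means the two
    histories diverged (or were tampered with), so raise KeyError, never guess."""
    out: List[bytes] = []
    for t in tokens:
        if isinstance(t, tuple):
            out.append(remote[t[1]])
        else:
            remote[digest(t)] = t
            out.append(t)
    return b"".join(out)

def wire_bytes(tokens: List[Token]) -> int:
    """WAN cost: one tag byte plus either the reference or the literal chunk."""
    return sum(1 + (REF_LEN if isinstance(t, tuple) else len(t)) for t in tokens)

def demo() -> Tuple[int, int, bool]:
    """Send a constructed 1024-byte file, then the same file with one byte edited."""
    local, remote = {}, {}
    v1 = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
    v2 = v1[:500] + bytes([v1[500] ^ 0xFF]) + v1[501:]
    first = encode(v1, local)
    decode(first, remote)
    second = encode(v2, local)
    return wire_bytes(first), wire_bytes(second), decode(second, remote) == v2
```

The second transfer costs roughly a third of the first because only the edited chunk travels as literal bytes, which is the incremental-update advantage over an all-or-nothing object cache.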
![Page 58: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/58.jpg)
Compression
Diagram: the same bit stream shown before and after COMPRESSION, shorter on the wire.
• Industry-standard gzip algorithm compresses all traffic
• Removes predictable “white space” from content and objects being transmitted
![Page 59: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/59.jpg)
MACH5 Techniques Work Together
• Object Caching: Caches repeated, static app-level data; reduces BW and latency
• Byte Caching: Caches any TCP application using similar/changed data; reduces BW
• Compression: Reduces amount of data transmitted; saves BW
• Bandwidth Management: Prioritize, limit, allocate, assign DiffServ – by user or application
• Protocol Optimization: Remove inefficiencies, reduce latency
![Page 60: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/60.jpg)
Object Caching
• Object caches are built on higher level applications and protocols
  – HTTP/Web caching
  – Streaming caches
  – CIFS cache
• Object cache advantages
  – Fastest response times
  – Offload work from servers
  – Can be deployed asymmetrically
• Object cache disadvantages
  – Works with limited set of applications
  – Works on limited range of data inside applications
  – All or nothing: No benefit if whole object not found or changed
![Page 61: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/61.jpg)
Object vs. Byte Caching
|                                   | Object Caching                 | Byte Cache   |
|-----------------------------------|--------------------------------|--------------|
| Proxy?                            | HTTP(S), FTP, Streaming, CIFS  | Built on TCP |
| Protocol Optimization Integration | X                              |              |
| Server Offload                    | X                              |              |
| Network Offload                   | X                              | X            |
| Incremental Updates               |                                | X            |
| No App Integration                |                                | X            |
| End User Performance              | Best                           | Good         |
| Scope                             | Focused                        | Broad        |
![Page 62: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/62.jpg)
Products
![Page 63: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/63.jpg)
MACH5 Ships with Blue Coat SGOS 5
Diagram (product sizing from Branch Office / Remote Offices to Enterprise Core / Corporate Headquarters): SG200 Series, SG400 Series, SG800 Series, SG8000 Series.
SG200 Series
• GA April 2006
• Appliances start at US$1,995
![Page 64: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/64.jpg)
ProxyAV Appliances
Diagram (sizing from Remote Offices to Corporate Headquarters): 400-E Series up to 2000-E Series, plotted against Performance.
• Connected Users: up to 250 / 100-2000 / 1000-50,000+ users
• WAN Bandwidth: sub 1.5Mbps / 1.5Mbps-45Mbps / 150Mbps+
![Page 65: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/65.jpg)
400-E1
• One Model: 400-E1
• RAM: 512 MB
• CPU: 1.26GHz PIII
• Disk drive 40 GB IDE
• Network Interfaces (2 on board) 10/100 Base-T Ethernet
• 19" Rack-mountable
![Page 66: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/66.jpg)
Software
• Reporter (SW): Advanced Java application to generate statistics from logs
![Page 67: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/67.jpg)
Licensed products
• Streaming: Real Networks, Microsoft, Quicktime
• Instant Messaging: MSN, Yahoo, AOL
• Optional Security (HW+SW bundle): SSL termination/proxy
![Page 68: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/68.jpg)
Licensed products
• Content filtering: Blue Coat Webfilter
• ICAP AV Scanner: ProxyAV (McAfee, Sophos, Panda, Kaspersky, Ahn Labs)
![Page 69: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/69.jpg)
The Power of the Proxy
Full Protocol Termination = Total Visibility & Context (HTTP, SSL, IM, Streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS)

Policy Control
• Fine-grained policy for applications, protocols, content & users (allow, deny, transform, etc)
• Granular, flexible logging
• Authentication integration
+
Web Security
• Prevent spyware, malware & viruses
• Stop DoS attacks
• IE vulnerabilities, IM threats
+
Accelerated Applications
• Multiprotocol Accelerated Caching Hierarchy
• BW mgmt, compression, protocol optimization
• Byte & object caching

Ultimate Control Point for Communications
![Page 70: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/70.jpg)
Management
![Page 71: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/71.jpg)
Management
• User Interface
  – HTTP (HTTPS), web GUI Interface
  – Telnet (Cisco CLI)
  – SSH & Serial console
  – Java Policy interface
  – CPL, Policy Language
  – SNMP MIBII + Traps
  – Monitor network status and statistics
• Reporting tools
  – Blue Coat Reporter
• Scalable management
  – Centralized configuration management in Director
![Page 72: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/72.jpg)
Reporting (example)
• 18.2 % Spyware (gator)
• 16.5 % Aftonbladet
• 9.5 % Ad’s (in top 40)
• 6.8 % https (encrypted)
![Page 77: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/77.jpg)
System-wide Management and Control
• Blue Coat Director
  – Centralized configuration of Blue Coat appliances – set up, policy, etc
  – Centralized monitoring – appliance health, application use, user experience
• Blue Coat Reporter
  – Enterprise roll-up and analysis of application delivery information: appliances, application use, user experience
Both Director and Reporter are proven, with thousands of nodes under management…
![Page 78: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/78.jpg)
Director Configuration Management
Diagram: Director, a “profile” system, production systems and a work-station, remotely and securely managed via GUI or CLI.
(1) Configure and test “profile” system
(2) Snapshot profile and save on Director
(3) Create and edit overlays using GUI or CLI.
(4) Push profiles and overlays to one or more systems
• Configuration Management
• Policy Management
• Disaster protection centrally
• Monitor and control
• Resource Management
• Monitor network status and statistics
• Profile Management
• Backup configuration
• Create overlays using GUI or CLI. Automate changes
• License Management
![Page 79: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/79.jpg)
Content Delivery Network
Diagram: Content Owners, WWW Servers, Director, Edge Systems, Users.
1 Publish content
2 Tell Director about new content
3 Tell caches to update content
4 Pull content from origin servers.
5 Deliver the content.
![Page 80: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/80.jpg)
Director GUI
![Page 81: Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com.](https://reader036.fdocuments.in/reader036/viewer/2022062407/56649de85503460f94ae287c/html5/thumbnails/81.jpg)
K9 – For free
If you want to protect your family with Content Filtering, Blue Coat is now giving it away; read more at:
http://www.getk9.com/refer/Roger.Gotthardsson
Please send this link to anyone you want !!!!