Slide 1: SSL Proxy and SSL VPN from Blue Coat Systems
Technology Day at eXecure AG, 31 January 2007
Michael Hartmann, Territory Sales Director DACH & EE, Blue Coat Systems GmbH
Notes: Blue Coat Corporate Overview presentation. Dated Sept 3, 2003.
Slide 2: "The Power of the Proxy"
CONTROL: comprehensive policies for applications, protocols, content and users; granular logging; flexible authentication.
+ ACCELERATE: Multiprotocol Accelerated Caching Hierarchy (MACH); bandwidth management, compression, protocol optimization; byte, object and predictive caching.
+ PROTECT: detects spyware, malware and viruses; stops DoS attacks; shields vulnerabilities in IE, IM etc.
Protocol termination = full control over all content: HTTP, SSL, IM, streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS, TCP.
A central point of control for enterprise communication.
Notes: anecdotes (USAF, Saudi).
Slide 3: The various "roles" of the proxy
Diagram: Internet, customers, partners, employees; forward proxy, reverse proxy, file access proxy / RA, data center proxy / MACH5; web, streaming, Exchange, IM, P2P, TCP, network; centralized policy and reporting.
Notes: So coming full circle: we outlined what issues have driven the development of the Application Delivery Infrastructure and what business factors are driving IT projects. Therefore any true solution needs to be inclusive of: the breadth of applications (web / file / exchange / streaming / TCP, etc.) and the fact that the Internet is both friend and foe. Only Blue Coat can provide a breadth of price/performance proxy appliances that provide the key 'application performance' services and incorporate critical controls to assure both business and casual use is aligned with resources and policy. One vendor, one OS, one management platform, etc. (NOTE: the framework on the side shows the circle around all of the columns / rows.)
Slide 5: Like many users, the first stop after logging on is the Internet...
Screen (10:45): Start menu entry "Internet Explorer: Start browser. Finds and displays information and websites on the Internet."
Notes: Notice Bob likes to personalize his work environment (this is a picture of the sunset from his backyard), and not surprisingly, he likes to do a lot of personal activities while at work. Like many users, the first stop after logging on is the Internet. Bob doesn't waste any time and fires up his browser.
Slide 6: Screen (10:46): Microsoft Corporation – Microsoft Internet Explorer
Notes: Bob visits Yahoo as his default home page, but before the Yahoo page is delivered, Bob notices something new. [MOUSE CLICK]
Slide 7: Internet Use – Employee Agreement
Screen: "Edge Corp new AUP - Microsoft Internet Explorer". Internet Use – Employee Agreement. You are logged in as: Bob Kent. Please note our Internet usage policy. Edge Corp. is entitled to monitor and log all Internet traffic for security reasons. This also applies to SSL-encrypted traffic. Click here to accept. If you do not agree, click here.
Notes: Today, something new has happened. Bob's employer, Edge Corp., has just deployed Blue Coat ProxySG at their Internet gateway to provide visibility, control and acceleration. Bob is identified by name and asked to acknowledge Edge Corp's Acceptable Use Policy. [MOUSE CLICK] Bob is not a patient fellow, so he just accepts and moves on.
Slide 8: Screen: Gmail – Secure email from Google - Microsoft Internet Explorer, https://gmail.goole.com/inbox/28677$ /show.do
Notes: Notice that Gmail is SSL encrypted. Bob quickly logs in and sees a couple of new messages he's curious about. He opens the first message, which has an attachment. [MOUSE CLICK]
Slide 9: Bob Kent, this is your IT department...
Screen: Gmail – Secure from Google - Microsoft Internet Explorer, https://gmail.goole.com/inbox/28677$ /attch-dload.do. "Bob Kent, this is your IT department. A virus was found while checking your download, so the file has been deleted."
Notes: [MOUSE CLICK] Bob tries to download the attachment, but it has a virus. Even though this Gmail session was inside an encrypted SSL tunnel, Blue Coat's ProxySG was able to decrypt the tunnel at the gateway and allow Blue Coat's ProxyAV to scan for and block viruses. Bob decides to look at the other message he's received. [MOUSE CLICK]
Slide 10: Notes: This tells Bob he needs to update the corporate credit card information on the PayPal account Edge Corp uses for some online purchases. [MOUSE CLICK] Bob clicks on the provided link. [MOUSE CLICK]
Slide 11: Bob Kent, you attempted to send data to...
Screen: Paypa1 - Login - Microsoft Internet Explorer, https://www.paypa1.com/PayPal%20-%20Welcome.htm. "Bob Kent, you attempted to send data to … . This page is very likely a phishing page, so the transfer has been stopped." Password field: *******
Notes: Which takes him to what appears to be his usual PayPal login page. There's a little padlock on the toolbar, and the URL starts with "HTTPS", which suggests this is a secure web site. Bob begins to log in. [MOUSE CLICK] However, ProxySG recognizes the signs of a phishing site and steps in to protect Edge Corp's private information and alert Bob. Bob feels foolish for having almost fallen for a phishing attack. [MOUSE CLICK]
Slide 12: This is a message from your IT department
Screen: Microsoft Internet Explorer. "Hello Bob Kent. This is a message from your IT department. An attempt was made to download spyware onto your computer. This infection was prevented."
Slide 13: Screen (10:45): *******
Notes: [MOUSE CLICK] Bob clicks on Skype to call his best friend Fred out of state. For those of you who don't know, Skype is a free, video-capable, P2P Internet phone that uses a proprietary encrypted protocol and sometimes turns individual users into "super nodes" to relay many other Skype users' calls. There are more than 200 million Skype users. [MOUSE CLICK] Bob won't be calling any of them today though, because Edge Corp uses ProxySG to block unauthorized Internet applications like Skype. Edge Corp conserves bandwidth very effectively this way. If Bob needs to use Skype for his job, he or a select group can be allowed to use Skype by ProxySG.
Slide 14: Maybe I should get some work done...
Screen: 15:06
Notes: It has been an interesting day so far for Bob; his only option is to get back to work.
Slide 16: The various "roles" of the proxy (divider slide; diagram and notes repeat slide 3)
Slide 17: Secure Reverse Proxy
Diagram: internal network, ProxySG family, public Internet.
Higher performance through caching; hardware-based SSL offload; user authentication; URL rewriting; virus scanning for upstream content; DoS protection; HTTP/HTTPS request validation.
Slide 18: SSL Termination
ProxySG SSL termination with an SSL hardware card: 800 new sessions/second; SSLv2, v3 and TLSv1 support. An HTTPS connection is established between users and ProxySG; an HTTP or HTTPS connection is then established between ProxySG and the web servers. User authentication/authorization; caching.
Diagram: Internet (HTTPS) -> ProxySG -> internal network (HTTP).
Slide 19: User Control
ProxySG user control: secured authentication (LDAP, Active Directory, NTLM, RADIUS, local user database); single sign-on, passing credentials to the origin web server; URL rewriting hides internal servers and content structure; URL validity check; DoS defence. Comprehensive user control: authentication/authorization against a user database.
Diagram: Internet (HTTPS) -> ProxySG -> internal network (HTTP, username passed in an HTTP header).
Slide 20: Virus Scanning
ProxySG and ProxyAV architecture: purpose-built appliances for speed; high availability and load balancing; one GUI for ease of deployment and administration; lower total cost of operations (TCO). Appliance-based virus scanning.
Diagram: Internet (HTTPS) -> ProxySG (user database) -> internal network (HTTP); ProxySG hands content to ProxyAV over ICAP.
Slide 21: Performance, High Availability, Scalability
Caching: content is cached and can be served directly.
High availability: two ProxySGs in failover mode; ProxySG performs L3, L4 and L7 health checks on origin web servers.
Scalability: multiple origin web servers can be load balanced by ProxySG (least connections, round robin).
Slide 22: The various "roles" of the proxy (divider slide; diagram and notes repeat slide 3)
Slide 23: Why SGOS 5.x? = Server consolidation
More application traffic + inefficient protocols + more distributed users + limited bandwidth = mediocre application performance.
Notes: Cost concerns + compliance = consolidation. Consolidated applications + long distances + protocols pushed past their limits = poor application performance. Poor performance is largely a matter of turns (round trips), but can also be bandwidth-related. The industry's answer is to accelerate traffic, but...
Slide 24: NEW: SGOS 5.x, Multiprotocol Accelerated Caching Hierarchy
Compression, bandwidth management, protocol optimization, object caching, byte caching.
For file services (CIFS), web (HTTP), Exchange (MAPI), video/streaming (RTSP, MMS), secure web (SSL).
Slide 25: Legacy WAN Optimization
Fix basic protocols. Compress with byte caching. Some add wide area file services.
KEY MESSAGE: Competitive approaches to WAN optimization are too narrow to comprehensively improve performance. Customers need to consider the rest of their application portfolio, which other vendors do not improve.
Notes: Legacy approaches to WAN optimization. Blue Coat is not the only vendor looking to solve these problems. At first there were point solutions that either pixel-scrape screens (Citrix) or just manage bandwidth (Packeteer). However, the industry has more or less stabilized around a few rapidly commoditizing technologies to address WAN performance problems.
The first is to fix LAN protocols that break over the WAN by changing their behavior. Blue Coat does this as well. Commonly, CIFS file services, HTTP and the underlying TCP protocol are enhanced for high-latency environments.
The second is to use various types of compression to reduce bandwidth. Most effective is byte caching, a technique that removes redundant data directly from the bit stream by caching common patterns. Blue Coat proxies also do this. It is effective at reducing bandwidth, although it has little or no effect on overall latency.
Finally, since many WAN optimizations are file-service specific, they sometimes create a redundant overlay network of file servers to bring files closer to the end user.
But is this enough? These technologies help, but they only address part of the problem: what about the rest of the traffic? If you peep inside your WAN pipes today, most are not just filled with CIFS and maybe HTTP traffic. They are teeming with a variety of applications, protocols and content. Some of them shouldn't be there and are just wasting space, but many are business critical and need to be optimized. Are your needs also broader than just file services and simple web? What about the rest of your traffic?
Slide 26: Accelerate SSL Applications
SSL use is growing. If it's important, it's encrypted! Internal apps are hard to accelerate; external apps are even harder. Handle with care.
KEY MESSAGE: Not accelerating SSL applications is a critical failing of other approaches, as it leaves the most important applications and traffic un-optimized. Only Blue Coat provides a comprehensive solution for SSL-encrypted applications for both internal and external sites.
Notes: Start by accelerating SSL-encrypted traffic. By everyone's account, SSL use is growing. Every software-as-a-service application is SSL encrypted, as are most web mail applications and shopping sites. Compliance with user, customer and employee privacy requirements, plus ensuring the security of financial data, is driving more internal applications towards encryption as well. Indeed, it's safe to say that if it's a web application, and it's important, it's SSL encrypted.
But how do you optimize, cache and accelerate encrypted traffic? Even if you have the certificate for an application you own and control, it isn't easy to transparently intercept SSL key exchanges. You need to fully proxy the connection, impersonating the client to the server and vice versa, and sometimes even put a copy of the private key on the appliance. External applications are even harder, as you don't have the luxury of copying the private key around to the clients or the proxies.
Even if you could, however, that would raise additional questions. Can you intercept employees going to encrypted health sites? How about visiting customers, partners and contractors connecting back to their corporate networks? SSL communications are often encrypted for a good reason. If you begin undoing that protection, you need to handle it with care, and consider how you will advertise, audit, collect user consent and report it all back to auditors, if needed.
A better way: open, inspect and accelerate all SSL applications. Only Blue Coat SG appliances with MACH5 technology can seamlessly open all SSL applications, regardless of whether they are internal or external. This allows you to deliver the same performance and great user experience you can provide through WAN optimization to your most important traffic as well. All five MACH5 technologies can be used with SSL applications, without the need to break security best practices by removing private keys from your servers. Just as importantly, Blue Coat's user management tools, including alert and coaching pages, user authentication and centralized reporting, allow you not only to be selective in the SSL you intercept, but to produce auditable logs of user consent where needed.
Open, inspect, accelerate SSL applications.
Slide 27: Remove unwanted video. Accelerate the rest.
Are you video ready? What's already on the WAN: earnings announcements, compliance-mandated e-learning, YouTube.com. Is it at least controlled? Split streams for live broadcast; distributed video on demand.
KEY MESSAGE: You need to be ready for video. Only Blue Coat provides a comprehensive video solution as part of WAN optimization.
Notes: Start accelerating and managing video. Video is one of the fastest growing types of traffic. Even before the explosion of YouTube.com on corporate networks, mainstream websites such as CNN.com and ESPN.com had been converting their traditional content from static pages to streaming video and audio. Business uses for video are also becoming more popular, from earnings announcements to compliance-mandated e-learning in lieu of onsite training.
A better way: remove unwanted video but accelerate the rest. Are you ready to support video on your network? At a minimum, video needs to be controlled before it crowds out other traffic. An optimization solution should be able to differentiate, based on user, source and time of day, between what is business related and what is casual video surfing.
But to really improve both the user experience and the impact on the network, video should be actively optimized. Blue Coat offers two technologies that accelerate video performance. The first is split streaming. If multiple users are pulling the same live feed, Blue Coat SG appliances can download one stream and serve it to all users on the local network, removing redundant downloads that can quickly saturate even the largest pipe. Or, for files that are distributed on demand, active caching of local content allows the appliance to serve requests directly, removing almost all wait time for buffering and removing the need for any data to pass over the WAN.
Through a combination of video filtering, local caching and active acceleration, Blue Coat appliances can help make your network video ready, above and beyond normal WAN optimization.
Remove unwanted video. Accelerate the rest.
Slide 28: Stop Accelerating the Junk!
Why accelerate frivolous surfing, bulk downloads, peer-to-peer? Get rid of it, or it will grow and crowd out good apps.
KEY MESSAGE: If there is traffic you'd rather not have on your network, why accelerate it? Selectively prioritize based on who, what and when, so critical applications always get the bandwidth they need.
Notes: How much junk is on your wire? How fast do you want it to go? Despite years of talk, and some action, there is still a surprising amount of unnecessary or outright unseemly traffic on corporate WANs. Even for organizations that aren't concerned with the productivity loss of extraneous web surfing and downloads, rapid increases in both web traffic and multimedia content threaten to crowd out business applications.
Legacy WAN optimization solutions either don't affect the junk, or attempt to minimize the problem by accelerating it along with the good traffic. Like upgrading bandwidth, however, this does nothing to slow or stop the use of these services; in fact, by making them work better in the short term, they actually encourage further use of bandwidth-intensive external services.
A better solution is flexible bandwidth control. Why accelerate junk in the first place? The most obvious thing to do is remove it from the WAN entirely. But what exactly is "junk" traffic? Unfortunately, there is no easy answer, and it almost certainly varies from network to network, user to user and by time of day.
To effectively assign resources in a way that matches your organizational policies and culture requires a flexible bandwidth management solution. Blue Coat SG appliances can allocate bandwidth based on a variety of criteria (application, time of day, source server), but most importantly by individual user or user group as defined in your existing directory. Combined, this provides a comprehensive tool to manage your bandwidth, and stops the absurdity of accelerating traffic you don't want on your network to begin with.
Flexible, user-based bandwidth control.
Slide 29: Start Accelerating the Rest
Web traffic is huge and the fastest growing traffic: HTTP, and then some (web services, web widgets, Java clients). Get the Internet off your WAN.
KEY MESSAGE: The ultimate WAN optimization technology is serving from a local cache that can remove almost all latency and bandwidth costs from video, web and file sharing traffic.
Notes: Use the LAN, not the WAN. Remember life before server consolidation? Files came down fast, really fast. That's because the file server was just next door, on the same LAN as the user. Now imagine if not only the file server was on the LAN, but the Internet and a video server as well. That's the power of having a local cache.
Local caching works even better than most people expect. Up to 90% of corporate traffic is repetitive. Consider how a very small selection of files get changed, and how the same file might be downloaded from a web page, forwarded in an , then copied to a file share. Or how Internet traffic, the fastest growing part of most enterprise WANs, is mostly the same couple dozen web sites, with the same graphics and sharing the same banner ads.
A better way: download once, serve many. All this traffic can be served locally to reduce the strain on your bandwidth, conserving it for other business-critical uses. The Blue Coat object cache can store almost any type of content found on enterprise WANs, including video, Internet graphics, HTML, and any file commonly found on file shares or peer-to-peer. Subsequent requests are then served instantaneously, without having to wait for another download over the WAN. That dramatically cuts repetitive Internet backhaul, and nothing does more to improve the end-user experience. It also works with files that byte caching alone can't optimize, especially large and already compressed files such as multimedia and graphics.
Nothing is faster than a local copy, and nothing does as much to reduce WAN bandwidth. All without the overhead, integration or data corruption worries of a WAFS solution that can only address a fraction of the content on your pipe.
Deliver web-based applications without extra bandwidth.
Slide 30: What About the Office of One? Aren't We All Mobile Users?
Poor performance; inconsistent performance; no control over the user experience.
KEY MESSAGE: Application performance problems don't end at the front door. Roaming users need fast, secure and consistent access to internal and external applications wherever they are.
Notes: Are mobile users being left behind? Where are your users? How many of them connect directly to a company-owned LAN every day? Once just a problem for salespeople and executives, access to internal applications and data is a growing challenge. Telecommuting, contracting and outsourcing, enabled by inexpensive laptops and mobile connectivity and driven by IT cost cutting, are now the norm rather than the exception.
By definition, however, they are all WAN users, connecting in over VPNs and the Internet to internal applications with significantly higher latency and lower bandwidth than their colleagues at headquarters. As they move around, their network conditions change, and so does their user experience. Despite that, it's still IT's job to make sure they get the tools they need to do their job. There needs to be a way to ensure a consistently high-quality user experience outside the boundaries of the enterprise network, regardless of underlying network conditions and without a bulky appliance.
A better way: a software acceleration client for the mobile desktop. Roaming users need the optimization features of an appliance, but on their laptops. The Blue Coat SG Client includes our full suite of MACH5 technology to improve the performance of applications, regardless of their proximity to the user. By combining protocol optimization, caching and bandwidth control, IT can provision applications to users previously limited by bandwidth and latency. Further, understanding that not all remote users are employees, the SG Client comes as either a persistent client or on demand, allowing partners, customers and occasional home users access to the same quality experience as the professional road warrior.
As with all Blue Coat SG solutions, there is no need to sacrifice control and security for performance. The SG Client offers content control, web filtering and secure SSL VPN options to ensure the privacy and security of your corporate communications. It also supports detailed user experience monitoring, to help IT quantify the quality of service they are delivering all the way to the last mile. The combined result is an application delivery solution for every user, regardless of location.
Desktop client for acceleration and control.
Slide 31: Bandwidth Management
Users and applications are classified; guaranteed minimum or limited bandwidth per class; classes are prioritized according to business needs.
Sales application: priority 1, min 400 Kb, max 800 Kb
Priority 2: min 100 Kb, max 400 Kb
File services: priority 3, min 400 Kb, max 800 Kb
General web surfing: priority 4, min 0 Kb, max 200 Kb
Slide 32: Protocol Optimization ... for CIFS, MAPI, HTTP, HTTPS, TCP
Client/server exchange:
Packet #1, request client -> server: open a file.
Packet #2, response server -> client: indicates the FileID (FID), or an error if not found. The FID is used in subsequent packets to access the file.
Packet #3, request client -> server: read from the file.
Packet #4, response server -> client: returns the file data requested.
A client cannot request another read until the response to the first one arrives. Thus large documents can require many round trips, causing a ping-pong effect; this effect has been termed a chatty protocol.
Slide 33: Object Caching
Object caches for: HTTP/HTTPS caching; caching of audio/video streams; CIFS caching.
Object cache advantages: faster response times; less load on servers.
Object cache disadvantages: only applicable to certain applications/protocols; only applicable to certain content within an application; all or nothing: no benefit if the object is not available or has changed.
Slide 34: How Byte Caching Works
Diagram: local cache ... central cache; local LAN, WAN link, remote LAN. Sequences are already present in the local cache; bytes are transmitted as tokens over the WAN; the byte stream is reconstructed from the local cache data; the proxy stores all transferred bytes. [R1] [R2] [R3]
Used for WAN link optimization: deploy ProxySGs on both ends of a WAN link; eliminate repeated sequences of bytes sent over the WAN; drastically improve performance for bandwidth-limited applications; consistent end-user response times; controlled application bandwidth requirements.
Key benefits: completely transparent to client and server; exactly the same bytes are seen at both ends; works on any TCP connection, no protocol or application knowledge required; works with dynamic and changing data (frequently updated files, dynamic web applications); the most effective data transmission acceleration.
Limitations: byte caching addresses only the bytes transferred; no server offload; no protocol optimization; no protection or control; application proxies are needed for full performance management.
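A worked model of the exchange on this slide, added here as an illustration and not Blue Coat's implementation: both proxies keep an identical dictionary of chunks they have relayed, the sender replaces chunks it has seen before with short hash tokens, and the receiver rebuilds the exact bytes. The chunking scheme, token size and wire format are assumptions made for the example.

```python
"""Toy byte cache for a WAN link (constructed illustration, not Blue Coat code).
Both ends keep an identical dictionary of byte sequences already relayed. The
sender replaces each sequence seen before with a short token; the receiver
rebuilds the exact bytes. Nothing inspects the application protocol."""
import hashlib

WINDOW = 16            # rolling-hash window length (assumed value)
BOUNDARY_MASK = 0x1F   # chunk ends where (hash & mask) == 0: ~32-byte chunks
MIN_CHUNK, MAX_CHUNK = 16, 128
TOKEN_LEN = 8          # leading bytes of SHA-256 used as the chunk token (toy)


def split_chunks(data: bytes) -> list:
    """Content-defined chunking: boundaries depend on the bytes themselves, so
    an insertion shifts only nearby chunks and later chunks line up again."""
    chunks, start, h = [], 0, 0
    pow_w = pow(31, WINDOW, 1 << 32)
    for i, b in enumerate(data):
        h = (h * 31 + b) & 0xFFFFFFFF
        if i >= WINDOW:                       # drop the byte leaving the window
            h = (h - data[i - WINDOW] * pow_w) & 0xFFFFFFFF
        length = i - start + 1
        if length >= MAX_CHUNK or (length >= MIN_CHUNK and (h & BOUNDARY_MASK) == 0):
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


def token_of(chunk: bytes) -> bytes:
    return hashlib.sha256(chunk).digest()[:TOKEN_LEN]


class ByteCacheProxy:
    """One endpoint of the link. `store` keeps every chunk ever relayed (the
    slide's "proxy stores all transferred bytes"); an unbounded in-memory dict
    here, where an appliance would evict to a disk cache."""

    def __init__(self):
        self.store = {}

    def encode(self, data: bytes) -> bytes:
        """Sender side. Wire format (assumed): 0x00 + token for a known chunk,
        0x01 + 2-byte length + raw bytes for a chunk the far end lacks."""
        out = bytearray()
        for chunk in split_chunks(data):
            tok = token_of(chunk)
            if tok in self.store:
                out += b"\x00" + tok
            else:
                self.store[tok] = chunk
                out += b"\x01" + len(chunk).to_bytes(2, "big") + chunk
        return bytes(out)

    def decode(self, wire: bytes) -> bytes:
        """Receiver side: rebuild the stream and store every raw chunk so the
        two dictionaries stay identical."""
        parts, i = [], 0
        while i < len(wire):
            if wire[i] == 0x00:
                tok = wire[i + 1:i + 1 + TOKEN_LEN]
                parts.append(self.store[tok])       # KeyError: caches out of sync
                i += 1 + TOKEN_LEN
            elif wire[i] == 0x01:
                n = int.from_bytes(wire[i + 1:i + 3], "big")
                chunk = wire[i + 3:i + 3 + n]
                self.store[token_of(chunk)] = chunk
                parts.append(chunk)
                i += 3 + n
            else:
                raise ValueError("corrupt wire stream")
        return b"".join(parts)


def transfer(local, remote, data: bytes):
    """Send `data` local -> remote; return (bytes received, bytes on the wire)."""
    wire = local.encode(data)
    return remote.decode(wire), len(wire)


def demo() -> dict:
    """Constructed sample: a document sent cold, sent again, then an edited copy."""
    doc_v1 = b"".join(b"record %04d: quarterly figures for region %02d\n" % (n, n % 7)
                      for n in range(60))
    mid = len(doc_v1) // 2                    # v2 inserts a line, shifting the rest
    doc_v2 = doc_v1[:mid] + b"record NEW: inserted line\n" + doc_v1[mid:]
    local, remote = ByteCacheProxy(), ByteCacheProxy()
    got1, wire_cold = transfer(local, remote, doc_v1)     # mostly raw bytes
    got2, wire_warm = transfer(local, remote, doc_v1)     # tokens only
    got3, wire_edited = transfer(local, remote, doc_v2)   # partial hits
    assert (got1, got2, got3) == (doc_v1, doc_v1, doc_v2)
    return {"len_v1": len(doc_v1), "wire_cold": wire_cold, "wire_warm": wire_warm,
            "len_v2": len(doc_v2), "wire_edited": wire_edited}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} {value}")
```

The edited copy still mostly dedupes because chunk boundaries are content-defined; with fixed-size blocks, one inserted byte would shift every later block and defeat the cache, which is the "works with changed data" point on the slide.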
Slide 35: Compression
Compression eliminates "white space" from transferred content/objects. MACH5 uses the well-established gzip compression algorithm and compresses all traffic between two appliances with it.
Slide 36: MACH5 Working Together
Diagram: object cache, byte cache and gzip on each side of the WAN.
Bandwidth management: prioritization/QoS; limiting/allocation per user and per application; bandwidth reduction.
Protocol optimization: removes protocol inefficiencies; reduces latency.
Object caching: application-level cache; the most effective acceleration; optimizes bandwidth.
Byte caching: any TCP application; similar data and changed data; optimizes bandwidth.
Gzip compression: minimal transfer; optimizes bandwidth.
Slide 37: Proxy Architecture – Architectural Foundation for Application Delivery
Diagram: technology partner; end point; Remote Access & Web Protect; Blue Coat AV; HTTP(S), file, Exchange, streaming, 'byte'; bandwidth control, DiffServ; forward and reverse proxy; IM, Skype & P2P control; services; SSL proxy. Layers: policy (Policy Processing Engine); proxy (authentication, authorization, logging); custom OS (SGOS, object-based OS with caching).
Notes: The Blue Coat SG architecture consists of the following:
- Purpose-built custom operating system (SGOS): a secure, high-performance foundation built for web objects, with caching and enterprise reliability.
- Secure proxy with integration across multiple simultaneous authentication systems (LDAP, RADIUS, NTLM, AD, two-factor, etc.) and customizable logging options. Transparent proxy implementation: no changes required to clients. Only proxy vendor to provide encrypted credential acquisition for users and admins.
- Policy Processing Engine (PPE) that interprets policy to know who, what and when to control. Leverages the cache of approved or scanned content. Advises, coaches and enforces acceptable use policies.
- Security services for today's content issues, with the ability to expand. Content filtering on ProxySG has a lower TCO, increased performance with cached content, and granular policy controls. Web virus scanning on ProxySG has a 10x performance improvement and lower TCO than software-based solutions. IM control provides enterprise granular policy control for all leading IM vendors (AIM, MSN, Yahoo!). Peer-to-peer file sharing: blocking of traffic and client downloads. Pop-up ad blocking with the ability to accept use for enterprise applications (e.g. Outlook Web Access).
- Technology partners for a best-in-class choice of leading vendors: content filtering with nine "on-proxy" URL lists; virus scanning via ProxyAV with McAfee, Kaspersky, Sophos, Ahn Lab or Panda AV engines.
- Integrated purpose-built hardware appliances: performance, scalability, ease of management.
- Enterprise policy management: policy administration (GUI or CLI), multiple-appliance management (Director), enterprise Reporter.
Slide 38: The various "roles" of the proxy (divider slide; diagram and notes repeat slide 3)
Slide 39: Blue Coat RA: Simple & Secure
Diagram: public Internet; internal network; business partners and customers; employees on home PCs and other "unmanaged devices"; employees on IT-managed devices (PC, PDA etc.); SSL; information theft protection; malware protection; information leak prevention; host integrity check; sensitive and confidential corporate information; authorized and authenticated application requests; web application servers, client-server apps, databases and file services, terminal services such as Citrix and others.
Blue Coat RA – next-generation SSL VPN: single access for web and non-web applications; integrated endpoint security and information protection; no client software, no local admin rights.
Notes: Introducing Blue Coat RA. [Step through animation. This slide has two builds on the bottom.]
First section: RA, the next-gen SSL VPN. Why next gen? What's different? Single mode of access for all web and non-web applications through the patent-pending Connector technology. Integrated endpoint security and information protection: not a bunch of product partnerships, but an integrated, comprehensive set of features. Finally, it's the only on-demand solution: never software to install, never requires local admin rights, completely transient, no sticky residue left when the session expires.
[Continue build and begin to compare with IPSec and traditional SSL VPNs.] Blue Coat RA was designed to address the limitations of both IPSec and traditional SSL VPNs. Connectivity to web and non-web applications: Blue Coat RA provides access to browser-based, client-server and other applications. Why is BC RA better? Blue Coat RA is architected differently: where traditional SSL VPNs use HTTP reverse proxies as their engine, Blue Coat RA uses a SOCKS proxy. Why is this better? HTTP reverse proxies work at the application layer, so they have problems supporting anything but HTTP applications (which is why they insist on port-forwarding and network-extender clients); SOCKS is a session-layer proxy that is independent of the application and protocol, so it supports them all without having to know anything about them.
Endpoint security / info protection [step through animation]: host integrity checks (check OS patches, AV updates, etc. before allowing the device to connect); anti-malware (protect against malicious programs on the endpoint); info theft prevention (proactive protection against spyware and other info thieves); info leak prevention (prevent inadvertent information leaks, "user error" leaks). The completeness of this feature set is unmatched in the industry. All of the other vendors make bold promises, but they always require third-party products, and even combined they can't offer the features that RA provides. These features are one of the main reasons people get interested in RA; nothing comes close.
Support for unmanaged endpoints: RA is a great fit for unmanaged endpoints, not only because of the endpoint security and info protection features, but because RA never requires admin rights or software installation. It leverages its Connector technology, which is its single access mode for all applications. This makes it a great fit for unmanaged endpoints, such as the home PC of an employee.
40 Blue Coat RA (SSL VPN): Applications "On Demand"

Slide text:
- Connectivity for Web and non-Web applications
- No admin rights / reboots
- Leak detector
- Live demo!
Diagram (layers, top to bottom): Applications | System Calls | Blue Coat RA Connector: Browser Security, Malware Protection, Host Integrity, TBA, Information Controls, RA Services, SSL Connectivity | Operating System

Speaker notes: One of the main differentiators is the RA Connector, which utilizes patent-pending Connector technology.
What is it? It is an on demand agent that is pushed down to the endpoint when access to an application is required. It is binary executable code pushed down via Java or ActiveX. When a user is logged in, an icon (padlock with blue rings) is seen in the user's system tray.
How does it work? When a user requests access, the Connector is dynamically pushed down and inserted between the applications and the operating system. By being between the applications and the OS, it can intercept targeted network and system requests. For example, when the user's Outlook client queries the Exchange server, the Connector can intercept it.
What does it do? The first thing it does is provide connectivity using SOCKS. When it intercepts network requests, it wraps them in SOCKS, encrypts them in SSL and then reroutes them to the RA server, where the packets are decrypted, "unwrapped" and authenticated. Then the packets are proxied and sent on to their targeted resources, such as an Exchange server. The second thing it does is provide the various security services, such as malware protection and host integrity checks.
These connectivity and security services are all provided on demand. It is RA's single access mode – it's all you'll ever need. It's entirely on demand – no Admin rights are required, no reboot is necessary, and it's completely transient – nothing is left behind when the user logs out.
Finally, the Connector is extensible to other services. As Blue Coat adds new services, they will be downloaded through the Connector. This is really the "secret sauce" of Blue Coat RA, which delivers the "clientless" VPN that other vendors only claim to have.
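The wrapping step these notes describe (intercept a connect request, wrap it in SOCKS, send it over SSL to the RA server, which unwraps, authenticates and proxies it), as an added example that is not Blue Coat's code: a SOCKS5 (RFC 1928) CONNECT exchange encoded on the client side and parsed and authorised on the proxy side. It makes the session-layer argument concrete: the request carries only a destination host and port, so an Outlook, Citrix or any other TCP client is wrapped identically and the proxy never needs to understand the application protocol. Host names, ports and the per-session ruleset are constructed for the example, and the SSL transport around the bytes is left out.

```python
"""SOCKS5 CONNECT exchange (RFC 1928), client and proxy side, at the byte level.

Added example, not Blue Coat code. In the RA design these bytes would travel
inside an SSL connection to the RA server; that transport is omitted here.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
METHOD_NO_AUTH, METHOD_USERPASS, METHOD_NONE_ACCEPTABLE = 0x00, 0x02, 0xFF
REP_SUCCEEDED, REP_GENERAL_FAILURE, REP_NOT_ALLOWED, REP_CMD_NOT_SUPPORTED = 0x00, 0x01, 0x02, 0x07

# Constructed per-session ruleset: internal host:port pairs this user may reach.
# The proxy authorises the unwrapped destination, not the application payload.
ALLOWED_DESTINATIONS = {
    ("exchange.corp.example", 135): "Outlook / MAPI endpoint mapper",
    ("exchange.corp.example", 443): "Outlook Web Access",
    ("citrix.corp.example", 1494): "Citrix ICA",
}


def build_greeting(methods=(METHOD_USERPASS,)) -> bytes:
    """Client: VER NMETHODS METHODS, offering the authentication methods it supports."""
    return bytes([SOCKS_VERSION, len(methods), *methods])


def select_method(greeting: bytes, required=METHOD_USERPASS) -> bytes:
    """Proxy: VER METHOD. Insist on authenticated access; 0xFF closes the session."""
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 greeting")
    offered = greeting[2:2 + greeting[1]]
    chosen = required if required in offered else METHOD_NONE_ACCEPTABLE
    return bytes([SOCKS_VERSION, chosen])


def build_connect_request(host: str, port: int) -> bytes:
    """Client: VER CMD RSV ATYP DST.ADDR DST.PORT. The host is sent as a domain
    name, so resolution happens on the proxy, inside the corporate network."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length must be 1..255 bytes")
    return (struct.pack("!BBBB", SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def parse_request(data: bytes):
    """Proxy: unwrap a request and return (cmd, host, port); ValueError if malformed."""
    if len(data) < 7:
        raise ValueError("short SOCKS5 request")
    ver, cmd, rsv, atyp = data[0], data[1], data[2], data[3]
    if ver != SOCKS_VERSION or rsv != 0x00:
        raise ValueError("not a SOCKS5 request")
    if atyp == ATYP_DOMAIN:
        n = data[4]
        host, off = data[5:5 + n].decode("idna"), 5 + n
    elif atyp == ATYP_IPV4:
        host, off = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        host, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    else:
        raise ValueError("unknown address type")
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 request")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return cmd, host, port


def build_reply(rep: int, bind_host="0.0.0.0", bind_port=0) -> bytes:
    """Proxy: VER REP RSV ATYP BND.ADDR BND.PORT (IPv4 form of the bound address)."""
    return (struct.pack("!BBBB", SOCKS_VERSION, rep, 0x00, ATYP_IPV4)
            + socket.inet_aton(bind_host) + struct.pack("!H", bind_port))


def proxy_handle(request: bytes, allowed=ALLOWED_DESTINATIONS) -> bytes:
    """Proxy: parse, then authorise the destination against the session ruleset."""
    try:
        cmd, host, port = parse_request(request)
    except ValueError:
        return build_reply(REP_GENERAL_FAILURE)
    if cmd != CMD_CONNECT:
        return build_reply(REP_CMD_NOT_SUPPORTED)  # no BIND / UDP ASSOCIATE here
    if (host.lower(), port) not in allowed:
        return build_reply(REP_NOT_ALLOWED)
    return build_reply(REP_SUCCEEDED)


def reply_code(reply: bytes) -> int:
    """Client: read the REP field from the proxy's reply."""
    if len(reply) < 2 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return reply[1]
```

The proxy refuses a client that only offers "no authentication", and the authorisation decision is taken on the unwrapped destination after the session has been authenticated, which is the point at which a per-user ruleset belongs; an HTTP reverse proxy could make the same decision only for HTTP.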
41 Integrated Endpoint Security

Slide text (four columns):
- Host Integrity Check: checks of AV updates, OS patches, firewall settings; custom checks; graduated access control.
- Malware Protection: EXE signature checks; program black/white lists; watch lists with cryptographic checksums.
- Information Theft Protection: keylogger detection/suppression; framegrabber detection/suppression; initial & ongoing scans.
- Information Leak Prevention: browser cache / temp file real-time encryption & deletion; auto session termination; auto session clean-up (cookies, etc.); info controls (save, print, etc.).

Speaker notes: [Click through one at a time]
For endpoint security, RA provides four unique sets of features. And, again, these features are all integrated. There are no third party products to license and deploy.
Host Integrity Checks – this allows you to check the integrity of the connecting device before allowing access. It can look for AV updates, OS patches or personal firewall settings. And, it's customizable so you can develop your own checks, such as looking for the existence of a certain file. Finally, access can be managed based on the results of the check.
Malware Protection – controls which applications the user can access (white list) or can't access (black list) and also prevents unauthorized or known bad programs from hijacking the VPN session. It checks all EXE signatures and has black and white lists for managing which programs have access to the VPN tunnel and which are completely forbidden (such as a peer-to-peer application). Also, it has watch lists to identify specific programs that cannot access the VPN tunnel.
Information Theft Protection – features to scan and suppress keyloggers and framegrabbers that may be stealing user credentials and sensitive information. RA is the only solution to provide a pre-authentication scan for keyloggers and framegrabbers. If any suspicious processes are identified, RA can temporarily suppress them for the duration of the user's session. It doesn't kill any processes or make any changes, it simply "hides" the user's session from the keyloggers and framegrabbers. This is highly unique to RA.
Information Leak Prevention – these are browser security features that protect against "user error" – that is, features that protect the user from accidentally leaking information. These include information controls (which allow the administrator to define what a user can do with the information that is downloaded – for example, a person may not be allowed to save a document downloaded from Web mail when on an unmanaged device, like the employee's home PC). Also, RA provides real-time cache and temp file encryption and complete session shredding (to DoD specifications).
Finally, these features are all integrated and are managed through one admin console and, of course, it's one price for everything.
42 Key Blue Coat RA Features – Delivering Secure Connectivity

Step 1 Spyware Blocking – patent-pending preauthentication scan for, and blocking of, framegrabbers and keyloggers.
Step 2 Host Integrity Checks – before granting any access, verify the security posture of the endpoint (antivirus, firewall, registry settings). HIC is used not to allow or block the user from logging in, but for granular per-resource security checks.
Step 3 Malware Protection – Application Watchlist and Application Validation (MD5 checksums) ensure that only specifically allowed applications are granted access.
Step 4 Browser Protection – encrypt all browser cache and application temp files in real time.
Step 5 Information Usage Control – ability to enable the Security Administrator to specify what a user's managed and unmanaged device can do with the corporate information, e.g. cutting, pasting, printing, etc.
Step 6 Connector Clean Up – once the session is terminated by the end user, all traces are completely removed from the end user's system using DoD-spec file wiping.
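Steps 1 to 3 of this slide, together with the Host Integrity Check and Malware Protection columns of slide 41, as an added example that is not Blue Coat's code: a posture evaluation that yields a graduated access level instead of a login-time allow/deny, a per-resource minimum level checked at access time, and application validation against a checksum whitelist, a black list and default deny for unknown programs. Thresholds, resource names and the sample executables (byte strings standing in for files on disk) are constructed assumptions. The slide names MD5 checksums; the example uses SHA-256, because MD5 collisions were already practical when this deck was given and a checksum whitelist is only as strong as its hash.

```python
"""Graduated host integrity check plus application validation for a VPN tunnel.

Added example, not Blue Coat code. Thresholds, resource names and the sample
binaries below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass

# Policy thresholds: assumptions for this example, not RA defaults.
MAX_AV_AGE_DAYS_FULL = 3        # signatures this fresh qualify for full access
MAX_AV_AGE_DAYS_LIMITED = 14    # older than this means quarantine
REQUIRED_PATCH_LEVEL = 7        # constructed patch-level counter

LEVEL_RANK = {"quarantine": 0, "limited": 1, "full": 2}

# Minimum posture level per internal resource (constructed names). Unknown
# resources require "full", so a missing policy entry fails closed.
RESOURCE_MIN_LEVEL = {
    "webmail": "limited",
    "citrix": "limited",
    "exchange-mapi": "full",
    "file-shares": "full",
}


@dataclass(frozen=True)
class Posture:
    """Facts the host integrity check collects on the endpoint."""
    av_signature_age_days: int
    os_patch_level: int
    firewall_enabled: bool
    managed_device: bool


def posture_level(p: Posture) -> str:
    """Graduated access: a healthy managed device gets 'full', a healthy but
    unmanaged device (home PC) 'limited', a stale one 'quarantine'."""
    healthy = (p.av_signature_age_days <= MAX_AV_AGE_DAYS_FULL
               and p.os_patch_level >= REQUIRED_PATCH_LEVEL
               and p.firewall_enabled)
    if healthy:
        return "full" if p.managed_device else "limited"
    if p.firewall_enabled and p.av_signature_age_days <= MAX_AV_AGE_DAYS_LIMITED:
        return "limited"
    return "quarantine"


def resource_allowed(level: str, resource: str) -> bool:
    """Per-resource check, made at access time rather than at login."""
    needed = RESOURCE_MIN_LEVEL.get(resource, "full")
    return LEVEL_RANK[level] >= LEVEL_RANK[needed]


# Constructed stand-ins for executables; a real check hashes the file on disk.
SAMPLE_BINARIES = {
    "outlook.exe": b"MZ constructed-outlook-image",
    "wfica32.exe": b"MZ constructed-citrix-ica-client",
}
BLACKLIST = {"bittorrent.exe", "emule.exe"}   # never allowed to use the tunnel


def fingerprint(data: bytes) -> str:
    """SHA-256 instead of the MD5 named on the slide (see lead-in)."""
    return hashlib.sha256(data).hexdigest()


# Whitelist keyed by file name, value is the expected fingerprint.
WHITELIST = {name: fingerprint(data) for name, data in SAMPLE_BINARIES.items()}


def validate_application(name: str, exe_bytes: bytes) -> str:
    """Black list first, then checksum validation, then default deny."""
    key = name.lower()
    if key in BLACKLIST:
        return "block-blacklisted"
    expected = WHITELIST.get(key)
    if expected is None:
        return "deny-unknown"
    if fingerprint(exe_bytes) != expected:
        return "block-checksum-mismatch"   # right name, wrong binary
    return "allow"


def request_access(posture, spyware_found, app_name, exe_bytes, resource):
    """Steps 1 to 3 of slide 42 in order; returns (granted, notes)."""
    notes = []
    # Step 1: pre-authentication spyware scan. Slide 41 describes suppression
    # for the session rather than killing processes, so a find is recorded,
    # not fatal.
    if spyware_found:
        notes.append("step1: suppressed for this session: " + ", ".join(spyware_found))
    # Step 2: posture sets the level; the level is checked per resource.
    level = posture_level(posture)
    if not resource_allowed(level, resource):
        notes.append(f"step2: level '{level}' insufficient for {resource}")
        return False, notes
    # Step 3: only validated applications may use the tunnel.
    verdict = validate_application(app_name, exe_bytes)
    if verdict != "allow":
        notes.append(f"step3: {verdict}")
        return False, notes
    notes.append(f"granted: {app_name} -> {resource} at level {level}")
    return True, notes
```

Two design points worth noting: the resource table fails closed for names it does not know, and the application check treats a known name with a wrong checksum as a block rather than as an unknown program, since a renamed binary is the case a watch list exists for.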
43 For the User…

Slide sequence (login demo with the sample user Jane.Doe / *******):
1. User starts and logs in at the portal
2. Connector downloads the security services
3. Scan & suppression of malware
4. Host integrity checks
5. User is authenticated – "System Secure. You may log in."
6. Connector completes the download
7. User starts desktop applications
8. User logs out, session ends
9. Session "traces" are deleted automatically

Speaker notes: [Step through process] Some notes:
- RA can integrate with an existing corporate portal or provide one
- Connector is around 500kb – which is negligible on a broadband connection, but can take some time on dial up.
- Spyware scan and suppression is unique to RA – no one else can do this. (Many people can scan, but no one else can suppress them temporarily.)
- RA supports a wide array of authentication schemes (AD, RADIUS, SecureID, etc.)
- User can launch applications from a portal OR from their native desktop (like they do in the office or on an IPSec VPN)
- When the user logs out or is timed out, a complete session clean up occurs – cache and temp files erased, all history information removed, etc.
44 Appliance Overview

Speaker notes: Blue Coat provides you a range of appliances to support smaller branch offices on up to the largest enterprise implementations.

Slide table (remote offices at the small end, corporate headquarters at the large end; performance axis as laid out on the slide):

Series                     | Connected users        | WAN throughput
SG200 Series               | Up to 250 users        | Up to 20 Mbps
SG510 / RA/AV510 Series    | 150 – 1000 users       | 30 – 50 Mbps
SG810 / RA/AV810 Series    | 800 – 4000 users       | 100 Mbps – 140 Mbps
SG8100 Series              | 3000 – 50,000+ users   | 200 Mbps – 400+ Mbps
45 URL Filtering at Home