Blue Coat Corporate Overview presentation. Dated Sept 3, 2003.

Presentation transcript:

SSL Proxy and SSL VPN from Blue Coat Systems
Technology Day at eXecure AG, 31 January 2007
Michael Hartmann, Territory Sales Director DACH & EE, Blue Coat Systems GmbH

“The Power of the Proxy”
CONTROL: comprehensive policies for applications, protocols, content and users; granular logging; flexible authentication.
ACCELERATE: Multiprotocol Accelerated Caching Hierarchy (MACH); bandwidth management, compression, protocol optimization; byte, object and predictive caching.
PROTECT: detects spyware, malware and viruses; stops DoS attacks; protects vulnerabilities in IE, IM etc.
Protocol termination = full control of all content: HTTP, SSL, IM, Streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS, TCP.
A central point of control for corporate communications.
Anecdotes USAF, Saudi

The Different “Roles” of the Proxy
Diagram labels: Internet, Customers, Streaming, Web, Web Partner, Forward Proxy, Reverse Proxy, Exchange, IM, Centralized Policy And Reporting, P2P, TCP Network, Employees, File Access, Proxy/RA, Data Center Proxy/Mach5, Streaming, Web.
So coming full circle – we outlined what issues have driven the development of the Application Delivery Infrastructure and what business factors are driving IT projects. Therefore, any true solution needs to be inclusive of: the breadth of applications (web / file / exchange / streaming / TCP, etc.), and the fact that the Internet is both a friend and a foe. Only Blue Coat can provide a breadth of price/performance proxy appliances that provide the key ‘application performance’ services and incorporate critical controls to assure both business and casual use is aligned with resources / policy. One vendor – one OS – one management platform – etc. (NOTE – the framework on the side shows the circle around all of the columns / rows.)

Bob Kent *******

Notice Bob likes to personalize his work environment (this is a picture of the sunset from his backyard)… and not surprisingly, he likes to do a lot of personal activities while at work. Like many users, the first stop after logging on is the Internet… Bob doesn’t waste any time and fires up his browser…
Internet Explorer: Start browser. Finds and displays information and websites on the Internet. 10:45

10:46 Microsoft Corporation – Microsoft Internet Explorer http://my.yahoo.de
Bob visits Yahoo as his default home page… but before delivering the Yahoo page, Bob notices something new… [MOUSE CLICK]

Edge Corp new AUP - Microsoft Internet Explorer
Internet Usage – Employee Agreement
You are logged in as: Bob Kent. Please note our Internet usage policy. Edge Corp. is entitled to monitor and log all Internet traffic for security reasons. This also applies to SSL-encrypted traffic. Click here to accept. If you do not agree, click here.
Today, something new has happened. Bob’s employer, Edge Corp., has just deployed Blue Coat ProxySG at their Internet gateway to provide visibility, control and acceleration. Bob is identified by name and asked to acknowledge Edge Corp’s Acceptable Use Policy. [MOUSE CLICK] Bob is not a patient fellow, so he just accepts and moves on.

Gmail – Secure email from Google - Microsoft Internet Explorer https://gmail.goole.com/inbox/28677$5552739/show.do
Notice that Gmail is SSL encrypted. Bob quickly logs in and sees a couple of new messages he’s curious about. He opens the first message, which has an attachment. [MOUSE CLICK]

Gmail – Secure email from Google - Microsoft Internet Explorer https://gmail.goole.com/inbox/28677$5552739/attch-dload.do
Bob Kent, this is your IT department. While checking your download, a virus was found; the file has therefore been deleted.
[MOUSE CLICK] Bob tries to download the attachment, but it has a virus. Even though this Gmail session was inside an encrypted SSL tunnel, Blue Coat’s ProxySG was able to decrypt the tunnel at the gateway and allow Blue Coat’s ProxyAV to scan for and block viruses. Bob decides to look at the other message he’s received. [MOUSE CLICK]

This email tells Bob he needs to update the corporate credit card information on the PayPal account Edge Corp uses for some online purchases. [MOUSE CLICK] Bob clicks on the provided link [MOUSE CLICK]

Paypa1 - Login - Microsoft Internet Explorer https://www.paypa1.com/PayPal%20-%20Welcome.htm
Bob.kent@edge.com *******
Bob Kent, you attempted to submit data to www.paypa1.com. This site is very likely a phishing site; the transmission was therefore stopped.
Which takes him to what appears to be his usual PayPal login page. There’s a little padlock on the toolbar, and the URL starts off “HTTPS”, which suggests this is a secure web site. Bob begins to log in. [MOUSE CLICK] However, ProxySG recognizes the signs of a phishing site and steps in to protect Edge Corp’s private information and alert Bob. Bob feels foolish for having almost fallen for a phishing attack. [MOUSE CLICK]

Microsoft Internet Explorer
This is a message from your IT department
Hello Bob Kent. An attempt was made to download spyware onto your computer. This infection was prevented.

[MOUSE CLICK] Bob clicks on Skype to call his best friend Fred out of state. For those of you who don’t know, Skype is a free, video-capable, P2P Internet phone that uses a proprietary encrypted protocol and sometimes turns individual users into “Super Nodes” to relay many other Skype users’ calls. There are more than 200 million Skype users. [MOUSE CLICK] Bob won’t be calling any of them today though, because Edge Corp uses ProxySG to block unauthorized Internet applications like Skype. Edge Corp conserves bandwidth very effectively this way. If Bob needs to use Skype for his job, he or a select group can be allowed to use Skype by ProxySG. 10:45

Maybe I should get some work done…
It has been an interesting day so far for Bob; his only option is to get back to work… 15:06

Blue Coat’s Complete Solution
Diagram labels: Director, ProxyAV, Web AV, Filtering, Port 80 traffic, Public Internet, Internal Network, Streaming, ProxySG, Reporter, Visual Policy Manager, Management Tools, P2P, Authenticate, IM.

Secure Reverse Proxy
Diagram labels: Internal Network, ProxySG Family, Public Internet.
Higher performance through caching. Hardware-based SSL offload. User authentication. URL rewriting. Virus scanning for upstream content. DoS protection. HTTP/HTTPS request inspection.

SSL Termination
SSL hardware card: 800 new sessions/second. SSLv2, v3 and TLSv1 support. An HTTPS connection is established between users and ProxySG. An HTTP or HTTPS connection is then established between ProxySG and the web servers. User authentication/authorization. Caching.
Diagram labels: Internet, HTTPS, ProxySG, HTTP, Internal Network.

User Control
Secured authentication: LDAP, ActiveDirectory, NTLM, Radius, local user database. Single Sign On: passes credentials to the origin web server. URL rewriting hides internal servers and content structure. URL validity check. DoS defence. Comprehensive user control: authentication/authorization.
Diagram labels: Internet, HTTPS, ProxySG, HTTP (username passed in HTTP header), Internal Network, User Database.

Virus Scanning
ProxySG & ProxyAV architecture: purpose-built appliances for speed; high availability and load balancing; one GUI to ease deployment and administration; lower Total Cost of Operations (TCO). Virus scanning is appliance based.
Diagram labels: Internet, HTTPS, ProxySG, ICAP, ProxyAV, HTTP, Internal Network, User Database.

Performance
Caching: content is cached and can be served directly.
High availability: using 2 ProxySG in failover mode; ProxySG performs L3, L4 and L7 health checks on origin web servers.
Scalability: multiple origin web servers can be load balanced by ProxySG (least connections, round robin).

Why SGOS 5.x?
Server consolidation + more application traffic + inefficient protocols + more distributed users + limited bandwidth = mediocre application performance.
Cost concerns + compliance = consolidation. Consolidated applications + long distances + protocols pushed past their limits = poor application performance. Poor performance is largely due to turns, but can also be bandwidth-related. The industry answer is to accelerate traffic, but…

NEW: SGOS 5.x
Multiprotocol Accelerated Caching Hierarchy: compression, bandwidth management, protocol optimization, object caching, byte caching.
File Services (CIFS), Web (HTTP), Exchange (MAPI), Video/Streaming (RTSP, MMS), Secure Web (SSL).

Legacy WAN Optimization
Fix basic protocols. Compress with byte caching. Some add wide area file services. What about the rest of your traffic?
KEY MESSAGE: Competitive approaches to WAN optimization are too narrow to comprehensively improve performance. Customers need to consider the rest of their application portfolio not improved by other vendors.
Legacy Approaches to WAN Optimization
Blue Coat is not the only vendor looking to solve these problems. At first there were point solutions that either pixel-scrape screens (Citrix) or just manage bandwidth (Packeteer). However, the industry has more or less stabilized around a few, rapidly commoditizing technologies to address WAN performance problems.
The first is to fix LAN protocols that break over the WAN by changing their behavior. Blue Coat does this as well. Commonly, CIFS file services, HTTP and the underlying TCP protocols are enhanced for high-latency environments.
The second is to use various types of compression to reduce bandwidth. Most effective is byte caching, a technique that removes redundant data directly from the bit stream by caching common patterns. Blue Coat proxies also do this. It’s effective at reducing bandwidth, although it has little or no effect on overall latency.
Finally, since many WAN optimizations are file service specific, they sometimes create a redundant overlay network of file servers to bring files closer to the end user.
But is this enough? These technologies help, but they only address part of the problem – what about the rest of the traffic? If you peep inside your WAN pipes today, most are not just filled with CIFS and maybe HTTP traffic. They are teeming with a variety of applications, protocols and content. Some of them shouldn’t be there and are just wasting space, but many are business critical and need to be optimized. Are your needs also broader than just file services and simple web?

Accelerate SSL Applications
SSL use is growing. If it’s important, it’s encrypted! Internal apps are hard to accelerate. External apps are even harder. Handle with care. Open, Inspect, Accelerate SSL Applications.
KEY MESSAGE: Not accelerating SSL applications is a critical failing of other approaches, as it leaves the most important applications and traffic un-optimized. Only Blue Coat provides a comprehensive solution to SSL encrypted applications for both internal and external sites.
Start by Accelerating SSL Encrypted Traffic
By everyone’s account, SSL use is growing. Every software-as-a-service application is SSL encrypted, as are most web mail applications and shopping sites. Compliance with user, customer and employee privacy, plus ensuring the security of financial data, is driving more internal applications towards encryption as well. Indeed, it’s safe to say that if it’s a web application, and it’s important, it’s SSL encrypted.
But how do you optimize, cache and accelerate encrypted traffic? Even if you have the certificate for an application you own and control, it isn’t easy to transparently intercept SSL key exchanges. You need to fully proxy the connection, impersonating the client to the server and vice versa, and sometimes even put a copy of the private key on the appliance.
External applications are even harder, as you don’t have the luxury of copying the private key around to the clients, or the proxies. Even if you could, however, that would raise additional questions. Can you intercept employees going to encrypted health sites? How about visiting customers, partners and contractors connecting back to their corporate networks? SSL communications are often encrypted for a good reason. If you begin undoing that protection, you need to handle it with care, and consider how you will advertise, audit, collect user consent and report it all back to auditors, if needed.
A Better Way: Open, Inspect and Accelerate All SSL Applications
Only Blue Coat SG appliances with MACH5 technology can seamlessly open all SSL applications, regardless of whether they are internal or external. This allows you to deliver the same performance and great user experience you can provide through WAN optimization to your most important traffic as well. All five MACH5 technologies can be used with SSL applications, without the need to break security best practices by removing private keys from your servers.
Just as importantly, Blue Coat’s user management tools, including alert and coaching pages, user authentication and centralized reporting, allow you not only to be selective in the SSL you intercept, but also to produce auditable logs of user consent where needed.

Are You Video Ready?
What’s already on the WAN: earnings announcement, compliance mandated e-learning, YouTube.com. Is it at least controlled? Split streams for live broadcast. Distributed video on demand. Remove unwanted video. Accelerate the rest.
KEY MESSAGE: You need to be ready for video. Only Blue Coat provides a comprehensive video solution as part of WAN optimization.
Start Accelerating and Managing Video
Video is one of the fastest growing types of traffic. Even before the explosion of YouTube.com on corporate networks, mainstream websites such as CNN.com and ESPN.com have been converting their traditional content from static pages to streaming video and audio. Business uses for video are also becoming more popular, from earnings announcements to compliance-mandated e-learning in lieu of onsite training.
A Better Way: Remove Unwanted Video but Accelerate the Rest
Are you ready to support video on your network? At a minimum, video needs to be controlled before it crowds out other traffic. An optimization solution should be able to differentiate – based on user, source, and time of day – between what is business related and what is casual video surfing.
But to really improve both the user experience and the impact on the network, video should be actively optimized. Blue Coat offers two technologies that accelerate video performance. The first is split streaming. If multiple users are pulling the same live feed, Blue Coat SG appliances can download one stream and serve it to all users on the local network, removing redundant downloads that can quickly saturate even the largest pipe. Or, for files that are distributed on demand, active caching of local content allows the appliance to serve requests directly, removing almost all wait time for buffering and removing the need for any data to pass over the WAN.
Through a combination of video filtering, local caching and active acceleration, Blue Coat appliances can help make your network video ready, above and beyond normal WAN optimization.

Stop Accelerating the Junk!
Why accelerate frivolous surfing, bulk downloads, peer-to-peer? Get rid of it! Or it will grow and crowd out good apps. Flexible, User Based Bandwidth Control.
KEY MESSAGE: If there is traffic you’d rather not have on your network, why accelerate it? Selectively prioritize based on who, what, and when so critical applications always get the bandwidth they need.
How Much Junk Is On Your Wire? How Fast Do You Want it to Go?
Despite years of talk, and some action, there is still a surprising amount of unnecessary or outright unseemly traffic on corporate WANs. Even for organizations that aren’t concerned with the productivity loss of extraneous web surfing and downloads, rapid increases in both web traffic and multimedia content threaten to crowd out business applications.
Legacy WAN optimization solutions either don’t affect the junk, or attempt to minimize the problem by accelerating it along with the good traffic. Like upgrading bandwidth, however, this does nothing to slow or stop the use of these services – in fact, by making them work better in the short term, they actually encourage further use of bandwidth-intensive external services.
A Better Solution is Flexible Bandwidth Control
Why accelerate junk in the first place? The most obvious thing to do is remove it from the WAN entirely. But what exactly is “junk” traffic? Unfortunately, there is no easy answer, and it almost certainly varies from network to network, user to user and by time of day. To effectively assign resources in a way that matches your organizational policies and culture requires a flexible bandwidth management solution.
Blue Coat SG appliances can allocate bandwidth based on a variety of criteria – application, time of day, source server – but most importantly by individual user or user groups as defined in your existing directory. Combined, this provides a comprehensive tool to manage your bandwidth, and stop the absurdity of accelerating traffic you don’t want on your network to begin with.

Start Accelerating the Rest
Web traffic is huge: the fastest growing traffic. HTTP, and then some: web services, web widgets, Java clients. Get the Internet off your WAN. Deliver Web-Based Applications Without Extra Bandwidth.
KEY MESSAGE: The ultimate WAN optimization technology is serving from a local cache that can remove almost all latency and bandwidth costs from video, web and file sharing traffic.
Use the LAN, not the WAN
Remember life before server consolidation? Files came down fast – really fast. That’s because the file server was just next door, on the same LAN as the user. Now imagine if not only the file server was on the LAN, but the Internet and a video server as well. That’s the power of having a local cache.
Local caching works even better than most people expect. Up to 90% of corporate traffic is repetitive. Consider how a very small selection of files gets changed, and how the same file might be downloaded from a web page, forwarded in an email, then copied to a file share. Or how Internet traffic – the fastest growing part of most enterprise WANs – is mostly the same couple of dozen web sites, with the same graphics and sharing the same banner ads.
A Better Way: Download Once, Serve Many
All this traffic can be served locally to reduce the strain on your bandwidth, conserving it for other business-critical uses. The Blue Coat object cache can store almost any type of content found on enterprise WANs, including video, Internet graphics, HTML, and any file commonly found on fileshares, email or peer-to-peer. Subsequent requests will then be served instantaneously, without having to wait for another download over the WAN.
That dramatically cuts repetitive Internet backhaul, and nothing does more to improve the end user experience. Also, it works with files that byte caching alone can’t optimize, especially large and already compressed files such as multimedia and graphics. Nothing is faster than a local copy, and nothing does as much to reduce WAN bandwidth. All without the overhead, integration or data corruption worries of a WAFS solution that can only address a fraction of the content on your pipe.

What About The Office of One?
Aren’t we all mobile users? Poor performance. Inconsistent performance. No control over user experience. Desktop Client for Acceleration and Control.
KEY MESSAGE: Application performance problems don’t end at the front door. Roaming users need fast, secure and consistent access to internal and external applications wherever they are.
Are Mobile Users Being Left Behind?
Where are your users? How many of them connect directly to a company-owned LAN every day? Once just a problem for salespeople and executives, access to internal applications and data is a growing challenge. Telecommuting, contracting and outsourcing, enabled by inexpensive laptops and mobile connectivity and driven by IT cost cutting, are now the norm rather than the exception.
By definition, however, they are all WAN users – connecting in over VPNs and the Internet to internal applications with significantly higher latency and lower bandwidth than their colleagues at headquarters. As they move around, their network conditions change, and so does their user experience. Despite that, however, it’s still IT’s job to make sure they get the tools they need to do their job. There needs to be a way to ensure a consistently high quality user experience outside the boundaries of the enterprise network, regardless of underlying network conditions and without a bulky appliance.
A Better Way: Software Acceleration Client for the Mobile Desktop
Roaming users need the optimization features of an appliance, but on their laptops. The Blue Coat SG client includes our full suite of MACH5 technology to improve the performance of applications, regardless of their proximity to the user. By combining protocol optimization, caching and bandwidth control, IT can provision applications to users previously limited by bandwidth and latency.
Further, understanding that not all remote users are employees, the SG Client comes as either a persistent client or on-demand, allowing partners, customers and occasional home users access to the same quality experience as the professional road warrior.
As with all Blue Coat SG solutions, there is no need to sacrifice control and security for performance. The SG Client offers content control, web filtering and secure SSL VPN options to ensure the privacy and security of your corporate communications. It also supports detailed user experience monitoring, to help IT quantify the quality of service they are delivering all the way to the last mile. The combined result is an application delivery solution for every user, regardless of location.

Bandwidth Management
Users and applications are classified. Guaranteed minimum or limited bandwidth per class. Classes are prioritized according to business requirements.
Sales application: priority 1, min 400Kb, max 800Kb
E-mail: priority 2, min 100Kb, max 400Kb
File services: priority 3, min 400Kb, max 800Kb
General web surfing: priority 4, min 0Kb, max 200Kb

Protocol Optimization
… for CIFS, MAPI, HTTP, HTTPS, TCP
Packet #1, request, client to server: open a file.
Packet #2, response, server to client: indicates the FileID, or an error if not found. The FID is used in subsequent packets for accessing the file.
Packet #3, request, client to server: read from a file.
Packet #4, response, server to client: returns the file data requested.
A client cannot request another read until it has received the response to the first request. Thus, large documents can require lots of round trips, causing a ping-pong effect. A protocol that behaves this way is termed a chatty protocol.

Object Caching
Object caches for: HTTP/HTTPS caching; caching of audio/video streams; CIFS caching.
Object cache advantages: faster response times; less load on servers.
Object cache disadvantages: applicable only to certain applications/protocols; applicable only to certain content of an application; all or nothing: no benefit if the object is not available or has been changed.

How Byte Caching Works
Diagram: Local LAN, WAN link, Remote LAN, with a central cache and a local cache.
Sequences are present in the local cache.
Bytes are transmitted over the WAN as tokens: [R1]0010010[R2]100101111100110100111011010011[R3]
The byte stream is reconstructed from the local cache data.
The proxy stores all transmitted bytes.
Used for WAN Link Optimization: deploy ProxySGs on both ends of a WAN link; eliminate repeated sequences of bytes sent over the WAN; drastically improve performance for bandwidth-limited applications; consistent end user response times; controlled application bandwidth requirements.
Key Benefits: completely transparent to client and server; exactly the same bytes are seen at both ends; works on any TCP connection, no protocol or application knowledge required; works with dynamic and changing data (frequently updated files, dynamic web applications); most effective data transmission acceleration.
Limitations: Byte Caching addresses bytes transferred; no server offload; no protocol optimization; no protection or control; application proxies are needed for full performance management.
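The token substitution on the slide above, as an added Python sketch (not Blue Coat's implementation): two peers keep identical chunk stores, the sender replaces chunks it has already sent with short tokens, and the receiver rebuilds the exact bytes or fails closed when a token is unknown. The fixed 32-byte chunking, the 8-byte SHA-256-derived token and the frame layout are assumptions made for the example.

```python
import hashlib

CHUNK = 32      # assumed fixed chunk size; the slide does not say how sequences are cut
TOKEN_LEN = 8   # assumed token width in bytes


def token(chunk: bytes) -> bytes:
    """Short identifier for a chunk (assumed scheme: truncated SHA-256)."""
    return hashlib.sha256(chunk).digest()[:TOKEN_LEN]


class ByteCachePeer:
    """One end of the WAN link; each proxy stores every chunk it sends or receives."""

    def __init__(self):
        self.store = {}  # token -> chunk bytes

    def encode(self, data: bytes) -> list:
        """Sender side: ('ref', token) for chunks already stored, else ('raw', chunk)."""
        frames = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            tok = token(chunk)
            if self.store.get(tok) == chunk:  # compare bytes, so a token collision goes raw
                frames.append(("ref", tok))
            else:
                self.store[tok] = chunk
                frames.append(("raw", chunk))
        return frames

    def decode(self, frames: list) -> bytes:
        """Receiver side: rebuild the exact stream; an unknown token is a hard error."""
        out = bytearray()
        for kind, payload in frames:
            if kind == "raw":
                self.store[token(payload)] = payload
                out += payload
            elif payload in self.store:
                out += self.store[payload]
            else:
                raise LookupError("token not in local cache; peers are out of sync")
        return bytes(out)


def wire_size(frames: list) -> int:
    """Bytes on the WAN: one type byte per frame plus the token or the raw chunk."""
    return sum(1 + len(payload) for _, payload in frames)


def demo():
    local, remote = ByteCachePeer(), ByteCachePeer()
    # Constructed sample: a 4096-byte "file", then the same file with 8 bytes changed.
    v1 = b"".join(hashlib.sha256(bytes([n])).digest() for n in range(128))
    v2 = v1[:1000] + b"EDITEDIT" + v1[1008:]
    first = local.encode(v1)
    assert remote.decode(first) == v1    # receiver sees exactly the same bytes
    second = local.encode(v2)
    assert remote.decode(second) == v2   # only the edited chunk travels raw
    return wire_size(first), wire_size(second)


if __name__ == "__main__":
    print(demo())
```

A receiver whose store has been lost or reset cannot resolve tokens, so the sketch raises instead of emitting wrong bytes; a deployed pair needs some way to detect that state and fall back to raw transfer.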

Compression: gzip compression
Compression eliminates “white space” from the transmitted content/object.
MACH5 uses the established gzip compression algorithm.
It compresses all traffic between two appliances.

MACH5 Working Together
Diagram: Object, Byte and gzip stages on each side of the WAN.
Bandwidth management: prioritization/QoS; limiting/allocation per user, per application; bandwidth reduction.
Protocol optimization: protocol inefficiencies; reduction of latency.
Object caching: app-level cache; most effective acceleration; optimizes bandwidth.
Byte caching: any TCP application; similar data; changed data; optimizes bandwidth.
Gzip compression: minimal transmission; optimizes bandwidth.

Proxy Architecture
Architectural Foundation for Application Delivery
Diagram layers: Technology Partner; End Point Remote Access & Web Protect; Blue Coat AV; HTTP(S), File, Exchange, Streaming, ‘Byte’; Bandwidth Control, DiffServ; Forward & Reverse Proxy; IM, Skype & P2P Control; Services; SSL Proxy; Policy: Policy Processing Engine; Proxy: Authentication, Authorization, Logging; Custom OS: SGOS™, Object-based OS with Caching.
The Blue Coat SG architecture consists of the following:
Purpose-built custom operating system (SGOS): a secure, high-performance foundation built for web objects, with caching and enterprise reliability.
Secure Proxy with integration across multiple simultaneous authentication systems, and customizable logging options: LDAP, RADIUS, NTLM, AD, 2-factor, etc. Transparent proxy implementation – no changes required to clients. Only proxy vendor to provide encrypted credentials acquisition for users and admins.
Policy Process Engine (PPE) that interprets policy to know who, what and when to control. Leverages the cache of approved or scanned content. Advises, coaches and enforces acceptable use policies.
Security Services for today’s content issues, with the ability to expand. Content Filtering on ProxySG has a lower TCO, increased performance with cached content, and granular policy controls. Web Virus Scanning on ProxySG has a 10x performance improvement and lower TCO than software-based solutions. IM Control provides enterprise granular policy control for all leading IM vendors (AIM, MSN, Yahoo!). Peer-to-Peer file sharing: blocking of traffic and client downloads. Pop-up ad blocking with the ability to accept use for enterprise applications (ex. Outlook Web Access).
Technology Partners for a best-in-class choice of leading vendors. Content Filtering with nine “on-proxy” URL lists. Virus Scanning – ProxyAV with McAfee, Kaspersky, Sophos, Ahn Lab or Panda AV engines.
Integrated purpose-built hardware appliances: performance, scalability, ease of management.
Enterprise Policy Management: policy administration (GUI or CLI), multiple appliance management Director, enterprise Reporter.

The Different “Roles” of the Proxy
Diagram labels: Internet; Customers; Partner; Employees; Forward Proxy; Reverse Proxy; Proxy/RA; Data Center Proxy/MACH5; Web; Streaming; Exchange; IM; P2P; TCP; Network File Access; Centralized Policy And Reporting.
So coming full circle – we outlined what issues have driven the development of the Application Delivery Infrastructure and what business factors are driving IT projects. Therefore, any true solution needs to be inclusive of the breadth of applications (web / file / exchange / streaming / TCP, etc.) and of the fact that the Internet is both a friend and a foe. Only Blue Coat can provide a breadth of price/performance proxy appliances that provide the key ‘application performance’ services and incorporate critical controls to assure both business and casual use is aligned with resources / policy. One vendor – one OS – one management platform – etc. (NOTE – the framework on the side shows the circle around all of the columns / rows.)

Blue Coat RA: Simple & Secure
Diagram labels: Public Internet; Internal network; Business partners & customers; Employees on home PCs and other “unmanaged devices”; Employees on IT-managed devices (PC, PDA, etc.); SSL; Information Theft Protection; Malware Protection; Information Leak Prevention; Sensitive & Confidential Corporate Information; Authorized & authenticated application requests; Web apps; E-mail server; Client-server apps; Databases & file services; Terminal services such as Citrix and others; Host Integrity Check.
Introducing Blue Coat RA [Step through animation. This slide has two builds on bottom.]
First section: RA – the next gen SSL VPN – why next gen? What’s different? Single mode of access for all Web and non-Web applications through the patent-pending Connector technology. Integrated endpoint security and information protection – not a bunch of product partnerships, but an integrated, comprehensive set of features. Finally, it’s the only on demand solution – never software to install, never requires local Admin rights, completely transient – no sticky residue left when the session expires.
[Continue build and begin to compare with IPSec and Traditional SSL VPNs] Blue Coat RA was designed to address the limitations of both IPSec and Traditional SSL VPNs.
Connectivity to Web and non-Web applications – Blue Coat RA provides access to browser-based, client-server, and other applications. Why is BC RA better? Blue Coat RA is architected differently – where Traditional SSL VPNs use HTTP reverse proxies as an engine, Blue Coat RA uses a SOCKS proxy. Why is this better? HTTP reverse proxies are at the application layer, so they have problems supporting anything but HTTP applications (and that’s why they insist on Port Forwarding and Network Extender clients…). SOCKS is a session-layer proxy that is independent of the application and protocol – it supports them all without having to know anything about them!
Endpoint Security / Info Protection [Step through animation]
Host integrity checks – check OS patches, AV updates, etc. before allowing the device to connect.
Anti-malware – protect against malicious programs on the endpoint.
Info Theft Prevention – proactive protection against spyware and other info thieves.
Info Leak Prevention – prevent inadvertent information leaks – “user error” leaks.
The completeness of this feature set is unmatched in the industry. All of the other vendors make bold promises, but they always require third party products, and combined they can’t offer the features that RA provides. These features are one of the main reasons people get interested in RA – nothing comes close.
Support for Unmanaged Endpoints – RA is a great fit for unmanaged endpoints. Not only because of the endpoint security and info protection features, but because RA never requires Admin rights or software installation. It leverages its Connector technology, which is its single access mode for all applications. This makes it a great fit for unmanaged endpoints, such as the home PC of an employee.
Blue Coat RA – next-generation SSL VPN. Single access for Web & non-Web applications. Integrated endpoint security & information protection. No client software, no local admin rights.

Blue Coat RA (SSL VPN)
“On demand” connectivity; Web and non-Web applications; no admin rights/reboots; leak detector; live demo!
Diagram layers: Applications; System Calls; Blue Coat RA Connector (Browser Security, Malware Protection, Host Integrity, TBA, Information Controls, RA Services, SSL Connectivity); Operating System.
One of the main differentiators is the RA Connector, which utilizes patent-pending Connector technology.
What is it? It is an on demand agent that is pushed down to the endpoint when access to an application is required. It is binary executable code pushed down via Java or ActiveX. When a user is logged in, an icon (padlock with blue rings) is seen in the user’s system tray.
How does it work? When a user requests access, the Connector is dynamically pushed down and inserted between the applications and the operating system. By being between the applications and the OS, it can intercept targeted network and system requests. For example, when the user’s Outlook client queries the Exchange server, the Connector can intercept it.
What does it do? The first thing it does is provide connectivity using SOCKS. When it intercepts network requests, it wraps them in SOCKS, encrypts them in SSL and then reroutes them to the RA server, where the packets are decrypted, “unwrapped” and authenticated. Then the packets are proxied and sent on to their targeted resources, such as an Exchange server. The second thing it does is provide the various security services, such as malware protection and host integrity checks.
This connectivity and these security services are all provided on demand. It is RA’s single access mode – it’s all you’ll ever need. It’s entirely on demand – no Admin rights are required, no reboot is necessary, and it’s completely transient – nothing is left behind when the user logs out. Finally, the Connector is extensible to other services. As Blue Coat adds new services, they will be downloaded through the Connector.
This is really the “secret sauce” of Blue Coat RA, which delivers the “clientless” VPN that other vendors only claim to have.

Integrated Endpoint Security
Host Integrity Check: checks of AV updates, OS patches and firewall settings; custom checks; graduated access control.
Malware Protection: EXE signature checks; program black/white lists; watch lists with cryptographic checksums.
Information Theft Protection: keylogger detection/suppression; framegrabber detection/suppression; initial and ongoing scans.
Information Leak Prevention: browser cache / temp file real-time encryption and deletion; auto session termination; auto session clean up (cookies, etc.); info controls (save, print, etc.).
[Click through one at a time] For endpoint security, RA provides four unique sets of features. And, again, these features are all integrated. There are no third party products to license and deploy.
Host Integrity Checks – this allows you to check the integrity of the connecting device before allowing access. It can look for AV updates, OS patches or personal firewall settings. And it’s customizable, so you can develop your own checks, such as looking for the existence of a certain file. Finally, access can be managed based on the results of the check.
Malware Protection – controls which applications the user can access (white list) or can’t access (black list) and also prevents unauthorized or known bad programs from hijacking the VPN session. It checks all EXE signatures and has black and white lists for managing which programs have access to the VPN tunnel and which are completely forbidden (such as a peer-to-peer application). Also, it has watch lists to identify specific programs that cannot access the VPN tunnel.
Information Theft Protection – features to scan for and suppress keyloggers and framegrabbers that may be stealing user credentials and sensitive information. RA is the only solution to provide a pre-authentication scan for keyloggers and framegrabbers. If any suspicious processes are identified, RA can temporarily suppress them for the duration of the user’s session. It doesn’t kill any processes or make any changes, it simply “hides” the user’s session from the keyloggers and framegrabbers. This is highly unique to RA.
Information Leak Prevention – these are browser security features that protect against “user error” – that is, features that protect the user from accidentally leaking information. They include information controls, which allow the administrator to define what a user can do with the information that is downloaded – for example, a person may not be allowed to save a document downloaded from Web mail when on an unmanaged device, like the employee’s home PC. Also, RA provides real-time cache and temp file encryption and complete session shredding (to DoD specifications).
Finally, these features are all integrated and are managed through one admin console and, of course, it’s one price for everything.

Key Blue Coat RA Features
Delivering Secure Connectivity
Step 1: Spyware Blocking. Step 2: Host Integrity Checks. Step 3: Malware Protection. Step 4: Browser Protection. Step 5: Information Usage Control. Step 6: Connector Clean Up.
Step 1 – patent-pending preauthentication scan for, and blocking of, framegrabbers and keyloggers.
Step 2 – before granting any access, verify the security posture of the endpoint (antivirus, firewall, registry settings). HIC is used not to allow or block the user from logging in, but for granular per-resource security checks.
Step 3 – Application Watchlist and Application Validation (MD5 checksums) ensure that only specifically allowed applications are granted access.
Step 4 – encrypt all browser cache and application temp files in real time.
Step 5 – ability to enable the Security Administrator to specify what a user’s managed and unmanaged device can do with the corporate information, ex. cutting, pasting, printing, etc.
Step 6 – once the session is terminated by the end user, all traces are completely removed from the end user’s system using DOD-spec file wiping.

For the User…
User starts and logs in to the portal.
Connector downloads the security services.
Scan and suppression of malware.
Host Integrity Checks.
User is authenticated. Screen message: “System Secure. You may log in.”
Connector completes the download.
User starts desktop applications.
User logs out, session ends.
Session “traces” are deleted automatically.
[Step through process] Some notes:
RA can integrate with an existing corporate portal or provide one.
The Connector is around 500kb – which is negligible on a broadband connection, but can take some time on dial up.
Spyware scan and suppression is unique to RA – no one else can do this. (Many people can scan, but no one else can suppress them temporarily.)
RA supports a wide array of authentication schemes (AD, RADIUS, SecurID, etc.).
User can launch applications from a portal OR from their native desktop (like they do in the office or on an IPSec VPN).
When the user logs out or is timed out, a complete session clean up occurs – cache and temp files erased, all history information removed, etc.

Appliance Overview
Corporate Headquarters and Remote Offices. Series shown: SG8100, SG810, SG510, SG200, RA/AV810, RA/AV510.
Blue Coat provides you a range of appliances to support smaller branch offices on up to the largest enterprise implementations.
Performance tiers, from smallest to largest:
Connected users: up to 250 users; 150 – 1000 users; 800 – 4000 users; 3000 – 50,000+ users.
WAN throughput: up to 20 Mbps; 30 – 50 Mbps; 100 Mbps – 140 Mbps; 200 Mbps – 400+ Mbps.

URL Filtering for the Home
www.getk9.com