
CAP LEVEL2 CERTIFICATION

FOR PARTNER SE

SECURE WEB GATEWAY

Copyright © 2015 Blue Coat Systems Inc. All Rights Reserved.
SECURE WEB GATEWAY - AGENDA

1 Introduction

2 Key Features

3 ProxySG Product Line

INTRODUCTION

WHY A SECURE WEB GATEWAY?

OLD WORLD: SECURING THE NETWORK
• Single device
• Owned by IT
• Office-based users on a private WAN controlled by IT
• Enterprise apps sanctioned by IT

NEW WORLD: EMPOWERING THE USER
• Multiple devices
• Owned by the employee
• Always-on remote & mobile workers, public access
• Enterprise app store & consumer-style apps mandated by users

INDUSTRY DEFINITIONS

Secure Web Gateway (SWG): purpose-built anti-malware, URL categorization, web app control or policy enforcement appliances

Next-Generation Firewall (NGFW): firewall with integrated IPS and extra-firewall intelligence

Unified Threat Management (UTM): "SMB firewall", an all-in-one network security appliance for Internet connectivity used by midsize businesses

Intrusion Prevention System (IPS): deployed inline for inspecting and blocking attacks that use known vulnerabilities or unusual activity

WHAT IS NOT A SECURE WEB GATEWAY?

                      Secure Web Gateway               NGFW / UTM / IPS
Architecture          Full proxy                       Deep packet inspection
URL filtering         Real-time ratings                Static URL database
Malware detection     Multiple advanced technologies   Signature-based
Deployment options    On-premise, SaaS & hybrid        On-premise only
SSL interception      Available                        Not available, or performance affected
KEY FEATURES

PROXYSG IN A NUTSHELL

SGOS - Object-based micro kernel

Acceleration and Optimization

Multi Protocol Interception

Advanced authentication

SSL Interception

Real-time Content Filtering and Anti-malware

Mobility

Reporting

GARTNER MAGIC QUADRANT 2014 FOR
SECURE WEB GATEWAYS

“The ProxySG is the strongest proxy in the market in terms of breadth of protocols and the number of advanced features. It supports a broad set of protocols as well as extensive authentication and directory integration options.”

http://www.gartner.com/technology/reprints.do?id=1-1VS13FU&ct=140624&st=sb
Deployment

SCENARIOS

 Physical method
• Inline
• Virtually inline (WCCP / L4 switch)
• Out of path

 Client connection
• Explicit proxy
• Transparent proxy

 Proxy role
• Forward proxy
• Reverse proxy

HIGH AVAILABILITY

 Active – Passive with Parallel Failover
(Diagram: one failover group; the master holds the VIP, the slave takes it over on failure)

 Active – Passive with Serial Failover
(Diagram: master (VIP) and slave chained in series within one failover group)

HA WITH WCCP/L4

(Diagram: WCCP / L4 switch distributing client traffic across a WCCP group of ProxySG appliances)

HA WITH PAC FILE

Two ProxySG appliances (10.1.1.1 and 10.1.1.2) listed in a PAC file; the browser uses the first and fails over to the second when it cannot connect:

function FindProxyForURL(url, host)
{
    // Ordered list: the first proxy is preferred, the second is used on failure
    return "PROXY 10.1.1.1:8080; PROXY 10.1.1.2:8080";
}
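A fuller PAC file, added here as an example and not taken from the Blue Coat deck: it keeps the same two-proxy failover list, sends unqualified names, RFC 1918 addresses and an internal domain direct, and deliberately has no trailing DIRECT so the policy fails closed when both appliances are down. The helper names and the domain corp.example are assumptions; the private-address check is written by hand instead of with isInNet() because isInNet() resolves non-IP hostnames through DNS. ES5 syntax only, because browser PAC engines are often older than Node.

```javascript
// Added example (not from the Blue Coat deck): PAC file with ProxySG failover
// and a fail-closed policy. The proxy addresses 10.1.1.1/10.1.1.2 and the
// internal domain corp.example are assumptions; adjust them for your network.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number; null if not one.
function pacIpv4ToInt(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an RFC 1918 address (10/8, 172.16/12, 192.168/16).
// Pure arithmetic on the literal, so no DNS lookup is ever triggered.
function pacIsRfc1918(host) {
  var ip = pacIpv4ToInt(host);
  if (ip === null) return false;
  return (ip >>> 24) === 10 ||
         (ip >>> 20) === 0xac1 ||   // 172.16.0.0 - 172.31.255.255
         (ip >>> 16) === 0xc0a8;    // 192.168.0.0/16
}

// True when host is the (assumed) internal domain or one of its subdomains.
function pacInCorpDomain(host) {
  var h = host.toLowerCase(), suffix = ".corp.example";
  return h === "corp.example" ||
         (h.length > suffix.length && h.slice(-suffix.length) === suffix);
}

function FindProxyForURL(url, host) {
  // Unqualified names, private addresses and the internal domain stay inside
  // the network and go DIRECT.
  if (host.indexOf(".") === -1 || pacIsRfc1918(host) || pacInCorpDomain(host)) {
    return "DIRECT";
  }
  // Everything else must traverse a ProxySG. The browser tries 10.1.1.1 first
  // and moves to 10.1.1.2 only when it cannot connect. There is deliberately
  // no trailing "; DIRECT": if both appliances are down, requests fail closed
  // instead of silently bypassing filtering and logging.
  return "PROXY 10.1.1.1:8080; PROXY 10.1.1.2:8080";
}
```

Serve the file from a web server and point browsers at it through the proxy auto-config URL or WPAD. Appending "; DIRECT" as a last resort is tempting for availability, but it turns every proxy outage into an unlogged filtering bypass; if fail-open is required, make it an explicit, monitored decision rather than a default.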

Content Filtering,
Application Control and
Malware Defense

WEBPULSE WORKFLOW

1. Client makes a request to ProxySG.
2. ProxySG checks the request against the local WebFilter database.
3. If the URL is not found locally, ProxySG queries WebPulse.
4. WebPulse performs background analysis of the site if needed.
5. WebPulse returns a real-time categorization to ProxySG.
6. ProxySG runs policy processing on the result.
7. Allow? No: ProxySG returns an exception page to the client. Yes: the OCS (origin content server) serves the content to ProxySG and on to the client.
MULTI DIMENSION CATEGORY

Blue Coat supports up to 4 categories for a given site:
• Flexible security policy based on multiple categories
• Accurate policy enforcement from an accurate URL description
(Diagram categories: Society/Living, Entertainment, Shopping, Sports, Economy, Social Networking, Intimate Apparel, Gambling, Adult Content, Objectionable)

Traditional security relies on only 1 category for a given site:
 Requires you to pick the one category that best describes a site
 Multiple one-off policies required to manage the various use scenarios

FILTERING FILE TYPES

 ProxySG can detect file types by inspecting:


• File name extension
• HTTP content type
• Apparent data type
 Use policy to make decision to allow or deny
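As an added example (not ProxySG code), the following Node.js snippet applies the three checks the slide lists to constructed sample responses and shows why the apparent data type matters: a PE executable served as photo.jpg with an image/jpeg header passes the extension and Content-Type checks and is caught only by its MZ magic bytes. The signature tables, the policy and the sample responses are all constructed for illustration.

```javascript
// Added example, not ProxySG code: classify a response by file extension,
// declared Content-Type and apparent data type (magic bytes), then apply a
// simple policy. Tables and sample responses below are constructed.

// Leading-byte signatures for types a web gateway commonly cares about.
var MAGIC = [
  { type: "exe",  bytes: [0x4d, 0x5a] },               // "MZ": DOS/PE executable
  { type: "elf",  bytes: [0x7f, 0x45, 0x4c, 0x46] },   // "\x7fELF"
  { type: "pdf",  bytes: [0x25, 0x50, 0x44, 0x46] },   // "%PDF"
  { type: "zip",  bytes: [0x50, 0x4b, 0x03, 0x04] },   // "PK\3\4": zip, docx, jar, apk
  { type: "png",  bytes: [0x89, 0x50, 0x4e, 0x47] },   // "\x89PNG"
  { type: "jpeg", bytes: [0xff, 0xd8, 0xff] }
];

// Coarse type names for the other two signals, so all three are comparable.
var EXT_MAP = { exe: "exe", dll: "exe", pdf: "pdf", zip: "zip", docx: "zip",
                jar: "zip", png: "png", jpg: "jpeg", jpeg: "jpeg" };
var CONTENT_TYPE_MAP = {
  "application/x-msdownload": "exe", "application/pdf": "pdf",
  "application/zip": "zip", "image/png": "png", "image/jpeg": "jpeg"
  // application/octet-stream is deliberately absent: it says nothing about the type
};
var EXECUTABLE = { exe: true, elf: true };

// Apparent data type: match the first bytes of the body against MAGIC.
function apparentDataType(body) {
  for (var i = 0; i < MAGIC.length; i++) {
    var sig = MAGIC[i].bytes;
    var match = body.length >= sig.length;
    for (var j = 0; match && j < sig.length; j++) {
      if (body[j] !== sig[j]) match = false;
    }
    if (match) return MAGIC[i].type;
  }
  return "unknown";
}

// Type implied by the URL's file name extension (query and fragment ignored).
function typeFromExtension(url) {
  var path = url.split(/[?#]/)[0];
  var name = path.substring(path.lastIndexOf("/") + 1);
  var dot = name.lastIndexOf(".");
  if (dot < 0) return "unknown";
  var ext = name.substring(dot + 1).toLowerCase();
  return EXT_MAP.hasOwnProperty(ext) ? EXT_MAP[ext] : "unknown";
}

// Type declared by the server in the Content-Type header (parameters dropped).
function typeFromContentType(header) {
  if (!header) return "unknown";
  var mime = header.split(";")[0].trim().toLowerCase();
  return CONTENT_TYPE_MAP.hasOwnProperty(mime) ? CONTENT_TYPE_MAP[mime] : "unknown";
}

// Policy: deny if any signal says "executable"; flag disagreement between
// the known signals as suspicious; otherwise allow.
function classifyResponse(resp) {
  var ext = typeFromExtension(resp.url);
  var declared = typeFromContentType(resp.contentType);
  var apparent = apparentDataType(resp.body);
  var verdict;
  if (EXECUTABLE[apparent] || EXECUTABLE[declared] || EXECUTABLE[ext]) {
    verdict = "deny";
  } else {
    var known = [ext, declared, apparent].filter(function (t) { return t !== "unknown"; });
    var agree = known.every(function (t) { return t === known[0]; });
    verdict = agree ? "allow" : "suspicious";
  }
  return { url: resp.url, extension: ext, contentType: declared, apparent: apparent, verdict: verdict };
}

// Turn a binary string into an array of byte values.
function bytes(s) {
  var out = [];
  for (var i = 0; i < s.length; i++) out.push(s.charCodeAt(i) & 0xff);
  return out;
}

// Constructed sample responses (not captured traffic).
var SAMPLE_RESPONSES = [
  { url: "https://cdn.example/img/photo.jpg", contentType: "image/jpeg",
    body: bytes("MZ\x90\x00\x03\x00\x00\x00") },              // renamed PE file
  { url: "https://files.example/report.pdf", contentType: "application/pdf",
    body: bytes("%PDF-1.7\n") },                              // honest PDF
  { url: "https://mirror.example/update.bin", contentType: "application/octet-stream",
    body: bytes("\x7fELF\x02\x01\x01") },                      // Linux binary, no hint in name or header
  { url: "https://mail.example/invoice.pdf?dl=1", contentType: "application/zip",
    body: bytes("PK\x03\x04") }                                // zip dressed up as a PDF
];

function classifyAll(responses) {
  return responses.map(classifyResponse);
}

classifyAll(SAMPLE_RESPONSES).forEach(function (r) {
  console.log(r.verdict + "\t" + r.apparent + "\t" + r.url);
});
```

The three signals are cheap, but only the apparent data type is under the gateway's control rather than the server's; extension and Content-Type are attacker-chosen, so a policy that trusts either alone will let a renamed executable through.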

GRANULAR APPLICATION CONTROL

 Apps are no longer limited to a single primary feature
 An on/off approach cannot support high productivity
 Granular operation control
(Operations shown in the diagram: Post Message, Upload Pictures, Upload Videos, Send Message, Download Attachment, Upload Attachment, Login, Manage Profile, Upload Files)
YOUTUBE CATEGORIZATION

 Benefit:
• Allows granular policy around YouTube
• Ability to allow some YouTube content while
blocking other content
 Feature:
• Policy can now be set around 32 content filtering
categories for YouTube
• No license requirements

MEDIA STREAMING ON PROXYSG

 The ProxySG streaming media proxies allow you to monitor, control, limit or even block streaming media traffic on your network
 Supported streaming media clients:
• Adobe Flash*
• HTTP-based
• Windows Media
• Real Media
• QuickTime
 Acceleration features:
• Live splitting
• Video-on-demand caching
• Content pre-population
* License required
Authentication

WHY AUTHENTICATE ON THE PROXYSG

 Most admins want to identify users and what they are accessing
 Policy can be written based on users or groups
 Logging shows who accessed content, not only the source IP address
 Often a mandatory feature for legal compliance
 ProxySG still works without authentication

SCALABILITY

 By default each TCP connection has to be authenticated
 To scale, ProxySG can cache the authentication result as a surrogate credential per connection, per IP or per cookie
• IP surrogate
– Does not work behind NAT or on a terminal server, where many users share one address
– A source IP can be spoofed
• Cookie surrogate
– Only valid for HTTP and HTTPS
– Only for browsers, not for mobile devices or other non-browser clients
– Depends on the client's cookie policy

PROXYSG AUTHENTICATION ARCHITECTURE

AUTHENTICATION METHODS

 A realm defines the directory of usernames and passwords against which credentials are verified
 A realm can contain multiple authentication servers
 Authentication is triggered per policy
 Sequential authentication: realms are tried in order until one succeeds
 Common realm types
• Local
– Credentials stored on the ProxySG, no external server
• IWA
– Basic, NTLM and Kerberos
• LDAP

AD CONNECTION METHODS

SSL Interception

THE INVISIBLE THREATS

Threats we can’t see…

30-40% of Traffic is Encrypted


80% of APTs operate over SSL

THE PERFORMANCE PROBLEM

Source: NSS Labs report "SSL Performance Problems"
(https://www.nsslabs.com/sites/default/files/public-report/files/SSL%20Performance%20Problems.pdf)
SSL ON PROXYSG

 Encrypted sessions can be decrypted, which enables:
• Server certificate validation (defends against phishing and spoofed sites)
• Application control
• Malware scanning
 Selective interception (by user, category, …)
 Non-HTTPS traffic inside SSL sessions can be detected:
• Instant messaging
• Some peer-to-peer traffic
 Decrypted content can be cached
 HTTPS interception can also be enabled only "on exception", i.e. a session is intercepted just far enough to serve a block page

MESSAGE FLOW

 ProxySG functions as both SSL client (towards the server) and SSL server (towards the client)

1. Client sends its SSL ClientHello to ProxySG
2. ProxySG sends its own ClientHello to the server
3. Server sends its certificate to ProxySG, which can validate it (chain, validity period, hostname) on the client's behalf
4. ProxySG generates a certificate for the requested hostname, signed by its own issuing CA, and sends it to the client

 Caveat: clients must trust the ProxySG issuing CA (distribute it to the device trust store), otherwise every intercepted site raises a certificate warning; applications that pin their server certificate will fail when intercepted and need to be excluded from interception

ENCRYPTED TAP

Output decrypted traffic for additional security integration:
• Logging
• Forensics
• IDS/IPS
• APT scanners

(Diagram: Client —SSL session 1— ProxySG —SSL session 2— Server; the Encrypted Tap on ProxySG copies the decrypted stream to the tools above)

* License required
Reporting

BLUE COAT REPORTER

 Flexible and customizable reports


 Activity overview
 Video usage
 Malware reporting
 Web application controls
 Search engine
 Role based
 Appliance and cloud integration

ACTIVITY OVERVIEW

CREATE AND ORGANIZE REPORTS

MALWARE / RISK GROUP REPORTING

VIDEO USAGE REPORTING

WEB APPLICATION CONTROLS

SEARCH ENGINE KEYWORD REPORT

 Web Searches
• Supports Google, Yahoo, Bing, Baidu, AltaVista
• Reports on searched terms
• View by user, group, site, etc.

ROLE-BASED REPORTING

Reporter integrates with AD/LDAP for role-based access:
• Administrators: custom dashboards, standard/custom reports, drill-down analysis, report scheduling, online/PDF/CSV output, email delivery
• Managers: reports on self & direct reports
• Users: individual reporting
Thousands of Reporter users, up to 50 concurrent logins

PROXYSG - ADDITIONAL FEATURES

 Caching and optimization
 Bandwidth management (by user, category, application, …)
 Interception and authentication of smartphones and tablets
 DDoS protection
• Connection limit per IP/subnet
• Request limit per IP/subnet
• Server request limit
 Web Application Reverse Proxy
• Accelerates web content
• Protects web servers

Web Application Reverse Proxy
(WARP)

WEB APPLICATION REVERSE PROXY

PROTECTS web servers:
• Secure, object-based OS
• Controls access to web apps
• Web AV scanning

ACCELERATES web content:
• Intelligent caching
• Compression and bandwidth management
• SSL offload

(Diagram: public Internet users → firewall → ProxySG reverse proxy → firewall → web servers on the internal network)

ACCELERATES WEB CONTENT

 Object caching
 Server load balancing
 SSL offloading
 Bandwidth management
• Divide traffic into classes, by user, application, operation, content,
transaction, application protocol, etc.
• Guarantee priority and min and/or max bandwidth for a class
 Streaming optimization
• Live stream splitting
• Cache “Video on demand”

BLUE COAT PROTECTION LAYERS

PERIMETER PROTECTION

 Blue Coat WARP isolates protected servers and applications from the Internet
 ProxySG terminates each HTTP and HTTPS user session and receives the content requests, so clients never connect to the origin server directly
 Features a purpose-built, secure operating system (SGOS)
 Dual-stack reverse proxy for IPv4 and IPv6

WEB ACCESS SECURITY – CONTROL

 Strong User Authentication


• SAML
• Digital Certificates
• LDAP
• RADIUS
• NTLM/Kerberos
 Access control policies:
• User/Groups
• Time of the Day
• Source Country (Client GeoIP)
• User-Agent
• Effective user IP
• Protocol method (POST, GET, HEAD, etc.)
• Requested hostname or URL (regex match)
• Standard and custom HTTP headers

WEB ACCESS SECURITY – GEO
LOCATION

Geo location
• For regulatory and other reasons, customers get visibility and control over traffic based on the country their network traffic is coming from
• Policy conditions are available to identify the country based on the client IP address of traffic going through the ProxySG

WEB APPLICATION LEVEL PROTECTIONS

 Application Protection Feed:
• SQL injection protection
• Null byte detection
• Multipart form validation
• HTTP parameter pollution detection
 XSS attack protection
 Session authentication security (cookie signing), thwarting session hijacking and CSRF (cross-site request forgery) attacks
 Normalization (canonicalization): recognize and thwart evasion techniques
 HTTP and HTTPS request body parsing: attack signatures include both header and body details to uniquely identify an attack

Product Line

BLUE COAT PROXYSG PRODUCT LINE

Models, from remote & branch office up to regional & data center deployments: ProxySG VA, ProxySG 300, ProxySG S200, ProxySG 900, ProxySG S400, ProxySG 9000, ProxySG S500

MODELS PRODUCT LINE

Series   Max Internet bandwidth (Mbps)   Models (smallest to largest)
VA       100                             SWG-V100
300      6 - 10                          300-5 => 300-10 => 300-25
900      60 - 500                        900-10 => 900-20 => 900-30 => 900-45 => 900-55
9000     250 - 622                       9000-20 => 9000-30 => 9000-40
S200     10 - 100                        S200-10 => S200-20 => S200-30 => S200-40
S400     100 - 500                       S400-20 => S400-30 => S400-40
S500     500 - 1000                      S500-10 => S500-20

Sizing and licensing

SIZING INFORMATION

 Primary calculations and considerations for selecting the correct Blue Coat proxy:
• Internet bandwidth consumed
• Number of users (concurrent connections)
 Other factors to consider:
• SSL traffic (decryption adds CPU load)
• ICAP server (external scanning adds latency and load)

SIZING GUIDE

 Forward proxy sizing assumes 70% peak CPU load with:
• Complex policies
• 15% SSL
• ICAP
• Content filtering
• Logging
• Limited streaming content
 Max Internet Bandwidth: maximum client-side throughput for the ProxySG
 Employee Count: the total number of employees that use the system

LICENSING - APPLIANCE

 Appliance base license


• Perpetual license
• Unique per appliance serial number
 WebFilter license
• Subscription license for 1 or 3 years
• One license per user
 Flash license (optional)
• Perpetual license
• Unique per appliance model
 eTAP license (optional)
• Perpetual license
• Unique per appliance model
LICENSING – VIRTUAL APPLIANCE

 Base license
• Subscription license for 1 or 3 years
• One license per user
• WebFilter license already included
 Flash license (optional)
• Subscription license for 1 or 3 years
 eTAP license (optional)
• Subscription license for 1 or 3 years

SECURE WEB GATEWAY QUALIFICATION

 Any medium to large enterprise connected to the Internet that allows its users to access Internet content and has productivity and security concerns
 Requirement for user authentication integrated with corporate directories
 Requirement for flexible content control policies
 Requirement for content security policies
 Requirement for HTTPS interception
 Requirement for content control and security of iOS and Android devices
 Requirement for a powerful reporting system on their users' Internet activity

PROXY / SWG: PARTNER RESOURCES

 At-a-Glance
 Playbooks
 Battlecards
 Deployment Guides
 Reference architectures
 Solution Guides
https://partners.bluecoat.com/sales/tools
https://partners.bluecoat.com/solutions/security-and-policy-enforcement-center

 And of course your Blue Coat SE Team


