Download presentation
Presentation is loading. Please wait.
1
Roger Gotthardsson Sr. Systems Engineer roger@bluecoat.com
Blue Coat Systems Roger Gotthardsson Sr. Systems Engineer
2
Agenda Company Corporate data Solutions Client Proxy Solution
Blue Coat Webfilter SSL Proxy Reverse Proxy MACH5 Products ProxySG, ProxyAV, Director, Reporter K9, - Blue Coat Webfilter at home for free
3
Company
4
Integrated Solution for Acceleration & Security
About Blue Coat Innovative leader in secure content & application delivery 500+ employees; $146M annual revenue run rate 25,000+ appliances shipped worldwide to more than 4,000 customers #1 (37%) market leader in Secure Content & Application Delivery (IDC) Founded in 1996 with a focus on Acceleration Accelerating Web applications…making Internet applications faster Innovative proxy caching appliance with object pipelining, adaptive content refresh Expanded in 2002 to include Policy Control & Security Rich policy framework integrated with performance engine for visibility and control of users, content and applications Visibility: Who, what, where, when, how Control: accelerate, deny, limit, scan, strip, transform… Performance… then Security… #1 Proxy Appliance Vendor – 37% Market share Customer Stories Growing rapidly Integrated Solution for Acceleration & Security
5
Integrated Solution for Acceleration & Security
About Blue Coat Strategic Investments March 1996 Scalable Software (HTTP and OS Kernel) September 1999 Invertex (SSL Hardware Encryption) June 2000 Springbank Networks (Hardware Design and Routing Protocols) December 2000 Entera (Streaming and Content Distribution) November 2003 Ositis (Virus scanning appliance) 2004 – Cerberian (Content filtering) 2006 – Permeo Technologies (SSL VPN & client security) Performance… then Security… #1 Proxy Appliance Vendor – 37% Market share Customer Stories Growing rapidly Integrated Solution for Acceleration & Security
6
Client Proxy Solution
7
Protocol optimization
Client Proxy Byte Caching Protocol detection Logging BW management Authentication Policy Internet Clients Caching Antivirus Protocol optimization URL-Filtering Compression
8
Application proxy ? .mp3 .xxx Internet Streaming AOL-IM Yahoo-IM
HTTP & HTTPS FTP MSN-IM Internet MAPI .mp3 .xxx ? gral.se CIFS P2P Telnet/Shell DNS TCP-Tunnel SOCKS
9
How We Secure the Web Intranet Web Server Public Web Server
Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password.
10
Authentication Internet AD Directory Directory Directory Directory
NT, W2000 or W2003 DC RADIUS Server Netegrity SiteMinder Policy Substitution AD Directory Directory Directory Clients Internet LDAP Client Certifficate On box Database Oblix Directory X509/CA List Directory
11
How We Secure the Web Intranet Web Server Public Web Server
Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy
12
How We Secure the Web Intranet Web Server
Public Web Server Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy
13
Content Filtering Organizations need to control what users are doing when accessing the internet to protect from legal liability and productivity risks Blue Coat and our partners enable enterprise-class content filtering Powerful granular user control using Blue Coat’s Policy Processing Engine By user, group, destination IP and/or URL, time of day, site, category, lots more Multiple logging and reporting options Integrates with all authentication (LDAP, RADIUS, NTLM, AD, 2-factor, etc) Coaching, warnings, etc. High performance with integrated caching Drop-in appliance for easy to deploy and manage De-facto industry content filtering platform Content filtering, on the other hand, is about controlling what types of web sites users can access, preventing them from accessing inappropriate content. For example, content security would enable you to turn off access to all JPEGs, thereby breaking many web pages, whereas content filtering would prevent users from accessing sites that host JPEGs that are inappropriate for a work environment, such as sports related sites.
14
Content filtering databases
Digital Arts InterSafe Optenet IWF WebWasher Proventia Smartfilter Websense SurfControl Clients Internet BlueCoat webfilter Your lists exceptions DRTR
15
How We Secure the Web Intranet Web Server
Public Web Server Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting.
16
HTTP Compression ProxySG can support a mixed mode of HTTP compression operation Original Content Server (OCS) or Core ProxySG can send either (de)compressed content to edge or core ProxySG using GZIP or Deflate algorithms compressed Core ProxySG uncompressed Edge ProxySG compressed uncompressed compressed uncompressed Remote Office HQ Office compressed uncompressed compressed uncompressed ProxySG Enterprise Internet
17
Bandwidth Management (BWM)
OBJECTIVE Classify, control and limit the amount of bandwidth used by a class of network traffic BENEFITS Protect performance of mission critical applications SAP, ERP apps Prevent bandwidth greedy applications from impacting other applications P2P Provision bandwidth for applications that require a per-session amount of bandwidth Streaming Balance necessary and important, bandwidth intensive, applications HTTP, IM
18
How We Secure the Web Intranet Web Server
Public Web Server Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network via HTTP, HTTPS and FTP is stripped or scanned by ProxyAV.
19
Virus, Code & Script scanning
Other ICAP servers Clients Internet Sophos McAfee ProxyAV Kaspersky Panda
20
ProxyAV Purpose-built appliances for speed
ProxySG & ProxyAV Large Enterprise/Network Core Scan once, serve many (cache benefit) Internet Internal Network ProxyAV ProxySG Virus Scans HTTP, FTP with caching benefit ProxySG Load Balances Purpose-built appliances for speed “Scan once, serve many” to increase performance High-availability & load-balancing Purpose built operating systems
21
How We Secure the Web Intranet Web Server
Public Web Server Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure.
22
BlueCoat Spyware Prevention Solution
Stops spyware installations Detect drive-by installers Blocks spyware websites On-Proxy URL categorization Scans for spyware signatures High-performance Web AV Detects suspect systems Forward to cleansing agent Internet Internal Network ProxyAV ProxySG Blue Coat Gateway Anti-Spyware blocks spyware installations ProxySG™ appliances provide policy controls that inspect, filter and block Web content associated with Spyware installation software and masked Web sites used to phish users. Blue Coat Gateway Anti-Spyware scans for spyware signatures High-performance ProxyAV™ Web anti-virus appliance scans Web traffic for known spyware signatures using proven third party anti-virus scanning engines. The ProxyAV is the only solution capable of virus scanning Web traffic with low latency, leveraging cache intelligence logic to optimize performance. Blue Coat Gateway Anti-Spyware prevents spyware communications Blue Coat blocks client communications to known spyware and adware sources. Reporting features combined with on-proxy URL filtering identify Spyware “calling home” activity on the network. Communication attempting to reach a spyware domain is immediately terminated by Blue Coat’s ProxySG. The ProxySG supports five leading on-proxy URL filtering databases, plus custom categories, overrides and exceptions to advise, coach and enforce users. Blue Coat Gateway Anti-Spyware targets spyware infected systems for cleansing Blue Coat’s custom logging and reporting features enable administrators to target suspect systems and trigger spyware clean-up. Blue Coat will interoperate with InterMute’s SpySubtract solution for targeted cleansing and removal of spyware agents from desktops.
23
How We Secure the Web Intranet Web Server
Public Web Server Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure. IM Traffic Control: IM traffic is subjected to policies and is logged
24
IM Control with Blue Coat ProxySG
Granular IM policy control By enterprise, group or user level Control by IM feature (IM only, chat, attachments, video, etc.), internal or external IM, time of day, etc. Control IM options include deny connection, strip attachment, log chat (including attachment) Key word actions include send alert to IT or manager, log, strip, send warning message to user Drop-in appliance for easy to deploy and manage IM control Content filtering, on the other hand, is about controlling what types of web sites users can access, preventing them from accessing inappropriate content. For example, content security would enable you to turn off access to all JPEGs, thereby breaking many web pages, whereas content filtering would prevent users from accessing sites that host JPEGs that are inappropriate for a work environment, such as sports related sites.
25
How We Secure the Web
Intranet Web Server Public Web Server Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure. IM Traffic Control: IM traffic is subjected to policies and is logged Caching: Acceptable, clean content is stored in cache and delivered to requestor.
26
Streaming acceleration
Microsoft Streaming & Native RTSP Live Stream split, VOD Stream cache Rich Streaming features, Unicast-Multicast Scheduling live streaming from VOD Enhancements Store, Cache & distribute Video On Demand Schedule VOD content to be played as Live Content Convert between Multicast-Unicast Authenticate Streaming users To NTLM, Ldap, RADIUS+Onbox
27
How We Secure the Web
Intranet Web Server Public Web Server Internal Network Public Internet AAA: User logs onto network and is authenticated via NTLM, AD (Single-Sign-on), LDAP, Radius, Forms, local password. Policy Processing Engine: All user web application requests are subjected to granular security policy Content Filtering: Requests for content are controlled using content filtering based on granular policy Bandwidth management: Compression, Bandwidth management and Streaming media Caching and Splitting. Web Virus scanning: Potentially harmful content entering network from web is stripped or scanned by ProxyAV. Spyware: Prevention is better than a cure. IM Traffic Control: IM traffic is subjected to policies and is logged Caching: Acceptable, clean content is stored in cache and delivered to requestor. Reporting: All browser, streaming, IM & virus activity, can be reported using Bluecoat's highly configurable reporter.
28
Reporter
29
Blue Coat Webfilter
30
The Internet The internet today consists of 350 million webservers.
A large ammount of these conatain information you don’t want in your organisation. A cleaver solution would be to use Content Filtering. BlueCoat now introduces Generation 3 of content filtering, BlueCoat Webfilter. 350 Million
31
Generation 1 The first generation of content filters consisted of
static manually managed lists of popular pornographic and unproductive websites. Very often retreived from access logs, popular bad sites where banned. The intended purpose was to save bandwidth and warn users that inapropriate behaviour was logged. People got together and distributed their lists in free lists compatible with proxies such as Squid. The distributed list where in the size of a million URL:s 1 Million 349 Million
32
Generation 2 Corporations relised they could make money of a list
and started to collect lists and logs from the web, manually rating these in larger scale. More categories where added to increase value. The systems started to collect URL:S autmatically and download new lists periodicly. Some of them even many times every day. Special categories where added for static security threats placed on known webservers, spyware phishing etc. Other than bad sites where added such as Economy, business, news etc. to present statistics of Internet usage. 15 Million 335 Million
33
Generation 2 Number of URL:s was in the numbers of 10-20 millions.
Hitrates in logsystems presented was in the numbers of 50-80%. Regular expression on URL:s and other tricks sometimes gave a false picture of rating over 90%. But in fact less than 5% of the Internet was covered. 15 Million 335 Million
34
Generation 3 The dynamics of internet and new security risks urged for a new way of categorizing the Internet, Dynamic rating of uncategorized websites can today rate most websites, the ones thats impossible to rate could be stripped down to present only html and images to reduce risk. The static URL database are constantly updated like any Generation 2 filter. This database is cached in some systems (ProxySG) to increase performance. The rest (95%) of the Internet is categorised using dynamic rating. 15 Million 335 Million
35
Dynamic Real Time Rating
DBR Servers Internet 44µs RS G2 DRTR language 1 language 2 language 3 language 4 language 5 language n Language detection To background rating HR DXD RS= Rating server DXD = ? DRTR= Dynamic real time rating DBR= Dynamic Background Rating HR= human rating Clients Customer BlueCoat * The picture is simplified, all systems are redundant.
36
SSL Proxy
37
SSL Proxy: Policy Enforcement
Control web content, applications, and services…regardless of encryption Block, allow, throttle, scan, accelerate, insert, strip, redirect, transform … Apply the same policies to encrypted traffic as to normal traffic Stops/controls rogue applications that take advantage of SSL Protect the enterprise from SSL-borne threats Stop spyware and secured phishing SSL-secured webmail and extranets – virus transmissions SSL-borne malicious and inappropriate content Accelerate critical applications Enables a variety of acceleration techniques (e.g., caching) Apps SSL Policy SSL User Internet Internal Network
38
Blue Coat: Visibility and Context
Client-Proxy Connection Server-Proxy Connection Client Proxy Server Algorithms I support. Connection Request. Algorithms I support. Connection Request. Use this algorithm. Server’s digital certificate. Verify certificate and extract (proxy’s) public key. Let’s use this algorithm. Emulated certificate. Verify certificate and extract server’s public key. Red checkmarks are key: Examine user and connection – valid user? Valid app? Examine server response – valid cert? Expected response? Ongoing examination of user/app interaction to ensure compliance with policy (e.g., no threats, no inappropriate content) Complete Authentication. Complete Authentication. Complete Authentication. Complete Authentication. Tunnel Established Tunnel Established
39
Flexible Configurations
Trusted applications passed through Sensitive, known, financial or health care No cache, visibility Awareness of network-level information only Option 1 Can granularly proxy or tunnel…or partially proxy (i.e., check to ensure valid app, user, and cert., then passthrough/tunnel) Warn user with splash screen – remind user of policy and offer chance to “opt-out” of transaction Caching granularity – can cache no SSL, all SSL, or only certain objects (e.g., JPEGs/GIFs) Administrative granularity – can log all, none, certain elements; can log off-box, securely Fine-grained content security controls (over 500 different triggers and actions) include: Trusted Domains Rogue Categories Active Content Categories Drive-by Installers (.CAB, .OCX, .MSI) Executable file types & executable MIMEs Active Content & MIME Types User Agents Speeds up business processes High-performance: over 400Mbps Low-latency: 3-4msec Control Apps Internet User SSL TCP TCP
40
Flexible Configurations
Initial checks performed Valid user, valid application Valid server cert User/application traffic passed through after initial checks No cache Visibility and context of network-level info, certificates, user, and applications Can warn user, remind of AUP, and offer opt-out Option 2 Can granularly proxy or tunnel…or partially proxy (i.e., check to ensure valid app, user, and cert., then passthrough/tunnel) Warn user with splash screen – remind user of policy and offer chance to “opt-out” of transaction Caching granularity – can cache no SSL, all SSL, or only certain objects (e.g., JPEGs/GIFs) Administrative granularity – can log all, none, certain elements; can log off-box, securely Fine-grained content security controls (over 500 different triggers and actions) include: Trusted Domains Rogue Categories Active Content Categories Drive-by Installers (.CAB, .OCX, .MSI) Executable file types & executable MIMEs Active Content & MIME Types User Agents Speeds up business processes High-performance: over 400Mbps Low-latency: 3-4msec Control Apps Internet User SSL TCP TCP
41
Flexible Configurations
Initial checks performed Valid user, valid application Valid server cert User/application traffic proxied after initial checks Full caching and logging options Visibility and context of network-level info, certificates, user, applications, content, etc. Full termination/proxy Can warn user, remind of AUP, and offer opt-out Option 3 Can granularly proxy or tunnel…or partially proxy (i.e., check to ensure valid app, user, and cert., then passthrough/tunnel) Warn user with splash screen – remind user of policy and offer chance to “opt-out” of transaction Caching granularity – can cache no SSL, all SSL, or only certain objects (e.g., JPEGs/GIFs) Administrative granularity – can log all, none, certain elements; can log off-box, securely Fine-grained content security controls (over 500 different triggers and actions) include: Trusted Domains Rogue Categories Active Content Categories Drive-by Installers (.CAB, .OCX, .MSI) Executable file types & executable MIMEs Active Content & MIME Types User Agents Speeds up business processes High-performance: over 400Mbps Low-latency: 3-4msec Control Apps User SSL Internet SSL TCP TCP
42
Reverse Proxy
43
Reverse Proxy Internet Policy Logging Authentication URL-rewrite
Clients Servers AV SSL/Certificate Caching
44
Secure & Accelerate Web Applications
Reverse Proxy PROTECTS Web Servers Secure, object-based OS Controls access to web apps Web AV scanning ACCELERATES Web Content Intelligent caching Compression and bandwidth mgt. TCP & SSL offload Web Servers Users ProxySG Firewall Internal Network Public Internet Users ProxySG provides scalable performance and security for web content and applications Secure proxy architecture High-performance, scalable content delivery Optimized appliance for cost-effective, easy-to-manage reverse proxy solution Visual Policy Manager for intuitive policy creation and management Comprehensive logging and reporting for visibility SIMPLIFIES Operations Scalable, optimized appliance Easy policy creation & management Complete logging & reporting Secure & Accelerate Web Applications
45
HTTPS Termination HTTPS Termination (Client ProxySG)
Off-load secure website or portal HTTPS Origination (ProxySG Server) Secure channel to content server for clients Man-in-the-Middle (Termination & Origination) Allows caching, policy and virus scanning Secure credential acquisitions SSL Hardware Acceleration Cards 800 RSA transactions per second per card SSL v2.0, v3.0, and TLS v1 support Off-load web application servers to improve performance Popular with application front-ending web applications like OWA, Siebel and others, HTTPS Termination off-loads application web servers and provide hardware acceleration for SSL. Secure traffic can be configured between clients and ProxySG (termination) or from ProxySG to a content server (Origination). Using both options, ProxySGs is the middle-man providing caching, policy and virus scanning benefits to a secure tunnel between client and content server. Also, ProxySG uniquely provides secure credential acquisitions for users and administrators.
46
Example Scenarios for Reverse Proxy
Secure and Accelerate Public Websites Improves content delivery with integrated caching Services legitimate users while resisting DoS attacks High-performance SSL Secure Corporate Webmail Securely isolates Web servers from direct Internet access Proxy authentication for additional layer of protection Plug-n-play SSL Scanning Uploaded Files for Viruses Simple integration with ProxyAV™ Real-time scanning of uploaded content Protects Web infrastructure from malware ProxySG for Reverse Proxy can be deployed for a number of different web applications. Universal across these deployments are the need for effective web server protection and efficient web content acceleration. The most common ProxySG for Reverse Proxy scenarios include the following: 1) Securing and Accelerating a Public Website 2) Securing Corporate Web 3) Optional Web Virus Scanning of uploaded files
47
Accelerate Applications – All Users – All Locations
48
Recipe for Branch Performance Problems
Server Consolidation Increased application traffic + Inefficient application protocols + Highly distributed users + Cost concerns + compliance = consolidation Consolidated applications + long distances + protocols pushed past their limits = poor application performance Poor performance is largely turns, but can also be bandwidth-related Industry answer is to accelerate traffic, but… Narrow bandwidth links + = Poor Application Performance
49
Minimum for Application Acceleration
Optimize use of existing WAN bandwidth Reduce latency associated with applications Improve the efficiency of application protocols Prioritize the applications that matter most Re-use and compress data where possible Accelerate File Sharing, , and browser-based enterprise applications Complete Solution Requires More
50
Platform for Application Acceleration
Multiprotocol Accelerated Caching Hierarchy Bandwidth Management Protocol Optimization Object Caching Byte Caching Compression File Services (CIFS), Web (HTTP), Exchange (MAPI), Video/Streaming (RTSP, MMS), Secure Web (SSL)
51
New Requirement: SSL Acceleration
Nearly 50% of all corporate Web application traffic is SSL 70% of all mobile and teleworkers use SSL for secure application delivery 68% of Blue Coat customers depend on externally hosted Web applications More and More SSL… SSL Traffic Internally Hosted Apps Externally Hosted Apps Source: Blue Coat Customer Surveys
52
New Requirement: Video Acceleration
Enterprise users becoming more distributed Mobile, teleworker, and branch/ remote offices Regulatory and cost drivers Remote employee training becoming a necessity Live (streaming) and on-demand video Performance quality becoming a requirement Network and application issues must be addressed Control and acceleration of video is needed
53
Bandwidth Management Divide user and application traffic into classes
Sales Automation App Priority 1 Min 400Kb, Max 800Kb Priority 2 Min 100Kb, Max 400Kb File Services Priority 3 Min 400Kb, Max 800Kb General Web Surfing Priority 4 Min 0Kb, Max 200Kb Divide user and application traffic into classes Guarantee min and/or max bandwidth for a class Align traffic classes to business priorities
54
Protocol Optimization
Packet #1 request client -- server Open a file Packet #2 response server - client Indicate FileID or error if not found FID is used in subsequent packet for accessing the file Packet #3 request client -- server Read from a file Packet #4 response server - client Returns file data requested A client can not request another read until it receives the first request. Thus, large documents could require lots of round trips, causing a ping-pong effect. This is effect has been termed as a chatty protocol.
55
Protocol Optimization
Packet #1 request client -- server Open a file Packet #2 response server - client Indicate FileID or error if not found FID is used in subsequent packet for accessing the file Packet #3 request client -- server Read from a file Packet #4 response server - client Returns file data requested A client can not request another read until it receives the first request. Thus, large documents could require lots of round trips, causing a ping-pong effect. This is effect has been termed as a chatty protocol. 10-100X Faster Includes CIFS, MAPI, HTTP, HTTPS, TCP
56
Object Caching Built on high-level applications and protocols
Streaming caches CIFS cache Advantages Fastest response times Offload work from servers (and networks) Can be deployed asymmetrically Limitations Application-specific All or nothing: No benefit if whole object not found or changed
57
Byte Caching Local History Cache Remote History Cache
… … Sequences are found in the local history cache They are transmitted as small references over the WAN The original stream is reconstructed using the remote history cache Proxies keep a history of all bytes sent and received [R1] [R2] [R3] Used for WAN Link Optimization Deploy ProxySGs on both ends of a WAN link Eliminate repeated sequences of bytes sent over WAN Drastically improve performance for bandwidth limited applications Consistent end user response times Controlled application bandwidth requirements Key Benefits Completely transparent to client and server Exactly the same bytes are seen at both ends Works on any TCP connection, no protocol or application knowledge required Works with dynamic and changing data Frequently updated files Dynamic web applications Most effective data transmission acceleration Limitations Byte Caching addresses bytes transferred No server offload No protocol optimization No protection or control Need application proxies for full performance management Local LAN WAN Link Remote LAN
58
Compression COMPRESSION
COMPRESSION Industry-standard gzip algorithm compresses all traffic Removes predictable “white space” from content and objects being transmitted
59
MACH5 Techniques Work Together
Object Caching Caches repeated, static app-level data; reduces BW and latency Byte Caching Caches any TCP application using similar/changed data; reduces BW Compression Reduces amount of data transmitted; saves BW Bandwidth Management Prioritize, limit, allocate, assign DiffServ – by user or application Protocol Optimization Remove inefficiencies, reduce latency
60
Object Caching Object caches are built on higher level applications and protocols HTTP/Web caching Streaming caches CIFS cache Object cache advantages Fastest response times Offload work from servers Can be deployed asymmetrically Object cache disadvantages Works with limited set of applications Works on limited range of data inside applications All or nothing: No benefit if whole object not found or changed
61
HTTP(S), FTP, Streaming, CIFS
Object vs. Byte Caching Object Caching Byte Cache Proxy? HTTP(S), FTP, Streaming, CIFS Built on TCP Protocol Optimization Integration X Server Offload Network Offload Incremental Updates No App Integration End User Performance Best Good Scope Focused Broad
62
Products
63
MACH5 Ships with Blue Coat SGOS 5
SG8000 Series Headquarters Corporate SG800 Series SG400 Series Blue Coat provides you a range of proxy appliances to support smaller branch offices on up to the largest enterprise implementations. Each is based on our custom operating system, SGOS, meaning the same comprehensive set of functionality for controlling Web communications is provided in each platform. And, each enables the granular policy enforcement demonstrated today along with wire speed performance with very little maintenance and virtually no patching. Name drop: The entire country of Saudi Arabia is granted Internet access through our proxy appliances. [NOTE: Use Other customers that you are familiar with eg, CompUSA, US Air Force, etc] SG200 Series GA April 2006 Appliances start at US$1,995 Remote Offices Branch Office Enterprise Core
64
ProxyAV Appliances 2000-E Series 400-E Series Performance Corporate
Headquarters 2000-E Series 400-E Series Remote Offices Connected Users Up to 250 users users ,000+ users WAN Bandwidth Sub 1.5Mbps Bandwidth 1.5Mbps- 45Mbps Bandwidth 150Mbps + Bandwidth Performance
65
400-E1 One Model: 400-E1 RAM: 512 MB CPU: 1.26GHz PIII
Disk drive 40 GB IDE Network Interfaces (2 on board) 10/100 Base-T Ethernet 19" Rack-mountable
66
Software Reporter (SW)
Advanced Java application to generate statistics from logs
67
Licenced products Licensed products Streaming
Real Networks, Microsoft, Quicktime Instant Messaging MSN, Yahoo, AOL Optional Security (HW+SW bundle) SSL termination/proxy
68
Licenced products Licensed products Content filtering
BlueCoat Webfilter ICAP AV Scanner ProxyAV (McAfee, Sophos, Panda, Kaspersky, Ahn Labs)
69
Ultimate Control Point for Communications
The Power of the Proxy Web Security Prevent spyware, malware & viruses Stop DoS attacks IE vulnerabilities, IM threats Policy Control Fine-grained policy for applications, protocols, content & users (allow, deny, transform, etc) Granular, flexible logging Authentication integration Accelerated Applications Multiprotocol Accelerated Caching Hierarchy BW mgmt, compression, protocol optimization Byte & object caching + + Full Protocol Termination = Total Visibility & Context (HTTP, SSL, IM, Streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS) Ultimate Control Point for Communications
70
Management
71
Management User Interface Scalable management Reporting tools
HTTP (HTTPS), web GUI Interface Telnet (Cisco CLI) SSH & Serial console Java Policy interface CPL, Policy Language SNMP MIBII + Traps Monitor network status and statistics Reporting tools BlueCoat Reporter Scalable management Centralized configuration management in Director
72
Reporting (example) 18.2 % Spyware (gator) 16.5 % Aftonbladet
9.5 % Ad’s (in top 40) 6.8 % https (encrypted)
77
System-wide Management and Control
Blue Coat Director Centralized configuration of Blue Coat appliances – set up, policy, etc Centralized monitoring – appliance health, application use, user experience Blue Coat Reporter Enterprise roll-up and analysis of application delivery information: appliances, application use, user experience Both Director and Reporter are proven, with thousands of nodes under management…
78
Director configuration Management
Remotely and securely manage via GUI or CLI. Work- station Configuration Management Policy Management Disaster protection centrally Configuration Management Monitor and control Resource Management Monitor network status and statistics Profile Management Backup configuration Create overlays using GUI or CLI. Automate changes License Management Director (2) Snapshot profile and save on Director (3) Create and edit overlays using GUI or CLI. “Profile” system Configuration Management Standardize configurations, provide disaster protection, centrally monitor and control Policy Management Distribute and synchronize web security and user policy Resource Management Conserve valuable resources with bandwidth policies and content positioning Monitor network status and statistics Quickly view statistics. Rapidly view/edit individual cache configurations. Common look and feel with browser console Create profile. Snapshot of good device configuration. Strips nongeneric settings (IP, licenses, etc). Customize by region with overlays. Create overlays using GUI or CLI. Create from scratch or copy from existing caches. Distribute License Keys. Real, WMT, Websense, SmartFilter, etc. Import keys and automatically distribute with profiles. Standardize Configurations. Schedule overlays. Schedule changes with advanced configurations. Automate policy changes Automate network changes Quickly change individual settings via GUI. Time-based management Schedule any command or config change Powerful CLI automation. All configurations stored as CLI commands. Create policies. Create with Visual Policy Manager. Distribute to groups of devices. Schedule or manually distribute. Centrally store policies and configurations. Examples: Filter files, CPL, WCCP, PAC, ICP, RIP, etc. Store and manage on Director or on distributed web servers. Three types of snapshots. Profile + overlay + advanced configuration Automated snapshot with every profile distribution Scheduled backups – tied to individual devices Rollback/restore Rollback to good snapshot upon discovery of problems Script rollbacks if necessary Control streaming impact Set bandwidth policies by protocol. By user, by group Proactively preposition content Schedule distribution of large files during off-peak hours. Distribute both internal and external content. Schedule all b/w policy changes. Use overlays or advanced configurations; or Set times within policies (4) Push profiles and overlays to one or more systems (1) Configure and test “profile” system Production systems
79
Content Delivery Network
WWW Servers 1 Publish content 4 Pull content from origin servers. Director 2 Tell Director about new content Content Owners Edge Systems 3 Tell caches to update content We focus on not only the networking side of the CDN, but also the publishing experience. Our goal is to reduce their pain. First, the content owner publishes his content. Second, the publishing system tells Director that new content exists. We offer a family of tools to automate that process, from a no-touch scenario to full integration with an SDK. Third, Director tells the caches to update content. It controls the CDN, but does not sit in the data path to add additional points of publishing and failure. Fourth, the caches pull content from origin servers using native protocols (HTTP, MMS over HTTP, etc.) You can scale your web farm without scaling out the Director platform. Fifth, the caches deliver the content. Users 5 Deliver the content.
80
Director GUI
81
K9 – For free http://www.getk9.com/refer/Roger.Gotthardsson
If you want to protect your family with Content Filtering Blue Coat is now giving it away, read more at: Please send this link to anyone you want !!!!
Similar presentations
© 2025 SlidePlayer.com Inc.
All rights reserved.