• Animesh Gupta

Blue Coat ProxySG: Secure Web Gateway Overview


What is the Blue Coat Proxy?


Blue Coat® Systems ProxySG™ Appliance represents the latest in perimeter defense for securing and controlling Web-based content and applications. The Blue Coat ProxySG is designed to integrate protection and control functions for Internet and intranet traffic without sacrificing performance and employee productivity. The ProxySG series of proxy appliances is designed specifically to manage and control user communication over the Internet. Acting on behalf of the user and the application, the ProxySG does not replace existing perimeter security devices; rather, it complements them by giving organizations the ability to control communications in a number of ways that firewalls and other externally focused devices cannot.


Web Security Solution


The Blue Coat ProxySG provides a point of integration, control, and acceleration for enterprise Web security applications, including:

  • Layered security approach with content-level protection to combat Web-based threats using port 80.

  • Abundant policy controls wrapped in performance-based hardware and a custom operating system to give organizations visibility and control over employee Web communications.

  • A preventative spyware defense that combines multiple techniques in a high-performance solution acceptable for Web-based business communications.

  • Integrated reverse proxy caching and SSL support to offload content delivery and encryption tasks from Web servers, reducing server bottlenecks and enhancing Web site performance and scalability.

  • Control over which users are allowed to use Instant Messaging, and which IM protocols are allowed, what features are to be enabled, to whom users can IM or chat with (inside the company or outside the company), what time of the day they can IM, and how logging is managed.

  • Immediate and dynamic Peer-to-Peer (P2P) control, allowing an administrator to identify, log, and block P2P traffic.

  • Integrated caching, content positioning, bandwidth savings, and bandwidth management to provide superior performance for controlling Web content.

  • Control over Windows Media, Real Time, and QuickTime video and audio streams as the file is being downloaded over the Internet.

  • Prevention of the spread of viruses and other malicious code by using the Blue Coat ProxyAV™ Appliance in conjunction with the Blue Coat ProxySG. The ProxySG with ProxyAV integration is a high-performance Web anti-virus (AV) solution.

  • Control over the type of content retrieved by the ProxySG. You can also filter requests made by clients. If you use Blue Coat Web Filter (BCWF), a highly effective content filtering service that quickly learns and adapts to the working set of its users, you can also use a network service that dynamically examines and categorizes Web pages as they are requested.

Policy and Management Architecture


Networking environments have become increasingly complex, with a variety of security and access management issues. Enterprises face challenges in configuring products and ensuring the result supports enterprise policies. Policies enhance ProxySG features, such as authentication and virus scanning, allowing you to manage Web access specific to the enterprise’s needs. Blue Coat policies provide:

  • Fine-grained control over various aspects of ProxySG behavior.

  • Multiple policy decisions for each request.

  • Multiple actions triggered by a particular condition.

  • Bandwidth limits.

  • Authentication awareness, including user and group configuration.

  • Flexibility of user-defined conditions and actions.

  • Convenience of predefined common actions and transformations.

  • Support for multiple authentication realms.

  • Configurable policy event logging.

  • Built-in debugging.

The ProxySG uses policies and system configuration together to provide the best possible security for your network environment. Blue Coat's unique architecture allows for scalable decision making. Effectively turning on multiple combinations of granular policy requires a unique level of performance. Blue Coat's flexible logging features, coupled with integrated authentication and identification capabilities, give organizations the power to monitor Web access for every user in the network at any time, regardless of where they are. Internet access traffic flowing through the ProxySG gives administrators and managers the ability to audit Web traffic as needed.


Content Filtering


As the number of users and the total amount of traffic grows, policy enforcement demands higher performance to provide adequate end-user quality of experience. To satisfy the management level and scalability that enterprise traffic demands, ProxySG Appliances have emerged as a new layer of infrastructure that provides the performance and manageability required for enterprise-wide policy-based content filtering. SGOS 4.1 offers a dynamic categorization service if you use the Blue Coat Web Filter (BCWF). The BCWF categorization service is an Internet service, available from designated service points with high-bandwidth connections and dedicated hardware. It analyzes data externally so that content (offensive, distasteful, or perhaps even potentially a legal liability) never enters the network.



The ProxySG enforces Internet access policies based on:

  • Content categories (gambling, sex, etc.)—Besides BCWF, which includes a database and a dynamic categorization service, databases from leading third-party filtering vendors are offered.

  • Content type and protocols (HTTP, FTP, streaming, MIME type, etc.)—Adds the ability to block certain types of content transported on certain types of protocols.

  • Identity (user, group, network)—Customize policy based on who the users are, regardless of location.

  • Network conditions—Customize based on real-time conditions.
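
The policy model described in the two sections above (several layers evaluated per request, several actions per matching condition, conditions on category, content type and protocol, identity, and live network state) is easier to see in code. The following is an added illustration, not ProxySG code or its policy language; the rule set, category names, group names and request fields are all constructed.

```python
"""Layered Web-access policy evaluation (added example, not ProxySG code or its policy language).

Every request passes through each layer in turn. Within a layer the first matching
rule wins and contributes a verdict and/or actions; a later layer may override an
earlier layer's verdict, so several policy decisions are taken for one request.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Optional

@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    category: str             # e.g. from a URL categorization database (constructed names)
    protocol: str             # HTTP, FTP, IM, ...
    mime_type: str
    hour: int                 # local hour of day, 0-23
    link_utilization: float   # 0.0-1.0, a "network condition" input

@dataclass
class Decision:
    verdict: str = "ALLOW"
    actions: List[str] = field(default_factory=list)
    matched: List[str] = field(default_factory=list)

@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    verdict: Optional[str] = None        # None leaves the running verdict unchanged
    actions: List[str] = field(default_factory=list)

def evaluate(layers: List[List[Rule]], req: Request) -> Decision:
    decision = Decision()
    for layer in layers:
        for rule in layer:
            if rule.condition(req):
                decision.matched.append(rule.name)
                if rule.verdict is not None:
                    decision.verdict = rule.verdict
                decision.actions.extend(rule.actions)
                break   # first match within a layer wins; continue with the next layer
    return decision

def is_video(r: Request) -> bool:
    return r.mime_type.startswith("video/")

# Constructed policy; the action names are illustrative labels, not product commands.
POLICY: List[List[Rule]] = [
    [   # Layer 1: content categories from the filtering database
        Rule("deny-gambling", lambda r: r.category == "gambling", "DENY", ["log", "exception-page"]),
        Rule("deny-malicious", lambda r: r.category == "malicious", "DENY", ["log", "alert-admin"]),
    ],
    [   # Layer 2: content type and protocol
        Rule("scan-downloads",
             lambda r: r.protocol in ("HTTP", "FTP") and r.mime_type.startswith("application/"),
             None, ["icap-respmod"]),
        Rule("accounting-56k", lambda r: is_video(r) and "accounting" in r.groups,
             None, ["bandwidth-class=streams-56k"]),
    ],
    [   # Layer 3: identity and network conditions
        Rule("exec-streaming", lambda r: is_video(r) and "executives" in r.groups, "ALLOW"),
        Rule("congested-no-video", lambda r: is_video(r) and r.link_utilization > 0.9, "DENY", ["log"]),
        Rule("im-business-hours", lambda r: r.protocol == "IM" and not 8 <= r.hour < 18, "DENY", ["log"]),
    ],
]

def decide(req: Request) -> Decision:
    return evaluate(POLICY, req)

if __name__ == "__main__":
    sample = Request("alice", frozenset({"accounting"}), "business", "HTTP", "video/mp4", 10, 0.3)
    print(decide(sample))
```

Because each layer returns at most one rule, adding a rule never silently disables another one in a different layer; that separation is what lets category, content-type and identity controls be maintained independently while still yielding a single verdict per request.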

Content and Virus Scanning


When integrated with a supported Internet Content Adaptation Protocol (ICAP) server such as the Blue Coat ProxyAV appliance, Blue Coat provides content scanning and filtering. ICAP is an evolving protocol that allows an enterprise to dynamically scan and change Web content. Content scanning includes actions like sending a given request for content to an ICAP server for virus scanning or malicious mobile code detection. To eliminate threats to the network and to maintain caching performance, the ProxySG sends objects to the integrated ICAP server for evaluation and saves the scanned objects in its object store. With subsequent content requests, the ProxySG serves the scanned object rather than rescanning the same object for each request.



The ProxySG blocks viruses from Web content behind and in front of the firewall. Blue Coat architecture is optimized to handle Web requests and responses that require scanning for potentially malicious mobile code and viruses. The ProxySG uses ICAP to vector responses to supported virus scanning servers to deliver unmatched flexibility and performance in scanning Web content.
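
To make the ICAP round trip concrete, here is an added example (not Blue Coat's code) of a RESPMOD exchange in the RFC 3507 message layout, with the proxy side, a toy scanning server and the scan-once-then-serve-from-cache flow the section above describes. The ICAP host, service path, test signature and HTTP messages are constructed so that both sides run offline in one file.

```python
"""Minimal ICAP RESPMOD exchange between a caching proxy and a scanning server (added example)."""
from typing import Dict, Tuple

ICAP_HOST = b"icap.example.invalid"                 # assumed scanner host
ICAP_SERVICE = b"icap://" + ICAP_HOST + b"/avscan"  # assumed service URI
BAD_SIGNATURE = b"CONSTRUCTED-TEST-MARKER"          # constructed pattern, not a real signature

def chunked(body: bytes) -> bytes:
    """ICAP carries encapsulated bodies in HTTP/1.1 chunked encoding."""
    return (b"%x\r\n%s\r\n" % (len(body), body) if body else b"") + b"0\r\n\r\n"

def dechunk(data: bytes) -> bytes:
    """Decode a chunked body (chunk extensions ignored, no trailers expected)."""
    out, pos = b"", 0
    while True:
        nl = data.index(b"\r\n", pos)
        size = int(data[pos:nl].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[nl + 2:nl + 2 + size]
        pos = nl + 2 + size + 2

def parse_encapsulated(head: bytes) -> Dict[str, int]:
    """Turn 'Encapsulated: req-hdr=0, res-hdr=77, res-body=171' into {'req-hdr': 0, ...}."""
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"encapsulated":
            return {k.strip().decode(): int(v) for k, _, v in
                    (part.strip().partition(b"=") for part in value.split(b","))}
    raise ValueError("Encapsulated header missing")

def build_respmod(req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Proxy side: wrap the client's request headers, the origin's response headers and the
    response body; Encapsulated offsets are byte positions within the encapsulated section."""
    res_hdr_off = len(req_hdr)
    body_off = res_hdr_off + len(res_hdr)
    head = b"".join([
        b"RESPMOD " + ICAP_SERVICE + b" ICAP/1.0\r\n",
        b"Host: " + ICAP_HOST + b"\r\n",
        b"Allow: 204\r\n",  # we accept '204 No Content', meaning 'unmodified, serve as-is'
        b"Encapsulated: req-hdr=0, res-hdr=%d, res-body=%d\r\n\r\n" % (res_hdr_off, body_off),
    ])
    return head + req_hdr + res_hdr + chunked(body)

def icap_server(request: bytes) -> bytes:
    """Scanner side: locate the response body via Encapsulated, scan it, then answer
    204 (clean, unmodified) or 200 with a replacement HTTP response (blocked)."""
    head, _, encapsulated = request.partition(b"\r\n\r\n")
    body = dechunk(encapsulated[parse_encapsulated(head)["res-body"]:])
    if BAD_SIGNATURE not in body:
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    page = b"<html><body>Object blocked by the content scanner.</body></html>"
    res_hdr = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
               b"Content-Length: %d\r\n\r\n" % len(page))
    return (b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(res_hdr)
            + res_hdr + chunked(page))

def icap_status(reply: bytes) -> int:
    return int(reply.split(b" ", 2)[1])

ObjectStore = Dict[str, Tuple[bytes, bytes]]   # url -> (HTTP response headers, body)

def serve(store: ObjectStore, url: str, req_hdr: bytes, res_hdr: bytes,
          body: bytes) -> Tuple[bytes, bytes, bool]:
    """Proxy flow the text describes: scan an object once, keep the scanned (or replaced)
    object in the store, and serve later requests for that URL without another ICAP round
    trip. Returns (HTTP response headers, body, scanned_this_time)."""
    if url in store:
        hdr, cached_body = store[url]
        return hdr, cached_body, False
    reply = icap_server(build_respmod(req_hdr, res_hdr, body))
    if icap_status(reply) == 204:
        result = (res_hdr, body)
    else:
        head, _, encapsulated = reply.partition(b"\r\n\r\n")
        body_off = parse_encapsulated(head)["res-body"]
        result = (encapsulated[:body_off], dechunk(encapsulated[body_off:]))
    store[url] = result
    return result[0], result[1], True

if __name__ == "__main__":
    req = b"GET http://www.example.invalid/tool.bin HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
    res = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    store: ObjectStore = {}
    print(serve(store, "http://www.example.invalid/tool.bin", req, res, b"plain file contents"))
    print(serve(store, "http://www.example.invalid/tool.bin", req, res, b"plain file contents"))
```

The cache key here is the URL, which is what makes the second request cheap; in a real deployment the store must be invalidated whenever the scanner's signatures change, otherwise an object scanned with an older signature set keeps being served as clean.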


Spyware


Spyware arrives through multiple vectors, so silver-bullet defenses built on coarse-grained controls are ineffective and impede critical Web-based business communications. No single technique can filter out spyware and adware to defend against the threat. Blue Coat combines multiple techniques in a high-performance solution acceptable for Web-based business communications. Latency is minimal and the protection layers are comprehensive to stop, block, and scan spyware. With Blue Coat, you can:

  • Stop spyware installations;

  • Block spyware Web sites;

  • Scan for spyware signatures;

  • Detect desktop spyware and target for cleanup.



For information on using the ProxySG and ProxyAV together, refer to the Blue Coat ProxyAV Configuration and Management Guide.


Instant Messaging


Instant messaging (IM) usage in an enterprise environment creates security concerns because, regardless of how network security is configured, IM connections can be made from any established protocol, such as HTTP or SOCKS, on any open port. Because it is common for coworkers to use IM to communicate, especially in remote offices, classified company information can be exposed outside the network. Viruses and other malicious code can also be introduced to the network from file sharing through IM clients. The ProxySG serves as an IM proxy, both in transparent and explicit modes. You can control IM actions by allowing or denying IM communications and file sharing based on users (both employee identities and IM handles), groups, file types and names, and other triggers. You can also log and archive all IM chats. Using policy, administrators can quickly deploy sophisticated IM usage policies that integrate with existing authentication directories through LDAP, NTLM and RADIUS.




Integrated Reverse Proxy


ProxySG Appliances are easily configured for reverse proxy mode, providing optimized Web server acceleration and featuring a high RAM-to-disk ratio and a built-in Secure Sockets Layer (SSL) encryption/decryption processor. This processor can manage 10 to 40 times more secure sessions than a standard Web server, allowing the appliances to accelerate the delivery of both public (HTTP) and private (HTTPS) content. The product is packaged in a compact 1U form factor (ProxySG 400 and ProxySG 800 models), a major advantage in space-constrained data centers, or a 4U form factor (ProxySG 8000) that allows for modular expansion of network interface cards, SSL cards, processors, and RAM.

The ProxySG system software is easily tuned for the workload of high-traffic Web sites. This environment is characterized by a finite amount of site content accessed by many remote users, often resulting in flash crowds. The ProxySG Appliances allow efficient scaling of Web farms to address flash or peak periods of traffic, and include advanced features such as protection against Denial-of-Service attacks and dynamic content acceleration.

Bandwidth Management


Bandwidth management allows you to classify, control, and, if required, limit the amount of bandwidth used by different classes of network traffic flowing into or out of the ProxySG. Network resource sharing (or link sharing) is accomplished using a bandwidth-management hierarchy where multiple traffic classes share available bandwidth in a controlled manner. You can also create policies to constrain who can use certain media types, and how much of it. For example, you can allow your executives to view high-bandwidth streaming media, but only allow the accounting group to view streams up to 56k on corporate sites. With Blue Coat, you can limit access based on user, group, network address, and the time of day. You can also prevent all access to the Internet except for a group of users who need access to do their jobs, effectively freeing bandwidth for mission-critical needs.
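
The class hierarchy described above can be illustrated with a small allocator. This is an added example, not Blue Coat's implementation: each class has a guaranteed minimum, an optional cap and a priority; a parent's bandwidth is split among its children by first honouring guarantees and then handing leftover bandwidth to the highest-priority children up to their cap and current demand. Figures are in kbps, and the class tree (executives stream freely, accounting streams are held to 56 kbps, as in the section's own example) and the demands are constructed.

```python
"""Hierarchical link sharing between traffic classes (added example, not Blue Coat code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class BwClass:
    name: str
    min_kbps: int = 0                  # guaranteed bandwidth
    max_kbps: Optional[int] = None     # hard cap (None = unlimited)
    priority: int = 0                  # higher gets leftover bandwidth first
    demand_kbps: int = 0               # offered load (leaves only)
    children: List["BwClass"] = field(default_factory=list)

def cap_of(c: BwClass, available: int) -> int:
    return available if c.max_kbps is None else min(available, c.max_kbps)

def demand_of(c: BwClass) -> int:
    """Effective demand: a leaf's load, or the sum of the children's demand, never above the cap."""
    raw = c.demand_kbps if not c.children else sum(demand_of(ch) for ch in c.children)
    return cap_of(c, raw)

def guarantee_of(c: BwClass) -> int:
    """A parent guarantees at least what it has promised its children; an idle class
    does not consume its guarantee."""
    own = c.min_kbps if not c.children else max(c.min_kbps, sum(guarantee_of(ch) for ch in c.children))
    return min(own, demand_of(c))

def allocate(c: BwClass, available: int) -> Dict[str, int]:
    """Return the kbps granted to every leaf under c when c may use `available` kbps."""
    budget = cap_of(c, available)
    if not c.children:
        return {c.name: min(budget, demand_of(c))}
    # Pass 1: guarantees, scaled down proportionally if the parent is oversubscribed.
    grant = {ch.name: guarantee_of(ch) for ch in c.children}
    promised = sum(grant.values())
    if promised > budget:
        grant = {k: v * budget // promised for k, v in grant.items()}
    leftover = budget - sum(grant.values())
    # Pass 2: leftover goes to higher-priority classes first, bounded by demand (which respects caps).
    for ch in sorted(c.children, key=lambda x: -x.priority):
        want = demand_of(ch) - grant[ch.name]
        take = max(0, min(want, leftover))
        grant[ch.name] += take
        leftover -= take
    result: Dict[str, int] = {}
    for ch in c.children:
        result.update(allocate(ch, grant[ch.name]))
    return result

# Constructed class tree: executives may stream freely, accounting streams are held to 56 kbps,
# general Web traffic has a 3000 kbps guarantee and is preferred over the remainder.
LINK = BwClass("link", children=[
    BwClass("streams", max_kbps=6000, children=[
        BwClass("exec-streams", priority=2, demand_kbps=4000),
        BwClass("accounting-streams", min_kbps=56, max_kbps=56, demand_kbps=400),
    ]),
    BwClass("web", min_kbps=3000, priority=1, demand_kbps=5000),
    BwClass("other", min_kbps=1000, demand_kbps=3000),
])

if __name__ == "__main__":
    for link_kbps in (10000, 6000, 3000):
        print(link_kbps, allocate(LINK, link_kbps))
```

Running it with a 10000 kbps link gives executives 3944 kbps, accounting its 56 kbps, Web 5000 kbps and the remainder 1000 kbps; at 6000 kbps the executive streams are starved (0 kbps) while accounting still receives its 56 kbps guarantee, which is the behaviour a guarantee-plus-cap hierarchy is meant to deliver.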


SWG Platform Options


Blue Coat ProxySG can be deployed as a hardware appliance, virtual machine (VM) or cloud service. Each product provides identical functions in differing enterprise network environments.


Blue Coat ProxySG Appliance Options


Blue Coat offers seven different models for various-sized enterprises. At the low end of the spectrum is the SG 300-5, which supports up to 40 users. This device is tailored to smaller remote offices that have their own Internet connectivity. The appliance has 2 GB of memory, a single 250 GB hard disk drive (HDD) and two 10/100/1000 Mbps Ethernet ports with bypass capabilities to protect against server failures.

In the middle of the pack is the SG S400-20. This is suitable for up to 6,000 users. It's equipped with three 1 TB HDDs, 16 GB of memory, multiple connectivity options, including 1 Gb and 10 Gb copper or fiber interfaces, and can be ordered with or without bypass capabilities.

Blue Coat’s carrier-grade SWG is the SG 9000. The appliance can support a virtually unlimited number of users. In terms of performance, the appliance contains 64 GB of RAM, fifteen 1 TB disk drives and a broad array of 1 Gb and 10 Gb connectivity options -- both copper and fiber.

Blue Coat ProxySG VM options

Blue Coat currently offers a single VM server option, which is called the VA-100. A single instance can support up to 1,000 users. The VA-100 can be licensed in 25, 50, 100, 250, 500 and 1,000 user increments. The appliance runs in VMware ESX or ESXi environments and requires at least a single core CPU, 4 GB of memory and 200 GB of disk space.


Blue Coat Cloud Service Options


Blue Coat's cloud service is designed to be flexible and easy to implement. Only minor modifications are necessary to begin sending corporate Web traffic to the cloud SWG for inspection and protection. If needed, an optional, lightweight desktop software agent can be installed on corporate and BYOD devices to protect users that are outside of the enterprise network.


Pricing and Support


Blue Coat ProxySG hardware, software and services are available through the Blue Coat global partner network. List pricing for hardware appliances ranges between $6,500 for the SG300 to more than $200,000 for a SG9000 appliance. The VA-100 virtual appliance is priced between $1,200 and $50,000, depending on the number of users, for a one-year license. Cloud services are priced between $25 and $60 per user, depending upon the number of machines monitored. Blue Coat offers five different support tiers. All include unlimited 24/7 telephone support, access to a customer portal and unlimited access to patches and software releases. Blue Coat's premium support tiers differ in how quickly replacement hardware is shipped to a customer.

©2019 Security Unleashed | New Delhi