ProxySG and Firewalls

Firewalls

• Most networks are protected by firewalls

• Firewalls are required to protect you networks

• Firewalls are very effective at keeping

the “bad” guys out of your network
Firewalls

Intranet Public
Web Web
Servers Firewall Servers

Internal Public
Network Internet

Users
Firewalls block Hackers

at the perimeter . . .

But they are not designed

to control at user level
Designed to keep the bad guy out of the network
Proxy

• Complements the firewall for a complete security

architecture

• Designed to keep the “good” guys “good”

• Two types of proxy

- Forward proxy
- Reverse proxy
What is a Proxy?

Forward Proxy

Client Proxy Server

Internal External
Proxy

Intranet
Web
Servers Proxy Firewall

Internal Public
Network Internet

Users

Restrict or control “Splash page” for Control pop-ups, ads, Prevent downloading
Access to unproductive Acceptable Internet And spyware of copyrighted
Web sites Use policy MP3 files

Stop web content Stop viruses from Keep intellectual Log and archive IM
Such as .vbs, .exe Web mail (Yahoo, property from getting traffic by individual
Hotmail, etc) and IM out over IM text messages
Proxy- Web Caching

Web servers

First request to OCS

Public
Internet
ProxySG Deployment
Deployment Options

• Direct Internet Access

- No proxy

• Explicit Proxy
- Clients “know” there is a proxy in the path

• Transparent Proxy
- Clients do not “know” there is a proxy in the path
Explicit Proxy: Manually Configured

Internet

Simple High Maintenance

Transparent: Layer 4 Switch

Internet

Simple Initial Cost

Transparent: Cisco WCCP

Internet

Simple Router Load

Transparent: ProxySG Bridging

Internet

Simple Single Point of Failure

Deployment Best Practice

172.16.0.100

172.16.1.10

Internet

Firewall Rules
Source Destination Action
172.16.0.100 ANY ALLOW
172.16.1.10 25 ALLOW
ANY ANY DENY
Edge Deployment
Core Deployment Edge Deployment

Internet Internet

Satellite office Satellite office

HEADQUARTER

Satellite office
Satellite office

Satellite office Satellite office

Satellite office Satellite office
Edge Deployment

• Get “bad” sessions off the network

• Maintain control of encrypted sessions

• Prioritize mission-critical traffic

• Optimize WAN traffic

Requirements

• New Hardware

• New Features
- Compression (HTTP and SOCKS)
• New Proxy Services

• Bandwidth Management
Edge office considerations

• Forwarding
- Forwarding failure modes

• Authentication
- Edge authentication vs. core authentication

• Logging
- Edge logging vs. core logging
ProxySG Initial Setup
Initial Setup Access

• Serial Console
- Easy and reliable

• LCD / Keypad
- A built-in interface for proxy configuration (most models)

• TPC/IP
- Access reserved site https://proxysg.bluecoat.com:8083
Password Levels

• Create Administrator Account

- Username and password are both case-sensitive
- Both can be set to any alphanumeric value

• Two login levels

- Basic Access
- Enable Access
Management Console
Management Console Overview

• Reconfigure Network Parameters

• Enable/Disable Proxy Services

• Manage External Services

- ICAP and Websense

• Define Authentication Realms

Management Console Overview

• Default policy options

- Content-filtering engine configuration

• Forwarding objects

• SSL configuration

• Access login
- Setup and configuration
Management Console Overview

• Upgrade and downgrade SGOS

• Licensing

• Content to Blue Coat support

• ProxySG monitoring
Visual Policy Manager
Visual Policy Manager

• Graphical policy editor for ProxySG

(Java-based)

• Available from the Management Console

• Defines Web access and resource control

policies

• GUI to generate CPL

Visual Policy Manager - Layers

• Policies grouped into layers

• Layers contain the same family of policy

- Authentication
- Web Access
- Web content

• Layers are processed in order (left to right)

VPM Policy Layers

• Admin Authentication
• Admin Access
• DNS Access
• SOCKS Authentication
• Web Authentication
• Web Access
• Web Content
• Forwarding
Visual Policy Manager - Rules

• Each layer contains zero or more rules

- You should have at least one rule per layer

• Rules are processed from top to bottom

- Rules matched, processing moves to next layer

• Most effective rule

- First rile, last layer
Visual Policy Manager
Layer Processing Order

Rule Processing Order

Hypertext Transfer Protocol (HTTP)
HTTP Protocol

• Definition
- “Application-level protocol with the lightness and
speed necessary for distributed, collaborative,
hypermedia information systems”

• Different versions available

- HTTP/0.9
- HTTP/1.0 described in RFC 1945
- HTTP/1.1 described in RFC 2616
HTTP Protocol

Step 1: Request

Step 2: Response

• The client always initiates the connection

• The server cannot initiate a connection
HTTP URL

[“http:” “//” host_name [ :port ] [ abs_path [ “?” query]]

• Host name is case insensitive

- Even for UNIX-based Web Servers

• Default port is 80
HTTP Message

• Two types of messages

- Request
- Response

• Two parts of the message

- Headers
- Data
Request Methods

• GET
- Retrieves whatever information (in the form of an
entity) is identified by the URL
- Changes to a conditional GET if the request
message includes an if-Modified-Since or similar
header

• HEAD
- Identical to GET except that the server MUST NOT
return a message-body in the response
Request Methods

• POST
- Designed to allow a uniform method to cover the
following functions:
- Posting a message to a bulletin board, newsgroup, mailing
list or similar group of articles
- Providing a block of data, such as the result of submitting a
form, to a data-handling process
- Extending a database through an append operation

• CONNECT
- Reserved for user with a proxy that can dynamically
switch to being a tunnel (e.g. SSL tunneling)
Request Methods

• OPTIONS
- Represents a request for information about the
communication identified in the URL
- Determines the options and/or requirements
associated with a resource, or the capabilities of a
server, without implying a resource action of initiating
a resource retrieval

• PUT
- The PUT method requests that the enclosed entity
be stored under the supplied Request-URI
Response Codes

• Sample Success Code

- 200 OK

• Sample Client Error

- 404 Page Not Found

• Sample Server Error

- 500 Internal Server Error
HTTP Protocol

Step 1: Request

Step 2: Response

• Request • Response
Get / HTTP /1.1 HTTP/1.x 200 OK
Host: www.google.com Content-Type: text/html
User-Agent: Firefox/1.0 Server: GWS/2.1
Accept: text/xml Content-Length: 1121
Date: Wed, 05 Jan 2005 22:09 GMT
Cascaded HTTP Requests

Step 1: Request Step 2: Request

Step 4: Response Step 3: Response

• The intermediate device is both a client and a

server
• There can be any number of intermediate
devices
GET Requests

Step 1: Request Step 2: Request

Step 4: Response Step 3: Response

GET http://www.bluecoat.com HTTP/1.1 GET HTTP/1.1

HOST: www.bluecoat.com HOST: www.bluecoat.com
Authentication Introduction
Authentication and Security Types

• ProxySG Security
- Console Access
- Physical Access (front panel, serial port)

• ProxySG Authentication
- Validate users before allowing access to protocols

• Remote resources authentication requests

ProxySG Security

• Limit access to the ProxySG appliance

- Restrict access by IP address or IP ranges
- Password to secure Setup Console
- Require PIN to operate front panel
- Password protect serial access

• Role based security

- Use realm-based authentication
- Granular permission selection
Authentication

• Policies based on users and groups

• Granular Reporting

• Manage Exceptions
Explicit Proxy Authentication

• Proxy requires client to authenticate

- HTTP 407 Response “Proxy Authentication Required

• Browser resends the request with user’s

credentials
- Credentials are sent with every request

• Most browsers cache credentials as long as

the process is running
Explicit Proxy Authentication

GET http://www.bluecoat.com HTTP/1.1

2

HTTP/1.1 407 Proxy Authentication Required

GET request + Authentication credentials

Authentication
Server
1 3

www.bluecoat.com
Remote Resources Authentication

GET /securepage.htm

401 Authentication Required

GET /securepage.htm
Authentication details

Internet
Policy Management
Company Policy Enforcement

• Create Acceptable Usage Policy (AUP)

• Create Web Authentication Layer(s)

- Monitor user by login name

• Create Web Access Layer(s)

- Implement AUP
 Policy Translation

XYZ Inc. employees may not visit the BBC

Web site at any time

Simple Language
Who Where How When What
XYZ Employee BBC On web At any time May not visit

Blue Coat Language

Source Destination Service Time Action
ANY bbcworld.com ANY ANY DENY
 Policy Translation

XYZ Inc. employees may not visit any travel

related Web site at any time

Simple Language
Who Where How When What
XYZ Employee Travel On web At any time May not visit

Blue Coat Language

Source Destination Service Time Action
ANY Travel ANY ANY DENY
 Policy Translation

“The Engineering department may not visit any

gaming site during regular business hours.”

Simple Language
Who Where How When What
Engineering Gaming On web M-F, 08-17 May not visit

Blue Coat Language

Source Destination Service Time Action
ENG Gaming ANY M-F, 08-17 DENY
XYZ Inc. Web Access Policy

Similar rules become a layer in the Web

Access Policy

Source Destination Service Time Action

ANY BBC ANY ANY DENY

ANY Travel ANY ANY DENY

ENG Gaming ANY Mon-Fri, 8-17 DENY

Layer

Web Access Layer

VPM Objects

• Trigger Objects
- Source
- Destination
- Service
- Time

• Action
- Action
- Track
Default Policy

• Deny
- Default option for ProxySG
- All network traffic received by the proxy is blocked

• Allow
- Network traffic is allowed through the proxy
- Other policies can deny selected traffic
Content Filtering- Dynamic
Categorization
Content Filtering – Logical Flow
Content Filter
(Onbox/offbox)

URL Categorization Access

Client permitted
URL Request

Policy
Engine

Access Denied
Dynamic Categorization

• Numerous URLs and URL patterns are not

classified – and thus are not filtered by static
lists

• Static list updates typically are not updated in

real time

• New Web content/sites are created each day,

adding to the list of unclassified sites
Dynamic Categorization - Overview

Request to site not

categorized Site

from DRTR
Request
DRTR
Request to
Dynamic Categorization - Functionality

• Dynamic Categorization Modes

- Do not categorize dynamically
- Categorize dynamically in the background
- Categorize dynamically in real time

• Dynamic Categorization Costs

-Bandwidth cost-round-trip request/response from
the ProxySG to the server
-Latency cost-time spent waiting for dynamic
categorization service to provide a result
 Blue Coat Web filter For ProxySG
94% success rate
BCWF <1 ms

BUFF

DRTR
Master Rating
Database

Dynamic
background rating
30 sec. to 1 hr
Blue Coat Web filter

• Hybrid solution
- Onbox database for ProxySG
- Optional Service Component to categorize unrated
URLs

• Data Quality
- 58 categorizes
- Consistency
- Relevant URLs (feedback)
- Immediate coverage for new sites (DRTR)
Other Vendors

• Third-party filtering with BCWF

-ProxySG supports one third-party database

• Smartfilter v4 Support
-Secure Computing changed method for applying
content-filtering database
-License key instead of username/password
-User’s secure-assigned serial number
• Other Filter Vendors
-Optenet -Proventia -Webwasher -Intersafe
Managing Instant Messaging
Instant Messaging

• Informal means of communicating over

Web
-Enables user to create a kind of “chat room” with
another individual over the Internet in real time
• IM attempts to find a way around firewalls
-Searches for an open port on which it can use its
normal protocol
-Can tunnel its normal protocol over HTTP if port
scanning fails
• Originated with Internet Relay Chat (IRC)
AOL Instant Messenger (AIM)

• AIM
- Free , ad-supported instant messaging application
that detects when are online
• AIM includes
- Person-to-person text messaging
- Chat room messaging
- Ability to share files peer-to-peer with one’s buddies
- Ability to play games with each other
AOL Instant Messenger (AIM)

• AIM client messages transmitted directly

to public IM servers for delivery to a
“buddy”
-Users can add other users to their buddy lists
without asking permission
• One version of AIM , called AIM Express ,
runs in a Web browser
-No need to install an executable client on PC
Instant Messaging Control

• IM protocols allow communication across

Web under almost any possible
configuration
- Difficult to control using existing network products
• IM can be harmful to enterprise networks
- Minimal control over transmitted information
- Intellectual property can escape as a text message
- Employee productivity can be reduced via chatting
- New regulations require logging of communication
Instant Messaging using proxySG

• Configuring ProxySG to control IM

provides
- Selection of allowed protocols
- Authentication rules for using IM
- Ability to allow or deny attachments by file type
- Ability to allow or deny chat room or voice chat
access
- Blocking of IM access by user , time of day, etc.
- Filtering of keywords
- Logging of all IM access
IM – Control with ProxySG
1
2 Public IM servers

Intranet
Internet

5
3
4

1. User establishes IM session.

2. ProxySG authenticates user , then approves or denies request.
3. Content and URLs embedded in IM blocked or allowed.
4. All IM transactions logged for reporting and regulatory compliance.
5. Safe IM content and attachments delivered.
Instant Messaging Reflection

• Normally , an IM from one buddy to another

is sent to and from an IM service

• IM Reflection allows containing IM traffic

within the enterprise network
- All IM traffic on the same network never travels
beyond the proxySG
-This includes IM users who log into different ProxySG
configured in a hierarchy (Proxy chaining)
 IM Reflection with fail open

Policy contains a rule to allow IM service to clients not logged

into the ProxySG
IM Service
Client 1 to client 3:
Shall I pick up
Provider
Client 1 dinner tonight?

Client 1 to client 2: Internet

Did you finish coding
project x ?

Client 2 to client 1: Client 3

Client 3 to client 1:
Yes , the system runs Thanks. See you
faster now when get home
Client 2
 IM Reflection with fail closed

Policy contains a rule to deny IM service to clients not logged

into the ProxySG
Client 1 to client 3: IM Service
Shall I pick up dinner
tonight?
Provider
Client 1 ADMIN: DENIAL OF
SERVICE

Client 1 to client 2: Internet

Did you finish coding
project x ?

Client 2 to client 1: Client 3

Client 3 to client 1:
Yes , the system runs Thanks. See you
faster now when get home
Client 2
Notify User Policy
Notification Types

• Exception page
-Dead end
• Splash page
-Show once

• Coaching page
-option to continue
Exception page

• Built-in
-Notify user that access has been denied
-Notify user of network or appliance errors
-Can be customized ( better create user-defined ones)

• User-defines
-User-defined to send more specific message
-Can include any HTML or JavaScript code
-Can link external resources (images)
Splash page

• Used to notify users

-Company AUP
-Network outages
-Any global or user-specific message

• After page is displayed , user can access the

requested sites
Coaching page

• Used for sites that should be blocked

• User needs to click on a link to access the
requested resource
-Temporarily allowed ( default 10 minutes)

• Known also as burn-through feature

Notify User - Overview

• In earlier OS versions , splash an coaching pages

require hand-modification of CPL

• Modification triggers requires understanding of

the policy logic and hand editing of the CPL

• SGOS v4.x makes advanced policy behaviors like

splash and coaching pages easier to install
Notify User - Configuration

• Management Console
-VPM feature: Notify User action added to the web Access Layer
-To customize which users/transactions are notified, write policy other
triggers as you would for any other action( such as deny or allow )

• Command line
-Not available through the CLI – available through the VPM only
Access logging
Access logging

• ProxySG creates access logs for the traffic

following through the system
• ProxySG creates an access log record
-Per each protocol
-Data recorded at the end of the transaction

• Logs can be automatically uploaded to a remote

location for analysis and archive
About Access Logging

• Access logging is “ a generic term for raw logs of

client requests”
• Multiple Access log formats available
-optimized by protocol
-Custom logs available
Log Facility
Service(s)

Log File

Rotation Schedule
Password

Log Format Upload Schedule

Access Logging – Data Flow

1 2
4

5 3
Client On box
logs
OCS
Access Logging – Data Flow

Client On box
logs
OCS

Database
Reporter
ProxyAV
What is ProxyAV ?

• Powerful defense against

-Viruses and worms
-Spyware and trojans

• Protects often overlooked “back doors”

-Personal Web e-mail accounts
-Web content or e-mail spam with trojan or spyware
-Browser-based file downloads that bypass existing virus-scanning
defenses
ProxyAV Virus-Scanning Server

• ProxyAV uses ICAP to communicate with

ProxySG
• One ProxyAV can support multiple proxySGs
• Blue Coat ProxySG supports
-Kaspersky
-Sophos
-McAfee
-Panda
Why ProxyAV ?

• Performance
-ICAP server = separate processor
-Performance = an order of magnitude better

• Choice
-ProxyAV allows different AV vendors
-Automatically download pattern files daily

• Continue Integration
-Integrate the ProxyAV and ProxySG
ICAP Fundamentals

• Internet Content Adaptation Protocol

• Lightweight protocol for executing a “remote
procedure call” on HTTP messages
• Server executes its transformation service (
adaptation) on messages and sends back
responses to the client , usually with modified
messages
ICAP Fundamentals
ProxySG

ICAP Cient

ICAP Server

ProxyAV
ICAP REQMOD

• ICAP client sends an HTTP request to an ICAP

server
• The ICAP server may then:
-Send back a modified version of the request
- Send back an HTTP response to the request
-Return an error
ICAP REQMOD

• REQMOD
-Scan HTTP PUT requests
-Scan FTP upload requests
-Scan POST requests bodies

• Used for scanning outgoing Web-based e-

mails
ProxySG and ProxyAV

• Processing Requests
(REQMOD)
client Server
ProxySG
Request

Response

Virus Scanning

External

ProxyAV
Internal
ICAP RESPMOD

• ICAP client sends an HTTP request to an

ICAP server

• The ICAP server may then:

-Send back a modified version of the request
-Return an error
ICAP RESPMOD

• RESPMOD
-Virus scanning of HTTP and FTP (RETR)
- Virus scanning of FTP over HTTP

• Used for scanning incoming Web-based e-

mails and file downloads
ProxySG and ProxyAV

• Processing Requests
(RESPMOD)
client Server
ProxySG
Request

Response

Virus Scanning

External

ProxyAV
Internal
Reverse Proxy
Reverse Proxy

The proxy is the web server to clients

Client Proxy Server

www.site.com

External Internal
Why Reverse Proxy?

• Securing and Accelerating Public Web Site

• Securing Corporate Web –mail

• Securing and Accelerating Web

Applications
Accelerate Web Content
Reverse Proxy
Web Sever
3
2

Internet

1
Securing Corporate E-mail
Outlook Web Reverse Proxy ProxyAV
Access 3
5
2

Internet

Authentication
4
Server
1
 Web Business Applications
Authentication Reverse Proxy
server
3
2

4
Internet

Web Sever
5
1

Application
Server