BCC Proxy Admin

April 2, 2018 | Author: Rajesh Chamanthula | Category: Proxy Server, Web Server, Firewall (Computing), Technology, World Wide Web



Table of Contents
Chapter 1: Blue Coat SG and Firewalls
Chapter 2: Blue Coat SG Deployment
Chapter 3: Blue Coat SG Initial Setup
Chapter 4: Blue Coat SG Graphical User Interface
Chapter 5: Services
Chapter 6: Hypertext Transfer Protocol
Chapter 7: HTTP Compression
Chapter 8: Authentication Introduction
Chapter 9: Authentication Realms
Chapter 10: Policy Management
Chapter 11: Content Filtering
Chapter 12: Managing Downloads
Chapter 13: Managing Instant Messaging
Chapter 14: Managing Peer-to-Peer Traffic
Chapter 15: Notify User Policy
Chapter 16: Access Logging
Chapter 17: Introduction to Reporter
Chapter 18: Blue Coat AV
Chapter 19: Service and Support
Appendix A: Deployment Planning
Appendix B: Conditional Probability — Bayes Theorem

Blue Coat Educational Services — BCCPA Course v 1.7.1

Chapter 1: Blue Coat SG and Firewalls

The Web has become a vital method of communication for networked businesses and organizations worldwide. Although the Web is an extremely valuable communications tool, it also provides a way for viruses to enter corporate networks, much the same way that traditional e-mail provided a new entry in the 1990s and floppy disks before that. While enterprises continue to tighten security against known viruses entering a network — through floppy disks, CD-ROMs, or e-mail attachments — hackers exploit the Web as an easy way into corporations that rely on firewall technology alone to protect them.

Most organizations use firewalls to protect their networks. Firewalls — which typically are placed between a private network and an outside public network — monitor traffic to determine whether it should be allowed in or out. Although firewalls protect against external attacks, they do not enable organizations to control users within their network. This is the role of proxies. Proxies enable organizations to authenticate users, report on network activity, and enforce policy: key elements in creating a productive and safe Web environment.

This chapter discusses the basics of firewalls and proxies and how they work together. It explains how organizations can use proxies to control their networks and introduces the key basic deployments: forward proxy and reverse proxy.

Slide 1-1: Why firewalls are used
• Most networks are protected by firewalls
• Firewalls are required to protect your network
• Firewalls are very effective at keeping the "bad" guys out of your network

In this age of viruses, Trojans, and spyware, firewalls have become common — even for home computing. A firewall protects your network from unwanted Internet traffic. Firewalls monitor Internet traffic to determine whether the traffic should be allowed into (or out of) the network. Essentially, they keep the "bad" guys out of your network. Firewalls enable an organization's users to request Web pages, download files, and chat while making sure that outsiders cannot use the Internet to access network services like file or print sharing. Some firewalls are pieces of software that run on your computer. Other firewalls are built into hardware and protect the entire network from attacks.

Slide 1-2: Typical firewall deployment
Firewalls are designed to keep the bad guy out of the network.

As you can see from Slide 1-2, firewalls typically reside in what is known as the DMZ, the so-called neutral zone between a company's private network and the outside public network. Internal clients and services are shielded from the "lawless" Internet by the firewall, which blocks unwanted traffic and malicious intrusion attempts. Firewalls normally allow clients on the internal network to use instant messaging, listen to music, etc., unless ports used by those services are explicitly blocked by a firewall administrator.

Slide 1-3: Why proxies are deployed
• Complements the firewall for a complete security architecture
• Designed to keep the "good" guys "good"
• Two types of proxy
  - Forward proxy
  - Reverse proxy

As you have learned, firewalls are an important part of securing your private network. But they are not the only piece of the security puzzle. At the perimeter of the corporate network, firewalls and intrusion-detection systems provide excellent protection against external attacks. However, they do not enable organizations to obtain visibility and control of users from within — through authentication, authorization, reporting, or policy enforcement — to create a productive, safe Web environment. In other words, proxies serve to "keep the good guys good."

Proxy servers are very powerful devices that can be deployed in two very different ways — forward proxy and reverse proxy. A forward proxy acts as an intermediary between a client and a content server to protect the client from being seen from the Internet. A forward proxy assumes responsibility for retrieving and returning data from a content server to the client. It also caches retrieved data so it can serve the data to other clients on the network. Caching decreases network traffic costs significantly, because once the first request is made for a certain document, subsequent requests are delivered from the local cache.

A reverse proxy (also known as a Web server accelerator) acts as an intermediary between a Web server and the Internet. A reverse proxy protects the Web server from direct Internet access and also eases the server's load by caching content and serving it directly to clients. External clients request content directly from the reverse proxy, which they assume is the origin content server (OCS).

Slide 1-4: Definition of a proxy
What is a Proxy? (Forward proxy between an internal client and an external server)
Proxy: [...] deputy who acts as a substitute for another*
* Definition from the Merriam-Webster Online Dictionary

In simple terms, a proxy is a network device that acts on behalf of clients to retrieve requested content from an OCS. A client opens network connections with the proxy only — the proxy then opens a new and separate connection with the remote OCS. This is an important concept because the OCS is never aware of the connection details of client requests; the OCS completes all transactions solely with the proxy, which it views as the client. After the proxy has retrieved the content from the OCS, it delivers it to the client using the same connection that the client initially established with the proxy.
Therefore, a proxy is in a unique position to:
• Determine which client requests to permit and which to deny
• Determine which content to pass from the OCS to clients
• Modify client requests to the OCS
• Modify any content it receives from the OCS before sending it to the client

Slide 1-5: Proxy capabilities

The firewall is used at the perimeter to block outside attacks. However, some protocols must be permitted to pass through the firewall or all corporate business would cease. As shown by the diagram, the Blue Coat SG is used to control Web-based communications that have been allowed through the firewall. As you can see in Slide 1-5, proxies are capable of providing a variety of useful services, including:
• Filtering Web content
• Blocking unwanted or malicious downloads
• Blocking Web mail and IM virus propagation
• Blocking pop-ups and spyware intrusion
• Protecting copyrighted media and intellectual property
• Logging user activity and content

Chapter 2: Blue Coat SG Deployment

This chapter discusses the three types of proxy deployment:
• Explicit proxy
• Transparent proxy
• Reverse proxy

You will learn what a proxy is, what it does, and how it can be deployed. You will discover why setting up an explicit proxy is the easiest, but not necessarily the most scalable, proxy deployment. Next, you will look at transparent redirection through the Web Cache Communication Protocol (WCCP) to explore its load-balancing and traffic-segregation benefits. You will look at the complexities of Layer 4 transparent redirection and weigh its benefits against the simplicity of the explicit proxy.

Deploying a Blue Coat solution at each remote location enables you to maintain control of the network by:
• Enforcing content-filtering policies
• Controlling the content of selected SSL transactions
• Using bandwidth-management options to prioritize the use of the Internet connections for business-relevant applications
• Enabling edge-to-core compression between Blue Coat SG devices to optimize traffic across the WAN

The deployment strategy that you implement can determine the availability of Blue Coat SG features and functionalities. More importantly, this decision determines how users are affected by the proxy deployment. For example, a transparent proxy deployment that uses a Layer 4 switch (see Slide 2-5) might appear to be an elegant, scalable, and easy-to-maintain solution. However, initial setup cost can be prohibitive and consistent user authentication can prove challenging to implement. On the other hand, deploying an explicit proxy using PAC files might appear more laborious to implement, but this method does not require any additional equipment and user authentication is easier to implement, making it a consistently popular option.

Slide 2-1: Choices for client Internet access
Deployment Options
• Explicit Proxy - Clients "know" there is a proxy in the path
• Transparent Proxy - Clients do not "know" there is a proxy in the path
• Reverse Proxy - Protects a Web server from clients on the Internet

When choosing how your clients access the Internet, you basically have three choices:
• Explicit proxy
  Explicit proxying is the quickest and simplest proxy solution. However, clients' browsers must be manually configured to recognize the proxy. Setting up an explicit proxy is relatively simple. However, this same simplicity can be impractical if your network has many clients.
• Transparent proxy
  Although the name sounds somewhat intimidating, transparent proxying simply means that the client is unaware that its requests are being intercepted by a proxy. Normally, the redirection is accomplished through the use of a Layer 4 switch. One of the main reasons for deploying a transparent proxy is that you do not have to manually configure client browsers to recognize the proxy.
• Reverse proxy
  A reverse proxy is a proxy server that delivers content for one or more Web servers. All traffic directed to the back-end servers goes to the proxy server instead. Some reasons to install a reverse proxy are to defend and secure the servers behind it, distribute load across several Web servers, cache static content, integrate full SSL termination capabilities into your Blue Coat SG, and to compress content.

Slide 2-2: Explicit proxy deployment
Explicit Proxy: Clients "know" there is a proxy in the path

Deploying an explicit proxy is the least complex solution and generally does not require any additional software or hardware. In essence, the client's user agent always knows that it is sending connection requests to a proxy server. Clients using an explicit proxy format the GET request in a different way than clients using a transparent proxy or no proxy at all. When the browser does not have a proxy set, the standard GET request has formatting similar to the following:

GET / HTTP/1.1
HOST: www.bluecoat.com

When the browser is configured to use a proxy, the GET request includes the entire URL:

GET http://www.bluecoat.com/ HTTP/1.1
HOST: www.bluecoat.com

A simple packet capture can show you if a client is using an explicit proxy.

Note: In an explicit proxy request, the destination IP address of the client request is the IP address of the proxy, and not the IP address of the OCS.

Slide 2-3: Transparent proxy deployment
Transparent Proxy: Clients do not "know" there is a proxy in the path

You can think of transparent proxying as the opposite of explicit proxying. Unlike the explicit proxy scenario, the client's user agent is unaware that traffic is being redirected to a proxy and believes that it is talking to the remote server directly, without intermediaries. The goal of transparent proxying is to redirect all traffic to the Blue Coat SG without requiring client knowledge of the proxy. Unfortunately, transparent proxying is a more complex technology than explicit proxying. Transparent proxying is also generally more expensive and more complex to set up. But it is also more efficient, scalable, and robust.

Note: In a transparent proxy request, the destination IP address of the client request is the IP address of the remote server, and not the IP address of the proxy. In a transparent proxy deployment, you cannot tell if a client request is going to be transparently proxied by looking at a packet capture of that request on the client machine.
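The two request formats above can be checked mechanically on a client-side capture. The following Python checker is an added example, not course material: it classifies each captured request as proxy-style (absolute URL or CONNECT) or origin-form, and flags proxy-style requests sent to anything other than the sanctioned proxy. The proxy address 172.16.1.100 and the sample captures are assumed and constructed, not taken from the course.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

# Assumed address of the sanctioned explicit proxy (the "myproxysg" host of the
# course's Firefox example); the page does not state its IP address.
KNOWN_PROXIES = {"172.16.1.100"}


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: bytes) -> Request:
    """Parse the request line and header block of one captured HTTP request.

    Raises ValueError if the request line is not 'METHOD target VERSION'.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(parts[0], parts[1], parts[2], headers)


def classify(dst_ip: str, raw: bytes, known_proxies: Iterable[str] = KNOWN_PROXIES) -> str:
    """Classify one captured client request.

    "direct-or-transparent": origin-form target ("GET / ...") sent to the OCS address;
                             a client-side capture cannot tell these two cases apart
    "explicit-sanctioned":   proxy-style request to a known proxy
    "explicit-unsanctioned": proxy-style request to a host that is not a known proxy
    "malformed":             request line could not be parsed
    """
    try:
        req = parse_request(raw)
    except ValueError:
        return "malformed"
    # A proxy-configured browser sends absolute-form targets (scheme://host/path) for
    # HTTP and CONNECT host:port to tunnel HTTPS; neither appears in a direct request.
    proxy_style = req.method == "CONNECT" or "://" in req.target
    if not proxy_style:
        return "direct-or-transparent" if req.target.startswith("/") else "malformed"
    return "explicit-sanctioned" if dst_ip in set(known_proxies) else "explicit-unsanctioned"


def audit(captures: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Tally classifications over (destination IP, raw request) pairs from a capture."""
    counts: Dict[str, int] = {}
    for dst_ip, raw in captures:
        label = classify(dst_ip, raw)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample captures: 203.0.113.10 stands in for www.bluecoat.com and
# 198.51.100.7 for an unsanctioned proxy (both are documentation addresses).
SAMPLE_CAPTURES = [
    ("203.0.113.10", b"GET / HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n"),
    ("172.16.1.100", b"GET http://www.bluecoat.com/ HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n"),
    ("172.16.1.100", b"CONNECT www.bluecoat.com:443 HTTP/1.1\r\nHost: www.bluecoat.com:443\r\n\r\n"),
    ("198.51.100.7", b"GET http://www.bluecoat.com/ HTTP/1.1\r\nHost: www.bluecoat.com\r\n\r\n"),
]

if __name__ == "__main__":
    for dst, raw in SAMPLE_CAPTURES:
        print(dst, raw.split(b"\r\n", 1)[0].decode(), "->", classify(dst, raw))
    print(audit(SAMPLE_CAPTURES))
```

The "direct-or-transparent" label is the point of the note above: with an origin-form request and the OCS as destination, the capture on the client cannot reveal whether a transparent proxy will intercept it.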
Slide 2-4: Explicit proxy configuration
Explicit: Manually Configured

In an explicit proxy deployment, every client is configured to forward all traffic to the Blue Coat SG. When you set up an explicit proxy, you can easily set your browser to send all HTTP requests to a proxy server. Manual configuration can still be useful for testing and debugging purposes. Figure 2-1 below shows the proxy configuration screen for a Firefox® client.

Figure 2-1: Proxy configuration for Firefox
(Manual proxy configuration; Use the same proxy for all protocols; HTTP Proxy: myproxysg, Port: 8080; SSL Proxy: myproxysg, Port: 8080)

Once the Firefox client has been configured as shown above, the client sends all HTTP requests over port 8080 to the proxy with the hostname myproxysg. You can see how straightforward this method is; however, it is impractical for most organizations (except the very smallest) because you have to manually configure the browser on each client machine. Manually configuring an explicit proxy requires a lot of administrator time and — unless the proxy is paired with good firewall rules — can be easily bypassed and defeated.

Important: Malicious users can easily circumvent explicit proxy solutions.

Slide 2-5: Network with content switch
Transparent: Layer 4 Switch (pro: simple; con: initial cost)

In a transparent proxy deployment, the Layer 4 switch must be able to inspect all outbound traffic. You can configure the switch to direct specific traffic to the Blue Coat SG and to pass all other traffic to the firewall (or other destinations). Traffic-routing decisions can be based on several parameters — destination address, source address, port, protocol, or a combination of these. Most Layer 4 switches also offer a very useful set of additional features. For example:
• Advanced load balancing
• URL hashing
• Advanced fault tolerance and redundancy

The major obstacle to deploying and implementing Layer 4 switches is often cost; such devices can cost tens of thousands of U.S. dollars.

Slide 2-6: Equipment with WCCP
Transparent: Cisco WCCP (pro: simple; con: router load)

The Web Cache Communication Protocol (WCCP) v2.0 is a content-routing technology that enables routers to communicate with, and transparently redirect requests to, one or more Web caches. WCCP v2.0 defines mechanisms that allow one or more routers (enabled for transparent redirection) to discover, verify, and advertise connectivity to one or more Web caches. The purpose of the interaction is to establish and maintain the transparent redirection of selected traffic types flowing through a group of routers. WCCP v2.0 supports the redirection of traffic other than HTTP traffic through a traffic-segregation method called Service Groups. You can read more about WCCP on the Cisco Web site.

Slide 2-7: Blue Coat SG in bridging mode
Transparent: Blue Coat SG Bridging (pro: simple; con: single point of failure)

The Blue Coat SG can be configured to bridge two sides of an IP network. This solution enables you to create a transparent proxy environment. In the configuration shown in Slide 2-7, the Blue Coat SG receives all outbound traffic and inspects it. If the traffic matches any filtering criteria set by the administrators, the Blue Coat SG further inspects the traffic to determine if any rule or action (allow, block, redirect, cache, etc.) needs to be applied. This solution is not recommended for medium or large networks (more than 250 hosts). If there are too many nodes attached to the network, the Blue Coat SG becomes a single point of failure and is susceptible to overloading and congestion: the Blue Coat SG is now processing and forwarding all packets — not just those that match given policies.

Slide 2-8: Transparent: default router
Transparent: Default Router (pro: simple; con: single point of failure)

The Blue Coat SG can act as a default gateway for clients. In this scenario, the Blue Coat SG is capable of routing any kind of traffic: UDP, TCP, multicast, unicast, NetBIOS, etc. In order for the Blue Coat SG to act as a default router:
• Clients must have their TCP/IP default gateway set to the Blue Coat SG's IP address.
• IP forwarding must be enabled on the Blue Coat SG.

If the destination TCP port matches the service that is set to intercept, the packets are processed. Under such situations, the Blue Coat SG can either terminate and process the traffic or forward the traffic to the next hop. Otherwise, the packets are forwarded based on the destination MAC address and the IP address in the packet. If IP forwarding is not enabled, the packets will be rejected by the Blue Coat SG.

Slide 2-9: Firewall best practices
Deployment Best Practice: Firewall Rules

Source          Destination   Action
172.16.1.100    ANY           ALLOW
172.16.0.10     ANY, port 25  ALLOW
ANY             ANY           DENY

No matter how you decide to direct client traffic to the proxy, you should modify the firewall configuration to enforce the use of the proxy. Typically, a firewall allows outbound traffic from clients to the Internet. More restrictive policies may allow only HTTP and HTTPS out to the Internet. In either case, regardless of the deployment strategy that you implement, you may want to block all traffic that you want to go through the proxy. Only the Blue Coat SG should be allowed through the firewall. For example, if you want to proxy HTTP and HTTPS, you should block clients from directly accessing outside resources over these protocols. Such a firewall configuration enables you to force client traffic to go through the proxy; this solution also deters even the most advanced users from bypassing the proxy.

Slide 2-10: Moving from the core to the edge
Core Deployment / Edge Deployment

Slide 2-10 represents graphically what is discussed in the introduction of this chapter. On the left side, you can see a representation of a traditional network layout for a large enterprise with several satellite offices. The dotted lines represent the VPN tunnels that the satellite offices use to access data centers at the main corporate offices. On the right side you can see the configuration that some companies are migrating to. Each office has separate and independent network access. In moving Internet access from the core (headquarters) to the edge (remote office), companies may have lost the ability to granularly control who does what and when. However, features available in the SGOS are designed to fit into both deployment scenarios. Blue Coat's products are designed to fit into this model. You can use the same hardware for stand-alone small offices as well. The availability of hardware that is cost-effective, easy to deploy, and easy to control allows companies to deploy the Blue Coat solution at each remote location and still maintain control of the network by:
• Enforcing content-filtering policies
• Controlling the content of selected SSL transactions
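The rule table of Slide 2-9 can be checked for the property the text asks for (only the Blue Coat SG may leave the network on the proxied ports). The following Python evaluator is an added example, not part of the course: it applies first-match semantics to the slide's rules, compares them with a typical permissive policy, and reports which internal hosts could still reach the Internet directly. That 172.16.1.100 is the proxy, the 172.16.0.0/16 client range, the first-match semantics and the outside address are assumptions.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Sequence

ANY = None  # wildcard for a source, destination or port column


class Rule(NamedTuple):
    src: Optional[str]    # single address or CIDR, or ANY
    dst: Optional[str]
    dport: Optional[int]
    action: str           # "ALLOW" or "DENY"


def _in_net(pattern: Optional[str], ip: str) -> bool:
    if pattern is ANY:
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def decide(rules: Sequence[Rule], src: str, dst: str, dport: int) -> str:
    """First matching rule wins; no match is treated as DENY (assumed semantics)."""
    for rule in rules:
        if _in_net(rule.src, src) and _in_net(rule.dst, dst) and rule.dport in (ANY, dport):
            return rule.action
    return "DENY"


# Slide 2-9's rule set in the order shown. 172.16.1.100 is assumed to be the
# Blue Coat SG ("only the Blue Coat SG should be allowed through the firewall");
# 172.16.0.10 is allowed out only on port 25.
SLIDE_2_9: List[Rule] = [
    Rule("172.16.1.100", ANY, ANY, "ALLOW"),
    Rule("172.16.0.10", ANY, 25, "ALLOW"),
    Rule(ANY, ANY, ANY, "DENY"),
]

# The "typical" policy the text describes, which lets clients out on HTTP and
# HTTPS directly (constructed for comparison; 172.16.0.0/16 is an assumed client range).
PERMISSIVE: List[Rule] = [
    Rule("172.16.0.0/16", ANY, 80, "ALLOW"),
    Rule("172.16.0.0/16", ANY, 443, "ALLOW"),
    Rule(ANY, ANY, ANY, "DENY"),
]


def bypass_capable(rules: Sequence[Rule], proxy_ip: str, hosts: Sequence[str],
                   proxied_ports: Sequence[int] = (80, 443),
                   internet_host: str = "203.0.113.1") -> List[str]:
    """Hosts other than the proxy that the policy lets reach an outside address
    directly on a proxied port, i.e. hosts that could bypass the proxy."""
    return sorted(
        h for h in hosts
        if h != proxy_ip
        and any(decide(rules, h, internet_host, p) == "ALLOW" for p in proxied_ports)
    )


if __name__ == "__main__":
    hosts = ["172.16.1.100", "172.16.0.10", "172.16.5.5"]
    print("permissive policy, hosts able to bypass:", bypass_capable(PERMISSIVE, "172.16.1.100", hosts))
    print("slide 2-9 policy, hosts able to bypass:", bypass_capable(SLIDE_2_9, "172.16.1.100", hosts))
```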
Slide 2-11: Reverse proxy
Reverse Proxy: The proxy is the Web server to clients

Unlike a forward proxy, which caches arbitrary content for clients, a reverse proxy serves specific content on behalf of back-end servers. Reverse proxies are network servers or appliances that typically reside in the DMZ between Web applications and the Internet. The reverse proxy is effectively a "trusted processor" for Web servers, acting as a middleman between users and the Web applications they access. A reverse proxy protects Web servers from direct Internet access and off-loads from them computationally intensive processes to enhance performance. To the outside world, the reverse proxy is the Web server, even though the actual content resides on the back-end server. When content is requested, the proxy either serves the content from its cache or obtains the content from a back-end Web server. If the reverse proxy is accelerating several different Web servers, the proxy (or Layer 4 switch) maintains Web-server mapping so that content can be obtained from the correct server. For example, in Slide 2-11, all requests going to http://www.site.com (or the corresponding IP address) are directed to the proxy.

Slide 2-12: Accelerating Web content

As shown in Slide 2-12, the reverse proxy sits outside the firewall and intercepts all traffic intended for the Web server. It then serves the requested content from its cache or gets the content from the back-end Web server and delivers it to the client (while caching it for subsequent requests). The Blue Coat SG appliances are built on proven proxy architecture with an optimized TCP stack to serve large amounts of HTTP and HTTPS traffic very quickly. Each appliance can service TCP connections an order of magnitude faster than a Web server running UNIX® or Windows® NT, efficiently off-loading TCP connections from Web servers. This is critical because some dynamic content, such as CGI scripts and Active Server Pages, cannot be cached.

To further accelerate Web content, the Blue Coat SG incorporates two patent-pending algorithms: Object Pipelining and Adaptive Refresh. Object Pipelining enables the Blue Coat SG to open as many simultaneous TCP connections as the Web application permits and retrieves objects in parallel. The objects are then delivered from the appliance straight to the user's desktop as fast as the browser can request them. Object Pipelining eliminates a large portion of the delay caused by the serial retrieval of objects. As a result, Blue Coat typically accelerates first-time Web page retrievals by 50 percent. Using Adaptive Refresh, the Blue Coat SG automatically performs "freshness checks" with the Web application to selectively update Web objects based upon their need to be renewed. This refreshing activity occurs independently of user requests and does not impact response times. The Adaptive Refresh algorithm significantly speeds subsequent requests by removing the latency involved in refreshing objects. This enables the Blue Coat SG to accelerate all static and dynamic content.

Slide 2-13: Securing corporate content

The illustration above shows how the Blue Coat SG securely isolates servers from direct Internet access, this time acting as an intermediary between corporate Web mail applications and the external clients that attempt to access them. The Blue Coat SG provides robust authentication and policy support and can either challenge users for identification or transparently check authentication credentials using an organization's existing security framework. By front-ending the Outlook® server, you can:
• Force users to authenticate before they gain access to the Outlook server.
• Scan uploaded content for viruses (when used with Blue Coat AV).

And by configuring the proxy to allow requests to specific paths on the Outlook server, you can successfully defeat all attacks that attempt to gain access to other directories on the server. To protect privacy, the Blue Coat SG can encrypt Web mail sessions using Secure Sockets Layer (SSL). For high-performance, low-latency virus scanning of all uploaded content to Web mail servers, the Blue Coat SG integrates with the Blue Coat AV and offers a choice of leading antivirus engines.

Slide 2-14: Mixed Deployment
1. Transparent proxy using a Layer 4 switch in a satellite office
2. Explicit proxy in a satellite office
3. Transparent proxy using WCCP in the main office
4. Bridging mode in a satellite office
5. Reverse proxy in a satellite office

In this slide you see how the same organization can deploy the Blue Coat SG differently in separate locations as well as in the same location. Slide 2-14 shows five different deployments in a single organization: four in satellite offices and one in the main office. There is no fit-all solution when it comes to deployment. Organizations can combine a variety of deployments in their different offices. You need to carefully consider each solution and determine which one fits your environment, policy, and budget/personnel constraints the best.

Chapter 3: Blue Coat SG Initial Setup

This section walks you through the steps you need to complete when setting up the Blue Coat SG for the first time. Some of the concepts also apply to reconfiguring an existing Blue Coat SG or one that has been restored to factory-default settings. The current chapter is a high-level overview of the entire setup, configuration, and licensing process. After you complete this chapter, you will do a lab exercise that walks you through the installation and registration process for your Blue Coat SG.

Blue Coat SG appliances ship with a pre-defined static IP address that can be used to access the Initial Configuration page, even before the appliance has an IP address associated with it. The pre-defined address is: https://proxysg.bluecoat.com:8083/ Using this page, you can fill out the initial configuration form and submit it.

There are three types of licensable components:
• Required: The SGOS base
• Included: Additional features provided by Blue Coat
• Optional: If applicable, any additional purchased features

When the license key file is created, it consists of all three components. The SGOS base is a required component of the license key file.

Slide 3-1: Access methods
Initial Setup Access
• Serial Console - Easy and reliable
• LCD/Keypad - A built-in interface for proxy configuration (most models)
• TCP/IP - Access reserved site https://proxysg.bluecoat.com:8083 - Blue Coat SG200-X in bridging mode only

Before beginning the installation, make sure that you have:
• Created a WebPower login and password. You need to contact Blue Coat Systems to obtain these.
• Assigned a static IP address for the Blue Coat SG.
• Gathered the netmask, default router, and default DNS information for the location where you want to install the Blue Coat SG.

Optionally you might need one of the following:
• A computer with a 9-pin serial port
• A terminal server with a port assigned to the new Blue Coat SG

The Blue Coat SG, depending on the actual model and OS version, allows you to use different methods for initial configuration. The easiest way to connect to a brand-new Blue Coat SG (or to a Blue Coat SG with an unknown configuration) is to use a serial console. From the serial console, you can configure the network parameters and the administrator and enable passwords. Blue Coat SG 400 and higher models allow you to configure the fundamental network parameters (including the admin password) via an LCD display. If you do not have a serial connection, you can set the IP address, connect the Blue Coat SG to the network, and then use an SSH client to connect to the Command Line Interface (CLI) to complete the configuration. For the Blue Coat SG200-X, you can use your browser for the initial configuration. For simplicity, you will do this in the lab exercise that follows this chapter.

Slide 3-2: Using serial connection
Serial Access Setup
• Initial Setup Console Wizard
  - Network Interface Setup (Required)
  - Admin Account Setup (Required)
  - Restrict Access Setup (Optional)
  - Forwarding Setup (Advanced Only / Optional)
• Press the Esc key to exit the Wizard without saving any changes

When you connect to a Blue Coat SG for the first time, the system forces you to enter the appropriate network parameters. If the system is already configured, you can opt to re-run the initial setup. During configuration, SSH, Telnet, and Management Console access can be restricted to a selected list (or range) of IP addresses. There are no risks associated with this procedure because you can always use the serial access to reconfigure those settings via the CLI.

You also have the option to set a password to protect serial access. While this may seem like a useful security feature, it can backfire. If the serial console password is lost, it cannot be retrieved — and you will have to send the Blue Coat SG back to Blue Coat to be restored to the original factory settings.

Note: You should not set a password to protect the serial access. Losing the password may force you to RMA your Blue Coat SG. To avoid this, you should control the serial access by physically securing access to the Blue Coat SG.

Slide 3-3: Levels of access to the CLI
Password Levels
• Create Administrator Account
  - Username and password are both case-sensitive
  - Both can be set to any alphanumeric value
• Two login levels
  - Basic Access
  - Enable Access

The Blue Coat CLI offers two sets of commands, a limited set for basic access and a more extensive set for advanced configuration. The basic access commands are available as soon as you log in with the appropriate username and password. The extensive set of commands is available in the enable mode. You need a separate password to enter enable mode. A user with enable mode access can completely alter the Blue Coat SG configuration and can change virtually any policy that has been implemented.

Note: The recommended best practice is to:
• Have your admin account set to something other than admin
• Use a strong password for the admin account
• Use a different and stronger password for the enable mode

Slide 3-4: License modules
Features Requiring Licensing
SGOS License
• Required
• Includes:
  - SGOS
  - HTTP, FTP, SOCKS
  - Compression
  - ICAP
  - Others
• Instant Messaging - Optional but free
Optional Add-on Licenses
• SSL
• Content Filtering
  - Blue Coat WebFilter
  - SmartFilter
• Premium Streaming

The Blue Coat SG, when operating in trial mode, allows you to use any of the available features. However, once you license the separate components, those that are not licensed cease to function — even if you are still in your initial, 60-day trial period. For example, suppose that you are in the trial period and are using a content-filtering license to block certain types of Web content. If after a week in trial mode, you decide to license your Blue Coat SG but do not license the content-filtering component, the content-filtering feature will not work — even if you, in theory, still have seven weeks to go in the trial period.

Slide 3-5: Licensing Blue Coat SG

To license Blue Coat SG and any separate components, you need to do the following:
1. Select the Install tab.
2. A browser window opens to the Blue Coat License Configuration and Management System.
3. Register your hardware and add the licenses for the components you have purchased.
Log in u s i n g y o u r W e b P o w e r User ID a n d P a s s w o r d . 28 . 3. 4. N o t e that y o u m u s t h a v e a valid W e b P o w e r account to proceed.Add licenses to your Blue Coat SG ® Retrieve the license key Slide 3 . click Retrieve.1 Licensing Installation Overview • Log in to WebPower * Register Blue Coat SG Serial Number . On the M a n a g e m e n t Console Install tab. Click the Register/Manage button. 6. Open the M a n a g e m e n t Console a n d select Maintenance > Licensing. y o u need to recreate the security certificate u s e d by t h e HTTPS-Console. y o u a l w a y s m u s t log on to the Blue Coat SG w i t h y o u r u s e r n a m e a n d p a s s w o r d . 1 The M a n a g e m e n t C o n s o l e is organized into three functional areas represented by tabs: • Configuration tab: U s e d to set up the Blue Coat SG a n d to create objects a n d p a r a m e t e r s u s e d to create policies. 1 . Note: If.Chapter 4: Blue Coat SG Graphical User Interface You u s e the c o m m a n d line interface (CLI) to perform the initial configuration of y o u r Blue Coat SG. Maintenance tab: U s e d to keep the Blue Coat SG up to date. and IP address of your appliance and the v e r s i o n of the SGOS it is r u n n i n g . the b r o w s e r asks y o u for a u s e r n a m e a n d p a s s w o r d .41:8082 After y o u enter the a d d r e s s . w h i c h y o u access securely (over HTTPS) on a n y client w i t h a Web browser. including the Visual Policy M a n a g e r (VPM). you also can view i n f o r m a t i o n f o r c o n f i g u r i n g y o u r browser. You also can u s e CLI to perform a n y task on y o u r appliance. The key c o m p o n e n t of the Blue Coat SG GUI is the M a n a g e m e n t Console. and access the Blue Coat S u p p o r t Web site. if the IP a d d r e s s configured d u r i n g first-time installation is 172. For security. links. serial n u m b e r . Statistics tab: U s e d to m o n i t o r the status a n d the health of Blue Coat SG. 
For example. F r o m the h o m e page. easy-to-use features.90. t y p e t h e following into a Web b r o w s e r ' s a d d r e s s w i n d o w : HTTPS. most users take a d v a n t a g e of t h e Blue Coat SG's graphical user interface (GUI) to perform m o s t configuration. m a n a g e m e n t . y o u can access the M a n a g e m e n t Console. T h e h o m e page also displays the m o d e l . 29 . a n d m o n i t o r i n g tasks.16. see an HTML v e r s i o n of the Configuration and Management Guide. w h i c h p r o v i d e s an easy w a y to create sophisticated policies w i t h o u t having to use C o n t e n t Policy L a n g u a g e (CPL).From t h e Blue Coat SG h o m e page. however. The rest of the course is b a s e d on the u s e of graphical tools. a n d p o r t 8082 (the default m a n a g e m e n t port). the Blue Coat SG IP address. buttons. a n d the b r o w s e r displays the Blue Coat SG h o m e page.90.16.41. w h e n y o u access the M a n a g e m e n t Console h o m e page. w i n d o w s . enter the following URL in the Web browser: https://172. To access t h e M a n a g e m e n t Console. It includes tabs. a n d other graphical. • • This chapter i n t r o d u c e s the elements of the M a n a g e m e n t Console. Enter the ones y o u established d u r i n g initial configuration. archive t h e configuration. You can license c o m p o n e n t s . a n d u p g r a d e or d o w n g r a d e SGOS. you get a "host mismatch" or an "invalid certificate" message. instant m e s s a g i n g (IM). External Services: Installing an ICAP server or creating a WebSense® off-box service. HTTP. a n d the b r o w s e r displays the a p p r o p r i a t e interface. LDAP. a n d archiving configurations. streaming.Blue Coat Educational Services — BCCPA Course v 1. setting priority for b a n d w i d t h a m o n g different classes. w h i c h y o u use to configure a w i d e range of settings: • General: Configuring the n a m e a n d serial n u m b e r of the Blue Coat SG. 
Slide 4-1: Management Console — Configuration tab
Management Console - Configuration
• Starting point for most tasks with Blue Coat SG
• Select options in left navigation bar
• Use options to change configurations
• Use options to create objects and parameters used to create policy

The Management Console's Configuration tab is the starting point for most of the tasks that you perform on the Blue Coat SG. You access this tab to change the appliance's configuration and create objects and parameters that you use in creating policies. Click an option in the left navigation bar, and the browser displays the appropriate interface, which you use to configure a wide range of settings:
• General: Configuring the name and serial number of the Blue Coat SG, configuring system time, and archiving configurations.
• Network: Configuring adapters and interface settings, software and hardware bridges, gateways, routing tables, and Domain Name Services (DNS) servers.
• Services: Configuring the many proxy services available on the Blue Coat SG, including Common Internet File System (CIFS), FTP, HTTP, HTTPS, instant messaging (IM), MAPI, SOCKS, SSL, streaming, and TCP-Tunnel.
• Application Delivery Network: Configuring Blue Coat SG appliances and byte caching to improve application traffic over the WAN.
• SSL: Creating keyrings, importing and creating certificates, checking the validity of certificates, and creating an SSL client.
• Access Logging: Enabling the logging of traffic through the Blue Coat SG, configuring access log settings, selecting an access log upload client, and setting an upload schedule.
• Policy: Setting the default proxy policy to deny or allow traffic, viewing and installing policy files, and accessing the VPM to create new policy.
• Authentication: Defining authentication realms, including Integrated Windows Authentication (IWA), LDAP, or RADIUS realms, and setting up forms-based authentication.
• Content Filtering: Configuring the Blue Coat SG to use Blue Coat WebFilter (BCWF) or a third-party application to block access to certain Web sites based on their content.
• Forwarding: Setting up forwarding, allowing you to define the hosts and groups of hosts to which client requests can be redirected.
• Health Checks: Configuring health checks on (and thus the availability of) a forwarding host or external server that is providing a service.
• External Services: Installing an ICAP server or creating a Websense® off-box service.
• Bandwidth Management: Controlling the amount of bandwidth used by different classes of network traffic, and setting priority for bandwidth among different classes.

Slide 4-2: Management Console — Maintenance tab
Management Console - Maintenance
• Starting point for variety of maintenance tasks
• Restart appliance, restore defaults, clear caches
• Upgrade SGOS, license new features
• Configure health monitoring, use diagnostic tools

The Management Console's Maintenance tab allows you to perform many different maintenance tasks, including:
• Restarting the Blue Coat SG, restoring the system to its default settings, and clearing the DNS, object, and byte caches.
• Upgrading or downgrading the SGOS: You can download an upgrade through the Internet and install it. You also can download it to your PC and install it from there.
• Viewing the status of your software licenses and licensing new features you have purchased.
• Configuring the Blue Coat SG's health-monitoring features, such as setting warnings for system performance and license expiration.
• Setting up event logging: specifying the types of system events logged, the size of the event log, and whether the appliance sends an e-mail notification if a certain event is logged.
• Enabling Simple Network Management Protocol (SNMP), which allows you to monitor the Blue Coat SG.
• Using diagnostic tools to enable Blue Coat Support to assist you in troubleshooting your system.
Slide 4-3: Management Console — Statistics tab
Management Console - Statistics
• Allows you to view statistics graphically
• Statistics include
  - System usage
  - HTTP/FTP, CIFS, MAPI, and byte-caching history
  - Resources
  - Efficiency
• Take disks offline, put them online

The Statistics tab enables you to gather information about system operations and view them graphically. The types of statistics you can view include:
• System usage
• HTTP/FTP, CIFS, MAPI, and byte-caching history
• IM and streaming media history
• Resources
• Efficiency
• Bandwidth management

In addition, the General option on the Statistics tab provides information about system configuration and the status of hardware sensors, and allows you to take disks offline and online.

The Visual Policy Manager (VPM) is a graphical policy editor included with the Blue Coat SG. You launch the VPM from the Management Console. It translates your commands into CPL so you do not need in-depth knowledge of the language to create policies. You do not need to edit policy files manually. Policies enable you to apply your organization's rules through the Blue Coat SG. For example, you can deny users access to .mpeg files during business hours or prevent them from ever accessing gaming or pornography sites. Any combination of triggers and actions can be combined to control employees' use of network resources.

Before discussing the VPM in more detail, it is necessary to discuss some basic terminology:
• Policy: A policy is the aggregation of all variables that define a practical business rule. For example, an organization's administrative access policy defines who is allowed to access the VPM and how those users will be authenticated. This concept can also be defined as a list of triggers and property settings.
• Rule: A rule is a set of variables that define a method or action. Rules define "who, what, where, when, and how."
• Layer: A layer is a group of rules pertaining to the same family of policy. For example, the Admin Access Layer may contain a list of users allowed to access the VPM while the Web Access Layer defines what sites clients can access. Each layer has its own tab in the GUI.

Slide 4-4: VPM — layers
Visual Policy Manager - Policy Layers

In the VPM, policies are grouped into layers that use triggers and actions to apply rules. Policies often depend on a combination of these different layers. The combined layers work together to perform a certain task. For example, an Authentication layer determines if a user or client must authenticate, and an Access layer subsequently determines where that user or client can go (what Blue Coat SG or Web sites they can access) once they are authenticated. Authentication and Access layers usually accompany each other.

The order of policy layers is of critical importance. The Blue Coat SG evaluates policy layers in the order in which they are listed in the VPM (from left to right). When the Blue Coat SG goes through policy layers, it does not execute a given rule within the layer immediately. Instead, it compiles a list of all the rules that meet the condition, and then, when it has gone through all the policy layers, it evaluates the list, resolves any apparent conflicts, and then executes the required actions. If there is a conflict between rules in different policy layers, the matching rule in the policy layer evaluated last takes precedence: the Blue Coat SG applies the rule evaluated last. Therefore, the most effective rule is the first matching rule in the last layer.

Slide 4-5: Types of VPM layers
VPM Policy Layers
• Admin Authentication
• Admin Access
• SSL Access
• Web Authentication
• Web Access
• Web Content
• Forwarding
• DNS Access
• SOCKS Authentication
• SSL Intercept

The following list describes the VPM layers:
• Administration Authentication: Determines how administrators accessing the Blue Coat SG must authenticate.
• Administration Access: Determines who can access the Blue Coat SG to perform administrative tasks.
• SSL Access: Determines the allow/deny actions for HTTPS traffic.
• Web Authentication: Determines whether user clients that access the proxy or the Web must authenticate.
• Web Access: Determines what resources user clients accessing the proxy or the Web can access and any restrictions that apply.
• Web Content: Determines caching behavior, such as verification and ICAP redirection.
• Forwarding: Determines forwarding hosts and methods.
• DNS Access: Determines how the Blue Coat SG processes DNS requests.
• SOCKS Authentication: Determines the method of authentication for accessing the proxy through SOCKS.
• SSL Intercept: Determines whether to tunnel or intercept HTTPS traffic.

Slide 4-6: Properties of rules in the VPM
Visual Policy Manager - Rules

A rule is an action within a policy layer. A policy layer can contain multiple rules. Each rule is numbered and listed in a separate row. The Blue Coat SG evaluates the rules in the order in which they are listed in a policy layer (from top to bottom). If multiple rules exist within a policy layer, the Blue Coat SG finds the first one that matches a given situation, ignores the remaining rules, and goes on to the next policy layer. As the Blue Coat SG scans the layers, it records the first matching rule in each layer. Remember, when the Blue Coat SG finds a matching rule, it moves to the next layer without evaluating the remaining rules. If a conflict arises, the Blue Coat SG applies the rule evaluated last.

Consider the following simple example. Assume that a company has a policy that prohibits everyone from accessing the Web. This is a policy that is easy to create with a Web Access Layer rule. However, there are likely to be exceptions to such a broad policy. For example, you require the manager of the purchasing department to be able to access the Web sites of suppliers. Members of the sales department need to access their customer Web sites. Creating Web Access rules for both these situations is also simple. But if you put all these rules in a single policy layer, rule order is important. This is particularly true for the Web Access Layer. Therefore, because policies are evaluated from left to right and rules are processed from top to bottom, the rule prohibiting access to everyone must be ordered last, or the other two rules are not applied.

Slide 4-7: VPM processing order
Visual Policy Manager Layer Processing Order

As you can see in the illustration above, layers are processed from left to right and rules are processed from top to bottom. When evaluating rules, Blue Coat SG finds the first matching rule and moves on to the next layer. Rules in the last layer always take precedence because they are evaluated last.

Consider a simple example. XYZ Company wants to block the publications group from accessing the playboy.com Web site. To accomplish this, the administrator creates a new Web Authentication Layer and adds a new Force Authentication Object for the pubs (NTLM) realm (previously created in the Management Console), as shown in the illustration below.

Figure 4-1: Forcing the publications group to authenticate using the existing NTLM realm

The figure below shows the finished Web Authentication Layer.

Figure 4-2: Web Authentication Layer rule

Next, the administrator creates a new Web Access Layer and adds a new Destination Host/Port rule for the destination playboy.com, as shown in the illustration below.

Figure 4-3: Adding the Destination Host/Port object

The finished Web Access Layer is shown in the illustration below.

Figure 4-4: Finished Web Access Layer

The result of the administrator's actions is as follows:
• Members of the publications group must authenticate using their NTLM realm credentials.
• Members of the publications group are blocked from accessing playboy.com.

The generated CPL for these actions is:

    define condition HostPort1
        url.host.exact="www.playboy.com" url.port=80
    end condition HostPort1

    ; Tab: [Web Authentication Layer (1)]
    <Proxy>
        authenticate(pubs) authenticate.force(yes) authenticate.mode(auto)   ; Rule 1

    ; Tab: [Web Access Layer (1)]
    <Proxy>
        condition=HostPort1 Deny   ; Rule 1
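The evaluation order this chapter describes (layers left to right, the first matching rule per layer, the last layer's match wins) can be modelled in a few lines. The following is an added example, not course material or Blue Coat code; it replays the pubs/playboy.com scenario above and also shows the rule-order trap the chapter warns about, where an allow rule placed above the deny rule in the same layer silences it. Layer and rule names are constructed for the illustration.

```python
"""Model of how the Blue Coat SG resolves VPM policy layers and rules.

Added example, not course material or Blue Coat code. It encodes the
Chapter 4 evaluation order: layers are walked left to right, the first
matching rule in each layer is recorded, and the match from the last
layer takes precedence. The scenario is the chapter's own (force
authentication against the pubs realm, then deny www.playboy.com);
layer and rule names are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class Request:
    host: str
    port: int
    user: Optional[str] = None     # constructed: who is asking
    authenticated: bool = False    # set once an authenticate rule fires


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str                    # "authenticate", "allow" or "deny"


@dataclass
class Layer:
    name: str                      # VPM tab name, e.g. "Web Access Layer (1)"
    rules: List[Rule] = field(default_factory=list)


def first_match(layer: Layer, req: Request) -> Optional[Rule]:
    """Rules run top to bottom; the first match ends the layer's evaluation."""
    for rule in layer.rules:
        if rule.matches(req):
            return rule
    return None


def evaluate(layers: List[Layer], req: Request) -> List[Tuple[str, Rule]]:
    """Walk layers left to right, recording one matching rule per layer.

    Nothing is executed during the scan; the SG resolves the collected
    list afterwards, and a conflict goes to the layer evaluated last.
    """
    recorded = []
    for layer in layers:
        rule = first_match(layer, req)
        if rule is None:
            continue
        recorded.append((layer.name, rule))
        if rule.action == "authenticate":
            # A Web Authentication Layer match means the client has logged
            # in by the time later layers see the request.
            req.authenticated = True
    return recorded


def decide(layers: List[Layer], req: Request) -> str:
    """Final verdict: the last recorded allow/deny (default policy: allow)."""
    verdicts = [r.action for _, r in evaluate(layers, req) if r.action != "authenticate"]
    return verdicts[-1] if verdicts else "allow"


# The chapter's scenario --------------------------------------------------
def host_port1(req: Request) -> bool:
    """The Destination Host/Port object from the generated CPL."""
    return req.host == "www.playboy.com" and req.port == 80


web_auth = Layer("Web Authentication Layer (1)", [
    Rule("authenticate(pubs) force(yes)", lambda r: True, "authenticate"),
])
web_access = Layer("Web Access Layer (1)", [
    Rule("HostPort1 Deny", host_port1, "deny"),
])

# Same layer with an extra rule placed ABOVE the deny: "authenticated users
# may reach any port-80 content". Being first, it is the only rule that
# counts for this request, so the deny below it is never reached.
web_access_reordered = Layer("Web Access Layer (1)", [
    Rule("authenticated port 80 Allow", lambda r: r.authenticated and r.port == 80, "allow"),
    Rule("HostPort1 Deny", host_port1, "deny"),
])


def pubs_request() -> Request:
    return Request(host="www.playboy.com", port=80, user="pubs member")


def verdict_as_configured() -> str:
    return decide([web_auth, web_access], pubs_request())            # "deny"


def verdict_with_rule_above_deny() -> str:
    return decide([web_auth, web_access_reordered], pubs_request())  # "allow"


def verdict_with_allow_layer_last() -> str:
    # Layer order matters as much as rule order: an allow-all layer placed
    # to the right of the deny layer is evaluated last, so its match wins.
    allow_all = Layer("Web Access Layer (2)", [Rule("Allow all", lambda r: True, "allow")])
    return decide([web_auth, web_access, allow_all], pubs_request())  # "allow"


if __name__ == "__main__":
    print(verdict_as_configured(), verdict_with_rule_above_deny(), verdict_with_allow_layer_last())
```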
However, consider what happens when the administrator adds a new Web Access rule as shown in the illustration below:

Figure 4-5: Adding a new Web Access rule

Suppose that a member of the pubs realm again attempts to access www.playboy.com. In this example, the Web Authentication Layer is evaluated first, forcing the user to authenticate. After the user has authenticated, the Web Access Layer is evaluated. The first rule states that authenticated users can access any content served over port 80. Since this rule matches the user request (authenticated user attempting to access www.playboy.com over port 80), the user is allowed to access the site, even if the original intention was to use the second rule to block access. As discussed earlier, layers are evaluated from left to right and rules are evaluated from top to bottom. When multiple rules exist within a policy layer, the Blue Coat SG finds the first one that matches a given situation, ignores the remaining rules, and goes on to the next policy layer. So remember to order your layers and rules accordingly.

The concept that you must remember is: layers are evaluated from left to right, and rules are evaluated from top to bottom.

Chapter 5: Services

The Blue Coat SG's Management Console includes a Services feature that enables you to easily configure which traffic needs to be processed or ignored. Unless there is a service, set to yes, the connection will not be terminated by the proxy. Depending on the specific deployment mode, traffic that is not terminated may be dropped or forwarded to the next available hop, but it is not processed against the existing policies.

Slide 5-1: Service Ports
Service Ports

The Management Console makes it easy for you to configure services on your Blue Coat SG. The Service Ports feature allows the Blue Coat SG to communicate with other systems (clients, servers, other proxies, etc.). A service port defines the ports and addresses where the Blue Coat SG listens for incoming requests. These services run on the Blue Coat SG and include Management Consoles and Application Proxies. Each service is associated with a proxy type, and a variety of attributes can be defined, depending on the proxy type. Additional services can be added as and when needed.

Services define the ports for which the Blue Coat SG listens for requests. The Blue Coat SG ships with a number of predefined services, and you can create additional services as needed. Each service can be applied to all IP addresses of the Blue Coat SG or limited to individual IP addresses. A variety of attributes can be defined for each service, which matches the destination TCP port and the IP address range for an incoming transaction.

Management Consoles

These consoles are designed to allow you access to the Blue Coat SG. The Blue Coat SG ships with a number of predefined consoles designed to manage the system and communication with the system. Some of the consoles are created and enabled by default on the Blue Coat SG: the HTTPS and SSH consoles are created and enabled by default, whereas the HTTP and Telnet consoles are created but disabled by default because of security concerns.
• HTTPS Console: The HTTPS Console provides secure access to the Management Console through the HTTPS protocol. The default is HTTPS over port 8082. The Blue Coat SG ships with an HTTPS Console already created and enabled, allowing you to simultaneously access the Management Console using any IP address belonging to the box as well as any of the Blue Coat SG's virtual IP (VIP) addresses. You can create multiple management HTTPS consoles, but you do not need to create other HTTPS Consoles unless you need them for other purposes.
• HTTP Console: The HTTP Console is meant to allow you to access the Blue Coat SG if you require a less secure environment. The default HTTP Console is already configured; you must enable it before it can be used. You can create and use more than one HTTP Console as long as the IP address and the port do not match the existing HTTP Console settings.
• SSH Console: The SSH Console is created and enabled by default. This console allows you access to the Blue Coat SG through the CLI with your SSH service. Only one SSH Console can exist on the Blue Coat SG, and by default SSH is created and enabled. If you inadvertently deleted the SSHv1 and SSHv2 host keys from the system at the same time, you automatically disabled the SSH Console and must enable the SSH Console after you create a host key.
• Telnet Console: The Telnet Console allows you to connect to and manage the Blue Coat SG using the Telnet protocol. Remember that Telnet is an insecure protocol that should not be used in insecure conditions. Blue Coat Systems recommends against using Telnet because of the security hole it creates.

Application Proxies

The various Application Proxies available on the Blue Coat SG are Instant Messenger (IM), MMS, RTSP, SOCKS, FTP, HTTP, and HTTPS. The Blue Coat SG ships with a number of predefined proxy services. These services are disabled by default and are configurable on the Blue Coat SG.

Slide 5-2: Service port actions
Service Port Action

If a listener detects traffic, the service port actions define whether that traffic is intercepted or ignored. An action can be performed only if the traffic matches the proxy listener. There are two possible actions: yes and no.
• Yes: Tells the proxy service to intercept and proxy any traffic that matches the proxy listener. If policies exist for the proxy service, they will be enforced.
• No: Tells the proxy service to ignore any traffic that matches the proxy listener. Policies would not be enforced on the traffic.

By default, the action for each service is set to no. The table below lists the proxy services and listeners which ship with Blue Coat SG.

Important: Blue Coat SG matches the services from the most specific to the least specific. The Default service is matched only if a more specific service is not available.

Table 5.1: Proxy Port Services

Service Name         Default Port                                             Status
AOL-IM               5190 (transparent and explicit)                          No
DNS                  53 (both transparent and explicit)                       No
EPMapper             135 (both transparent and explicit)                      No
FTP                  21 (transparent and explicit)                            No
HTTP                 80 (transparent and explicit) and 8080 (explicit only)   Yes
HTTP-Console         8081                                                     No
HTTPS                                                                         No
HTTPS-Console        8082                                                     Yes
MMS                  1755 (transparent and explicit)                          No
MSN-IM               1863 (transparent and explicit) and 6891 (transparent and explicit)   No
RTSP                 554 (transparent and explicit)                           No
SOCKS                1080                                                     No
SSH-Console          22                                                       Yes
Telnet Shell proxy   23                                                       No
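The listener matching just described (destination port plus destination address range, most specific listener first, then the yes/no action) is easy to get wrong when a narrow listener overlaps a shipped catch-all one. The following is an added example, not course material or Blue Coat code: it loads the Table 5.1 listeners and their default status, then adds a constructed narrower listener to show which one wins and what the resulting disposition is. Address ranges and sample transactions are constructed.

```python
"""Model of Blue Coat SG service-port matching: listeners, specificity, action.

Added example, not course material or Blue Coat code. It encodes the
Chapter 5 rules: a listener matches an incoming transaction on destination
port and destination address range, the most specific listener wins, and
the action decides intercept (yes) versus ignore (no). The listener table
is taken from Table 5.1; the address ranges and transactions are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Listener:
    service: str
    port: int
    network: str = "0.0.0.0/0"   # destination address range ("All" in the GUI)
    action: str = "no"           # "yes" = intercept and proxy, "no" = ignore

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return (dst_port == self.port
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.network))

    def specificity(self) -> int:
        # A narrower destination range is more specific: a /32 beats a /0.
        return ipaddress.ip_network(self.network).prefixlen


# Table 5.1 listeners with their shipped default action (HTTPS has no port listed).
DEFAULT_LISTENERS: List[Listener] = [
    Listener("AOL-IM", 5190),
    Listener("DNS", 53),
    Listener("EPMapper", 135),
    Listener("FTP", 21),
    Listener("HTTP", 80, action="yes"),
    Listener("HTTP", 8080, action="yes"),
    Listener("HTTP-Console", 8081),
    Listener("HTTPS-Console", 8082, action="yes"),
    Listener("MMS", 1755),
    Listener("MSN-IM", 1863),
    Listener("MSN-IM", 6891),
    Listener("RTSP", 554),
    Listener("SOCKS", 1080),
    Listener("SSH-Console", 22, action="yes"),
    Listener("Telnet Shell proxy", 23),
]


def select_listener(listeners: List[Listener], dst_ip: str, dst_port: int) -> Optional[Listener]:
    """Return the matching listener, preferring the most specific address range."""
    candidates = [l for l in listeners if l.matches(dst_ip, dst_port)]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l.specificity())


def disposition(listeners: List[Listener], dst_ip: str, dst_port: int) -> str:
    """'intercept', 'ignore', or 'no service' for one incoming transaction."""
    listener = select_listener(listeners, dst_ip, dst_port)
    if listener is None:
        # No listener: the connection is not terminated by the proxy; it is
        # dropped or forwarded depending on the deployment mode.
        return "no service"
    return "intercept" if listener.action == "yes" else "ignore"


# Constructed: an administrator adds a port-80 listener limited to one internal
# subnet with action "no", so HTTP to that subnet is ignored while the shipped
# catch-all HTTP/80 listener (action "yes") keeps intercepting everything else.
CUSTOM_LISTENERS = DEFAULT_LISTENERS + [Listener("HTTP", 80, "10.1.1.0/24", action="no")]


if __name__ == "__main__":
    for ip, port in [("192.0.2.10", 80), ("10.1.1.5", 80), ("192.0.2.10", 21), ("192.0.2.10", 443)]:
        print(ip, port, disposition(CUSTOM_LISTENERS, ip, port))
```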
Slide 5-3: Service port actions - ignored traffic
Service Port Action

Slide 5-3 discusses the client connection status when the Blue Coat SG service is set to No and the traffic is ignored:
1. Verify if the Blue Coat SG is in a router mode set-up. Under a router mode set-up, the client default gateway is set to the IP address of the proxy. If the Blue Coat SG is not in default router mode, the connection is refused.
2. Verify if IP forwarding is enabled under the Blue Coat SG. If it is enabled, the Blue Coat SG will not terminate the client connection and will forward the traffic. If IP forwarding is disabled, then the client connection is refused.
3. The service then determines if the Blue Coat SG is set up in a bridging mode. When the Blue Coat SG is in bridging mode and the service is set to yes, the traffic is forwarded and the Blue Coat SG does not terminate the client connection.
4. Under an explicit proxy set-up, if the service is set to no, the client connection is refused.

Slide 5-4: Service Attributes
Proxy Service Attributes
• Attributes define the default parameters for the proxy service
  - Only apply when action is set to Yes
• Attributes vary for different proxy types
  - Dependent on protocol

The service attributes define the default parameters for a proxy service. It is important to understand service attributes because they affect how the proxy service will process traffic. Attributes vary based on the proxy type the service is using, and depending on the protocol, not all attributes are available. SSL version attributes are available only for HTTPS Reverse Proxy. Described below are the various attributes on the Blue Coat SG:
• Explicit: Enables or disables the explicit attribute for the port. Explicit allows connections to a Blue Coat SG IP address. For example, if DNS redirection is used to direct traffic to the Blue Coat SG, the explicit flag on its services must be enabled, as these connections are routed through DNS to the Blue Coat SG's IP address.
• Transparent: Enables or disables the transparent proxy attribute for the port. This allows connections to any IP address other than those belonging to the Blue Coat SG.
• Authenticate-401: All transparent and explicit requests received on the port always use transparent authentication (cookie or IP, depending on the configuration). This is especially useful to force transparent proxy authentication in some proxy-chaining scenarios.
• Send Client IP: Enables or disables sending of the client's IP address instead of the Blue Coat SG's IP address.

Chapter 6: Hypertext Transfer Protocol

The idea of hypertext was first introduced by Tim Berners-Lee at CERN in Geneva, Switzerland. The impetus behind his idea was the need for a better way of organizing long and complex documents. The HTTP protocol is the application-layer protocol used to deliver Web-based content. The original version (HTTP 1.0) is described in RFC 1945. The current version of HTTP (HTTP 1.1) is described in RFC 2616.

Before going into more detail about the HTTP protocol, it is important that you become familiar with key concepts of HTTP and its architecture. Generally, RFCs do a great job of explaining the intended purpose of the technology. RFC 1945 is no exception: "The Hypertext Transfer Protocol (HTTP) is an application-level protocol with the lightness and speed necessary for distributed, collaborative, hypermedia information systems."

The most important part of the preceding paragraph is that HTTP is a Layer 7 protocol, indicating that it is completely independent from the underlying network architecture.
• Connection: A transport-layer virtual circuit established between two application programs for the purpose of communication.
• Message: The basic unit of HTTP communication, consisting of a structured sequence of octets matching the syntax defined later on and transmitted via the connection. Messages are passed in a format similar to that used by Internet Mail and the Multipurpose Internet Mail Extensions (MIME).
• Request: A message containing an HTTP request.
• Response: A message containing the response to an HTTP request.
• Resource: A network data object or service which can be identified by a URI.
• Uniform Resource Identifier (URI) and Uniform Resource Locator (URL): These indicate the resource on which a method is to be applied.
• Client: A software application that sends requests to a server (see below) over an established connection.
• Server: A software application (even so-called appliances run a software application of some sort) that accepts connections from a client and sends back responses. This should not be confused with the concept of a physical machine or with server (daemon) software. Any given program may be capable of being both a client and a server; the term describes the role played on a particular connection, rather than the program's capabilities in general.
• Proxy: An intermediary program which acts as both a server and a client; a proxy makes requests on behalf of other clients. Client requests are serviced internally or are passed to another server. The application poses as a server for the initial client and acts as a client for the remote server; this is why it is considered both a client and a server. A proxy can also translate or modify the request it receives from the client and send it to the server or to other servers. Proxies can also be used as "helper applications" for handling requests via protocols not implemented by the user agent.
• Gateway: A gateway is a server that acts as an intermediary for another server. Unlike a proxy, a gateway receives requests as if it were the origin server for the requested resource; the requesting client may not be aware that it is communicating with a gateway. Gateways are often used as server-side portals through network firewalls and as protocol translators for access to resources stored on non-HTTP systems.
• Tunnel: A tunnel is an intermediary program which acts as a blind relay between two connections. Once active, a tunnel is not considered a party to the HTTP communication, though the tunnel may have been initiated by an HTTP request. The tunnel ceases to exist when both ends of the relayed connection are closed. Tunnels are used when a portal is necessary and the intermediary cannot, or should not, interpret the relayed communication.
• Cache: A cache stores cacheable responses to reduce response time and network bandwidth consumption for future requests for the same content.
A n y client or server m a y include a cache (though a cache cannot be u s e d by a server while it is acting as a tunnel).1 Cache: A cache is a p r o g r a m ' s local store of response messages a n d the s u b s y s t e m that controls m e s s a g e storage. Note: Portions of the following content are from RFC 1945 C o p y r i g h t (C) The Internet Society (1996) a n d RFC 2616 C o p y r i g h t (C) The Internet Society (1999). or t u n n e l — c h a n g i n g behavior to a d d r e s s the n e e d s of each request. any server m a y act as an origin server. o u r use of these t e r m s refers only to the role p e r f o r m e d by the p r o g r a m for a particular connection. 50 . most Web d o w n l o a d s are not d o n e w i t h FTP."Application-level protocol with the lightness and speed necessary for distributed. Several client-server applications use HTTP as a c o m m u n i c a t i o n protocol.Chapter 6: Hypertext Transfer Protocol HTTP Protocol • Definition . A l t h o u g h HTTP w a s d e s i g n e d to deliver Web content a n d hyperlink-based text. hypermedia information systems" • Different versions available . You s h o u l d consider the protocol's longevity as a reflection of its scalability and reliability. You can u p l o a d a n d d o w n l o a d files of any kind. This chapter is d e s i g n e d to be a brief introduction to the HTTP protocol.HTTP/1. It w a s first described in 1996.HTTP/0.9 . collaborative.MIME is used to " t r a n s f o r m " binary files into ASCII files 51 .1 : History of HTTP H T T P is probably one of the most c o m m o n l y u s e d protocols. M I M E encoding enables H T T P to transfer binary files. 1 1 . it is n o w used to carry m a n y different types of content. a n d its latest u p d a t e w a s in 1999.1 described in RFC 2616 (June 1999) Slide 6 .HTTP/1. but w i t h H T T P directly from a Web browser.0 described in RFC 1945 (May 1996) . Today. After processing the response. For example. 
HTTP Protocol
• The client always initiates the connection
• The server cannot initiate a connection

Slide 6-2: The HTTP request/response flow
An HTTP transaction is always initiated by the client. The client sends a request to the server. The server processes the request and returns a response. Responses without a previous request are ignored; in essence, the client rejects all unsolicited traffic. When the server needs to send more information than requested by the client, it must send instructions about that information to the client. For example, when a client downloads a Web page, the server returns the requested page (object), which includes instructions for downloading objects (links). After processing the response, the client may or may not issue new requests for the objects listed in the links. It is up to the client to decide whether those requests should be initiated or not.

HTTP URL
["http:" "//" host_name [ ":" port ] [ abs_path [ "?" query ]]]
• Host name is case-insensitive, even for UNIX-based Web servers
• Default port is 80

Slide 6-3: HTTP URL
Most TCP-based protocols have a well-known port assigned to them. In theory, you should specify the TCP port every time you are making a connection to a remote host, unless the protocol used has a pre-defined, well-known port assigned to it. The default TCP port for HTTP is 80. For example, the two requests listed below are identical:
http://www.bluecoat.com:80
http://www.bluecoat.com

After specifying the hostname, you can specify the resource you want from the server (page, image, files, etc.). You must specify the full path (as seen by the Web server) for that resource. Resources are separated from the hostname and from each other by the / character. For example, the following URLs request two different resources on a Web site:
http://www.bluecoat.com/resources/training/index.html
http://www.bluecoat.com/images/BCS_leftnav_resources.jpg

In the request, you can also pass parameters that a script (running on the Web server) can process and use to return a specific page based on your previous selections:
http://www.bluecoat.com/test.cgi?parameter=value (2)
Parameters are separated from the script name by the ? character and from each other by the & character. Special characters in the URL are represented by their hexadecimal ASCII code, preceded by the symbol %. For example:
http://www.bluecoat.com/this is a sample.html is an invalid URL
http://www.bluecoat.com/this%20is%20a%20sample.html is a valid URL (2)

(2) Not an actual URL on the Blue Coat Web site.

HTTP Message
• Two types of messages: Request, Response
• Two parts of the message: Headers, Data

Slide 6-4: HTTP message
You have seen on previous pages how an HTTP transaction is a sequence of requests and subsequent responses between a client and a server. Both the request and the response are logically divided in two sections. The initial part contains information relevant to the connection between the client and the server. The second part contains the actual data. The client and server must agree on a series of parameter and protocol specifications before any data can be sent. For example, a range of character encodings can be offered, but the client and server must agree on which to use. These details are "discussed" in the header section, thus controlling the communication parameters between client and server. For example, the server response might differ for clients using HTTP/1.0 than for those using HTTP/1.1. Once the client and server have agreed on all relevant communication parameters, data delivery begins.
Note: The Blue Coat SG allows you to have granular control over request and response headers.

Request Methods
• GET: Retrieves whatever information (in the form of an entity) is identified by the URL. Changes to a conditional GET if the request message includes an If-Modified-Since or similar header.
• HEAD: Identical to GET except that the server MUST NOT return a message-body in the response.

Slide 6-5: The GET and HEAD request methods
The GET request method instructs the server to retrieve the information identified by the request URL. GET is used to ask for a specific document; when you click on a hyperlink, GET is used. For example:
GET /sampletext.html HTTP/1.1
If the URL refers to a process, such as Common Gateway Interface (CGI), the processed data is returned in the response and not the source text of the process. The GET method can be conditional, if the request message includes an If-Modified-Since, If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. What this means is that the requesting agent has indicated that the content should be returned only if it meets the specified condition. The conditional GET method is intended to optimize the delivery of cached data by reducing the number of unnecessary connections to the Web server. Responses to a GET request are cacheable if and only if the request meets the requirements for HTTP caching described in Section 13 of the RFC.
The HEAD request method is identical to the GET method except that HEAD returns only the message headers and not the message body. HEAD can be used to obtain metainformation about the entity, for example the validity and accessibility of hypertext links. The response to a HEAD request can be used to update previously cached data from that resource; if the headers indicate that the cached data has been modified, then the proxy must treat its cached data as stale.

Request Methods
• POST: Designed to allow a uniform method to cover the following functions:
  - Posting a message to a bulletin board, newsgroup, mailing list or similar group of articles
  - Providing a block of data, such as the result of submitting a form, to a data-handling process
  - Extending a database through an append operation
• CONNECT: Reserved for use with a proxy that can dynamically switch to being a tunnel (e.g. SSL tunneling)

Slide 6-6: The POST and CONNECT request methods
The POST request method is used to send data to the server to be processed in some way. For example, POST is used to return the results of Web shopping cart forms. POST requests are different from GET requests in the following ways:
• A block of data is included in the message body of the request.
• The request URI refers to the program that will process the data instead of a resource to be retrieved.
• The response is the program output and not fixed content.
The most common use of POST is to submit HTML form data to CGI scripts. The CGI script receives the message body through STDIN and decodes it. You can use a POST request to send whatever data you want, not just form submissions. The only stipulation is that the receiving program must agree on the format.
The CONNECT request method is used to direct Web proxies that provide SSL tunneling. CONNECT signals the proxy to switch to a secure tunnel connection on TCP virtual port 443 to support HTTPS connections through the proxy.

Response Codes
• Sample Success Code: 200 OK
• Sample Client Error: 404 Page Not Found
• Sample Server Error: 500 Internal Server Error

Slide 6-7: HTTP response codes
HTTP uses a set of response codes to communicate messages from the server to the client. There are five groups of response codes:
• 1xx: Used for notifications
• 2xx: Used to indicate some sort of successful request
• 3xx: Used to redirect the client from the requested URL to a new one
• 4xx: Used to notify the client of an error on its part
• 5xx: Used to notify the client of an error on the server's part
You should interpret the term "error" cautiously. For example, authentication requests are handled using the 4xx messages. When a client requests a password-protected resource, the server replies with a 401 error. While that is not an error per se, HTTP handles it as such.

HTTP Protocol
Request:
GET / HTTP/1.1
Host: www.google.com
User-Agent: Firefox/1.0
Accept: text/xml

Response:
HTTP/1.x 200 OK
Content-Type: text/html
Server: GWS/2.1
Content-Length: 1121
Date: Wed, 05 Jan 2005 22:09 GMT

Slide 6-8: Client request and server response
In this slide you can see some of the headers that are being exchanged between a client and a server during the first round of requests and responses. Note: This is only an example. The client issues a request specifying a method, a resource, and the protocol version. The method is GET, which is the most commonly used one; it enables the client to retrieve the requested resource from the server. The resource is /, which indicates the root of the Web server. Web servers associate a default file name with the root of a directory (index.htm, default.htm, welcome.htm, etc.); different servers use different default names. GET / HTTP/1.1 and GET /index.htm HTTP/1.1 therefore return the same data. The Host field (mandatory for HTTP/1.1) is used when there are one or more virtual servers associated with the same IP address. The client also specifies that it is waiting for text or XML data. The server replies with a 200 OK message, indicating that the request is valid and has been accepted. The response will be 1,121 bytes.

Cascaded HTTP Requests
• The intermediate device is both a client and a server
• There can be any number of intermediate devices

Slide 6-9: Cascaded HTTP requests
HTTP allows a request (and consequently, a response) to traverse any number of HTTP-aware devices. The most common example is a proxy server. This device is a server for the client (on the left-hand side of the slide) and is a client for the server (on the right-hand side of the slide). The proxy can then forward the request directly to the origin content server (OCS) or to another proxy. The same concept applies to the other proxies in the chain. There is no predefined limit to the number of proxy servers or similar devices that a request can traverse. In general, the client making the initial request is aware that it is talking to the server through a proxy server. The client is usually aware, at least in general terms, of the very first proxy in the chain. However, the server is at most not capable of distinguishing the actual client from a proxy server, which is logical (especially if HTTP/1.0 is used) because there is no Host header.
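The URL rules from Slide 6-3 and the message layout, methods and response codes from Slides 6-4 to 6-8, carried out in Python as an added example (not course material or Blue Coat SG code). The sample request and response are constructed after Slide 6-8, and the request parser also accepts the absolute-URL request line that a proxy-aware client sends.

```python
"""Parse HTTP URLs and messages as Chapter 6 describes them.

Added example; not part of the BCCPA course or Blue Coat SG code.
The request and response below are constructed, modelled on Slide 6-8.
"""
from urllib.parse import unquote

# Header fields that turn a GET into a conditional GET (Slide 6-5).
CONDITIONAL_HEADERS = {"if-modified-since", "if-unmodified-since",
                       "if-match", "if-none-match", "if-range"}
# The five response-code groups from Slide 6-7.
CODE_CLASSES = {1: "notification", 2: "success", 3: "redirect",
                4: "client error", 5: "server error"}


def parse_http_url(url):
    """Split "http:" "//" host_name [":" port] [abs_path ["?" query]].

    The host is lowercased (host names are case-insensitive), the port
    defaults to 80, the path to "/", %XX escapes are decoded, and a
    literal space makes the URL invalid.
    """
    if " " in url:
        raise ValueError("spaces must be %20-encoded")
    if not url.lower().startswith("http://"):
        raise ValueError("only http:// URLs are handled here")
    authority, _, path_query = url[len("http://"):].partition("/")
    host, _, port = authority.partition(":")
    path, _, query = path_query.partition("?")
    params = {}
    for pair in query.split("&") if query else []:
        name, _, value = pair.partition("=")
        params[unquote(name)] = unquote(value)
    return {"host": host.lower(), "port": int(port) if port else 80,
            "path": "/" + unquote(path), "params": params}


def _split_message(raw):
    """Separate the start line, the header fields and the body (Slide 6-4)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_request(raw):
    """Return method, target host and path, version and whether a GET is
    conditional.  Accepts the origin form ("GET / HTTP/1.1" plus a Host
    header) and the absolute form a proxy-aware client sends
    ("GET http://host/ HTTP/1.1").  An HTTP/1.1 request without a Host
    header is rejected, as RFC 2616 requires a 400 Bad Request for it."""
    start, headers, body = _split_message(raw)
    method, target, version = start.split(" ")
    if target.lower().startswith("http://"):
        url = parse_http_url(target)
        host, path, via_proxy = url["host"], url["path"], True
    else:
        host, path, via_proxy = headers.get("host", "").lower(), target, False
    if version == "HTTP/1.1" and not host:
        raise ValueError("400 Bad Request: HTTP/1.1 request without Host")
    return {"method": method, "host": host, "path": path, "version": version,
            "via_proxy": via_proxy, "headers": headers, "body": body,
            "conditional": method == "GET"
                           and bool(CONDITIONAL_HEADERS & set(headers))}


def parse_response(raw):
    """Return the status code, its class (1xx..5xx), headers and body of a
    response to GET, checking the body against Content-Length."""
    start, headers, body = _split_message(raw)
    version, code, reason = start.split(" ", 2)
    code = int(code)
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body.encode()):
        raise ValueError("body length does not match Content-Length")
    return {"version": version, "code": code, "reason": reason,
            "class": CODE_CLASSES[code // 100], "headers": headers,
            "body": body}


# Constructed sample exchange, modelled on Slide 6-8.
SAMPLE_REQUEST = ("GET / HTTP/1.1\r\nHost: www.google.com\r\n"
                  "User-Agent: Firefox/1.0\r\nAccept: text/xml\r\n\r\n")
SAMPLE_BODY = "<html><body>constructed sample page</body></html>"
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Server: GWS/2.1\r\nContent-Length: %d\r\n"
                   "Date: Wed, 05 Jan 2005 22:09 GMT\r\n\r\n"
                   % len(SAMPLE_BODY) + SAMPLE_BODY)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["host"], req["path"], req["version"],
          "conditional:", req["conditional"])
    resp = parse_response(SAMPLE_RESPONSE)
    print(resp["code"], resp["class"], len(resp["body"]), "bytes")
```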
GET Requests
GET http://www.bluecoat.com HTTP/1.1
HOST: www.bluecoat.com

GET / HTTP/1.1
HOST: www.bluecoat.com

Slide 6-10: GET requests
The GET request that a proxy-aware client uses is very characteristic. You can easily recognize what is sometimes called a "via-proxy GET request" because the entire URL appears in the GET request. The destination IP address of the client request is the IP address of the proxy; the proxy has to know the location of the origin content server that the client needs the data from. In a direct Web request, the destination Web server is the destination IP address for the client request, and not that of any intermediary. The via-proxy GET request contains the entire URL, regardless of the HTTP version used. In HTTP/1.1, in which the Host field should be (according to the RFC) mandatory, the GET request with the full URL may seem redundant. However, in general, all clients conform to this convention.

Chapter 7: HTTP Compression

HTTP compression is an algorithm that reduces the size of a file without causing loss of data, improving network efficiency and performance. A file can be stored in gzip, deflate, or text format. The Blue Coat SG can manage multiple variants of the same objects in cache. The Blue Coat SG can also modify the compressed content; for instance, JavaScript® contained in a gzip file can be stripped out.

By default, HTTP compression is turned off. HTTP compression is controlled by policy only. You need to selectively turn on server-side or client-side compression (or both) through the Visual Policy Manager (VPM). You may or may not want to use HTTP compression in your network. Making the right choice depends on three factors:
• Server-side bandwidth (between the Blue Coat SG and the origin content server [OCS])
• Client-side bandwidth (between the Blue Coat SG and the internal clients)
• Blue Coat SG CPU
If server-side bandwidth is more expensive in your environment than CPU, you may want to request compressed content from the OCS. However, if CPU is more valuable, you may prefer to configure the Blue Coat SG to ask the OCS for the same compression that the client supports and to forward whatever the server returns.

Important: The Blue Coat SG compresses content only if the response is 200 OK. Be aware that the Blue Coat SG does not compress some MIME types, which usually refer to already compressed formats:
• audio/*
• video/*
• image/jpeg, image/gif, image/png, image/pjpeg
• application/x-zip-compressed, application/x-compressed, application/x-gzip
• application/zip, application/gzip
• application/pdf
• Netscape® 4.x browser
By default, Internet Explorer does not request compressed content when the Blue Coat SG is set in explicit proxy mode.

HTTP Compression
• Allows compatible UA and OCS to exchange compressed data
  - Typically GZIP or deflate compression
  - Supported in HTTP/1.1
• Blue Coat SG Support
  - Compressed data can flow through the proxy compressed
  - Proxy can uncompress/compress data to execute policies

Slide 7-1: HTTP compression basics
One of the features of HTTP/1.1 is support for compressed content. The user agent (UA) lists the supported compression formats in the Accept-Encoding header; the formats are listed in order of preference, and the OCS should choose the first format listed. Plain text is always an implicitly assumed format. If there are no common compression protocols supported, the content is returned as plain text. The OCS declares the compression format that it chose in the Content-Encoding header. The most commonly used protocols are gzip and deflate.

Compression is usually applied only to file types which do not have any built-in size optimization. For instance, HTML and text in general are highly compressible file formats; both .jpg and .gif are already compressed formats, and most likely the OCS will not attempt to recompress these formats. Today's Web pages are several kilobytes in size, so compression can make a difference.

A proxy does not need to understand the specific compression protocol that the UA and the OCS negotiated. The proxy can simply pass the body of the message as is. However, if the proxy is not able to decompress the HTTP messages that it receives, it cannot apply any modification to the content.

HTTP Compression - Client Side
GET http://www.bluecoat.com/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Proxy-Connection: Keep-Alive
(Compression supported)

GET http://www.google.com/ HTTP/1.0
Accept: */*
Accept-Language: en-us
Host: www.google.com
Proxy-Connection: Keep-Alive
(Compression not supported)

Slide 7-2: Client-side support
A UA accepts compressed content only if the following two events occur:
• The UA supports HTTP/1.1.
• The UA requests compressed content; more specifically, it supports gzip and deflate compressed content.
Obviously, an HTTP/1.1 UA does not have to request compressed content. You may see requests in which either the UA or the proxy issues an HTTP/1.1 GET request without the Accept-Encoding header. At the top of the slide you see the packet capture from a UA that supports compression. The GET request contains a valid Accept-Encoding header. At the bottom of the slide you see the packet capture from a UA that uses HTTP/1.0; therefore, it does not support compression. Note the lack of the Accept-Encoding header: the Accept-Encoding header is not even provisioned in HTTP/1.0.

HTTP Compression - Server Side
HTTP/1.1 200 OK
Date: Thu, 27 Jul 2006 22:58:49 GMT
Server: Apache/2.2.3 (Unix)
Content-Type: text/html
Content-length: 14230
(Compression not supported)

Slide 7-3: Server-side support
The OCS specifies the compression protocol applied to the body of the response using the Content-Encoding header. If this header is not present, the content is assumed to be plain text. When compression is supported, the most common protocol is gzip. You should not confuse Content-Encoding and Content-Type; the latter refers to the type of data that appears in the body. The Content-Type header describes the MIME type of the data. A standard Web page has the MIME type text/html. Note how both responses from the server are HTTP/1.1 responses. Not all OCS support compression. Several Web sites deliver only uncompressed data. An OCS cannot return compressed content unless the client has sent a request that includes the Accept-Encoding header. That alone does not automatically mean that the content will be served compressed.
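What a compression-aware proxy does with the Accept-Encoding and Content-Encoding pair from Slides 7-1 to 7-3, as an added Python example that is not Blue Coat SG code: compressed content passes through when the UA accepts it, plain content is compressed in the UA's preferred format, and content the UA cannot decode is uncompressed, subject to the 200 OK and MIME-type rules from the chapter introduction. The header sets and the page body are constructed.

```python
"""Compression negotiation between a UA, a proxy and an OCS (Chapter 7).

Added example, not Blue Coat SG code.  A message is modelled as a status
code, a dict of lowercase header names and a bytes body; the sample
headers and the page body are constructed.
"""
import gzip
import zlib

SUPPORTED = ("gzip", "deflate")
# MIME types the chapter introduction says are left uncompressed.
NO_COMPRESS_PREFIXES = ("audio/", "video/")
NO_COMPRESS_TYPES = {"image/jpeg", "image/gif", "image/png", "image/pjpeg",
                     "application/x-zip-compressed", "application/x-compressed",
                     "application/x-gzip", "application/zip",
                     "application/gzip", "application/pdf"}


def accepted_encodings(headers):
    """Encodings the UA listed in Accept-Encoding, in order of preference.
    No header (HTTP/1.0 or an older UA) means only plain text is acceptable."""
    value = headers.get("accept-encoding", "")
    return [e.strip().lower() for e in value.split(",") if e.strip()]


def encode(body, encoding):
    """Apply a Content-Encoding the proxy understands."""
    if encoding == "gzip":
        return gzip.compress(body)
    if encoding == "deflate":
        return zlib.compress(body)  # zlib-wrapped stream, as RFC 2616 defines deflate
    raise ValueError("unsupported encoding: " + encoding)


def decode(body, encoding):
    """Remove a Content-Encoding the proxy understands."""
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        return zlib.decompress(body)
    raise ValueError("unsupported encoding: " + encoding)


def compressible(status, headers):
    """The chapter's preconditions: only 200 OK, and not an already-compressed type."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if status != 200 or ctype.startswith(NO_COMPRESS_PREFIXES):
        return False
    return ctype not in NO_COMPRESS_TYPES


def proxy_response(request_headers, status, headers, body):
    """Decide what the proxy serves to the UA for one OCS response.

    Returns (action, headers, body); action is "pass-through",
    "compress" (UA accepts compression, OCS sent plain content) or
    "decompress" (OCS sent compressed content the UA cannot handle).
    An encoding the proxy does not understand is passed through as is.
    """
    wants = accepted_encodings(request_headers)
    current = headers.get("content-encoding", "").lower() or None
    out = dict(headers)
    if current in SUPPORTED and current not in wants:
        body = decode(body, current)
        del out["content-encoding"]
        out["content-length"] = str(len(body))
        return "decompress", out, body
    if current is None and compressible(status, headers):
        # The first format the UA listed that the proxy supports wins.
        choice = next((e for e in wants if e in SUPPORTED), None)
        if choice:
            body = encode(body, choice)
            out["content-encoding"] = choice
            out["content-length"] = str(len(body))
            return "compress", out, body
    return "pass-through", out, body


# Constructed sample traffic, modelled on the captures in Slides 7-2 and 7-3.
PAGE = b"<html><body>" + b"constructed sample text " * 40 + b"</body></html>"
UA_GZIP = {"accept-encoding": "gzip, deflate"}      # top capture, Slide 7-2
UA_PLAIN = {}                                       # HTTP/1.0 UA, no header
OCS_PLAIN = {"content-type": "text/html", "content-length": str(len(PAGE))}
OCS_GZIP = {"content-type": "text/html", "content-encoding": "gzip",
            "content-length": str(len(encode(PAGE, "gzip")))}

if __name__ == "__main__":
    for ua, ocs, body in ((UA_GZIP, OCS_PLAIN, PAGE),
                          (UA_PLAIN, OCS_GZIP, encode(PAGE, "gzip")),
                          (UA_GZIP, OCS_GZIP, encode(PAGE, "gzip"))):
        action, hdrs, out = proxy_response(ua, 200, ocs, body)
        print(action, hdrs.get("content-encoding", "identity"), len(out), "bytes")
```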
HTTP Compression - Blue Coat SG Client-Side Compression
• Client does support compression
• Server does not support compression

Slide 7-4: Client-side compression
This slide shows a scenario in which the client supports compression but the OCS does not serve compressed content. You can configure the Blue Coat SG to:
1. Retrieve the uncompressed content from the OCS.
2. Compress the content using either gzip or deflate.
3. Serve the compressed content to the UA.
This process is called client-side compression. In this scenario, you do not have any WAN bandwidth benefit, but you have LAN bandwidth benefits. The client-side compression feature determines whether compressed content can be served based on the UA HTTP request (presence or lack of the Accept-Encoding header). If the UA requests protocols other than gzip and deflate, the Blue Coat SG passes the request as-is to the OCS and does not perform any modification on the content returned. While this feature does not seem particularly interesting, you need a client-side compression action in your policy in order to enable server-side compression (discussed next in this chapter).

HTTP Compression - Blue Coat SG Server-Side Compression
• Client does not support compression
• Server does support compression

Slide 7-5: Server-side compression
This slide shows a scenario in which the client does not support compression. Several UAs, for one reason or another, may not support HTTP/1.1, or, if they do, they do not support compression algorithms. This is a likely scenario in your organization. The OCS, however, does have the ability to deliver compressed content. You can configure the Blue Coat SG to:
1. Retrieve the compressed content from the OCS.
2. Uncompress the content.
3. Serve the uncompressed content to the UA.
This process is called server-side compression. In this scenario, you do not have any LAN bandwidth benefit, but you have WAN bandwidth benefits. By enabling a server-side compression policy, you can save precious WAN bandwidth. However, you also need a client-side compression policy.

Object Variants
Blue Coat SG object store (cache)

Slide 7-6: Object variants
In previous versions of the SGOS, the HTTP proxy did not cache objects if the server sent compressed content. However, with HTTP compression and variant object support in newer versions of the SGOS (starting with 4.1.1), objects are cached regardless of their encoding, provided that all other conditions allow caching. Variants are objects that are stored in the cache in various forms. The Blue Coat SG creates three variant types:
• uncompressed
• gzip compressed
• deflate compressed
HTTP compression implements variant object support in the cache engine using an object versioning scheme. A 64-bit number is used to tag the base object and its variants. Be aware that the presence of multiple variant objects in the cache may affect the object-carrying capacity of the disk. However, transformation-based variants are not cached. This is a positive feature, because caching compressed content which is likely to be uncompressed and modified again is a waste of resources.

Compression and Policies

Slide 7-7: Compression and policies
You may want to apply several policies to the content that a UA in your organization receives. For instance, you may want to remove active content (JavaScript, ActiveX®, Visual Basic® script, etc.) from all sites except for some on a special white list. If the proxy does not understand the compression protocol that is being applied to an HTTP response, it cannot determine if active content (or any other type of content) is present in that response. You may have the best policies in place, but they will not apply to the content. The Blue Coat SG, starting with SGOS 4.1, can automatically uncompress a response if there are relevant policies that need to be applied. If you have content-specific policies and the content is compressed, then the Blue Coat SG can automatically (without the need for any special policy) do the following:
1. Decompress the OCS response.
2. Apply the content policy (that is, remove JavaScript, etc.).
3. Compress the content and serve it.
If you do not have any content-specific policy, then the content is not uncompressed; it is served as is, unless you have other client-side compression policies.
Note: If a page was received compressed and a content policy applied, the page will not be cached in the compressed format but in the uncompressed format.

Chapter 8: Authentication Introduction

This section details what kind of authentication challenges can be handled by the Blue Coat SG and for which use. In general, there are three main reasons that users may be challenged for authentication:
• They attempt to access the Management Console (or CLI).
• They attempt to access the Internet. (You can limit access through the Blue Coat SG to authorized users.)
• They request a specific resource on the Internet (password-protected page or file).
The first two instances are controlled by the Blue Coat SG directly. The third authentication type is independent from the Blue Coat SG; however, the proxy can handle the request and pass it to the user and back to the origin content server (OCS) transparently.

You, as the administrator, decide the authentication and security policies. There are a few steps that you can take in order to make access to the policy and configuration more secure. For instance, based on Active Directory® or LDAP groups, it is a good idea to give selective read and write permission to modify the policies on the Blue Coat SG. It is also recommended that you authenticate users before you grant them access to the Internet. This is a good practice for both security and auditing: you do not want unauthorized devices on your network to connect to the Internet, and you want to keep an accurate log of who is accessing which resource.

Authentication and Security Types
• Blue Coat SG Security
  - Console Access
  - Physical Access (front panel, serial port)
• Blue Coat SG Authentication
  - Validate users before allowing access to protocols
• Remote resources authentication requests

Slide 8-1: Authentication and security types
The Blue Coat SG handles three types of security challenges. Two are controlled by the Blue Coat SG itself, and one is determined by the security on the OCS.
• Blue Coat SG security refers to the ability to control or limit (read only, read and write) access to the management, configuration, and rules administration of the Blue Coat SG.
• Blue Coat SG authentication refers to the option of challenging users to submit proper credentials (username, password) before their requests are allowed to go through the proxy.
• Remote resource authentication refers to the authentication challenges that a remote OCS can issue to a user agent (UA) before sending the requested content. The Blue Coat SG does not have any control over this challenge; however, it can pass the challenge from the OCS to the UA and the credentials from the UA to the OCS.

Blue Coat SG Security
• Limit access to the Blue Coat SG appliance
  - Require PIN to operate front panel
  - Password to secure Setup Console
  - Password protect serial access
  - Restrict access by IP address or IP ranges
• Role-based security
  - Use realm-based authentication
  - Granular permission selection

Slide 8-2: Blue Coat SG security
You can control access to the Blue Coat SG in several ways. Of course, the most important security aspect of any mission-critical server, like the Blue Coat SG, is physical security. You should ensure that only authorized personnel can physically reach the unit. You may want to secure the front panel with a personal identification number (PIN) to avoid accidental misconfiguration, which can happen if someone bumps against the unit. Once you have ensured that the Blue Coat SG is "safe" in the server room, you can implement measures to limit administrative access only to authorized users. You can safely enable the following security measures by taking these steps:
* Limit access to the Management Console and CLI only to a selected pool of IP addresses.
* Create a secure enable-level password.
Important: If you decide to enable a password for the serial console (not advisable), there is no recovery option. If you lose the password you need to RMA the unit!
To manage the Blue Coat SG, you can use the built-in administrator account or any of the Active Directory or LDAP groups (or you can select individual users). If you choose to rely on an external authentication realm, you can granularly define read-only or read-and-write permissions on the unit.

Available Security Measures
(Table on the slide. Columns: Serial Console; SSH with Password Authentication; SSH with RSA Authentication; Management Console. Rows: Username and password evaluated (console-level credentials); Console Access List evaluated; CPL <Admin> layer evaluated; Enable password required to enter privileged mode; CLI line-vty timeout command applies; Management Console Login/Logout.)

Slide 8-3: Available security measures
Console account (minimum security): The console account username and password are evaluated when the Blue Coat SG is accessed from the Management Console through a browser and from the CLI through SSH with password authentication. Sharing the basic console account settings is only one option, but it is the least secure method and is not recommended. Also, do not give out the enable (privileged-mode) password. The enable (privileged-mode) password is evaluated when the console account is used through SSH with password authentication and when the CLI is accessed through the serial console and through SSH with RSA authentication.
Console access control list (moderate security): Using the access control list (ACL) allows you to further restrict use of the console account and SSH with RSA authentication to workstations identified by their IP address and subnet mask. After setting the console account username, password, and enable (privileged-mode) password, use the CLI or the Management Console to create a console ACL. SSH with RSA authentication connections are valid only from workstations specified in the console ACL (provided it is enabled). Likewise, the console account can only be used by workstations defined in the console ACL.
This page a n d the next s u m m a r i z e all available options.3 : Security m e a s u r e s W h e n d e c i d i n g h o w to give other users read-only or read-write access to the Blue Coat SG. W h e n the A C L is enforced. To give read-only access to the CLI. The simplest w a y to give access to others is to s h a r e this basic console account information. Policy is never evaluated on direct serial-console connections or SSH connections u s i n g RSA authentication. a n d m a n y other conditions. Using the Visual Policy M a n a g e r (VPM). Using the CLI or the M a n a g e m e n t Console GUI. or N T L M w i t h BASIC credentials enabled. • To prevent a n y o n e from u s i n g the console credentials to m a n a g e the Blue Coat SG. specify policy rules that: (1) require a d m i n i s t r a t o r s to log in using credentials from the previously created a d m i n i s t r a t i v e realm. or given read-write access. This is a less flexible o p t i o n t h a n Blue Coat Content Policy L a n g u a g e (CPL) because y o u cannot control the level of access w i t h policy. A u t h o r i z a t i o n can be based on IP address. g r o u p m e m b e r s h i p . time of day. For administrative access. The chart s h o w n in Slide 8-3 details the various w a y s administrators can access the Blue Coat SG console a n d the authentication a n d authorization m e t h o d s that a p p l y to each. Local. If the credentials s u p p l i e d are not the console account u s e r n a m e a n d password. A u t h e n t i c a t i o n occurs by verifying k n o w l e d g e of the c o r r e s p o n d i n g p r i v a t e key. You can also restrict access to a single IP a d d r e s s that can be u s e d as the emergency recovery workstation. RADIUS. W h e n connecting t h r o u g h SSH. policy is e v a l u a t e d w h e n the Blue Coat SG is accessed t h r o u g h SSH w i t h p a s s w o r d authentication or the M a n a g e m e n t Console. 
Blue Coat Content Policy Language — maximum security CPL allows y o u to control administrative access to the Blue Coat SG t h r o u g h policy. create an authentication realm to be used for a u t h o r i z i n g a d m i n i s t r a t i v e access. the a d m i n i s t r a t o r logs in w i t h no p a s s w o r d exchange. 73 . given read-only access.Chapter 8: Authentication Introduction Per-user RSA public key authentication — moderate security Each a d m i n i s t r a t o r ' s public keys are stored on the appliance. This is secure because the p a s s w o r d s never go over the network. LDAP. set the console ACL to d e n y all access (unless y o u plan to use SSH with RSA authentication). but it is a better choice than sharing the console credentials. a n d (2) specify the conditions u n d e r w h i c h administrators are either d e n i e d all access. or by a d d i n g CPL rules to the Local or Central policy file. the realm m u s t s u p p o r t BASIC credentials — for e x a m p l e . .) Authentication is v e r y i m p o r t a n t in conjunction w i t h r e p o r t i n g as it allows y o u to generate reports w h e r e y o u can see the user information (login name) rather t h a n just an IP a d d r e s s or host n a m e . etc. Novell. RADIUS. M a n y c o m p a n i e s base policy to allow or d e n y access to specific resources on the realm g r o u p s that they h a v e set up (Active Directory.7.1 Authentication • Policies based on users and groups • Granular Reporting • Manage Exceptions Slide 8-4: Reasons for authentication Slide 8-4 details the main reasons w h y Blue Coat c u s t o m e r s enable authentication.Blue Coat Educational Services — BCCPA Course v 1. the UA s e n d s the authentication information for each request. asking the user to authenticate (407 Proxy Authentication Required). 
Slide 8-5: Explicit proxy authentication
• Proxy requires client to authenticate
  - HTTP 407 response "Proxy Authentication Required"
• Browser resends the request with the user's credentials
  - Credentials are sent with every request
• Most browsers cache credentials as long as the process is running

The authentication mechanism implemented in the HTTP RFC for proxy-based connections is pretty simple and straightforward. When the UA makes its first request to the proxy, the proxy returns an HTTP 407 response message, asking the user to authenticate (407 Proxy Authentication Required). According to RFC 2616, this message "indicates that the client must first authenticate itself with the proxy." The browser resends the same request, but this time it adds the authentication credentials. The information (username and password) is, in general, passed in clear text using Base64 encoding. NTLM is the most notable exception: the message is still Base64-encoded, but NTLM does not transmit the password over the network.

Once the authentication is successful, the UA keeps sending the proper authentication credentials when requesting a URI through the proxy without prompting the user again. Once the UA is aware that it is communicating with a proxy that requires authentication, it sends the authentication information with each request, regardless of the URI requested. Most browsers cache the authentication information as long as the browser's main process is running: unless you terminate the application, you should not be prompted again for username and password.

Slide 8-6: Explicit proxy authentication

The 407 HTTP response code is uniquely defined to handle proxy authentication requests. From RFC 2616: "The proxy MUST return a Proxy-Authenticate header field containing a challenge applicable to the proxy for the requested resource. The client MAY repeat the request with a suitable Proxy-Authorization header field."

Important: If the UA is not configured to use an explicit proxy, it ignores any 407 response.

Slide 8-7: Authentication options

The Blue Coat SG allows you to control how users are authenticated. When you create a rule in the Web Authentication Layer, you can decide whether the authentication supersedes a DENY statement or not. You can also control whether the user can enter double-byte language credentials.
• Authenticate: Creates an authentication object to verify users. An authentication realm must exist on the Blue Coat SG to be selected through the VPM.
• Force Authenticate: Forces the user to authenticate even though the request is going to be denied for reasons that do not depend on authentication. This action is useful to identify a user before the denial so that the username is logged along with the denial.
• Authentication Charset: The VPM allows you to enter non-ASCII text in many objects, such as user and group names and text for the Notify User object. This object allows you to set the character set to use in conjunction with localized policy. From the drop-down list, select a character set and click OK.

Slide 8-8: Remote resource authentication

The response code 401 notifies the UA that the "request requires user authentication. The response MUST include a WWW-Authenticate header field [...] containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field [...]. If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity might include relevant diagnostic information." (RFC 2616)

You need to be aware of the key difference between the way the UA behaves when it receives a 407 message and when it receives a 401 message. Let's assume that you are accessing two Web sites, http://www.cnn.com and http://www.ferrari.it.
• If your UA receives a 407 after the initial request to the CNN Web site, it prompts the user for authentication information (username and password). It will then automatically send the user's credentials to the proxy when requesting the Ferrari Web site, without prompting the user again.
• If the UA receives a 401 after the initial request to the CNN Web site, it prompts the user for authentication information (username and password). If the UA receives a 401 again when connecting to the Ferrari Web site, it will not reuse the credentials submitted by the user for the CNN Web site, as it cannot assume that 401 credential requests are "portable" across different URIs. The UA prompts the user again.

Chapter 9: Authentication Realms

A realm authenticates and authorizes users for access to Blue Coat SG services using either explicit proxy or transparent proxy mode. Multiple authentication realms can be used on a single Blue Coat SG. Multiple realms are essential if the enterprise is a managed service provider or if the company has merged with or acquired another company. Even for companies using only one protocol, multiple realms might be necessary; this would be the case for a company using an LDAP server with multiple authentication boundaries. You can use realm sequencing to search multiple realms at once.

A realm configuration includes:
• Realm name
• Authentication service: IWA, LDAP, RADIUS, Local, Certificate, Sequence, eTrust SiteMinder, Oracle COREid, or Policy Substitution
• External server configuration: Backend server configuration information, such as host, port, and other relevant information based on the selected service
• Authentication schema: The definition used to authenticate users
• Authorization schema: The definition used to authorize users for membership in defined groups and check for attributes that trigger evaluation against any defined policy rules

One-time passwords are supported for RADIUS realms only.

The Blue Coat SG can cache authentication credentials. You can specify the length of time, in seconds, that user and administrator credentials are cached. The default is 900 seconds (15 minutes). Credentials can be cached for up to 3,932,100 seconds (3 million+). If you specify 0 as the cache time, traffic to the authentication server increases because each request generates an authentication and authorization request to the server.

To manage the credential cache through the Management Console:
1. Select Configuration > Authentication > Realms. The Realms page displays, with all realms that you have created. From here you can view your realms and manage the credentials cache for a specific realm.
2. To flush only the entries for a particular realm in the credentials cache, select the realm from the drop-down list, click Flush realm and confirm.
   To flush the entire credentials cache immediately, click Flush and confirm.
   To purge the credentials cache when you make policy changes, select Flush When Policy File Changes. (This option is selected by default.)

All of these actions force users to be re-authenticated.

Slide 9-1: Most commonly used authentication realms
• IWA - Windows NT domains and Active Directory
• LDAP - Active Directory and other LDAP databases
• Sequence - List of authentication realms to be processed

The Blue Coat SG supports a wide, and constantly growing, number of authentication realms. This training focuses on some of the most commonly used realms: IWA, LDAP, and Sequence. While you may use a different realm in your organization, the fundamental concepts of implementing authentication are virtually identical, regardless of the actual realm used. The only real difference is the type of information needed to create the realm. You should ask your instructor to cover the details of the realm that you use in your network; if your realm is not among the ones discussed here, you should be able to collect the necessary information.
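The 407-versus-401 behaviour described in Slide 8-8, together with the Base64 Basic credential format, is easy to misjudge from prose alone. The following Python model is an added example, not course material: a simulated explicit proxy sits in front of two origin servers that protect their content, and a minimal user agent caches proxy credentials once for every URI but keeps 401 credentials scoped to the host that challenged. The hostnames, usernames and passwords are constructed for the illustration. decode_basic shows why the course calls Basic credentials clear text: anyone holding the header value recovers the password.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


def basic_header(user: str, password: str) -> str:
    """RFC 2617 Basic credential: the literal string user:password, Base64-encoded."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic(header: str) -> Tuple[str, str]:
    """What anyone holding a packet trace can do: Base64 is encoding, not encryption."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def fake_network(proxy_creds: Tuple[str, str], site_creds: Dict[str, Tuple[str, str]]):
    """Simulate an explicit proxy requiring Basic credentials in front of origin servers
    that protect their own content. Hostnames and passwords are constructed for the model."""
    def send(url: str, headers: Dict[str, str]) -> Response:
        # The proxy speaks first: 407 until a valid Proxy-Authorization arrives.
        if headers.get("Proxy-Authorization") != basic_header(*proxy_creds):
            return Response(407, {"Proxy-Authenticate": 'Basic realm="corp-proxy"'})
        host = urlsplit(url).hostname or ""
        # The origin server (OCS) issues its own 401 for its own protection space.
        expected = site_creds.get(host)
        if expected and headers.get("Authorization") != basic_header(*expected):
            return Response(401, {"WWW-Authenticate": f'Basic realm="{host}"'})
        return Response(200)
    return send


@dataclass
class UserAgent:
    send: Callable[[str, Dict[str, str]], Response]
    ask_user: Callable[[str], Tuple[str, str]]
    proxy_creds: Optional[str] = None                           # one value, reused for every URI
    origin_creds: Dict[str, str] = field(default_factory=dict)  # scoped to the challenging host
    prompts: List[str] = field(default_factory=list)

    def _prompt(self, challenge: str) -> str:
        self.prompts.append(challenge)
        return basic_header(*self.ask_user(challenge))

    def fetch(self, url: str) -> Response:
        host = urlsplit(url).hostname or ""
        while True:
            headers: Dict[str, str] = {}
            if self.proxy_creds:
                headers["Proxy-Authorization"] = self.proxy_creds
            if host in self.origin_creds:
                headers["Authorization"] = self.origin_creds[host]
            resp = self.send(url, headers)
            if resp.status == 407 and "Proxy-Authorization" not in headers:
                # First 407 from the proxy: prompt once, then attach the credentials to everything.
                self.proxy_creds = self._prompt("proxy " + resp.headers["Proxy-Authenticate"])
            elif resp.status == 401 and "Authorization" not in headers:
                # 401 credentials are not portable across sites: a new host means a new prompt.
                self.origin_creds[host] = self._prompt(host + " " + resp.headers["WWW-Authenticate"])
            else:
                return resp  # 200, or a repeated challenge: the credentials we sent were refused


def browse_two_sites() -> Dict[str, int]:
    """Walk the CNN/Ferrari scenario of Slide 8-8 and count how often the user is prompted."""
    site_creds = {"www.cnn.com": ("kelly", "cnn-pass"), "www.ferrari.it": ("kelly", "ferrari-pass")}
    proxy_creds = ("kelly.lee", "Pr0xy-Secret")

    def ask_user(challenge: str) -> Tuple[str, str]:
        target = challenge.split(" ", 1)[0]
        return proxy_creds if target == "proxy" else site_creds[target]

    ua = UserAgent(send=fake_network(proxy_creds, site_creds), ask_user=ask_user)
    for url in ("http://www.cnn.com/", "http://www.ferrari.it/", "http://www.cnn.com/news"):
        assert ua.fetch(url).status == 200
    return {"proxy_prompts": sum(p.startswith("proxy ") for p in ua.prompts),
            "origin_prompts": sum(not p.startswith("proxy ") for p in ua.prompts)}
```

Running browse_two_sites() yields one proxy prompt and two origin prompts: the proxy credentials accompany all three requests, while each 401-protected host is asked for separately. A user agent that sent cached Proxy-Authorization credentials and still received a 407 has been refused, which the model surfaces by returning the 407 rather than prompting forever.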
Slide 9-2: IWA Realm
• Basic credentials
  - Username and password are sent Base64-encoded
  - Least secure option
• NTLM credentials
  - Uses the Microsoft proprietary authentication
  - Medium security option
• Kerberos credentials
  - Uses the Microsoft implementation of MIT Kerberos v5
  - Highly secure option

Integrated Windows Authentication (IWA) allows you to authenticate users against an Active Directory tree or an NT Domain. It supports three types of credentials, each detailed below. The client receives the list of supported credentials from the proxy and should choose the most secure common set of credentials.

• BASIC authentication
This method is clearly described in the HTTP RFC, since the earliest version. Every User Agent (UA) and every OCS on the Internet must support at least basic credentials, and every browser should support them. The username and password are encoded using Base64; the credentials appear as username:password in a Proxy-Authorization header. Because Base64 is not encryption, the username and password are available to anybody who can run a packet trace of the communication between the UA and the proxy.

• NTLM authentication
NTLM is a Microsoft-proprietary protocol that authenticates users and computers based on an authentication challenge and response. The key idea behind NTLM is to authenticate users without the password ever being exchanged between clients and the authentication server (the domain controller, or DC). Because Windows is nearly ubiquitous on desktop computers, NTLM is by far the most commonly used authentication method. NTLM is discussed in greater detail on the following pages.

• Kerberos authentication
This is the most secure and modern authentication method. It uses a very secure exchange of encrypted tickets, which allows client and server to mutually authenticate each other. Microsoft Internet Explorer is currently the only browser supporting this type of credentials.

Note: Forms authentication modes cannot be used with an NTLM realm that allows only NTLM credentials, a Policy Substitution realm, or a Certificate realm. If a form mode is in use and the authentication realm is any of these, you will receive a configuration error.

Slide 9-3: NTLM authentication
• Provides secure authentication
  - Password is not transmitted over the network
• Supports single sign-on
  - Requires compatible user agents
• Widely used
  - Prevalence of the Windows OS on desktops

NTLM, an acronym for NT LAN Manager, offers a medium degree of security because the actual password is never transmitted over the network. Another benefit, stemming from the close integration between Internet Explorer and the Windows OS, is the ability of users to enjoy single sign-on. In essence, users who access the Internet through a proxy server (that is compatible with NTLM and requires authentication) do not need to re-enter their username and password when they open the browser for the first time. Internet Explorer sends the user's information, automatically and in the background, when it is challenged for authentication by a proxy server. Note that this is a browser feature. Recently, other browsers, including Mozilla Firefox, have implemented support for single sign-on and NTLM authentication.

Slide 9-4: NTLM authentication

NTLM is a challenge/response authentication mechanism. When a client wants to authenticate, it sends a Type 1 message to the domain controller. This message contains some information such as the client host name, the domain where it wants to authenticate, the NTLM version supported, and other information. The server replies with a Type 2 message. This message, in essence, contains a string (the challenge) that the client has to encrypt using DES (Data Encryption Standard) encryption with the password as the key (1). The client computes the DES encryption of the challenge and sends it to the server. This reply is known as the Type 3 message.

After sending the Type 2 message, the server calculates the DES-encrypted version of the challenge using the password associated with the username as the key. If the Type 3 message matches the calculation done by the server, the server knows that the client has knowledge of the correct password, because of the properties of DES encryption. If there is a mismatch, the authentication fails. This approach, while requiring more transactions between the client and the authentication server, allows the client to be authenticated without ever sending the password over the wire, either encrypted or in clear text.

(1) Strictly speaking, NTLM performs DES encryption applying three different keys to the challenge, and those keys are derived from a hash of the password rather than from the password itself; the details are beyond the scope of this class.

Slide 9-5: Blue Coat Authentication and Authorization Agent

The Blue Coat SG runs a proprietary operating system called SGOS, which is designed to handle secure proxy server tasks. The Blue Coat SG can interface directly with open-standard databases such as LDAP because the details of the implementation are known. Proprietary systems, such as NTLM, conceal fine protocol detail but provide an Application Programming Interface (API) (2) to help third parties develop software that can interface with the systems.

The Blue Coat SG uses external software, the Blue Coat Authentication and Authorization Agent (BCAAA, pronounced BECK-ah), as an elegant and efficient approach to supporting different authentication systems, open-system or proprietary. BCAAA enables the Blue Coat SG to support a growing number of databases, which currently include NTLM, Kerberos, SiteMinder, and COREid. In order for the Blue Coat SG to use BCAAA, it must be run on a system supported by the supplier of the API for a given authentication database. For example, if you want to use NTLM authentication, BCAAA must run on a Windows system. BCAAA is available for three different operating systems:
• Windows 2000 and later (supporting all three realm types)
• Windows NT (for BCAAA versions earlier than 4.2)
• Solaris (supporting SiteMinder realms)

(2) API: A software package providing a level of abstraction between the application and the kernel; it is designed to enable third-party software vendors to access a selected set of functions.

Slide 9-6: NTLM over HTTP

In order to authenticate users with NTLM, you need to have BCAAA running on a Windows machine, either a desktop or a server, that is a member of the domain where you want to authenticate users. The BCAAA service authenticates users in all domains trusted by the computer on which it is running. A single installation of the BCAAA service can support multiple Blue Coat SG appliances.

Let's follow the steps in the authentication process when you use an NTLM realm:
1. The client makes a request to the Blue Coat SG. The Blue Coat SG replies with a 407 HTTP response code (explicit authentication mode), which prompts the user agent (UA) to resend the request. Note that the Blue Coat SG explicitly defines the authentication required as NTLM.
2. The client resends the original request, this time including the authentication credentials: the UA includes the Type 1 message, encoded using Base64. This is a standard technique used in HTTP to pass binary data between entities.
3. The Type 1 message is sent from the Blue Coat SG to the BCAAA over port 16101 (you can customize the port over which the Blue Coat SG and BCAAA communicate). The BCAAA decodes the message from Base64 to its original format and, using the Windows API, passes the Type 1 message to the domain controller for authentication.
4. The domain controller responds to the BCAAA with the Type 2 message, which contains the challenge. This message is passed to the Blue Coat SG and then to the client. After returning the Type 2 message to the client, the Blue Coat SG closes the connection.
5. The UA receives the Type 2 message and calculates, using the user's password, the Type 3 message for that challenge. The client sends the Type 3 message to the Blue Coat SG as a Base64-encoded string. The Blue Coat SG passes the information to the BCAAA, which passes it to the domain controller for the final validation. If the Type 3 message contains the correct encryption of the challenge, the domain controller authenticates the user and notifies the BCAAA, which passes the information to the Blue Coat SG.
6. After a successful authentication, the Blue Coat SG returns a 200 HTTP response code to the client. At this point, the connection between the Blue Coat SG and the UA is authenticated and the user starts receiving the requested data.

As you can see, while NTLM is more secure than other authentication methods (the password is not passed over the wire), there is a bit more information being exchanged between the user agent and the Blue Coat SG.

Important: Slide 9-6 contains an intentional error. Can you find it? Make sure that your instructor discusses it. If he or she does not, ask where the error is on the slide.

The following two bullet points describe the most common, and easy to address, issues with BCAAA. The messages appear in the Windows Event Log.
• If another application is using the same port number as the BCAAA service, the following messages are displayed:
  The BCAAA service could not be started.
  A system error has occurred.
  System error 10048 has occurred.
  Only one usage of each socket address (protocol/network address/port) is normally permitted.
• If an attempt to start the BCAAA service is issued when BCAAA is already started, the following error message displays:
  The requested service has already been started.
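To make the Type 1/2/3 exchange of Slides 9-4 and 9-6 concrete, here is an added Python example; it is not course material and does not use any Blue Coat or BCAAA code. It builds the three NTLMSSP messages in the fixed-field layout documented in MS-NLMP, carries them Base64-encoded as the Proxy-Authorization and Proxy-Authenticate header values of steps 2, 4 and 5, and parses them back the way an analyst reading a packet capture would. The point worth seeing is that the domain, username and workstation travel readably in the Type 3 message and the server challenge is readable in the Type 2 message; only the 24-byte responses depend on the password. The domain, user, workstation, challenge and response bytes are constructed placeholders, and the DES computation over the password hash is deliberately not modelled.

```python
import base64
import struct
from typing import Dict

SIGNATURE = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001   # strings in Type 2/3 are UTF-16LE when set
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200


def _field(payload: bytearray, data: bytes, header_len: int) -> bytes:
    """Append data to the payload and return its 8-byte (Len, MaxLen, Offset) descriptor."""
    descriptor = struct.pack("<HHI", len(data), len(data), header_len + len(payload))
    payload += data
    return descriptor


def _read_field(msg: bytes, pos: int) -> bytes:
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]


def build_type1(domain: str, workstation: str,
                flags: int = NEGOTIATE_UNICODE | REQUEST_TARGET | NEGOTIATE_NTLM) -> bytes:
    """NEGOTIATE: 32-byte header; domain and workstation are OEM (ASCII) strings."""
    payload = bytearray()
    dom = _field(payload, domain.encode("ascii"), 32)
    wks = _field(payload, workstation.encode("ascii"), 32)
    return SIGNATURE + struct.pack("<II", 1, flags) + dom + wks + bytes(payload)


def build_type2(target: str, challenge: bytes, flags: int = NEGOTIATE_UNICODE | NEGOTIATE_NTLM) -> bytes:
    """CHALLENGE: 48-byte header; the 8-byte server challenge sits at offset 24."""
    if len(challenge) != 8:
        raise ValueError("the NTLM challenge is exactly 8 bytes")
    payload = bytearray()
    tgt = _field(payload, target.encode("utf-16-le"), 48)
    tinfo = _field(payload, b"", 48)                   # target-info AV pairs omitted in this model
    return (SIGNATURE + struct.pack("<I", 2) + tgt + struct.pack("<I", flags)
            + challenge + bytes(8) + tinfo + bytes(payload))


def build_type3(domain: str, user: str, workstation: str, lm_response: bytes, nt_response: bytes,
                flags: int = NEGOTIATE_UNICODE | NEGOTIATE_NTLM) -> bytes:
    """AUTHENTICATE: 64-byte header; names are plain UTF-16LE, only the responses derive from the password."""
    payload = bytearray()
    fields = b"".join(_field(payload, data, 64) for data in (
        lm_response, nt_response, domain.encode("utf-16-le"), user.encode("utf-16-le"),
        workstation.encode("utf-16-le"), b""))        # b"": no encrypted session key in this model
    return SIGNATURE + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + bytes(payload)


def parse_ntlm_header(header_value: str) -> Dict[str, object]:
    """Dissect the value of a Proxy-Authenticate / Proxy-Authorization header carrying NTLM."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "NTLM":
        raise ValueError("not an NTLM header")
    msg = base64.b64decode(token)
    if msg[:8] != SIGNATURE:
        raise ValueError("bad NTLMSSP signature")
    mtype = struct.unpack_from("<I", msg, 8)[0]
    info: Dict[str, object] = {"type": mtype}
    if mtype == 1:
        info["flags"] = struct.unpack_from("<I", msg, 12)[0]
        info["domain"] = _read_field(msg, 16).decode("ascii")
        info["workstation"] = _read_field(msg, 24).decode("ascii")
    elif mtype == 2:
        flags = struct.unpack_from("<I", msg, 20)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info.update(flags=flags, target=_read_field(msg, 12).decode(enc), challenge=msg[24:32])
    elif mtype == 3:
        flags = struct.unpack_from("<I", msg, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        info.update(flags=flags, lm_response=_read_field(msg, 12), nt_response=_read_field(msg, 20),
                    domain=_read_field(msg, 28).decode(enc), user=_read_field(msg, 36).decode(enc),
                    workstation=_read_field(msg, 44).decode(enc))
    else:
        raise ValueError(f"unknown NTLM message type {mtype}")
    return info


def ntlm_over_http_exchange(domain: str, user: str, workstation: str,
                            challenge: bytes) -> Dict[str, Dict[str, object]]:
    """Header values for steps 2, 4 and 5 of Slide 9-6, then parsed as an analyst with a capture would.
    The 24-byte responses are placeholders: the DES computation over the password hash is not modelled."""
    placeholder_response = bytes(range(24))
    step2 = "NTLM " + base64.b64encode(build_type1(domain, workstation)).decode()   # Proxy-Authorization
    step4 = "NTLM " + base64.b64encode(build_type2(domain, challenge)).decode()     # Proxy-Authenticate on the 407
    step5 = "NTLM " + base64.b64encode(                                             # Proxy-Authorization
        build_type3(domain, user, workstation, placeholder_response, placeholder_response)).decode()
    return {"type1": parse_ntlm_header(step2), "type2": parse_ntlm_header(step4), "type3": parse_ntlm_header(step5)}
```

Parsing a captured Type 3 header this way is how an access log or a packet trace yields the username even though the password never crossed the wire, which is exactly what the course's Force Authenticate option relies on for logging denied requests.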
Slide 9-8: LDAP authentication
• Lightweight Directory Access Protocol
• LDAP can contain a wide range of information
  - Users, devices, applications, etc.
• LDAP realm supports Basic and Basic over SSL

The Lightweight Directory Access Protocol (LDAP) is a popular protocol that enables you to find users and resources on a network without knowing where they are located in the network topography. An LDAP directory, either version 2 or version 3, consists of a simple tree hierarchy. An LDAP directory might span multiple LDAP servers. In LDAP v3, servers can return referrals to other servers back to the client, allowing the client to follow those referrals if desired. Blue Coat supports both LDAP v2 and LDAP v3, but recommends LDAP v3 because it uses Transport Layer Security (TLS) and SSL to provide a secure connection between the Blue Coat SG and the LDAP server.

The Blue Coat SG supports the use of external LDAP database servers to authenticate and authorize users on a per-group or per-attribute basis. LDAP-based authentication for the Blue Coat SG can be configured to support any LDAP-compliant directory, including:
• Microsoft Active Directory Server
• Novell NDS/eDirectory Server
• Netscape/Sun iPlanet Directory Server

The Blue Coat SG also provides the ability to search for a single user in a single root of an LDAP directory information tree (DIT), and to search in multiple Base Distinguished Names (DNs). An LDAP realm supports BASIC authentication and BASIC authentication over SSL.

Important: You can configure an LDAP realm to use SSL when communicating with the LDAP server. Without it, the simple bind the Blue Coat SG performs to verify the user sends the user's password to the LDAP server in clear text.

Slide 9-9: LDAP - Directory Information Tree

LDAP is a language, or interface, used to query a compatible realm, and you can search the information in the realm. LDAP allows the realm designer to use a very flexible structure and implement the parameters that are deemed necessary for that realm. Basically there are very few set rules; you can add any attribute you want and choose any allowed name. Some objects in the tree have well-known names. Some of the known object classes are:
• Domain Component (DC): This indicates the root of your tree.
• Country (C): You can create branches in your LDAP tree to reflect the different countries where your company has representation.
• Organizational Unit (OU): This is almost the equivalent of groups in an NT domain.
• Common Name (CN): This is how an object is identified in the tree.
• Distinguished Name (DN): This is the unique name of the object in the tree.

Slide 9-10: Distinguished name
DN: UID=kelly.lee, OU=people, C=IT, DC=BlueCoat
Additional attributes of this object:
- CN: Kelly Lee
- GIVENNAME: Kelly
- TEL: +39-347-555-2200

The full name of an object, in this case a user, is identified by the full path from the object (leaf) to the Domain Component (root). LDAP allows more than one object to carry the same value for an attribute such as CN. This can happen under one of two conditions:
• The objects are on different levels in the tree.
• The objects are on the same level but are on different branches.

Important: Each DN must be unique within a tree.
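The DN rules of Slides 9-9 and 9-10, and the user lookup an LDAP realm performs before binding, in working code. This is an added example and not course material; it implements RFC 4514 DN parsing (backslash and hex escapes), the uniqueness check the course states, and RFC 4515 filter escaping for the username that a proxy interpolates into its search. The attribute name uid, the objectClass person and the sample DNs are constructed for the illustration.

```python
from typing import Dict, List, Tuple

RDN = Tuple[str, str]


def _rdn(attr, buf) -> RDN:
    value = "".join(buf).strip()
    if not attr or not value:
        raise ValueError("malformed RDN")
    return attr, value


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into (type, value) RDNs, leaf first, honouring RFC 4514 escapes:
    a backslash before a special character, or a backslash plus two hex digits
    (single-byte escapes only; multi-valued RDNs joined with '+' are not handled)."""
    rdns: List[RDN] = []
    attr, buf, i = None, [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and all(c in "0123456789abcdefABCDEF" for c in nxt):
                buf.append(chr(int(nxt, 16)))
                i += 3
            else:
                buf.append(dn[i + 1:i + 2])
                i += 2
            continue
        if ch == "=" and attr is None:
            attr, buf = "".join(buf).strip(), []
        elif ch == ",":
            rdns.append(_rdn(attr, buf))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append(_rdn(attr, buf))
    return rdns


def dn_root(dn: str) -> List[str]:
    """The Domain Component (DC) values, which name the root of the tree."""
    return [value for attr, value in parse_dn(dn) if attr.upper() == "DC"]


def normalize_dn(dn: str) -> Tuple[RDN, ...]:
    """Attribute types are case-insensitive and most directory values use caseIgnoreMatch,
    so two DNs that differ only in case or in spacing around commas name the same entry."""
    return tuple((attr.lower(), value.lower()) for attr, value in parse_dn(dn))


def check_unique(dns: List[str]) -> bool:
    """Each DN must be unique within a tree (Slide 9-10): sharing a CN on another level or
    another branch is fine, the same full path from leaf to root is not."""
    seen: Dict[Tuple[RDN, ...], str] = {}
    for dn in dns:
        key = normalize_dn(dn)
        if key in seen:
            raise ValueError(f"duplicate DN: {dn!r} collides with {seen[key]!r}")
        seen[key] = dn
    return True


_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def user_search_filter(attr: str, username: str) -> str:
    """The kind of lookup a proxy performs to find the user's DN before binding as that user.
    Escaping keeps a hostile username from altering the filter structure (LDAP injection)."""
    return f"(&(objectClass=person)({attr}={escape_filter_value(username)}))"
```

The last function is the one to look at when reviewing any component that takes a username from an HTTP credential and searches a directory with it: without escape_filter_value, a username such as *)(uid=* turns an equality match into a wildcard and the lookup may return the wrong entry.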
Slide 9-11: Sequencing overview
Sequence Realm
• Credentials checked against multiple realms
• LDAP, Local, or IWA realm in sequence
• Ideal for mixed environments

Organizations may use multiple authentication methods throughout their network. It is common for organizations that centralize operations or acquire other companies to have multiple authentication methods, NTLM and LDAP, for example. The Blue Coat SG makes it simple to search for a user's credentials in multiple authentication realms through a method called sequencing. By establishing a sequence realm on the Blue Coat SG, you can authenticate users against all the different realms you have put in the sequence, one after the other. You can place LDAP, Local, or IWA realms in a sequence realm.

Slide 9-12: Sequence authentication flowchart

The basic principles of sequence authentication are simple: the Blue Coat SG begins seeking authentication from the first realm on its list and ends the process as soon as the credentials are authenticated. Sequencing begins when a client makes an authentication request to the Blue Coat SG. The client submits credentials, which the Blue Coat SG then checks against the different realms in the sequence:
1. The Blue Coat SG seeks to authenticate the user's credentials with Realm 1. If it finds a match, the user is authenticated and the process ends.
2. If there is no match with Realm 1, the Blue Coat SG seeks to authenticate the user's credentials with Realm 2. If it finds a match, the user is authenticated and the process ends.
3. If there is no match with Realm 2 or any of the other realms, authentication fails, or the process begins again: if the user's browser allows more than one attempt, the Blue Coat SG tries to authenticate the credentials again.
4. The process continues until the credentials are authenticated or the number of attempts has been exhausted and authentication is denied.

The flowchart in the slide above depicts the entire process. Browsers generally allow users several attempts to authenticate, to allow for typing mistakes.

Note: Browsers count a cycle through all the realms in the sequence as a single attempt. They do not count each query of individual realms as a single attempt.

Because the same credentials are tried against every realm until one accepts them, an account that is still active in a Local or other fallback realm after it was disabled in the primary directory continues to grant access; prune fallback realms accordingly.

Setting up a sequence realm is simple, but you must follow several important rules:
• A sequence realm checks a user's credentials against multiple realms. Make certain that each realm exists before you add it to a sequence.
• Make sure that each realm that you plan to add to the sequence is customized to your needs, that is, make sure that their current values are correct.
• You cannot rename or delete a realm as long as it is part of a sequence. If you must rename or delete a realm, you must remove it from the sequence first; you can then rename or delete it.
• Put no more than one IWA realm in a sequence. If you have an IWA realm in a sequence, it must be either the first or last on the list. Make it the first realm on the list if you want to enable single sign-on. (For IWA, make sure that the Allow Basic Credentials check box is set correctly.)
• You cannot place connection-based realms, such as Certificate, in a sequence.
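The following is an added example, not code from the course or from Blue Coat: a model of the sequence flow (first realm to accept the credentials wins, one pass through all realms per browser attempt) together with a validator for the composition rules of this section. Realm names, users and passwords are constructed; the password hashing is only there so the sample store holds no plaintext.

```python
"""Added example, not part of the BCCPA course: a model of sequence realm
authentication (first realm to accept the credentials wins) together with
the composition rules given in this section. Realm names, users and
passwords are constructed; the hashing is only to avoid keeping plaintext
passwords in the sample store."""
import hashlib
import hmac

SALT = b"constructed-salt"   # fixed only to keep the sample deterministic


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 5000)


class Realm:
    """One credential store. kind is 'local', 'ldap', 'iwa' or 'certificate';
    certificate realms are connection-based and cannot be sequenced."""
    CONNECTION_BASED = {"certificate"}

    def __init__(self, name, kind, users=None, allow_basic=True):
        self.name, self.kind, self.allow_basic = name, kind.lower(), allow_basic
        self.users = {u: _hash(p) for u, p in (users or {}).items()}

    def check(self, username, password):
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, _hash(password))


class SequenceRealm:
    def __init__(self, name, realms, try_iwa_once=False):
        self.name, self.realms, self.try_iwa_once = name, list(realms), try_iwa_once
        self.validate()

    def validate(self):
        """Reject sequences that break the rules listed in the text."""
        names = [r.name for r in self.realms]
        if len(set(names)) != len(names):
            raise ValueError("a realm may appear only once in a sequence")
        for r in self.realms:
            if isinstance(r, SequenceRealm):
                raise ValueError("sequence realms cannot be nested")
            if r.kind in Realm.CONNECTION_BASED:
                raise ValueError(f"connection-based realm {r.name!r} cannot be sequenced")
        iwa = [i for i, r in enumerate(self.realms) if r.kind == "iwa"]
        if len(iwa) > 1:
            raise ValueError("at most one IWA realm per sequence")
        if iwa and iwa[0] not in (0, len(self.realms) - 1):
            raise ValueError("the IWA realm must be first or last")
        if iwa and not self.realms[iwa[0]].allow_basic and not (iwa[0] == 0 and self.try_iwa_once):
            raise ValueError("an IWA realm without basic credentials must be first, "
                             "with 'Try IWA authentication once' enabled")

    def authenticate(self, attempts, max_attempts=3):
        """attempts: the (username, password) pairs a browser submits, one per
        user retry. Each pass through all realms counts as one attempt.
        Returns (accepting realm, attempt number) or None."""
        for n, (user, password) in enumerate(attempts[:max_attempts], start=1):
            for realm in self.realms:
                if realm.check(user, password):
                    return realm.name, n
        return None


def sample_sequence():
    """Constructed mixed environment: IWA first for single sign-on, then the
    corporate LDAP directory, then a legacy Local realm kept as a fallback."""
    iwa = Realm("corp-iwa", "iwa", {"kelly.lee": "s3cret!"})
    ldap = Realm("corp-ldap", "ldap", {"kelly.lee": "s3cret!", "bob": "hunter2"})
    # alice was removed from LDAP but her Local account was never pruned
    local = Realm("legacy-local", "local", {"alice": "oldpass"})
    return SequenceRealm("mixed-seq", [iwa, ldap, local])
```

The `alice` entry shows the operational risk of a sequence: the Local realm at the end of the list still authenticates an account that no longer exists in the directory, so fallback realms need the same joiner/leaver discipline as the primary one.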
Further rules for sequence realms:
• You cannot nest sequence realms, that is, you cannot place a sequence realm inside another sequence realm.
• You cannot place a realm in a particular sequence more than once.
• You may put as many BASIC realms as you want in a sequence.
• If you have an IWA realm and it does not support basic credentials, make IWA the first on the list and enable "Try IWA authentication once."

Chapter 10: Policy Management

While there are many problems associated with using the Internet as a business tool, there are several that generally cause the most concern:
• Intellectual property loss leading to decreased competitive advantage
• Malicious viruses
• Productivity loss caused by "illegitimate" Internet use
• Threats from hacking
• Legal problems caused by accessing unsavory or copyright material

Although many organizations create Internet usage policies, they face challenges in configuring systems to enforce written corporate policies. The Blue Coat® SG™ Policy Processing Engine provides a comprehensive policy architecture that spans all users, applications, content types, and security services. This framework allows a security administrator to control Web protocols and Web communications across the entire enterprise. Blue Coat policies provide to the administrator:
• Fine-grained controls to manage behavior of the appliance
• Multiple policy decisions allowed for each request
• Multiple actions triggered by a particular condition
• Configurable bandwidth limits
• Authentication-aware proxy device, including user and group configurations
• Flexible user-defined conditions and actions
• Convenience of predefined common actions and header transformations
• Support for multiple authentication realms
• Configurable policy event logging
Only a secure proxy with an object-handling operating system can offer the framework needed to identify and enforce policies across an entire enterprise with line-speed performance. To create an overall Web access policy, you need a comprehensive and easy-to-use policy architecture.

Slide 10-1: Setting up AUP enforcement
Company Policy Enforcement
• Create Acceptable Usage Policy (AUP)
• Create Web Authentication Layer(s): monitor users by login name
• Create Web Access Layer(s): implement the AUP

The first step to controlling and managing Web and e-mail usage is having an Acceptable Usage Policy. An AUP establishes what is permissible when using company resources to access the Internet. To enforce your written AUP, you create targeted rules that meet your organization's requirements, using the Blue Coat SG Content Policy Language (CPL) or the Visual Policy Manager (VPM). For example, you can define the allowable content for all Engineering group members, or create specific rules for individual users.

A collection of rules that apply to the same mechanism is identified as a layer. For example, the set of rules that define administrator access is contained in the Admin Access Layer (not discussed in this class). To create an overall Web access policy, you should create rules in the following VPM layers:

Web Authentication Layer. This layer identifies which source and destination requests will be evaluated and determines which authentication realm will be used for credential validation. For example, you can create a rule that states that the Engineering group must authenticate, and specify the authentication method to be used. However, to create such a rule, you must first define the appropriate authentication realms in the Blue Coat SG Management Console, because VPM realm objects are retrieved from the Blue Coat SG.

Web Access Layer. This layer specifies which source, destination, service and time requests will be evaluated and determines the authorized action for the request.
The VPM enables you to establish policy rules that identify who is allowed to access content and how they will authenticate. The Blue Coat SG Policy Processing Engine allows you to control users, applications, content types, and security services.

Slide 10-2: Example of natural language translated into policy rules

Policy Translation
"XYZ Inc. employees may not visit the BBC Web site at any time."

Simple language          Blue Coat language
Who:   XYZ Employees     Source:      ANY
Where: BBC               Destination: bbcworld.com
How:   On web            Service:     ANY
When:  At any time       Time:        ANY
What:  May not visit     Action:      DENY

Although the concept of rules and layers might sound confusing, Slide 10-2 shows that policy rules are simply a VPM translation of practical business rules. In this example, all employees of XYZ Company are prohibited from visiting the BBC World Web site (http://www.bbcworld.com) at any time. This translation enables the VPM to evaluate a request to see if an action should be triggered. When the Blue Coat SG receives a request for the BBC UK Web site (http://www.bbc.co.uk), it evaluates the source first. Because the source is "any," it proceeds to evaluate the destination. Because the destination does not match (http://www.bbc.co.uk is not bbcworld.com), the request is allowed. The lesson for writing rules is that a single host name covers exactly that host: to block every BBC property, the destination must be a domain list or a category rather than one site.

To block an entire category of Web sites (like travel sites), you must deploy some type of content-filtering software, such as Blue Coat WebFilter, Websense®, SmartFilter®, or SurfControl®.

Slide 10-3: Example of natural language translated into policy rules
Policy Translation
"XYZ Inc. employees may not visit any travel related Web site at any time."

Simple language          Blue Coat language
Who:   XYZ Employees     Source:      ANY
Where: Travel            Destination: Travel
How:   On web            Service:     ANY
When:  At any time       Time:        ANY
What:  May not visit     Action:      DENY

In this example, all employees of XYZ Company are prohibited from visiting travel sites at any time. The destination is a category rather than a host: content filtering companies maintain databases of Web site categories and continually update them with new sites, so the rule covers travel sites the administrator has never heard of.

Slide 10-4: Example of natural language translated into policy rules

Policy Translation
"The Engineering department may not visit any gaming site during regular business hours."

Simple language          Blue Coat language
Who:   Engineering       Source:      ENG
Where: Gaming            Destination: Gaming
How:   On web            Service:     ANY
When:  M-F, 08-17        Time:        Mon-Fri, 8-17
What:  May not visit     Action:      DENY

In this example, all members of the Engineering department are prohibited from visiting any gaming sites during regular business hours (08:00 to 17:00). The corresponding Web Access rule is shown in Slide 10-4. To enforce this rule, you must have Web Authentication rules that force authentication for the authorization realm that includes the ENG group; without authentication the Source trigger can never match, and the rule silently never fires.

Slide 10-5: How rules form policies

As Slide 10-5 illustrates, the Web access policy goes from general to specific. All employees are prohibited from accessing the BBC Web site and all travel-related Web sites.
XYZ Inc. Web Access Policy: similar rules become a layer in the Web Access Policy

Source   Destination   Service   Time            Action
ANY      BBC           ANY       ANY             DENY
ANY      Travel        ANY       ANY             DENY
ENG      Gaming        ANY       Mon-Fri, 8-17   DENY

Policy rules that apply to the same business rule can be grouped into a layer. In this example, the Engineering group has the added restriction of not being allowed to browse gaming sites during business hours; users in other groups do not have this restriction. Note that the Blue Coat SG provides the flexibility to create even more specific rules, specifying actions for individual employees or IP addresses.

Remember that rules are evaluated from top to bottom: once a matching rule is found, all subsequent rules in that layer are ignored. Important: Because each layer's decision overrides the decision of the layers before it, the rule that finally takes effect is the first matching rule in the last layer that matches the request. Put broad rules in early layers and exceptions in later ones, and check that a late, overly broad ALLOW does not quietly undo an earlier DENY.

Slide 10-6: VPM objects as they relate to policy translation
VPM Objects
• Trigger Objects: Source, Destination, Service, Time
• Action Objects: Action, Track

The VPM evaluates rules based upon trigger and action objects. Trigger objects represent the "who, where, how, and when" of a rule, while Action objects represent the "what." For example, if the Source field in a rule is set to ENG, a request from any user in that group triggers evaluation of the Destination, Service, and Time fields. If all triggers match, the VPM determines the action to apply by evaluating the Action and Track fields. The Action field normally allows or denies access or imposes a special condition (like requiring authentication). The Track field logs the result of the rule (for example, logging the fact that a user requested "illegal" content).

Slide 10-7: Default policies and their use
Default Policy
• Deny: All network traffic received by the proxy is blocked. Default option for Blue Coat SG.
• Allow: Network traffic is allowed through the proxy. Other policies can deny selected traffic.

A default policy of Deny prohibits access to the Blue Coat SG: to allow access, you must create policies that explicitly grant access.
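The evaluation order described above (first match within a layer, later layers overriding earlier ones, the default policy when nothing matches) is easy to get wrong when policies grow. The following is an added example, not code from the course or from Blue Coat: a small model of that evaluation run over the XYZ Inc. rules, plus a later exception layer added here to show precedence. Groups, hosts, categories and request times are constructed; `business_hours` implements the Mon-Fri, 08:00 to 17:00 window of Slide 10-4.

```python
"""Added example, not part of the BCCPA course: a model of how layered
policy rules are evaluated (first match within a layer, later layers
override earlier ones, default policy otherwise). The groups, categories,
hosts and request times are constructed; the rules follow the XYZ Inc.
slides, plus an extra exception layer to show precedence."""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

ANY = None   # a trigger left at ANY matches every request


@dataclass
class Request:
    user: str
    groups: set
    host: str
    categories: set            # categories the content filter returned
    when: datetime
    service: str = "http"


@dataclass
class Rule:
    source: Optional[str] = ANY                 # group name
    destination: Optional[str] = ANY            # host suffix or category
    service: Optional[str] = ANY
    time: Optional[Callable[[datetime], bool]] = ANY
    action: str = "DENY"
    track: Optional[str] = None                 # log tag when the rule fires

    def matches(self, req):
        if self.source is not ANY and self.source not in req.groups:
            return False
        if self.destination is not ANY:
            dest = self.destination.lower()
            host = req.host.lower()
            host_hit = host == dest or host.endswith("." + dest)
            if not host_hit and dest not in {c.lower() for c in req.categories}:
                return False
        if self.service is not ANY and self.service != req.service:
            return False
        if self.time is not ANY and not self.time(req.when):
            return False
        return True


def business_hours(t):
    """Mon-Fri, 08:00 to 17:00."""
    return t.weekday() < 5 and 8 <= t.hour < 17


def evaluate(layers, req, default="DENY", log=None):
    """Scan each layer top to bottom and stop at its first matching rule; a
    later layer's decision replaces an earlier one. With no match at all the
    default policy applies. Returns the final action."""
    decision = default
    for layer in layers:
        for rule in layer:
            if rule.matches(req):
                decision = rule.action
                if rule.track is not None and log is not None:
                    log.append(f"{rule.track}: {req.user} -> {req.host}")
                break                       # first match wins within the layer
    return decision


def xyz_policy():
    web_access = [                            # general to specific
        Rule(destination="bbcworld.com", action="DENY"),
        Rule(destination="Travel", action="DENY"),
        Rule(source="ENG", destination="Gaming", time=business_hours,
             action="DENY", track="gaming-blocked"),
    ]
    exceptions = [                            # a later layer overrides the first
        Rule(source="QA", destination="Gaming", action="ALLOW"),
    ]
    return [web_access, exceptions]


def request(user, groups, host, categories, when):
    return Request(user, set(groups), host, set(categories), when)
```

The `dana` case in the test is the one to remember: a user in both ENG and QA is denied by the first layer and then allowed by the exception layer, because the last matching layer has the final word. Run candidate requests through a model like this before loading policy on a production appliance.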
The default policy sets the proxy behavior when no other action is specified. The Blue Coat SG default policy is Deny. A default policy of Allow permits any and all access to the Blue Coat SG: to deny access, you must create explicit deny policies.

Note: The default proxy policy does not apply to admin transactions. By default, admin transactions are always denied unless you log in using console account credentials, or if explicit read-only or read-write privilege policies exist.

Chapter 11: Content Filtering

Content filtering is a major functionality of the Blue Coat SG. The content filter database is merely a list of sites, pages, and IP addresses organized by category. Depending on the vendor, a URL can belong only to one category or can belong to several categories. Whatever the case, the role of the database is to offer additional information to the Blue Coat SG (and to the administrator) about the request that is being made by a user. The content filter database does not block any site or any category by default. It is up to the administrator, through CPL or the Visual Policy Manager (VPM), to build a set of rules to allow or deny access to specific resources based on information obtained from the content filter.

There are two possible deployment options for content filtering:
• Onbox content filter database
• Offbox database (available with Websense® only)

For performance reasons, onbox is often the preferred choice: processing requests locally on the Blue Coat® SG™ is faster than opening a network connection to an external server. However, both configurations are fully supported and customers use either one.

None of the many supported vendor databases is available when you first configure the Blue Coat SG. You need to obtain a valid key for one of the vendors, download the database, and then install it. In SGOS v4.1.1.1 or higher,
you can test the Blue Coat WebFilter and another vendor at the same time. You may obtain a demo license for almost any of the vendors supported.

Slide 11-1: Logical flow of content filtering
Content Filtering - Logical Flow

The logical flow of a transaction via proxy, when content filtering is enabled, is fairly simple:
1. The user makes a request.
2. The proxy extracts the URL from the request and sends it to the content filter for categorization.
3. The content filter returns one or more categories (depending on the vendor) for that URL.
4. The policy engine considers the user's information, the time of the day, the URL, and its categorization, and based on the policies in place makes a decision to allow or deny the request.
5. The user receives the requested content or an exception page, depending on the decision made by the policy engine.

Two approaches to categorization are compared in Slide 11-2. One, used by some earlier vendors, attempts to provide categorization of Web sites by looking for key words in the HTML pages that users request.
Slide 11-2: Categorization techniques

Database approach. Pros: accuracy (100%), response time. Cons: small number of sites, update time.
Dynamic categorization. Pros: immediate coverage, any site, scalability, coverage (80/20 rule). Cons: response time, accuracy (90%).

There are two leading approaches to content filtering. The first, keyword scanning of requested pages, has two severe limitations: lack of scalability and lack of accuracy. The other approach consists of assembling a team of content researchers and posting a new database of sites organized by category. The new databases may be posted weekly, daily, or every few hours. The major limitation to this approach is the lack of flexibility and ability to adapt to specific content; nobody could ever classify the entire Web. Administrators can write policy to allow or deny access to resources based on the information in the database.

Slide 11-3: Blue Coat WebFilter characteristics
Blue Coat WebFilter
• Hybrid Solution: onbox database for Blue Coat SG; optional Service Component to categorize unrated URLs; immediate coverage for new sites (DRTR)
• Data Quality: consistency; relevant URLs (feedback)
• 58 Categories

Blue Coat WebFilter (BCWF) takes a hybrid approach in providing its content-filtering solution:
• Static list
• Remote Dynamic Categorization using advanced Bayesian statistical analysis

BCWF provides a static list with its onbox database. But BCWF also offers optional Remote Dynamic Categorization, which sends requests to a Dynamic Real-Time Rating (DRTR) server if the resource is not in the BCWF database loaded locally. The optional DRTR service also provides immediate coverage for sites that have not been previously categorized. BCWF also focuses on quality of results: it is highly consistent in how it categorizes resources and gives top priority to categorizing resources that are requested most frequently. It provides nearly 60 categories to allow a high degree of control in writing policy.
Slide 11-4: Blue Coat WebFilter datasheet (information as of August 30th, 2006; subject to change without notice)

Feature         Quantity       Comments
Languages       50+            40+ recognized languages, 10+ categorized languages
Ratings         15 Million+    Categorized URL list is growing daily; 4,000 to 6,000 additional unique URLs rated per day
Categories      58+            Includes spyware and malware
Categorization                 Highly accurate categorization of URLs; excellent quality
Dynamic Rating                 Categorizes over 95% of objectionable content

Blue Coat WebFilter supports an impressive number of languages, including Chinese, English, Finnish, German, Italian, Japanese, Arabic, and many others. The size of the database, the number of categories, and the number of URLs rated daily are in line with the major vendors in this market. You should also note that the number of URLs present in a list should only be part of the decision-making process to select a vendor. The URLs need to be relevant and most of all accurate. The Blue Coat content research team devotes serious attention to making sure that the list is not only as large as possible, but relevant and reliable.
Slide 11-5: Fundamental concepts for dynamic categorization
Dynamic Categorization - Overview

The dynamic categorization process is enabled by default when you use BCWF. You do not have to use dynamic categorization; however, it is an important complement to the BCWF. When a user requests a resource on the Internet, the Blue Coat SG first checks if that resource is categorized in the BCWF database loaded locally. If the resource is not categorized in the main list, the Blue Coat SG sends a request to the nearest DRTR server, which processes the request and returns a categorization.

Note: The request does not contain any user-related or any company-related information. It contains only the destination URL. Even so, a URL can carry sensitive data in its path or query string, and that data then leaves your network with the request; keep this in mind when deciding where to enable dynamic categorization.

Slide 11-6: Dynamic Real-Time Rating for Blue Coat WebFilter

The Internet changes constantly; no rating service can ever categorize every Web page, so a static list is only a partial solution to the need for categorizing content. When users request a new URL that has not been rated in the BCWF ratings database, the BCWF service uses its DRTR technology to retrieve the page from its host server to be analyzed for its content. The DRTR service looks at a number of elements, including the words on the page, the context of each word, and the formatting used on the page, and responds in one of two ways. If DRTR can determine a rating for a new Web site in real time, it rates and categorizes it. If the DRTR service cannot determine a rating in real time, it categorizes the site as "other" and moves it to a third-stage rating process called Dynamic Background Rating (DBR) for additional review. Once DBR has reviewed the site, it either assigns it to one of BCWF's 58 content categories or queues it in a list for the human reviewers to rate it. These sites are then added to the BCWF ratings database. For the kinds of sites DRTR is designed to catch, Pornography and Gambling among them, it can correctly categorize up to 95 percent of the requests it receives, a 95 percent success rate.
The entire process for categorizing Web sites operates as follows:
1. The user's request is matched against the BCWF database installed on the local machine. This lookup requires less than 5 ms, and 95 of every 100 URLs requested are found in the local database (provided that it is kept up to date).
2. If the URL is not available in the current database, BCWF queries the external database. This database contains the most up-to-date list of Web sites; it is updated every 15 minutes and contains what will become the new available list on the following day. This search can take up to 0.3 seconds and returns some additional sites.
3. When the external database does not have a categorization for the URL, it sends a request to the DRTR server. There are multiple locations around the world that handle this process; all of them feature high-availability servers and high bandwidth. This process can take up to five seconds. The DRTR server returns a response to the Blue Coat SG only if the URL is categorized as Adult, Pornography, Gambling, or one of a few other generally unacceptable categories; the other sites are not categorized. This behavior reduces the overall number of positive matches for DRTR requests to 12 percent. So, for every 100 generic requests received by the DRTR only 12 return a positive match; however, for every 100 adult URLs scanned by the DRTR, as many as 95 are correctly categorized.
4. The URLs that do not return a positive match after the DRTR lookup are forwarded to the Dynamic Background Rating (DBR) for additional review. This process is more intensive than the DRTR and can take up to 1 hour. The URLs that are categorized by the DBR are uploaded to the Master Rating Database (MRD), which is the database used to create the download list available daily to all of the BCWF subscribers. From the MRD they are sent to the external database (the one queried at Step 2) and into the BUFF database.
5. The URLs that do not have a match after being processed by the DBR are queued for human review by a multilingual team of content researchers. The human rating process can take a day or more. The reviewed URLs are then uploaded into the external database (the one used in Step 2) and into the BUFF.

While this process may seem laborious on the surface, it represents the state-of-the-art attempt to offer the most accurate, fast, reliable, and scalable answer to organizations' need to protect themselves from inappropriate Web surfing.

Slide 11-7: Dynamic categorization modes
Dynamic Categorization - Options

You can turn the DRTR lookup on or off. There are three options available for DRTR:
1. Do not categorize dynamically. The loaded database is consulted for category information, and the Blue Coat SG does not make any contact with the dynamic categorization service. URLs not in the database show up as category none. This mode is distinct from disabling the service: when Do not categorize dynamically is set as the default, dynamic categorization (in either real time or background mode) can still be explicitly invoked by policy, whereas when the service is disabled, no dynamic categorization is done, regardless of policy.
2. Categorize dynamically in real-time. The default. Objects not categorized by the database are dynamically categorized on first access. If this entails consulting the DRTR service, the proxy request is blocked until DRTR responds. The advantage of real-time mode is that Blue Coat policy has access to the results of dynamic categorization, which means that policy decisions are made immediately upon receiving all available information.
3. Categorize dynamically in the background. Objects not categorized by the database are dynamically categorized as time permits. Proxy requests are not blocked while DRTR is consulted, so transactions are not held back waiting for the DRTR response. Objects not found in the database appear as category pending, indicating that DRTR was requested but the object was served before the DRTR response was available. The DRTR response will be used for subsequent connection requests to that resource. Note that this means a category-based DENY cannot stop that first request; if that matters for a site class, write policy on the pending category explicitly. In the rare case where users experience DRTR-related response delays, you may want to try configuring DRTR to operate in the background before disabling it completely.

The graphs in the slide above show the sequence of events when the Blue Coat SG processes a transaction and DRTR is enabled:
• At time $t_0$ the transaction reaches the Blue Coat SG and policy evaluation begins.
• At time $t_d$ the Blue Coat SG determines that the site is not categorized and sends a categorization request to the DRTR.
• At time $t_p$, when the policy evaluation is completed, the Blue Coat SG is ready to make a decision.
• The DRTR server returns the result at time $t_r$.

In the graph on top, note that $t_r > t_p$. If you configure DRTR to categorize in real time, the Blue Coat SG holds the transaction for a time $t_w = t_r - t_p$ (bounded by the maximum time the Blue Coat SG waits for a DRTR response) and uses the result from the DRTR in the final policy evaluation.
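The three modes differ in what category policy sees and in whether the transaction is held. The following is an added example, not code from the course or from Blue Coat: a model of a proxy applying the three modes to constructed DRTR answers with their latencies, returning the category policy would see and the seconds the transaction was held, with the $t_p - t_d$ offset passed in as `policy_ready_at`. The local database, the DRTR answers and the blocked-category policy are all constructed for the example.

```python
"""Added example, not part of the BCCPA course: a model of the three DRTR
modes (none, real-time, background) and what each costs a transaction. The
local database, the simulated DRTR answers and their latencies, and the
blocked-category policy are constructed for this example."""
from dataclasses import dataclass, field
from typing import Optional

LOCAL_DB = {"www.news.example.test": "News/Media"}          # onbox list (constructed)
BLOCKED = {"Pornography", "Adult/Mature Content", "Gambling"}
DRTR_TIMEOUT = 5.0     # longest the SG waits for a DRTR answer, in seconds


@dataclass
class DrtrAnswer:
    category: Optional[str]   # None: DRTR had no confident rating
    latency: float            # seconds from request to answer, t_r - t_d


@dataclass
class Proxy:
    mode: str                 # "none", "realtime" or "background"
    drtr: dict                # host -> DrtrAnswer, standing in for the service
    cache: dict = field(default_factory=dict)   # dynamic ratings learned so far

    def categorize(self, host, policy_ready_at):
        """Return (category, seconds the transaction is held). policy_ready_at
        is t_p - t_d: how long the rest of policy evaluation takes after the
        DRTR request goes out."""
        if host in LOCAL_DB:                       # the sub-5 ms common case
            return LOCAL_DB[host], 0.0
        if host in self.cache:                     # answered on an earlier request
            return self.cache[host], 0.0
        if self.mode == "none":                    # never contact the service
            return "none", 0.0
        answer = self.drtr.get(host, DrtrAnswer(None, DRTR_TIMEOUT + 1))
        timed_out = answer.latency > DRTR_TIMEOUT
        rating = "none" if timed_out or answer.category is None else answer.category
        if self.mode == "realtime" or answer.latency <= policy_ready_at:
            # hold the transaction until the answer, or the wait limit, arrives
            wait = max(0.0, min(answer.latency, DRTR_TIMEOUT) - policy_ready_at)
            if not timed_out:
                self.cache[host] = rating
            return rating, wait
        # background: serve now as 'pending'; remember the answer for next time
        if not timed_out:
            self.cache[host] = rating
        return "pending", 0.0


def decide(category):
    """Policy: deny the generally unacceptable categories; 'pending' and
    'none' are not in that set, so background mode lets the first request
    to an unrated site through."""
    return "DENY" if category in BLOCKED else "ALLOW"


def sample_drtr():
    """Constructed answers: a quick Gambling rating, a slow answer that
    exceeds the wait limit, and a page DRTR cannot rate confidently."""
    return {
        "casino.example.test": DrtrAnswer("Gambling", 0.8),
        "slow.example.test": DrtrAnswer("Pornography", 9.0),
        "blog.example.test": DrtrAnswer(None, 0.3),
    }
```

Two things the model makes visible: in real-time mode a DRTR answer that never arrives costs the full wait limit and still yields category none, and in background mode the first visit to a site that DRTR would have rated Gambling is served while the second is denied. Decide which of those failure modes your policy can tolerate before choosing the mode.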
If you configure DRTR to Categorize dynamically in real-time, your Blue Coat SG incurs both bandwidth and latency costs. Dynamic categorization has two types of cost:
• Bandwidth: Represents the round trip request/response from the Blue Coat SG to the service. Because the dynamic categorization protocol is compact, this cost is minimal. Note: The bandwidth utilization by DRTR is a factor, but it is mostly negligible.
• Latency: Represents the time spent waiting for the dynamic categorization service to provide a result. You may experience a delay of up to 5 seconds if you decide to use the DRTR in real time (this is the maximum amount of time that the Blue Coat SG waits for a response from the DRTR).

If you configure DRTR to Categorize dynamically in the background, the Blue Coat SG incurs only the bandwidth cost: if the DRTR response arrives after the Blue Coat SG is ready to make a policy decision, the Blue Coat SG does not wait for it. In the bottom graph, when $t_p > t_r$, the Blue Coat SG receives the DRTR response before it is ready to make a policy decision. In this case, the options Categorize dynamically in the background and Categorize dynamically in real-time act in the same way.

Slide 11-8: Service points for Blue Coat WebFilter

Blue Coat has a worldwide customer base. The Blue Coat SG can use a distributed network of servers to enable customers to download the BCWF database updates reliably and efficiently and to expedite DRTR transactions. Currently, Blue Coat has DRTR and download sites in the U.S., Europe, and Japan. Each location features high-bandwidth Internet access and a fully fault-tolerant and load-balanced security and download architecture. The Blue Coat SG can discover, by contacting sp.cwfservice.net, the closest and most available download site for you.

Slide 11-9: DRTR results

Probability: The normalized probability calculated from each token (e.g. a word on the page) represents the probability that the entire page is in language Y and that it belongs to category X.

Precision (Accuracy): The precision determines how accurate DRTR is: out of 100 sites that DRTR marked as Pornography, how many are correctly categorized?
If DRTR claims 100 pages to be category X and 85 of them actually are category X, then the precision is 0.85. Blue Coat WebFilter aims at 85-90 percent precision. According to the course, Blue Coat has by far the fewest false positives in any published testing between content filtering vendors.

Recall (Coverage): The recall defines the ability of DRTR to catch all of the sites in a certain category: if the DRTR has processed 100 sites that are actually in the Pornography category, how many of them did it categorize as Pornography? A recall value of 0.85 means that out of 100 pages that actually are category X, DRTR categorizes 85 of them correctly.

The recall and precision values move in opposite directions: when one gets better, the other one gets worse. The goal for a tool like DRTR is to find a sweet spot where the precision is high enough without compromising the recall value.

[Slide 11-9 shows two result tables: per-language rows (english, Slovenian, Italian, chinese) and per-category rows (Sports/Recreation/Hobbies, News/Media, Education, Miscellaneous), each with Probability, Threshold and P/R (precision/recall) columns. The english row carries a normalized probability of 1.00000 and Sports/Recreation/Hobbies is the top category; the remaining values are not legible in this copy.]

In the example shown in the slide, the normalized probability for English is 1.00, so the DRTR is convinced that the page is indeed English, and the page is very likely to belong to the category Sports/Recreation/Hobbies.
Threshold: Threshold is the normalized minimum probability value for a given category to reach the designated precision and recall values.

Additional Notes

DRTR does not return a categorization to the requesting Blue Coat SG unless the recall and precision values are within specific parameters that Blue Coat defines. Currently the categories with the best recall-to-precision correlation are Pornography, Adult/Mature Content, Gambling, etc. For instance, if you process the site http://www.jal.co.jp through the DRTR, you will get the result of Unrated. In actuality, the DRTR engine has correctly identified that the language is Japanese and the category is Travel; however, the recall value is too low for the DRTR to be confident enough to return the categorization of Travel.

Local Database

Slide 11.10: Local database
• Custom Categories
  - Custom allowed list
  - Custom denied list
  - Internal URLs
• Performance and Security
  - Hash list
  - Does not require VPM/Management Console access

You can create your own local database file and download it to the Blue Coat SG. This file is created in the same way that policy files are created, except that only define category statements are allowed in the local database. You can use any combination of the local database, policy files, or the VPM to manage your category definitions. You can also use both a local database and a third-party vendor for your content filtering needs.

If you have extensive category definitions, Blue Coat recommends that you put them into a local database rather than into a policy file. Two main reasons to use a local database instead of a policy file for defining categories are:
• A local database is more efficient than policy if you have a large number of URLs. The local database stores custom categories in a more scalable and efficient manner.
• A local database separates administration of categories from policy. Being able to manage the local database as a stand-alone file, separate from the Management Console and the VPM, is useful for three reasons:
  - It allows different individuals or groups to be responsible for administering the local database and policy.
  - It keeps the policy file from getting cluttered.
  - It allows the local database to share categories across multiple boxes that have different policy.

However, some restrictions apply to a local database that do not apply to policy definitions:
• No more than 200 separate categories are allowed.
• A given URL pattern can appear in no more than four category definitions.
• Category names must be 32 characters or less.

You might find it convenient to put your local database on the same server as any policy files you are using.
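A validator for a local database file that enforces the three restrictions above, as an added example in Python. It is not Blue Coat's own loader: it parses `define category <name>` ... `end` blocks with one URL pattern per line, which is the only statement form allowed in a local database, and assumes that blank lines are ignored and that text after `;` is a comment (as in the policy language). The two sample files are constructed for the demo.

```python
"""Validator for a Blue Coat SG local database file.  Added example, not
Blue Coat's own loader: it parses `define category <name>` ... `end`
blocks (one URL pattern per line) and reports violations of the three
restrictions listed above.  Assumptions: blank lines are ignored and text
after ';' is a comment, as in the policy language."""
import re
from collections import defaultdict

MAX_CATEGORIES = 200
MAX_NAME_LENGTH = 32
MAX_CATEGORIES_PER_PATTERN = 4

DEFINE_RE = re.compile(r"define\s+category\s+(\S+)$")


def parse_local_db(text: str) -> dict:
    """Return {category_name: [url patterns]}.  Raises ValueError for
    anything that is not part of a define category block, since only
    those statements are allowed in a local database."""
    categories = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        match = DEFINE_RE.match(line)
        if match:
            if current is not None:
                raise ValueError(f"line {lineno}: 'define category' inside category {current!r}")
            current = match.group(1)
            if current in categories:
                raise ValueError(f"line {lineno}: category {current!r} defined twice")
            categories[current] = []
        elif line == "end":
            if current is None:
                raise ValueError(f"line {lineno}: 'end' without a matching define category")
            current = None
        elif current is None:
            raise ValueError(f"line {lineno}: only define category statements are allowed")
        else:
            categories[current].append(line.lower())  # hostnames are case-insensitive
    if current is not None:
        raise ValueError(f"category {current!r} is missing its 'end'")
    return categories


def check_restrictions(categories: dict) -> list:
    """Return human-readable violations (empty when the file is acceptable)."""
    problems = []
    if len(categories) > MAX_CATEGORIES:
        problems.append(f"{len(categories)} categories defined; at most {MAX_CATEGORIES} allowed")
    for name in categories:
        if len(name) > MAX_NAME_LENGTH:
            problems.append(f"category name {name!r} exceeds {MAX_NAME_LENGTH} characters")
    uses = defaultdict(set)
    for name, patterns in categories.items():
        for pattern in patterns:
            uses[pattern].add(name)
    for pattern, names in sorted(uses.items()):
        if len(names) > MAX_CATEGORIES_PER_PATTERN:
            problems.append(f"pattern {pattern!r} appears in {len(names)} categories; "
                            f"at most {MAX_CATEGORIES_PER_PATTERN} allowed")
    return problems


# Constructed sample files.  GOOD_DB follows the shape of a local database.
GOOD_DB = """\
; constructed sample local database
define category mycompany_allowed
bluecoat.com
microsoft.com
end
define category mycompany_internal
intranet.mycompany.com
end
"""

# BAD_DB puts one pattern into five categories and uses a 36-character name.
BAD_DB = "\n".join(f"define category cat{i}\nshared.example.com\nend" for i in range(1, 6)) + \
    "\ndefine category this_category_name_is_way_too_long_x\nx.example.com\nend\n"


if __name__ == "__main__":
    print(check_restrictions(parse_local_db(GOOD_DB)))   # []
    for problem in check_restrictions(parse_local_db(BAD_DB)):
        print("violation:", problem)
```

Running the check before pushing a file to the appliance catches the limits that would otherwise only surface when the download is rejected; the per-pattern count is the one that is hard to see by eye once a database has grown to thousands of entries.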
You can configure the local database to be updated as frequently as once a day. Ordinarily, the Blue Coat SG checks whether the database has changed before initiating a download. If the database is up to date, then no download is necessary and none is performed. You can override this check and force a download by selecting Force Full Update; this option is not needed under normal circumstances.

The following is an example of a local database file:

define category mycompany_allowed
bluecoat.com
microsoft.com
symantec.com
sophos.com
kaspersky.com
end
define category mycompany_denied
www.playboy.com
www.sex.com
www.hacking.com
end
define category mycompany_internal
intranet.mycompany.com
webmail.mycompany.com
401k.mycompany.com
end

Chapter 12: Managing Downloads

Sometimes the greatest business and security risks come from within an organization. And while most organizations have taken steps to address the security threat posed by e-mail viruses, the problems arising from employee Web browsing and downloading have not received as much attention. As users download seemingly safe content such as music files, they can also unknowingly download hidden viruses, Trojans, or malware. Left unchecked, the Internet can hurt productivity and expose companies to potential lawsuits, especially when objectionable Web content is being accessed. When you add the time and resources lost while employees browse and download content, you can see that corporations simply cannot afford to overlook the problems posed by user downloads.

In this chapter, you will learn how HTTP is used to send data over the Web, and how the Blue Coat SG can determine which type of file you are attempting to download, using any of the following parameters: file extension, declared MIME type, or file header, and block the download if necessary.

The process of transferring data over HTTP is relatively simple:
1. The user agent (UA) requests the specific file using one of the allowed methods (most likely GET).
2. The origin content server (OCS) responds (if everything is correct in the request) and specifies:
   • the type of file being delivered (text, image, application);
   • the sub-type (for images: gif, jpeg, etc.);
   • the encoding of the data (none, gzip, deflate, etc.).

The Blue Coat SG knows the file that you are requesting, based on the URL presented, and reads the information in the response header as well as in the response data portion.

Though HTTP is designed to use Multipurpose Internet Mail Extension (MIME) types, it does not transform binary data to text. You can transfer binary data as-is in the data portion of an HTTP response, provided that correct information is included in the response header and the client supports it; unlike e-mail, HTTP does not require base64 encoding of the body. MIME types are not peculiar to HTTP. They were originally developed to deliver non-text e-mail attachments but are now used in many other applications as well. MIME types are very important because they can be used to identify the content type. The details of MIME types are defined in RFC 2045 and RFC 2049.
The rest of the chapter helps you understand how downloads over HTTP operate and how you can use the Blue Coat SG to control them.

Slide 12.1: HTTP download threats
• Malicious software: spyware, malware
• Bandwidth: large downloads can clog the network
• Productivity: most downloads are not business relevant

The majority of viruses travel the Internet through e-mail; however, malware, spyware, and other threats are often delivered via HTTP. Improvements in the protocol, and particularly enhancements in user agents, make it possible to write harmful code that users can download, completely unaware that they are doing so. In addition, freeware and shareware software often contain more-or-less hidden code, which tracks any sort of information about a user and can result in reduced machine and network performance. Downloads of large files can cause incremental network degradation.

A complete security policy should include tight control of the file types that users can download and the sources from which they can download. The best approach is to block the following file types: executables, ActiveX®, JavaScript®, and other scripts. You also should create a white list of approved sites; this list usually includes the download sites for your antivirus vendors, operating system vendors, and other suppliers of critical software updates.

HTTP Downloads

Slide 12.2: HTTP data transfer

The slide above shows how different files can be transferred over HTTP and how different encoding formats can apply.

The top diagram shows a UA asking for a file that most likely is an image file. The OCS replies and specifies that the attached binary data should represent an image in JPEG format. Again, it is important to use the word should, because an OCS often declares the MIME type of an attached file solely based on that file's extension. You cannot be sure what the file really is. At times, malicious sites host harmful files, naming them with extensions reserved for other file types.

The bottom diagram shows a UA asking for a file that most likely is an HTML page. The UA, in the original request, asked for gzip-compressed content. The OCS responds and declares the attached file as an HTML page in text format. However, in this scenario, the OCS has applied gzip compression to the file and has declared it in the response header. The presence of the Content-Encoding header signals to the UA that the file received needs to be decompressed using gzip. The OCS can apply a different type of encoding, if available, as long as the client has declared, explicitly or implicitly, that it will accept that encoding. A proxy that inspects downloads must therefore remove the content-coding before looking at the body: until it is decompressed, the leading bytes of a gzip-encoded HTML page are the gzip header, not HTML. In general, an OCS, even if it supports compression, will not attempt to compress file formats, like JPEG, which already are inherently compressed. JPEG is a lossy compression format; applying gzip to it may have a null or even negative effect on the resulting file size.
Slide 12.3: HTTP and MIME types
• HTTP uses many of the constructs defined for Multipurpose Internet Mail Extensions (MIME)
• The Content-Type header field uses the standard MIME types
• Several other encoding types exist for the HTTP response: Content-Encoding, Transfer-Encoding

By using MIME types, HTTP can label binary content such as images, sounds, movies, mp3 files, and computer programs so that your browser knows what it is receiving and how to handle it. The list below discusses important MIME headers:

MIME-Version: The presence of this header indicates that the message is MIME-formatted. The value is typically "1.0", so this header appears as "MIME-Version: 1.0".

Content-Type: This header indicates the type and subtype of the message content, for example "Content-Type: text/plain". As RFC 2045 states, the Content-Type header is "used to specify the media type and subtype of data in the body of a message and to fully specify the native representation (canonical form) of such data." Other examples of content type and subtype include video/mpeg, image/gif, and application/msword.

Transfer-Encoding: The transfer-encoding, as RFC 2616 states, "indicates what (if any) type of transformation has been applied to the message body in order to safely transfer it between the sender and the recipient. This differs from the content-coding in that the transfer-coding is a property of the message, not of the entity." If multiple encodings have been applied to an entity, the transfer-codings must be listed in the order in which they were applied.

File Type Detection

Slide 12.4: File type detection methods
• File extensions: .avi, .jpeg, etc.
• MIME types: text/html, image/gif, etc.
• Apparent Data Type: initial bytes in a file

Now that you know the process behind Web downloads, let's talk about how to block them. The Blue Coat SG provides a high-performance and flexible way to create and enforce user download policies. You can even create policies that specify when and where downloads are blocked. For example, you can block users from downloading video files from any news sites during work hours. You can block by:
• File extension types: For example, you can configure the Blue Coat SG to block users from downloading .bmp, .txt, etc.
• MIME types: For example, you can configure the Blue Coat SG to block all (or only some) audio or image files.
• Apparent Data Type: The Apparent Data Type refers to special data located at the beginning of a file that is used to indicate its type. The Blue Coat SG scans the first bytes of the response body to determine whether the special data is present.

File Type Detection Ambiguity

Slide 12.5: File type detection ambiguity

It is possible, however not very likely, that files are hosted on a server with the incorrect extension. More often than not, the OCS declares the MIME type of a file solely based on the file's extension. Because of this, you can get a total mismatch between the actual file and its MIME type. For example, it is possible that malicious Web sites host executable files but with an extension that makes them look like another file type.

The slide shows a GIF image that was renamed from test.gif to test.txt and hosted on an Apache Web server. When the UA issues a GET request for the test.txt file, the OCS generates a response in which the header declares the MIME type as text/plain (as it should be for a .txt file). The captured response looks like this:

HTTP/1.1 200 OK
Date: Thu, 21 Sep 2006 05:52:12 GMT
Server: Apache/1.3.31 (Unix)
Last-Modified: Thu, 21 Sep 2006 05:49:35 GMT
ETag: "c3e01-4299-451227ef"
Accept-Ranges: bytes
Content-Length: 17049
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

GIF89a ... (binary image data follows)

If you take a close look at the packet capture, you can see how the data part clearly contains a GIF file. (GIF files usually contain the value GIF89a as file header.) You can do the same with an executable file. If your policies deny access to GIF files based solely on file extension or MIME type, this particular file would be accepted because it does not match such policies.

The apparent data type, discussed in detail later, allows you to control file downloads using the information in the file rather than the extension or the MIME type. While the Apparent Data Type feature is 100 percent accurate for the formats it recognizes, it currently blocks only the following file types: Windows® DLL and executable files, ActiveX controls (.OCX), and Windows cabinet files (.CAB). You can block virtually any file type, but this requires you to write policies in CPL. Each blocking scheme has its own advantages, and you may need to experiment to see what works best for you in your environment.
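The three detection methods and the test.txt mismatch above, together with the Content-Encoding point from the HTTP Downloads discussion, as an added worked example in Python. This is not Blue Coat code and not how SGOS implements the Apparent Data Type feature: it parses a raw HTTP response, undoes gzip Content-Encoding before looking at the body, derives a type from the URL extension, from the declared Content-Type and from the leading bytes, flags any disagreement between the three, and denies only the apparent types the text says the built-in feature blocks. The magic-byte table, the extension and MIME maps, and the three sample responses are constructed for the demo (the first mirrors the Apache capture above).

```python
"""Download inspection by extension, declared MIME type and apparent data
type (leading bytes), with gzip Content-Encoding undone first.  Added
example, not Blue Coat code; the signature tables and the sample responses
are constructed for the demo."""
import gzip
from urllib.parse import urlsplit

# Magic-byte prefixes -> apparent type.
MAGIC = [
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"MZ", "exe"),          # PE: Windows .exe, .dll, .ocx
    (b"MSCF", "cab"),        # Windows cabinet
    (b"PK\x03\x04", "zip"),
    (b"\x1f\x8b", "gzip"),   # body is still compressed
]
EXTENSION_TYPE = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png",
                  "exe": "exe", "dll": "exe", "ocx": "exe", "cab": "cab",
                  "zip": "zip", "txt": "text", "htm": "text", "html": "text"}
MIME_TYPE = {"image/gif": "gif", "image/jpeg": "jpeg", "image/png": "png",
             "application/x-msdownload": "exe",
             "application/vnd.ms-cab-compressed": "cab",
             "application/zip": "zip", "text/plain": "text", "text/html": "text"}
# The apparent types the text says the built-in feature blocks.
BLOCKED_APPARENT_TYPES = {"exe", "cab"}


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def apparent_type(body: bytes) -> str:
    """Classify by leading bytes; plain printable ASCII counts as text."""
    for prefix, kind in MAGIC:
        if body.startswith(prefix):
            return kind
    sample = body[:64]
    if sample and all(32 <= b < 127 or b in b"\r\n\t" for b in sample):
        return "text"
    return "unknown"


def inspect(url: str, raw: bytes) -> dict:
    """Compare the three views of a download and decide allow/deny."""
    _, headers, body = parse_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)   # sniff the real payload, not the wrapper
    filename = urlsplit(url).path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    views = {
        "extension": EXTENSION_TYPE.get(ext, "unknown"),
        "declared": MIME_TYPE.get(declared, "unknown"),
        "apparent": apparent_type(body),
    }
    known = {v for v in views.values() if v != "unknown"}
    views["mismatch"] = len(known) > 1
    views["verdict"] = "deny" if views["apparent"] in BLOCKED_APPARENT_TYPES else "allow"
    return views


# Constructed sample 1: the GIF renamed test.txt, served by Apache as text/plain.
GIF_AS_TXT = (b"HTTP/1.1 200 OK\r\n"
              b"Date: Thu, 21 Sep 2006 05:52:12 GMT\r\n"
              b"Server: Apache/1.3.31 (Unix)\r\n"
              b"Content-Type: text/plain\r\n\r\n"
              b"GIF89a\x10\x00\x10\x00\x80\x00\x00" + bytes(24))
# Constructed sample 2: a PE executable served under a .jpg name as image/jpeg.
EXE_AS_JPG = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n\r\n"
              b"MZ\x90\x00\x03\x00\x00\x00" + bytes(56))
# Constructed sample 3: a gzip-encoded HTML page, correctly declared.
HTML_GZIP = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             b"Content-Encoding: gzip\r\n\r\n"
             + gzip.compress(b"<html><body>hello</body></html>"))

if __name__ == "__main__":
    print(inspect("http://www.example.com/test.txt", GIF_AS_TXT))
    print(inspect("http://www.example.com/photo.jpg", EXE_AS_JPG))
    print(inspect("http://www.example.com/index.html", HTML_GZIP))
```

The first sample is the ambiguity case from the slide: extension and declared type agree on text, the body says GIF, and an extension- or MIME-only rule would let it through. The second shows why the apparent type is the one worth denying on: a renamed executable passes both of the cheap checks. The third shows that without the `gzip.decompress` step the apparent type of a correctly declared HTML page would be reported as gzip, which would make every compressed page look like a mismatch.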
Chapter 13: Managing Instant Messaging

Instant messaging (IM) has become common in the enterprise. It helps co-workers communicate quickly and easily. IM differs from e-mail in that messages are exchanged in real time. To accomplish this, an IM client program connects to an IM server. Most IM services offer a feature that indicates whether people on a user's list of contacts are currently online and available to chat; some indicate whether the other party is typing a reply. Modern IM programs have an input window and another window to display the running conversation. It is even possible to save the complete record of the conversation as a simple text file. Many IM systems offer a directory of users, including such demographic information as age and sex. Advertisers can gather this information and send unsolicited messages; IM systems have become popular targets for spammers (SPIM).

The benefits of using IM as a business tool are well-known. IM also raises concerns about security, however. Sensitive information can leave the company through messages to outsiders, and viruses and other malware can enter the network from files shared through IM clients. Several IM clients are capable of requesting that their communications be encrypted. This can lead to a serious security problem because the Blue Coat SG cannot determine what is being sent or received to enforce its policy rules. The Blue Coat SG allows the administrator to block all encrypted traffic.

The Blue Coat SG serves as an IM proxy. Administrators can allow employees to use IM or prevent them from using it. Or, administrators can permit employees to use only certain features of IM while keeping their network more secure. The Blue Coat SG allows network administrators to control the use of selectable IM features for AOL, MSN, and Yahoo! clients. You can select allowed protocols, establish authentication rules for using IM, block IM access by user or other criteria, allow or deny chat activity, allow or deny attachments by file type, search for keywords, filter keywords, and limit chat room access on a global or per-user basis. Flexible policies can be defined to block file transfers. Additionally, all IM conversations can be monitored and logged.

The Blue Coat SG supports instant messaging through the HTTP proxy, which allows IM activity from behind restrictive firewalls. IM clients are configured to connect to IM services through HTTP. The application of policies and IM activity logging is accomplished by the HTTP proxy handing off IM communications to the IM proxy. The Blue Coat SG supports explicit proxy authentication if an explicit SOCKS V5 proxy is specified in the IM client configuration. Consider the following proxy authentication notes, which apply to IM clients using the HTTP proxy:
• AOL IM: Proxy authentication is supported.
• MSN IM (5.0 and above): Although the MSN IM client supports user credentials, it cannot respond to HTTP proxy authentication requests from the Blue Coat SG, and the MSN Passport service login fails. You can, however, add policy to pass through the traffic to the MSN passport.com site without requiring authentication.
• Yahoo! IM: Yahoo! IM clients do not have proxy authentication configuration abilities.

AOL and Yahoo! clients lose certain features when connected through the HTTP proxy rather than through SOCKS or transparent connections:
• AOL: Direct connections, file transfers, and file sharing are not available.
• Yahoo!: The client cannot create a chat room.
Note: Instant messaging is not related to Microsoft Windows Messaging, which is used to allow servers to send alerts to administrator workstations. Note also that Windows Messaging can carry spam, which appears as a normal dialog box containing the spammer's message as text. In the event Windows Messaging is abused at your site, it can be disabled in a variety of ways.

Instant Messaging Overview

Slide 13.1: Instant messaging overview
• Powerful and productive communication tool
• Prone to a wide variety of threats

IM protocols allow communication across the Web under almost any possible configuration. They are therefore difficult to control using existing network products. Any of the instant messaging services present various challenges when used in an enterprise network:
• Leakage of confidential information
• Spread of viruses and other malicious code
• Verbal harassment
• Annoyance (SPIM, which is spam over IM)

IM has several security weaknesses that enable users to exploit third-party software to perform possibly malicious acts, such as harvesting IP addresses and sending viruses upon a direct connection. Although some are merely annoying, others perform potentially dangerous actions. AIM®, AOL's instant messaging service, also can pose problems through the Viewpoint Media Player plug-in for displaying graphical content, which also collects usage information and sends it on to its Viewpoint server.

Blue Coat SG and IM

Slide 13.2: IM and Blue Coat SG

The Blue Coat SG provides administrators with the features to manage and control IM traffic entering and leaving the corporate network. AOL, MSN, and Yahoo! instant messaging communications can be controlled and logged to meet compliance requirements in place at many corporations. The Blue Coat SG can monitor and record every transaction that occurs over IM. You can keep the logs, run reports, and even replay any conversation between individual users or within chat rooms. This feature is extremely important for regulatory compliance.

Usage policies can be written to determine which protocol methods are allowed. For example, the file transfer feature can be disabled so that users cannot send files from the corporate network using IM. An administrator also can prevent the transmission of instant messages that contain unacceptable keywords pre-defined by a company's security policy. You also can apply specific traffic-shaping policies: you can decide the maximum bandwidth allocated for IM-type traffic and granularly control what files, if any, can be transferred.

Within certain limitations, you can associate IM traffic with the actual user logged onto the machine that sent a message. The type of authentication that can be used (SOCKS version 5, HTTP 407, etc.) depends on the client vendor and the client version. Additionally, the Blue Coat SG has the ability to determine whether the traffic is coming from a client that is directly connected to it or from an external source. This allows you to create advanced policy and restrict communications only to users within your network.
Protocol Handoff

Slide 13.3: Protocol handoff

The Blue Coat SG can receive traffic on any TCP port, as long as there is a service running and listening for connections on that TCP port. Each port, or port range, is associated with a protocol. For example, you can associate HTTP with TCP port 80. When you associate a port with a specific protocol (with the exception of TCP-Tunnel), the Blue Coat SG expects the traffic on those ports to contain the actual protocol specified. For example, if you assign port 80 to HTTP, the Blue Coat SG expects to receive HTTP traffic on that port. If you send anything that is not HTTP, the connection will time out after a few seconds.

Applications, for both legitimate and not-so-legitimate reasons, commonly try to encapsulate data over a port usually reserved for a different type of traffic. Several non-HTTP applications communicate over port 80 and encapsulate their protocol over HTTP. IM clients can be configured to use any TCP port; they also can be configured to use HTTP and SOCKS proxies.

The Blue Coat SG can detect IM traffic encapsulated over HTTP, proxied over SOCKS ports, and carried natively over TCP-Tunnel ports and IM-specific ports. If you enable HTTP handoff of IM, IM traffic that is encapsulated in HTTP or proxied over HTTP is processed by the Blue Coat SG IM engine. For instance, if you encapsulate IM over HTTP and connect to the Blue Coat SG with handoff enabled, the IM protocol is recognized and IM policy is applied. If you have handoff disabled, then only HTTP policy applies.

If traffic is encapsulated over another protocol, both the IM-specific policies and the policies affecting the protocol over which IM is tunneled apply. In particular, if you tunnel IM over HTTP, both IM policy and HTTP policy apply. However, you need to note that allow or deny policies and policies related to authentication apply, but other, more complex policies, such as modifying HTTP headers or URL rewrite, do not apply if the Blue Coat SG detects that the traffic is IM. In reality, the handoff process does not modify the IM packet in any way. Unless a specific policy applies, the IM server and the intended recipient receive the packet, as long as there are no policies that deny that particular transmission.

If you want to allow a specific IM client to connect through HTTP through the Blue Coat SG, and that IM protocol has not been licensed (the IM license is optional but free), then disable HTTP handoff to allow the traffic to be treated as plain HTTP traffic and to avoid an error in the licensing check done by the IM module. This might also be necessary to temporarily pass through traffic from new versions of IM clients that are not yet supported by the Blue Coat SG.
Instant Messaging Reflection

Slide 13.4: IM reflection
• Normally, an IM from one user to another is sent to and from an IM service
• IM Reflection allows containing IM traffic within the enterprise network
  - All IM traffic on the same network never travels beyond the Blue Coat SG
  - This includes IM users who log into different Blue Coat SGs configured in a hierarchy (proxy chaining)

Normally, an IM sent from one user to another is sent to and from an IM service. IM reflection allows you to contain IM traffic within the enterprise network. With IM reflection, IM traffic between users on the same network, including chat messaging, never has to travel beyond the Blue Coat SG. This includes IM users who log on to two different Blue Coat SG appliances configured in a hierarchy (proxy chaining). IM reflection involving clients in different buildings and even on different sites is still possible by using SOCKS and HTTP forwarding, policy, and a Blue Coat SG hierarchy. Reflection further reduces the risks of exposing company-confidential information through public IM networks and of allowing a client to become infected with a virus or malicious code. IM activity between clients on the internal network and those outside is forwarded to the IM service provider for normal delivery.

IM Reflection with Fail Open

This slide and the next illustrate the choice of actions when reflection is not possible. The Blue Coat SG administrator must decide to allow or deny IM traffic.

Slide 13.5: IM reflection - fail open

The diagram in the slide above demonstrates an IM reflection deployment with fail open on a Blue Coat SG that is configured to attempt to reflect all IM activity. The circle shows the area of reflection.
• IM clients on the left side of the slide are logged into the same Blue Coat SG, while the one on the right is outside the network.
• IM activity between the clients on the left is reflected by the Blue Coat SG. If the Blue Coat SG detects that a packet is coming from this area, it does not send the information to the IM server. Instead, it emulates the remote IM server. As far as the clients are concerned, they are sending and receiving messages from the actual IM server; they are totally unaware that the Blue Coat SG is reflecting the messages.

Fail-open reflection is useful in controlling the amount of WAN bandwidth utilized and in ensuring that internal exchanges of communications remain internal.

IM Reflection with Fail Closed

Slide 13.6: IM reflection - fail closed

IM reflection with fail closed keeps users in a network from spending work time chatting with friends and family members and prevents them from communicating sensitive or proprietary company information to outsiders. Fail-closed reflection completely isolates the internal users from the outside world. The clients within the area of reflection are allowed to communicate with the IM server for the initial connection; authentication and authorization are still managed by the actual IM server. After the initial logon, the clients within the reflection area can send and receive messages only to and from other clients in the same zone; they cannot send or receive messages to and from the outside world.

Clients in the reflection area appear online and active to the external clients. If an external client is sending a message to a client inside the area of reflection:
• It assumes that the message was delivered.
• The internal client receives a message from the Blue Coat SG notifying it that the message was blocked.

If a client in the reflection area attempts to connect to an outside user:
• It receives a message from the Blue Coat SG notifying it that the message was blocked.
• The external client is completely unaware that a message was sent to it.

While this may seem harsh, it allows you to secure your network against loss of confidential information and wasted productivity. You may want to use a combination of fail-closed and fail-open approaches in controlling IM:
• Fail closed for file transfer.
• Fail open for certain allowed users and contact names for anything except file transfer.

Important: An administrator can add a policy rule to deny IM service to clients not logged into the Blue Coat SG.
W h e n more clients are a d d e d to a client-server n e t w o r k (and the n u m b e r of servers does not change). it n o w uses a m i x e d .m o d e system. Queries are sent to k n o w n hosts. Peers participating in the Gnutella n e t w o r k (the third largest peer-to-peer network) connect to a b o u t five other n o d e s . w h i c h are well k n o w n . Very few. It also potentially reduces the load on existing nodes while increasing the n e t w o r k ' s overall performance a n d fault-tolerance. all nodes h a v e the s a m e role a n d the s a m e i m p o r t a n c e . Once a list of nodes is available to a peer. How Peer-to-Peer Networks Work Discovery of other n o d e s in a peer-to-peer n e t w o r k r u n n i n g on the Internet infrastructure presents s o m e challenges. just as the DNS m o d e l needs root servers. Content can be retrieved from m o r e than o n e host at the time. Note: Peer-to-peer n e t w o r k s are designed to bypass traditional firewalls to t u n n e l traffic over HTTP ports. to locate hosts. As long as at least one special peer a n d o n e peer are active. originally i n t r o d u c e d by the FastTrack network. It uses a p u r e peer-to-peer n e t w o r k .) leverages the idea of a n o n y m i t y of t h e participant a n d interaction w i t h t r u s t e d or w e l l . Figure 14-1: Pure peer-to-peer vs. the court stated that "We hold that one w h o distributes a device w i t h the object of p r o m o t i n g its u s e to infringe copyright. The content is stored on the different hosts that participate in the network. If at least t w o hosts are active. Ltd. the n e t w o r k is active a n d m o r e hosts can join. the n e t w o r k is active a n d m o r e hosts can join. G n u t e l l a w a s d e v e l o p e d as an alternative to the e m b a t t l e d Napster. w h i c h are vital for the n e t w o r k to exist a n d function. peer-to-peer n e t w o r k s are not illegal per se. 
Legal issues F r o m a legal s t a n d p o i n t .7. this w a s the real revolutionary concept. Universal City Studios Inc. as s h o w n by the clear expression or other affirmative steps taken to foster infringement. In the United States. w h i c h is nearly impossible to s h u t d o w n . unless advertised a n d used solely (or primarily) to violate c o p y r i g h t laws (or any other law for that matter). the S u p r e m e C o u r t has issued t w o rulings that are relevant to the peer-to-peer n e t w o r k s : • • M G M Studios Inc. Grokster. in a d d i t i o n to the regular p e e r hosts. First-generation n e t w o r k s are easy to s h u t d o w n b e c a u s e the indexing servers. vs." 134 . These n e t w o r k s are k n o w n as second generation peer-to-peer networks. N a p s t e r w a s s u e d over c o p y r i g h t infringement. is n o w u s e d by most of the other n e t w o r k s .k n o w n peers. there are s o m e n o d e s that function as special peers. This a p p r o a c h .k n o w n w a s Napster. Scalability issues h a v e p u s h e d developers to a d d the concept of special peers. — June 2005 Sony Corporation of A m e r i c a vs.1 M i x e d . Entropy. Software a n d n e t w o r k s based on centralized indexing are called first generation peer-to-peer n e t w o r k s . etc. a mixed-mode network with special peers History of P2P Networks T h e first peer-to-peer application to become w e l l . — 1984 In the m o s t recent ruling. are well k n o w n a n d easily identifiable. T h e third generation of peer-to-peer n e t w o r k s (I2P. is liable for the resulting acts of infringement by t h i r d parties. A special p e e r is a host that has m o r e information about the s t a t u s of the n e t w o r k a n d can o p e r a t e as an i n d e x i n g server.Blue Coat Educational Services — BCCPA Course v 1. Several peers w o r k in conjunction w i t h one special peer. 
m a k i n g it not a p u r e peer-to-peer.m o d e n e t w o r k s are similar in concept a n d design to the p u r e peer-to-peer n e t w o r k s . the result is similar to h a v i n g a series of star n e t w o r k s . This a p p r o a c h eliminates the scalability concerns while still m a k i n g the n e t w o r k h a r d to control. This n e t w o r k uses a centralized indexing server. These n e t w o r k s are not yet very p o p u l a r but can further contribute to the uncontrolled a n d u n a u t h o r i z e d distribution of c o p y r i g h t e d material. 135 .Chapter 14: Managing Peer-to-Peer Traffic A c o m p a n y that allows e m p l o y e e s to access peer-to-peer n e t w o r k s m a y be held liable if its e m p l o y e e s use the c o m p a n y ' s n e t w o r k resources to d o w n l o a d a n d redistribute c o p y r i g h t e d content. Important: The content d o w n l o a d e d by one n o d e is then available to the other u s e r s on the n e t w o r k w h o m a y d o w n l o a d the s a m e file from that node. QTorrent.Gnutella • Provides policy control of P2P traffic • Reduces bandwidth consumption and liability risk of illegal file sharing Slide 1 4 . SimpleBT. KCeasy.Blue Coat Educational Services — BCCPA Course v 1. eMule. etc. P h e x Poisoned. BitAnarch. BitTorrent. • • P2P n e t w o r k : t h e c o m m u n i t y of clients u s i n g a specific v a r i a n t of a P2P protocol P2P protocol: t h e u n d e r l y i n g t e c h n o l o g y t h a t p o w e r s a n e t w o r k P2P client: t h e u s e r interface t h a t p a r t i c i p a n t s in a c o m m u n i t y u s e T h e table b e l o w gives y o u a n i d e a o f h o w m a n y different clients s h a r e t h e s a m e technology. eDonkey2000. TorrentStorm.FastTrack (Kazaa) .7. LMule. gtk-gnutella. MLDonkey.1: Networks and clients BitTorrent Edonkey FastTrack Gnutella ABC. M L D o n k e y . mlMac. BitTornado.1 Peer-to-Peer Detection . Poisoned. XoloX. 
P2P protocols.1 : Supported P2P n e t w o r k s T h e r e is f u n d a m e n t a l difference b e t w e e n P2P n e t w o r k s . Shareaza. 136 . etc. aMule. TomatoTorrent. giFT. BitSpirit. Swapper. BearShare. mlMac. A z u r e u s . a n d P2P clients. Acquisitionx. mlMac. G n u c l e u s Grokster. Table 14. Cabos. BetBug. G3 Torrent. MLDonkey. MLDonkey. i M e s h Light. iMesh. Kazaa. Shareaza. LimeWire. etc. etc. xMule. iMesh. M a m m o t h . mlMac. M o r p h e u s . BitComet. Grokster. M i n d G e m .Overview • Recognizes common P2P traffic through various proxy service ports — BitTorrent . Shareaza.eDonkey . The Blue Coat SG can detect P2P traffic t u n n e l e d over H T T P or SOCKS by enabling the Detect Protocol setting for each c o r r e s p o n d i n g service. The Blue Coat SG examines all the packets it receives for ports on which a service is r u n n i n g a n d can g r a n u l a r l y analyze the structure of the packet to determine if it is P2P. 137 .k n o w n o p e n ports on firewalls a n d s h a p e traffic to look like HTTP.SOCKS . It uses a d v a n c e d protocol-recognition technology to identify the specific P2P protocol.HTTP . try to tunnel traffic over w e l l .TCP-Tunnel port Slide 1 4 . The benefit of the default proxy service is that there is no need to create a service a n d explicitly define a TCP port. The default proxy service (which listens on all p o r t s not assigned to other services) can be enabled to detect P2P traffic on any TCP port. a l t h o u g h this also is an option. Most a d v a n c e d users.t o .2 : P e e r . P2P applications often use a r a n d o m TCP port to c o m m u n i c a t e . Some other p r o d u c t s associate P2P traffic w i t h specific ports a n d do not s u p p o r t t u n n e l e d protocols.Chapter 14: Managing Peer-to-Peer Traffic Peer-to-Peer Detection P2P traffic is detected on . regardless of the destination port a n d IP a d d r e s s e s . 
Some users m a y even try to t u n n e l the traffic over SOCKS. a n d s o m e t i m e s even the client software.p e e r detection The Blue Coat® SG™ s u p p o r t s all the m a i n second-generation networks. For instance. If there is no service listening on a specific p o r t a n d the default proxy service is not enabled. The firewall allows all o u t b o u n d traffic. If y o u h a v e not created a service to listen on port 6134 a n d the default p r o x y service is not listening. T h e d e p l o y m e n t option is irrelevant. if the firewall allows all o u t b o u n d traffic a n d the Blue Coat SG default proxy service is listening. etc. Note: You can e x t e n d the concepts discussed here for the b r i d g i n g m o d e d e p l o y m e n t to all of the other d e p l o y m e n t s : explicit proxy. Connection termination is b a s e d on services r u n n i n g . then no action can be t a k e n on traffic reaching the Blue Coat SG over the r e q u e s t e d port. 138 .Blue Coat Educational Services — BCCPA Course v 1.7.1 Deployment . the P2P activity will be detected. WCCP. You h a v e a Blue Coat SG d e p l o y e d in b r i d g i n g m o d e .3 : D e p l o y m e n t o p t i o n s f o r P2P d e t e c t i o n The Blue Coat SG is a device that terminates T C P connections on one side a n d o p e n s n e w connections on the other side.General Concepts • P2P traffic on ports without proxy services will not be detected and cannot be blocked • Configure the firewall to deny traffic on other ports Slide 1 4 . then the Blue Coat SG cannot identify the P2P activity. O n e or more ports are associated w i t h a r u n n i n g service. On the other h a n d . a s s u m e that a P2P application uses port 6134. Layer 4 switch. 139 . one f u n d a m e n t a l concept hold true: If the proxy does not h a v e a service for the traffic that y o u are trying to m a n a g e . y o u need to enable the default proxy service to ensure that P2P traffic is detected. 
P2P traffic will be detected on p o r t 80.4 : D e p l o y m e n t o p t i o n s f o r P2P d e t e c t i o n A successful Blue Coat SG d e p l o y m e n t goes h a n d in h a n d w i t h appropriate firewall policies. P2P traffic can be monitored a n d blocked. Both configurations g u a r a n t e e that all o u t b o u n d traffic is inspected by the Blue Coat SG. y o u do not need the default proxy service. in particular. If y o u d e p l o y the Blue Coat SG in bridging m o d e a n d the firewall allows all o u t b o u n d traffic. They also g u a r a n t e e that p r o p e r policies are applied to the traffic.Chapter 14: Managing Peer-to-Peer Traffic Sample Deployment F i r e w a l l a l l o w s all o u t b o u n d t r a f f i c Firewall allows o u t b o u n d traffic only for the ports controlled by Blue Coat SG Slide 1 4 . No m a t t e r h o w y o u h a v e d e p l o y e d Blue Coat SG. no action can be performed. If y o u d e p l o y the Blue Coat SG in bridging m o d e a n d the firewall allows only port 80 a n d 443 traffic o u t b o u n d . while a VCR can be u s e d to illegally duplicate movies.000 a n d be s e n t e n c e d to five years in prison. 140 . which is not specifically designed to violate copyright laws. a n d advertised the n e t w o r k w i t h the p r i m a r y intention of illegally distributing c o p y r i g h t e d material. w h i c h can be u s e d to infringe on copyright. against the actual e n d users.S.Blue Coat Educational Services — BCCPA Course v 1. that the o w n e r a n d operators of the P2P n e t w o r k targeted.S. as long as the p r i m a r y scope a n d use of such a technology are not illegal. The mere possession of illegally o b t a i n e d copyrighted material is a crime in the U. S u p r e m e C o u r t ruling ( k n o w n as the Betamax case) established that a technology. For instance. as it successfully did. Grokster. designed.S. .Operators of P2P networks are liable for copyright infringement by the users . Ltd. 
M G M h a d to prove. Universal Studios . is legal even such use is possible Slide 1 4 . Based on the 1984 ruling. m a y be e x t e n d e d to the users of a P2P n e t w o r k . The 1984 U. Violators can be fined up to $250.June 2005 . vs. is legal. both of w h i c h are legal. The court ruling a n d other relevant legislation in the U. the p r i m a r y objective of its m a n u f a c t u r e — a n d that of most users — is to w a t c h movies a n d record TV p r o g r a m s .5 : Legal i m p l i c a t i o n s of P2P use P2P n e t w o r k s h a v e been so w i d e l y u s e d to illegally deliver c o p y r i g h t e d material that big c o m p a n i e s like M G M a n d Sony ( n o w o n e c o m p a n y ) h a v e taken legal action against n e t w o r k o p e r a t o r s a n d .The intent of the network needs to be the promotion of the distribution of copyrighted material • Sony Corporation vs. at times.A technology.1 Legal Implications of P2P Use • MGM Studios Inc.1984 .7. That's because users w h o can't access a site m a y think a n e t w o r k problem has occurred a n d m a k e u n n e c e s s a r y calls to y o u r organization's help desk. particularly w h e n y o u block access to certain types of content. Notifying users a b o u t policy w h e n they u s e the Internet is a g o o d practice.Chapter 15: Notify User Policy The Blue Coat® SG™ can do m o r e than let y o u control users' Internet activities. 141 . The rest of this c h a p t e r introduces the different kinds of notification pages a n d briefly explains h o w they are created. It also allows y o u to explain y o u r o r g a n i z a t i o n ' s Internet usage policies clearly a n d at the most effective time — w h e n users try to access questionable or forbidden pages. y o u can p r e v e n t that p r o b l e m by creating c u s t o m notification pages. Even if y o u install content-filtering software a n d write strict Internet u s a g e policy. 
These pages a p p e a r in users' b r o w s e r s a n d tell t h e m w h y access to certain sites is forbidden or w h y access to other sites is officially d i s c o u r a g e d even if it is allowed. The Blue Coat SG o p e r a t i n g s y s t e m allows administrators to create notification pages t h r o u g h the Visual Policy M a n a g e r (VPM) instead of requiring t h e m to write a d v a n c e d Content Policy L a n g u a g e (CPL). However. y o u m a y not see a gain in productivity unless y o u also tell users w h y they can't v i e w s o m e Web pages. a n d c u s t o m p a g e s i n greater detail.1: Notification Page Types Exception Splash Coaching Every time users try to access site Blocked To inform users t h a t access is d e n i e d To r e m i n d users of Internet usage policy To inform users t h a t access is officially p r o h i b i t e d although not blocked Once.Dead end * Splash page . s p l a s h . T h e table b e l o w p r e s e n t s t h e basic i n f o r m a t i o n a b o u t each k i n d of p a g e . 142 .Blue Coat Educational Services — BCCPA Course v 1.1 Notification Types • Exception page .1 : The t h r e e types of user n o t i f i c a t i o n pages A d m i n i s t r a t o r s can u s e t h r e e different k i n d s of notification p a g e s to inform u s e r s of their o r g a n i z a t i o n ' s policies.Show once 8 Coaching page . Table 15.Option to continue Slide 1 5 . Each h a s a different p u r p o s e . often each t i m e u s e r s A l l o w e d launch b r o w s e r Every t i m e users try to access site A l l o w e d after w a r n i n g T h e following t h r e e p a g e s discuss exception.7. You also can use H T M L or JavaScript® code in writing the page or a d d links to external resources.Notify user that access has been denied . Be a w a r e that if a user-defined exception is referenced by policy. a n d y o u c a n n o t create n e w built-in exceptions. In a user-defined exception page. 143 . 
detailed message t h a n the ones contained in the built-in exception pages. it cannot be deleted.Can be customized (better create user-defined ones) • User-defined . or music d o w n l o a d i n g — is blocked.Can include any HTML or JavaScript code . y o u can write a m o r e specific. Built-in exceptions s e n d information back to users w h e n certain conditions occur. however.Can link external resources (images) Slide 1 5 . such as i m a g e s .2 : Exception page details The Blue Coat SG allows y o u to return t w o different kinds of exception pages: built-in a n d user-defined pages.Chapter 15: Notify User Policy Exception Page • Built-in .Notify user of network or appliance errors .User-defined to send more specific message . built-in exceptions cannot be deleted. Built-in exception pages can be customized. y o u can create y o u r o w n exception pages. Both can tell users that access to a certain site or category of sites — s u c h as adult. However. g a m b l i n g . such as w h e n a request is contrary to policy. 7. W h e n s p l a s h pages appear. users are not p r e v e n t e d from accessing a n y Web sites or other resources. u s e r s can access the site they w a n t by t y p i n g in the URL or selecting a b o o k m a r k as usual.3 : Splash page details Splash p a g e s can be u s e d to deliver a n y m e s s a g e to users.Network outages . T h e y often notify users of an o r g a n i z a t i o n ' s Acceptable U s a g e Policy (AUP) for the Internet or inform t h e m of an event.1 Splash Page • Used to notify users . s u c h as a p l a n n e d n e t w o r k outage. If the splash p a g e a p p e a r s w h e n the b r o w s e r o p e n s .Blue Coat Educational Services — BCCPA Course v 1. a splash p a g e reminds users that an A U P could a p p e a r each time they l a u n c h their browsers. Splash p a g e s generally a p p e a r at a specific time. 144 .Any global or user-specific message • After page is displayed. 
they can access the site they r e q u e s t e d by clicking the reload b u t t o n on their b r o w s e r s . If the p a g e a p p e a r s w h e n u s e r s t y p e in a URL.Company AUP . user can access the requested sites Slide 1 5 . For instance. 145 . the coaching p a g e also offers a link to the resource a l o n g w i t h a w a r n i n g that users' activity will be m o n i t o r e d a n d reported. For instance. You m a y find it useful to use both exception a n d coaching pages. W h e n users see a coaching page. they are informed that their organization's policy prohibits t h e m from v i e w i n g certain content. the default is 10 minutes. y o u m a y w a n t to block users from a d u l t sites a n d return exception pages w h e n they try to access them.t h r o u g h pages or features. However. Coaching pages are sometimes called b u r n .4 : Coaching page details Coaching pages h a v e a d u a l p u r p o s e : T h e y notify users that a Web site or other resource is forbidden and they also allow users to access it. You m a y w a n t to d i s c o u r a g e traffic to travel or Web e-mail sites a n d return coaching pages w h e n users a t t e m p t to v i e w them. Access to the resource is allowed only temporarily.Chapter 15: Notify User Policy Coaching Page • Used for sites that should be blocked • User needs to click on a link to access the requested resource • Known also as burn-through feature Slide 1 5 . Blue Coat Educational Services — BCCPA Course v 1.1 146 .7. Each time a u s e r requests a resource.These logs a n d reports g e n e r a t e d from t h e m can be m a d e available in real-time or on a s c h e d u l e d basis. Access logging gives c o m p a n i e s the ability to audit all traffic for both external a n d internal content requests. Blue Coat SG can create access logs for the traffic that flows t h r o u g h the system. reporting tools such as Blue Coat Reporter can be used to analyze log files. 
ELFF is the default log file format on Blue Coat SG. The access logs can be directed to one or more log facilities. 147 . the proxy saves information a b o u t that request to a file for later analysis. In a d d i t i o n to Web policy m a n a g e m e n t . a n d Web content virus scanning. the Blue Coat SG can create access logs for each H T T P request from the client. FTP or one of several vendor specific protocols. companies can i m p l e m e n t m o n i t o r i n g schemes t h r o u g h the access logging feature.The information t h u s stored is called a log.Once u p l o a d e d .Chapter 16: Access Logging Chapter 16: Access Logging Access logging allows y o u to track traffic for the entire n e t w o r k or specific information on u s e r or d e p a r t m e n t u s a g e patterns. Each protocol on the Blue Coat SG can create an access log at the e n d of the transaction for that protocol. T h e u p l o a d s can take place using HTTP. w h i c h associates the logs with their configured log formats a n d u p l o a d schedules.For example. content filtering. Data stored in log facilities can be automatically u p l o a d e d to a r e m o t e location for analysis a n d archival p u r p o s e s . Most Web servers s u p p o r t the C o m m o n Logfile Format (CLF) a n d the Extended Log File Format (ELFF). Access logs t h u s g e n e r a t e d can be u p l o a d e d to a remote server a n d then be analyzed u s i n g Blue Coat Reporter for generating reports.1 : Access l o g g i n g Access logging helps y o u to track Web u s a g e for the entire n e t w o r k or specific information on u s e r or for d e p a r t m e n t u s a g e p a t t e r n s .1 Access Logging • Track Web usage for . Blue Coat SG creates access logs for all traffic flowing t h r o u g h the system.entire network . created t h r o u g h the V P M or CPL. Slide 1 6 . 
to anticipate a n d resolve potential p r o b l e m s before they result in p o o r performance or failure.department usage patterns. 148 . are m a n a g e d by policies.specific information on user .7. Each n e t w o r k protocol can create an access log record at t h e e n d of each transaction. each containing a single logical file a n d s u p p o r t i n g log format. Blue Coat SG s u p p o r t s access logging to help y o u m o n i t o r Web u s a g e . T h e access logs.Blue Coat Educational Services — BCCPA Course v 1. M o n i t o r i n g allows y o u to detect a n d r e m e d y failures a n d w h e n d o n e pro actively. • Blue Coat SG creates access logs for each type of protocol. 3. 4. or the content is served from the cache. 5. 6.Chapter 16: Access Logging Access Logging Slide 1 6 . The Blue Coat SG s e n d s the response back to the client. Note: 149 . Various steps that go b e h i n d the creation of an access log are: 1. If the connection is d e n i e d . The Blue Coat SG t h e n s e n d s in this request to the Origin Content Server. The Blue Coat SG records this transaction a n d saves it to its disk. 2.These records are stored in the Blue Coat SG's disk a n d can be m a d e available for analysis later. An access log record is created only after the transaction is complete. Steps 2 a n d 3 are completed by the proxy.2 : Log creation Access logs contain data a b o u t u s e r requests a n d the c o r r e s p o n d i n g response from the w e b servers. The client s e n d s in a request for a resource. An access log for this entire transaction is created after the client receives the response from the Blue Coat SG. The Origin Content Server replies w i t h a response to the Blue Coat SG. 3 : Protocols supporting access logging Blue Coat SG creates access logs for all traffic flowing t h r o u g h the system. each protocol can create an access log at the e n d of each transaction for that protocol. In fact. 
For example.Blue Coat Educational Services — BCCPA Course v 1.1 Protocols supporting access logging v' Endpoint Mapper Proxy s Peer-to-Peer( P2P) s Real Media/Quick time S SOCKS v'SSL S FTP • HTTP s HTTPS Forward Proxy HTTPS Reverse Proxy • ICP ^ Instant Messaging (IM) ^ TCP Tunnel ^ Telnet s Windows Media Slide 1 6 . 150 .7. an access log can be created for each H T T P r e q u e s t t h r o u g h the system. Old logs are converted to the main log format. But. You can globally enable or disable access logging.4 : .Protocols and d e f a u l t logs in Blue Coat SG You can associate a log w i t h a protocol at a n y point of time. You can log a single transaction to multiple log facilities t h r o u g h a global configuration setting for the protocol that can be modified on a per-transaction basis t h r o u g h policy. If y o u h a v e u p g r a d e d from a previous version of SGOS. that policy will override a n y settings that y o u m a k e . If access logging is disabled. The above slide s h o w s the default log association for different protocols in the Blue Coat SG. Multiple access log facilities are s u p p o r t e d in Blue Coat SG. Certain protocols like ICP a n d SOCKS do not h a v e a n y logging.SOCKS s no logging </ im y Default Log S main s Instant Messaging s Peer-to-Peer s Multimedia Streaming v SSL. connection information is sent to the default log facility for the service. if you have a policy that defines protocol a n d log association. HTTPS p2p s streaming •s ssl Slide 1 6 . logging is t u r n e d off for all log objects. 151 . a l t h o u g h each access log s u p p o r t s a single log format. s o m e protocols might already be associated w i t h a specific log format.Chapter 16: Access Logging Protocols and Default Logs Protocol •y Endpoint Mapper •/ FTP • HTTP •/ TCP Tunnel J Telnet J HTTPS Reverse proxy • ICP. Once globally enabled. y o u essentially need to take the following steps: 1. the Blue Coat SG periodically creates a n e w log file. 
3. Especially w i t h a b u s y site. 5. the t i m e at w h i c h the access log is u p l o a d e d . rotation s c h e d u l e a n d general settings.1 Log Facility Slide 1 6 . To create a log facility. logs can g r o w quickly a n d b e c o m e too big for easy analysis.5 : Understanding a log facility A log facility is a s e p a r a t e log that contains a single logical file that s u p p o r t s a single log format. a n d the p o i n t at w h i c h the facility can be u p l o a d e d etc.7.The facility contains the file's configuration a n d u p l o a d schedule information. s u c h as h o w often to rotate the logs at the destination. 152 . With log rotation. the t i m e b e t w e e n connection a t t e m p t s .a s well as o t h e r configurable information. 2. a n d the protocol that is used. the time between keep-alive packets. T h e U p l o a d Schedule allows y o u to configure the frequency of the access logging u p l o a d to a remote server.Blue Coat Educational Services — BCCPA Course v 1. Log rotation helps prevent logs from g r o w i n g excessively large. 4. Create a log format (only if y o u use a c u s t o m format) Create a log n a m e a n d assign a format Assign a log to a protocol Configure the u p l o a d client Configure the u p l o a d schedule. a n d archives the older one w i t h o u t d i s t u r b i n g the current logfile. 6 : . a n d general e n o u g h to be used for any protocol • • • • SmartReporter SurfControl. 153 .Supported log formats in Blue Coat SG Every access log created. defined by W3C.The log format is specified u s i n g a set of format strings. Slide 1 6 . You can create additional log formats using ELFF or custom format strings. a p r o p r i e t a r y log format compatible w i t h the WebSense Reporter tool BC ReporterMain.SurfControl . a proprietary log format compatible w i t h Blue Coat Reporter tool Blue Coat SG can create access logs w i t h a n y one of the above available log formats.ELFF . 
The log format is highly configurable.SQUID Compatible .BC ReporterSSL • Custom log formats Create your own log format using format strings. a proprietary log format compatible w i t h the SurfControl Reporter tool WebSense. Available log formats are: • • N C S A C o m m o n log format. designed specifically for cache statistics Extended Log File Format(ELFF).Chapter 16: Access Logging Supported Log Formats • Available log formats NCSA Common .Websense .Smart Reporter . uses a specific log format for logging the transaction. containing only basic H T T P access information SQUID compatible format. The ELFF format strings are extended version of the C o m m o n log format a n d allow y o u to h a v e more control over the data recorded.BC ReporterMain . the default u p l o a d client • • • HTTP client C u s t o m client Websense client The C u s t o m client can be u s e d for special circumstances. D u r i n g the u p l o a d i n g process. g z i p . Signing is s u p p o r t e d for b o t h content t y p e s — text a n d g z i p — a n d for both u p l o a d t y p e s — c o n t i n u o u s a n d periodic. If the log is both signed a n d encrypted.Blue Coat Educational Services — BCCPA Course v 1. A t t e m p t i n g to verify an e n c r y p t e d file fails.sig extension. The signature file has the s a m e n a m e as the access log file but w i t h a .7 : Access Log Upload Blue Coat SG has the capabilities to u p l o a d the access logs to a remote server u s i n g different types of u p l o a d clients. m e a n i n g that the signature is calculated on the u n e n c r y p t e d version of the file. 154 . or filename. log. You can digitally sign y o u r access log files w i t h or w i t h o u t encryption.1 Upload Logs Slide 1 6 . the access logs can be digitally signed a n d e n c r y p t e d for security. You m u s t d e c r y p t the log file before verifying the file. s i g . log. filename. 
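As an added example (not the appliance's own code) of the ordering rule just described: the log is signed before it is encrypted, the .sig file carries the log's full name, and verifying the bytes as received fails for an encrypted log until they are decrypted. HMAC-SHA256 and a SHA-256 counter-mode keystream are constructed stand-ins for the appliance's certificate-based signature and its encryption, and the keys and log content are constructed as well.

```python
import hashlib
import hmac
import os

# Added example, not appliance code. HMAC-SHA256 stands in for the
# appliance's certificate-based signature and a SHA-256 counter-mode
# keystream stands in for its encryption; both keys are constructed.
# Only the page's ordering rule is demonstrated: sign the plaintext
# first, encrypt second, and decrypt before verifying.
SIGNING_KEY = b"constructed-signing-key"
ENCRYPTION_KEY = b"constructed-encryption-key"
NONCE_LEN = 16


def sig_name(log_name: str) -> str:
    """The signature file keeps the log's full name and adds .sig
    (filename.log.sig or filename.log.gzip.sig)."""
    return log_name + ".sig"


def sign(data: bytes, key: bytes = SIGNING_KEY) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(data: bytes, signature: bytes, key: bytes = SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(data, key), signature)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Constructed stream cipher: SHA-256 over key, nonce and a counter."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes = ENCRYPTION_KEY) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, ks))


def decrypt(blob: bytes, key: bytes = ENCRYPTION_KEY) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


def prepare_upload(log_name: str, data: bytes, encrypt_log: bool) -> dict:
    """Build the two files an upload client would send: the (possibly
    encrypted) log and its .sig file. The signature is always computed
    over the unencrypted bytes, before any encryption."""
    files = {sig_name(log_name): sign(data)}
    files[log_name] = encrypt(data) if encrypt_log else data
    return files


def verify_upload(files: dict, log_name: str, encrypted: bool) -> tuple:
    """Return (verified_as_received, verified_after_decrypt).
    For an encrypted log the first value is False: the bytes on the
    wire are not the bytes that were signed."""
    signature = files[sig_name(log_name)]
    received = files[log_name]
    as_received = verify(received, signature)
    plaintext = decrypt(received) if encrypted else received
    return as_received, verify(plaintext, signature)


if __name__ == "__main__":
    # Constructed log content; the name follows the page's gzip naming.
    log = b"2018-04-02 09:00:01 10.0.0.5 alice GET intranet.example.invalid 200\n"
    uploaded = prepare_upload("main.log.gzip", log, encrypt_log=True)
    print(sorted(uploaded))                                # ['main.log.gzip', 'main.log.gzip.sig']
    print(verify_upload(uploaded, "main.log.gzip", True))  # (False, True)
```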
All four of the above-mentioned upload clients can be configured, but only the selected client is used; only one upload client can be used by the Blue Coat SG at any one time. If you use Blue Coat Reporter for analyzing the access logs, you need to decrypt the access logs before loading them into the database.

Continuous Upload

Slide 16.8: Continuous Upload

Under continuous uploading, the Blue Coat SG continuously streams new access log entries to the remote server from its memory. In this context, streaming refers to the real-time transmission of access log files using a specified upload client. When you configure your Blue Coat SG for continuous uploading, it continues to upload until you stop it.

Continuous uploading allows you to:
• View the latest log information almost immediately
• Send log information to a log analysis tool for real-time processing and reporting
• Maintain Blue Coat SG performance by sending log information to the remote server
• Save Blue Coat SG disk space by saving log information on the remote server

Continuous uploading can send log information from a Blue Coat SG farm to a single log analysis tool. This allows you to treat multiple Blue Coat SG appliances as a single entity and to review combined information from a single log file or series of related log files.

If the remote server is unavailable to receive continuous upload log entries, the Blue Coat SG saves the log information on its disk. When the remote server is available again, the appliance resumes continuous uploading.

To stop continuous uploading, switch to periodic uploading temporarily. This is sometimes required for gzip or encrypted files, which must stop uploading before you can view them.

Periodic Upload

Slide 16.9: Periodic Upload

The Blue Coat SG allows you to upload access log files periodically to a remote server, say once a day or at specific time intervals. With periodic uploading, the Blue Coat SG transmits log entries on a scheduled basis. The log entries are all batched, saved to disk, and then uploaded to a remote server at a particular time. The upload schedule feature of the Blue Coat SG allows you to configure the frequency of the access logging upload, the time at which the log is uploaded, the time between connection attempts, etc.

Periodic uploading is advised when you do not need to analyze the log entries in real time. If you would like to analyze the log data in real time, continuous upload using text format is advised.

Log File Encoding

Slide 16.10: Log file encoding

The Blue Coat SG allows you to upload either compressed access logs or plain text access logs to the remote server. The Blue Coat SG uses the GZIP format to upload compressed access logs. Compressed log files have the extension .log.gz; plain text access logs have the extension .log.

GZIP-compressed files allow more log entries to be stored on the Blue Coat SG. Some of the advantages of file compression are:
• Reduces the time and resources used to produce a log file, because fewer disk writes are required for each megabyte of log-entry text
• Uses less bandwidth when the Blue Coat SG sends access logs to an upload server
• Requires less disk space

Compressed access logs are best uploaded during a periodic or scheduled upload. Text log files are best suited for continuous upload to a remote server.

Chapter 17: Introduction to Reporter

Blue Coat SG access logs help you monitor activity on a network. The Blue Coat SG records data about every transaction that passes through it, creating comprehensive logs. However, Blue Coat's Reporter provides a solution: the advanced application makes it easy to analyze log files from one or more Blue Coat SG appliances. Reporter then allows organizations to create pre-defined or custom reports through an easy-to-use Web interface or through a command line.

An organization can use these reports to:
• Identify violators of Web access policies
• Track user activity that could bring viruses, spyware, and other hazardous content into the network
• Conserve network resources by identifying abuse patterns
• Set new policy or plan network improvements by studying Web use patterns and trends

Reporter provides these benefits by working seamlessly with the Blue Coat SG and helps to maintain a compliant Web environment. This chapter introduces Reporter and the benefits it offers.
extracting information from e n o r m o u s log files can be a t e d i o u s a n d time-consuming task. enabling organizations to m a n a g e n e t w o r k resources more effectively. h o w it w o r k s . It also discusses the different versions available. To preserve n e t w o r k a n d u s e r productivity. c o m p a n i e s need: • • • • K n o w l e d g e of w h a t sites users access a n d w h a t content the sites contain A w a r e n e s s of s p y w a r e a n d m a l w a r e m a s k e d by Web content Identification of i n d i v i d u a l users a n d their activities on the n e t w o r k M e t h o d s for customizing. a log reader a n d a log parser. You t h e n access Reporter t h r o u g h a Web b r o w s e r a n d use g r a p h i c a l interface to generate. You m u s t install HTTP or FTP server software in order to take a d v a n t a g e of these u p l o a d options.7. It includes a p r o p r i e t a r y Web server.Blue Coat Educational Services — BCCPA Course v 1. 160 . or a direct link to the Blue Coat SG. You can choose o n e of several m e t h o d s — FTP.1 : From access logs to r e p o r t s R e p o r t e r is a self-contained application that analyzes Blue Coat SG access logs from one or m u l t i p l e appliances. I n s t e a d of u p l o a d i n g the access log files. display. y o u can copy t h e m o n t o the Reporter server. y o u configure y o u r Blue Coat SG appliances to u p l o a d their access log files to the Reporter server. In a typical d e p l o y m e n t . Note: Be a w a r e that Reporter natively s u p p o r t s only a direct link to the Blue Coat SG. The m e t h o d y o u choose d e p e n d s on the t y p e of d a t a a n d report y o u w a n t to generate. a n d c u s t o m i z e reports. an internal database.1 Reporter Deployment Slide 1 7 . HTTP. a q u e r y engine. m i n u t e w i n d o w on n e t w o r k activity.In Excel-compatible format Slide 1 7 . 
Generate a report on a particular g r o u p ' s Web u s a g e every Friday at 6 p.150+ pre-defined reports available .s e p a r a t e d v a l u e (xsv) text files.t o . The application allows y o u to generate m o r e t h a n 150 pre-defined reports. including: • N e t w o r k traffic • C a t e g o r y of content (including P2P a n d IM) • Protocols • User a n d / o r g r o u p activity • • • • S p y w a r e a n d viruses Time a n d d u r a t i o n of activity Cost of a resource in bytes or time taken Details of u s e r s ' Web sessions Reporter is d e s i g n e d to meet the r e q u i r e m e n t s of m a n a g e r s t h r o u g h o u t an organization — h u m a n resources a n d business m a n a g e r s as w e l l as n e t w o r k a d m i n i s t r a t o r s a n d IT professionals.2 : Reports can be scheduled and exported Reporter can create reports on a w i d e range of data. which can be v i e w e d and modified in Microsoft Excel® 161 . identifying the most active users on a network.Chapter 17: Introduction to Reporter Reporter Functions • Generating reports on a wide range of data .m. a n d schedule other key tasks. such as 30 days. For example. s c h e d u l e it to r u n periodically. Reporter also p r o v i d e s t w o m e t h o d s for exporting reports: • As c o m m a . Reporter allows y o u to generate a report once. or s h o w i n g which viruses the n e t w o r k has been exposed to. periodically. For instance. Expire d a t a from a database once the d a t a reaches a certain age. y o u can generate reports in real time. You also can create c u s t o m reports t h r o u g h a variety of m e t h o d s that will be discussed later in this chapter.At a specific time.In HTML by scheduled e-mails . In addition. y o u can generate pre-defined reports giving a s n a p s h o t of Web traffic at a particular time. y o u can: • • • R u n a report on blocked s p y w a r e before a t t e n d i n g a meeting. 
displaying user activity by risk g r o u p category.t h e . p r o v i d e d that y o u establish a direct link to the Blue Coat SG a n d configure the a p p l i a n c e to u p l o a d log data continuously. This feature t u r n s the application's Web interface into an u p .Reports can be customized 8 Scheduling reports . or in real time 8 Exporting reports . 1 • In H T M L format. 162 . also allows y o u g e n e r a t e reports as PDF-friendly files. u s i n g R e p o r t e r ' s s c h e d u l i n g features to e-mail reports at a specific t i m e or periodically Reporter.Blue Coat Educational Services — BCCPA Course v 1.7. T h e s e files can be converted to P D F format by uses w h o h a v e PDF-creation software installed on their c o m p u t e r s . t h r o u g h its s c h e d u l i n g features. Reporter displays the report in the form of an H T M L page. Reporter builds a database for that profile a n d creates a report derived from the d a t a in the database. The profile. the m a n a g e r of a h u m a n resources d e p a r t m e n t m a y be able to view reports on w h i c h categories of content users are accessing. Slide 17-3 s h o w s the relationship b e t w e e n a profile.3 : Profiles allow y o u to create databases and run reports The profile is the m o s t i m p o r t a n t concept to u n d e r s t a n d before y o u can use Reporter effectively. an a d m i n i s t r a t o r can use different profiles to p r o v i d e users access only to reports they need. For instance. allowing t h e m to generate reports from the profiles. in addition to the settings. An a d m i n i s t r a t o r can associate users w i t h certain profiles. and users.Chapter 17: Introduction to Reporter Profiles Slide 1 7 . includes the database created w i t h the settings. location. A profile is a collection of settings that allow y o u to create a database from access log files a n d to generate reports from those files. 
The Blue Coat SG u p l o a d s the log files to the Reporter server. a n d format of the log file. w h i c h can be v i e w e d only by m e m b e r s of the IT team. W h e n a u s e r requests a report. access log. But the m a n a g e r m a y not be able to view reports on response codes generated by users' requests. database. The Reporter administrator creates a profile. 163 . Because each profile can be u n i q u e . The most i m p o r t a n t settings are the name. S u p p o r t fewer pre-defined reports than v8 profiles S u p p o r t log filters a n d a d v a n c e d report filters S u p p o r t profiles created in Reporter 7. a n d s t r e a m i n g — a n d w i t h Squid log formats. Also w o r k w i t h m a i n log files if y o u prefer v7 profile reports or need to a p p l y log filters or a d v a n c e d report filters.7. V8 Profiles Work w i t h Blue Coat SG m a i n format log files • • • • S u p p o r t a w i d e variety of pre-defined reports S u p p o r t direct links to Blue Coat SGs. instant messaging. Your selection d e p e n d s on the t y p e of d a t a y o u w a n t to analyze.Work with all Blue Coat SG ELFF and Squid formats and with Blue Coat SG main log files . real-time reporting • v7 profiles . a n d the degree of customization y o u r reports require.Blue Coat Educational Services — BCCPA Course v 1. v8 a n d v7. the size of the log file.1 Profile Selection Depends on data and reporting needs ® v8 profiles . the format of t h e log file. allowing the creation of reports in real time Do not s u p p o r t log filters or a d v a n c e d report filters Works w i t h large d a t a sets V7 Profiles • Work w i t h all Blue Coat SG ELFF formats — including peer-to-peer.x (All Reporter 7.1. so do not allow creation of reports in real time Works w i t h smaller d a t a sets • 164 .but allow greater customization Slide 1 7 .Support many pre-defined reports. 
w h i c h y o u create t h r o u g h a profile w i z a r d .Work with Blue Coat SG main log files .4 : Profile selection R e p o r t e r 8 s u p p o r t s t w o t y p e s of profiles.3 functions available via v7 profiles) • • Do not s u p p o r t direct links to Blue Coat SGs.Support fewer pre-defined reports . 000 lines p e r second. s u c h as image files.5 : Enhanced performance in Reporter 8 Reporter 8 offers behind-the-interface changes that i m p r o v e the application's log processing a n d database expiration performance c o m p a r e d w i t h p r e v i o u s versions.Saves disk space Slide 1 7 . Database and Parser for v8 Profiles The database a n d parser for v8 profiles can h a n d l e very large access log files. i m p r o v i n g report-generation performance. The p a r s e r ' s log reading rate is 62.3.) The resulting d a t a b a s e entry inherits all its fields from the p a g e view entry. w h i c h can be selected from within the D a s h b o a r d feature in v8 reports. c o m p a r e d w i t h 16. Resulting d a t a b a s e records more closely represent user b r o w s i n g activity because each object is not c o u n t e d as a separate entry. Page View Combiner Usage reports. Also g e n e r a t e d are hits. 165 . The PVC p r o v i d e s the following benefits: • • It reduces the n u m b e r of database entries from the original log file. the time required to expire data from a database has been r e d u c e d from h o u r s to seconds. the total n u m b e r of original log entries that are i n c l u d e d in this database record. The PVC takes a p a g e view a n d a d d s all helper objects referred to by the p a g e view. For large data sets. a n d the counter fields are a c c u m u l a t e d across all related entries.000 lines per second in Reporter 7. 
(The Dashboard is discussed later in this chapter.Reduces time needed to process large amounts of data .Chapter 17: Introduction to Reporter Enhanced Performance • New database and parser for v8 profiles . e m p l o y the Page View C o m b i n e r (PVC) to aggregate data.1.Log processing is 300% faster than in Reporter 7 • Page view combiner (PVC) . 1 Standard v. Reporter software can be d o w n l o a d e d from the Blue Coat Web site a n d operates by default in S t a n d a r d m o d e .Blue Coat Educational Services — BCCPA Course v 1. and edit Limited to five Scalability Customizing Reports Single processor Limited ability Slide 1 7 . Entreprise Modes Standard Profile Creation Enterprise Unlimited profile creation Multiple processor support Extensive ability to create. If y o u evaluate or b u y Enterprise functionality. • R e p o r t / R e p o r t M e n u Editor: The Enterprise version allows y o u to edit the report elements a n d the report m e n u . y o u can create as m a n y profiles as y o u want. T h e list below outlines the differences b e t w e e n the Enterprise a n d S t a n d a r d versions of Blue Coat Reporter: • Profiles: With the Enterprise version of Reporter. customize. w i t h the S t a n d a r d version. Multiple Processors: The Enterprise version s u p p o r t s multiple processors. No other licenses are required. except for the Blue Coat SG. the S t a n d a r d version s u p p o r t s only one processor. The S t a n d a r d version is free b u t is more limited t h a n the Enterprise version.6 : The t w o Reporter m o d e s Reporter operates in t w o m o d e s . y o u are limited to five profiles.7. the S t a n d a r d version does not. w h i c h requires a license. 166 . S t a n d a r d a n d Enterprise. y o u receive a license key to activate the Enterprise m o d e . m e m o r y a n d storage. The first time y o u access Reporter. 
they also grant non-administrators read-only access to profiles a n d the ability to run reports t h r o u g h those profiles.7 : Reporter r e q u i r e m e n t s and setup Because Reporter processes very large access log files.Windows XP Pro. V7 Profiles Reporter can fetch log files for v7 profiles from: • • • An FTP server An HTTP s e r v e r A local folder If y o u w a n t to u s e v7 profiles. p d f ) .0 or the Firefox® Web browser. y o u access the application from a client c o m p u t e r t h r o u g h the Internet Explorer® 6. The m e t h o d y o u choose d e p e n d s on w h e t h e r y o u plan to w o r k w i t h v7 or v8 profiles. 167 . b l u e c o a t . 2003 Server for Windows or Red Hat Enterprise . Only administrators can create or edit profiles a n d reports. 2003 Server for W i n d o w s . or copy the files to the Reporter server.Chapter 17: Introduction to Reporter Requirements and Setup • Install Reporter on dedicated hardware . it s h o u l d always be installed on h a r d w a r e dedicated to its sole use. configure the Blue Coat SG to u p l o a d access log files via FTP or HTTP.Direct link for continuous uploads (v8) Slide 1 7 . The g u i d e r e c o m m e n d s m i n i m u m h a r d w a r e specifications based on the n u m b e r of users being proxied a n d the v o l u m e of logs to be stored in the Reporter database. Once Reporter is installed on y o u r network.FTP or copying files to server (v7 and v8) . Reporter can r u n on any c o m p u t e r r u n n i n g W i n d o w s ® XP Pro. You also m u s t transfer log files to a location from w h e r e Reporter can retrieve them.HTTP (v7) . Some r e c o m m e n d a t i o n s are discussed later in this chapter. y o u will be p r o m p t e d to create an a d m i n i s t r a t o r u s e r n a m e a n d p a s s w o r d . or Red Hat® Enterprise Linux (ES or AS) — p r o v i d e d that the c o m p u t e r has e n o u g h processing power. 
c o m / p r o d u c t s / r e p o r t e r / R e p o r t e r S i z i n g G u i d e .Follow Configuration and Sizing Guide • Access Reporter via a Web browser • Configure Blue Coat SGs to upload log files . y o u s h o u l d consult the Configuration and Sizing Guide on the Blue Coat Web site ( h t t p : / / w w w . If y o u plan to install Reporter. Blue Coat Educational Services — BCCPA Course v 1. H T T P server. customize. a n d s c h e d u l e reports. configure the Blue Coat SG to u p l o a d access log files via FTP. establish a direct link b e t w e e n the Blue Coat SG a n d Reporter. Reporter requires y o u to specify the log file location. y o u u s e R e p o r t e r ' s Web interface to create profiles a n d generate. To u s e v8 profiles. You can specify only an FTP server. 168 .1 V8 Profiles Reporter can retrieve log files for v8 profiles from: • • • An FTP server A direct link to the Blue Coat SG A local folder. Once y o u h a v e installed Reporter a n d transferred y o u r log files. or a local file w h e n y o u create a v8 profile. or local file w h e n y o u create a v7 profile. or c o p y log files to the Reporter server.7. y o u can specify only an FTP server. W h e n e v e r y o u create a v7 or v8 profile. direct link to a Blue Coat SG. d o w n m e n u in the top right of the page. is u s e d to generate reports.8 : The Dashboard for v8 profile reports Reports are H T M L pages that display w i t h i n y o u r Web browser." or focus on specific information. click the Show Reports link for that profile a n d then. y o u choose m i n i a t u r e reports to display from the Choose a Report d r o p . Pre-Defined Reports Reporter 8 features m o r e than 150 different pre-defined reports. or s o m e other element of n e t w o r k use. The b r o w s e r displays the list of available pre-defined reports in the left navigation area a n d an O v e r v i e w report in the central frame. v8 or v7. 
The browser displays the list of pre-defined reports in the left navigation area a n d filter options in the central frame. To access the pre-defined report m e n u for a v8 profile. Others call t h e m top 10 reports because m a n y of t h e m focus on top users.Chapter 17: Introduction to Reporter Viewing Reports Slide 1 7 . To use the D a s h b o a r d . You can then click on links within the report to "drill down. W h e n y o u generate a report created w i t h v7 profiles. Note: The D a s h b o a r d is not available for reports created w i t h v7 profiles. URLs. click the Show Reports link for that profile. Each w i n d o w contains a link that y o u can click in o r d e r to display the full report. an O v e r v i e w Report instead of the D a s h b o a r d a p p e a r s by default in the central frame of the browser page. after the D a s h b o a r d a p p e a r s . The reports a p p e a r in individual w i n d o w s as s h o w n in Slide 17-8. 169 . To access the pre-defined report m e n u for a v7 profile. The D a s h b o a r d displays automatically after y o u choose a v8 profile a n d then click the Show Reports link on the Profiles page. Report options differ d e p e n d i n g on w h i c h profile. a browser page that allows y o u to view s i m u l t a n e o u s l y up to 16 u n i q u e m i n i a t u r e reports created with v8 profiles. A striking feature of Reporter 8 is the D a s h b o a r d . Some users call the miniature reports widgets. categories. click the Reports tab at the top of the page. Blue Coat Educational Services — BCCPA Course v 1.7. bear in m i n d that D a s h b o a r d reports a n d pre-defined reports h a v e different uses. particularly in real time. 170 .1 Clicking on the n a m e of a pre-defined report — for either v8 or v7 profiles — displays the complete report in the browser. activity by risk g r o u p category. s c h e d u l i n g reports. 
pre-defined reports u s u a l l y c o m b i n e both high-level a n d detailed information. W h e n y o u create reports w i t h v8 profiles. security. For instance. y o u w o u l d w a n t to use a pre-defined report if y o u w a n t to list the categories of URLs that each u s e r visits in a d a y a n d h a v e that report e-mailed once a w e e k to the h u m a n resources manager. D e p e n d i n g on h o w y o u configure y o u r Blue Coat SGs a n d Reporter a n d w h i c h reports y o u select. For instance. Pre-defined reports offer options for customizing. y o u w o u l d w a n t to use a D a s h b o a r d report to learn the details of a single u s e r ' s Web activity or w a n t to find out the top categories of URLs visited. D a s h b o a r d reports are i n t e n d e d for cases w h e n y o u w a n t to investigate v e r y specific information. Real-time Reporting Reporter 8 s u p p o r t s c o n t i n u o u s u p l o a d s of access logs for reports created with the v8 profile. a n d detailed u s e r activity by d a t e or time. E x a m p l e s of pre-defined reports include traffic. They are useful for reports that need to be g e n e r a t e d a n d sent to the s a m e p e r s o n on a regular basis. However. a n d s e n d i n g t h e m by e-mail. y o u can use the D a s h b o a r d to d i s p l a y multiple real-time reports in a single interface. that is an a d v a n c e d task.. y o u can specify which numerical fields — such as bytes. a virus. . O p t i o n s w i t h i n v8 a n d v7 pre-defined reports allow y o u to specify the d a t a in a report a n d h o w it is d i s p l a y e d in a table. d o m a i n s . or a response code.9 : C u s t o m i z a t i o n o p t i o n s O n e of R e p o r t e r ' s benefits is the ability to customize reports easily t h r o u g h the Web interface.Apply filters • v7 profile setup allows you to pick numeric fields • Advanced filtering available through CLI Slide 1 7 . s u c h as URLs. 171 . 
a n d visitors — will a p p e a r in the reports generated w i t h that profile. content categories. You can a p p l y customization w h e n y o u export reports as x s v files a n d o p e n t h e m in Excel. W h e n y o u create a V7 profile. a user. Clicking on links within a report enables y o u to view detailed information about a specific report element." or get details of specific elements . p a g e views. • • Reporter a d m i n i s t r a t o r s also can create filters t h r o u g h the c o m m a n d line interface (CLI). the D a s h b o a r d allows y o u to display the s a m e report in different w a y s at the s a m e time. You also can specify a date or d a t e r a n g e a n d a p p l y filters. • For v8 profile reports.Change how data is displayed . however. y o u can then modify t h e m like a n y other Excel spreadsheet.Set date or date range .. For instance.Chapter 17: Introduction to Reporter Customizing Reports • Options within reports allow you to . y o u can display a report on top content categories by n u m b e r of p a g e v i e w s as a table next to the s a m e report in the form of a pie chart."Drill down. T h e Configuration and Sizing Guide also includes r e c o m m e n d a t i o n s for creating v8 a n d v7 profile a n d for log filtering.com/products/reporter/ReporterSizingGuide. Red Hat Linux Windows XP and 2003 Servers. The table in Slide 17-10 displays s o m e of the r e c o m m e n d e d specifications for each of the three h a r d w a r e options.8 G H z or faster) 8 GB 15K RPM/RAID 0 X25 * Total amount of compressed logs Slide 1 7 .pdf 172 . Following the r e c o m m e n d a t i o n s will help ensure that y o u achieve the best possible performance from the application. the m a x i m u m n u m b e r of d a y s of logs in the Reporter database. The n u m b e r of users being proxied ranges from fewer t h a n 1. T h e Guide is available on the Blue Coat Web site: http://www.7. 
The G u i d e ' s first r e c o m m e n d a t i o n is to choose one of three h a r d w a r e options.bluecoat. The options are b a s e d on the n u m b e r of users being proxied a n d on r e p o r t i n g d a y s .000 to m o r e than 5.1 Reporter Sizing Guide MINIMUM RECOMMENDED HARDWARE SPECIFICATIONS Available Disk Space* Options CPU 1 x P4 (2. the n u m b e r of r e p o r t i n g d a y s ranges from o n e m o n t h to three m o n t h s .8 G H z or faster) 4 GB 15K RPM/RAID 0 X25 3 4 x Xeon (2.8 GHz or faster) Xeon (2.000.1 0 : Sizing r e c o m m e n d a t i o n s f o r Reporter Blue Coat strongly r e c o m m e n d s t h a t y o u follow the r e c o m m e n d a t i o n s in the Configuration and Sizing Guide w h e n y o u install Reporter.8 GHz or faster) RAM Storage Drives OS Windows XP and 2003 Servers. Red Hat Linux Windows XP and 2003 Servers.Blue Coat Educational Services — BCCPA Course v 1. Red Hat Linux 1 2GB Internal SCSI Controller Internal DualChannel SCSI or External Fibre Channel Internal DualChannel SCSI or External Fibre Channel 15K RPM/RAID 0 X25 2 2 x Xeon (2. w o r m . These viruses can be b r o u g h t into a c o m p a n y t h r o u g h Web-based e-mail p r o g r a m s or other Web-enabled applications. T h e Blue Coat SG a n d Blue Coat AV appliances p r o v i d e the performance n e e d e d for t o d a y ' s Web e n v i r o n m e n t s . • RESPMOD: ICAP response modification m o d e . Until recently. An application p r o g r a m that accepts connections in order to service ICAP requests by s e n d i n g back responses. a surrogate acting on behalf of a user. The Blue Coat SG ICAP implementation is fully compatible w i t h Blue Coat AV. REQMOD: ICAP request modification m o d e . users w a n t to click on links in an e-mail m e s s a g e or in a Web p a g e — both of w h i c h require separate scanning. the ICAP server is the Blue Coat AV. Symantec® A n t i v i r u s Scan Engine (SAVSE) Server. 
A p r o g r a m that establishes connections to ICAP servers for the p u r p o s e of s e n d i n g requests. For instance. In Blue Coat d e p l o y m e n t s . • 173 . Trend Micro InterScan® Web Security Suite (IWSS). A Blue Coat ICAP configuration allows administrators to select the virus-scanning servers that are to be u s e d by the Blue Coat SG appliance. the ICAP client is the Blue Coat SG. ICAP server. Web AV m u s t be high-performance because users are a w a r e of a n d w a n t to access content before s c a n n i n g starts. In Blue Coat d e p l o y m e n t s . but not always. However. the URI refers to an ICAP service that performs a d a p t a t i o n s of HTTP messages. Before g o i n g into more detail a b o u t Blue Coat AV a n d ICAP. Trojan or spyware). • • ICAP resource: A n e t w o r k d a t a object or service that can be identified by a URL Unlike HTTP. The policy definition for content scanning is fully i n t e g r a t e d into the policy f r a m e w o r k a n d is defined using the either the M a n a g e m e n t Console or C o n t e n t Policy L a n g u a g e (CPL). Finjan SurfinGate™. users do not k n o w they h a v e a message until after it is scanned. Web virus s c a n n i n g solutions w e r e too slow to be practical. An ICAP client is often. a n d Webwasher®. The virus-checking capabilities are i m p l e m e n t e d t h r o u g h an offbox solution that uses the Internet Content A d a p t a t i o n Protocol (ICAP) as the c o m m u n i c a t i o n m e c h a n i s m b e t w e e n the Blue Coat SG a n d the Blue Coat AV. In traditional e-mail antivirus (AV) p r o g r a m s . ICAP client.Chapter 18: Blue Coat AV Web v i r u s s c a n n i n g is the process of p r o v i d i n g content s c a n n i n g for files infected w i t h an Internet-based threat (virus. it is i m p o r t a n t that y o u become familiar w i t h several key ICAP terms. Web content or e-mail spam with trojan or spyware . 
leaving desktops to defend themselves.

The Blue Coat AV enables organizations to scan for viruses, spyware, worms, and Trojans entering through Web-based back doors, where a majority of viruses and worms propagate, including:

• Personal Web e-mail accounts, which can activate Trojan downloads or hidden spyware
• Web spam or e-mail spam
• Browser-based file downloads that bypass existing virus-scanning defenses

Traditional Web antivirus gateways often lack scalability and performance for HTTP and FTP scanning. The Blue Coat AV, combined with the Blue Coat SG, provides scalability for virus scanning, as well as complete visibility and control of enterprise Web communications.

What is Blue Coat AV?
• Powerful defense against
  - Viruses and worms
  - Spyware and Trojans
• Protects often overlooked "back doors"
  - Personal Web e-mail accounts
  - Browser-based file downloads that bypass existing virus-scanning defenses

Slide 18-1: Blue Coat AV protection

Blue Coat AV Virus-Scanning Server
• Blue Coat AV uses ICAP to communicate with Blue Coat SG
• One Blue Coat AV can support multiple Blue Coat SGs
• Blue Coat AV supports
  - Sophos
  - McAfee
  - Kaspersky
  - Panda

Slide 18-2: Blue Coat AV details and capabilities

The Blue Coat SG and Blue Coat AV appliances communicate using an enhanced and optimized version of ICAP, which allows for easy deployment and integration. (ICAP is described in more detail in the following pages.) A single Blue Coat AV can support multiple Blue Coat SG appliances. The Blue Coat SG and the Blue Coat AV share underlying Blue Coat processes, enabling superior performance, bandwidth gains, reliability, and error/exception handling over software-based ICAP servers.

Once integrated, this solution allows for the scanning and purging of harmful viruses and other malicious code without compromising the network control, bandwidth gains, or security gained through the proxy. While the Blue Coat SG provides flexible and granular control of Web traffic and access, the Blue Coat AV provides high-performance AV scanning of both cached and non-cached content.

Blue Coat AV supports a range of virus scanning applications, including:
• Kaspersky®
• Sophos
• McAfee®
• Panda

Why Blue Coat AV?
• Performance
  - Performance = an order of magnitude better
  - ICAP server = separate processor
• Choice
  - Blue Coat AV allows different AV vendors
  - Automatically downloads pattern files daily
• Integration
  - Integrate the Blue Coat AV and Blue Coat SG

Slide 18-3: Blue Coat AV benefits

Because virus protection applications are very resource-intensive, using a proxy or firewall for virus scanning usually results in unacceptable overall performance. Blue Coat solves this problem by deploying a dedicated off-box virus scanning solution, the Blue Coat AV. The Blue Coat AV scans only Web objects forwarded from the Blue Coat SG, scanning them at wire speed. This is possible because Blue Coat AV CPU processing is focused on virus-scanning heuristics designed to maximize throughput.

The combined solution offers an integrated system with cache intelligence. Virus-free content is cached for a "scan once, serve many" benefit when scanning cacheable Web objects. For improved performance, heuristic fingerprints are used for non-cacheable content to avoid redundant scanning. Integration between the Blue Coat AV and the Blue Coat SG is seamless, with default configurations optimized for performance. Virus updates to the Blue Coat AV are automated with definable schedules; with each update, previously scanned content in the cache is invalidated and is rescanned as users request it. By utilizing the Blue Coat SG and Blue Coat AV you gain performance and scalability (up to 250+ Mbps HTTP throughput) along with Web-content control.

ICAP Fundamentals
• Internet Content Adaptation Protocol
• Lightweight protocol for executing a "remote procedure call" on HTTP messages
• Server executes its transformation service (adaptation) on messages and sends back responses to the client, usually with modified messages

Slide 18-4: ICAP fundamentals

As RFC 3507 states, "ICAP, the Internet Content Adaptation Protocol, is a protocol aimed at providing simple object-based content vectoring for HTTP services. ICAP is, in essence, a lightweight protocol for executing a 'remote procedure call' on HTTP messages." The protocol enables ICAP clients (like the Blue Coat SG) to pass HTTP messages to ICAP servers (like the Blue Coat AV) for some sort of transformation or other processing (hence the term "adaptation"). The ICAP server executes its transformation service on messages and sends back responses to the client, usually with modified messages. Typically, the adapted messages are either HTTP requests or HTTP responses.

ICAP off-loads specific Internet-based content to dedicated servers that are optimized to perform specialized tasks, such as virus scanning. This frees up resources on the proxy or firewall.

ICAP is a request/response protocol similar in semantics and usage to HTTP/1.1. Despite the similarity, ICAP is not HTTP, nor is it an application protocol that runs over HTTP. This means, for example, that ICAP messages cannot be forwarded by HTTP surrogates.

Slide 18-5: ICAP client/server interaction

The combination of the ICAP server and its application is known as an ICAP service. The ICAP service is registered with the ICAP client, which in this case is the Blue Coat SG. The ICAP client sends client requests or responses to the ICAP server (the Blue Coat AV) for processing (virus scanning). The ICAP server then returns the processed request or response to the Blue Coat SG, or returns an error.

There are five steps to deploying ICAP with the Blue Coat SG and the Blue Coat AV appliances:

1. Define and configure ICAP settings for the Blue Coat AV.
2. Define and configure the ICAP option on the Blue Coat SG.
3. Create an optional patience page.
4. Configure and construct a Blue Coat policy with the desired virus scanning exactness.
5. Test the configuration and new policy.

ICAP REQMOD
• ICAP client sends an HTTP request to an ICAP server
• The ICAP server may then:
  - Send back a modified version of the request
  - Send back an HTTP response to the request
  - Return an error

Slide 18-6: ICAP REQMOD details

The "request modification" (REQMOD) mode is used to send client requests to the ICAP server for processing. The ICAP server may then:

• Send back a modified version of the request. The ICAP client may then perform the modified request by contacting an origin server, or it may pipeline the modified request to another ICAP server for further modification.
• Send back an HTTP response to the request. This is used to provide information useful to the user in case of an error (e.g., "you sent a request to view a page you are not allowed to see").
• Return an error. ICAP clients have flexibility in handling errors: if the ICAP server returns an error, the ICAP client may (for example) return the error to the user, execute the unadapted request as it arrived from the client, or retry the adaptation.

ICAP clients must be able to handle all three types of responses.

ICAP REQMOD
• REQMOD
  - Scan HTTP PUT requests
  - Scan FTP upload requests
  - Scan POST request bodies
• Used for scanning outgoing Web-based e-mail

Slide 18-7: How REQMOD is used

The REQMOD method enables scanning of HTTP PUT requests and HTTP POST request bodies. FTP upload requests and outgoing Web mail are also scanned. The following example shows the message an ICAP client might send to an ICAP server. Here, the REQMOD method applies to a POST request. The ICAP client sends:

    REQMOD icap://icap-server.net/server?arg=87 ICAP/1.0
    Host: icap-server.net
    Encapsulated: req-hdr=0, req-body=147

    POST /origin-resource/form.pl HTTP/1.1
    Host: www.origin-server.com
    Accept: text/html, text/plain
    Accept-Encoding: compress
    Pragma: no-cache

The Encapsulated header gives the byte offset of each encapsulated section: the HTTP request headers start at offset 0, and the request body (which follows the blank line that ends the headers, and which ICAP always carries in chunked form) starts at offset 147.

Slide 18-8: How the Blue Coat SG processes requests (REQMOD)

The typical path for requests that are to be modified by the REQMOD method is as follows:

1. A client makes a request to the Blue Coat SG (known as the ICAP client) for an object on an origin server.
2. The Blue Coat SG sends the request to the Blue Coat AV (known as the ICAP server).
3. The Blue Coat AV executes the ICAP resource's service on the request (the administrator determines the actual services performed by the ICAP server) and sends the (possibly modified) request back to the Blue Coat SG.
4. The Blue Coat SG sends the request to the origin server.
5. The origin server responds to the request and delivers the response to the Blue Coat SG.
6. The Blue Coat SG sends the reply to the client.

ICAP RESPMOD
• ICAP client sends an HTTP response to an ICAP server
• The ICAP server may then:
  - Send back a modified version of the response
  - Return an error

Slide 18-9: ICAP RESPMOD details

In the "response modification" (RESPMOD) mode, an ICAP client sends an HTTP response to an ICAP server. (The response sent by the ICAP client typically has been generated by an origin server.) The ICAP server may then:

• Send back a modified version of the response.
• Return an error.

The response modification method is intended for post-processing performed on an HTTP response before it is delivered to a client.

ICAP RESPMOD
• RESPMOD
  - Virus scanning of HTTP and FTP (RETR)
  - Virus scanning of FTP over HTTP
• Used for scanning incoming Web-based e-mail and file downloads

Slide 18-10: How RESPMOD is used

The RESPMOD method enables scanning of HTTP responses, FTP RETR responses (remote system file retrieval), and FTP over HTTP. Incoming Web mail and file downloads are also scanned. The following example shows the RESPMOD message applied to an origin server response from a GET request. The ICAP client sends a message similar to the following:

    RESPMOD icap://icap.example.org/satisf ICAP/1.0
    Host: icap.example.org
    Encapsulated: req-hdr=0, res-hdr=137, res-body=296

    GET /origin-resource HTTP/1.1
    Host: www.origin-server.com
    Accept: text/html, text/plain, image/gif
    Accept-Encoding: gzip, compress

Here the request headers that produced the response start at offset 0, the origin server's response headers start at offset 137 (the byte length of the request header block shown), and the chunked response body starts at offset 296; the response headers and body follow the request headers in the message.

Slide 18-11: How the Blue Coat SG processes responses (RESPMOD)

The typical path for responses that are to be modified by the RESPMOD method is as follows:

1. A client makes a request to the Blue Coat SG (known as the ICAP client) for an object on an origin server.
2. The Blue Coat SG sends the request to the origin server.
3. The origin server returns the object to the Blue Coat SG, which sends the response to the Blue Coat AV.
4. The Blue Coat AV executes the ICAP resource's service on the response and sends the (possibly modified) response back to the Blue Coat SG.
5. The Blue Coat SG caches the safe object and sends the response to the client.

Any additional requests for the same content are handled by the Blue Coat SG without a rescan of the content, thus avoiding additional load on the Blue Coat AV.
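The REQMOD and RESPMOD messages above are easy to get wrong by hand, because every Encapsulated offset must match the serialized header blocks byte for byte and every body must be re-chunked. The following Node.js code is an added example, not part of the course material or of any Blue Coat product: it builds both message types with computed offsets and chunked bodies as RFC 3507 requires, and parses a message back into its sections so the offsets can be checked. The ICAP URIs and HTTP request headers are those of the two examples above; the POST body and the 200 response are constructed for the example.

```javascript
// Added example (not part of the Blue Coat course or product code): build and
// parse ICAP REQMOD / RESPMOD messages with RFC 3507 Encapsulated offsets.
// Node.js, no network I/O: messages are only serialized into Buffers.

const CRLF = "\r\n";

// Serialize a start line plus headers as one header block ending in a blank
// line. latin1 keeps one byte per character, so Buffer.length is the byte
// count that the Encapsulated offsets must describe.
function headerBlock(startLine, headers) {
  const lines = [startLine];
  for (const [name, value] of Object.entries(headers)) lines.push(`${name}: ${value}`);
  return Buffer.from(lines.join(CRLF) + CRLF + CRLF, "latin1");
}

// Encapsulated bodies are always chunked (RFC 3507 section 4.4.1), even when
// the original HTTP message carried a Content-Length.
function chunkBody(body) {
  const data = Buffer.from(body, "latin1");
  const parts = [];
  if (data.length > 0) {
    parts.push(Buffer.from(data.length.toString(16) + CRLF, "latin1"));
    parts.push(data, Buffer.from(CRLF, "latin1"));
  }
  parts.push(Buffer.from("0" + CRLF + CRLF, "latin1"));
  return Buffer.concat(parts);
}

// Generic builder. `parts` is an ordered list of { name, bytes } with name in
// req-hdr, res-hdr, req-body, res-body. Each offset is the byte position of
// that part relative to the first encapsulated byte; a message without a
// body ends the list with null-body=<offset>.
function buildIcapMessage(method, uri, icapHeaders, parts) {
  const tokens = [];
  const payload = [];
  let offset = 0;
  let hasBody = false;
  for (const { name, bytes } of parts) {
    tokens.push(`${name}=${offset}`);
    payload.push(bytes);
    offset += bytes.length;
    if (name.endsWith("-body")) hasBody = true;
  }
  if (!hasBody) tokens.push(`null-body=${offset}`);
  const head = headerBlock(`${method} ${uri} ICAP/1.0`,
    { ...icapHeaders, Encapsulated: tokens.join(", ") });
  return Buffer.concat([head, ...payload]);
}

// REQMOD: the client's request headers plus its body, if it has one.
function buildReqmod(icapUri, icapHost, requestLine, requestHeaders, body) {
  const parts = [{ name: "req-hdr", bytes: headerBlock(requestLine, requestHeaders) }];
  if (body !== undefined) parts.push({ name: "req-body", bytes: chunkBody(body) });
  return buildIcapMessage("REQMOD", icapUri, { Host: icapHost }, parts);
}

// RESPMOD: the request that produced the response, then the response.
function buildRespmod(icapUri, icapHost, requestLine, requestHeaders,
                      statusLine, responseHeaders, body) {
  return buildIcapMessage("RESPMOD", icapUri, { Host: icapHost }, [
    { name: "req-hdr", bytes: headerBlock(requestLine, requestHeaders) },
    { name: "res-hdr", bytes: headerBlock(statusLine, responseHeaders) },
    { name: "res-body", bytes: chunkBody(body) },
  ]);
}

// Parse an ICAP message into { method, uri, headers, sections }: header
// names are lower-cased, and sections maps each Encapsulated part name
// (except null-body) to the text found between its offset and the next one.
function parseIcapMessage(buf) {
  const end = buf.indexOf(CRLF + CRLF, 0, "latin1");
  if (end < 0) throw new Error("incomplete ICAP header block");
  const lines = buf.subarray(0, end).toString("latin1").split(CRLF);
  const [method, uri] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    headers[line.slice(0, colon).toLowerCase()] = line.slice(colon + 1).trim();
  }
  const encapsulated = buf.subarray(end + 4);
  const entries = (headers.encapsulated || "").split(",").map((token) => {
    const [name, offset] = token.trim().split("=");
    return { name, offset: Number(offset) };
  });
  const sections = {};
  entries.forEach((entry, i) => {
    if (entry.name === "null-body") return;
    const stop = i + 1 < entries.length ? entries[i + 1].offset : encapsulated.length;
    sections[entry.name] = encapsulated.subarray(entry.offset, stop).toString("latin1");
  });
  return { method, uri, headers, sections };
}

// Constructed samples: ICAP URIs and request headers from the text, with a
// made-up POST body and a made-up 200 response for the RESPMOD case.
const SAMPLE_REQMOD = buildReqmod(
  "icap://icap-server.net/server?arg=87", "icap-server.net",
  "POST /origin-resource/form.pl HTTP/1.1",
  { Host: "www.origin-server.com", Accept: "text/html, text/plain",
    "Accept-Encoding": "compress", Pragma: "no-cache" },
  "I am posting this information.");

const SAMPLE_RESPMOD = buildRespmod(
  "icap://icap.example.org/satisf", "icap.example.org",
  "GET /origin-resource HTTP/1.1",
  { Host: "www.origin-server.com", Accept: "text/html, text/plain, image/gif",
    "Accept-Encoding": "gzip, compress" },
  "HTTP/1.1 200 OK", { "Content-Type": "text/html", "Content-Length": "13" },
  "<html></html>");

if (typeof require !== "undefined" && require.main === module) {
  process.stdout.write(SAMPLE_REQMOD.toString("latin1"));
  process.stdout.write(SAMPLE_RESPMOD.toString("latin1"));
}
```

Running the file prints both messages. The REQMOD sample reproduces the Encapsulated line from the text (req-hdr=0, req-body=147), and the RESPMOD sample reproduces res-hdr=137; the res-body offset differs from the text's 296 only because the response headers here are the constructed ones rather than the origin server's. A scanning client that miscomputes these offsets hands the ICAP server a body that starts in the middle of a header line, which is the usual cause of "scan failed" errors when an ICAP integration is hand-rolled.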
Sample Deployment: XYZ Inc.

Slide 18-12: Sample ICAP deployment

You must deploy the Blue Coat AV and the Blue Coat SG in the same network segment; the Blue Coat AV cannot act as an ICAP server for ICAP clients outside the local network. As Slide 18-12 illustrates, a typical main office deployment consists of one Blue Coat SG 800 serviced by several Blue Coat AV appliances. Deploying several Blue Coat AV appliances enhances scanning performance because ICAP requests are load-balanced across them. Branch offices are typically served by one Blue Coat SG 200 and one Blue Coat AV.

Chapter 19: Service and Support

Blue Coat Systems supports its products with an outstanding customer support program. All Blue Coat Systems service offerings are designed to protect your business in the event of a hardware failure, yet maintain the flexibility required to meet your organization's specific logistical and budget needs. Teamed together, Blue Coat Systems products and service offerings provide the protection and flexibility required to keep your network up and running.

All Blue Coat hardware products include:
• 90-day phone support warranty
• 90-day Blue Coat Operating System software warranty
• 1-year hardware warranty

90-day technical support and software warranty

For the first 90 days, customers will receive 8 x 5 (8 hours a day, 5 days a week) technical phone support. Support includes assistance with configuration, installation, upgrade, and identification of hardware and software problems. Support may also include logging into customer systems for diagnosis of problems or providing a work-around. The 90-day warranty also includes access to all minor and maintenance releases of Blue Coat Systems operating system software.

1-year hardware warranty

For the first 90 days of the warranty, if Blue Coat determines that a problem is caused by a hardware failure, it will advance ship a replacement unit within five business days. For the remaining nine months of the warranty, hardware will be repaired under our Return for Repair or Replacement service.

All Blue Coat support services include a WebPower password that provides access to the following:
• Online access to open technical support cases, allowing you to review open cases and add comments to existing cases
• Exclusive support documentation, installation notes, and FAQs

Worldwide Service includes:
• Platinum Service
  - Unlimited 24 x 7 (24 hours a day, 7 days a week) Phone Support
  - 8 x 5 Web Support
  - Advance Hardware Replacement
  - Unlimited Access to OS Software Releases
• Gold Service
  - Unlimited 8 x 5 Phone Support
  - 8 x 5 Web Support
  - Advance Hardware Replacement
  - Unlimited Access to OS Software Releases

The following information is required for all issues sent to Blue Coat Support:
• Contact Information:
  - Company name
  - Contact name
  - Phone number
  - E-mail address
• Hardware Serial Number
• Issue:
  - Description
  - Time(s)/Frequency
  - Expectation
  - Reproducible (yes | no)
  - Other Comments
• Sysinfo output from the appliance (http://x.x.x.x:yyyy/Sysinfo)
• Information from the "Specific Requirements" sections that cover specific issues
• Sending files to Blue Coat: https://upload.bluecoat.com
  - Put all files in one zip file
  - Include the Service Request (SR) number

Blue Coat Support Policy
• Make all reasonable efforts to protect our customers' investments.
• Provide information to customers that will help guide purchase, upgrade, and deployment decisions.
• Meet changing market demands for new features, products, and services.

Contact Blue Coat Systems at:
+1.866.302.2628 Toll Free (USA)
+1.408.220.2199 Direct
+1.408.220.2250 Fax
sales@bluecoat.com

Support Organization
• Professional Services
  - Deployment
  - Installations
  - Upgrades
• Support Services
  - Licensing
  - Renewals
  - WebPower logins
• Technical Support
  - Software troubleshooting
  - Hardware troubleshooting
  - RMAs

Slide 19-1: Support organization

Professional Services

Blue Coat professional services is dedicated to providing superior on-site service for customers. The professional services organization is, in essence, a consulting team whose primary responsibilities are:
• Installation and configuration of Blue Coat products
• Customization of advanced features
• Environment-specific knowledge transfer

Professional services are available for an additional per diem fee and are not included in any support contract.

Support Services

Blue Coat Systems supports its products with customer support programs designed to provide seamless operation of Blue Coat products in the operating environment. All Blue Coat products come with a 90-day software and one-year hardware warranty, and all support services include the WebPower access described above.

Technical Support

With support centers strategically positioned around the globe, Blue Coat Systems' knowledgeable and experienced on-duty staff is equipped to deliver worldwide telephone support in English, Chinese, Japanese, and other languages. Support is available 24 hours a day, 7 days a week (for customers with Platinum support). The Blue Coat technical support centers are located in:
• Sunnyvale, California, United States
• London, United Kingdom
• Kuala Lumpur, Malaysia
• Tokyo, Japan

Your call may be transparently routed to the most available technical assistance center (TAC), based on the time of your call and the region of the world you are calling from.

Support Agreements and Services
• Flexible service level agreements
  - Platinum (24x7)
  - Gold (8x5)
• Advance hardware replacement
  - "Same Day Ship" hardware replacement service
• Online Services
  - Case Management (WebPower)
  - Instant Support
  - Licensing & Asset Database
  - Documentation
  - Forums

Slide 19-3: Support agreements and services

Blue Coat Systems provides quality technical support in accordance with generally recognized business practices and standards. Technical support provides assistance in the usage of covered Equipment and Software, including product configuration, identification of hardware or software problems, and downloading of Software Updates. Support may also include logging into customer systems for diagnosis of problems or providing a work-around when possible.

Platinum Support

Products covered under Platinum Service are entitled to Technical Phone Support for an unlimited number of incidents 24 hours a day, 7 days a week, and to 8 x 5 Technical Online Support during regular business hours (see Limitations). Products covered under Platinum Service are entitled to advance replacement of hardware products, prior to Blue Coat Systems receiving the faulty item.

Gold Support

Products covered under Gold Service are entitled to 8 x 5 technical phone and online support for an unlimited number of incidents during regular business hours (see Limitations). Products covered under Gold Service are entitled to advance replacement of hardware products, prior to Blue Coat Systems receiving the faulty item.

Advance Hardware Replacement

Hardware will be shipped the same day when RMA requests are received during regular business hours and deemed necessary by Technical Support before the RMA cut-off time (see Limitations). Requests received or verified by Blue Coat Systems Technical Support after the cut-off time will ship the following business day.

All replacement parts will be furnished on an exchange basis at no cost to the customer and will be standard or reconditioned components of equal or greater quality, revision level, and functionality. Units verified (by a Blue Coat Systems Technical Support Engineer) as an Out of Box Failure will be advance replaced with a new product of the same make and model number as the original. All commercially reasonable efforts will be made to get the replacement product delivered.

Customers will be responsible for shipping inoperable units or subassemblies back to Blue Coat Systems immediately after the replacement is received. If the inoperable unit or subassembly is not returned to Blue Coat Systems within fourteen days of receipt of the replacement, the Customer shall pay the list price per unit as stated in the then-current Blue Coat Systems, Inc. price list. Customer failure to pay the list price or return Equipment promptly will result in the suspension of Services by Blue Coat Systems.

If, during any one (1) year period, more than fifteen percent (15%) of the units or subassemblies returned to Blue Coat Systems for replacement are diagnosed as "No Trouble Found," Customer may be charged a fee of five percent (5%) of the then-current list price of the actual unit or subsequent product (where the actual product is obsolete) for each unit or subassembly returned after the fifteen percent (15%) threshold has been reached, not including the unit whose return results in meeting the fifteen percent (15%) threshold. Blue Coat Systems will provide written notification to Customer in the event it intends to apply the fee identified in this paragraph.

Limitations

Technical Phone Support is provided in English 8 hours a day, 5 days a week, excluding holidays.

Customer has the right to duplicate documentation for its own internal use, in quantities equal to the number of units of equipment and software specified on the purchase order, provided that all copyright, trademark, and other proprietary rights notices are also reproduced in the same form and manner as on the original media provided.

All Software provided pursuant to a Service Offering will be governed under the same terms and conditions as set forth in the license agreement accompanying the original software licensed by Customer.

WebPower

WebPower is Blue Coat Systems' online Customer Support Service. WebPower users receive immediate, personal, and secure Web access to Blue Coat Systems information and resources 24 hours a day, 7 days a week, from anywhere in the world. Benefits include:
• Ability to create, modify, or update Technical Support requests
• Access to exclusive support materials and installation notes

WebPower is available to Blue Coat Partners and Customers who own products actively covered under the one-year warranty or a Service Contract.

Escalation Process

Slide 19-4: Escalation process

Customers and evaluators can submit service requests (SRs) in different ways. You can use:
• Phone (call the toll-free support line)
• E-mail
• WebPower

SRs are first handled by the frontline support team. This team walks customers through common support issues and answers general questions about the products. Should an SR require special attention, it is sent up the escalation ladder to the backline support team. The backline support engineers are the most senior team members; this team performs the function often labeled escalation in other organizations and is the interface between frontline support and development. Complex issues for which a proper solution or workaround is not available are escalated to development. Fixes are made available via:
• Customer-specific releases
• Dot releases
• Minor releases
• Major releases
Support Tools
• Software Release Notes
• Instant Support
• Blue Coat Forums
• Tech Briefs

Slide 19-5: Support tools

You should always read the release notes for each version of the Blue Coat product that you are installing (Blue Coat® SG™ OS, Blue Coat® AV™ OS, Blue Coat® Director™ OS, Blue Coat® Reporter™). The release notes contain useful information and known issues.

Instant Support enables you to find an immediate and detailed solution to the most common issues. The launch page also contains a list of topics that Blue Coat updates regularly.

The forums, which are not filtered, are a very useful way for customers to exchange tips and tricks. It is not uncommon to have your forum question answered by a Blue Coat support engineer or developer. The main drawback of the forums is that there is no guaranteed response time for questions, and responses are voluntary.

Technical briefs, which show you how to complete complex tasks, are very popular documents among Blue Coat customers. Many different technical briefs are available; they cover a range of topics, from spyware protection to advanced document manipulation with embedded Java scripts.

Appendix A: Deployment Planning

Planning and designing the most efficient deployment is the most important decision you have to make, second only to the one of actually buying the Blue Coat® SG™. The Blue Coat SG is engineered to offer you the maximum flexibility of deployment: you can scale from small to extremely large environments, and you can build fault tolerance and redundancy.

The Deployment Question

You may be new to the use of proxy servers; even if you are not, it is important that you review the many ways in which the Blue Coat SG can be deployed. You may have a very complex network, but it can always be logically reduced to the simple diagram shown in Figure A-1.

Figure A-1: The deployment dilemma

Your network is already designed to send all outbound traffic along a specific path. Now you need to direct to the Blue Coat SG all the traffic that you want it to manage. All of the solutions that you can think of to route selected traffic from your clients to the Blue Coat SG can be grouped into two main categories: transparent and explicit.

Firewall Best Practice

Regardless of how you decide to direct client traffic to the proxy, you should modify the firewall configuration in order to enforce the use of the proxy. Typically, a firewall allows outbound traffic from the clients to the Internet; more restrictive policies may only allow HTTP and HTTPS traffic from the clients to the Internet. In either case, regardless of the deployment strategy that you will implement, you should now block the traffic that you want to go through the proxy. For instance, if you want to proxy HTTP and HTTPS, you should block the clients from directly accessing outside resources over these protocols; only the Blue Coat SG should be allowed through the firewall. This configuration allows you to enforce the use of the proxy by all clients, and it also deters the most advanced users from bypassing the proxy.

Explicit Proxy

Creating an explicit proxy is conceptually the easiest solution and in general does not require any additional software or hardware. A client using an explicit proxy formats its GET requests for a proxy (it sends the absolute URL in the request line); you can refer to the HTTP chapter of this book for more details. A simple packet capture can show you if a client is using an explicit proxy.

Manual Configuration

Every client is configured to forward all the traffic to the Blue Coat SG. For instance, you can easily set your browser to send all HTTP requests to a proxy server. Figure A-2 shows how the configuration screen looks for a Firefox® client.

Figure A-2: Firefox proxy configuration

The client now sends all HTTP requests to the proxy with IP address 172.16.90.22 over port 8080. You can see how this method is pretty straightforward; however, it can be easily bypassed unless it is paired with good firewall rules. This method also requires a lot of administrator time, and it is impractical for any organization but the smallest. Manual configuration can still be useful for testing and debugging purposes.

Proxy Auto-Configuration (PAC) File

The Proxy Auto-Configuration (PAC) file is used to distribute the proxy configuration to the browser from a remote JavaScript® file rather than from static information entered directly. One of the main advantages of the PAC file is that it allows you to make changes to your proxy configuration without having to reconfigure each client. It is even possible to specify which proxies each user can access.

You can use a PAC file to create a very basic fault-tolerant and load-balanced environment. In this example you configure four Blue Coat SG appliances (SG01 to SG04) as follows: one handles all .com requests, one handles all .net requests, one handles all other domains, and the last one is a hot standby for the other three. If any of the three main proxies goes down, the fourth takes over. Table A-1 shows the role of each proxy.

Table A-1: Proxy roles

    Proxy   Purpose
    SG01    .com domains
    SG02    .net domains
    SG03    all other domains
    SG04    hot standby

The proxy servers communicate with the clients over port 8080. In particular, the local sites (inside the network) are accessed by the clients directly. Below you can see the JavaScript necessary to achieve the results described above.

    // Returns the proxy list for a URL. Internal hosts go DIRECT; every other
    // host goes to the proxy for its top-level domain, with sg04 as the hot
    // standby that the browser falls back to when the first proxy is down.
    function FindProxyForURL(url, host) {
        if (isPlainHostName(host) || dnsDomainIs(host, ".bluecoat.com"))
            return "DIRECT";
        else if (shExpMatch(host, "*.com"))
            return "PROXY sg01:8080; PROXY sg04:8080";
        else if (shExpMatch(host, "*.net"))
            return "PROXY sg02:8080; PROXY sg04:8080";
        else
            return "PROXY sg03:8080; PROXY sg04:8080";
    }

Note: You should save the JavaScript function to a file with a .pac filename extension, for example "proxy.pac". You should also configure your Web server to map the .pac filename extension to the MIME type application/x-ns-proxy-autoconfig. The PAC file can reside on a shared resource. Each client needs to know where the PAC file is located; Figure A-3 shows how a Firefox client configuration looks for PAC.

Figure A-3: PAC configuration for Firefox

Web Proxy Auto-Discovery (WPAD)

Internet Explorer version 5 (and higher) and Netscape support Web Proxy Auto-Discovery (WPAD). This solution is designed to enable the browser to automatically detect proxy settings without user or administrator intervention. WPAD works by prepending wpad to the system's fully-qualified domain name and progressively removing subdomains until it either finds a WPAD server or runs out of subdomains to try. For example, a client in the clients.bluecoat.com domain will query wpad.clients.bluecoat.com and then wpad.bluecoat.com. This approach can be open to vulnerabilities because the search climbs toward domains that the organization may not control, and whoever answers for a wpad host in one of those domains can hand the browser a proxy configuration of their choosing. This solution requires a DNS change and possibly a dedicated server.

Figure A-4: Internet Explorer automatic proxy settings

Figure A-4 shows how the configuration for Internet Explorer looks when there is a WPAD server. This configuration can be used in conjunction with PAC files.

Active Directory Policy

If you are running any of the operating systems listed below, you can configure the clients' proxy settings automatically via Active Directory® Group Policy. Each client must be part of the Active Directory forest.
• Windows® 2000 Professional and Server
• Windows XP Professional
• Windows 2003 Server

Note: Windows 9x/Me and Windows XP Home Edition are not supported.

You can use Active Directory not only to distribute a specific server configuration but also a more generic PAC file.

Figure A-5: Active Directory policy proxy configuration

This solution will become more feasible as more companies roll out Active Directory for the entire organization and stop using operating systems that are not supported.
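A PAC file is hard to test without a browser, and the WPAD search order is easy to misjudge. The following Node.js harness is an added example, not part of the course material or of any Blue Coat product: it re-implements the three browser-supplied PAC helper functions used above (isPlainHostName, dnsDomainIs, shExpMatch), evaluates the FindProxyForURL function from the PAC section against constructed hostnames, walks the returned proxy list the way a browser does when a proxy is unreachable, and lists the URLs a WPAD client probes for a given fully-qualified name, which makes the trust problem in the WPAD search visible. The hostnames and the set of "down" proxies are constructed for the example; the sg01 to sg04 names, port 8080 and the .bluecoat.com internal domain come from the text.

```javascript
// Added example (not part of the Blue Coat course or product code): a test
// harness for the PAC function above and for the WPAD discovery order.
// Node.js; no network I/O.

// The three PAC helpers the browser normally supplies, implemented to their
// documented semantics.
function isPlainHostName(host) {
  return !host.includes(".");
}

function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}

// Shell-style glob match: '*' matches any run of characters, '?' exactly one.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

// The PAC function from the text: internal hosts DIRECT, one proxy per
// top-level domain, sg04 as the hot standby for all three.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".bluecoat.com"))
    return "DIRECT";
  else if (shExpMatch(host, "*.com"))
    return "PROXY sg01:8080; PROXY sg04:8080";
  else if (shExpMatch(host, "*.net"))
    return "PROXY sg02:8080; PROXY sg04:8080";
  else
    return "PROXY sg03:8080; PROXY sg04:8080";
}

// Turn "PROXY a:8080; PROXY b:8080; DIRECT" into an ordered failover list.
function parseProxyList(result) {
  return result.split(";").map((s) => s.trim()).filter(Boolean).map((entry) => {
    const [type, address] = entry.split(/\s+/);
    if (!address) return { type };
    const [host, port] = address.split(":");
    return { type, host, port: Number(port) };
  });
}

// Browser failover: use the first proxy in the list that is reachable.
// `downHosts` is a Set of proxy hostnames assumed unreachable (constructed
// for the example; a real browser learns this from failed connections).
function selectProxy(url, host, downHosts) {
  for (const entry of parseProxyList(FindProxyForURL(url, host))) {
    if (entry.type === "DIRECT") return "DIRECT";
    if (!downHosts.has(entry.host)) return `${entry.host}:${entry.port}`;
  }
  return null; // every listed proxy is down
}

// WPAD DNS discovery: drop the host's own label, then probe wpad.<domain>
// while stripping labels from the left, stopping before the top-level
// domain. The later candidates sit in domains the organization may not
// control, which is the trust problem noted in the text.
function wpadCandidates(fqdn) {
  const labels = fqdn.split(".").slice(1);
  const urls = [];
  while (labels.length >= 2) {
    urls.push(`http://wpad.${labels.join(".")}/wpad.dat`);
    labels.shift();
  }
  return urls;
}
```

Run the table of cases you care about through selectProxy with and without each proxy in the down set before publishing a PAC change; the .com case with sg01 down falling to sg04:8080 is the behaviour the hot-standby design promises, and a host that unexpectedly returns DIRECT is a host that will never be scanned by the Blue Coat AV.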
• W i n d o w s ® 2000 Professional a n d Server W i n d o w s XP Professional W i n d o w s 2003 Server Note: W i n d o w s 9 x / M e a n d W i n d o w s X P H o m e Edition are not s u p p o r t e d . Unless y o u i m p l e m e n t m o r e restrictive firewall policies.l .Appendix A: Deployment Planning Issues with Explicit Proxy Based on the information p r o v i d e d above. w h i c h m a y not be significant. However. scalable. as a technology. more expensive a n d can be m o r e complex to set u p . the client's user agent believes that it is talking to the remote server directly. Figure 18-6: Blue Coat SG with Layer 4 switch If y o u c o m p a r e Figure A-6 w i t h Figure A . The traffic that y o u w a n t to proxy is redirected by the switch to the Blue Coat SG. transparent proxy is m o r e complex. a n d robust. however. in general. It needs to be in a position to inspect all o u t b o u n d traffic. The m a i n a d v a n t a g e is reduced cost. all other traffic is passed to the firewall (or other destinations). y o u can easily see h o w relying on explicit proxy raises several potential issues. t h a n explicit proxy — but it is also m o r e efficient. in a t r a n s p a r e n t proxy scenario. such as: • A d v a n c e d load balancing a D • D Most available Round-robin Least CPU utilization URL hashing 199 . In essence. Layer 4 Switches Switching technology has evolved from the Data Link Layer to cover up to the Application Layer. In general. A u s e r can take a d v a n t a g e of W P A D to o p e n security gaps. most Layer 4 switches are capable of h a n d l i n g up to Layer 7 a n d d o w n to Layer 2. Most Layer 4 switches offer a very useful set of a d d e d functions. Regardless of the solution that y o u choose for explicit proxy. the client's user agent k n o w s that it is s e n d i n g the connection requests to a proxy server. y o u can i m m e d i a t e l y notice w h e r e the Layer 4 switch needs to be installed. 
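The WPAD name walk described above, as an added example (not Blue Coat code): it lists the wpad host names a client will query for a given client FQDN and flags the ones that fall outside the DNS zones the organization controls, so an administrator knows which in-zone name to register before the walk reaches an untrusted domain. The client names and zone names are constructed.

```python
"""Enumerate the host names a WPAD client queries for a given client FQDN and
flag the ones that lie outside the organisation's own DNS zones.

Added example, not Blue Coat code. Client and zone names are constructed; the
stop rule (never query a bare top-level domain) follows the DNS-based WPAD
lookup described in the appendix.
"""
from typing import List


def wpad_candidates(client_fqdn: str, min_labels: int = 2) -> List[str]:
    """Return the 'wpad.<domain>' names in the order the client tries them.

    The client drops its own host label, prefixes 'wpad' to the remaining
    domain, then removes one leading sub-domain per attempt until the domain
    part would have fewer than min_labels labels (2 means the walk ends at
    'wpad.example.com' and never asks for 'wpad.com').
    """
    labels = [l for l in client_fqdn.rstrip(".").lower().split(".") if l]
    domain = labels[1:]                       # everything after the host label
    names: List[str] = []
    while len(domain) >= min_labels:
        names.append("wpad." + ".".join(domain))
        domain = domain[1:]                   # strip the left-most sub-domain
    return names


def in_zone(domain: str, zone: str) -> bool:
    """True when `domain` equals `zone` or is a sub-domain of it."""
    return domain == zone or domain.endswith("." + zone)


def untrusted_candidates(client_fqdn: str, trusted_zones: List[str]) -> List[str]:
    """WPAD names whose domain part lies outside every zone the organisation
    controls. A client only reaches such a name if no earlier, in-zone name
    answered, so registering the in-zone name (or disabling WPAD) keeps the
    walk from getting there."""
    zones = [z.strip(".").lower() for z in trusted_zones]
    flagged: List[str] = []
    for name in wpad_candidates(client_fqdn):
        domain = name[len("wpad."):]
        if not any(in_zone(domain, z) for z in zones):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # The appendix's own example: a client in clients.bluecoat.com.
    print(wpad_candidates("pc1.clients.bluecoat.com"))
    # Constructed: a client under a two-label public suffix walks out of the
    # organisation's zone on its third attempt.
    print(untrusted_candidates("pc1.clients.bluecoat.co.uk", ["bluecoat.co.uk"]))
```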
Transparent Proxy

You can think of transparent proxy as exactly the opposite of explicit proxy. In a transparent proxy scenario, the client's user agent believes that it is talking to the remote server directly, without intermediaries. The goal of setting up transparent proxy is to redirect all of the desired traffic to the Blue Coat SG, without the client's knowledge or consent. Transparent proxy is, in general, more complex than explicit proxy; however, it is also more efficient, scalable, and robust. Unfortunately it is also, in general, more expensive (which may not be significant) and can be more complex to set up.

Layer 4 Switches

Switching technology has evolved from the Data Link Layer to cover up to the Application Layer. In general, most Layer 4 switches are capable of handling up to Layer 7 and down to Layer 2. Most Layer 4 switches offer a very useful set of added functions, such as:
• Advanced load balancing
  • Most available
  • Round-robin
  • Least CPU utilization
  • URL hashing
• Advanced fault tolerance and redundancy

The only major obstacle to the deployment and implementation of Layer 4 switches is cost. Such devices can cost from a few thousand to tens of thousands of U.S. dollars.

Figure A-6: Blue Coat SG with Layer 4 switch

If you compare Figure A-6 with Figure A-1, you can immediately notice where the Layer 4 switch needs to be installed. It needs to be in a position to inspect all outbound traffic. The traffic that you want to proxy is redirected by the switch to the Blue Coat SG; all other traffic is passed to the firewall (or other destinations). A Layer 4 switch can also change the way a particular request looks. For instance, it can change a direct HTTP GET request to a proxy-style HTTP GET request, as shown in Figure A-7 below.

Figure A-7: HTTP request transformation

You can see that the client user agent is not aware that the connection will go via a proxy server. The ability of a Layer 4 switch (also known as a content switch) to change HTTP requests allows it to be compatible with any proxy and not just the more advanced ones like Blue Coat SG.

Web Cache Communication Protocol (WCCP)

You can configure a Blue Coat SG in a Web Cache Communication Protocol (WCCP) deployment when a WCCP-capable router collaborates with a set of WCCP-configured Blue Coat SG appliances to service requests. WCCP is a Cisco-developed protocol that allows you to establish redirection of the traffic that flows through routers. Traffic routing decisions can be based on several parameters, such as destination address, source address, port, protocol, and a combination of these. WCCP has two versions, version 1 and version 2, both of which are supported by Blue Coat. WCCP version 1 only redirects destination TCP port 80 (default HTTP traffic) IP packets; WCCP version 2 allows you to redirect traffic from other ports and protocols. Only one protocol version can be active on the Blue Coat SG at a time, and the active WCCP protocol set up in the Blue Coat SG configuration must match the version running on the WCCP router.

Using WCCP and Transparent Redirection

A WCCP-capable router operates in conjunction with the Blue Coat SG appliances to transparently redirect traffic to a set of caches that participate in the specified WCCP protocol. (A Blue Coat SG is seen as a cache in the WCCP protocol.) IP packets are redirected based on fields within each packet. WCCP version 2 offers the same capabilities as version 1, along with increased protocol security and multicast protocol broadcasts. The main benefits of using WCCP are:
• Scalability: With no reconfiguration overhead, redirected traffic can be automatically distributed to up to 32 Blue Coat SG appliances.
• Redirection safeguards: If no Blue Coat SG appliances are available, redirection stops and the router forwards traffic to the original destination address.

Note: Blue Coat recommends that WCCP-compliant caches from different vendors be kept separate and that only one vendor's routers be used in a service group.

WCCP Version 1

For Cisco routers using WCCP version 1, minimum IOS releases are 11.1(18)CA and 11.2(13)P. Note that releases prior to IOS 12.0(3)T only support WCCP version 1; release 12.0(5) and later releases support WCCP versions 1 and 2.

In WCCP version 1, the WCCP-configured home router transparently redirects TCP port 80 packets to a maximum of 32 Blue Coat SG appliances. A Blue Coat SG from the group is selected to define the home router's redirection hash table for all caches. All caches periodically communicate with the home router to verify WCCP protocol synchronization and Blue Coat SG availability within the service group. In return, the home router responds to each cache with information as to which Blue Coat SG appliances are available in the service group. This way, caches can be transparently added and removed from the WCCP service group without requiring operator intervention. WCCP version 1 supports only a single service group.

The following are WCCP version 1 caveats:
• The home router IP must be configured on all participating interfaces and must match the home router address configured on the Blue Coat SG.
• The adapter connected to the Blue Coat SG must be Ethernet or Fast Ethernet.
• Ensure that you are using the correct IOS software for the router and that the Blue Coat SG configuration protocol version number and the router protocol version number match.

WCCP Version 2

For Cisco routers using WCCP version 2, minimum IOS releases are 12.0(3)T and 12.0(4). Version 2 WCCP-capable routers are capable of redirecting IP traffic to a set of Blue Coat SG appliances based on various fields within those packets. Routers can transparently redirect IP packets based on their formats. For example, one service group could redirect HTTP traffic and another could redirect FTP traffic. WCCP version 2 supports multiple service groups: up to 32 WCCP-capable routers can transparently redirect traffic to a set of up to 32 Blue Coat SG appliances, and version 2 allows routers and caches to participate in multiple, simultaneous service groups. Version 2 multicasting allows caches and routers to discover each other through a common multicast service group and matching passwords.

Each applicable client IP packet received by the home router is transparently redirected to a cache. One of the caches participating in the WCCP service group is automatically elected to configure the home router's redirection tables. Load balancing is achieved through a redirection hash table to determine which Blue Coat SG will receive the redirected packet. In addition, caches can be transparently added and removed from the WCCP service group without requiring operator intervention. Ensure that you use the correct IOS software for the router and that you have a match between the Blue Coat SG configuration WCCP version number and the router protocol version number.

Blue Coat SG in Bridging Mode

The Blue Coat SG can be configured to bridge two sides of an IP network. This solution allows you to create a transparent proxy environment.

Figure A-8: Blue Coat SG in bridging mode

In the configuration shown in Figure A-8 above, the Blue Coat SG receives all outbound traffic and can inspect it. If the traffic matches any of the criteria set forth by the administrators, the Blue Coat SG further inspects the traffic and can apply any desired rule or action (allow, block, redirect, cache, etc.). This solution is not recommended for medium or large networks (more than 50 hosts). That is because the Blue Coat SG is now processing and forwarding all the packets and not just those that match given policies. The Blue Coat SG becomes a single point of failure for the network, and it is susceptible to overload or congestion if there are too many nodes attached to that network.

Appendix B: Conditional Probability — Bayes Theorem

Modern content-filtering technology, as well as spam e-mail detection, relies on some fundamental theorems of statistical analysis. This section discusses, at a very high level, the Bayes Theorem. This section assumes that you are familiar with some basic principles of statistics.

No device can ever "know" that a page contains Adult/Mature content per se. The device cannot determine that a text page contains a certain type of content without having some point of reference. However, through a controlled experiment, it is possible for the device to determine the probability that a page contains Adult/Mature content, by comparing that probability to the probability that it contains some other type of content (for example, News/Media content).

Bayes Theorem

Let us consider a set of mutually exclusive events $\{A_1, A_2, A_3, \ldots, A_N\}$ and define, for each value of $i$, both the probability of the event $A_i$ happening, which we will call $P(A_i)$, and the probability of event $B$ happening conditional to the generic event $A_i$, which we will call $P(B \mid A_i)$. You should recall the theorem of total probability as shown in formula (a) below:

(a) $P(B) = \sum_{i=1}^{N} P(A_i)\,P(B \mid A_i)$

Formula (a) states that the probability of an event is the sum of the probabilities of the combined events. To better understand formula (a), we should use a real-life example. In the state of California the registered voters are divided according to the table below.

Table B-1: Registered voters in California
Democrats: 43 percent — P(D) = 0.43
Republicans: 34 percent — P(R) = 0.34
Other: 23 percent — P(O) = 0.23
Data from State of California Registrar of Voters (April 2006)

If you know that 60 percent of the registered Democrats, 20 percent of the registered Republicans, and 90 percent of the others favor a new bill, what is the probability that the new bill will pass? The probability that the new bill will pass is $P(B)$. The probability that a person belongs to a certain party is $P(A_i)$, and the probability that a person will vote a certain way is $P(B \mid A_i)$. Using the numbers above we determine that the probability that the bill will pass is:

(b) $P(B) = 0.43 \times 0.60 + 0.34 \times 0.20 + 0.23 \times 0.90 = 0.53$

Formula (b) tells us that the bill can pass, but by a narrow margin.

You can also determine the probability of a past event based on knowledge that a different event already occurred. In essence, we want to determine the probability that event $A_i$ has happened, knowing that event $B$ has happened, which we will call $P(A_i \mid B)$. We can perform an experiment to determine how the probability changes. For example, if you have a bag with six balls, three red and three blue, you want to determine the probability of extracting a blue ball ($P(A_i)$), knowing that you just picked a red one from the bag ($P(B)$).

We want to calculate the probability of the event $A_i$ conditional to the event $B$, based on the probability of certain events (prior probabilities). This probability can be expressed using formula (c) below:

(c) $P(A_i \mid B) = \dfrac{P(A_i)\,P(B \mid A_i)}{P(B)}$

If you take the value of $P(B)$ from formula (a) and substitute it into formula (c), you obtain the Bayes theorem, shown below in formula (d):

(d) $P(A_i \mid B) = \dfrac{P(A_i)\,P(B \mid A_i)}{\sum_{i=1}^{N} P(A_i)\,P(B \mid A_i)}$

Using the example of the voters in California, we want to determine the probability that a voter belonged to a certain party, knowing that the bill was approved. Applying the numbers listed above and the result of formula (b) to formula (d), we obtain:

(e) $P(A_D \mid B) = \dfrac{0.43 \times 0.6}{0.53} = 0.48$

So, knowing that the bill passed, the probability that a voter was a Democrat is 48 percent. The Bayes theorem allowed us to reverse the probability: we started knowing the probability that a person of a given party voted for the bill, and we determined the probability that a voter belonged to a certain party, knowing that the bill was approved.
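Formulas (a) through (e) in code, as an added example that is not part of the course material: the voter figures are the ones above, and the second half generalizes the same two functions to the content-categorization use of the theorem (categories as the events, a word as event B) with a constructed set of known pages standing in for the training documents. The multi-word classifier at the end assumes the words occur independently of one another, an assumption the appendix does not make.

```python
"""Total probability (a), Bayes (d) and the word/category application.

Added example, not Blue Coat code. Voter figures are the appendix's own; the
training pages are constructed, and the multi-word classifier assumes the
words are conditionally independent (naive Bayes), which the appendix does
not state.
"""
from typing import Dict, List, Set

Priors = Dict[str, float]        # P(A_i) for each mutually exclusive A_i
Likelihoods = Dict[str, float]   # P(B | A_i) for each A_i


def total_probability(priors: Priors, likelihoods: Likelihoods) -> float:
    """Formula (a): P(B) = sum over i of P(A_i) * P(B | A_i)."""
    return sum(priors[a] * likelihoods[a] for a in priors)


def posterior(priors: Priors, likelihoods: Likelihoods) -> Dict[str, float]:
    """Formula (d): P(A_i | B) = P(A_i) P(B | A_i) / P(B), for every A_i."""
    p_b = total_probability(priors, likelihoods)
    return {a: priors[a] * likelihoods[a] / p_b for a in priors}


# Table B-1 and the 60 / 20 / 90 percent "favour the bill" figures.
VOTER_PRIORS: Priors = {"Democrat": 0.43, "Republican": 0.34, "Other": 0.23}
FAVOUR_BILL: Likelihoods = {"Democrat": 0.60, "Republican": 0.20, "Other": 0.90}


def p_bill_passes() -> float:
    """Formula (b): 0.533, which the appendix rounds to 0.53."""
    return total_probability(VOTER_PRIORS, FAVOUR_BILL)


def p_democrat_given_passed() -> float:
    """Formula (e): about 0.484, the 48 percent quoted in the appendix."""
    return posterior(VOTER_PRIORS, FAVOUR_BILL)["Democrat"]


# --- the "automatic tool": learn P(A_i) and P(word | A_i) from known pages ---
# Constructed stand-in for the 1,000 pages per category: each page is the set
# of words found in it.
TRAINING: Dict[str, List[Set[str]]] = {
    "Pornography": [{"sex", "video"}, {"sex", "hotel"}, {"sex"}, {"video"}],
    "News/Media":  [{"election", "vote"}, {"election", "sex"}, {"vote"}, {"election"}],
    "Travel":      [{"hotel", "flight"}, {"hotel"}, {"flight", "vote"}, {"hotel", "sex"}],
}


def category_priors(training: Dict[str, List[Set[str]]]) -> Priors:
    """P(A_i): share of all known pages that belong to category A_i."""
    total = sum(len(pages) for pages in training.values())
    return {cat: len(pages) / total for cat, pages in training.items()}


def word_likelihoods(training: Dict[str, List[Set[str]]], word: str) -> Likelihoods:
    """P(B | A_i): fraction of category A_i's pages in which `word` appears."""
    return {cat: sum(word in page for page in pages) / len(pages)
            for cat, pages in training.items()}


def p_category_given_word(training: Dict[str, List[Set[str]]],
                          word: str) -> Dict[str, float]:
    """Formula (d) applied to one word, e.g. P(Pornography | "sex")."""
    return posterior(category_priors(training), word_likelihoods(training, word))


def classify(training: Dict[str, List[Set[str]]], words: Set[str],
             floor: float = 1e-3) -> Dict[str, float]:
    """Posterior over categories given several words, multiplying the per-word
    likelihoods (independence assumption). `floor` keeps a word never seen in
    a category from zeroing that category out entirely."""
    priors = category_priors(training)
    scores: Dict[str, float] = {}
    for cat in priors:
        score = priors[cat]
        for w in words:
            score *= max(word_likelihoods(training, w)[cat], floor)
        scores[cat] = score
    evidence = sum(scores.values())              # formula (a) once more
    return {cat: s / evidence for cat, s in scores.items()}


if __name__ == "__main__":
    print(round(p_bill_passes(), 3), round(p_democrat_given_passed(), 3))
    print(p_category_given_word(TRAINING, "sex"))
    print(classify(TRAINING, {"hotel", "flight"}))
```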
Application to Content Filtering

The concept discussed in the previous section can be applied to content categorization. Suppose that you want your system to recognize new and uncategorized text documents based on documents it has already seen (past events). For example, you want the device to recognize when a page contains Adult/Mature content. You define the categories as the mutually exclusive events $\{A_1, A_2, A_3, \ldots, A_n\}$. For instance, you can say that $A_1$ is Adult/Mature, $A_2$ is Pornography, and so on. You can define the appearance of a word as event $B$; for instance, $P(B)$ could be the probability of finding the word "sex." So you can say:
• $P(A_2)$ = Probability of a site being Pornography
• $P(B \mid A_2)$ = Probability of the word "sex" appearing in Pornography pages
• $P(B)$ = Probability of finding the word "sex"
• $P(A_2 \mid B)$ = Probability of a site being Pornography when the word "sex" is found in it

Using the preceding definitions, formula (d) allows us to calculate:

(f) $P(\text{Pornography} \mid \text{Sex}) = \dfrac{P(\text{Pornography})\,P(\text{Sex} \mid \text{Pornography})}{P(\text{Sex})}$

To teach a system how to differentiate between the different categories, you need to provide it with a solid foundation. You need to have good documents that the system can use to learn how to recognize different categories. Obviously, you cannot create these formulae manually. You need to create a tool that can automatically calculate all of the different probabilities. To achieve this result, you must submit a series of documents belonging to known categories to the automatic tool. For example, submit 1,000 Pornography pages, 1,000 News/Media pages, and so on; this will provide you with an accurate $P(B \mid A_2)$. The system processes the content of the pages and, by calculating the multiple probabilities for the different events, ultimately learns how to recognize new pages that it has not seen before.

You need to evaluate the accuracy of your estimators and the coverage. The accuracy is determined as a percentage of correct results: for example, if we process 100 sites that we estimated to be categorized as Pornography, how many were really porn sites? The coverage determines the miss rate of the tool: in a pool of X sites known to belong in the Pornography category, how many did the tool catch? Unfortunately, you cannot achieve 100 percent success in both accuracy and coverage. However, you can achieve 100 percent in one or the other; if 100 percent accuracy is achieved, coverage will suffer tremendously, and vice versa. The goal is to find a sweet spot where accuracy is sufficient and the coverage is still good. Blue Coat WebFilter aims at 85-90 percent accuracy.

It is important to consider other parameters any time you do any statistical analysis. The same word may exist in more than one language but have different meanings in the different languages. For instance, the word burro has the same spelling in both Italian and Spanish; however, it means butter in Italian, while it means donkey in Spanish! The system needs to correctly determine the language before it can apply any statistical analysis on the words.

Dynamic Real-Time Rating (DRTR) technology uses a two-step approach. The first step is to recognize the language of the Web site. You can see an example in Figure B-1 from the site http://www.jal.co.jp.

Figure B-1: Words "reservation" and "month" (token, occurrences and probability per language)

The word (reservation) represents sites in Japanese with a probability of 0.00052, while the word (month) represents Japanese sites with a probability of 0.00236. The products of the probability of each language token by the number of occurrences are grouped and summed by language. The language that has the highest weight becomes the assumed language for that Web site.

DRTR adopts the same approach for the categorization of a Web site. The result that DRTR produces for the site http://www.jal.co.jp is shown in Figure B-2.

Figure B-2: Terms "hotel," "time table" and "reservation" (token, probability, occurrences and category)

You can see how there are three tokens that refer to the Travel category and one that refers to the Political/Activist Groups category:
• (hotel) = Travel
• (time table) = Travel
• (reservation) = Travel
• (city) = Political/Activist Groups

The total weight associated with the Travel category is 0.00253 (this is NOT a probability!), while the weight associated with the Political/Activist Groups category is only 0.000809. Therefore the site is assumed to be a travel site in Japanese.

Note: There are actually many more tokens used for both language and category; this appendix only shows a few relevant ones as an example.
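The two-step weighting just described (language first, then category with that language's token table), as an added example that is not Blue Coat's DRTR implementation. The token tables are constructed and tiny; the Japanese tokens are written by their English glosses, and their figures are chosen to reproduce the Travel and Political/Activist Groups totals quoted above. The burro entries show why the category lookup has to wait for the language decision.

```python
"""DRTR-style two-step rating: choose the language by token weight, then rate
the category using that language's own token table.

Added example, not Blue Coat's DRTR code. All tables are constructed; the
Japanese entries reproduce the totals quoted in the appendix (Travel 0.00253,
Political/Activist Groups 0.000809).
"""
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

Table = Dict[str, Dict[str, float]]   # token -> {label: probability}

LANGUAGE_TOKENS: Table = {
    "reservation": {"Japanese": 0.00052},
    "month":       {"Japanese": 0.00236},
    "burro":       {"Italian": 0.00030, "Spanish": 0.00030},   # same spelling
    "il":          {"Italian": 0.00900},
    "el":          {"Spanish": 0.00900},
}

# One category table per language, because the same token can mean something
# different in another language (burro: butter in Italian, donkey in Spanish).
CATEGORY_TOKENS: Dict[str, Table] = {
    "Japanese": {
        "hotel":       {"Travel": 0.00086},
        "time table":  {"Travel": 0.00043},
        "reservation": {"Travel": 0.000405},
        "city":        {"Political/Activist Groups": 0.000809},
    },
    "Italian": {"burro": {"Food": 0.00040}},
    "Spanish": {"burro": {"Animals": 0.00040}},
}


def weights(counts: Counter, table: Table) -> Dict[str, float]:
    """Sum probability x occurrences per label. The result ranks labels but is
    not a probability (nothing normalises it), as the appendix points out."""
    totals: Dict[str, float] = {}
    for token, n in counts.items():
        for label, p in table.get(token, {}).items():
            totals[label] = totals.get(label, 0.0) + p * n
    return totals


def top(w: Dict[str, float]) -> Optional[str]:
    """Label with the highest weight, or None when no token was recognised."""
    return max(w, key=w.get) if w else None


def rate(tokens: Iterable[str]) -> Tuple[Optional[str], Optional[str],
                                         Dict[str, float], Dict[str, float]]:
    """Return (language, category, language weights, category weights)."""
    counts = Counter(t.lower() for t in tokens)
    lang_w = weights(counts, LANGUAGE_TOKENS)
    language = top(lang_w)
    # Step two only consults the table of the language chosen in step one.
    cat_w = weights(counts, CATEGORY_TOKENS.get(language, {})) if language else {}
    return language, top(cat_w), lang_w, cat_w


# Constructed page: the tokens of the appendix's jal.co.jp example.
JAL_PAGE = (["reservation"] * 2 + ["month"] * 2 +
            ["hotel"] + ["time table"] * 2 + ["city"])

if __name__ == "__main__":
    print(rate(JAL_PAGE))                   # Japanese, Travel
    print(rate(["il", "burro", "burro"]))   # Italian page -> Food
    print(rate(["el", "burro"]))            # Spanish page -> Animals
    print(rate(["unknown"]))                # nothing recognised -> (None, None, {}, {})
```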
Blue Coat Certified Proxy Administrator Course Labs, version 1.7.2
Copyright © 1999-2006 Blue Coat Systems, Inc. All rights reserved worldwide.
THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. STRICT LIABILITY.. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES.org/about/ OpenSSL is based on the excellent SSLeay library developed by Eric A.openssl. Hudson <mailto:tih@iTyptsoft. STRICT LIABILITY. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tih'?frypisoft. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. this list of conditions and the following disclaimer. OpenSSL Copyright (c) 1995-1998 Eric Young (eava'f ryptsoft. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT. Copyright (c) 1983. since we pulled these parts from original Berkeley code. Redistributions of source code must retain the above copyright notice. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. Redistribution and use in source and binary forms. 1990. THIS SOFTWARE IS PROVIDED BY THE AUTHORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES. STRICT LIABILITY. code.com). INDIRECT. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. SPECIAL. OR CONSEQUENTIAL DAMAGES (INCLUDING.Third Party Copyright Notices ©author Antoon Bosselaers <antoon. 3. BUT NOT LIMITED TO. with or without modification. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT. this list of conditions and the following disclaimer. 
this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. INCIDENTAL. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Young <iTmilto:eay(g'cryptsofl. DES. lhash. The OpenSSL toolkit is licensed under a Apache-style license which basically means that you are free to get and use it for commercial and non-commercial purposes. are permitted provided that the following conditions are met: 1.openssl. BUT NOT LIMITED TO.ac.bosselaers@esat. 2.org/about/ http://www. INDIRECT. Copyright remains Eric Young's. This library is free for commercial and non-commercial use as long as the following conditions are adhered to. INDIRECT.br> This code is hereby placed in the public domain. OR CONSEQUENTIAL DAMAGES (INCLUDING. 1993. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT. 5) One component of the ssh source code is under a 3-clause BSD license. DATA. EXEMPLARY. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. EXEMPLARY. OR PROFITS. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. etc. BUT NOT LIMITED TO.com)" THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES. BUT NOT LIMITED TO.openssl. subject to the following restrictions: 1. OR PROFITS. BUT NOT LIMITED TO. and copyright by the University of Cambridge. EXPRESS OR IMPLIED. OR CONSEQUENTIAL DAMAGES (INCLUDING. and to redistribute it freely.csx. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY.ac. written by Philip Hazel. EXEMPLARY. Redistribution and use In source and binary forms.uk/pub/software/programmlng/pcre/ PHAOS SSLava and SSLavaThin Copyright (c) 1996-2003 Phaos Technology Corporation. RealSystem The RealNetworks® RealProxy™ Server is included under license from RealNetworks. Phone: +44 1223 334714. 
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 2. which is open source software.cam. This software is distributed In the hope that it will be useful. All Rights Reserved. This software or any other copies thereof may not be provided or otherwise made available to any other person. INDIRECT. STRICT LIABILITY. (http://www. Redistributions in binary form must reproduce the above copyright notice. A l l advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. This product Includes software written by Tim Hudson (tjh@cryptsoft. Redistributions of source code must retain the copyright notice. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: "This product Includes software written by Tim Hudson (tjh@cryptsoft. RealNetworks. vi . The license and distribution terms for any publicly available version or derivative of this code cannot be changed. A l l advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes cryptographic software written by Eric Young (eay@cryptsoft. please contact [email protected] Coat Educational Services — BCCPA Course v 1. SPECIAL.7. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. WHETHER IN CONTRACT. are permitted provided that the following conditions are met: 1. Inc. England. EVEN IF ADVISED OF THE POSSIBLITY OF SUCH DAMAGES. SNMP Copyright (C) 1992-2001 by SNMP Research. PHAOS SHALL NOT BE LIABLE TO THE OTHER OR ANY OTHER PERSON CLAIMING DAMAGES AS A RESULT OF THE USE OF ANY PRODUCT OR SOFTWARE FOR ANY DAMAGES WHATSOEVER. PHAOS MAKES NO WARRANTIES. Cambridge. IN NO EVENT WILL PHAOS BE LIABLE FOR SPECIAL. 
The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. 3. PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. INCLUDING. INCIDENTAL. The software and any portions or copies thereof shall at all times remain the property of Phaos.org/)" 4.ac. PCRE Copyright (c) 1997-2001 University of Cambridge University of Cambridge Computing Service. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Redistributions in binary form must reproduce the above copyright notice. OR CONSEQUENTIAL DAMAGES (INCLUDING. without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. OR ITS USE AND OPERATION ALONE OR IN COMBINATION WITH ANY OTHER SOFTWARE. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.openssl. England.uk> Permission is granted to anyone to use this software for any purpose on any computer system. ftp://ftp. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. INCIDENTAL. No title to and ownership of the software is hereby transferred. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www. This software is furnished under a license and may be used and copied only in accordance with the terms of such license and with the Inclusion of the above copyright notice. Incorporated. Written by: Philip Hazel <phlO@cam. Incorporated. INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. LOSS OF USE. i. For written permission.com)" The word 'cryptographic' can be left out if the routines from the library being used are not cryptographic related:-). REGARDING THE SOFTWARE. but WITHOUT ANY WARRANTY. WHETHER IN CONTRACT. EXEMPLARY. INCLUDING. 3. 
Redistributions of source code must retain the above copyright notice. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. INDIRECT. the design and development of which have involved expenditure of substantial amounts of money and the use of skilled development experts over substantial periods of time. SPECIAL.com). STRICT LIABILITY. this list of conditions and the following disclaimer. 2.e. DATA. this code cannot simply be copied and put under another distribution license [including the GNU Public License. This product includes cryptographic software written by Eric Young (eay@cryptsoft. OR PROFITS.org.2 Redistribution and use in source and binary forms. Inc.com). All rights reserved. DATA. The information in this software is subject to change without notice and should not be construed as a commitment by SNMP Research. 2. Regular expression support is provided by the PCRE library package.] Copyright (c) 1998-2002 The OpenSSL Project. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE. 5. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT. are permitted provided that the following conditions are met: 1. BUT NOT LIMITED TO.org/)" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS" AND ANY EXPRESSED OR IMPLIED WARRANTIES. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. The software contains commercially valuable proprietary products of Phaos which have been secretly developed by Phaos. Copyright 1996-1999. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. LOSS OF USE. with or without modification. INCIDENTAL OR CONSEQUENTIAL DAMAGES. 
this list of conditions and the following disclaimer. with or without modification. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT. All rights reserved. 4. 6. It is provided "as is" without express or implied warranty. 1993. STLport Copyright (c) 1999. THE SOFTWARE IS PROVIDED "AS IS". PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES. LOSS OF USE. and to permit persons to whom the Software is furnished to do so. 2. STRICT LIABILITY. SurfControl Copyright (c) 2003 SurfControl. Symantec Antivirus Scan Engine Copyright (c) 2003 Symantec Corporation. ICU License .227-7013. this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.ICU 1. zlib Copyright (c) 2003 by the Open Source Initiative This software is provided 'as-is'. OR PROFITS. and/or sell copies of the Software. EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. provided the above notices are retained. distribute and sell this software and its documentation for any purpose is hereby granted without fee. and a notice that the code was modified is included with the above copyright notice. Copyright (c) 1997 Moscow Center for SPARC Technology Permission to use. FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. 1994. The code has been modified.8. distribute. provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. DATA. copy. Redistributions of source code must retain the above copyright notice. provided the above notices are retained on all copies. INCIDENTAL. EXPRESS OR IMPLIED. Silicon Graphics makes no representations about the suitability of this software for any purpose. 2000 Boris Fomltchev This material is provided "as is". Permission to modify the code and to distribute modified code is granted. All rights reserved. 1995 The Regents of the University of California. Inc. BUT NOT LIMITED TO. 
WITHOUT WARRANTY OF ANY KIND. to deal In the Software without restriction. Permission to use or copy this software for any purpose is hereby granted without fee.X BSD (Berkeley Software Distribution) source. The above notice of copyright on this source code product does not Indicate any actual or Intended publication of such source code. All rights reserved. Permission is hereby granted. WHETHER IN CONTRACT. Copyright (c) 1994 Hewlett-Packard Company Copyright (c) 1996-1999 Silicon Graphics Computer Systems. Permission to use. are permitted provided that the following conditions are met: 1. INCLUDING. subparagraphs (c)(4) and (d) of the Commercial Computer Software-Restricted Rights Clause. provided that the above copyright notice(s) and this permission notice appear in all copies of the Software and that both the above copyright notlce(s) and this permission notice appear in supporting documentation. All rights reserved. with or without modification. this list of conditions and the following disclaimer. with absolutely no warranty expressed or implied. duplication. modify. copy. 1990. Their copyright header follows: Copyright (c) 1982. Inc. All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California. Berkeley and its contributors. Moscow Center for SPARC Technology makes no representations about the suitability of this software for any purpose. copy. It is provided "as is" without express or implied warranty. merge. OR CONSEQUENTIAL DAMAGES (INCLUDING. It is provided "as is" without express or implied warranty. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE BE LIABLE FOR ANY CLAIM. BUT NOT LIMITED TO. Redistribution and use in source and binary forms. distribute and sell this software and Its documentation for any purpose is hereby granted without fee. 
redistribution or other use of this work Is prohibited.227-19. modify. Unauthorized copying. copy. Any use is at your own risk. without any express or implied warranty. modify. SPECIAL. provided that die above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES. SmartFilter Copyright (c) 2003 Secure Computing Corporation. TCPIP Some of the files in this project were derived from the 4. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT. THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. or disclosure by the Government Is subject to restrictions as set forth in subparagraph (c)(1) (li) of the Rights in Technical Data and Computer Software clause at DFARS 252. Inc. FAR 52. OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY. 1988.1 and later COPYRIGHT AND PERMISSION NOTICE Copyright (c) 1995-2003 International Business Machines Corporation and others All rights reserved. In no event will the authors be held liable for any damages arising from the use of this software. provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. and in similar clauses in the NASA FAR Supplement and other corresponding governmental regulations. INDIRECT. OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE.Third Party Copyright Notices Restricted Rights Legend: Use. Hewlett-Packard Company makes no representations about the suitability of this software for any purpose. free of charge. 3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 
All rights reserved. PROPRIETARY NOTICE This software is an unpublished work subject to a confidentiality agreement and is protected by copyright and trade secret law. publish. modify. Redistributions in binary form must reproduce the above copyright notice. All rights reserved. EXEMPLARY. 4. OR ANY SPECIAL vii . Permission to use. 1986. including without limitation the rights to use. INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY. distribute and sell this software and its documentation for any purpose is hereby granted without fee. Trend Micro Copyright (c) 1989-2003 Trend Micro. to any person obtaining a copy of this software and associated documentation files (the "Software"). or as required to translate it into languages other than English. in whole or in part. ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.2 INDIRECT OR CONSEQUENTIAL DAMAGES. EXPRESS OR IMPLIED. All Rights Reserved. such as by removing the copyright notice or references to the Internet Society or other Internet organizations.Blue Coat Educational Services — BCCPA Course v 1. use or other dealings in this Software without prior written authorization of the copyright holder.7. without restriction of any kind. However. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. the name of a copyright holder shall not be used in advertising or otherwise to promote the sale. published and distributed. WHETHER IN AN ACTION OF CONTRACT. except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed. . 
This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES. NEGLIGENCE OR OTHER TORTIOUS ACTION. OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE. this document itself may not be modified in any way. DATA OR PROFITS. provided that the above copyright notice and this paragraph are included on all such copies and derivative works. This document and translations of it may be copied and furnished to others. Copyright (C) The Internet Society (1999). and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared. Except as contained in this notice. copied. Table of Contents Blue Coat SG Initial Configuration Upgrading Blue Coat SG OS Configuring Services Explicit Proxy Configuration and Testing HTTP Compression Authentication Configuration — IWA Authentication Configuration — LDAP Creating Basic Policy Configuration Archive Content Filtering — Configuration Content Filtering — Policy Using the Local Database Managing Downloads — File Types and Exceptions Managing Instant Messaging Managing Peer-to-Peer Traffic Using Notification Objects Access Logging Creating Reporter Profiles and Generating Reports BlueCoat AV/Blue Coat SG Integration 1 13 19 23 27 33 39 45 49 51 55 63 67 79 91 99 105 109 119 ix . 7.Blue Coat Educational Services — BCCPA Course v 1.2 Using Instant Support Review: Authentication Review: Content Filtering 127 135 137 X . ) Steps You can access y o u r Blue Coat SG using three different m e t h o d s . y o u m a k e y o u r Blue Coat SG immediately available on the network. 3. Alternatively. This procedure starts on p a g e 2. Assigning a d m i n i s t r a t i v e login credentials. Finally.3 or higher PuTTY 0. r u n n i n g SGOS 4. The procedure for configuring y o u r appliance d e p e n d s on y o u r access m e t h o d . 
This lab a s s u m e s that y o u have: • • • Tera Term Pro 2.0.1 Before You Begin This lab requires that y o u h a v e a terminal e m u l a t i o n software a n d an SSH client. regardless of w h e t h e r the appliance is just o u t of the box or restored to factory default settings. Using a Web browser. y o u p r o v i d e y o u r Blue Coat SG w i t h the correct n e t w o r k settings a n d set up an administrative account. This procedure starts on p a g e 2. 1 . Using a terminal server. 2.Blue Coat SG Initial Configuration This lab w a l k s y o u t h r o u g h the steps required to configure a Blue Coat® SG™ appliance that has never been configured or that has been r e t u r n e d to its factory defaults. Each p r o c e d u r e is outline separately: 1.2. y o u can use HyperTerminal® instead of Tera Term Pro. Scenario Your first task as a s y s t e m administrator is to m a k e the Blue Coat SG accessible on the network. Using the serial cable.02 or higher All three applications are available on the Internet. Objectives • • Assigning a n e t w o r k a d d r e s s to the Blue Coat SG.57 or h i g h e r Firefox® 2. y o u need to connect to the M a n a g e m e n t Console to test that y o u r Blue Coat SG has been set up correctly a n d that y o u can c o m m u n i c a t e w i t h it. regardless of y o u r access a n d configuration m e t h o d . By following these few s i m p l e steps. (For example. Note: The screen c a p t u r e s are taken from a Blue Coat SG 400. Briefly. y o u can use any other software y o u m a y be familiar w i t h . This procedure starts on p a g e 6.3. You can telnet to t h e IP a d d r e s s of the t e r m i n a l server on the a s s i g n e d TCP p o r t a n d y o u will h a v e the s a m e interface as if y o u w e r e directly connected t h r o u g h a serial link to the device attached to the t e r m i n a l server on that port. 3. Click Open. This is normal. 
Each serial port is associated w i t h an a s s i g n e d T C P port n u m b e r . 2. A t e r m i n a l server can h a v e a n y n u m b e r of a s y n c h r o n o u s serial p o r t s a n d at least one L A N port.2 Using a Terminal Server A terminal server is a device that e m u l a t e s a serial line over a L A N . You s h o u l d n o w see a blank screen. Press the Enter key three times a n d the w e l c o m e screen a p p e a r s .Blue Coat Educational Services — BCCPA Course v 1. If y o u have p r e s s e d t h e Enter key three times a n d do not see t h e w e l c o m e p r o m p t . Your configuration s h o u l d look similar to the screen c a p t u r e below. Launch Putty a n d refer to the Serial Console Access section of the S t u d e n t Reference sheet for the IP Address a n d port number for y o u r t e r m i n a l server settings.7. starting from Step 4. 4. Follow the steps for the "Using t h e Serial Cable" p r o c e d u r e in t h e following section. 2 . contact y o u r instructor. 1. Click OK.Blue Coat SG Initial Configuration Using the Serial Cable All Blue Coat SG m o d e l s s u p p o r t configuration w i t h the serial cable.d o w n m e n u (typically COM1). This will let y o u exit the Initial Setup Console w i z a r d w i t h o u t saving any of the changes y o u m a d e . Note: If at a n y time y o u m a k e a mistake a n d w a n t to exit the Initial Setup Console. press the Esc key. 3 . A welcome message a p p e a r s in the serial w i n d o w . Insert the a p p r o p r i a t e values a n d then click OK. From the m a i n w i n d o w select Setup > Serial port. L a u n c h Tera Term Pro from the Start m e n u . They s h o u l d m a t c h exactly the values s h o w n in the screen c a p t u r e below. Press the Enter key three times to activate the Initial Setup Console wizard. 3. You need to use a nine-pin male-male n u l l . 
See the topic Restarting the Initial Setup Console in the A d d i t i o n a l Reading section that follows this lab. From the initial configuration screen select the Serial option a n d the a p p r o p r i a t e serial port from the Port: d r o p . 1. 2.m o d e m cable. Verify t h a t the connection p a r a m e t e r s are correct. the configuration w i n d o w a p p e a r s . The account gives y o u privileges to a d m i n i s t e r the Blue Coat SG. I f y o u are a s k e d t o E n t e r i n t e r f a c e n u m b e r t o c o n f i g u r e . a n d pressing the Enter key will invoke it. IP gateway.O ] . b. the Initial Setup Console w i z a r d asks if y o u w a n t t o m a k e any changes. I f y o u receive the p r o m p t E n t e r t h e b r i d g e n a m e [ p a s s t h r o u g h . press the Y key to restart t h e s e q u e n c e of questions. Once y o u h a v e a n s w e r e d all the questions. To a n s w e r Y e s / N o questions.7. a. a n d D N S server. Note: If the desired response is w i t h i n the s q u a r e brackets in the Setup Console.2 4. press the N key. Enter y o u r user n a m e a n d p a s s w o r d s at the a p p r o p r i a t e s y s t e m p r o m p t s to set up y o u r a d m i n i s t r a t o r account. O t h e r w i s e . The information requested m a y vary.Blue Coat Educational Services — BCCPA Course v 1. Both the u s e r n a m e a n d p a s s w o r d s are case-sensitive: Table 1-1: Setup Console Passwords Console Username Console Password Enable Password admin pass pass 4 . If y o u w a n t to m a k e a change. c. it is the default response. press the Y or N key. then simply press the Enter key. d e p e n d i n g on the Blue Coat SG m o d e l that y o u are configuring. 6. Enter n e t w o r k information as directed by the p r o m p t s . select the default [0:0] 5. s u b n e t mask. Refer to the s t u d e n t h a n d o u t to a n s w e r the remaining questions about the IP address. 
you will not configure the access control list during training. N o t e that y o u m u s t enter two p a s s w o r d s . For the prompt Would you l i k e t o r e s t r i c t a c c e s s t o a n a u t h o r i z e d w o r k s t a t i o n ? Y/N [Yes]. The console p a s s w o r d is u s e d to log into the Blue Coat SG's Web interface a n d the first layer of its text interface. You have completed the initial setup. y o u cannot v i e w or change the appliance's configuration. you limit administrative access to clients whose IP addresses you select. the Blue Coat SG asks y o u for a password every time y o u access the serial console. You should see a screen similar to the one shown below. 5 . WARNING: If y o u secure the serial port. type N and press the Enter key. this is a good idea because it increases security. The Blue Coat SG will be available to the network in about 10 seconds. 11. Without the enable p a s s w o r d . However. 9. This increases security. y o u w i l l be unable to access the serial console. In practice. The system asks if you want to set up the forwarding host. y o u may n e e d to R M A the Blue Coat SG to Blue Coat. If that occurs. Or access the URL indicated in the message to access the M a n a g e m e n t Console.Blue Coat SG Initial Configuration 7. The p a s s w o r d s are not displayed w h i l e y o u are typing. You can press the Enter key three times to activate the serial console. type N and press the Enter key. If you configure the access control list. For the prompt Would you l i k e to s e t up t h e f o r w a r d i n g h o s t now? Y/N [No]. The enable p a s s w o r d is required to access the second layer of the text interface. T h e system asks if you want to set up an access control list. but be aware that if y o u lose your password. 10. .201as a t u t d s t . w l i g t t accept t i c r i i a e f r the purpose o i e t f i g the Web s t 172.7. 2. 
oiy ie hs Before accepting t i c r i i a e vou should examine t i s t s cerbhcate c r F l v Hie you hs e t f c t .Your browsei does not recognize the C r i i a e A t o i y t a i s e the s t s c r i i a e etfct u h r t h t s u d ie e t f c t .Blue Coat Educational Services — BCCPA Course v 1. ies e t f c t icniuain .. Click OK to start t h e configuration p r o c e d u r e .2 Using a W e b Browser Important: You can perform t h e initial configuration of a Blue Coat SG t h r o u g h a Web b r o w s e r only if all of t h e r e q u i r e m e n t s listed b e l o w are met: 1. eiv dniy r s e ie ! ' -—• P s i l reasons f r t i e r r osbe o hs r o : . Your Blue Coat SG h a s a b r i d g i n g card installed a n d is active.bluecoat. 2.521 osbv ban cnieta ifrain ofdnil nomto. You need to confirm the identity of y o u r Blue Coat SG.. O p e n y o u r Web browser a n d verify that it is not configured to u s e a p r o x y The screen captures s h o w Firefox. Your b r o w s e r is nor configured to use a p r o x y server.20!? iln o o hs etfct o f dniyn ie j Examine Certificate. 3.You are connected to a s t pretending to be 1 2 2 1 . p s i l to o t i your ie 7. Also verify the serial n u m b e r a n d t h e m o d e l of the unit.. as s h o w n in the screen c a p t u r e below. Please n t f the s t s webmaster about t i problem. 0 .2.The s t ' c r i i a e is incomplete due to a server m s o f a r t o . You d e p l o y e d Blue C o a t SG in b r i d g i n g m o d e . j Accept t i c r i i a e permanently hs etfct * Accept t i c r i i a e t m o a i y f r t i session hs etfct e p r r l o hs • Do not accept t i c r i i a e and do not connect to t i Web s t hs e t f c t hs ie L_?JL_J 3.15.15. hs i e aeul.com:8083. I Cancel ! The b r o w s e r displays the Proxy SG Initial Configuration screen. b u t y o u can u s e a n y compatible browser. You s h o u l d receive a message alerting y o u that y o u received a digital certificate issued by an u n k n o w n authority. 1. 6 . 
4. Locate the Network Parameters dialog box in the Web browser and enter the IP Address, Subnet Mask, Gateway, and DNS Server values. Your instructor should have given you the appropriate parameters.

5. Scroll down in the Web browser to the Console Account section of the configuration process. Define the administrator user name and the password. You can use any alphanumeric sequence for the user name. Bear in mind that the user name and password are case-sensitive. For this lab, use the values in the table below and scroll down to the Enable Password section.

   Table 1-2: Web Browser Passwords

   User name: admin
   Password: pass
   Enable Password: pass

6. Enter the Enable password in the appropriate fields.

7. You need to define the Default Policy for Proxied Services. Select Allow.

8. The system now shows a summary of the configuration process so far; it should be similar to the one in the screen capture below.

9. The system asks if you want to secure the serial port. Do not enable the Secure Serial Port option.

10. Click Configure Device.

11. You have successfully configured your Blue Coat SG. The final screen shows the connection parameters that you need to connect to Blue Coat SG:

   • Via Web browser: https://[your proxy's IP address]:8082
Connecting Through the Management Console

You have configured your Blue Coat SG using one of the three methods listed above. As a final step, you need to connect to the Blue Coat SG using a Web browser. This step allows you to verify that the configuration was successful.

1. Open your browser and access the URL https://{enter your Blue Coat SG IP Address here}:8082/ as shown in the screen capture below.

2. You may receive a message warning about the digital certificate similar to the one shown below. This is normal.

3. Enter the Administrator account information:

   Username: admin
   Password: pass

4. You should now see a welcome screen similar to the one shown in the screen capture below. Your configuration should look similar to the screen capture below. Verify that you have the correct version of the SGOS installed.

   [Screen capture: Management Console welcome screen listing Serial Number, Model, MAC address and Software.]

Upgrading Blue Coat SG OS

Objective

Upgrading (or downgrading) the OS version on the Blue Coat SG.

Scenario

You have multiple Blue Coat SGs in your organization. You have been given the assignment of upgrading to the latest version of the Blue Coat SG operating system. You want to download the OS image to a Web server local to your organization and then upgrade the different Blue Coat SGs. However, if you have more than 4 Blue Coat SG appliances, you should use Director for this procedure.

Note: The use of Director is not discussed in this lab.

Before upgrading, check the current version running on your Blue Coat SG.

Steps

1. Launch Putty and refer to the Serial Console Access section of the Student Reference sheet for the IP Address and port number for your terminal server settings.

2. Click Open.

3. You should now see a blank screen.
Press the Enter key three times and the welcome screen appears. If you have pressed the Enter key three times and do not see the welcome prompt, contact your instructor.

4. Type 1 at the Enter Option command line to launch the Command Line Interface.

5. Through the Command Line Interface (CLI), type:

   >en
   >password:****
   >show ver

   Make note of the current version.

6. Keep the serial connection open as you go through the next steps.

   Note: It may not be necessary to keep the serial connection open in a production environment, but it is helpful in this training environment.

7. Through the Management Console, select Maintenance > Upgrade, enter the URL your instructor gives you for the image to be downloaded, and press the Download button.

8. Once the download is complete, you can restart through the CLI using the command:

   >en
   Enable Password: *****
   #restart upgrade

   Alternatively, you can restart the machine through the Management Console: select Maintenance > Upgrade and then click the Restart button.

9. After rebooting, verify you are at a later version through the CLI as described in Step 5 above.

Upgrading in a Production Environment

1. Through the Management Console, select Maintenance > Upgrade and then click on the Show me button.
This action opens a new browser window. In the window you can see the upgrade page with the options available to you.

2. Fill out the request information on the page shown in the screen capture above and then click the SUBMIT button. Make sure that you have entered the correct e-mail address.

   Note: The system asks you for the Blue Coat SG serial number. You can copy and paste the serial number from the home page of the Management Console.

   Important: You cannot perform this step during the lab session because the serial numbers are tied to specific e-mail addresses.

3. The system validates your information and allows (or denies) your request. If your request is valid, you receive a link where you can download the new version of the OS. The link is similar to http://www.bluecoat.com/[...]/2xx.chk.

4. Download the file from the link that you received. If you store the image on a Windows system, you should rename the file's extension from .chk to .bin to avoid potential issues.

5. Make the file available on your network via HTTP download.

Additional Tasks

Restoring the Blue Coat SG to its Factory Default Settings

To restore a Blue Coat SG to its factory default settings, you must connect to the appliance from a PC over a serial cable (or terminal server, as they are functionally the same).

1. Launch Tera Term Pro and configure it with the following settings:

   • 9600 bits per second
   • 8 data bits, parity none
   • 1 stop bit
   • no flow control

2. Press the Enter key three times.

3. Choose option 1, Command Line Interface. Press the Enter key.

4. At the prompt, type the letters en. Press the Enter key. The prompt changes from a right angle bracket (>) to a pound sign (#). This puts you into enable (or privileged) mode.

5. At the prompt, type restore-defaults factory-defaults. Press the Enter key.

6. The system asks: Continue with system re-initialization? Press the Y key. The unit now reboots. All of the configuration is lost. You need to redo the initial configuration using one of the methods detailed above.
Switching Operating Systems

Up to five SGOS images can reside on a Proxy SG at the same time. If you want to switch operating systems after your appliance is set up on your network, you can perform the following steps.

1. Open PuTTY.

2. Type the IP address of the Blue Coat SG in the Host Name (or IP address) field and select SSH as the Protocol option. Click Open.

3. Login using the admin account. At the prompt type the following commands:

   SGOS> en
   Enable password: ****
   SGOS#conf t
   SGOS#(config)installed-systems
   SGOS#(config installed-systems)view

   The screen capture below shows the full sequence of commands.

   [Screen capture: PuTTY SSH session. After the admin login the appliance reports that it is operating in the trial period and that the hardware is not registered with Blue Coat (trial expiration date 2006-11-29); the en, conf t, installed-systems and view commands are then entered. The view output lists five ProxySG Appliance Systems, each with Version, Release ID, Lock Status, Boot Status and Last Successful Boot, followed by "Default system to run on next hardware restart: 4", "Default replacement being used (oldest unlocked system)" and "Current running system: 4".]
4. The system now displays a list of SGOS images available. You should see something very similar.

5. Type default and then the image number. If you have only one image you can just type the number corresponding to the location of the image. Press Ctrl+Z.

6. Type restart upgrade, then press Ctrl+Z again. The Blue Coat SG executes the SGOS image you chose. You now can return to the serial console or close the window. The screen capture below shows the entire sequence of commands and the system response.

Configuring Services

Objective

Setting a service to allow HTTP traffic to be intercepted on port 8072.

Scenario

The Services feature in the Blue Coat® SG™ Management Console allows you to create services to detect certain protocols. The Blue Coat SG can detect some known protocols and — depending on your policy — intercept or bypass traffic that uses those protocols. Some companies use ports other than the default 80 or 8080 when creating a proxy service for HTTP traffic. In this lab you create a service to detect HTTP traffic on port 8072 from users whose browsers are explicitly proxied.

Steps

The lab is performed in four stages:

1. Setting the default proxy policy to Allow.
2. Creating a proxy service for HTTP on port 8072.
3. Configuring your browser to be explicitly proxied through the Blue Coat® SG™.
4. Testing the configuration.

Setting the Default Proxy Policy to Allow

1. Through the Management Console, select Configuration > Policy > Policy Options.

2. In the Default Proxy Policy section, make sure that the Allow option is selected.

3. Click Apply if you needed to change the policy.
Creating a Proxy Service for HTTP on Port 8072

1. Through the Management Console, select Configuration > Services > Service Ports.

2. Click the New button. The Add Service dialog box appears.

3. In the Add Service dialog box:

   a. Make sure that HTTP is selected from the Protocol drop-down menu.
   b. Select All from the IP drop-down menu.
   c. Type 8072 in the Port field and make sure the Enabled option is checked.
   d. Check the Explicit option in the Attributes field.

4. Click OK.

5. Click the Apply button in the Management Console.

6. Through the Management Console, select Configuration > Services > Service Ports, highlight the HTTP Port 8072 row and verify that the On column is set to yes.

Reset HTTP Service on Port 8080

1. Through the Management Console, select Configuration > Services > Service Ports, highlight the HTTP Port 8080 row and click Edit. The Edit Service box appears.

2. Uncheck Enable and click OK.

3. Click Apply in the Management Console.

Configuring Your Browser to be Explicitly Proxied

1. Launch the Firefox® browser and from the Menu bar, select Tools > Options > General > Advanced.

2. Click on the Network tab and the Settings button in the Connections section. The Connection Settings dialog box appears.

3. In the Connection Settings dialog box:

   a. Select the Manual proxy configuration option.
   b. Type the IP address of your Blue Coat SG into the HTTP Proxy field.
   c. Type 8072 in the Port field.
   d. Make sure that the Use this proxy for all protocols check box is selected.
   e. Click OK in the Connection Settings window and OK in the browser Options window.

   Your browser proxy configuration should look like the screen capture below.

Testing the Configuration

1. Connect to http://www.google.com with the browser.

2. Note the results: You should be able to access the site through the Blue Coat SG.
3. Now set the browser to connect to the Internet through your SG appliance on port 8080. Clear the cache of the Firefox browser.

4. Connect to http://www.google.com. Note the results: The browser should refuse the connection.

5. Through the Management Console, select Configuration > Services > Service Ports, highlight the HTTP Port 8080 row and click Edit.

6. Select the check box next to Enabled and click OK.

7. Click Apply. Verify that the On column is set to Yes on the HTTP Port 8080 row.

Explicit Proxy Configuration and Testing

Objectives

• Configuring your browser to use proxy traffic via the ProxySG
• Using HTTP Live Headers to observe the different behavior of the browser when it is using a proxy and when it is not. (You can also use Ethereal to analyze the actual traffic at a lower level.)

Scenario

In this exercise, you will configure your Firefox browser to access the Web via the ProxySG. You will compare the browser request based on whether it is using a proxy (in explicit mode) or not.

Before You Begin

• This lab assumes that the default policy is set to Allow. Through the Management Console, select Configuration > Policy > Policy Options, and then set the default proxy policy option to Allow.
• Install Firefox v2.0.0.2 or higher on your system.
• Install Ethereal, if it isn't installed on your system. You can download them both from your local FTP site in the Tools directory.
Steps

1. First configure Firefox to not go through a proxy by selecting Tools > Options > Advanced in the menu bar.

2. Click on the Network tab then the Settings button in the Connections section. The Connection Settings dialog box appears.

3. Select the Direct connection to the Internet radio button. Click OK.

4. Start Ethereal and set it to monitor only HTTP traffic.

5. Access www.google.com.

6. Stop the capture and note the Ethereal packet capture such as circled in the screen capture below.

7. Configure Firefox to access the Web via the Blue Coat SG on port 8080 and add your Blue Coat SG's IP address to the No Proxy For dialog box.

8. Restart Ethereal and set it to monitor only port 8080 traffic.

9. Access www.google.com.

10. Stop the capture and note the Ethereal packet capture this time as it goes through the proxy.

11. Observe the differences in the IP address. The difference is circled in the screen capture below.

   Note: The direct connection uses the www.google.com IP address as destination. The proxy request uses the Blue Coat SG IP address as the destination. The destination IP address for the browser HTTP request is the IP address of the proxy and not the one of the OCS. The definition of explicit proxy is exactly what is stated in Step 15.
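What the HTTP Live Headers and Ethereal comparison in steps 1 to 11 turns up, written out as an added example (my own code, not part of the BCCPA lab manual or of SGOS): the same GET issued directly to the OCS and through an explicit proxy. It goes one step beyond the lab, which only points at the destination IP address: when the browser is explicitly proxied it also changes the request line from the path alone to the absolute URL, which is how the proxy learns which OCS to contact. The address for www.google.com, the "No Proxy For" entries and all function names are constructed for the example; 172.15.15.201 is the SG address that appears in the manual's screen captures.

```python
"""Added example (not from the lab manual): how a browser's GET differs when it
goes direct to the origin content server (OCS) versus through an explicit proxy.
Addresses, hostnames and the No Proxy For list below are constructed."""
from urllib.parse import urlsplit

PROXY_IP = "172.15.15.201"   # Blue Coat SG address as shown in the manual's captures
PROXY_PORT = 8080            # explicit proxy port used in the lab
RESOLVED = {                 # constructed stand-in for DNS resolution
    "www.google.com": "64.233.167.99",
}


def uses_proxy(host, no_proxy_for):
    """Firefox's 'No Proxy For' rule: hosts listed (or under a listed domain)
    are contacted directly. The SG's own IP is added in step 7 so the
    Management Console is not requested through the SG itself."""
    host = host.lower()
    for entry in no_proxy_for:
        entry = entry.strip().lower()
        if entry and (host == entry or host.endswith("." + entry.lstrip("."))):
            return False
    return True


def build_request(url, via_proxy, no_proxy_for=()):
    """Return (dest_ip, dest_port, request_bytes) for a GET of url.
    Direct: TCP destination is the OCS and the request-target is the path only.
    Explicit proxy: TCP destination is the proxy and the request-target is the
    absolute URL (RFC 2616 section 5.1.2), so the proxy knows which OCS to contact."""
    parts = urlsplit(url)
    host = parts.hostname
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if via_proxy and uses_proxy(host, no_proxy_for):
        target = f"{parts.scheme}://{host}{path}"
        dest = (PROXY_IP, PROXY_PORT)
    else:
        target = path
        dest = (RESOLVED.get(host, host), parts.port or 80)
    request = (
        f"GET {target} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: Mozilla/5.0 (Firefox)\r\n"
        "Connection: keep-alive\r\n"
        "\r\n"
    ).encode("ascii")
    return dest[0], dest[1], request


def classify_request(raw):
    """Parse one captured request. 'absolute' form means it was sent to an
    explicit proxy; 'origin' form means a direct request to the OCS."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = "absolute" if "://" in target else "origin"
    return {"method": method, "target": target, "version": version,
            "form": form, "host": headers.get("host")}


if __name__ == "__main__":
    for via_proxy in (False, True):
        ip, port, req = build_request("http://www.google.com/", via_proxy)
        print(f"via_proxy={via_proxy}: destination {ip}:{port}")
        print(req.decode("ascii"))
```

Running the block prints both requests side by side: the direct one goes to the OCS address with `GET / HTTP/1.1`, the proxied one goes to 172.15.15.201:8080 with `GET http://www.google.com/ HTTP/1.1`, which is what the capture filter on port 8080 in step 8 isolates.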
12. You may also want to see the differences in the Ethereal capture methods based on different filter options. The table below shows some of the widely used filter options in Ethereal packet capture.

   Table 4.1: Filter Options in Ethereal Packet Capture

   Filter Option | Effect
   http.request.method == "GET" | Capture packets with a "GET" request in them.
   tcp.port == 80 | Capture packets with destination TCP port 80.
   ip.addr == a.b.c.d | Capture packets with IP address a.b.c.d.
   ip.addr == a.b.c.d && http.request.method == "GET" | Capture packets with IP address a.b.c.d and a GET request.

HTTP Compression

Objective

Configuring the Blue Coat® SG™ to enable HTTP client-side and server-side compression.

Scenario

Browsers and Web servers can negotiate the data format for the content delivery. Pages can be sent from the Web server to the browser in plain ASCII text or in compressed format (typically gzip or deflate). The Blue Coat SG can retrieve compressed or uncompressed content and serve it compressed or uncompressed; any combination is acceptable. In this lab you configure the Blue Coat SG to retrieve content from an OCS and deliver it to the client compressed, if the client supports compression, whether or not the OCS supports compression.

Before You Begin

• Make sure that the default policy on your Blue Coat SG is set to Allow. Through the Management Console, select Configuration > Policy > Policy Options, and then set the default proxy policy option to Allow.
• Download and install Ethereal® v0.10.6 on your system. You can download it from your local FTP site.
• Install ieHTTPHeaders v1.10 from the local website to analyze packet capture statistics.

Steps

Configuring your Blue Coat SG to support HTTP compression is done in two steps:

• Client side compression
• Server side compression
Client-Side Compression

1. Configure your Internet Explorer® browser to point towards your proxy and make sure that the HTTP 1.1 option is not enabled in your browser settings.

2. Through the Management Console, select Configuration > Policy > Visual Policy Manager, and then click the Launch button.

3. From the Visual Policy Manager (VPM) menu bar, select Policy > Add Web Content Layer. The Add New Layer dialog box appears. In the Add New Layer dialog box, type Client Side Compression in the Layer Name dialog box and then click OK.

4. In the VPM, the layer with a new empty rule appears. Right-click in the Action field of the new rule and select Set from the drop-down menu. The Set Action Object dialog box appears.

5. In the Set Action Object dialog box, click the New button and then select Set Client HTTP Compression from the drop-down menu. The Add Client HTTP Compression Object dialog box appears as shown in the screen capture below.

   [Screen capture: Add Client HTTP Compression Object dialog. Name: ClientHTTPCompression1. If client requests compressed and only uncompressed content is available: Compress content before serving / Serve uncompressed content. If client requests uncompressed and only compressed content is available: Decompress content before serving it / Retrieve uncompressed content from server. Buttons: OK, Cancel, Help.]

6. Accept the default values and click OK. Then click OK on the Set Action Object dialog box.

7. Click Install Policy. The VPM should look like the screen capture below.

   [Screen capture: Visual Policy Manager window showing the ClientSide Compression layer with one rule (No. 1, Any, Action ClientHTTPCompression1, Track None) and the status line "Settings retrieved from ProxySG Appliance mybluecoatsg".]

Server-Side Compression
1. Open IE, enable ieHTTPHeaders, and then monitor the traffic sent and received by your browser.

2. Access the site www.microsoft.com. Notice the response from the OCS, in particular the lack of an Accept-Encoding header in the client request.

3. From the Visual Policy Manager (VPM) menu bar, select Policy > Add Web Content Layer. The Add New Layer dialog box appears.

4. In the Add New Layer dialog box, type Server Side Compression in the Layer Name dialog box and then click OK.

5. In the VPM, the layer with a new empty rule appears. Right-click in the Action field of the default rule and then select Set from the drop-down menu. The Set Action Object dialog box appears.

6. In the Set Action Object dialog box, click the New button and then select Set Server HTTP Compression from the drop-down menu. The Add Server HTTP Compression Object dialog box appears.
7. Select the Always request HTTP Compression option in the Add Server HTTP Compression Object dialog box.

8. Make sure that you uncheck the Include unsupported client compression types box.

9. Click OK and OK again on the Set Action Object dialog box.

10. Click Install Policy. The VPM should look like the screen capture below.

11. Open Internet Explorer and make sure that your proxy is explicitly configured.

12. Clear the ieHTTPHeaders window.

13. Start a packet capture using Ethereal.

14. Access the site www.microsoft.com.

15. Stop the packet capture in Ethereal.

16. Notice that the Blue Coat SG gets compressed data from www.microsoft.com, decompresses the data and serves only uncompressed data to the client.

   [Screen capture: Ethereal packet details of the response from the OCS.]

   Frame 35 (1514 bytes on wire, 1514 bytes captured)
   Ethernet II, Src: 00:14:6a:50:f2:ff, Dst: 00:d0:83:04:aa:d8
   Internet Protocol, Src Addr: 207.68.173.76 (207.68.173.76), Dst Addr: 172.15.15.201 (172.15.15.201)
   Transmission Control Protocol, Src Port: http (80), Dst Port: 1248 (1248), Seq: 1, Ack: 537, Len: 1448
   Hypertext Transfer Protocol
     HTTP/1.1 200 OK\r\n
     Date: Mon, 02 Oct 2006 19:15:26 GMT\r\n
     Server: Microsoft-IIS/6.0\r\n
     P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"\r\n
     S: appB32\r\n
     X-Powered-By: ASP.NET\r\n
     X-AspNet-Version: 2.0.50727\r\n
     Pragma: no-cache\r\n
     Cache-Control: no-cache\r\n
     Content-Type: text/html; charset=utf-8\r\n
     Cache-Control: private\r\n
     Content-Length: 11873\r\n
     Connection: Keep-Alive\r\n
     Content-Encoding: gzip\r\n
     Content-encoded entity body (gzip)
   Line-based text data: text/html

17. You can review a report that shows the effect of compression, from the server point of view. Open the Management Console and select Statistics tab > HTTP/FTP History > Server Comp. Gain tab. The green number (U) shows the amount of uncompressed data received, and the blue number (C) shows the amount of compressed data served to the client.

Policy Clean-up

1. To set the policy back to default for the next lab, right-click each layer and select Delete from the drop-down menu.

2. Click the Install Policy button to accept the new policy.
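The decisions the two compression objects in this lab make, reduced to a function you can run locally. This is an added example, my own code rather than anything from the manual or from SGOS: the client-side object's two radio-button pairs become two flags, and the server-side object's Always request HTTP Compression setting becomes a separate function. It reproduces what step 16 observes: a client that sends no Accept-Encoding header (IE with HTTP 1.1 disabled, as in step 1 of Client-Side Compression) receives the gzip body from the OCS decompressed. Sample bodies, header values and the action names are constructed.

```python
"""Added example (not the manual's or SGOS's code): the compression decisions the
two VPM objects in this lab describe, as a function you can run. Sample bodies
and Accept-Encoding values are constructed."""
import gzip
import zlib

PROXY_SUPPORTED = ("gzip", "deflate")   # content codings the proxy can apply or remove


def parse_accept_encoding(value):
    """Codings a client accepts with q > 0. No header at all (IE with HTTP 1.1
    disabled, as in step 1 of Client-Side Compression) means identity only."""
    accepted = set()
    if not value:
        return accepted
    for item in value.split(","):
        token, _, params = item.strip().partition(";")
        q = 1.0
        for param in params.split(";"):
            key, _, val = param.strip().partition("=")
            if key.strip().lower() == "q":
                try:
                    q = float(val)
                except ValueError:
                    q = 0.0
        if token and q > 0:
            accepted.add(token.strip().lower())
    return accepted


def upstream_accept_encoding(client_header, always_request_compression):
    """Server-side object. With 'Always request HTTP Compression' the proxy asks
    the OCS for the codings it supports regardless of what the client sent (the
    'Include unsupported client compression types' box stays unchecked here);
    otherwise it forwards the client's own preference."""
    if always_request_compression:
        return ", ".join(PROXY_SUPPORTED)
    return client_header


def decode(body, coding):
    if coding == "gzip":
        return gzip.decompress(body)
    if coding == "deflate":
        return zlib.decompress(body)
    raise ValueError(f"unsupported content coding: {coding}")


def encode(body, coding):
    if coding == "gzip":
        return gzip.compress(body)
    if coding == "deflate":
        return zlib.compress(body)
    raise ValueError(f"unsupported content coding: {coding}")


def serve(client_accept_encoding, origin_body, origin_coding=None,
          compress_before_serving=True, decompress_before_serving=True):
    """Client-side object. The two flags are the two radio-button pairs in the
    Add Client HTTP Compression Object dialog (both default to the first choice).
    Returns (action, body, content_encoding_for_client)."""
    accepted = parse_accept_encoding(client_accept_encoding)
    origin_coding = (origin_coding or "identity").lower()
    if origin_coding == "identity":
        # Client requests compressed, only uncompressed content is available.
        wanted = [c for c in PROXY_SUPPORTED if c in accepted]
        if wanted and compress_before_serving:
            return "compress", encode(origin_body, wanted[0]), wanted[0]
        return "serve-uncompressed", origin_body, None
    if origin_coding in accepted:
        return "pass-through", origin_body, origin_coding
    # Client requests uncompressed (or another coding), only compressed content is available.
    if decompress_before_serving:
        return "decompress", decode(origin_body, origin_coding), None
    return "retrieve-uncompressed", None, None   # proxy must re-request identity content from the OCS


if __name__ == "__main__":
    page = b"<html>" + b"hello " * 200 + b"</html>"        # constructed OCS body
    action, body, enc = serve("", encode(page, "gzip"), "gzip")
    print(action, len(body), enc)                          # decompress 1213 None
    action, body, enc = serve("gzip, deflate", page, None)
    print(action, len(body), enc)                          # compress <much smaller> gzip
```

The first call in the block is the step 16 situation (no Accept-Encoding from the client, gzip from the OCS), the second is the opposite case the client-side object handles; `upstream_accept_encoding("", True)` shows the header the server-side object puts on the request to the OCS even though the client sent none.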
Authentication Configuration — IWA

Objective

Configuring an authentication realm for IWA (Integrated Windows Authentication).

Scenario

In this exercise, you will create a new IWA authentication realm so that you can create policies for individual users and groups. This also allows you to generate reports based on user names and not simply IP addresses or workstation hostnames.

Before You Begin

• Download and install the Blue Coat Systems Authentication and Authorization Agent (BCAAA) from the Blue Coat Web site. Install BCAAA on any machine with the following characteristics:

   o Uses Windows XP Professional, Windows 2000 Server or Professional, or Windows 2003
   o Is a member of the domain (or forest) where you want to authenticate users' requests
   o Has a static IP address
   o Is reachable (at network level) from the Blue Coat SG

   Also, there must not be any firewall that blocks connections to the machine (on which BCAAA is installed) on port 16101. (You can change this port; if you do, make sure that the change is reflected in the configuration of the IWA realm in the Blue Coat SG.)

   Note: You can install multiple BCAAA agents on separate machines if you foresee many connections to BCAAA.

Once you have identified a suitable machine, you can launch the BCAAA installation.
You will navigate through a series of screens:

   a. On the Welcome screen, click Next to begin the installation.
   b. Select the location where you want to place the files needed for BCAAA to run. Either select the default or pick a different path on your system. Click Next.
   c. Select a port number where you want BCAAA to listen for the incoming connection. The default value is 16101. Click Next.
   d. Set the number of threads. You can have up to 99 threads listening for a connection on any machine; the recommended number is two. Click Next.
   e. As an option, you may require SSL connections between BCAAA and the Blue Coat SG; BCAAA may then require an SSL connection from the Blue Coat SG. You do not need to enforce it. Accept the default value of no, and then click Next.
   f. You are now asked to save the certificate. You also do not need to obtain a valid certificate to connect. Click Next.
   g. Enter the Certificate Subject. You can leave the default value (blank), which assumes the machine name as the value. Click Next.
   h. The installation program now shows you a summary of the options that you have selected. If you are satisfied, complete the installation. Otherwise, go back and change the options you need.

Steps

1. Through the Management Console, select Configuration > Authentication > IWA and then click the IWA Realms tab.

2. Click the New button.

3. In the Add IWA Realm dialog box, create a new realm using these parameters:

   • Realm name: Blue_Coat_IWA
   • Primary server host: 172.16.90.110 (or the hostname)
   • Port: 16101

   Note: The name you choose for a realm will be referenced elsewhere, so make sure it is appropriate. For example, for this exercise the directory server is Microsoft's IWA, so the name chosen for the new realm is Blue_Coat_IWA.

4. Click OK.
5. Select the IWA General tab.

6. Verify that your settings look the same as those in the screen capture below and then click Apply. The configuration is now complete. The new realm is available to the Blue Coat SG to create policies.

   Note: Creating a realm does not force the users to authenticate nor initiate the logging and reporting by user name. You need to create an appropriate policy to configure the Blue Coat SG to request users to authenticate.

Testing Authentication Configuration

1. Through the Management Console, select Policy > Visual Policy Manager and then click Launch.

2. In the Visual Policy Manager, delete any existing layers you may have by right-clicking the layer tab and selecting Delete Layer.

3. In the Visual Policy Manager, select Policy > Add Web Access Layer. The Add Layer dialog box appears. Click OK to accept the default Web Access Layer name.

4. Right-click in the Source field of the new layer's default rule and then click Set from the drop-down menu. The Set Source Object dialog box appears.

5. In the Set Source Object dialog box, click New and then select User from the drop-down menu. The Add User Object dialog box appears.

6. In the Add User Object dialog box, select the realm Blue_Coat_IWA from the Authentication Realm drop-down menu.

7. Click the Browse button.

8. If a list of users appears similar to the screen shot below, your IWA realm configurations are correct and the lab is complete.

   Note: If the realm was not set up correctly, the process times out.

9. Click Install Policy. You can now proceed to the "Policy Clean-up" section.

Policy Clean-up

1. To set the policy back to default for the next lab, through the Management Console, select Policy > Visual Policy Manager and click Launch.
Right-click each Policy layer tab and select Delete from the drop-down menu.

2. Click the Install Policy button to accept the new policy.

Authentication Configuration — LDAP

Objective

Configuring an authentication realm for LDAP™.

Scenario

Authentication is one of the most complex but important aspects of policy. In this exercise, you will create a new Lightweight Directory Access Protocol (LDAP) authentication realm so policy can be written to make use of it.

Steps

1. Through the Management Console, select Configuration > Authentication > LDAP > LDAP Realms.

2. Click the New button. An Add LDAP Realm window appears.

3. In the Add LDAP Realm dialog box, use these parameters:

   a. Realm name: Blue_Coat_LDAP
   b. Type of LDAP Server: Microsoft Active Directory
   c. Primary server host: 172.16.90.110
   d. Port: 389
   e. User attribute type: sAMAccountName

   Note: The name you choose for a realm will be referenced elsewhere, so make sure it matches the step above.

4. Click OK in the LDAP Realms window, then click the Apply button to save and activate the changes.

5. Select the LDAP Servers tab. Based on default settings and the information you supplied, the LDAP server should be set up correctly. However, it is a good idea to compare the settings you entered in the previous screen with those in the screen capture below.
7. Select the LDAP DN tab. Verify that your settings look the same as those in the screen capture below and then click the New button. The Add LDAP Base DN dialog box appears.
8. Type dc=sunnyvale, dc=bluecoat, dc=training, dc=com in the Add Base DN window.
9. Click OK.
10. In the Management Console, click Apply to save the changes.
11. To give the Blue Coat SG the capability to search the directory, you now must supply the username and password of a user within the LDAP server that has the appropriate credentials. To do this, select the LDAP Search & Groups tab, and then type the following information into the appropriate fields as shown in the screen capture below:
   a. Anonymous Search: Unchecked
   b. Search User DN: cn=bcadmin, cn=users, dc=sunnyvale, dc=bluecoat, dc=training, dc=com
12. To enter the password, click the Change Password button and type the password your instructor gives you in the New Password and Confirm New Password dialog boxes.
13. Click Apply to save the changes. The object Blue_Coat_LDAP is available to the Blue Coat SG to create policies. The configuration is now complete.

Note: Creating a realm does not force users to authenticate, nor does it initiate logging and reporting by username. You need to create an appropriate policy to configure the Blue Coat SG to request users to authenticate.
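With Anonymous Search unchecked, the realm binds as the Search User DN and then searches below the Base DN for the one entry whose user attribute (sAMAccountName here) equals the name the client typed at the login prompt. The following is an added example, not code from the course or from SGOS, showing what that lookup has to look like and why the typed name must be escaped as an LDAP filter value (RFC 4515) before it is placed in the filter: without escaping, a client can inject filter syntax and match an entry other than the one the name denotes. The realm parameters are the lab's; the helper names, the prefix stripping and the request layout are this example's assumptions and say nothing about how the appliance itself builds its search.

```python
"""Added example (not Blue Coat course material, not SGOS code): the
directory search an LDAP realm performs for a login name, built safely."""

# Lab values (training-room directory)
BASE_DN = "dc=sunnyvale,dc=bluecoat,dc=training,dc=com"
SEARCH_USER_DN = "cn=bcadmin,cn=users," + BASE_DN
USER_ATTRIBUTE = "sAMAccountName"

# RFC 4515 section 3: these characters must be written as \XX inside a filter
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_realm_prefix(login: str) -> str:
    """Clients often send DOMAIN\\user or user@domain; sAMAccountName is the
    bare account name, so keep only that part.  (This example's assumption;
    the appliance's own handling of login syntax is not shown here.)"""
    if "\\" in login:
        login = login.rsplit("\\", 1)[1]
    if "@" in login:
        login = login.split("@", 1)[0]
    return login


def user_search_filter(login: str, attribute: str = USER_ATTRIBUTE) -> str:
    """The filter the realm needs: (attribute=<escaped login>)."""
    return f"({attribute}={escape_filter_value(strip_realm_prefix(login))})"


def unsafe_user_search_filter(login: str, attribute: str = USER_ATTRIBUTE) -> str:
    """The same lookup by plain concatenation, kept only to show what the
    escaping prevents: a login of '*)(objectClass=*' becomes a second
    assertion that matches every entry under the Base DN."""
    return f"({attribute}={login})"


def user_search_request(login: str) -> dict:
    """The search that follows a successful bind as SEARCH_USER_DN: at most
    one entry below BASE_DN, returning the DN that the realm then binds as
    with the user's own password to verify it."""
    return {
        "bind_dn": SEARCH_USER_DN,
        "base": BASE_DN,
        "scope": "subtree",
        "filter": user_search_filter(login),
        "attributes": ["distinguishedName"],
        "size_limit": 1,
    }


if __name__ == "__main__":
    for login in ("jsmith", "TRAINING\\jsmith", "*)(objectClass=*"):
        print(f"{login!r:28} safe: {user_search_filter(login):45} "
              f"unsafe: {unsafe_user_search_filter(login)}")
```

The size limit of one is deliberate: if the escaped filter ever matches more than one entry, the realm should fail the login rather than pick the first result, because an ambiguous match is exactly what an injection attempt produces.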
Testing Authentication Configuration

1. Through the Management Console, select Policy > Visual Policy Manager and then click Launch.
2. In the Visual Policy Manager, select Policy > Add Web Access Layer and accept the default name.
3. Right-click in the Source field of the new layer's default rule and then click Set from the drop-down menu. The Set Source Object dialog box appears.
4. In the Set Source Object dialog box, click New and then select User from the drop-down menu. The Add User Object dialog box appears.
5. In the Add User Object dialog box, select the realm Blue_Coat_LDAP (shown as AD-LDAP in the screen capture) from the Authentication Realm drop-down menu.
6. Click the Browse button. If the realm was set up correctly, a list of users appears. If the realm was not set up correctly, the process times out and the browser window will hang.
7. When you are successful, click Cancel, Cancel and Cancel to get back to the Visual Policy Manager. Exit the Visual Policy Manager without installing the policy or accepting any changes made to the policy.

Creating Basic Policy

Objective
• Implementing a basic policy using an authentication realm
• Blocking all users from www.games.com

Scenario
You want to create a very basic policy to test that the Blue Coat SG is configured correctly and that the authentication realms are working as expected.

Before You Begin
• This lab assumes that you have already created and configured at least one authentication realm. This should be the case if your class is following the exercises in order.
• This lab also assumes that your default policy is already set to Allow.

Steps

1. Through the Management Console, select Configuration > Policy > Visual Policy Manager, and then click the Launch button.
2. From the Visual Policy Manager (VPM) menu bar, select Policy > Add Web Authentication Layer. The Add New Layer dialog box appears.
3. In the Add New Layer dialog box, type Blue_coat_IWA in the Name field and then click OK. In the VPM, the layer with a new empty rule appears.
4. Right-click in the Action field of the new rule and select Set from the drop-down menu. The Set Action Object dialog box appears.
5. In the Set Action Object dialog box, click the New button and then select Force Authenticate from the drop-down menu. The Add Force Authenticate Object dialog box appears.
6. In the Add Force Authenticate Object dialog box, select Blue_coat_IWA in the Realm drop-down menu.
7. Click OK and then click OK in the Set Action Object dialog box. The VPM should look like the screen capture below.
8. From the VPM menu bar, select Policy > Add Web Access Layer. The Add New Layer dialog box appears.
9. In the Add New Layer dialog box, accept the default name and then click OK. The layer with a new empty rule appears in the VPM.
10. Right-click in the Destination field of the new rule and then select Set from the drop-down menu. The Set Destination Object dialog box appears.
11. In the Set Destination Object dialog box, click the New button and then select Destination Host/Port from the drop-down menu. The Add Destination Host/Port Object dialog box appears.
12. In the Add Destination Host/Port Object dialog box:
   a. Type www.games.com in the Host field.
   b. Select Exact Match from the drop-down menu next to the Host field.
   c. Type 80 in the Port field. Alternatively, you can leave the field blank.
   d. Click the Add button and then click the Close button.
13. Click OK in the Set Destination Object dialog box. The VPM should look like the screen capture below.
14. Click the Install Policy button to accept the new policy.

Testing the Policy

1. Make sure that your browser is using your Blue Coat SG as its proxy on port 8080.
2. Try to access www.cnn.com. Note that you are asked to authenticate, and verify that you can see the content from the Web site.
3. Try to access www.games.com and verify that you are being blocked.

Policy Clean-up

1. To set the policy back to default for the next lab, right-click each layer and select Delete from the drop-down menu.
2. Click the Install Policy button.

Configuration Archive

Objective
Backing up Blue Coat SG configurations.

Scenario
Before making changes to the Blue Coat SG, it is a good idea to back up the current configuration in case you need to revert quickly to the last known working state. The Management Console offers an easy-to-use feature that allows you to view the current Blue Coat SG configuration and load a previously saved configuration. It is beyond the scope of this class to train administrators to dissect the configuration. However, once you understand the syntax, you can not only back up configurations but also create templates for mass Blue Coat SG deployments.

Before You Begin
• Be aware that the configuration you save is viewable within a text viewer. It will allow you to completely restore the configuration for your system.
Note: This will not allow you to install the configuration on another Blue Coat SG because of some hashed password values.

Steps
1. Through the Management Console, select Configuration > General > Archive. The Archive Configuration dialog box appears in the Management Console window.
2. In the View Current Configuration section, notice that you can view multiple levels of configurations. In this exercise, you want to save all the configurations, so select Configuration - expanded from the View File drop-down menu, and then click the View button.
3. A new Web browser window appears containing the configuration text. To save the file from within the browser, select File > Save Page As, then name the file and save it as a text file.

Content Filtering — Configuration

Content filtering is a valuable tool for many organizations. Content-filtering databases enable organizations to keep inappropriate Web site content from entering their networks. They do this by identifying and automatically blocking sites when they contain a certain category of content. Without content-filtering databases, organizations would have to scour the Internet to categorize Web sites and add sites to a blocking list. But with content-filtering databases, organizations simply select categories and write rules for them. For example, an organization can block all adult and gambling sites at all times and allow access to news sites during lunch and after regular work hours.

Objective
Installing a content-filtering database.

Scenario
Blue Coat SG supports several content-filtering databases, depending on your Blue Coat SG operating system. They are Blue Coat Web Filter, SmartFilter, SurfControl, Websense, Webwasher and several others. The companies' software differs in cost, number of categories, number of URLs the database can contain, accuracy in category assignments, frequency of database updates, technology used to categorize the database, and whether Web sites can be assigned to multiple categories. Once you have chosen a content-filtering vendor, you provide your subscription credentials to the Blue Coat SG, and it downloads the database. You also may set up the Blue Coat SG to check for updates and download them as they become available.

Before You Begin
In this exercise, you will download and install the Blue Coat Web Filter database. Make sure that you have the student handout, which has the information you need to download and install the database.

Steps
1. Through the Management Console, select Configuration > Content Filtering > Blue Coat. The Blue Coat Web Filter window displays in the Management Console.
2. Provide the Blue Coat SG with a path to download the Blue Coat Web Filter software. Using the student handout, type in the URL for the content-filtering database. Do not use the URL that appears by default in the URL window.
3. Click the Download Now button. Wait while the database is downloaded. Databases may be larger than 40 megabytes, so the download normally can take a couple of minutes, depending on server connection speed. However, the download in class should take no more than a minute, because both the Blue Coat SG and the server with the database are on the same LAN.
4. Verify that the download was a success by clicking View Download Status. A Download Status dialog box appears. A browser window should appear showing the statistics of a successful download.
5. Click Close and Apply in the Management Console.
6. Activate the database within the Blue Coat SG by selecting Configuration > Content Filtering > General.
7. In the Providers section, click in the check box next to Blue Coat Web Filter. Click Apply to save the changes.
8. Test the installation by providing a URL for the database to categorize. In the Management Console, select Configuration > Content Filtering > General. In the Diagnostics section, enter www.macys.com in the URL field.
9. Click the Test button. If the database was correctly installed and is available, a new Web browser window appears displaying a list of categories for the URL tested. In the screen capture below, the Macy's URL is part of the database's Shopping category.

Content Filtering — Policy

Objectives
• Blocking a URL category with content filtering.
• Creating your own custom category.

Scenario
Once content-filtering software has been installed on the Blue Coat SG, you can write policies to use the database to prevent clients on your network from accessing certain types of Web site content, such as Travel. You also can create your own custom database categories, allowing you to write policies for different servers on your network, partner sites, or approved leisure sites.

Before You Begin
• This exercise assumes that you have downloaded and installed the Blue Coat Web Filter for SGOS 4.x.

Steps

Database Category: Blocking all Travel Web Sites

1. Launch your browser configured to go through your Blue Coat SG on port 8080.
2. Test the present policy state by accessing a test travel site, travel.com (http://www.travel.com).
Once you have completed writing the policy, you can try to access the site again to see if the policy has taken effect.
3. Through the Management Console, select Configuration > Policy > Visual Policy Manager and then click the Launch button. (If the VPM is already open, close and then relaunch it.) In the Visual Policy Manager, select Policy > Add Web Access Layer. In the Add New Layer dialog box, give the layer a name that makes sense to you. (In the screen captures below, the layer is named URL Filter.)
4. Right-click the Destination field of the new rule, and then click Set in the drop-down menu. The Set Destination Object dialog box appears.
5. Click the New button and then select Request URL Category from the drop-down menu. The Add Request URL Category Object dialog box appears.
6. In the Add Request URL Category Object box, type Travel in the Name field.
7. In the Categories window, click on the plus sign next to Blue Coat to display the list of categories. Click the check box next to Travel, and then click OK. The new Travel object appears in the Set Destination Object dialog box.

Note: A category object doesn't have to belong to just one category. You can select several categories to create a custom category group. Keep this in mind when you create category objects, and choose names carefully.

8. Click OK. Your policy should look like the screen capture below.
9. In the VPM, click the Install Policy button.
10. With your browser explicitly proxied to your Blue Coat SG on port 8080, test the new policy by trying to access the Travel.com Web site (http://www.travel.com). You should see an Access Denied message.
Custom Category: Blocking Yahoo, Forbes, and Asterix Web sites

1. Access the following Web sites to make sure that no existing policy is blocking them:
   • http://www.yahoo.com
   • http://www.forbes.com
   • http://www.asterix.com
2. In the VPM, make sure that the URL Filter tab (the tab of the layer you created in Step 3 of the previous section) is highlighted and then click Add Rule.
3. Right-click the Destination field of the new policy rule. Select Set from the drop-down menu.
4. Create a new destination trigger in the Add Request URL Category Object dialog box:
   a. In the Set Destination Object dialog box, click the New button, then select Request URL Category from the drop-down menu.
   b. Type Custom Block in the Name field.
   c. Highlight Categories > Policy.
   d. Click the Add button. The Object Name dialog box appears.
   e. Name the object by typing CustomBlock in the window and then click OK. This step creates a custom category. However, the category is empty. You will now associate domains with it.
   f. In the Add Category Object dialog box, highlight Categories > Policy > CustomBlock. However, do not click the check box beside it.
5. Click the Edit URLs button. The Edit Locally Defined Category Object dialog box appears.
6. Add domains to the CustomBlock category by typing them into the window, one per line.
7. Click OK.
8. In the Add Request URL Category Object dialog box, click in the check box beside the category name CustomBlock.
9. Click OK.
10. In the Set Destination Object dialog box, highlight CustomBlock from the list of destination objects. Click OK.
11. In the VPM, click the Install Policy button.
12. With your browser explicitly proxied to your Blue Coat SG on port 8080, test the new policy by trying to access the Yahoo, Forbes, and Asterix sites. You should see an Access Denied message each time.

Policy Clean-up

1. To set the policy back to default for the next lab, through the Management Console, select Policy > Visual Policy Manager and click Launch.
2. Right-click each Policy layer tab and select Delete from the drop-down menu.
3. Click the Install Policy button to accept the new policy.

Using the Local Database

Objectives
• Creating a shared repository of manually categorized files to share among multiple Blue Coat SG appliances
• Scheduling daily automatic downloads of this list

Scenario
Blue Coat SG offers administrators the ability to easily define custom categories and then ensure they are automatically updated from a local central server. The Blue Coat SG enables administrators to create their own category list, store it on a local server, and then periodically download the list if updates occur. This exercise shows how local database content filtering can be implemented using the Blue Coat SG.

Steps

1. Create a text file with the following syntax and the category names and URLs you want to have in the list:

define category whitelist
microsoft.com
mcafee.com
Symantec.com
end
define category blacklist
playboy.com
sex.com
hacking.com
end

2. Use the FTP location on your student handout to post this file on the training room internal Web site as shown in the screen capture below.
3. Through the Management Console, select Content Filtering > Local Database.
4. On the Local Database tab, in the Download section, type the administrator username given to you by the instructor. Click Change Password and use the password given to you by your instructor.
5. Through the Management Console, select Content Filtering > Local Database > Automatic Download. In the URL dialog box, type the path to your file on the web server. For example: http://172.16.90.110/student12/CustomLocalDatabase.txt
6. Schedule how often you want to have the Blue Coat SG retrieve this information. In most cases, once a week is a reasonable frequency for this type of application.
7. Start the download by clicking the Download Now button. A download can take a few seconds to a minute to complete, depending on the database size.
8. Click the View Download Status button to confirm that your local database was successfully imported and compiled.
9. Now you need to enable the local database to be available in the Visual Policy Manager (VPM) so you can create rules. Through the Management Console, select Content Filtering > General and then click in the check box for the Use Local Database option as shown in the screen capture below.
10. Click Apply in the Management Console.

Important: Do not enable the local database if you do not have one configured. An empty (but enabled) local database may cause conflicts with the other content filters.

11. Launch the VPM and create a Web Access Layer with a rule to block the blacklist category of your local database. (If the VPM is already open, close and then re-launch it.)
12. Click the Install Policy button.
13. Test the policy by accessing the denied Web sites you defined in your local database file.
14. Close the VPM.

Note: You should name the categories in the local database in a way that will clearly distinguish them from other categories you may use. You should prefix the category name with an identifier like "ldb_".

Policy Clean-up

1. To set the policy back to default for the next lab, through the Management Console, select Policy > Visual Policy Manager and click Launch.
2. Right-click each Policy layer tab and select Delete from the drop-down menu.
3. Click the Install Policy button to accept the new policy.
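Before pointing the appliance at a local database file, it is worth checking the file the same way the download step will: the blocks must be well formed, every category must have entries, and the names should carry the "ldb_" prefix the note above recommends. The following is an added example, not code from the course or from SGOS: a parser for the define category / end format built in this lab, a validator for those checks, and a lookup that reports which categories a request host falls into so a "block the blacklist category" rule can be tried against sample URLs offline. The sample file is constructed from the lab's values. The matching rule (a host is in a category when it equals an entry or is a subdomain of one) and the prefix check are this example's assumptions about what a practitioner wants verified, not a statement of how the appliance matches.

```python
"""Added example (not Blue Coat course material, not SGOS code): parse,
validate and query a local database file in the 'define category' format."""
from urllib.parse import urlsplit

# Constructed from the lab's file, with the recommended "ldb_" prefix omitted
# on purpose so the validator has something to report.
SAMPLE_LOCAL_DB = """\
define category whitelist
microsoft.com
mcafee.com
symantec.com
end
define category blacklist
playboy.com
sex.com
hacking.com
end
"""


def normalize_host(entry: str) -> str:
    """Accept a bare host or a URL and return the lower-cased host part."""
    if "://" not in entry:
        entry = "http://" + entry
    return (urlsplit(entry).hostname or "").lower()


def parse_local_db(text: str) -> dict:
    """Return {category: [hosts]}; raise ValueError (with the line number)
    on an unterminated block, an entry outside a block or a duplicate name."""
    categories = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        lowered = line.lower()
        if lowered.startswith("define category"):
            if current is not None:
                raise ValueError(f"line {lineno}: new category while {current!r} is still open")
            name = line[len("define category"):].strip()
            if not name:
                raise ValueError(f"line {lineno}: category without a name")
            if name in categories:
                raise ValueError(f"line {lineno}: duplicate category {name!r}")
            categories[name] = []
            current = name
        elif lowered == "end":
            if current is None:
                raise ValueError(f"line {lineno}: 'end' without an open category")
            current = None
        else:
            if current is None:
                raise ValueError(f"line {lineno}: entry {line!r} outside any category")
            categories[current].append(normalize_host(line))
    if current is not None:
        raise ValueError(f"category {current!r} is never closed with 'end'")
    return categories


def validate_local_db(text: str, prefix: str = "ldb_") -> list:
    """Every problem found: a syntax error, or names lacking the prefix and
    categories with no entries.  An empty list means the file is clean."""
    try:
        categories = parse_local_db(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for name, hosts in categories.items():
        if prefix and not name.startswith(prefix):
            problems.append(f"category {name!r} does not start with {prefix!r}")
        if not hosts:
            problems.append(f"category {name!r} has no entries")
    return problems


def categorize(categories: dict, url: str) -> list:
    """Sorted names of the categories whose entries match the request host."""
    host = normalize_host(url)
    return sorted(name for name, hosts in categories.items()
                  if any(host == h or host.endswith("." + h) for h in hosts))


def is_blocked(categories: dict, url: str, blocked=("blacklist",)) -> bool:
    """The lab's rule: deny requests that fall into the blacklist category."""
    return any(c in blocked for c in categorize(categories, url))


if __name__ == "__main__":
    db = parse_local_db(SAMPLE_LOCAL_DB)
    print("validation:", validate_local_db(SAMPLE_LOCAL_DB))
    for u in ("http://www.hacking.com/tools", "http://notsex.com/", "microsoft.com"):
        print(f"{u:32} {categorize(db, u)} {'blocked' if is_blocked(db, u) else 'allowed'}")
```

Note the suffix test requires the dot: notsex.com is not a subdomain of sex.com, so a plain endswith() on the bare entry would over-block.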
Managing Downloads — File Types and Exceptions

Files downloaded from the Internet or sent by e-mail can pose a hazard to the enterprise. Files may contain viruses or other malware. In addition, allowing staff unlimited ability to surf the Internet during working hours can reduce productivity and expose employees to materials that they may find offensive. The Blue Coat SG enables you to block downloads of selected types of information based upon various criteria such as URL category, file MIME type, file extension and apparent data type. The Blue Coat SG also enables you to create exceptions to the download limitations you have set.

Objectives
• Becoming familiar with Web Access Layer policy in the Visual Policy Manager (VPM), which allows blocking by URL category, file MIME type, file extension and apparent data type
• Using rules within the layer to block various types of data from being downloaded

Scenario
In this lab, you create policy through the Blue Coat SG to keep users from downloading several different types of information:
1. All PDF files, by MIME type
2. All images from all news sites, by MIME type
3. Create an exception to downloading PDF files
4. Executables, using apparent data types

Before You Begin
This lab assumes that:
• You have completed the earlier content-filtering labs and have installed the Blue Coat WebFilter database.
• The default proxy policy on your Blue Coat SG is set to Allow. If not, through the Management Console, select Configuration > Policy > Policy Options. In the Default Proxy Policy section, verify that the Allow option is selected; if it is not, select it and then click Apply.

Steps

Blocking PDF Files by MIME Type

1. Through the Management Console, select Configuration > Policy > Visual Policy Manager, and then click the Launch button.
2. From the Visual Policy Manager (VPM) menu bar, select Policy > Add Web Access Layer. The Add New Layer dialog box appears.
3. In the Add New Layer dialog box, name the layer Block Downloads Layer and click OK. The new layer with an empty rule appears in the VPM.
4. Click Add Rule and then click Move Up as shown in the screen capture below.
5. Right-click the Action field of the remaining Any/Any rule (Rule No. 2) and select Allow.
6. Right-click the Destination field of the new rule (Rule No. 1) and then select Set from the drop-down menu. The Set Destination Object dialog box appears.
7. In the Set Destination Object dialog box, click New and then select HTTP MIME Types from the drop-down menu. The Add HTTP MIME Types Object dialog box appears.
8. In the Add HTTP MIME Types Object dialog box, name the object PDF_Files. Then scroll down the list of MIME types to find application/pdf and select it. Click OK.
9. Confirm the object name in the Set Destination Object dialog box and then click OK.
10. In the VPM, click Install Policy.
11. Test the new rule by launching your browser set to use your Blue Coat SG as the proxy on port 8080 and accessing a site that offers PDF downloads, for example http://www.bluecoat.com/resources/datasheets.html.
When you attempt to download a PDF file, you should receive a message telling you that access is denied.

Blocking Images from News Sites by MIME Type

1. In the VPM, position the cursor on Rule No. 1 and click the Add Rule button.
2. Right-click in the Destination field of the new rule and then select Set from the drop-down menu. The Set Destination Object dialog box appears.
3. In the Set Destination Object dialog box, click the New button and then select Combined Destination Object... from the drop-down menu. The Set Combined Destination Object dialog box appears.
4. In the Set Combined Destination Object dialog box, click New and then select HTTP MIME Types from the drop-down menu. The Add HTTP MIME Types dialog box appears.
5. In the Add HTTP MIME Types dialog box, name the object Images_Files.
6. Scroll down the list of MIME types to find the various common MIME types. Select image MIME types, such as image/jpeg, and then click OK.
7. In the Add Combined Destination Object dialog box, add the object Images_Files to the upper-right object box: highlight the object and then click the top Add » button.
8. In the Add Combined Destination Object dialog box, click New and then select Request URL Category... from the drop-down menu. The Add Request URL Category dialog box appears.
9. In the dialog box, type News/Media in the Name field. In the Categories window, click on the plus sign next to Blue Coat to display the available categories. Scroll down, select the News/Media category, and then click OK.
10. In the Add Combined Destination Object dialog box, add the object News/Media to the lower object box: highlight the object and then click the bottom Add » button.
11. Click OK and then click OK in the Set Destination Object dialog box.
12. In the VPM, click Install Policy.
13. Test the policy by visiting some news sites, such as www.cnn.com and www.foxnews.com. You should see the text on the sites but not the images.

Note: If you are not going to go further in this lab, please follow the Policy Clean-up procedure at the end of the lab.

Creating Exceptions to Download Rules

1. Right-click the Destination field of Rule No. 1, which is currently set to PDF_Files, and select Set from the drop-down menu. The Set Destination Object dialog box appears.
2. In the Set Destination Object dialog box, click the New button and then select Combined Destination Object... from the drop-down menu. The Set Combined Destination Object dialog box appears.
3. In the Set Combined Destination Object dialog box, highlight PDF_Files and then click the upper Add » button as shown in the screen capture below.
4. In the same Set Combined Destination Object dialog box, click New and then select Request URL from the drop-down menu. The Add Request URL Object dialog box appears.
5. In the Add Request URL Object dialog box:
   a. Select the Simple Match option.
   b. Type www.bluecoat.com in the URL field immediately below the Simple Match option.
   c. Click Add.
6. Click the Close button.
7. In the Set Combined Destination Object dialog box, highlight Request URL: www.bluecoat.com and then click the lower Add » button.
8. In the lower At least one of these objects box, select the Negate check box.
9. In the Set Combined Destination Object dialog box, type PDF Download Exception in the Name field.
10. The Add Combined Destination Object dialog box should look like the screen capture below.
11. Click OK and then click OK in the Set Destination Object dialog box.
12. In the VPM, click Install Policy.
13. Test the new rule by accessing http://www.bluecoat.com/resources/datasheets.html. When you attempt to download a PDF file, you should be able to download and view it. Further test the rule by accessing another site with PDF files. You should be denied access.

Blocking Executables Using Apparent Data Types

Starting with SGOS 4.2.x, you can control file downloads using the apparent data type, in addition to the file extension or the declared MIME type. The apparent data type refers to special data, located at the beginning of a file, that is used to indicate its type. The Blue Coat SG scans data files to determine whether the special data is present, so renaming an executable with a different extension does not get it past the rule.

1. In the VPM, position the cursor on Rule No. 2 and click the Add Rule button.
2. Right-click in the Destination field of the new rule and then select Set from the drop-down menu. The Set Destination Object dialog box appears.
3. In the Set Destination Object dialog box, click the New button and then select Apparent Data Type from the drop-down menu. The Add Apparent Data Type Object dialog box appears.
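The three rules this lab builds share one piece of logic that the VPM dialogs make easy to get backwards: a Combined Destination Object is a set of boxes (the "At least one of these objects" lists); the rule matches only when every box matches, a box matches when at least one object in it matches, and a box with Negate checked matches when none of its objects do. The following is an added example, not code from the course or from SGOS, that models that logic together with an apparent data type check, so the PDF Download Exception, the news-image rule and the executable rule can be tried against constructed responses before anything is installed. The apparent data type check reads the bytes the server returned and ignores both the file extension and the declared Content-Type, which is what lets a renamed Putty.txt be caught. Rule order and the default action mirror the lab; the class and function names, the reading of Simple Match as "host or subdomain", and the sample responses are this example's own, and nothing here asserts how SGOS evaluates its objects internally.

```python
"""Added example (not Blue Coat course material, not SGOS code): combined
destination objects, Negate, first-match rule order and an MZ/PE sniff."""
import struct
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit


@dataclass
class Response:
    url: str
    mime_type: str          # declared Content-Type
    categories: frozenset   # WebFilter categories of the URL (constructed)
    body: bytes = b""       # first bytes of the object


Matcher = Callable[[Response], bool]


def http_mime_types(*types: str) -> Matcher:
    wanted = {t.lower() for t in types}
    return lambda r: r.mime_type.lower() in wanted


def request_url_category(*names: str) -> Matcher:
    return lambda r: bool(r.categories & set(names))


def request_url_simple_match(host: str) -> Matcher:
    """Simple Match read as: request host equals the given host or is a
    subdomain of it (this example's assumption)."""
    def match(r: Response) -> bool:
        h = (urlsplit(r.url).hostname or "").lower()
        return h == host or h.endswith("." + host)
    return match


def apparent_data_type(data: bytes) -> Optional[str]:
    """'pe' for a Windows PE image, 'mz' for a bare DOS executable, None
    otherwise.  MZ at offset 0; the 32-bit e_lfanew at 0x3c points at 'PE\\0\\0'."""
    if data[:2] != b"MZ":
        return None
    if len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "mz"


def dos_windows_executables() -> Matcher:
    return lambda r: apparent_data_type(r.body) is not None


@dataclass
class Box:
    """One 'At least one of these objects' list, optionally negated."""
    objects: list
    negate: bool = False

    def matches(self, r: Response) -> bool:
        hit = any(obj(r) for obj in self.objects)
        return (not hit) if self.negate else hit


@dataclass
class Rule:
    name: str
    boxes: list     # the combined destination object: every box must match
    action: str     # "DENY" or "ALLOW"

    def matches(self, r: Response) -> bool:
        return all(box.matches(r) for box in self.boxes)


def evaluate(rules: list, r: Response, default: str = "ALLOW") -> tuple:
    """First matching rule in the layer wins; otherwise the default proxy
    policy (Allow in this lab) applies."""
    for rule in rules:
        if rule.matches(r):
            return rule.action, rule.name
    return default, "default policy"


BLOCK_DOWNLOADS_LAYER = [
    Rule("PDF Download Exception",
         [Box([http_mime_types("application/pdf")]),
          Box([request_url_simple_match("www.bluecoat.com")], negate=True)], "DENY"),
    Rule("Images from news sites",
         [Box([http_mime_types("image/jpeg", "image/gif", "image/png")]),
          Box([request_url_category("News/Media")])], "DENY"),
    Rule("Apparent Data Type1", [Box([dos_windows_executables()])], "DENY"),
]


def fake_pe_image() -> bytes:
    """Constructed 68-byte buffer carrying a valid MZ/PE signature pair."""
    return b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\0\0"


if __name__ == "__main__":
    for r in (Response("http://www.bluecoat.com/resources/x.pdf", "application/pdf", frozenset()),
              Response("http://www.example.com/x.pdf", "application/pdf", frozenset()),
              Response("http://www.cnn.com/a.jpg", "image/jpeg", frozenset({"News/Media"})),
              Response("http://172.16.90.110/Downloads/ADT/Putty.txt", "text/plain", frozenset(), fake_pe_image())):
        print(f"{r.url:48} -> {evaluate(BLOCK_DOWNLOADS_LAYER, r)}")
```

The negated box is what turns "PDF and not from www.bluecoat.com" into a single rule; without Negate the same two boxes would deny only PDFs that do come from www.bluecoat.com, the opposite of the exception the lab wants.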
4. Select the DOS/Windows Executables option and then click OK.
5. Click OK in the Set Destination Object dialog box.
6. In the VPM, Rule No. 3 shows Apparent Data Type1 in the Destination field. Click the Install Policy button to accept the new policy.
7. Test the new policy by attempting to download an executable file that has been renamed with a text file extension. Access http://172.16.90.110/Downloads/ADT/Putty.txt. When you attempt to download the file, you should receive a message telling you that access is denied.

Policy Clean-up

1. To set the policy back to default for the next lab, through the Management Console, select Policy > Visual Policy Manager and click Launch.
2. Right-click each Policy layer tab and select Delete from the drop-down menu.
3. Click Install Policy.

Managing Instant Messaging

Instant messaging (IM) can be useful to an organization, helping co-workers communicate quickly and easily. However, it also raises serious concerns about security. Proprietary information can escape through text messages, and viruses and other malware can be introduced into the network from files shared through IM clients. The most effective way to control IM traffic is through a proxy server. The Blue Coat SG enables you to control AOL, MSN and Yahoo! IM communications based on:
• Users
• Groups
• File types and names

Objective
Using rules within the Web Access Layer to control usage of instant messaging (IM)

Scenario
Your task is to prevent the transmission of selected types of information to clients through Yahoo! Messenger. You need to block the following from IM transfer:
• All messages that contain the words "Project Paris," which is the internal code name for an upcoming secret merger
• All messages to a specific IM user
• All executable files
• All Excel files
• All files within a given size range
In addition, you will create a customized notification message to display to the end user when a policy is violated.

Before You Begin
• Ask your instructor for a Yahoo! IM screen name and password.
• Verify that you have Gaim IM client version 1.5.0 installed. (Gaim is an instant messaging client that works on multiple platforms and supports many IM systems, including Yahoo!, AOL, and MSN.)
• Verify that the default policy for the proxy is set to Allow.

Steps

Blocking instant messaging is performed in four stages:
1. Checking for the Instant Messenger (IM) licenses
2. Activating IM service on the Blue Coat SG
3. Configuring the Gaim IM client to communicate with the Blue Coat SG
4. Using the Visual Policy Manager (VPM) to control IM traffic
Instant messaging (IM) can be useful to an organization, helping co-workers communicate quickly and easily. However, it also raises serious concerns about security. Proprietary information can escape through text messages, and viruses and other malware can be introduced into the network from files shared through IM clients.

You need to block the following from IM transfer:
• All messages that contain the words "Project Paris," which is the internal code name for an upcoming secret merger
• All messages to a specific IM user
• All executable files
• All Excel files
• All files within a given size range

In addition, you will create a customized notification message to the end user to display when a policy is violated.

Before You Begin
• Ask your instructor for a Yahoo! IM screen name and password.
• Verify that you have Gaim IM client version 1.5.0 installed.
• Verify that the default policy for the proxy is set to Allow.

Steps

Blocking instant messaging is performed in four stages:
1. Checking for the Instant Messenger (IM) licenses
2. Activating IM service on the Blue Coat SG
3. Configuring the Gaim IM client to communicate with the Blue Coat SG
4. Using the Visual Policy Manager (VPM) to control IM traffic

Checking for the IM License

1. A valid license for IM must be present on the Blue Coat SG to enable IM monitoring and control. Through the Management Console, select Maintenance > Licensing.
2. Scroll down through the licensed components until you locate Yahoo Instant Messaging. If your Blue Coat SG has a valid license, continue with the rest of this lab. If not, tell your instructor, and you should receive the appropriate license.

Activating Yahoo! IM Service on the Blue Coat SG

1. This step is necessary only if you use IM in native mode. If you are tunneling the traffic over HTTP or using explicit HTTP or SOCKS proxy, this step is not necessary. Through the Management Console, select Configuration > Services > Service Ports.
2. Highlight the service port for Yahoo IM.
3. Select the Edit button to change the default values of no in the On column. Check the Enabled option in the Edit Service dialog box. Click OK.
4. Highlight the service port for SOCKS. Make sure that the SOCKS proxy is also set to Intercept over port 1080: select Intercept from the drop-down menu and verify that the port is set to 1080.
5. Click the Apply button to enable the changes you made to take effect.

Configuring the Gaim Client to Communicate with Blue Coat SG

1. Start the Gaim client.
2. Click the Accounts button.
3. In the Accounts window that appears, click the Add button.
4. In the Add Account window, select Yahoo from the Protocol: drop-down menu.
5. Enter the screen name and the password that your instructor assigned to you, and click Save.
6. Your screen name should now appear in the Accounts window. Click Close.
7. In the main Gaim window, click Preferences. The Preferences window appears.
8. In the Preferences window, select Network.
9. Select SOCKS 4 from the Proxy Server drop-down menu.
10. Enter the following values for the fields listed below, as shown below:
   • Host: Enter the IP address of your proxy.
   • Port: Enter 1080
   • User: Enter the username from your Student Reference Sheet.
   • Password: Enter the password from your Student Reference Sheet.
11. Click Close.
12. Test the setup by sending an IM to your assigned buddy.

Using the Visual Policy Manager to Control IM Traffic

Blocking Messages Containing "Project Paris"

1. Through the Management Console, select Configuration > Policy > Visual Policy Manager and then click Launch.
2. From the VPM Menu bar, select Policy and then select Add Web Access Layer from the drop-down menu.
3. In the Add New Layer dialog box, name the layer IM Access and then click OK. The layer with a new empty rule appears in the VPM.
4. Right-click in the Service field of the new rule and then select Set from the drop-down menu. The Set Service Object dialog box appears.
5. In the Set Service Object dialog box, click the New button and then select IM Message Text. The Add IM Message Text Object dialog box appears.
6. In the Add IM Message Text Object dialog box:
   a. Type Project_Paris in the Name input field.
   b. Select the Text check box.
   c. Make sure that Contains is selected in the drop-down menu next to the Text field.
   d. Type project paris in the Text field. The text is case-insensitive.
   e. Click OK.
7. In the Set Service Object dialog box, make sure that the Project_Paris object appears in the window. Click OK.
8. In the VPM, confirm that the Service field of Rule 1 contains Project_Paris and that the Action field is set to Deny.
9. Click Install Policy.
10. Test the new rule by attempting to send an IM containing the restricted text (Project Paris) to your lab partner.

Blocking Messages to a Specific Yahoo! IM User

1. In the VPM, click the Add Rule button.
2. Right-click in the Destination field of the new rule and then select Set from the drop-down menu. The Set Destination Object dialog box appears.
3. In the Set Destination Object dialog box, click New and then select IM Buddy from the drop-down menu. The Add IM Buddy Object dialog box appears.
4. In the Add IM Buddy Object dialog box:
   a. Type a name for the object in the Name field. It is a good practice to name the object as the buddy name, so you can immediately tell what that object does when you look at the policy.
   b. In the IM Buddy window, type the IM screen name for the user you want to block. For this lab, you can use the name bcsi_student_12 and ask your instructor to log in using that screen name.
   c. Accept the default value Exact Match in the drop-down menu.
   d. Click OK.
5. In the Set Destination Object dialog box, click OK.
6. In the VPM, verify that the name of the IM Buddy Object appears in the Destination field of Rule 2.
7. Click Install Policy.
8. Test the new policy by attempting to contact the buddy whose name you used in the previous steps. You should receive a message in your IM window that the communication is denied.

Blocking all Executable Files

1. In the VPM, select IM Access layer > Add Rule.
2. Right-click in the Service field of the new rule and then select Set from the drop-down menu. The Set Service Object dialog box appears.
3. In the Set Service Object dialog box, click New and then select IM File Transfer from the drop-down menu. The Add IM File Transfer Object dialog box appears.
4. In the Add IM File Transfer Object dialog box:
   a. Type IM_Executable_Files in the Name field.
   b. Select the File: check box.
   c. Select RegEx from the drop-down menu.
   d. Type the regular expression \.exe$ in the window next to File:.
   e. Click OK.
5. In the Set Service Object dialog box, verify that the IM_Executables object appears in the window and then click OK.

Blocking all Excel Files

1. Click Add Rule.
2. Right-click in the Service field of the new rule and then select Set from the drop-down menu. The Set Service Object dialog box appears.
3. In the Set Service Object dialog box, click the New button and select IM File Transfer, as you did in Step 3 of the previous section of this lab. The Add IM File Transfer Object dialog box appears.
4. In the Add IM File Transfer Object dialog box:
   a. Type IM_Excel_Files in the Name window.
   b. Select the File: check box.
   c. Select RegEx from the drop-down menu.
   d. Type the regular expression \.xls$ in the window next to File:.
   e. Click OK.
5. In the Set Service Object dialog box, verify that the IM_Excel object appears in the window and then click OK.

Blocking all Files Within a Given Size Range

1. Click New Rule.
2. Right-click in the Service field of the new rule and then select Set from the drop-down menu. The Set Service Object dialog box appears.
3. In the Set Service Object dialog box, click New and then select IM File Transfer, as you did in Step 3 of the two previous sections. The Add IM File Transfer Object dialog box appears.
4. In the Add IM File Transfer Object dialog box:
   a. Type IM_File_Size in the Name window.
   b. Select the Size: check box.
   c. Type the lower and upper limits of the prohibited file transfer size range: type 2048 in the window closest to Size: and 8192 in the window next to the first window.
   d. Click OK.
5. The VPM should look like the screen capture below.
6. Attempt to violate Rule 3 by sending an IM containing an executable file.
7. Attempt to violate Rule 5 by sending an IM containing a file within the prohibited size range to your lab partner.
8. Attempt to confirm Rule 5 by sending an IM containing a file outside the prohibited size range to your lab partner. The communication should succeed.

Customizing the IM Admin Buddy Names and Alerts

You can customize the name of the buddy that you use to send a notification to the user that a policy was violated. The default name is Blue Coat Proxy SG.
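Before the alert customization continues, here is an added example, not from the course, that models the file-transfer rules just configured (IM_Executable_Files, IM_Excel_Files, IM_File_Size) together with the apparent-data-type check from the executables lab earlier in this chapter. The magic-byte table, the rule evaluator and the sample transfers are assumptions of the example, not the appliance's own implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Leading-byte signatures used here to derive a file's apparent data type.
# These are well-known magic numbers; the appliance's own signature table is
# not published on this page, so this list is an assumption of the example.
MZ_MAGIC = b"MZ"                                   # DOS/Windows executable (MZ/PE)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office file (.xls/.doc)
SIGNATURES = [
    (MZ_MAGIC, "DOS/Windows Executables"),
    (b"%PDF-", "PDF"),
    (OLE2_MAGIC, "OLE2 document"),
    (b"PK\x03\x04", "ZIP archive"),
]


def apparent_data_type(head: bytes) -> Optional[str]:
    """Classify a file by the special data at its start, ignoring its name."""
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return None


@dataclass
class Transfer:
    filename: str
    head: bytes       # first bytes of the file as received by the proxy
    size_kb: int      # transfer size in KBytes, the unit chosen in the lab


@dataclass
class Rule:
    """One policy rule: every condition that is set must hold for a match."""
    name: str
    file_regex: Optional[str] = None                  # IM File Transfer, File: RegEx
    size_kb_range: Optional[Tuple[int, int]] = None   # IM File Transfer, Size: (inclusive)
    apparent_type: Optional[str] = None               # Apparent Data Type object
    action: str = "Deny"

    def matches(self, t: Transfer) -> bool:
        if self.file_regex is not None and not re.search(self.file_regex, t.filename):
            return False
        if self.size_kb_range is not None:
            lo, hi = self.size_kb_range
            if not lo <= t.size_kb <= hi:
                return False
        if self.apparent_type is not None and apparent_data_type(t.head) != self.apparent_type:
            return False
        return True


# The objects the labs build, evaluated top to bottom with first match winning.
# The first three are the IM file-transfer objects; the last is the ADT lab's.
LAB_RULES: List[Rule] = [
    Rule("IM_Executable_Files", file_regex=r"\.exe$"),
    Rule("IM_Excel_Files", file_regex=r"\.xls$"),
    Rule("IM_File_Size", size_kb_range=(2048, 8192)),
    Rule("ApparentDataType1", apparent_type="DOS/Windows Executables"),
]


def evaluate(t: Transfer, rules: List[Rule] = LAB_RULES) -> Tuple[str, Optional[str]]:
    """Return (action, matching rule name); the default policy is Allow."""
    for rule in rules:
        if rule.matches(t):
            return rule.action, rule.name
    return "Allow", None


# Constructed transfers: the lab's renamed Putty.txt, an upper-case .XLS, and
# files inside and outside the prohibited size range.
SAMPLE_TRANSFERS = [
    Transfer("putty.exe", MZ_MAGIC + b"\x90\x00\x03", 500),
    Transfer("Putty.txt", MZ_MAGIC + b"\x90\x00\x03", 500),   # renamed executable
    Transfer("budget.xls", OLE2_MAGIC, 300),
    Transfer("REPORT.XLS", OLE2_MAGIC, 300),                   # case differs from \.xls$
    Transfer("notes.txt", b"plain text", 4096),                # inside 2048-8192 KB
    Transfer("notes.txt", b"plain text", 10),
]


def run_samples() -> List[Tuple[str, str, Optional[str]]]:
    """Evaluate each constructed transfer: (filename, action, rule)."""
    return [(t.filename,) + evaluate(t) for t in SAMPLE_TRANSFERS]


if __name__ == "__main__":
    for filename, action, rule in run_samples():
        print(f"{filename:12} {action:5} {rule or '(default)'}")
```

Putty.txt is denied only by the apparent-data-type rule, which is the point of the executables lab; REPORT.XLS shows that an anchored, case-sensitive regex such as \.xls$ misses upper-case extensions in this evaluator, so check how your appliance treats case before relying on such a rule.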
(To complete the IM_File_Size object from the previous section: select KBytes from the drop-down window next to the size limits; in the Set Service Object dialog box, verify that the IM_File_Size object appears in the window, and then click Install Policy. Verify that your policy in the VPM looks like the screen capture below. You now test the last three rules that block types of files. Attempt to violate Rule 4 by sending an IM containing an Excel file to your buddy. The communication should fail. In the Gaim IM window, you should see something similar to the screen capture below.)

You can also return a customized message to the user, detailing the actual policy violation.

1. To modify the buddy name used to send the alerts, through the Management Console, select Configuration > Services > IM Proxies > IM Alert Settings. For this lab, change it to IM Policy Administrator for all three supported IM protocols. Then click Apply.
2. To modify the message that users receive, you need to create an IM Alert object in the VPM. In the VPM, select the IM Access Layer, right-click the Action field of any of the policies that you just created, then select Set > New > Send IM Alert.
3. In the Add Send IM Alert Object dialog box:
   a. Type IM_Policy_Violation in the Name: field.
   b. Type "The IM message you sent violates company policy." in the Alert Text: pane.
   c. Click OK.
4. For the other rules in the IM_Access layer, right-click on the Action field, then select Set > IM_Policy_Violation from the list of Existing Action Objects. You may need to scroll down the list to find it.
5. Repeat Step 4 for all other policies in the IM_Access layer.
6. Click Install Policy on the VPM.
7. Attempt sending a message to your IM buddy. Notice that you are blocked and you should receive the following message. Note that the message appears in a new window or a new tab.

Managing Peer-to-Peer Traffic

Objective

Configuring your Blue Coat® SG™ to transparently allow or block connections to P2P networks

Scenario

The use of peer-to-peer (P2P) clients to download music and video files consumes valuable bandwidth on an organization's network and reduces productivity. P2P also opens the door for malware and raises a host of legal concerns stemming from potential copyright infringement.

In this lab, you connect to the Gnutella P2P network, search for movie titles, and check the statistics for the P2P traffic. You then rewrite the policy to block P2P traffic and use LimeWire to again connect to Gnutella and search for different movie titles. This lab assumes that the internal subnet is 172.16.90.x/24.

Before You Begin
• This lab uses the LimeWire P2P client because it has little or no spyware compared with other P2P client applications. However, you can select another P2P client if you prefer.
• The lab assumes that you have the proper connection to the Internet and that there are no firewall rules blocking the connection to the P2P networks.

Important: It is important that you do not download or upload copyrighted material, because it constitutes a violation of U.S. federal law.
The illustration below shows the network connectivity of the Blue Coat SG and the client.

In this lab, you learn to:
• Configure the Blue Coat SG to intercept the P2P traffic and create a policy to allow P2P traffic
• Use the LimeWire P2P client to access the Internet through your Blue Coat SG

Steps

This lab is performed in five stages:
1. Configuring the Blue Coat SG to intercept P2P traffic
2. Creating a policy to allow P2P traffic
3. Downloading LimeWire and searching on Gnutella
4. Creating a policy to block P2P traffic
5. Connecting to Gnutella and searching again

Configuring the Blue Coat SG to Intercept P2P Traffic

1. Set your PC default gateway to be the IP address of your Blue Coat SG:
   a. Select Start > Control Panel > Network and Internet Connections > Network Connections.
   b. Right-click Local Area Connection and then select Properties > General.
   c. In the Local Area Connection Properties dialog box, highlight Internet Protocol (TCP/IP) and then click the Properties button.
   d. In the Internet Protocol (TCP/IP) dialog box, select the General tab and then click Advanced.
   e. Click Add below the Default Gateway pane. In the TCP/IP Address dialog box, type the IP address of your Blue Coat SG and then click Add, as shown in the screen capture below.
   f. Click OK or Close in the remaining dialog boxes.
2. Set the Intercept function for HTTP:
   a. Through your Blue Coat SG Management Console, select Configuration > Services > Proxy Services.
   b. In the Listeners pane, highlight HTTP.
   c. In the Destination IP row and the Action column, select Intercept from the drop-down menu.
   d. Click Apply.
3. Set the Intercept function for Default TCP Tunnel proxy services:
   a. Through the Management Console, select Configuration > Services > Proxy Services.
   b. In the Listeners pane, highlight Default. You may need to scroll to the bottom of the list.
   c. Click the Edit button near the bottom of the screen. The Edit Service dialog box appears.
   d. In the dialog box, select Intercept from the Action drop-down window and make sure that the Detect Protocol check box is selected. Click OK.
   e. Click Apply.
4. Enable IP forwarding. Through the Management Console, select Configuration > Network > Routing, and make sure that the Enable IP forwarding check box is selected. Click Apply.

Creating a Policy to Allow P2P Traffic

1. In the Management Console, select Configuration > Policy > Visual Policy Manager, and then click Launch.
2. From the Visual Policy Manager (VPM) Menu bar, select Policy > Add Web Access Layer.
3. In the Add New Layer dialog box, give the layer the name P2P and then click OK.
4. In the P2P layer, right-click the Source field of the new layer's default rule and then select Set from the drop-down menu. The Set Source Object dialog box appears.
5. In the Set Source Object dialog box, click New and then select P2P Client from the drop-down menu. The Add P2P Client Object dialog box appears.
6. In the Add P2P Client Object dialog box, name the object All P2P, make sure that the All P2P Clients option is selected, and then click OK.
7. In the Set Source Object dialog box menu, select All P2P and then click OK.
8. In the VPM, make sure that the Action field is set to Allow.
9. Click Install Policy. The Policy Installed dialog box appears. Click OK.

Downloading LimeWire and Searching on Gnutella

1. Before you download, it is helpful to observe some statistics. Through the Management Console, select Statistics > P2P History > P2P Bytes. Here you can see the statistics of the sessions. Note the value of the Previous 24 hour period. You need to move your mouse over the Previous 24 hour period section to see the values.
2. Download and install the LimeWire P2P client from the local FTP server in the lab or directly from this site: http://www.limewire.com/LimeWireWinBoth
3. Launch LimeWire.
4. Use the search window on the left side of the LimeWire interface to search for video files with the title Star Trek. The search should return some titles.
5. Return to the Statistics > P2P History > P2P Bytes tab. Check the usage of the P2P traffic for the Previous 24 hour period.

Creating a Policy to Block P2P Traffic

1. Through the Management Console, select Configuration > Policy > Visual Policy Manager, and then click Launch.
2. In the VPM, select the layer you named P2P and right-click the Action field.
3. Select Deny from the drop-down menu.
4. Click Install Policy.

Connecting to Gnutella and Searching Again

1. Run the LimeWire search again. However, this time, search for video files with the title CSI.
2. You should receive an error message from the LimeWire client.

Conclusion

This lab demonstrates the ability of the Blue Coat SG appliance to intercept P2P traffic. Interception allows you to block or allow the traffic. This is useful in situations where you want to block clients from accessing P2P networks. Viewing statistics allows you to know how much P2P traffic goes through the Blue Coat SG.

Using Notification Objects

Objectives
• Creating a notification page for users who are blocked from gambling sites
• Creating a splash page to remind each user every day that access to the Internet will be monitored and infractions of the Acceptable Usage Policy (AUP) will be sanctioned accordingly
• Creating a coaching page, warning users that access to sites categorized as Web-based e-mail is generally not allowed; however, users can continue and access the desired resource on the Internet.

Scenario

It is important that users be told clearly why they are not allowed to access a given resource on the Internet. A clear explanation reduces the likelihood that users will open service requests with the IT department. Without a proper explanation, users who cannot access a certain site may think the network is malfunctioning. Blue Coat SG allows a company to remind each employee, every day, of the current AUP, before the first Internet request is fulfilled.

Before You Begin
• This lab assumes that you have Blue Coat Web Filter installed, configured and up to date. Refer to the lab "Content Filtering — Configuration" if you need to install it.

Steps

This exercise is performed in four stages:
1. Creating basic policies using the Visual Policy Manager (VPM)
2. Creating a splash page
3. Creating a coaching page
4. Creating a notification page

Creating Basic Policies Using the VPM

1. Through the Management Console, select Policy > Visual Policy Manager and then click the Launch button.
2. From the menu bar in the Visual Policy Manager (VPM), select Policy and then Add Web Access Layer from the drop-down menu. The Add New Layer dialog box appears; accept the default name.
3. In the VPM, right-click in the Destination field and then select Set from the drop-down menu. The Set Destination Object dialog box appears.
4. In the Set Destination Object dialog box, click the New button and then select Request URL Category from the drop-down menu. The Add Request URL Category Object dialog box appears.
5. In the Add Category Object dialog box, type Gambling in the Name field.
6. Click the plus sign next to Blue Coat in order to display the available categories. Click in the box next to Gambling and then click OK.
7. Click OK in the Set Destination Object dialog box. You have just created a policy that blocks everybody from accessing gambling Web sites.
8. In the VPM, click the Add Rule button. Then right-click in the Destination field and select Set from the drop-down menu. The Set Destination Object dialog box appears.
9. In the Set Destination Object dialog box, click the New button and then select Request URL Category from the drop-down menu. The Add Category Object dialog box appears.
10. In the Add Category Object dialog box, type Email in the Name field.
11. Click the plus sign next to Blue Coat to display the available categories. Click in the box next to Email and then click OK.
12. Click OK in the Set Destination Object dialog box. You have just created a policy that blocks everyone from accessing e-mail Web sites.
13. In the VPM, position your cursor at Rule No. 2 and click the Add Rule button. The newly created rule blocks everybody from all destinations. The resulting policy looks like the figure shown below.
14. Click Install Policy.

Now that you have created the policies, you need to set up the notification events accordingly. The first policy is for your splash page.

Creating a Splash Page

1. In the VPM, right-click in the Action field of the last rule that you created, which blocks everybody from all destinations, then select Set from the drop-down menu. The Set Action Object dialog box appears.
2. In the Set Action Object dialog box, click the New button and then select Notify User from the drop-down menu. The Add Notify User Object dialog box appears, as shown in the screen capture below.
3. In the Add Notify User Object dialog box:
   a. Type Splash-Page in the Name field.
   b. Type Friendly Reminder in the Title field.
   c. In the Body window, replace <!-- REPLACE THE FOLLOWING WITH YOUR MESSAGE --> with some meaningful text. For instance, you can type:

      <h2><center>XYZ Inc. - Acceptable Usage Policy</center></h2>
      <p> You are not allowed to:
      <li> Access Gambling Web Sites
      <li> Email Sites (unless you have an immediate business need)
      <p><center>Happy Surfing!</center>

   d. In the Notify users again section, click the third radio button. Then select Midnight from the drop-down menu and type 1 in the day(s) field.
   e. Click OK.
4. Click OK in the Set Action Object dialog box.
101 Blue Coat Educational Services — BCCPA Course v 1.7.2 Creating a Coaching Page 1. 2. Right-click on the Action field in the D e n y Email rule, then select Set from the d r o p - d o w n m e n u . T h e Set Action Object dialog box a p p e a r s . In the Set Action Object dialog box, click the New b u t t o n a n d then select Notify User from the d r o p - d o w n m e n u . The A d d Notify User Object dialog box a p p e a r s . It is the dialog box d i s p l a y e d in the screen capture above. In t h e A d d Notify User Object dialog box: a. b. 3. Type Coaching-Page in the Name field. Type Warning! You are accessing a restricted site in the Title field. c. In t h e Body w i n d o w , replace the < ! - - R E P L A C E T H E F O L L O W I N G W I T H Y O U R M E S S A G E - - > w i t h s o m e m e a n i n g f u l text. For instance, y o u can type: < h 2 x c e n t e r > X Y Z Inc. - Acceptable Usage P o l i c y < / c e n t e r x / h 2 > <p> Y o u a r e n o t a l l o w e d t o a c c e s s t h e r e s o u r c e r e q u e s t e d . I f y o u h a v e a n <b> i m m e d i a t e b u s i n e s s n e e d < / b > y o u c a n c l i c k o n t h e link b e l o w and access the site. Be aware that y o u will be m o n i t o r e d and your a c t i v i t y reported. d. e. In t h e Notify Mode section, click the radio b u t t o n next to Notify on every host. In the Notify users again section, click the radio b u t t o n next to At next browser session. f. 4. Click OK. Click OK in the Set Action Object dialog box. Creating a Notification Page 1. 2. 3. Right-click in the Action field of the D e n y G a m b l i n g rule, then select Set from the d r o p - d o w n m e n u . The Set Action Object dialog box a p p e a r s . In the Set Action Object dialog box, click the N e w button a n d then select Notify User from the d r o p - d o w n m e n u . The A d d Notify User Object dialog box a p p e a r s . In the A d d Notify User Object dialog box: a. b. c. 
Type Notify-Page in the Name field. Type Warning! You are accessing a restricted site in the Title field. In the Body window, replace the <!-- REPLACE THE FOLLOWING WITH YOUR MESSAGE --> with some meaningful text. For instance you can type:

<h2><center>XYZ Inc. - Acceptable Usage Policy</center></h2>
<p>You are not allowed to access the resource requested. Be aware that this request has been recorded and monitored and your activity reported.

d. Remove the lines:

Click on Accept after reading this message.
<!-- The following is the Accept button, which you can customize. -->
<p><a href="$(exception.details)" onclick="Accept();">Accept</a>

e. In the Notify Mode section, click the radio button next to Notify on every host.
f. Click OK.
4. Click OK in the Set Action Object dialog box. The final policy in the VPM should resemble the screen capture below.
5. Click the Install Policy button.
6. Test your new policy. As a result, you should receive a page showing the company's AUP once a day, a coaching page when you access Web-based e-mail sites, and a denied page when you access gambling sites. If you want the splash page to display again, simply empty your browser's cookie jar.
Note: Below are screen captures of what the browser displays for each of the notification objects that you have just created.
[Screen captures: Notification Page, Coaching Page, Splash Page]

Policy Clean-up
1. To set the policy back to default for the next lab, through the Management Console, select Policy > Visual Policy Manager and click Launch.
2. Right-click each Policy layer tab and select Delete from the drop-down menu. Click the Install Policy button to accept the new policy.

Access Logging

Objectives
• Turning on access logging
• Configuring access log upload preferences
• Confirming access log upload success

Scenario
Access logs are raw text files of client requests. They typically contain the time each request was made, client IP, URL requested, server results, cache results, type of content, time taken to serve the request, and object size. The logs also contain the requestor's username and content category if authentication or content filtering is enabled. Administrators use these logs to create reports showing top Web users, peak traffic load, top URLs visited, as well as other useful information.

Steps
1. Through the Management Console, select Configuration > Access Logging > General. Notice Access Logging is not enabled by default.
2. Click the check box next to Enable Access Logging near the top of the Default Logging tab.
3. Verify HTTP is set to main in the Default Logging Policy window. If it is not, select main from the drop-down menu labeled Log.
4. Click Apply to save the changes.
5. Through the Management Console, select Configuration > Access Logging > Logs > Upload Client.
6. In the Client type drop-down menu, select FTP Client and then click the Settings button. The FTP Client settings dialog box appears.
7. Use the student handout to insert the FTP server settings. For example:
   Host: 172.16.90.110
   Port: 21
   Path: /student<x>/ (Where x is your student number)
   Username: bcadmin
8. Click the Change Primary Password button. The Change Primary Password dialog box appears.
9. Type in the FTP server password provided in the student handout and then click OK.
10. Click OK in the FTP Client settings dialog box.
11. In the Upload Client section, click the Apply button to save all the changes.
12. Open a Web browser and connect to the class FTP server you entered in the FTP Client settings to verify it is empty. For example: http://172.16.90.110/studentx/ (Where x is your student number.)
Note: It is a good idea to press the F5 key to refresh the FTP directory listing.
13. Through the Management Console, select Configuration > Access Logging > Logs > Upload Client. Verify main is selected in the Log drop-down menu.
14. Click the Test Upload button. An Upload Test Started window will appear.
15. Click OK.
16. Verify that a new file called main_upload_result has been created in your FTP folder as shown in the screen capture below. You may need to press F5 to refresh your screen.
17. Through the Management Console, select Configuration > Access Logging > Logs > Upload Schedule.
18. In the Upload the log file: section, click the Upload Now button.
19. Verify that your log files are in your FTP folder. You may need to press F5 to refresh your FTP browser screen.
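As an added example, not part of the course material, the following Python script parses main-log entries laid out the way the scenario describes (W3C ELFF with a #Fields directive) and builds the report inputs administrators pull from them: top Web users by bytes, top hosts, peak hour, and denied or infected requests. The field list is an assumed subset of the SGOS main format and every log line is constructed sample data.

```python
"""Parse Blue Coat SG 'main' access-log entries (W3C ELFF layout) and build
the summaries the scenario describes: top Web users, top hosts, peak hour,
denied requests. All sample log data below is constructed for this example."""
import csv
from collections import Counter

# Constructed sample: ELFF directives (#Software, #Version, #Date, #Fields)
# followed by five entries. The field names are an assumed subset of the
# SGOS main format; quoted values may contain spaces, "-" means "no value".
SAMPLE_LOG = """\
#Software: SGOS 4.2.3
#Version: 1.0
#Date: 2008-03-10 12:00:00
#Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-username sc-filter-result cs-categories x-virus-id
2008-03-10 11:05:12 210 10.9.16.101 200 TCP_HIT 48213 412 GET http www.example.com 80 /news/today.html jdoe OBSERVED "News/Media" -
2008-03-10 12:07:45 95 10.9.16.102 403 TCP_DENIED 1024 380 GET http www.casino-test.example 80 / asmith DENIED "Gambling" -
2008-03-10 12:31:02 1850 10.9.16.101 200 TCP_NC_MISS 921344 455 GET http dl.example.org 80 /tools/setup.exe jdoe OBSERVED "Software Downloads" -
2008-03-10 12:33:10 120 10.9.16.103 403 TCP_DENIED 1024 390 GET http www.eicar.org 80 /download/eicar.com.zip bcadmin OBSERVED "Computers/Internet" "EICAR-Test-File"
2008-03-10 12:45:30 180 10.9.16.101 200 TCP_HIT 30500 410 GET http www.example.com 80 /news/sports.html jdoe OBSERVED "News/Media" -
"""


def parse_elff(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # other directives describe the file, not a request
        if fields is None:
            raise ValueError("log entry found before the #Fields directive")
        # ELFF separates fields with spaces and double-quotes values that
        # contain spaces (e.g. a category name); csv handles that quoting.
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        yield dict(zip(fields, values))


def summarize(text):
    """Build the report inputs an administrator would pull from the log."""
    bytes_per_user = Counter()     # top Web users by bytes sent to the client
    requests_per_host = Counter()  # top sites visited
    requests_per_hour = Counter()  # peak traffic load by hour of day
    denied, infected = [], []
    for e in parse_elff(text):
        bytes_per_user[e["cs-username"]] += int(e["sc-bytes"])
        requests_per_host[e["cs-host"]] += 1
        requests_per_hour[e["time"][:2]] += 1
        if e["sc-filter-result"] == "DENIED":  # blocked by content-filtering policy
            denied.append((e["cs-username"], e["cs-host"], e["cs-categories"]))
        if e["x-virus-id"] != "-":  # ICAP scanner reported malware in the object
            infected.append((e["c-ip"], e["cs-host"] + e["cs-uri-path"], e["x-virus-id"]))
    return {
        "top_users": bytes_per_user.most_common(),
        "top_hosts": requests_per_host.most_common(),
        "peak_hour": requests_per_hour.most_common(1)[0][0],
        "denied": denied,
        "infected": infected,
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```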
Creating Reporter Profiles and Generating Reports

Blue Coat® Reporter™ uses profiles to manage different types of log data produced by the Blue Coat® SG™. When you create a profile, Reporter associates it with a specific type of Blue Coat SG log. Reporter then processes the log data into a database that is tied to that profile. The format of the log data determines the database structure as well as the default reports that Reporter generates from the database.

Reporter supports two types of profiles, v8 and v7. The v8 profile type works only with Blue Coat SG main access logs, which are the default logs for HTTP traffic. Main access logs can grow to tremendous size because of the nature of HTTP traffic, so the v8 profile type uses a database designed to handle large amounts of log data. The v7 profile type is designed to work with non-main access logs, including Instant Messaging, Streaming, and custom ELFF formats, which produce smaller data sets than main files. V7 profiles enable administrators to easily manage heavily customized log formats from the Blue Coat SG. They also allow administrators to apply extremely flexible filters to control how log data is processed and displayed. Although you cannot use v8 profiles to process non-main access logs, you can use v7 profiles to process main log files if you need to filter them extensively.

Objectives
• Becoming familiar with creating profiles
• Understanding the differences between creating v7 and v8 profile types
• Generating reports from Blue Coat SG main and IM log files

Scenario
In this lab, you create two profiles in Reporter:
1. A v8 profile to process main logs that can be analyzed for Web usage
2. A v7 profile to process Instant Messaging logs
You also generate reports from these profiles.

Before You Begin
• This lab assumes that you have completed the earlier access logging and instant messaging labs.
• Install the Blue Coat Reporter 8.1.2 on your local machine.

Steps

Creating a v8 Profile
1. Log on to Reporter by launching your Web browser and navigating to http://127.0.0.1:8987.
2. The first time you launch Reporter, the application asks you to create an administrative user account. Create a user name and password that match your Blue Coat SG console account. If you have already created an administrative account, then log in using those credentials. Reporter's Admin (administrative) page appears in the browser.
Note: If an administrative account has already been configured on your system, please ask your instructor for the account information. In the event that you cannot get the account information, you can reset the administrative user by deleting the file users.cfg from the directory C:\Program Files\Blue Coat Reporter\LogAnalysisInfo.
3. Click Create New Profile. The New Profile wizard appears in a new window.
4. Leave the default selection for a v8 profile and click Next to configure the log source.
5. Click the Log Source Type drop-down menu and select FTP.
6. Fill in the Hostname, Username, and Password fields with the FTP server configuration.
7. Configure the Pathname field with the FTP directory used in the preceding Access Logging labs for your HTTP main logs. Add the string SG_main*.log.gz to the path so that only compressed log files are matched. Check the Pattern is a wildcard expression box.
8. Click Show Matching Files to verify the log source configuration. The matching log files appear in a new window.
9. Click Next. The Authenticated Users dialog box appears.
10. Select My logs contain authenticated usernames.
11. Click Next, and define a name for the profile in the Profile name text box. The profile is named Personal HTTP in the screen capture below.
12. Click Finish to complete the profile creation process. The New Profile wizard saves the profile and closes. Reporter's Admin page reloads, displaying the newly created profile.
Note: Log processing begins immediately for v8 profiles. Reporter monitors the log source directory and automatically adds new log data to the database. You can view reports for a profile by clicking the Show Reports link. The Show Config link opens a page from which you can edit the profile's configuration.

Creating a v7 Profile
1. Click Create New Profile. The New Profile wizard appears in a new window.
2. Change the selection to Create a v7 Profile and click Next to configure the log source.
3. Repeat Steps 5 through 9 from the previous section. When specifying the log source pathname, use the directory with your instant messaging log files.
4. Click Next, and Reporter tries to auto-detect the log format. The Log Format dialog box appears.
5. Select Blue Coat Instant Messenger Log Format and then click Next.
Important: If log format auto-detection is unsuccessful, Reporter displays a long list of possible log formats. Do not force a selection from this list. You need to click Back, and then work to resolve the auto-detection issue. This typically is caused by an incorrect pathname or by a corrupt file in the target directory. Make sure that the first file in the directory listing is an Instant Messaging log file.
6. The Log format options - numeric fields dialog box displays. This controls which kinds of numeric data to track for a profile. These options change based on the log format type. Select at least one of these options and then click Next.
7. The Date/Time tracking dialog box appears. Accept the defaults and click Next.
8. Name the profile and click Finish. The profile is named Personal IM in the screen capture below. The Profile Wizard saves the profile and closes. The new profile is now listed on the Admin page.
Note: In order to process the log files specified in the v7 profile log source, you must click Show Reports to begin log processing. Alternatively, the Reporter Scheduler can be used to regularly schedule database updates with new data from the log source directory.

Generating v8 Profile Dashboard Reports
1. On the Admin page, click the Show Reports link next to the v8 profile you created. The browser displays the Dashboard. The Dashboard is empty the first time you access it.
2. Use the Choose a Report drop-down menu in the upper right part of the page to select an assortment of reports. The reports appear as small individual windows on the Dashboard.
3. Click on the Edit links in the miniature reports. Notice that the reports give you several options for viewing the data; you can view some miniature reports in the form of a table or a pie chart. Reporter saves your selection of Dashboard reports for each profile.
4. Click on the Full Report link at the bottom of a miniature report. The complete report appears in the browser window.

Generating v8 Profile Pre-Defined Reports
1. Click on the Reports tab. The browser displays the Reports page. The central pane provides filter options. The left navigation pane displays a list of pre-defined reports.
2. Select a pre-defined report from the left navigation pane. The browser displays processing status and then the completed report.
3. Click on the Filter link at the top of the report. Filter options appear in a pop-up window. The options are identical to those in the central frame of the Reports page when you first access it. In the pop-up window, apply a date filter or choose one or more filter fields.
4. Click the Save and Close button to apply the filter and close the pop-up window. The report reloads in the browser.
5. Click on report elements in blue text. The browser page displays details about that report element. You can use the Zoom Options tab to change the default report view you see when you click on a table item.
6. Click the Save link below the report title to save your modified report.

Generating v7 Profile Pre-Defined Reports
1. Click the Admin link at the top of the page to return to the Admin page.
2. Click on the Show Reports link next to the v7 profile you created. The browser displays the Overview Report for the profile. The left navigation pane displays a list of pre-defined reports.
3. Select a pre-defined report from the left navigation pane. The browser displays the report in the central pane. You can click on links within the report to view more detailed information about a report element and select Zoom Options.
4. Click on the white Date Range link or icon at the top of the page. A pop-up window allowing you to isolate a specific period of log file data appears.
5. Apply a date range.
6. Click on the white Filter link or icon at the top of the page. A pop-up window containing filter field options appears. Create a filter and apply it, just as you did with the v8 profile report.
Note: When you create a filter in a profile, it is applied to all the reports that you generate from that profile, but you can create only one filter per profile. You can activate or deactivate the filter for individual reports.
7. Click the Save link below the report title to save your modified report.

BlueCoat AV/Blue Coat SG Integration

Objectives
• Installing the BlueCoat AV
• Configuring the BlueCoat AV and the Blue Coat SG for virus scanning

Scenario
Web virus scanning is the process of examining files to determine if they are infected with an Internet-based threat (virus, worm, Trojan, or spyware). BlueCoat AV appliances enable organizations to scan for such malware entering their networks via:
• Personal Web e-mail accounts, where most viruses and worms propagate
• Web spam or e-mail spam, which activates Trojan downloads or hidden spyware
• Browser-based file downloads that bypass existing virus scanning defenses

Before You Begin
The BlueCoat AV's virus-scanning capabilities are implemented through an "off-box" solution using Internet Content Adaptation Protocol (ICAP) as the communication mechanism between the Blue Coat SG and the BlueCoat AV (or other ICAP virus scanning servers). Be aware that deploying ICAP with the Blue Coat SG and the BlueCoat AV appliances is performed in five stages:
1. Defining and configuring ICAP settings for the BlueCoat AV
2. Defining and configuring the ICAP option on the Blue Coat SG
3. Configuring and constructing a Blue Coat virus policy
4. Creating an optional patience page
5. Testing the configuration and new policy
Note: This exercise uses a BlueCoat AV virus-scanning appliance and a Blue Coat SG appliance. However, the same ICAP configuration steps apply if you are using a Blue Coat SG and another vendor's scanning server. See that vendor's documentation for specific ICAP configuration information for its products. A table listing the URLs of supported ICAP servers appears at the end of this exercise.

Steps

Defining and Configuring ICAP on the Blue Coat SG
You will create two new ICAP services: one for outbound requests (uploads) and the other for inbound requests (downloads).
1. Through the Blue Coat SG Management Console, select Configuration > External Services > ICAP. The Management Console displays the ICAP Services page.
2. Click the New button. The Add list item dialog box appears.
3. In the Add ICAP Service window, type Inbound for the ICAP service name, then click OK.
4. Click the Apply button in the Management Console.
5. Through the Proxy SG Management Console, highlight the inbound ICAP service you just defined, and then click the Edit button. The Edit ICAP Service Inbound dialog box appears.
6. In the Service URL field of the dialog box, enter the virus scan server's ICAP service path icap://<ICAPVirusScan Server's IP Address>/avscan. This is the IP address and service name of the BlueCoat AV appliance, which appears on your class handout.
7. In the ICAP v.1.0 Options section, click the Sense settings button. A dialog box appears asking you to confirm that you want to retrieve settings from the ICAP server. Click OK. A new dialog box appears when Blue Coat SG registers the settings. Click Close.
8. Check the Enable box next to Patience page delay and type 5 in the seconds dialog box.
9. Under Health Check options, click the Register button. A dialog box appears, asking you to confirm that you want to register the service for health checks. Click OK.
10. Click OK on the dialog box and return to the Edit ICAP Service Inbound dialog box.
11. Click OK on the Edit ICAP Service Inbound dialog box.
12. Return to the Blue Coat SG Management Console and click the Apply button.
13. A Commit Results dialog box appears. Click OK.

Configuring and Constructing a Blue Coat Virus Policy
You now need to write a policy for the ICAP response (inbound) service you previously defined.
1. Through the Proxy SG Management Console, select Configuration > Policy > Visual Policy Manager and then click the Launch button. The Visual Policy Manager (VPM) appears.
2. From the VPM menu bar, select Policy > Add Web Content Layer. The Add New Layer dialog box appears. Accept the default name by clicking OK.
3. Right-click the Action field, then select Set from the drop-down menu. The Set Action Object dialog box appears.
4. Click the New button, then select Set ICAP Response Service from the drop-down menu. The Add ICAP Response Service Object dialog box appears.
5. Make sure that the radio button next to Use ICAP response service is selected. Select inbound from the drop-down menu.
6. In the Error handling section, make sure that the radio button next to Deny the client request is selected.
Note: Error handling options enable you to decide whether the Blue Coat SG should allow the client to receive the object if the ICAP server is nonresponsive. If you choose the Deny the client request option, the client does not receive any content. Blue Coat recommends this option for optimum security. The second option is Continue without further ICAP response processing. If this option is selected, the client receives the original, unscanned content.
7. Click OK in the Add ICAP Response Service Object and the Set Action Object dialog boxes.
8. In the VPM, click the Install Policy button. You have now enabled the BlueCoat AV or other virus-scanner server to scan inbound files.

Creating an Optional Patience Page
You can create a custom patience page to notify users when the BlueCoat AV is scanning large attachments.
1. Through the Blue Coat SG Management Console, select Configuration > External Services > ICAP and then click on the ICAP Patience Page tab.
Note: The Header, Summary, Details, and Help buttons enable you to customize your patience page.

Testing the Configuration and New Policy
Check the Blue Coat SG's event log to make sure that the new virus-scanning service is working.
1. Type this URL in the browser you have configured to go through your Blue Coat SG as proxy: http://www.eicar.org and click the AntiMalware Testfile link.
2. Click the link for eicar_com.zip.
3. Successful configuration of the Blue Coat SG and the BlueCoat AV will produce an error result from the BlueCoat AV. If you are able to download eicar.com, you need to recheck your configurations on both appliances.
4. To test your patience page, go to the URL your instructor has provided for you.
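As an added example, not from the course or from Blue Coat's own code, the following Python models the Sense settings exchange from the ICAP service steps: it parses an icap:// service URL (defaulting to port 1344, the port the supported-servers table uses), builds the RFC 3507 OPTIONS request the proxy sends, parses a constructed OPTIONS reply, and checks that the service offers RESPMOD, which an inbound (response) service needs. The server name, ISTag, User-Agent string and placeholder address are assumptions.

```python
"""Model the 'Sense settings' exchange between the Blue Coat SG and an ICAP
virus-scanning service (RFC 3507 OPTIONS): parse the service URL, build the
request the proxy sends, and read the settings the scanner reports back.
The server reply below is constructed for this example."""
from urllib.parse import urlsplit

ICAP_DEFAULT_PORT = 1344  # RFC 3507 default; the supported-servers table spells it out


def parse_service_url(url):
    """Split icap://host[:port]/path into (host, port, path), defaulting the port."""
    parts = urlsplit(url)
    if parts.scheme != "icap" or not parts.hostname:
        raise ValueError(f"not an ICAP service URL: {url!r}")
    return parts.hostname, parts.port or ICAP_DEFAULT_PORT, parts.path or "/"


def build_options_request(url):
    """Bytes an ICAP client sends to learn a service's capabilities."""
    host, port, path = parse_service_url(url)
    lines = [
        f"OPTIONS icap://{host}:{port}{path} ICAP/1.0",
        f"Host: {host}",
        "User-Agent: example-icap-client/0.1",  # assumed client name, not SGOS's
        "Encapsulated: null-body=0",            # OPTIONS carries no HTTP message
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_options_response(raw):
    """Return the settings the Edit ICAP Service dialog fills in after sensing."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    status_line, *header_lines = head.split("\r\n")
    version, code, *_ = status_line.split(" ", 2)
    if version != "ICAP/1.0" or code != "200":
        raise ValueError(f"OPTIONS failed: {status_line}")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "encapsulated" not in headers:  # RFC 3507 requires it on every ICAP message
        raise ValueError("missing Encapsulated header")
    return {
        "methods": [m.strip() for m in headers.get("methods", "").split(",") if m.strip()],
        "service": headers.get("service", ""),
        "istag": headers.get("istag", "").strip('"'),  # changes when signatures update
        "preview": int(headers["preview"]) if "preview" in headers else None,
        "allow_204": "204" in headers.get("allow", ""),  # server may answer 'unmodified'
        "options_ttl": int(headers["options-ttl"]) if "options-ttl" in headers else None,
    }


def usable_as_response_service(settings):
    """An inbound (download) service must offer RESPMOD, the method behind the
    'Set ICAP Response Service' policy object; REQMOD alone only covers uploads."""
    return "RESPMOD" in settings["methods"]


# Constructed reply from a scanner; header values are assumptions.
SAMPLE_OPTIONS_RESPONSE = (
    b"ICAP/1.0 200 OK\r\n"
    b"Methods: RESPMOD\r\n"
    b"Service: Example AV ICAP Server 1.0\r\n"
    b'ISTag: "AVDB-20080310-1"\r\n'
    b"Encapsulated: null-body=0\r\n"
    b"Max-Connections: 100\r\n"
    b"Options-TTL: 3600\r\n"
    b"Allow: 204\r\n"
    b"Preview: 1024\r\n"
    b"Transfer-Preview: *\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    url = "icap://192.0.2.10/avscan"  # placeholder for the scanner's address
    print(build_options_request(url).decode("ascii"))
    settings = parse_options_response(SAMPLE_OPTIONS_RESPONSE)
    print(settings, "usable for inbound scanning:", usable_as_response_service(settings))
```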
Policy Clean-up
1. To set the policy back to default for the next lab, through the Management Console, select Policy > Visual Policy Manager and click Launch.
2. Right-click each Policy layer tab and select Delete from the drop-down menu. Click the Install Policy button to accept the new policy.

Supported ICAP Servers

Table 19.1: Supported ICAP servers
Server Type              URL
BlueCoat AV              icap://IPaddressoftheserver
Symantec SAVSE v. 4      icap://IPaddressoftheserver:1344/avscan
Finjan SurfinGate 6.05   icap://IPaddressoftheserver:1344
Webwasher                icap://IPaddressoftheserver:1344/wwrespmod

Using Instant Support

Objective
Using Blue Coat Instant Support.

Scenario
Instant Support is a self-help online tool that is continually being updated by Blue Coat Systems® support technicians. Understanding how to use it can enable you to get instant answers to your questions about Blue Coat's products.

Steps
1. Go to the Blue Coat Web site (http://www.bluecoat.com) and then click Instant Support in the upper right section of the page. The browser opens a separate Welcome to Blue Coat Instant Support window.
2. In the Name field, type Guest.
3. In the Product field, select SGOS 4.x from the drop-down menu and then click Go. The browser window displays a page with a text box where you can type in a question.
4. Type NTLM Authentication into the Guest text window and then click Go. The browser window displays a list of options for providing Instant Support with details about your question. Note that you can scroll up the page to see the history of your inputs in the Instant Support system and the system's responses.
5. Click the radio button next to the option 08)You want instructions for configuring NTLM/IWA Authentication on the ProxySG. The browser window displays information related to your question. Also note that you can print the page with your answer. Alternatively, you can scroll to near the bottom of the page and click a link to have the solution e-mailed to you.
6. Respond to the question at the bottom of the page: Did this help to answer your question? If you answer Yes, the browser window provides a Feedback link that gives you the opportunity to ask additional questions. If you answer No, the browser returns you to the previous page containing options for asking questions. Note that you also have the option to open a case in WebPower, Blue Coat System's online customer support service.

Review: Authentication

Objective
Testing your understanding of authentication and time-based policies.

Scenario
In this exercise, you will implement authentication according to the internal memos and the additional instructions below.

Internal Memo 1
Attention: Administrator
From: Human Resources
Priority: High
Action:
1. No one is allowed to use company resources to view news articles from the following sites: cnn.com, news.
2. Due to the undesired lower morale after blocking news resources, allow employees the ability to access these sites during their lunch break. Lunch is defined as Monday through Friday, 11 a.m. to 1 p.m.

Internal Memo 2
Attention: Administrator
From: Human Resources
Priority: Low
Action:
1. All Web activity must be tied to individual users.
2. Block Sales from accessing online shopping sites.

Special Instructions
• A combined time object is needed for this task.
• If the proxy clock is not set, policy probably will not work.

Review: Content Filtering

Objective
Testing your understanding of policy and content filtering.

Important: You need to reset your Blue Coat® SG™ to factory defaults before starting this exercise. From the enable mode of the CLI, use the command:
SGOS4# restore-defaults factory-defaults

Scenario
In this exercise, you will implement policy according to the internal memos and the additional instructions below.

Internal Memo 1
Attention: Administrator
From: Human Resources
Priority: High
Action: Block all sports sites until further notice.

Internal Memo 2
Attention: Administrator
From: Human Resources
Priority: Low
Action: Block the following individual sites:
• amazon.com
• outpost.com
• casino.com

Additional Instructions
• Block all Web mail attachments and posting, but allow users to read their e-mail.
• Deny access to all job-search sites. Test by trying to access www.monster.com.
• Add the message "<Client IP> attempted to reach <URL>" to the event log every time a user tries to access a forbidden site.

Question
If rules blocked business sites and then search engines, would Yahoo!® be allowed or denied?