Bcs RA ProxySG - SWG May 2014

Slide 1

Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved. Blue Coat Confidential – For Internal and Official Channel Partner Use Only

SECURE WEB GATEWAY REFERENCE ARCHITECTURE


Slide 2


SECURE WEB GATEWAY: FUNCTIONS

[Diagram: SWG functions grouped by layer]
Connectivity: Transparent (Inline, WCCP, Loadbalanced); Explicit Proxy / PAC / WPAD; Proxy Forwarding
Platform: Appliance; Virtual Appliance; Cloud; Hybrid
Policy / Enablement: SSL Inspection; Authentication; Authorization; Logging; ICAP & E-Tap Integration
Services: Categorization; Anti-malware; App & Operation Controls; DLP; IDS; White & Blacklisting; Sandboxing; GEO Location (Roadmap); Object Caching; Security Analytics Platform; Global Intelligence Network
Management: Local; Central; Reporting: On-Premise, Cloud or Unified; Unified Policy; Appliance Monitoring

Last Updated: 20.12.2013

Platform: We provide a choice of deployment options. Customers can deploy SWG
- on-premise as an appliance,
- as a virtual appliance,
- using our cloud service, or
- as a hybrid of these.

Connectivity: There are many ways to deploy SWG. Customers can deploy ProxySG transparently or explicitly.
- Transparent: achieved by deploying ProxySG physically inline using bridge interface configurations, by using WCCP to redirect traffic from Cisco switches / routers, or by using traffic redirection from L4-L7 load balancers.
- Explicit: achieved by configuring proxy settings in browsers, by using PAC files, or by using WPAD (in MS environments).
- Proxy forwarding: proxy systems can be chained, and traffic can be forwarded from one proxy to another.
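As an added example, not taken from the Blue Coat deck: a PAC file implementing the explicit-proxy option described above. A browser calls FindProxyForURL for every request and follows the returned proxy list in order. The proxy hostnames, port and internal address ranges are assumptions; the helper functions isPlainHostName, dnsDomainIs and isInNet are normally provided by the browser's PAC engine and are re-implemented here as constructed shims so the file can be executed under Node.

```javascript
// Added example: PAC file for explicit-proxy deployment of ProxySG.
// Not from the deck; proxy names, port and internal ranges are assumptions.
// The helpers below are normally supplied by the browser's PAC runtime and
// are re-implemented here (constructed shims) so the file runs under Node.

const PROXY_PRIMARY = "PROXY proxysg1.corp.example:8080";   // assumed hostname
const PROXY_BACKUP = "PROXY proxysg2.corp.example:8080";    // assumed hostname

// --- shims for the standard PAC helper functions ---------------------
function isPlainHostName(host) {
  return host.indexOf(".") === -1;                  // e.g. "intranet"
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(host.length - domain.length) === domain;
}
function ip4ToInt(ip) {
  return ip.split(".").reduce((acc, oct) => ((acc << 8) | parseInt(oct, 10)) >>> 0, 0);
}
// Unlike the browser's isInNet, this shim does not resolve names: only a
// literal dotted-quad host matches, which is the safer behaviour anyway
// (a DNS lookup inside PAC evaluation can be slow or spoofed).
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ip4ToInt(mask);
  return (ip4ToInt(host) & m) === (ip4ToInt(net) & m);
}

// --- the policy itself ----------------------------------------------
function FindProxyForURL(url, host) {
  // Single-label intranet names and the corporate domain never leave via
  // the gateway.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Loopback and RFC 1918 space go direct as well.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else goes to the gateway, with a backup proxy. The list
  // deliberately does not end in "; DIRECT": if both proxies are down the
  // browser fails closed instead of bypassing the SWG.
  return PROXY_PRIMARY + "; " + PROXY_BACKUP;
}
```

Two points worth keeping in mind when writing a real PAC file: modern browsers strip the path and query from https:// URLs before calling FindProxyForURL, so decisions should key on host rather than url; and appending "; DIRECT" as the last entry turns any proxy outage into a silent bypass of the gateway, which is exactly the fail-open behaviour a security gateway should not have.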

Policy: Policy is the enabler for all services / functionalities on ProxySG. It triggers authentication, authorization, logging, SSL interception and also ICAP and encrypted TAP integration. Policy (Content Policy Language, CPL) is still a great differentiator and provides unmatched flexibility.

Services: SWG provides services like URL categorization, anti-malware scanning (via ICAP), application and operation controls, DLP (via ICAP), IDS (via encrypted TAP), Security Analytics Platform integration (via encrypted TAP), white and blacklisting (of URLs, IP addresses, applications, etc.), sandboxing (via ICAP – CAS & MAA, or encrypted TAP – FEYE), object caching and integration into our Global Intelligence Network (WebPulse). GEO Location of the requested servers is on the roadmap.

Management: SWG can be managed locally or using a central management system. In a hybrid deployment, policy can be synchronized from Cloud to ProxySG (Unified Policy). Cloud or Central Manager can be used for detailed appliance monitoring. Customers have a choice of using Reporter on-premise for ProxySG, Cloud Reporting for Cloud, or a unified deployment (Reporter for both or Cloud for both).


Slide 3

SECURE WEB GATEWAY: DATA & WORKFLOW

[Diagram: User -> Request -> ProxySG (SWG Core, with SSL, Auth DB and Reporter) -> Internet; Global Intelligence Network; Content Analysis System and DLP attached via ICAP; Security Analytics Platform attached via E-Tap; Malware Analysis attached to the Content Analysis System]

Last Updated: 20.12.2013

1: User requests a URL
2: ProxySG authenticates and authorizes the user
3: ProxySG categorizes the URL via a BCWF database lookup and, if necessary, in real time via the Global Intelligence Network (WebPulse)
4: If the traffic is SSL encrypted, ProxySG can decrypt it and also send a clear-text copy of the request to the Security Analytics Platform via encrypted TAP
5: Outbound data can be sent to a DLP system using ICAP
6: ProxySG receives the response from the OCS (origin content server) / Internet
7: The response can be sent to the Content Analysis System for malware scanning
7.1: Certain files (not known good and not known bad) can be sent to MAA for deeper analysis via sandboxing. Note that this crosses the real-time border: analysis results take at least 60 seconds
8: If the traffic is SSL encrypted, ProxySG can decrypt it and also send a clear-text copy of the response to the Security Analytics Platform via encrypted TAP
9: Content is served to the client
10: Access log data can be uploaded to Blue Coat Reporter
11: MAA provides feedback to CAS; if the file was malicious, subsequent requests for it will be blocked. Scanning results can also be sent to the Global Intelligence Network
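Steps 5 and 7 both hand a message to an external scanner over ICAP. As an added example, not from the deck and not ProxySG's own code, the following shows what that hop looks like on the wire for the DLP case: framing an ICAP REQMOD request per RFC 3507 (the Encapsulated header must carry correct byte offsets, and any body is chunked) and turning the ICAP server's reply into the action the gateway takes. The service URI, hostnames, ISTag values and both sample messages are constructed for this example.

```javascript
// Added example (not from the deck, not ProxySG code): ICAP REQMOD framing
// and verdict handling per RFC 3507. Service URI, hosts and samples are
// constructed for illustration.

const CRLF = "\r\n";

// Build an ICAP REQMOD message carrying the client's HTTP request.
//   icapUri  - ICAP service URI (assumed), e.g. icap://dlp.corp.example:1344/reqmod
//   icapHost - value for the ICAP Host header
//   httpHead - HTTP request line + headers, CRLF-separated, no trailing blank line
//   body     - HTTP request body ("" if none)
// Encapsulated gives byte offsets of each section within the ICAP body,
// which starts immediately after the ICAP header block.
function buildReqmod(icapUri, icapHost, httpHead, body) {
  const reqHdr = httpHead + CRLF + CRLF;
  const hdrLen = Buffer.byteLength(reqHdr);
  let encapsulated, encBody;
  if (body.length > 0) {
    encapsulated = `req-hdr=0, req-body=${hdrLen}`;
    // Encapsulated bodies are always chunked (RFC 3507 section 4.5).
    encBody = Buffer.byteLength(body).toString(16) + CRLF + body + CRLF + "0" + CRLF + CRLF;
  } else {
    encapsulated = `req-hdr=0, null-body=${hdrLen}`;
    encBody = "";
  }
  const icapHead = [
    `REQMOD ${icapUri} ICAP/1.0`,
    `Host: ${icapHost}`,
    "Allow: 204",                 // server may answer 204 "unmodified" without a body
    `Encapsulated: ${encapsulated}`,
  ].join(CRLF) + CRLF + CRLF;
  return icapHead + reqHdr + encBody;
}

// Split a header block into { startLine, headers } with lower-cased names.
function parseHeaderBlock(block) {
  const lines = block.split(CRLF);
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { startLine: lines[0], headers };
}

// Map a raw ICAP response to the gateway's action:
//   204            -> "forward": send the original request unchanged
//   200 + req-hdr  -> "forward_modified": send the rewritten request instead
//   200 + res-hdr  -> "block": the server substituted an HTTP response
//                     (e.g. a DLP block page); deliver that to the client
//   anything else  -> "error": whether to fail open or closed is policy
function parseIcapResponse(raw) {
  const end = raw.indexOf(CRLF + CRLF);
  if (end < 0) throw new Error("incomplete ICAP header block");
  const { startLine, headers } = parseHeaderBlock(raw.slice(0, end));
  const m = /^ICAP\/1\.0 (\d{3})/.exec(startLine);
  if (!m) throw new Error("bad ICAP status line: " + startLine);
  const status = Number(m[1]);
  if (status === 204) return { action: "forward", status, headers };
  if (status !== 200) return { action: "error", status, headers };
  const enc = headers["encapsulated"] || "";
  const encapsulated = raw.slice(end + 4);          // HTTP message returned by the server
  const hdrEnd = encapsulated.indexOf(CRLF + CRLF);
  if (hdrEnd < 0) throw new Error("incomplete encapsulated HTTP header block");
  const httpStartLine = parseHeaderBlock(encapsulated.slice(0, hdrEnd)).startLine;
  if (enc.startsWith("res-hdr")) return { action: "block", status, headers, httpStartLine };
  if (enc.startsWith("req-hdr")) return { action: "forward_modified", status, headers, httpStartLine };
  throw new Error("unexpected Encapsulated: " + enc);
}

// Constructed sample: the request the gateway would hand to the DLP service.
const SAMPLE_HTTP_HEAD = [
  "POST /upload HTTP/1.1",
  "Host: www.example.com",
  "Content-Type: text/plain",
  "Content-Length: 11",
].join(CRLF);
const SAMPLE_REQMOD = buildReqmod("icap://dlp.corp.example:1344/reqmod",
  "dlp.corp.example:1344", SAMPLE_HTTP_HEAD, "hello world");

// Constructed sample replies: a clean verdict and a DLP block page.
const SAMPLE_204 = ["ICAP/1.0 204 No Content", 'ISTag: "dlp-policy-7"',
  "Encapsulated: null-body=0"].join(CRLF) + CRLF + CRLF;
const SAMPLE_BLOCK = ["ICAP/1.0 200 OK", 'ISTag: "dlp-policy-7"',
  "Encapsulated: res-hdr=0, res-body=52"].join(CRLF) + CRLF + CRLF +
  ["HTTP/1.1 403 Forbidden", "Content-Type: text/plain"].join(CRLF) + CRLF + CRLF +
  "15" + CRLF + "Blocked by DLP policy" + CRLF + "0" + CRLF + CRLF;
```

The same framing applies to step 7 with RESPMOD in place of REQMOD and res-hdr/res-body sections in place of req-hdr/req-body. The "error" branch is the one to decide on deliberately: an ICAP server that is down or overloaded produces 5xx replies or timeouts, and the gateway's policy decides whether traffic then flows unscanned or is denied.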


Slide 4

SECURE WEB GATEWAY: TOPOLOGY

[Diagram labels: Users; Admin; User Directory; Switch; Central Management; ProxySG (Forward Proxy); Content Analysis; Malware Analysis; Firewall; Firewall; ProxySG (Reverse Proxy); Internet; Global Intelligence Network; Cloud Security Service; Remote User; Remote Office (direct to the Net) with ProxySG; MPLS]

Last Updated: 20.12.2013

This diagram shows an example deployment.

SWG:
- ProxySG is deployed at a central location; CAS is integrated via ICAP, and MAA via CAS, for local malware scanning.
- Note: CAS and MAA are located on the same subnet, connected to the same switch; however, there is no direct communication between ProxySG and MAA. MAA can only be integrated via CAS.
- ProxySG is deployed at a branch office and configured to forward internet traffic to the cloud. At the same time the branch office is connected to the HQ via the MPLS network.
- Remote users are protected by the cloud service.
- Another ProxySG is deployed in the DMZ as a reverse proxy in front of web servers.
- The lower part of the diagram shows users, the admin workstation, the central manager and a user directory (for example MS Active Directory).


Slide 5
