Upload
others
View
6
Download
0
Embed Size (px)
Citation preview
Security Empowers Business
DA
TAS
HE
ET
SSL VISIBILITY
APPLIANCES
GREATER VISIBILITY INTO NETWORK TRAFFIC, HIGHER PERFORMANCE FOR SECURITY APPLICATIONSA new offering within the Security and Policy Enforcement Center, the Blue Coat SSL Visibility Appliance decrypts multiple streams of SSL content across all network ports to provide intrusion detection and prevention (IDS/IPS), logging, forensics, and data loss prevention. The SSL Visibility Appliance preserves complete network and web traffic histories necessary for compliance, threat analysis, and more. This enables organizations to add SSL inspection capabilities to their network security architecture and close the security loophole created by SSL; it also allows network appliance manufacturers to provide their security applications with visibility into both SSL and non-SSL network traffic and increase their applications’ performance.
Features and Benefits
The unique capabilities of the Blue Coat SSL Visiblity Appliance helps to remove risks arising from lack of visibility into SSL traffic while also increasing the performance of security and network appliances.
• Line-rate Network Performance:
› Non-SSL flows will be sent to the attached security appliance(s) or cut-through in less than 40 microseconds, minimizing delay for applications, such as VoIP.
› Supports decryption of up to 4 Gbps of SSL traffic for a variety of SSL versions and cipher suites.
• Scalable Flow-based Processing: At up to 40 Gbps, the SSL Visibility appliance supports the analysis of up to 6,000,000 simultaneous TCP flows to check if they contain SSL.
• High Connection Rate/Flow Count: The SSL Visibility Appliance supports up to 400,000 concurrently active SSL sessions that are being inspected. The setup and teardown rate of up to 11,500 SSL sessions per second is more than 10x higher than other solutions.
• Network Transparency: Deploying the SSL Visibility Appliance is transparent to end systems and to intermediate network elements and does not require network reconfiguration, IP addressing or topology changes, or modification to client IP and web browser configurations.
• Application Preservation: Intercepted plaintext is delivered to security appliances as a generated TCP stream with the packet headers as they were received. This allows applications and appliances, such as IDS, IPS, forensics and data loss prevention, to expand their scope to provide benefits for SSL-encrypted traffic.
• Input Aggregation: Allows aggregation of traffic from multiple network taps onto a single passive-tap segment for inspection.
• Output Mirroring: Allows the SSL Visibility Appliance to feed traffic to up to two attached passive security appliances in addition to the primary security appliance.
• Management: Powerful web UI management interface. Custom web UI and third-party management options for OEMs.
• High Availability: Integrated fail-to-wire/ fail-to-open hardware and configurable link
state monitoring and mirroring for guaranteed network availability and network security.
• FIPS 140-2 Level 2 Certification: Versions of the product that are certified to FIPS 140-2 Level 2 will be available. (In process)
• Flexibility: Supports both passive and active appliances.
› In-line and Tap modes of operation
› Inbound and outbound SSL visibility
› Support for asymmetrically routed traffic
• SSL Policy Enforcement: Provides a single point to control usage of SSL throughout the enterprise.
• Web-based Management: The SSL Visibility Appliance is configured and managed via an SSL-secured, web-based graphical user interface, keeping administration simple.
• E-mail Alerting: Logs can be configured to trigger alerts that can be forwarded via email immediately or at intervals to designated network administrators.
• SSL Session Identification: The session log provides details of all SSL flows, inspected or not, allowing suspicious trends or patterns of SSL use to be detected.
BLUE COAT SSL VISIBILITY APPLIANCESSV1800 / SV2800 / SV3800
Security Empowers Business
Security Empowers Business
DA
TAS
HE
ET
Blue Coat Systems Inc. www.bluecoat.com
Corporate Headquarters Sunnyvale, CA
+1.408.220.2200
EMEA Headquarters Hampshire, UK
+44.1252.554600
APAC Headquarters Singapore
+65.6826.7000
© 2013 Blue Coat Systems, Inc. All rights reserved. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Information contained in this document is believed to be accurate and reliable as of the date of publication; however, it should not be interpreted to be a commitment on the part of Blue Coat, and Blue Coat cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Blue Coat makes no warranties, express, implied, or statutory, as to the information in this document. The information contained in this document was developed for products and services offered in the U.S. Blue Coat may not offer the products, services, or features discussed in this document in other countries. Consult your local Blue Coat representative for information on the products and services currently available in your area. Blue Coat products, technical services, and any other technical data referenced in this document are subject to U.S. export control and sanctions laws, regulations and requirements, and may be subject to export or import regulations in other countries. You agree to comply strictly with these laws, regulations and requirements, and acknowledge that you have the responsibility to obtain any licenses, permits or other approvals that may be required in order to export, re-export, transfer in country or import after delivery to you. Blue Coat may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. Blue Coat, ProxySG, PacketShaper, CacheFlow, IntelligenceCenter and BlueTouch are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. v.DS-SSL-VISIBILITY-APPLIANCES-SV1800-SV2800-SV3800-EN-v2e-0613
Multiple Segment Support
Supports multiple in-line or tap segments that feed one or more active or passive attached appliances. Number of segments varies depending on model number.
Support for multiple re-signing CAs, as well as server keys, allowing rules based per-flow signatures and keys.
Port MirroringDecrypt once, feed many
Capable of sending copies out to many devices over the additional ports on the SSL Visibility Appliances. This allows you to feed all traffic (decrypted and non-SSL) to additional passive devices on the network.
Network 1 InNetwork 1 Out
Network 2 OutNetwork 2 In
Forensics / APMCompliance / IDSIn-line IPS, XPS,
Malware
Network In Network Out
SV1800 SV2800 SV3800PERFORMANCE
Total Throughput 4 Gbps (line rate) 20 Gbps (line rate) 40 Gbps
SSL Inspection Throughput 1.5 Gbps 2 Gbps 4 Gbps
Cut-through Latency <40µs <40μs <40µs
Concurrent SSL Flow States 100,000 200,000 400,000
SSL Flow Setups/Teardowns 6,500 per second 9.500 per second 11,500 per second
SSL Session Log Entries 50,000,0000 50,000,0000 50,000,0000
SPECIFICATIONS
Configurations Network Interfaces: Fixed 8 x 1 Copper or 8 x 1 Fiber (SX)
Network Interfaces: 3 Netmod Slots - Various 1 Gbps and 10 Gbps Interface Options
Network Interfaces: 7 Netmod Slots - Various 1 Gbps and 10 Gbps Interface Options
Power Supplies 1+1 Redundant 450W 1+1 Redundant 650W 1+1 Redundant 750W
Management Interfaces 2 x RJ45 2 x RJ45 2 x RJ45
Display LCD 20 x 2 Char. Display LCD 20 x 2 Char. Display LCD 20 x 2 Char. Display
Operating Temperature 5°-40°C 10°- 35°C 10°-35°C
Storage Temperature -10-60° C -10-60° C -10-60° C
Dimensions (in.) H x W x D 1.75 x 17 x 20 1.75 x 17.5 x 29 3.5 x 17.5 x 29
Regulatory and Environmental Standards/Compliance
CE (EN55022, EN55024, EN60950), FCC part 15 class A, UL60950-1
Modes of Operation (per network segment)
Passive Tap, Passive In-line, Active In-line (Fail-to-wire), Active In-line (Fail-to-Appliance)
Proxying Modes (per network segment)
Controlled-client (Re-sign) Mode [In-line Only], Controlled-server (Known-key) Mode
Encryption TLS 1.0, TLS 1.1, TLS 1.2, SSL3, partial SSL2
Public Key Algorithms RSA, DHE, ECDHE
Symmetrical Key Algorithms AES, 3DES, DES, RC4, Camellia
Hashing Algorithms MDS, SHA-1, SHA-2
RSA Keys 512-8192 bits
SSL VisibilityAppliance
CN: GmailCA: ProxySG Cert
Security SolutionProxyAV, DLP, etc.
Encrypted Traffic
ProxySG
Decrypted Traffic
CERTIFICATE
CN: GmailCA: ProxySG Cert
CERTIFICATE
CN: GmailCA: Verisign
CERTIFICATE