Overview
Unique to ProxySG is the SGOS object-based operating system with integrated
caching. Unlike Windows, Linux or other file-based operating systems,
SGOS is a web object container designed from the ground up to process
web objects very efficiently. SGOS is not a file system, and general-purpose
applications will not run in its environment. Small in size, the
SGOS image and its configuration are stored five times on each disk within
ProxySG appliances for quick backup, recovery and failover.
Beyond SGOS is a custom TCP stack, also designed for optimal processing
of web communications.
Together, the SGOS and its unique TCP communication
stack provide unmatched low latency and scalability for
web communications. In performance tests the ProxySG
provides latency of 5-7 ms while managing traffic
loads into the 90+% CPU utilization range, whereas
general-purpose operating systems show significant latency
at the 60% CPU utilization range with a fraction of the
load.
As a proxy appliance, the ProxySG provides proxy services
for the protocols and applications below with visibility
into more than 580 web request/reply elements, all at
unmatched performance throughputs with low latency.
ProxySG manages HTTP, HTTPS, FTP, P2P, Telnet, SOCKS,
DNS, IM (AIM, MSN, Yahoo), Streaming Media (MMS, Real,
QuickTime), plus a TCP-Tunnel for unique applications.
Web Request/Response Visibility
As the Blue Coat proxy appliances see all Web requests and responses,
they gather complete details on the transaction between users and servers.
Details gathered can be used to implement policies and produce reports
on usage.
Some of the knowledge attributes gathered include:
- Valid user information
- Group membership
- Site and IP address of workstation
- Time & day and elapsed time of communication
- Protocol used
- Agent (browser or media player version)
- Web page category (from filtering list)
- File and MIME type
- Complete URL of all objects
- History of all requests
- Active content types
- Bandwidth utilized
Policy Processing Engine
The Blue Coat proxy appliances include a granular policy-processing engine
that can manipulate data based on rules defined by the system manager.
Data manipulation decisions are defined using the information gathered
from the Web Request/Response elements noted above, with multi-level
policies combining conditions with the logical operators AND, OR and NOT.
The policies can perform the following actions:
- Allow the content through to the user unchanged
- Block the content from the user
- Replace the requested content with other content
(perhaps a local web usage page)
- Send the content to ProxyAV (for virus scanning),
sending the data to the user after ProxyAV has performed
its task
As an example, you can set a policy to block all Visual
Basic scripts except those that are known to originate
from a trusted source such as an internal server. Or
perhaps you want all ActiveX scripts to be scanned
regardless of their origin. For spyware prevention, you
may want to allow page views only after harmful drive-by
installers have been removed. You have the flexibility
to adapt policies to your own circumstances and to emerging
security threats.
The Visual Policy Manager allows an administrator to
define powerful security policies from an almost
limitless set of combinations of:
- Individual users
- Groups of users
- Time of day
- Location
- Protocol type
- User agent
- Content type
- Bandwidth usage
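One way to model the rule combinations described above, as an added example that is not Blue Coat's code or its policy language: conditions over transaction attributes (user, group, time of day, protocol, agent, content type, server) are combined with AND / OR / NOT and each rule maps to one of the listed actions. The attribute names, hosts, hours and rule names are assumptions chosen for the illustration.

```python
# Added illustration (not Blue Coat's code or policy language): a first-match
# policy evaluator modelling how the engine above combines transaction
# attributes with AND / OR / NOT and maps rules to allow/block/replace/scan.
from dataclasses import dataclass
from typing import Callable

Condition = Callable[[dict], bool]  # predicate over transaction attributes

def attr(name: str, *values: str) -> Condition:
    """True when the named transaction attribute equals any listed value."""
    return lambda tx: tx.get(name) in values

def between_hours(start: int, end: int) -> Condition:
    """True when the transaction's hour (0-23) falls in [start, end)."""
    return lambda tx: start <= tx.get("hour", -1) < end

def AND(*conds: Condition) -> Condition:
    return lambda tx: all(c(tx) for c in conds)

def OR(*conds: Condition) -> Condition:
    return lambda tx: any(c(tx) for c in conds)

def NOT(cond: Condition) -> Condition:
    return lambda tx: not cond(tx)

@dataclass
class Rule:
    name: str
    when: Condition
    action: str            # "allow", "block", "replace" or "scan"
    replacement: str = ""  # URL served instead of the content for "replace"

def evaluate(rules: list, tx: dict, default: str = "allow") -> tuple:
    """Ordered evaluation: the first rule whose condition matches decides."""
    for rule in rules:
        if rule.when(tx):
            return rule.action, rule.name
    return default, "default"

# Hypothetical policy mirroring the page's example: Visual Basic scripts are
# blocked unless served by a trusted internal source, ActiveX is always sent
# for scanning, and game sites are replaced by a usage page during work hours.
TRUSTED = OR(attr("server_host", "intranet.example.internal"), attr("server_net", "internal"))
POLICY = [
    Rule("allow-trusted-vbs", AND(attr("content_type", "text/vbscript"), TRUSTED), "allow"),
    Rule("block-vbs", attr("content_type", "text/vbscript"), "block"),
    Rule("scan-activex", attr("content_type", "application/x-oleobject"), "scan"),
    Rule("work-hours-games", AND(attr("category", "games"), between_hours(9, 17), NOT(attr("group", "IT"))),
         "replace", "http://proxy.example.internal/usage"),
]
```

Rule order matters: the narrow "allow-trusted-vbs" exception must precede the broad "block-vbs" rule, exactly as the page's "block all except trusted" example requires.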
Effective policy control includes the process of determining
which users have rights to access your valuable corporate
data. These steps are known as authentication, authorization,
and accounting.
Authentication, Authorization and Accounting
An effective enterprise web security infrastructure begins with the three
A's: Authentication, Authorization, and Accounting. These services serve
as the jumping-off point for user and content control. Every network
already has authentication systems deployed: as users power up their
systems, they are challenged to enter a valid name and password to access
network resources. Blue Coat proxy appliances do not require system managers
to create and administer another set of user databases; instead
they leverage existing authentication realms, either challenging users
when they attempt to access Web resources or transparently checking existing
authentication services.
There are many ways to identify a user, including:
- User identity: based on a successful challenge
and valid authentication to a security database or
directory. The authentication method can come in many
forms, including password, certificate, and tokens.
The authentication credentials are passed to the security
database or directory for authentication. A successful
authentication identifies the user.
- Group identity: similar to user-specific
authentication, group-based identity determines a given
user's role within an organization. Typically this
is membership in a group or an attribute condition within
a given namespace.
- Network identity: based on an IP address,
subnet or network identifier.
Once the system determines the identity for a given
request, the next step, Authorization, is to associate
policy with the authenticated identity. In short,
authorization is the set of rules that govern what resources
a user can access and what they can do with those
resources.
Here, the visual policy management software allows
the system manager to create access rules for individual
users or groups as defined within the existing authentication
services.
The last piece of the AAA puzzle is accounting. Systems
that grant access to resources must also effectively
track the use of those resources. This accounting information
is necessary to audit events in cases of fraud or
malicious use, or to establish proof of what occurred.
The Blue Coat Reporter application provides graphical reports
of usage by user and group definitions.
The Blue Coat Solution
SGOS Descriptor
Blue Coat proxy appliances are able to control inbound
and outbound web access while delivering web content
at line speed to users because of the performance of
the operating system underlying all aspects of the devices.
SGOS is a high-performance, multi-threaded, object-based
operating system, originally designed for the fastest
access to disk subsystems without the overhead
of general-purpose operating systems that can delay
the delivery of data.
SGOS uses an object store subsystem with a hash table
kept in RAM. This enables read and write commands to
be executed with one disk I/O, faster than FAT-based
operating systems.
The disks have a background disk optimizer, placing data
in the optimal position for fast retrieval of related objects.
Multiple objects are requested in parallel (object pipelining):
as the proxy appliance parses the HTML page, it requests
the embedded objects before the user agent asks for them.