Solved

Alternative to Bluecoat ProxySG

Posted on 2013-12-26
Last Modified: 2016-03-17
Can you recommend an alternative to Bluecoat ProxySG? We are looking at a product with content filtering, malware protection and proxy service. Is Cisco WSA a good alternative?
Question by:Brian Garcia
9 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 39740087
Squid can be a good alternative.
0
 
LVL 3

Author Comment

by:Brian Garcia
ID: 39740099
We have used Squid but we don't like the filtering (DansGuardian, squidGuard). We have problems passing other protocols (Citrix, SSL VPN, etc.). So we used Bluecoat, but it's costly so we are looking for an alternative.

We are looking at Cisco Web Security Appliance since we can get it for a much lower price, but I don't know if it can replace the functionality of Bluecoat.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39741788
We use Sophos proxies with good results, but we don't inspect HTTPS as all the vendors we tried had issues, so maybe someone is doing it better these days. SafeSquid I've used in the past with good results, but the category lists from Sophos and others are typically better and more complete than what SafeSquid was using. The proxy should not be processing VPN traffic, well at least encrypted VPN traffic, you need a bypass/direct connection for them to work typically. Sophos is easy to use, good support and using WCCP instead of a PAC file was the best thing we did in our roll outs.
-rich
0
 
LVL 3

Author Comment

by:Brian Garcia
ID: 39745826
We need to inspect all internet traffic because this is part of our network policy. We may have a hard time implementing WCCP because of complex network routing and multiple network connections.

Bluecoat can do all our requirements, even HTTPS inspection, SSL VPN and Citrix access, but it's costly so we need to provide an alternative.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39745974
The VPN portion seems like it would give you very little protection over what is already in place for most networks. When you are connected via VPN it's like you're in the office. I don't see the VPN as critical from a security perspective. Are your users not doing split-tunnel? I don't see the VPN inspection as a practical move, even if someone can do it.
Citrix too seems like a waste of resources; Citrix is a remote control portal when your users are accessing it. 99% of the traffic is video, mouse and keyboard input, which isn't how a virus or unwanted exe gets into a network. The clipboard is the only part that would be remotely practical to inspect, and even then you should have AV on the server side that would catch it. I'm again not seeing why you'd inspect Citrix.
As for the HTTPS, our clients have lots of trouble with every vendor we've used. We've POC'd BlueCoat and it was no better or worse; they (proxies) all suffer from not being able to do some sites and applications. The main benefit that comes from the proxies is always the site classifications; being able to curtail the users from visiting certain sites or types of sites is the best part overall. The second layer of AV is good too, especially when the AV vendor is different than what you are using already. BC allows you to choose from 5 different vendors, so if your PCs are using McAfee already don't use McAfee as the scanning engine in the proxy.
WCCP is perfect then, it allows you to FWD connections bound for HTTP/HTTPS based on certain criteria. You can base the rules that WCCP uses to fwd based on the physical interfaces, vlans, ip/subnet and mac addresses. A user moving around from port to port can still be fwd'd to the proxy if the rule is dynamic like using the subnet as a match.
-rich
0
 
LVL 3

Author Comment

by:Brian Garcia
ID: 39747757
Thanks Rich for your explanation. I agree with you that VPN and Citrix should not be under proxy because of certain limitations and redundancy. And the facilities which they run are already secured.

For HTTPS, we don't have any issues forwarding this to Bluecoat Proxy.

But our dilemma is we are supporting multiple clients with multiple SSL VPNs. Some SSL VPNs are through the internet while some are through the corporate WAN (e.g. US, Europe, India and Asia). We may have problems implementing WCCP so we are using PAC.

Are you suggesting we move to WCCP instead of PAC? How can we do that given the above dilemma, and how can I redirect other HTTP traffic which is in the corporate WAN?
0
 
LVL 3

Author Comment

by:Brian Garcia
ID: 39747760
We are also accessing multiple Citrix through Internet and Corporate WAN so how can we implement redirection through WCCP?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 39748823
WCCP can be used, but PAC files offer more flexibility. The only way to use WCCP effectively is to block egress 443 and port 80, wherever possible. If your networks are too messy to sort out who is a user and should be proxied, then you may have no choice and have to use PAC. If you have clearly defined subnets, WCCP is awesome. We have about 100 proxy by-passes or "directs" we use because (mostly) Java applications don't work well with proxies. Web-ex, Fed-ex, citibank, lots of websites too don't work because of their Java applets. But using WCCP we are able to use those sites and Java applets. If you don't have any "return direct" statements in your PAC file it'd be the first I've ever seen :)
WCCP is hard if you have mixed use cases, if you can however properly isolate and segment functions using subnets then it's much easier.
Users = 10.10.10-30
Server = 10.10.100-120
Network = 10.10.200-220 (vpn, switches etc...)
Misc = 10.10.221-255
If you can't like that easily, then WCCP won't be easy, if you want to create a bunch of rules it could be done, but like you said it becomes an issue.
I've used the Sophos products with good success, WCCP and/or PAC, but there are caveats, whitelists and bypasses for both.
-rich
1
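
The PAC side of the post above, as an added example that is not part of the thread: a `FindProxyForURL` that evaluates its "return DIRECT" bypasses first and then decides by the client's subnet zone. The proxy address and bypass domains are hypothetical, the zones are read as third-octet ranges inside 10.10.0.0/16, and sending unclassified addresses to the proxy is an assumption.

```javascript
// Added example, runnable under Node. A browser's PAC engine supplies
// myIpAddress(), isPlainHostName() and dnsDomainIs(); these shims stand in.
let clientIp = "10.10.10.25";                      // constructed test value
const myIpAddress = () => clientIp;
const isPlainHostName = (h) => !h.includes(".");
const dnsDomainIs = (h, d) => h.endsWith(d);

// Hypothetical names, not from the thread.
const PROXY = "PROXY proxy.corp.example:8080";
const DIRECT_DOMAINS = [".sslvpn.corp.example", ".citrix.corp.example",
                        ".javaapp.example"];

// Zones from the post, read as third-octet ranges inside 10.10.0.0/16.
const ZONES = [
  { name: "users",   lo: 10,  hi: 30 },
  { name: "servers", lo: 100, hi: 120 },
  { name: "network", lo: 200, hi: 220 },
  { name: "misc",    lo: 221, hi: 255 },
];

function zoneOf(ip) {
  const m = /^10\.10\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || Number(m[1]) > 255 || Number(m[2]) > 255) return null;
  const third = Number(m[1]);
  const zone = ZONES.find((z) => third >= z.lo && third <= z.hi);
  return zone ? zone.name : null;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // "return DIRECT" bypasses are evaluated first.
  if (isPlainHostName(host)) return "DIRECT";
  if (DIRECT_DOMAINS.some((d) => dnsDomainIs(host, d))) return "DIRECT";
  // Assumption: known non-user zones go direct; users and any address
  // that fits no zone are sent to the proxy.
  const zone = zoneOf(myIpAddress());
  return zone === null || zone === "users" ? PROXY : "DIRECT";
}
```

A DIRECT answer only works for clients the firewall allows out on ports 80 and 443, so the bypass list and the egress rules have to be maintained together.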
 

Expert Comment

by:teo665
ID: 41511228
Websense is traditionally Blue Coat's primary competition. If you are looking for cloud services, that muddies the waters. Do you want to host at multiple sites? What sort of traffic are you looking to proxy? What control do you want to exert over it? If you start looking for threat protection you can look at new players like Zscaler. If you have workers that are in the field and not physically behind a proxy, you are going to start needing to install a client. The dreaded client.
Regarding Citrix, this is not compatible with many proxies last I checked. Palo Alto Networks NGX FWs can do all of the proxy, content filtering, SSL decryption etc. that most proxies can, and they have moved toward the cloud hosting bandwagon as well.
0

Question has a verified solution.