Solved

Alternative to Bluecoat ProxySG

Posted on 2013-12-26
9
3,950 Views
Last Modified: 2016-03-17
Can you recommend an alternative to Bluecoat ProxySG? We are looking at a product with content filtering, malware protection and proxy service. Is Cisco WSA a good alternative?
0
Question by:jb_yow
9 Comments
 
LVL 6

Expert Comment

by:Ramakrishna Prabhu
ID: 39740087
Squid can be a good alternative.
0
 
LVL 3

Author Comment

by:jb_yow
ID: 39740099
We have used Squid but we don't like the filtering (DansGuardian, SquidGuard). We have problems passing other protocols (Citrix, SSL VPN, etc.). So we used Bluecoat, but it's costly so we are looking for an alternative.

We are looking at Cisco Web Security Appliance since we can get it for a much lower price, but I don't know if it can replace the functionality of Bluecoat.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39741788
We use Sophos proxies with good results, but we don't inspect HTTPS as all the vendors we tried had issues, so maybe someone is doing it better these days. SafeSquid I've used in the past with good results, but the category lists from Sophos and others are typically better and more complete than what SafeSquid was using. The proxy should not be processing VPN traffic, well at least encrypted VPN traffic; you need a bypass/direct connection for them to work typically. Sophos is easy to use, good support, and using WCCP instead of a PAC file was the best thing we did in our rollouts.
-rich
0
 
LVL 3

Author Comment

by:jb_yow
ID: 39745826
We need to inspect all internet traffic because this is part of our network policy. We may have a hard time implementing WCCP because of complex network routing and multiple network connections.

Bluecoat can meet all our requirements, even HTTPS inspection, SSL VPN and Citrix access, but it's costly so we need to provide an alternative.
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 39745974
The VPN portion seems like it would give you very little protection over what is already in place for most networks. When you are connected via VPN it's like you're in the office. I don't see the VPN as critical from a security perspective. Are your users not doing split-tunnel? I don't see the VPN inspection as a practical move, even if someone can do it.
Citrix too seems like a waste of resources; Citrix is a remote control portal when your users are accessing it. 99% of the traffic is video, mouse and keyboard input, which isn't how a virus or unwanted exe gets into a network. The clipboard is the only part that would be remotely practical to inspect, and even then you should have AV on the server side that would catch it. I'm again not seeing why you'd inspect Citrix.
As for the HTTPS, our clients have lots of trouble with every vendor we've used. We've POC'd BlueCoat and it was no better or worse; they (proxies) all suffer from not being able to do some sites and applications. The main benefit that comes from the proxies is always the site classifications; being able to curtail the users from visiting certain sites or types of sites is the best part overall. The second layer of AV is good too, especially when the AV vendor is different than what you are using already. BC allows you to choose from 5 different vendors, so if your PCs are using McAfee already, don't use McAfee as the scanning engine in the proxy.
WCCP is perfect then; it allows you to FWD connections bound for HTTP/HTTPS based on certain criteria. You can base the rules that WCCP uses to fwd on the physical interfaces, VLANs, IP/subnet and MAC addresses. A user moving around from port to port can still be fwd'd to the proxy if the rule is dynamic, like using the subnet as a match.
-rich
0
 
LVL 3

Author Comment

by:jb_yow
ID: 39747757
Thanks Rich for your explanation. I agree with you that VPN and Citrix should not be under proxy because of certain limitations and redundancy. And the facilities which they run are already secured.

For HTTPS, we don't have any issues forwarding this to Bluecoat Proxy.

But our dilemma is we are supporting multiple clients with multiple SSL VPNs. Some SSL VPNs are through the internet while some are through the corporate WAN (e.g. US, Europe, India and Asia). We may have problems implementing WCCP so we are using PAC.

Are you suggesting we move to WCCP instead of PAC? How can we do that given the above dilemma, and how can I redirect other HTTP traffic which is in the corporate WAN?
0
 
LVL 3

Author Comment

by:jb_yow
ID: 39747760
We are also accessing multiple Citrix sites through the Internet and Corporate WAN, so how can we implement redirection through WCCP?
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 39748823
WCCP can be used, but PAC files offer more flexibility. The only way to use WCCP effectively is to block egress 443 and port 80, wherever possible. If your networks are too messy to sort out who is a user and should be proxied, then you may have no choice and have to use PAC. If you have clearly defined subnets, WCCP is awesome. We have about 100 proxy by-passes or "directs" we use because (mostly) Java applications don't work well with proxies. Web-ex, Fed-ex, Citibank, lots of websites too don't work because of their Java applets. But using WCCP we are able to use those sites and Java applets. If you don't have any "return direct" statements in your PAC file it'd be the first I've ever seen :)
WCCP is hard if you have mixed use cases; if you can however properly isolate and segment functions using subnets then it's much easier.
Users = 10.10.10-30
Server = 10.10.100-120
Network = 10.10.200-220 (vpn, switches etc...)
Misc = 10.10.221-255
If you can't like that easily, then WCCP won't be easy, if you want to create a bunch of rules it could be done, but like you said it becomes an issue.
I've used the Sophos products with good success, WCCP and or PAC, but there are caveats, whitelists and bypasses for both.
-rich
1
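The subnet plan and the "return direct" bypasses from the answer above, written as PAC logic; this is an added example, not part of the original post. It assumes the ranges are third-octet ranges of 10.10.x.0/24, that only the Users range is proxied, and the proxy address and bypass hostnames are placeholders.

```javascript
// Constructed values: the proxy address and the bypass hostnames are placeholders.
var PROXY = "PROXY proxy.example.internal:8080";
var DIRECT_SUFFIXES = [".vpn.example.com", ".citrix.example.com", ".javaapp.example.net"];

// Role of a client address under the answer's plan, or null if it is outside the plan.
// Assumption: "10.10.10-30" means 10.10.10.0/24 through 10.10.30.0/24, and so on.
function roleOf(ip) {
  var m = /^10\.10\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m || Number(m[2]) > 255) return null;
  var third = Number(m[1]);
  if (third >= 10 && third <= 30) return "users";
  if (third >= 100 && third <= 120) return "server";
  if (third >= 200 && third <= 220) return "network";
  if (third >= 221 && third <= 255) return "misc";
  return null;
}

// True when host equals a listed domain or is a subdomain of it.
// The leading dot keeps "evilvpn.example.com" from matching ".vpn.example.com".
function isBypassHost(host) {
  var h = host.toLowerCase();
  return DIRECT_SUFFIXES.some(function (s) {
    return h === s.slice(1) || h.slice(-s.length) === s;
  });
}

// The routing decision, with the client IP passed in so it can be checked outside a browser.
function decide(url, host, clientIp) {
  if (!/^https?:/i.test(url)) return "DIRECT";    // only web traffic is sent to the proxy
  if (isBypassHost(host)) return "DIRECT";        // the "return direct" exceptions
  if (roleOf(clientIp) === "users") return PROXY; // no "; DIRECT" fallback: users fail closed
  return "DIRECT";                                // assumption: non-user ranges are not proxied
}

// Entry point a browser calls; myIpAddress() is supplied by the PAC environment.
function FindProxyForURL(url, host) {
  return decide(url, host, myIpAddress());
}
```

A PAC file is only advice to the client, so the egress block on ports 80 and 443 mentioned in the answer is what actually stops a user subnet from going around the proxy.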
 

Expert Comment

by:teo665
ID: 41511228
Websense is traditionally Blue Coat's primary competition. If you are looking for cloud services, that muddies the waters. Do you want to host at multiple sites? What sort of traffic are you looking to proxy? What control do you want to exert over it? If you start looking for threat protection you can look at new players like Zscaler. If you have workers that are in the field and not physically behind a proxy, you are going to start needing to install a client. The dreaded client.
Regarding Citrix, this is not compatible with many proxies last I checked. Palo Alto Networks NGX FWs can do all of the proxy, content filtering, SSL decryption etc. that most proxies can, and they have moved toward the cloud hosting bandwagon as well.
0
