AV on the BlueCoat v.s. enabling in Checkpoint firewall

Posted on 2014-07-28
Last Modified: 2014-08-13
Hello EE,

I have a checkpoint firewall and my Bluecoat AV Appliance is coming up on maintenance renewal.
I am wondering as I heard the Checkpoint firewall can do Anti Virus as well if this is at the same level.
What are the pro/con of going with it all in one v.s. maintaining the separate appliance?
Question by:operationsIT
6 Comments
 
LVL 61

Expert Comment

by:btan
ID: 40226526
For Checkpoint, it is actually part of their UTM offering. They term it the "Antivirus Software Blade", which can either be within the box or be augmented with online checking against their cloud intelligence, e.g. ThreatCloud. The user's Service Contract File does need to include the relevant "Anti-Virus update" SKU for the device, e.g. their Secure Web Gateway Appliance and Threat Prevention Appliance.
http://www.checkpoint.com/products/antivirus-software-blade/

CP claims the following for their antivirus and URL filtering software blades:
a) Up to 20 times antivirus throughput improvement, with over 1Gbps for a 2-core system and 3Gbps for a 4-core system
b) Up to 80 times antivirus and URL filtering connection capacity improvements with over 500,000 concurrent connections

One use case they shared on the value of the AV s/w blade is detecting the Eurograbber banking Zeus trojan. It detects the bad URLs and blocks the requests at the network before they infect the user's computer, calculates the MD5 hash of the reply, recognizes it as bad and blocks the download of the malicious application.
@ http://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pdf

Coming to Bluecoat it has one appliance called ProxyAV, which works in tandem with Blue Coat ProxySG appliances. As an inline scanning device, the ProxyAV appliance analyzes all file downloads from user-authenticated Web 2.0 sites, webmail, file sharing and other methods of content delivery.

BC ProxyAV can scan files up to 2GB in size and analyze compressed archives up to 99 layers deep. ProxyAV integrates with multiple threat awareness clouds, including Blue Coat WebPulse. Specifically, ProxyAV supports four modes of content analysis: traditional object analysis, trickle first or last stream analysis, and deferred scan.

https://www.bluecoat.com/products/proxyav

As a whole, comparing CP and BC AV, the differences may not lie in the AV but in the capability of the appliance to scale up and layer other security services such as IPS, content filtering, cloud services and application-aware filtering, in either a single box or via an external web interface (RESTful or JSON etc.).

There are Gartner reports on secure gateways and NSS Labs reports in which you may find the specifics, but I do suggest engaging both sales teams to better advise on the values and differences with respect to those 3rd party assessment reports, so that it is not an "Apples" vs "Oranges" situation, as well as to flesh out the limitations explicitly based on the assessment criteria.

https://www.gartner.com/doc/2776117/magic-quadrant-secure-web-gateways
https://www.gartner.com/doc/2709919/magic-quadrant-enterprise-network-firewalls

https://www.nsslabs.com/next-generation-firewall-reports
https://www.nsslabs.com/reports/product-types/secure-web-gateway
 
LVL 21

Accepted Solution

by:
eeRoot earned 250 total points
ID: 40228377
Can you monitor the CPU & memory resources on the Checkpoint?  Adding AV duties will increase its workload, but will allow you to simplify your network design.
 
LVL 61

Expert Comment

by:btan
ID: 40228495
Probably the past assessments from 3rd parties can be useful on testing the CP UTM. Indeed performance will be a key consideration, and having an all-in-one box will require factoring in the single point of failure as well, e.g. any module failure should not render the box malfunctioning or stop ongoing traffic unnecessarily, e.g. fail open, or for some fail closed (or fail secure).
http://www.networkworld.com/article/2303641/network-security/how-we-tested-check-point-firewall.html
Author Comment

by:operationsIT
ID: 40229165
Hello,

So if CP detected Eurograbber, did BlueCoat not?

Does BlueCoatAV not work with BlueCoatSG? We have both, but I'm trying to determine if I move the AV and SG to the CheckPoint, or just the AV to the Checkpoint, or keep them separate.

I see the report overview but no detail @breadtan

We plan to cluster the firewall, which would eliminate the single point of failure, but the BC is currently one appliance, so a single point of failure; yet I am concerned with loading the firewall resources to do all these other things. I am curious what others would do, as I've engaged sales on both sides and of course both can give you the world. Any other questions to help me get to the real details?
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 40229190
The report requires a subscription, and if the vendor can share the accreditation that will help and strengthen their ground. Eurograbber is just one instance - BC has their own use cases and strengths, esp. in caching (or all vendors have such, esp. with an R&D team backing - for BC they have a threat lab which contributes to the WebPulse feeds collected) - see https://bto.bluecoat.com/doc/7430 (specific to BC's use of their content policy language (CPL)) - see the anti-malware section.

Each time a browser request is received, the ProxySG checks its object store for a cached copy; if one is found that was analyzed with the most recent AV-heuristics engine version, it can be delivered immediately. If the object in cache was analyzed before an update to the AV-heuristics engine, then the object is re-analyzed before delivery to the user. For non-cacheable objects, a fingerprint cache is kept to avoid analyzing the same file on frequent requests. Once an AV-heuristics engine update occurs, the fingerprint cache for non-cacheable objects restarts. Note that ProxyAV has four options for analysis: it can scan, trickle first, trickle last or defer scan (for long-loading objects).

Note: ICAP can be used for both inbound and outbound traffic analysis. Typically ProxyAV is deployed for inbound traffic analysis while a data loss prevention solution is deployed for outbound traffic analysis. Multiple ProxyAVs can be load balanced from a ProxySG device.
For BC, you may want to note their ThreatBlade suite and how ProxySG comes into the deployment with those content / malware analysis blade appliances:
https://www.bluecoat.com/products/content-analysis-system-atp
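As an added illustration (not part of btan's post and not Blue Coat's own code), a small Python model of the verdict-caching behaviour the post describes: cacheable objects keep their verdict only while the AV-heuristics engine version is unchanged and are re-analyzed after an update, while non-cacheable objects are deduplicated through a fingerprint cache that restarts on every engine update. The `ProxyAvSim` class, the `is_malicious` callback standing in for the engine, and the sample URLs are assumptions.

```python
import hashlib

class ProxyAvSim:
    """Toy model (assumption, not Blue Coat code) of ProxySG/ProxyAV verdict caching."""
    def __init__(self, engine_version, is_malicious):
        self.engine_version = engine_version
        self.is_malicious = is_malicious  # stand-in for the AV-heuristics engine
        self.object_store = {}            # url -> (verdict, engine_version)
        self.fingerprint_cache = {}       # md5 hex of body -> verdict
        self.scans = 0                    # how often the engine actually ran

    def update_engine(self, new_version):
        # Cached object verdicts become stale (checked lazily on next request);
        # the fingerprint cache for non-cacheable objects restarts outright.
        self.engine_version = new_version
        self.fingerprint_cache.clear()

    def _scan(self, body):
        self.scans += 1
        return "malicious" if self.is_malicious(body) else "clean"

    def fetch(self, url, body, cacheable=True):
        # Returns (verdict, how) for a response body fetched for url.
        if cacheable:
            entry = self.object_store.get(url)
            if entry is not None and entry[1] == self.engine_version:
                return entry[0], "cache-hit"  # analysed by the current engine
            verdict = self._scan(body)        # first analysis or re-analysis
            self.object_store[url] = (verdict, self.engine_version)
            return verdict, ("scanned" if entry is None else "rescanned")
        # Non-cacheable: identical content on different URLs shares one verdict
        fp = hashlib.md5(body).hexdigest()
        if fp in self.fingerprint_cache:
            return self.fingerprint_cache[fp], "fingerprint-hit"
        verdict = self._scan(body)
        self.fingerprint_cache[fp] = verdict
        return verdict, "scanned"

def demo():
    # Constructed sample traffic; the "engine" is a trivial byte-pattern check.
    proxy = ProxyAvSim("2014.07", lambda body: b"EVIL" in body)
    events = [proxy.fetch("http://example.test/a.exe", b"hello"),          # scanned
              proxy.fetch("http://example.test/a.exe", b"hello"),          # cache-hit
              proxy.fetch("http://example.test/dl?id=1", b"blob", False),  # scanned
              proxy.fetch("http://example.test/dl?id=2", b"blob", False)]  # fingerprint-hit
    proxy.update_engine("2014.08")
    events.append(proxy.fetch("http://example.test/a.exe", b"hello"))          # rescanned
    events.append(proxy.fetch("http://example.test/dl?id=3", b"blob", False))  # scanned again
    events.append(proxy.fetch("http://example.test/m.exe", b"xxEVILxx"))       # malicious
    return events, proxy.scans
```

The `scans` counter shows the trade-off the thread is weighing: the caches cut engine load, but every engine update deliberately invalidates them, so the box briefly rescans everything it serves.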
 

Author Closing Comment

by:operationsIT
ID: 40258427
Excellent points!