BlueCoat vs. Open Source Proxy Solutions

Posted on March 21st, 2007 by Océane.
Categories: Proxy.

This analysis will outline the differences in two separate proxy solutions which have been covered in more detail in each of their respective proposal documents.

BlueCoat: This is a COMMERCIAL ENTERPRISE solution employing a BlueCoat proxy appliance, SmartFilter for content filtering, and McAfee for threat elimination. All of these products are considered enterprise quality and are market leaders in their particular solution.
Squid: This is an “Open Source” solution employing the use of a Squid caching engine (open source) running on commodity hardware, DansGuardian and URLBlacklist for content filtering (both solutions are COMMERCIAL solutions, not freeware) and MailScanner in conjunction with ClamAV for threat elimination (both are open source).

Enterprise Business Concerns
Content Filtering
Authentication
Threat Elimination
Reporting
Security Concerns
DIY (“Do It Yourself”) vs. Appliance

Enterprise Business Concerns

One of the primary reasons COMMERCIAL ENTERPRISE solutions, like the Blue Coat solution, exist is to shift the burden of maintenance, upgrades, and support away from a customer’s internal IT staff. Commercial software companies take on the responsibility of operability, provide warranties on workmanship, defend against copyright infringements and intellectual property claims, and commit to supporting these platforms for predefined periods of time. Open source software, by its very nature, shifts all of those burdens to the customer. One must rely on the expertise and, just as important, the TIME () of internal staff.

The risks of the Open Source solution will depend somewhat on the environment, the industry the company is operating in, the knowledge and skill of internal personnel, the licensing model chosen, the organizational and governance models the company is employing, and whether intends to change the code. should develop a risk assessment team to examine each of the risks of open source, rate those risks in the context of the organization, and recommend strategies to mitigate those risks before proceeding with the development of an open source strategy.

The following areas of risk should be considered:

• Warranty: If makes changes to the code and provides that code to other organizations via either a product or service using that code, it may be assuming liabilities for the quality and workmanship of the platform. Incidents of downtime or processing errors that affect business partners or customers could become a legal and financial liability.

• Copyright Infringement: Companies need to be especially careful around the topic of intellectual property. In the US, copyrights have been filed for not only lines of code, but also for topics such as look and feel, technical, or operational processes. A programmer does not have to copy a line of code to infringe on a copyright or intellectual property.

• Regulatory Compliance: Companies in regulated industries have to be concerned with regulatory compliance. For example, the FDIC alone can issue more than 30 regulatory changes a year to the banking community.

• Operability: Companies that make open source components or products and services running on open source components available to customers or business partners run the risk that the code won’t work in the customer’s environment. Support for older hardware, integration with older releases of other operating platforms, and problem resolution assistance may be implied in the existing contracts between the company and its partner. Companies that are making open source components or systems available outside the walls of the organization need to make absolutely sure no contracts exist that place them at risk. Companies should undertake, with the assistance of their legal department, a review of all contracts for products and services that may exist in the organization. This includes any existing agreements for business products, services, and support.

• Licensing and Usage Rights: Companies can easily make a mistake surrounding the licensing of open source code, especially when employees often just click through the usage rights posted on free software Web sites. A GNU Public License, for example, could force the unwitting company to release to the open source community — and therefore to competitors — any code changes made to these platforms. This could be disastrous. And, the problem isn’t isolated to mistakes with the wrong license type. In some cases, a company’s commercial software licenses may restrict usage rights in such a way as to limit, or prevent, interfacing open source components to the platforms.

• Security: Open source advocates say these platforms are more secure than commercial software because they are open. Companies should not be lulled into a false sense of security with open source. It is OPEN, available to anyone that wants to do harm, and, therefore, needs to have special attention with testing and security (see “Security Concerns” section below.)

• Support: The biggest concern companies have with open source is the lack of support. Who do you hold accountable? Companies don’t always have the resources (to develop software) and they can’t afford the downtime or provide the necessary support that a manufacturer can give them 24/7. If you want to have systems you can guarantee you’re going to run a business on, somebody has to do quality assurance. Open Source can not provide that.

Content Filtering

This section deals primarily with the day-to-day functionality of both proposals.

Squid Solution
Squid can filter based on destination URL only. In conjunction with DansGuardian, phrase matching, PICS filtering and URL filtering can be added or extended. would own responsibility for the integration, testing, quality assurance, and support.

Blue Coat Appliance Solution
Bluecoat combines the filtering category (based on destination URL) with any other identifiable trigger in the user request. Triggers can include file type, MIME type, user, group, cookie, HTTP headers, user-agent (browser version) and many others. This gives far greater flexibility in making policy decisions about what to allow the user to bring into the enterprise.

Examples of this include:
• If the customer wants to allow users to read Webmail, but not send mail attachments, the ProxySG can do this by implementing a policy that combines the URL category “Webmail” with the HTTP method “POST”.
• If the customer wants to restrict SSL traffic because it can be a threat to get undesired content in the network, a rule can be made that combines the protocol “HTTPS” with a set of desirable categories in the URL filter list such as “Business Sites”.
• If a customer wants to allow Instant Messaging “chats” but not file transfers, a rule can be made which blocks IM method “file transfer”.
• If a customer wants to enable partners to post files to a web site for a business-to-business application, the ProxySG can virus scan objects coming from group “Partners” to ensure the partner does not propagate a virus to the web server.
• The customer wants to enable streaming from specific sites on the Internet, but wants to limit the total bandwidth consumed.

Bluecoat’s content filtering goes further by filtering on the full set of HTTP header types. Both request headers and response headers can be fully edited, and cookies can be modified, giving complete control over the entire application-level transaction.
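The policy combinations listed above (URL category plus HTTP method, scheme, or user group, first matching rule wins) can be shown as a small rule evaluator. This is an added illustration, not Blue Coat’s CPL or Squid’s ACL syntax; the category table, the group table, the rules and the requests are constructed sample data.

```python
"""Layered proxy policy: combine a URL-filter category with other triggers
in the request (HTTP method, scheme, user group). Added illustration; not
Blue Coat's CPL or Squid's ACL syntax. Category table, group table, rules
and requests are constructed sample data."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed category database: domain suffix -> URL filter category.
CATEGORIES = {
    "mail.example.net": "Webmail",
    "partners.example.com": "Business Sites",
    "bank.example.org": "Business Sites",
    "anon.example.info": "Anonymizer",
}

# Constructed directory group membership.
GROUPS = {"alice": {"Staff"}, "bob": {"Staff", "Partners"}}


@dataclass
class Request:
    user: str
    method: str
    url: str

    @property
    def scheme(self) -> str:
        return urlsplit(self.url).scheme.lower()

    @property
    def host(self) -> str:
        return (urlsplit(self.url).hostname or "").lower()

    @property
    def category(self) -> str:
        # Longest matching domain suffix wins; unknown hosts are "Uncategorized".
        for suffix in sorted(CATEGORIES, key=len, reverse=True):
            if self.host == suffix or self.host.endswith("." + suffix):
                return CATEGORIES[suffix]
        return "Uncategorized"


@dataclass
class Rule:
    action: str                      # "allow", "deny" or "scan"
    category: Optional[str] = None
    method: Optional[str] = None
    scheme: Optional[str] = None
    group: Optional[str] = None

    def matches(self, req: Request) -> bool:
        # Each condition that is set must hold; an unset condition matches
        # anything, so a rule with only an action is a catch-all.
        return (
            (self.category is None or req.category == self.category)
            and (self.method is None or req.method.upper() == self.method)
            and (self.scheme is None or req.scheme == self.scheme)
            and (self.group is None or self.group in GROUPS.get(req.user, set()))
        )


# First matching rule wins, so specific denies sit above broader allows.
POLICY = [
    Rule("deny", category="Anonymizer"),                  # no filter evasion via anonymizers
    Rule("deny", category="Webmail", method="POST"),      # read webmail, but no uploads
    Rule("scan", group="Partners", method="POST"),        # virus-scan partner uploads
    Rule("allow", scheme="https", category="Business Sites"),
    Rule("deny", scheme="https"),                         # HTTPS only to business sites
    Rule("allow"),
]


def decide(req: Request, policy=POLICY) -> str:
    """Return the action for a request under the first matching rule ("deny" if none)."""
    for rule in policy:
        if rule.matches(req):
            return rule.action
    return "deny"


if __name__ == "__main__":
    for r in (Request("alice", "GET", "http://mail.example.net/inbox"),
              Request("alice", "POST", "http://mail.example.net/send"),
              Request("bob", "POST", "https://partners.example.com/upload"),
              Request("alice", "GET", "https://www.example.com/")):
        print(r.user, r.method, r.url, "->", decide(r))
```

One caveat when mapping this onto a real forward proxy: an HTTPS request arrives as a CONNECT to host:port, so the destination host and category are visible but the tunnelled method and path are not unless the proxy intercepts TLS. The “HTTPS only to business sites” rule therefore works on the CONNECT destination, while a method-based rule such as the Webmail POST block only applies to plain HTTP or intercepted traffic.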

Authentication

Each solution offers multiple authentication methods. Blue Coat’s methods are considered native or “on-box” with the exception of NTLM. All authentication methods are configured via a single GUI Admin utility. Squid’s abilities require the use of many different components from other software packages, but we are primarily concerned with only two:
RADIUS
Both solutions support authenticating to a RADIUS server in a basic sense, with the Blue Coat solution supporting RADIUS natively (built in) and enforcing multiple layers of policies based on the authentication response, including alerting and granular logging; no other components are required.

NTLM
Both solutions support NTLM (WinBind) authentication. Blue Coat utilizes a tightly integrated, Microsoft-approved agent running on an existing desktop to form trust relationships with the domain. Squid uses samba, a well-known open source package that is also known for difficult configuration schemes and performance issues, along with vulnerabilities from time to time.

As mentioned above, it is important to note that although both approaches support these authentication methods, major differences exist in how they are supported, and potential issues do exist with the Open Source implementation that may require further customization and integration.

Squid Authentication Implementation
Squid uses a freeware product called Samba to authenticate its users in an NTLM environment. This requires designating the server as a member-server in the windows domain. Most security experts recommend against doing this as it creates a security vulnerability within the Windows Domain.

Following is a quote from Squid’s web site on how to configure Squid authentication (note the need to run “UglySolution.pl” on a periodic basis to change the machine trust account password):
[snip from Squid documentation]
Samba 2.2.x
Samba’s smbd daemon, while not strictly required by winbindd may be needed to manage the machine’s trust account.
Well behaved domain members change the account password on a regular basis. Windows and Samba servers default to changing this password every seven days.
The Samba component responsible for managing the trust account password is smbd. Smbd needs to receive requests to trigger the password change. If the machine will be used for file and print services, then just running smbd to serve routine requests should keep everything happy.
However, in cases where Squid’s winbind helpers are the only reason Samba components are running, smbd may sit idle. Indeed, there may be no other reason to run smbd at all.
There are two sample options to change the trust account. Either may be scheduled daily via a cron job to change the trust password.
UglySolution.pl is a sample perl script to load smbd, connect to a Samba share using smbclient, and generate enough dummy activity to trigger smbd’s machine trust account password change code.
smbpasswd.diff is a patch to Samba 2.2.5’s smbpasswd utility to allow changing the machine account password at will. It is a minimal patch simply exposing a command line interface to an existing Samba function.
Note: This patch has been included in Samba as of 2.2.6pre2.
Once patched, the smbpasswd syntax to change the password is:
smbpasswd -t DOMAIN -r PDC
[end snip from Squid Documentation]

Blue Coat Authentication Implementation
The Bluecoat implementation of NTLM is tightly integrated into the Operating System and fully supports policy availability. Blue Coat’s NTLM agent is a customized web agent that is fully compliant with Microsoft development practices, and fully supported by Bluecoat Technical Support as part of the ProxySG OS.

The NTLM agent is regularly updated to reflect SGOS updates and service releases.

BlueCoat offers the ability to use multiple authentication techniques at the same time. For example, an enterprise may have some users using RADIUS and another set of users using Windows authentication. BlueCoat enables the integration of multiple authentication methods without forcing the user to choose one over the other or forcing duplicate user ID maintenance on the IT directory administration staff.

Threat Elimination

Generally speaking, both solutions support anti-virus scanning of content that passes through the proxy. The actual implementation and effectiveness of the two solutions vary greatly.

Blue Coat Threat Elimination
The Bluecoat ProxySG and ProxyAV combined solution incorporates ICAP (Internet Content Adaptation Protocol). The ICAP protocol on both devices is optimized to work in a cohesive reporting and logging environment.

The Bluecoat ProxyAV gives you the flexibility of choosing which vendor provides anti-virus. These anti-virus engines and definitions are fully supported by Bluecoat Systems.

The ProxySG can eliminate many threats that occur within the Internet:
• ProxySG can eliminate unauthorized applications such as Peer-to-peer file sharing or Instant Messaging from tunneling through port 80 in the firewall.
• ProxySG can eliminate the use of “Anonymizer” sites to get around URL filters.
• ProxySG can stop most spyware from being installed on the desktop PC. This is a feature unique to ProxySG that prevents “drive-by” installations of spyware.
• ProxySG can prevent users from going around porn filters by using Image Search Engines such as Yahoo and Google. These engines cache the porn content and therefore are often used to evade pornography filters. ProxySG can prevent this with a policy.
• ProxySG can control desktop viruses that create multiple connections to a specific website in order to initiate a Denial of Service (DOS) attack. Recent viruses created “zombies” which at a specified time all created multiple connections (2000 per second to www.sco.com in a recent example) which renders a customer’s network inoperable. The ProxySG can limit the number of connections per user so that these viruses are rendered harmless.

Squid Threat Elimination
Squid achieves anti-virus protection by integrating with ClamAV, a command-line, open source scanner. ClamAV runs on a Linux/Unix implementation, making it vulnerable to all exploits the OS may be prone to. ClamAV contains a good deal of documentation, and also has an online virus database. Its signatures, however, have not been exposed to the type of testing, scrutiny and research that the vendors utilized in Blue Coat’s solution undergo.

DansGuardian and URLBlacklist are utilized to achieve URL filtering. Both solutions have limitations as to what they can be integrated with (for instance, DansGuardian has only been tested with F-Prot, a commercial engine, and ClamAV), and require separate maintenance.

Reporting

While the Squid solution offers basic reporting on the proxy/cache activity as well as detailed reporting on user activity and content filtering (once all components are properly implemented), the Bluecoat ProxySG gives the option of creating ten different log files, far beyond just reporting on user access. The Reporter produces reports aimed at three different constituents in an enterprise:
• Human Resource type reporting – the ability to track where each user went, when, how long and how often. This is often used to report on users who are abusing the internet.
• Security type reporting – reports on viruses caught and spyware prevented. Reports on spyware “phone homes” for users already infected with spyware.
• Network utilization type reporting – reporting on bandwidth used by individual users and groups. Reports on bandwidth used to destination websites and/or URL categories. Reports on bandwidth used based on content type. Many, many different views to enable the network manager to control policy.

The Blue Coat reporting tools give you the ability to support MySQL, unlimited profiles, filtering options and email or SNMP notifications. The new Blue Coat Reporter version 7 is an outstanding reporting and administrative tool.
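The three report views described above (per-user activity, blocked requests, bandwidth by destination and content type) can be produced from a proxy access log. The following added example, which is not Blue Coat Reporter or any Squid project tool, parses Squid’s native access.log format (time, elapsed, client, result/status, bytes, method, URL, user, hierarchy/peer, content type); the log lines are constructed.

```python
"""Build per-user, blocked-request and bandwidth reports from Squid's
native access.log format. Added example, not Blue Coat Reporter or a
Squid project tool; the log lines are constructed."""
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed lines in Squid's native format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1174500000.101    245 10.0.0.5 TCP_MISS/200 5432 GET http://www.example.com/index.html alice DIRECT/192.0.2.10 text/html
1174500001.220     12 10.0.0.5 TCP_HIT/200 120000 GET http://cdn.example.com/big.mp4 alice NONE/- video/mp4
1174500002.005    300 10.0.0.7 TCP_MISS/200 2048 GET http://mail.example.net/inbox bob DIRECT/192.0.2.20 text/html
1174500003.310      3 10.0.0.7 TCP_DENIED/403 1340 POST http://mail.example.net/send bob NONE/- text/html
1174500004.000     40 10.0.0.9 TCP_MISS/200 800 GET http://www.example.com/logo.png - DIRECT/192.0.2.10 image/png
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)$"
)


def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["host"] = urlsplit(rec["url"]).hostname or ""
            yield rec


def report(text):
    """Return the three views: by_user (HR), denied (security), top_hosts and
    by_content_type (network utilisation)."""
    records = list(parse(text))
    by_user = defaultdict(lambda: {"requests": 0, "bytes": 0, "hosts": set()})
    by_host, by_ctype, denied = Counter(), Counter(), Counter()
    for r in records:
        # Unauthenticated requests are logged with user "-"; keep them
        # separate rather than folding them into a real account.
        u = by_user[r["user"]]
        u["requests"] += 1
        u["bytes"] += r["bytes"]
        u["hosts"].add(r["host"])
        by_host[r["host"]] += r["bytes"]
        by_ctype[r["ctype"]] += r["bytes"]
        if r["result"].startswith("TCP_DENIED"):
            denied[r["user"]] += 1
    return {
        "by_user": dict(by_user),
        "top_hosts": by_host.most_common(3),
        "by_content_type": dict(by_ctype),
        "denied": dict(denied),
        "parsed": len(records),
    }


if __name__ == "__main__":
    rep = report(SAMPLE_LOG)
    for user, stats in rep["by_user"].items():
        print(f"{user:8} {stats['requests']:3} req {stats['bytes']:8} bytes {sorted(stats['hosts'])}")
    print("denied:", rep["denied"])
    print("top hosts:", rep["top_hosts"])
```

The byte count Squid logs is what was sent to the client, so a denied request still contributes the size of the error page; the security view counts TCP_DENIED results separately so blocked attempts are not lost inside the bandwidth totals.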

Security Concerns

This section deals primarily with aspects outside those that directly impact functionality.

With security issues at the forefront of most organizations’ priority lists, vulnerability databases are providing some pretty good insight as to where vendors and open source projects stand in their enterprise focus. Especially for those organizations being driven to new policy by GLBA, Sarbanes-Oxley, HIPAA, etc., these databases should be one of the first places a security administrator checks before making any important implementation decision.

Squid Proxy Solution Vulnerability Listings
Please note that the below listings are JUST FOR THE SQUID PROXY/CACHE component, and not for all of the components needed to implement an effective solution that resembles enterprise functionality. DansGuardian, URLBlacklist, ClamAV, etc., all have their own maintenance cycles and security analysis should be done on each individual product AS WELL as when products are used in conjunction with one another.

With that in mind, the following was found when searching “squid proxy” via the Open Source Vulnerability Database:
12633 Squid Empty ACL Configuration Confusion Dec 22, 2004 New
12282 Squid Malformed Host Name Error Message Information Disclosure Nov 23, 2004 Stable
10675 Squid Web Proxy Cache asn_parse_header() Function DoS Oct 5, 2004 Stable
9551 Squid NTLM Authentication Malformed NTLMSSP Packet DoS Sep 2, 2004 New
6791 Squid NTLM Authentication Helper Overflow Jun 8, 2004 Stable
9801 Squid Proxy clientAbortBody() Overflow DoS Apr 27, 2004 Stable
5050 Squid Stellar-X Module msntauth User Name Format String Apr 8, 2004 New
5128 Squid FTP Proxy Data Channel Firewall Bypass or Hijacking Apr 8, 2004 New
5353 Squid Compressed DNS Response Overflow Apr 8, 2004 New
5377 Squid SNMP Memory Leak DoS Apr 8, 2004 New
5476 Squid HTTP Accelerator Mode ACL Bypass Apr 8, 2004 New
5916 Squid Proxy %xx URL Encoding ACL Bypass Feb 29, 2004 Stable
5917 Squid Proxy Gopher Client Non-descript Remote Code Execution Jul 3, 2002 Stable
5923 Squid Proxy FTP Server Directory Listing HTML Parser Remote Overflow Jul 3, 2002 Stable
5924 Squid Proxy FTP Channel Injection Jul 3, 2002 Stable
5925 Squid Web Proxy Cache msnt_auth Remote Overflow Jul 3, 2002 Stable
5926 Squid Web Proxy Cache Authentication Header Forwarding Information Disclosure Jul 3, 2002 Stable
9905 Squid Proxy squid_auth_ldap logging() Format String May 6, 2002 New
5378 Squid FTP URL Special Character Overflow Feb 21, 2002 Stable
5379 Squid squid.conf HTCP Restriction Bypass Feb 21, 2002 Stable
639 Squid Proxy mkdir-only PUT Request DoS Sep 21, 2001 New
1712 Squid Email Notification /tmp Symlink Arbitrary File Overwrite Jan 10, 2001 New
1125 Squid Web Proxy Newline Authentication Bypass Oct 25, 1999 New
28 Squid cachemgr.cgi Port Scanning Jul 23, 1999 New
9904 Squid Internet Object Cache Regular Expression ACL Bypass Feb 20, 1998 New

Squid typically relies on open source operating systems or expensive UNIX systems, leaving Squid vulnerable to the same exploits and shortfalls that affect the operating system. Furthermore, said operating systems are difficult to maintain due to the skill set needed to manage, maintain and operate the installations. Oftentimes enterprises lack the skill pool to fully support UNIX/Linux systems. Squid implementations are vulnerable to the same shortfalls as the hosting system.

Squid is not known to hold any certifications, and documentation, while plentiful, is scattered across many sources depending upon the exact implementation scenario.

Blue Coat Appliance Security Listings
As mentioned in the Squid section, the same security assessment is suggested for the Blue Coat solution; however, each component that is used in the enterprise Blue Coat solution is independently audited by the vendor maintaining the product, placing significant importance on the security aspects of the products to be used by large, business-critical networks.

Blue Coat has only two listings in BugTRAQ (the commercial-equivalent of OSVDB):

1 Re: CacheFlow CacheOS Cross-site Scripting Vulnerability Rank: 1000
Last modified on: 2002-09-02
URL: http://www.securityfocus.com/archive/1/290197

2 CacheFlow Proxy Abuse (revisited) Rank: 154
Last modified on: 2003-09-09
URL: http://www.securityfocus.com/archive/1/336991

The Bluecoat ProxySG is commercially supported to the fullest extent, with annual support contracts and SLAs. Three development and support centers are located throughout the US and Canada, and additional support centers are in London and Tokyo.

Bluecoat ProxySG is certified by ICSA Labs, making Bluecoat the only Proxy appliance that holds the ICSA certification for content management. The document can be found here:
http://www.bluecoat.com/news/releases/2003/090203_ICSA_certification.html

All Bluecoat Systems Documentation can be found at the following link:
http://www.bluecoat.com/resources/resourcedocs/index.html

Summary of Security Concerns Section
The information above clearly shows the concentration of the open source solution is NOT security, but usability, as most open source tends to be. While the open source community tends to patch effectively if the need of the community is great enough, the timeline of patching is certainly lackluster in comparison to an enterprise vendor whose focus is the needs of large corporate/government customers.

DIY (“Do It Yourself”) vs. Appliance

Blue Coat Appliance Solution
The Blue Coat solution consists of an appliance with embedded logic that handles both the proxy and content filtering duties. Threat elimination is offloaded to a separate appliance utilizing any of three anti-virus scanning engines: McAfee, Sophos, or Panda. These scanning engines can operate individually or simultaneously to obtain a layered, “suspenders and belt” solution.

Because the operation is executed between the ProxySG and the ProxyAV, the ICAP transaction is fully optimized as Blue Coat controls both ends of the communication and can put into play any number of policies/algorithms to further enhance performance. For instance, utilizing the total Blue Coat solution would allow a “scan once, serve many” optimization, as the ProxySG would cache the scanned contents and eliminate the need to scan objects upon each request.
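The “scan once, serve many” optimization described above can be shown in a few lines: the proxy keys its anti-virus verdict on the object’s content hash together with the definition version, so a body is scanned once per definition set and repeat requests are answered from cache, while a definition update forces a rescan. This is an added illustration of the idea, not Blue Coat’s ProxySG/ProxyAV code; the scanner, its signature sets and the objects are constructed stand-ins.

```python
"""'Scan once, serve many': cache the anti-virus verdict per object so each
distinct body is scanned once per definition version. Added illustration,
not Blue Coat's ProxySG/ProxyAV code; scanner and objects are constructed."""
import hashlib

# Constructed scanner definitions: a signature set is a set of byte patterns,
# versioned so a definition update can be told apart from the previous one.
SIGNATURES_V1 = {b"EICAR-TEST"}
SIGNATURES_V2 = SIGNATURES_V1 | {b"NEWWORM"}


class Scanner:
    def __init__(self, signatures, version):
        self.signatures = signatures
        self.version = version
        self.scans = 0               # how many times the engine actually ran

    def scan(self, body: bytes) -> bool:
        """True if clean, False if a signature matches."""
        self.scans += 1
        return not any(sig in body for sig in self.signatures)


class ScanningCache:
    """Caches the verdict per (content hash, definition version)."""

    def __init__(self, scanner: Scanner):
        self.scanner = scanner
        self.verdicts = {}           # (sha256 hex, definition version) -> clean?

    def serve(self, body: bytes):
        """Return (clean?, answered_from_cache?) for one request."""
        key = (hashlib.sha256(body).hexdigest(), self.scanner.version)
        if key in self.verdicts:
            return self.verdicts[key], True
        clean = self.scanner.scan(body)
        self.verdicts[key] = clean
        return clean, False

    def update_definitions(self, signatures, version):
        # New definitions: a body that was clean under the old set may match a
        # new signature, so keying on the version makes every cached verdict
        # stale. Entries for the old version could be purged here as well.
        self.scanner.signatures = signatures
        self.scanner.version = version


def demo():
    scanner = Scanner(SIGNATURES_V1, version=1)
    cache = ScanningCache(scanner)
    clean_doc = b"quarterly report"
    worm = b"payload NEWWORM payload"
    results = [cache.serve(clean_doc) for _ in range(5)]   # five requests, one scan
    first_worm = cache.serve(worm)                          # not detected under v1
    cache.update_definitions(SIGNATURES_V2, version=2)
    second_worm = cache.serve(worm)                         # rescanned and caught under v2
    return {
        "scans": scanner.scans,
        "cache_hits": sum(1 for _, hit in results if hit),
        "worm_v1": first_worm[0],
        "worm_v2": second_worm[0],
    }


if __name__ == "__main__":
    print(demo())
```

The version in the cache key is the part that matters for security: without it, an object scanned as clean before a definition update would keep being served without ever meeting the new signature.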

This solution has proven highly effective for Blue Coat as documented in the June 2004 Veritest Web AV Performance Results. This test was performed independently and documented Blue Coat’s throughput to be 20 times that of their closest competitor and with 1/20th the latency. A summary of this test is attached to this document.

The reporting data gathered by the Blue Coat solution is offloaded to an existing OR dedicated HTTP or FTP server, and a reporting client is used to parse the logs locally or in the directory structure created in the remote server.

Squid Implementation Components
No known independent tests of the Squid solution, or the components mentioned in the squid “enterprise” implementation, are available for comparison. However, the CACHING component is fully expected to perform at a level consistent or below that of the other competitors of Blue Coat in the Veritest report. Anti-virus scanning and other processor-intensive operations, however, could vary considerably due to the optimized nature of the ICAP implementation used by Blue Coat on its ProxyAV solution.

The proposed Squid solution runs on a single system, but is built by piecing together portions of the solution from various vendors and Open Source projects, requiring multiple levels of maintenance and support (particularly when patching.)

Reporting is handled by utilizing a dedicated server and several open source components, again requiring maintenance, configuration, and ongoing support.

Commercial support vs. In-house
The Blue Coat solution utilizes multiple vendors in an appliance format and makes available commercial support that will cover the entire framework. This gives one the advantage of having many options and superior flexibility, but only one point of contact for support.

There is no such option available with Squid. While commercial support is available on several of the individual components, there is no framework to support the entire integrated solution. Support for this solution rests largely on the skills of resources.

It is also worth noting that a good portion of the fees associated with the content filtering aspect of the BlueCoat solution go to fund the creation and ongoing maintenance of blocked URL lists (updated every 24 hours automatically on proxy.) While staff resources of SDS have drastically reduced the costs associated with this activity in the Squid solution, this will also mean a less extensive list due to the fact that SDS is using a much smaller vendor to provide this service.


Comparison of URL filtering and proxy solutions: BlueCoat, Squid, Websense

Posted on March 7th, 2007 by Océane.
Categories: Proxy.

This study offers lines of thought on a proxy solution by comparing three solutions in the area of URL filtering and Web caching (HTTP, FTP). Three products are studied: Bluecoat, Squid and Websense. The expected results for such a solution are to offer customers URL filtering and, optionally, content filtering (i.e. antivirus and antispyware), and to reduce the bandwidth used by Web traffic through content caching.

Table of contents
“Requirements”
Overview of proxy solutions
Important points to consider
Content filtering
Squid, the Open Source solution
Bluecoat’s proxy/filtering appliance solution
Websense’s content filtering software solution
Authentication
Threat elimination
Threat elimination with Bluecoat
Threat elimination with Squid
Threat elimination with Websense
Statistical reports
Possible architectures
Integrating a transparent proxy/cache solution
Integrating a filtering solution
Choice of equipment and software
Sizing the proxy + filtering equipment
Filtering-only solution
Conclusion
Bibliographic references

“Requirements”
• URL and content filtering by source IP address
• User operation in transparent proxy mode
• Easily extensible number of licences (hardware and software)
• User authentication via Radius

Overview of proxy solutions
- BlueCoat (formerly CacheFlow): a commercial solution aimed at enterprises and ISPs. The proxy is implemented as an appliance (box + software). Bluecoat WebFilter or Websense Enterprise are the software used for URL filtering. All of these products are references in their respective fields.
- Squid: Open Source software that runs on a machine with a Unix-type operating system (Linux, FreeBSD…). For content filtering there is, for example, the combination DansGuardian + URLBlacklist, or Websense Enterprise (which are commercial solutions).
- Websense: this Web content filtering solution improves employee productivity, avoids the legal problems tied to illegal browsing, and optimizes and improves the technical infrastructure (bandwidth).

Important points to consider
One of the reasons commercial solutions such as Bluecoat or Websense exist is that they relieve the company of the burden of updates, maintenance and support that would otherwise fall on the internal IT department. The software vendor takes responsibility for correct operation, and provides guarantees on intellectual property and on support for its solution over a defined period. Open Source solutions, by definition, mean that the company takes on all of these aspects itself. The company can only count on the expertise and responsiveness of its own team to get the most out of the filtering solution in place.

Content filtering
Squid, the Open Source solution
Squid can only filter on destination URLs. With DansGuardian or Websense it can filter phrases and images, and URL filtering can be added or extended. The company must handle integration, testing, quality of operation and support from start to finish.

Bluecoat’s proxy/filtering appliance solution
BlueCoat Systems’ security appliances are the first solutions on the market entirely dedicated to Port 80 and aimed at protecting enterprise networks against Web-borne threats. BlueCoat’s offering covers a wide range of Web security appliances, solutions for creating and configuring security policies, powerful reporting software and a content filtering solution. The main technological functions include:

  • Web Knowledge Framework: building on its proxy cache know-how, BlueCoat uses in-depth knowledge of Web applications, browsers and client interfaces, servers, object types, MIME encoding types, Web application protocols and authentication mechanisms to fully secure Port 80. BlueCoat’s content-oriented transactional environment offers complete content security. Without this expertise, developing a complete Web security solution is impossible.
  • Policy Processing Engine: BlueCoat’s high-performance policy processing engine offers scalable, granular security, even for the most demanding environments.
  • Policy management: complex, global security policies can be deployed easily. With the Visual Policy Manager, security administrators can quickly develop and deploy flexible security policies across the whole enterprise.
  • Security appliances dedicated to Port 80: custom, proprietary Web security appliances designed to scale to the traffic of the largest enterprises, and easy to deploy and administer.

Websense’s content filtering software solution
By managing employees’ Internet access and enabling Internet usage policies to be put in place, Websense Enterprise lets companies balance employees’ personal browsing needs against professional use, in order to improve overall productivity and keep network bandwidth at an acceptable level.

This product provides:

  • Complete and precise Internet filtering backed by Websense’s master database, which contains more than 11 million URLs spread over more than 90 categories
  • A balance between professional and personal browsing, letting administrators set up custom access policies to manage employees’ use of the Internet and the network
  • Extended control and policy enforcement at the network level, through management of more than 59 protocols, updated automatically
  • The Productivity PG (PG1) categories in the database, to manage access to the following categories:
    • Advertising sites
    • Sites allowing the use of instant messaging
    • Sites devoted to discussion clubs and chat
    • Stock trading sites
    • Paid-to-surf sites
    • Free software download sites
  • The Bandwidth PG (PG2) categories in the database, to manage access to the following categories:
    • Internet radio and television sites
    • Internet telephony sites allowing calls to be made over the Internet
    • File sharing or P2P sites such as Kazaa, Audio Galaxy…
    • Personal data storage and backup sites
    • Live media sites offering streamed content such as trailers

Authentication
Each solution offers several user authentication methods. BlueCoat's and Websense's methods are implemented natively. Squid needs additional components (external helper programs) before it can authenticate users. One authentication method interests us in particular: RADIUS.

All three solutions support authentication against a RADIUS server. BlueCoat and Websense support RADIUS natively, with no additional component or module to add, unlike Squid.

BlueCoat and Websense can use several authentication modes at the same time. For example, some clients may use RADIUS while others use Windows-based user authentication.
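What "additional component" means in practice for Squid, as an added example that is not code from this page or from the Squid project: a basic-auth helper, written here in Python, that speaks Squid's helper line protocol and validates each username/password pair against a RADIUS server with PAP (RFC 2865). Everything concrete in it is an assumption for the example: the server address, the shared secret, the NAS-Identifier value and the install path in the squid.conf comment. The Squid distribution also provides a RADIUS basic-auth helper in C, which is what one would normally deploy; the point here is to show the two protocols the helper bridges.

```python
"""Added example: a Squid basic-auth helper that validates credentials against a
RADIUS server with PAP (RFC 2865). Standard library only; not Squid's own code.

Squid line protocol (basic scheme): one "username password" line per request on
stdin, one "OK" or "ERR" line per request on stdout. Server address, shared
secret and NAS-Identifier below are assumptions for the example.
"""
import hashlib
import hmac
import os
import socket
import struct
import sys
from urllib.parse import unquote

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide the password per RFC 2865 section 5.2: pad to a multiple of 16, then
    XOR each block with MD5(secret + previous ciphertext block), seeded with the
    16-byte Request Authenticator. This is obfuscation keyed by the shared
    secret, not strong encryption, so RADIUS traffic needs its own transport
    protection (a dedicated VLAN or IPsec)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16          # an empty password still needs one block
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decode(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode (the server side); trailing NUL padding is dropped."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        key = hashlib.md5(secret + prev).digest()
        block = blob[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, req_auth: bytes, user: bytes, password: bytes,
                         secret: bytes, nas_id: bytes = b"squid-proxy") -> bytes:
    attrs = (attribute(ATTR_USER_NAME, user)
             + attribute(ATTR_USER_PASSWORD, pap_encode(password, secret, req_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(code: int, ident: int, req_auth: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """What a RADIUS server sends back: the Response Authenticator binds the reply
    to our request and to the shared secret (RFC 2865 section 3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_response(resp: bytes, req_auth: bytes, secret: bytes):
    """Return (code, ident) if the reply is well-formed and authentic, else None.
    Without this check a spoofed UDP datagram could forge an Access-Accept."""
    if len(resp) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", resp[:4])
    if length < 20 or length > len(resp):
        return None
    resp = resp[:length]               # octets beyond Length are padding, ignored
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp[4:20]):
        return None
    return code, ident


def radius_check(user: str, password: str, server, secret: bytes, timeout: float = 3.0) -> bool:
    """One Access-Request / Access-Accept exchange over UDP; any failure is a deny."""
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    pkt = build_access_request(ident, req_auth, user.encode(), password.encode(), secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(pkt, server)
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False
    return parse_response(data, req_auth, secret) == (ACCESS_ACCEPT, ident)


def helper_loop(lines, check, out=None):
    """Squid's basic helper protocol: one "username password" line in, one "OK"
    or "ERR" line out, in order. Fields arrive percent-encoded from Squid.
    Returns the answers so they can be inspected without a stream."""
    answers = []
    for line in lines:
        parts = line.rstrip("\r\n").split(" ", 1)
        ok = len(parts) == 2 and check(unquote(parts[0]), unquote(parts[1]))
        answers.append("OK" if ok else "ERR")
        if out is not None:
            out.write(answers[-1] + "\n")
            out.flush()
    return answers


if __name__ == "__main__":
    # Assumed squid.conf line (path, server and secret are placeholders):
    #   auth_param basic program /usr/local/bin/radius_helper.py 192.0.2.10 1812 s3cret
    host, port, secret = sys.argv[1], int(sys.argv[2]), sys.argv[3].encode()
    helper_loop(sys.stdin, lambda u, p: radius_check(u, p, (host, port), secret), sys.stdout)
```

Squid forks the helper and keeps it running for the life of the process, so the loop must never raise: a dead helper shows up as every user being denied. The check in parse_response matters because RADIUS runs over UDP; a helper that only reads the Code byte would accept an Access-Accept from anyone able to send a datagram to the proxy.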

Threat elimination
The BlueCoat and Squid proxies integrate web antivirus and antispyware filtering. The implementation and effectiveness of the two products' solutions differ greatly.

Threat elimination by BlueCoat
The ProxySG can eliminate a good number of Internet-borne threats:

  • Unauthorized applications such as peer-to-peer or instant messaging that tunnel through port 80 of the firewall
  • Use of anonymizer sites to bypass the filters in place
  • Spyware from websites installing itself on client workstations
  • Users viewing pornographic images through the Yahoo or Google image search engines
  • Virus-infected workstations that initiate a large number of connections to one specific website in order to mount a denial-of-service (DoS) attack. ProxySG can prevent this by limiting the number of simultaneous TCP connections from each client workstation. When a client reaches the connection limit, ProxySG either stops answering the client's requests or terminates the connections.

Threat elimination by Squid
Squid integrates antivirus protection in combination with ClamAV, an open-source command-line antivirus. ClamAV runs on Unix/Linux. ClamAV provides documentation as well as an online virus signature database.
DansGuardian and URLBlacklist are used for URL filtering. Both are limited in that they are only compatible with certain vendors and require separate maintenance. For example, DansGuardian has only been certified with F-Prot, a commercial antivirus vendor, and with ClamAV.

Threat elimination by Websense
Not available in Websense Enterprise. Filtering can be extended to threats with the Websense Security Filtering product.

Statistical reports
Squid provides detailed statistical reports on proxy/cache activity as well as user traceability and content filtering. BlueCoat, beyond what Squid offers, can produce custom reports tailored to the technical level of the person in the company who reads them:

  • Human-resources report: traces an individual user's activity to detect abuse
  • Security report: detailed report on virus activity and on spyware blocked from the sites visited
  • Network usage: bandwidth usage by user and by user group. Reports based on the bandwidth consumed per site/URL visited, on files downloaded, etc. Logs can be stored in several formats (Squid, Websense, SurfControl). MySQL database support.

Websense includes the following reporting tools:

  • Websense Reporter, which manages usage and application reports. Run on demand or on a schedule, it can use either predefined or custom templates
  • Websense Real-Time Analyzer, which gives a real-time view of network activity and allows important network questions to be answered quickly.
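Two of the items above are, at bottom, questions one can ask of a proxy log: the network-usage report (bytes per user and per destination), and the infected-host pattern described under Threat elimination, a client that floods one site with connections, which ProxySG limits at the TCP level. The following is an added example written for this page, not code from Squid, BlueCoat or Websense: it parses Squid's native access.log format and answers both questions offline. The log lines, addresses, hostnames and usernames are constructed, and the thresholds are illustrative. Because a log records completed requests rather than open sockets, the burst count approximates, rather than measures, simultaneous connections; it is detection material, not the appliance's enforcement.

```python
"""Added example: offline analysis of Squid's native access.log for (1) a
network-usage report and (2) clients that hammer a single host in a short
window. Not Squid's, BlueCoat's or Websense's code; sample data is constructed."""
from collections import defaultdict
from urllib.parse import urlsplit

# Squid native format, one request per line:
#   time elapsed client code/status bytes method URL user hierarchy/peer type
# The lines below are constructed for the example (RFC 5737 / example.* names).
SAMPLE_LOG = [
    "1174485600.123    245 10.0.0.5 TCP_MISS/200 15234 GET http://www.example.com/index.html alice DIRECT/93.184.216.34 text/html",
    "1174485601.002     18 10.0.0.5 TCP_HIT/200 2048 GET http://www.example.com/logo.png alice NONE/- image/png",
    "1174485602.455   1200 10.0.0.5 TCP_MISS/200 512 CONNECT mail.example.org:443 alice DIRECT/203.0.113.8 -",
    "1174485603.000     90 10.0.0.7 TCP_DENIED/403 0 GET http://p2p.example.net/kazaa - NONE/- text/html",
    "1174485605.777     60 10.0.0.9 TCP_MISS/200 7000 GET http://www.example.com/ bob DIRECT/93.184.216.34 text/html",
    "this line is garbage and must be skipped",
] + [
    # twelve requests to one host in 2.2 seconds from the same client
    f"{1174485610 + 0.2 * i:.3f}      5 10.0.0.9 TCP_MISS/503 300 GET http://victim.example.net/ bob DIRECT/198.51.100.7 text/html"
    for i in range(12)
]


def parse_line(line: str):
    """One access.log line to a record, or None if it is not a Squid log line."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        ts, size = float(fields[0]), int(fields[4])
    except ValueError:
        return None
    url = fields[6]
    # CONNECT requests log "host:port" with no scheme, so urlsplit would misparse them
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"ts": ts, "client": fields[2], "status": fields[3], "bytes": size,
            "method": fields[5], "host": host or url, "user": fields[7]}


def parse_log(lines):
    return [r for r in map(parse_line, lines) if r is not None]


def usage_report(records):
    """Bytes per user and per destination host: the 'network usage' report.
    Unauthenticated requests are logged with user '-' and stay under that key."""
    per_user, per_host = defaultdict(int), defaultdict(int)
    for r in records:
        per_user[r["user"]] += r["bytes"]
        per_host[r["host"]] += r["bytes"]
    return dict(per_user), dict(per_host)


def connection_bursts(records, threshold=10, window=5.0):
    """For each (client, host) pair, the largest number of requests inside any
    span of `window` seconds (sliding window over sorted timestamps). Pairs at
    or above `threshold` are returned; confirm them on the client, since a
    busy but legitimate page can also produce many requests to one host."""
    times = defaultdict(list)
    for r in records:
        times[(r["client"], r["host"])].append(r["ts"])
    flagged = {}
    for key, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged


def analyse(lines, threshold=10, window=5.0):
    records = parse_log(lines)
    per_user, per_host = usage_report(records)
    return {"users": per_user, "hosts": per_host,
            "bursts": connection_bursts(records, threshold, window)}


if __name__ == "__main__":
    import json
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    result = analyse(source)
    result["bursts"] = {f"{c} -> {h}": n for (c, h), n in result["bursts"].items()}
    print(json.dumps(result, indent=2))
```

Run it as `python3 access_report.py < /var/log/squid/access.log` (path assumed) or with no input to see the constructed sample; on the sample it reports 17,794 bytes for alice and flags 10.0.0.9 for 12 requests to victim.example.net inside the 5-second window. The window and threshold should be set from a baseline of the site's own traffic before the output is used to cut anyone off.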

Conclusion
We have looked at the issues at stake for both an open-source and a commercial solution, as well as the possible architectures. The advantage of integrating Websense URL filtering with the PIX is that it can be deployed quickly (being downloadable software), but it provides no web caching and only covers Internet clients. An integrated proxy and content-filtering solution provides filtering and, in addition, one can expect Internet bandwidth savings (web traffic) on the order of 20 to 40%.
One point not covered for lack of time is the security of the solutions themselves, meaning their own security vulnerabilities and how quickly each vendor produces security patches.

References
Websites:
Squid : www.squid-cache.org
BlueCoat : www.bluecoat.com
Websense: www.websense.com
