Broadband Web Threat Test Report

Blue Coat
Web Threat Report
A Broadband-Testing Report
By Steve Broadhead, Founder & Director, BB-T
Blue Coat Web Threat Report
First published October 2010 (V1.1)
Published by Broadband-Testing
A division of Connexio-Informatica 2007, Arinsal, Andorra
Tel : +376 633010
E-mail : info@broadband-testing.co.uk
Internet : HTTP://www.broadband-testing.co.uk
© 2010 Broadband-Testing
All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.
Please note that access to or use of this Report is conditioned on the following:
1. The information in this Report is subject to change by Broadband-Testing without notice.
2. The information in this Report, at publication date, is believed by Broadband-Testing to be accurate and reliable, but is not guaranteed. All use of and reliance on this Report are at your sole risk. Broadband-Testing is not liable or responsible for any damages, losses or expenses arising from any error or omission in this Report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY Broadband-Testing. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY Broadband-Testing. IN NO EVENT SHALL Broadband-Testing BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This Report does not constitute an endorsement, recommendation or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products, or that the products will meet your expectations, requirements, needs or specifications, or that they will operate without interruption.
5. This Report does not imply any endorsement, sponsorship, affiliation or verification by or with any companies mentioned in this report.
6. All trademarks, service marks, and trade names used in this Report are the trademarks, service marks, and trade names of their respective owners, and no endorsement of, sponsorship of, affiliation with, or involvement in, any of the testing, this Report or Broadband-Testing is implied, nor should it be inferred.
© Broadband-Testing 1995-2010
TABLE OF CONTENTS
TABLE OF CONTENTS ... 3
BROADBAND-TESTING ... 5
EXECUTIVE SUMMARY ... 6
INTRODUCTION: THE SECURITY WORLD IS CHANGING: USING URL FILTERING AS A KEY DEFENCE LAYER ... 7
Blended Threats And Link Farms ... 11
WEB THREAT SECURITY – PUT TO THE TEST ... 13
Test 1 – Comparative Web Threat Test ... 15
Test 2 – Open Large-Scale Web Threat Test ... 17
REMOVING FALSE POSITIVES ... 18
Test 3 – The Social Networking Ratings Test (Facebook Test) ... 21
SUMMARY AND CONCLUSIONS ... 24
APPENDIX 1: CONFIGURATION DETAILS ... 25
Cisco IronPort S-Series ... 25
McAfee Web Gateway 1100 ... 26
WebSense V10000 G2 ... 26
Barracuda WebFilter 410 ... 28
Fortinet Fortigate 200B ... 29
Palo Alto Networks PA-2020 ... 30
Blue Coat ProxySG 210 ... 31
APPENDIX 2: THE BLUE COAT WEB THREAT SOLUTION ... 32
The Tiered Blue Coat Web Threat Solution: How Does It Work? ... 34
APPENDIX 3: K9 WEB PROTECTION – WEB FILTERING FOR ALL ... 37
K9 Web Protection – In Use ... 37
TABLE OF FIGURES
Figure 1 – Email vs Social Networking Users ... 7
Figure 2 – Blue Coat Web Filter ... 10
Figure 3 – Link Farms Example ... 11
Figure 4 – Web Threats Comparison URL Test ... 16
Figure 5 – Large Scale Web Threats Test ... 19
Figure 6 – Facebook Test ... 22
Figure 7 – Cisco IronPort ... 25
Figure 8 – IronPort Configurations/System Version ... 25
Figure 9 – McAfee Web Gateway 1100 ... 26
Figure 10 – McAfee Web Gateway – Category Content Filter ... 26
Figure 11 – WebSense V10000 G2 ... 26
Figure 12 – WebSense V10000 G2 Configuration ... 27
Figure 13 – Barracuda WebFilter ... 28
Figure 14 – Barracuda WebFilter 410 ... 28
Figure 15 – Fortinet Fortigate 200B ... 29
Figure 16 – Fortinet Administration ... 29
Figure 17 – Palo Alto PA-2020 ... 30
Figure 18 – PA-2020 Dashboard ... 30
Figure 19 – ProxySG 210: WebPulse/WebFilter Enabled ... 31
Figure 20 – ProxySG 210: Configuration ... 31
Figure 21 – Blue Coat ProxySG 210 ... 32
Figure 22 – The Complete Blue Coat Web Threat Defence With WebPulse ... 33
Figure 23 – K9 User Interface ... 38
BROADBAND-TESTING
Broadband-Testing is Europe's foremost independent network testing facility and consultancy
organisation for broadband and network infrastructure products.
Based in Andorra, Broadband-Testing provides extensive test demo facilities. From this base,
Broadband-Testing provides a range of specialist IT, networking and development services to
vendors and end-user organisations throughout Europe, SEAP and the United States.
Broadband-Testing is an associate of the following:
NSS Labs (specialising in security product testing)
Limbo Creatives (bespoke software development)
Broadband-Testing Laboratories are available to vendors and end-users for fully independent
testing of networking, communications and security hardware and software.
Broadband-Testing Laboratories operates an Approval scheme which enables products to be
short-listed for purchase by end-users, based on their successful approval.
Output from the labs, including detailed research reports, articles and white papers on the latest
network-related technologies, is made available free of charge on our web site at
HTTP://www.broadband-testing.co.uk
Broadband-Testing Consultancy Services offers a range of network consultancy services
including network design, strategy planning, Internet connectivity and product development
assistance.
EXECUTIVE SUMMARY
The traditional, static methods of web threat defence are no longer applicable as
the security landscape changes. Last year web threats increased by over 500%.
The volume of malicious code variants increased by almost 300% during 2009
and phishing attacks by almost 600%. Ninety percent of Web threats now come
from trusted web sites.
Multiple, dynamic defence layers are now required and users should see cloud-based URL filtering as their first layer providing most of the protection… over 90%
of web threat detections in reality. Blue Coat's WebFilter provides over seven
billion URL ratings per day from a customer real-time input base in excess of 70
million users. The WebPulse cloud service is used to generate real-time URL
ratings from this community and supports more than 50 languages, integrating
multiple threat detection engines and threat analysis technologies.
Many companies engage with a URL filter vendor and simply don't check whether
that filter is actually accurate and doing the job it should. Meantime, many URL
tests are fundamentally flawed, ignoring significant over-blocking, using very
small, geographically narrow URL samples and flawed setup techniques.
We put the Blue Coat solution to the test against several competing products,
using a range of tests including URL samples of around 900,000, collected
globally over a seven day period, direct web threat comparison finds and a
Facebook specific test.
We found that, in each case, the Blue Coat solution was the most accurate, most
flexible and most capable URL filter, often by a very significant margin. In some
cases, competing products categorised less than 1% of the URLs categorised by
Blue Coat, and these were genuine instances, not a case of false positives or
over-blocking.
In contrast, we did see evidence of serious over-blocking in the case of some of
the competitors. While this might look great in results of badly designed tests
(and it does, believe us!) in practice it is a very frustrating symptom of a badly
designed URL filter product and can prove very costly in every sense.
Overall, we showed that there is no substitute for a truly comprehensive, global,
cloud-based filter system – something that Blue Coat has clearly got very
successfully in place. Without this, it is evident that there is no way that the high
levels of accuracy and real flexibility – both of which are absolute requirements
nowadays in a URL filtering product – can be achieved.
INTRODUCTION: THE SECURITY WORLD IS CHANGING:
USING URL FILTERING AS A KEY DEFENCE LAYER
Securing a network has never been a trivial task.
However, to date the threats have been relatively straightforward to identify and block:
AV – check.
Firewall – check.
IDS/IPS – check.
And so forth. Such was the methodology, regardless of whether you went for an "all in
one" UTM appliance type approach or a multi-appliance solution, depending on your
requirements. The point was, you created an IT security blanket and the threats were
(largely) blocked because they were well-defined and known, so you could match them
directly to a specific solution.
Unfortunately, that "easy to identify, menu of security options" kind of solution is no
longer applicable in this malware era. Threats are no longer obvious and clearly labelled.
Multi-tiered threats, easily triggered by unknowing users innocently browsing the
Internet, are beyond the reach of traditional security tools. For example, according to
Blue Coat Labs, social networking has become the number one Web activity, representing
over 25% of all Web requests for the top ten Web categories they categorise and has
already overtaken email (see graph below – numbers in millions) and is pulling yet
further away from that traditional messaging format in terms of popularity.
Figure 1 – Email vs Social Networking Users
But social networking comes with a security cost: in 2009, cybercriminals effectively used
social network sites as a vector for launching and proliferating botnets. As of October
2009, the Zeus botnet sent over 1.5 million phishing messages on Facebook. Koobface B
targeted users of Bebo, Facebook, Friendster, hi5, MySpace, and Twitter to infect over
800,000 PCs while other versions of Koobface weren't far behind. Clearly, cybercriminals
are taking advantage of social networking's fundamental model of familiarity, trust,
sharing, and open communications to fool users and steal valuable data.
Not only is the source of the threat itself different, but so is the malware methodology.
Historical threats such as viruses and worms spread generically to as many potential
victims as possible, making them relatively easy to identify and block. But web-based
threats take a different path. For example, attacks can be extremely targeted, rather than
generic, focusing on anything from a geographical region down to a specific company or
group of users. They are also smarter in terms of their attack strategy. Rather than
simply going for the mass search and destroy tactics, the new threats have tiered
execution, triggering at different times. Something like a keystroke logger may log data
for hours or days before triggering. A botnet can be idle for indefinite periods before
being brought to life by a command and control server.
These variations and hidden background activity make malware far more difficult to deal
with – i.e. to detect, prevent and block – than traditional threats. It also doesn't fit into
the classical security lifecycle methodology from analysis through to signature distribution
to the vendor user base. The dynamic nature of malware means that, what is a relatively
long-winded process of identification and prevention for blocking traditional threats simply
does not work in time.
The Rapid Rise Of The Web Threat – Malware
It is generally accepted in the industry that the volume of malicious code variants
increased by almost 300% during 2009 and phishing attacks by almost 600%. Ninety
percent of Web threats now come from trusted web sites – a scary statistic. Beyond the
Conficker panic, primary threats were focused on criminal activity such as identity theft,
fraud, and botnet proliferation. Online theft now exceeds $1 trillion annually and this is
likely to increase significantly year on year.
Last year, web threats as a whole increased by more than 500%: just think about that
number. Moreover, more than 40% of malicious code threats now target Internet
browsers rather than underlying operating systems, the traditional target.
The web browser is a relatively easy target for a number of reasons. First, web
applications tend to be vulnerable, making them easy to infect. Worse still, users tend to
wholly trust websites of well-known brands. However, big names such as Google and
Honda have been compromised and used for malware proliferation in the past, so no one
and nothing is sacred. The major search engines in general are targeted; crooks can
create bogus search results in link farms (see separate entry) that take unwary users to
web threats, time and time again.
The Rapid Rise Of The Web Threat – Malware And The Numbers It Generates
The reality is that global cybercrime now produces a new variant of malware every 1.5
seconds. Literally millions of new dynamic links are created each day, often containing
multiple types of rich media content, executable scripts, dynamic links, and XML tags
along with static text.
So, any one element in this daily dynamic link avalanche can contain a malicious payload
even when they originate from trusted sites. This is what catches users out and makes
the malware so difficult to contain.
So – to some numbers, taken from real Blue Coat customers:
1. A large financial customer with over 300,000 users to support blocks over 49,000 web
threats per day on average and over 1,700 inline AV detections per day.
2. A second financial customer, this time with over 270,000 users, reported over
548,000 web threats in one month, with over 9,000 inline AV detections.
In both cases, over 96% of threats were blocked by the URL defence layer, then layer two
with inline AV detection picked up the hidden paths (SSL) and user authenticated/token
web downloads where the cloud cannot analyse content.
These examples show how multiple defence layers are now required and customers
should see URL filtering as their first layer providing most of the protection… over 90% of
web threat detections.
From a timing perspective, then, the ability to identify and block the new threats in as
close to real-time as possible (zero-day becomes zero-hour becomes zero-minute…) is
basically impossible with traditional security tools. Instead, the 'cloud' needs to be utilised
as a means of providing the speed and flexibility required to capture and block the new
web threats, with URL filtering as the first line of defence.
To this end, Blue Coat has created a cloud-based security community, made up of
security software and ProxySG gateway devices – plus the Blue Coat ProxyClient/K9 Web
protection remote clients and WebFilter – with an active community of over 70 million
users, and a global cloud-based security service layer, WebPulse.
Key here is the cooperation of the broad global community. These members provide real-time input of any new links or content to the Blue Coat WebPulse analysis centres. The
links are then put through a series of automated security technologies and manual
inspections for analysis (Dynamic Link Analysis or DLA). Malicious IP addresses, URLs,
and Web content are added to the master cloud database providing immediate protection
for cloud-connected Blue Coat gateways and clients.
Flexibility is also vital here, since Blue Coat's cloud-based community solutions can be
deployed alone or as part of a broader application networking initiative.
Figure 2 – Blue Coat Web Filter
Cybercriminal Twitter
Twitter, originally seen as a specialist tool for both social and professional networking,
has shot into the limelight in the past 12 months. From being a relatively unknown
technology in 2008 it has become a de facto choice for users who want to quickly share
ideas in real-time. As a result, the number of "tweets" per day grew from just 2.5 million
in January 2009 to over 35 million by the end of the year, with no slowdown forecast or
yet seen. Twitter's popularity brought it to the attention of cybercriminal organisations,
which found several ways to manipulate the service into distributing malware and
phishing links with enticing, socially engineered messages. As we said, nothing is safe or
sacred…
Blended Threats And Link Farms
Blended threats are one of the fastest growing attack types, notably since 2009. In just
one type of attack, potentially hundreds of web sites are created, some to serve as
phishing sites, some to deliver multiple and different forms of malware, some appearing
as fake search results, and others simply as bait pages. The latter are designed to attract
visitors by giving the appearance of legitimacy by including semi-legitimate content and
cross-referencing each other. Very clever in other words…
Figure 3 – Link Farms Example
Otherwise known as 'link farms', the name refers to the way the victim is passed between
sites around the link farm and 'fed' regulated bits of information until their sensitivity to
warning signs is diminished. Using link farms, cybercriminals are able to accomplish a
number of tasks. A key task is to convince search engines to view link farms as being
relevant to a specific set of search terms. Researching the most commonly searched
terms, cybercriminals are able to ensure their pages target the biggest number of users
possible. The high number of links fools search engines into thinking the target page is
not only relevant but genuinely authoritative, simply based on the high link count
referencing that page.
By spamming blogs, forums and other UGC sites, the relevance of the target pages within
search engines is increased. This spamming is automated with botnets set to auto-scan
thousands of web sites enabling the blended threats to be generated very quickly and
efficiently. Reach is further increased by tracking user behaviour and preferences.
In this way messages and tactics can be refined so link farms can still reach victims
whose original search terms would not otherwise lead them to malicious sites. Each site
provides links to other sites within the farm, where the attackers can track the user's
behaviour and use that information to improve future iterations of the attack. A key factor
in their success is the ability to hide the malware host location. Link farms can use one or
more redirectors between the content and the malware, which helps conceal where the
malware is actually hosted.
Hiding the host is the most difficult – and the most critical – part of the attack to
implement. In addition to the collection of related content sites, two other site types have
become common elements in these farms. Fake antivirus, scanner-like offerings have
been very successful, so the cybercriminal element has continued to make use of this
technique through 2010 and undoubtedly beyond. Fake search engines have also become
a common way to drive users to a link farm or malicious site because they mimic
legitimate, trusted search engines in look and feel, as well as behaviour.
Cloud-Based URL Filtering – Now A Critical Requirement
With web threats now effectively a continuous attack, the traditional concept of passive
URL filtering with downloaded updates on a scheduled basis is simply not up to the job.
Because approximately one-third of web threats are detected on the fly using dynamic
link analysis, a defence mechanism that cannot detect these threats in real-time is no longer a suitable form of defence. In other words, you cannot
defend against dynamic attacks with a passive defence mechanism, typified by the classic
remote user with a laptop and an AV engine which updates daily. At the same time, it is
important to understand which vendors are purely paying "lip service" to the cloud
concept, and which are fully embracing it. For example, Blue Coat has created a cloud-based strategy with over 300 language-category automated rating libraries, over 16 cloud
defence technologies & new defences that require no patching at the gateway or remote
client end points, and up to four multi-category ratings per request (as nested
classifications).
The cloud-connected remote client (ProxyClient) is provided as part of the WebFilter
solution, with no additional charge. Benefits of such an approach are multifold. In addition
to no patch requirement, these end points have real-time security intelligence access. The
cloud-based defence mechanism can expand with zero impact to end points. Contrast
this with the disruption caused by huge downloads onto the client as is the case with
traditional static defence mechanisms. As the Web becomes increasingly complex, a
single classification methodology for URLs, even where there might be a secondary sub-classification, is no longer enough. Instead, multiple nested classifications for Web
applications and social networking are what is needed. Blue Coat provides a four-layer
classification, with a view to providing better accuracy, improved policy controls and more
detailed reporting as a result. Blue Coat claims to see more new web content than its
competitors – something we put to the test here – and even provides a publicly accessible
site review web page with a one-day SLA for suggested rating changes:
http://sitereview.bluecoat.com/sitereview.jsp
WEB THREAT SECURITY – PUT TO THE TEST
In order to test the Blue Coat Web threat solution we created a test bed to capture real
traffic from the Internet which we could then feed through the Blue Coat ProxySG 210
and six of its rivals, listed as follows:

- Cisco/IronPort S-Series
- McAfee Web Gateway 1100
- WebSense V10000 G2
- Barracuda WebFilter
- Fortinet Fortigate 200B
- Palo Alto Networks PA-2020
The Blue Coat ProxySG 210 Series under test was configured with SGOS v5.5.3.1 Proxy
Edition, Web Filtering with the WebPulse Service dynamic categorisation enabled, and
Visual Policy Manager set to log malware rather than block it.
All the rival products were configured with the latest software/firmware upgrades
available (see appendix for details) and all critical features enabled in order to ensure
best performance possible.
We did note some points of interest here. For example, unless the Palo Alto device was
set to block everything it would not log entries, so this is the only way we could get the
category response information from it.
The Cisco IronPort categorisation methodology – whereby it assigns a reputation score
from +10 to -10, positive to negative (negative being threats) – can only be
described as "interesting", given that it OEMs the BrightCloud URL filter database. We
actually see it as essentially lazy; these ratings should be translated into meaningful text
categorisations for easy reference. Obviously Cisco will see otherwise but we don't get it.
One interesting point to observe about the WebSense device is that it has multiple
management interfaces; we can only assume that this is a result of acquired technologies
– not unusual in itself of course – that have been loaded onto the one platform but still
run as individual applications effectively. We have experienced this scenario before with
other vendor network products, so it is by no means an exception but still smacks of
unfinished business where integration is concerned.
Testing URL Defence Layers – Not Trivial…
Testing web threat detection by URL filtering can appear to be a trivial exercise.
At its most basic (think dumbed-down) this could simply involve capturing the logs of one
or more products over a given period of time and measuring how many URLs were
blocked. It is easy to see why an innocent reader might think that a high score here –
with no further analysis – is good; after all, the world is based around a general
acceptance that bigger is better.
However, over-blocking (blocking pages that are not threats, i.e. false positives) is the biggest, most
common and most damaging error a URL filter can make. Let's face it, if you want to
block everything just set a firewall to deny all access. But this hardly makes for a
workable environment, anything but. Over-blocking simply leads to more expense as
angry users bombard the helpdesk and a product purchase in order to allegedly protect
users and reduce OpEx actually creates the complete opposite.
At Broadband-Testing labs, we have seen results from other tests (run by other parties)
where there appears to be an astonishing performance gap between two or more vendors
in terms of their ability to block web threats, but these clearly did not take over-blocking
into account.
In order to do so you need to manually analyse the blocked URLs and see exactly what
has been blocked, how it has been categorised and then ask the question, "Why?" In many
cases you will find that the blocked web page has no threat (neither direct nor linked) and
is often an innocent graphic or script.
And in order to create a real-world test, in line with the day-to-day experiences of end
users around the globe, the URL capture count needs to be as high as possible and as
globally diverse as possible. Even where a user only works in one language (say English),
thanks to link farms, or even innocent linking, they can be taken through a variety of
countries and language content without them even knowing.
Equally, when comparing different products, in order to get an apples to apples
comparison, life ain't so easy! Each vendor has a different way of establishing their
categorisations, or even how they capture and store the URL information in the same
place, so it's not as simple as just pressing the "go" button on each product. Instead, it is
important to understand how each one works and configure it accordingly to ensure you
get as close as possible to a true, equal configuration in each case.
As we said, not trivial…
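The following Python scorer is an added example of the comparison the methodology above calls for (and that Test 1 reports as detections "as % of" the Blue Coat figure); it is not the report's own tooling or any vendor's product. It assumes a constructed baseline of validated threat URLs and constructed per-vendor log lines of the form "<url> <ACTION> <verdict>"; a numeric verdict is treated as an IronPort-style reputation score, with scores below -6 counted as a threat, as the Test 1 note describes.

```python
"""Scorer for the URL-filter comparison methodology the report describes.

Constructed example, not the report's or any vendor's code. Inputs: a baseline
of URLs a reference filter rated as malware or phishing, and per-vendor logs of
"<url> <ACTION> <verdict>" lines (ACTION is BLOCK or ALLOW; the verdict is a
text category or an IronPort-style reputation score from +10 to -10).
"""
from __future__ import annotations
from dataclasses import dataclass, field

THREAT_CATEGORIES = ("malware", "phishing")
REPUTATION_THREAT_THRESHOLD = -6.0  # report: a score below -6 = poor reputation

# Constructed baseline: URL -> category assigned by the reference filter.
BASELINE = {
    "http://mal1.example/a.exe": "malware",
    "http://mal2.example/b": "malware",
    "http://mal3.example/c": "malware",
    "http://mal4.example/d": "malware",
    "http://phish1.example/login": "phishing",
    "http://phish2.example/bank": "phishing",
}

# Constructed log from a vendor that emits text categories.
CATEGORY_VENDOR_LOG = """\
http://mal1.example/a.exe BLOCK malware
http://mal2.example/b BLOCK malware
http://mal3.example/c ALLOW news
http://mal4.example/d ALLOW uncategorised
http://phish1.example/login BLOCK phishing
http://phish2.example/bank ALLOW finance
http://cdn.example/logo.png BLOCK malware
http://news.example/story ALLOW news
"""

# Constructed log from a vendor that emits only a reputation score.
SCORE_VENDOR_LOG = """\
http://mal1.example/a.exe BLOCK -9.5
http://mal2.example/b BLOCK -7
http://mal3.example/c ALLOW -5
http://mal4.example/d BLOCK -8
http://phish1.example/login ALLOW 2.1
http://phish2.example/bank BLOCK -6.4
http://forum.example/thread BLOCK -7.2
http://news.example/story ALLOW 8
"""


def normalise_verdict(raw: str) -> str | None:
    """Return 'malware', 'phishing', 'threat' (poor reputation score) or None."""
    raw = raw.strip().lower()
    if raw in THREAT_CATEGORIES:
        return raw
    try:
        score = float(raw)
    except ValueError:
        return None  # any other text category is not a threat verdict
    return "threat" if score < REPUTATION_THREAT_THRESHOLD else None


def parse_log(text: str) -> list[tuple[str, str, str | None]]:
    """Parse '<url> <ACTION> <verdict>' lines into tuples; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1].upper(), normalise_verdict(parts[2])))
    return rows


@dataclass
class VendorScore:
    vendor: str
    # baseline URLs this vendor flagged as a threat, keyed by baseline category
    detected: dict[str, int] = field(
        default_factory=lambda: {c: 0 for c in THREAT_CATEGORIES})
    # URLs blocked but absent from the baseline: the manual over-block review list
    over_block_candidates: list[str] = field(default_factory=list)

    def percent_of_baseline(self, baseline: dict[str, str]) -> dict[str, float]:
        """Detections as a percentage of the baseline count, per category."""
        totals = {c: sum(1 for v in baseline.values() if v == c)
                  for c in THREAT_CATEGORIES}
        return {c: round(100.0 * self.detected[c] / totals[c], 2) if totals[c]
                else 0.0 for c in THREAT_CATEGORIES}


def score_vendor(vendor: str, log_text: str,
                 baseline: dict[str, str]) -> VendorScore:
    """Score one vendor's log against the baseline. Detection is judged on the
    verdict, not the action, because the reference device in the report logged
    malware rather than blocking it; any threat verdict is credited to the
    baseline's category, since a score-only vendor cannot name the threat type."""
    result = VendorScore(vendor)
    seen: set[str] = set()
    for url, action, verdict in parse_log(log_text):
        if url in seen:
            continue  # count each URL once, however often it was requested
        seen.add(url)
        if url in baseline:
            if verdict is not None:
                result.detected[baseline[url]] += 1
        elif action == "BLOCK":
            result.over_block_candidates.append(url)
    return result
```

Every URL in over_block_candidates still has to be opened and examined by hand, as the text above says; the script only narrows the list to the blocks the baseline cannot vouch for.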
Test 1 – Comparative Web Threat Test
In this test our aim was to compare a list of web threats (malware and phishing based)
captured in real-time by the Blue Coat community cloud-based WebPulse defence (inputs
to WebPulse include both gateways and remote clients, as any ProxySG or remote client
reports a new unrated URL for immediate cloud analysis) against the ability of some of its
rivals to provide the same level of protection to their customers. So, new malware or
phishing threats detected by the Blue Coat cloud defence services were immediately tested
against the six other web gateways in the test bed. This involved pushing the captured
threat URLs through each device and comparing the logs captured. We have already
identified in the report introduction that web threat creation is now reaching epidemic
proportions, so the need to be able to accurately capture and report these new threats in
as close to real-time (zero day) as possible is an essential security requirement now.
Given that WebFilter provides over seven billion web ratings per day, mainly to ProxySG
devices, the volume generation would seem to be substantially higher than that of its
rivals as Blue Coat has over 70M users providing real-time inputs for web awareness. It
might also explain the results, as we'll see in a moment. To make this test more
comprehensive we initially re-tested each threat URL every hour, to see when a competitor
did rate it, or whether no rating was ever provided by the competitor even after several
days. Given that most of the competitors have neither real-time feedback loops from
customer devices nor real-time analysis technologies for web content and threats, the
hourly check was removed from the analysis once the initial test analysis had proved the
point. The point remains, though: real-time inputs and rating technologies are very
important in making URL filtering a web defence. In total, 15,840 URLs were captured as web threats, including
malware sources, call-home attempts, potentially unwanted software or phishing sources
by Blue Coat during a 48-hour period and cross-checked against competitors for this test,
with the following breakdown by web gateway/URL filter vendor name and recognition of
URLs as being either malware or phishing. The comparison focused on malware and
phishing as not all vendors categorise the broader scope of web threats provided by Blue
Coat. Therefore a total of 12,112 URLs provided the baseline. Of course, we would expect
all vendors to perform equally, given a URL list with zero false positives – i.e. each URL is
a validated threat. So let's see what our results showed…
Vendor                 Malware   As % of BCF   Phishing   As % of BCF
Blue Coat WebPulse       3698                     8414
McAfee WebGateway        1121       30.31%        2163       25.71%
Barracuda                 250        6.76%           7        0.08%
Fortinet                  190        5.14%         679        8.07%
IronPort *               1521       41.13%        3247       38.59%
PaloAlto                  831       22.47%         239        2.84%
WebSense                 1629       44.05%        1397       16.60%

* Note: IronPort does not actually categorise threats into malware or phishing, but only
as having a poor reputation (given a score of less than -6). For the totals in this test, we
separated those URLs identified by IronPort as having a bad reputation into malware or
phishing based on the classification of the URLs originally identified by the Blue Coat
As we can see, Blue Coat achieved the highest ratings on both malware and phishing with
3,698 entries for malware (the second highest was WebSense with 1629) and 8,414
instances of phishing (compared with the second highest score – 3,247 achieved by
Cisco's IronPort, but see the note regarding its "categorisation" methods).
To put this into perspective, none of the competitors got near to recording 50% of the
successful ratings achieved by the Blue Coat solution. Fortinet, Barracuda and PaloAlto
trailed very badly – disastrously in some cases.
Figure 4 – Web Threats Comparison URL Test
We can only conclude from this that the Blue Coat capture and analysis methodologies
are superior to those of its rivals.
Test 2 – Open Large-Scale Web Threat Test
This test was an open, large-scale general web test aimed at identifying the accuracy of
Blue Coat's URL filtering categorisation capabilities, both in isolation and in comparison
with the competitors listed above. The URLs were openly sourced, so each vendor had an
equal chance to detect malware or phishing sites side by side.
It involved a week-long capture of URLs from regions across the globe from remote
clients (ProxyClient, K9 Web Protection and OEM Partners to Blue Coat) seeking a rating
from the WebPulse cloud service. These are open URLs provided from remote users, not
testing URLs, hand selected URLs or filtered in any manner. The remote users from
around the globe provide a large source of URLs – almost 900,000 in total, meaning this is
real-world testing; the kind of numbers seen by the biggest companies in the world. This
"Go Large" approach is essential in order to generate meaningful test results when we are
looking at general URL analysis.
Here we were looking for absolute accuracy in identifying potential threats. Over-blocking
of URLs (generating false positives) is something we absolutely did not want to see here,
as this renders a URL filter not only a complete waste of time and money, but potentially
damaging to job and work productivity. Therefore we chose to manually investigate
blocked URLs in order to validate their categorisations. The results proved to be very
interesting…
In the process of web filtering, each vendor has a different set of categories which they
assign to URLs, and these are not always obvious to equate between vendors. When
assessing the capabilities of each vendor to block threats, we wanted to ensure that the
categories used by each vendor were as equivalent as possible. Note that Cisco IronPort does
not provide categories for Malware or Phishing, so Reputation Ratings for IronPort against
all vendors are reviewed later in the test report. We matched the categories of web
threats (malware, scripts, etc.) and phishing in the following way for the remaining
vendors:
Web Threats
  Blue Coat:  Spyware/Malware Sources; Spyware Effects/Privacy Concerns
  Barracuda:  Spyware
  Fortinet:   Spyware and Malware
  PaloAlto:   malware-sites; spyware-and-adware; keyloggers-and-monitoring
  McAfee:     Malicious Sites; Spyware/Adware/Keyloggers
  WebSense:   Malicious Web Sites; Keyloggers

Phishing
  Blue Coat:  Phishing
  Barracuda:  phishing-fraud
  Fortinet:   Phishing
  PaloAlto:   phishing-and-other-frauds
  McAfee:     Phishing
  WebSense:   Phishing and Other Frauds
Numbers from this test initially included false positives for all vendors' products, which
made results look favourable for both McAfee and WebSense for Web Threat URLs and
more favourable for Blue Coat for Web Threat URLs and Phishing. However, upon detailed
analysis and removal of false positives, the results below provide a truer picture.
After elimination of URLs regarded as not being a threat, the numbers were as follows:

Vendor        Web Threat URLs   Phishing
Blue Coat           256            355
McAfee              255             10
Barracuda           116             18
Fortinet             40             11
Palo Alto            54              1
WebSense             34              7
Removing False Positives
We first identified all URLs which were obviously
graphic or text files – where the URL ended in .jpg,
.jpeg, .gif, .png, .ico, .css, .xml or .js. In the majority
of cases we loaded these into the browser to make
sure that they were really the file types specified –
all were as expected.
Next, we identified all Shockwave and Flash Video
URLs – all these files were downloaded and checked
with antivirus and anti-malware – none of these
were found to contain malware. In this way, for
example, we had to reduce the number of Web
Threat URLs categorised by McAfee by 355 false
positives. We had a similar experience with
WebSense, also showing a high false positive count.
We next totalled up the number of URLs assessed as
threats by each vendor where at least one other
vendor agreed with the category – we regarded this
rating by the vendor as being a true positive. So, for
example, 52 URLs categorised by McAfee as web
threats were regarded as true positives.
The remaining URLs were then hand-checked by
loading them up into a web browser (Firefox). As an
aid here, we enabled the threat and web forgery
blocking by Firefox and also checked the rating
given by Web of Trust (WOT). In this way, a number
of URLs rated by McAfee WebGateway and
WebSense were checked, resulting in more false
positives, leading to the numbers shown left being
definite or possible malware threats.
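The false-positive elimination described above can be expressed as a small triage script. The following Python is an added example, not tooling from the report or from any of the vendors tested; it uses the vendor category names quoted in the report (for the four vendors whose names are unambiguous: Blue Coat, McAfee, WebSense and PaloAlto), a constructed set of per-vendor verdicts on placeholder example.test hosts, and the report's two mechanical rules (static-asset extensions, agreement between at least two vendors), leaving Shockwave/Flash files and single-vendor verdicts for the AV and browser checks the report performed by hand.

```python
"""Triage of URL-filter verdicts following the report's false-positive
elimination steps: normalise each vendor's categories to Web Threat or
Phishing, set aside static assets and Flash/Shockwave files, and treat a
verdict as a true positive only when at least two vendors agree on the
class. Added example, not the report's own tooling; the verdict data
below is constructed and uses placeholder example.test hosts."""
from collections import defaultdict
from urllib.parse import urlparse

# Vendor category -> normalised class, as matched in the report's table.
CATEGORY_MAP = {
    "Blue Coat": {"Spyware/Malware Sources": "web_threat",
                  "Spyware Effects/Privacy Concerns": "web_threat",
                  "Phishing": "phishing"},
    "McAfee":    {"Malicious Sites": "web_threat",
                  "Spyware/Adware/Keyloggers": "web_threat",
                  "Phishing": "phishing"},
    "WebSense":  {"Malicious Web Sites": "web_threat",
                  "Keyloggers": "web_threat",
                  "Phishing and Other Frauds": "phishing"},
    "PaloAlto":  {"malware-sites": "web_threat",
                  "spyware-and-adware": "web_threat",
                  "keyloggers-and-monitoring": "web_threat",
                  "phishing-and-other-frauds": "phishing"},
}

# Extensions the report treated as graphic/text files (confirmed in a browser).
STATIC_EXT = (".jpg", ".jpeg", ".gif", ".png", ".ico", ".css", ".xml", ".js")
# Shockwave / Flash video: the report downloaded these and ran AV over them.
MEDIA_EXT = (".swf", ".flv")


def normalise(vendor, category):
    """Map a vendor category to 'web_threat', 'phishing' or None (not a threat)."""
    return CATEGORY_MAP.get(vendor, {}).get(category)


def path_ext_in(url, exts):
    # Match on the URL path only, so a query string cannot hide the extension.
    return urlparse(url).path.lower().endswith(exts)


def classify_url(url, vendor_classes):
    """Status of one URL from the (vendor, class) verdicts it received."""
    if path_ext_in(url, STATIC_EXT):
        return "static_asset_fp"      # step 1: obvious graphic/text file
    if path_ext_in(url, MEDIA_EXT):
        return "media_needs_av"       # step 2: download and scan before deciding
    by_class = defaultdict(set)
    for vendor, cls in vendor_classes:
        by_class[cls].add(vendor)
    if any(len(v) >= 2 for v in by_class.values()):
        return "true_positive"        # step 3: at least one other vendor agrees
    return "manual_review"            # step 4: browser / WOT check by hand


def triage(verdicts):
    """verdicts: iterable of (vendor, url, category). Returns url -> info."""
    per_url = defaultdict(list)
    for vendor, url, category in verdicts:
        cls = normalise(vendor, category)
        if cls is None:
            continue                  # not a Web Threat / Phishing category
        per_url[url].append((vendor, cls))
    return {url: {"status": classify_url(url, vc), "verdicts": vc}
            for url, vc in per_url.items()}


def consensus_counts(triaged):
    """Per vendor, how many true-positive URLs it rated in each class."""
    counts = defaultdict(lambda: defaultdict(int))
    for info in triaged.values():
        if info["status"] != "true_positive":
            continue
        by_class = defaultdict(set)
        for vendor, cls in info["verdicts"]:
            by_class[cls].add(vendor)
        for cls, vendors in by_class.items():
            if len(vendors) >= 2:     # credit only the agreeing vendors
                for vendor in vendors:
                    counts[vendor][cls] += 1
    return {v: dict(c) for v, c in counts.items()}


# Constructed sample verdicts (not data from the report).
SAMPLE_VERDICTS = [
    ("McAfee",    "http://cdn.example.test/banner.jpg?v=2", "Malicious Sites"),
    ("WebSense",  "http://cdn.example.test/banner.jpg?v=2", "Malicious Web Sites"),
    ("McAfee",    "http://media.example.test/player.swf",   "Malicious Sites"),
    ("Blue Coat", "http://login.example.test/verify",       "Phishing"),
    ("WebSense",  "http://login.example.test/verify",       "Phishing and Other Frauds"),
    ("PaloAlto",  "http://login.example.test/verify",       "phishing-and-other-frauds"),
    ("Blue Coat", "http://dl.example.test/setup.exe",       "Spyware/Malware Sources"),
    ("McAfee",    "http://dl.example.test/setup.exe",       "Spyware/Adware/Keyloggers"),
    ("WebSense",  "http://news.example.test/story.html",    "Malicious Web Sites"),
    ("McAfee",    "http://news.example.test/story.html",    "Phishing"),
    ("Blue Coat", "http://shop.example.test/",              "Shopping"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_VERDICTS)
    for url, info in sorted(result.items()):
        print(f"{info['status']:16} {url}")
    print(consensus_counts(result))
```

Run stand-alone, the script marks the .jpg a probable false positive regardless of how many vendors flagged it, queues the .swf for scanning, credits the phishing and executable URLs as true positives, and leaves the URL where the two vendors disagree on class for manual review; the Shopping verdict never enters the comparison, mirroring the report's restriction to malware and phishing categories.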
Calling Home
Blue Coat Web Filter malware categorisation consists of spyware/malware sources and
spyware effects (AKA "call-home" traffic). The company believes this level of visibility is
more flexible and specific than that of other vendors, helping to identify infected systems
for remediation. Indeed, some vendors require a separate product for call home analysis
which is therefore not part of their URL filtering solution nor real-time or cloud-based to
see a wider view of web traffic from millions of users.
Figure 5 – Large Scale Web Threats Test
Again we can see that Blue Coat scored extremely well in both phishing and web threat
categorisations, with only McAfee coming close in terms of web threat categorisation and
all the rivals performing very poorly in terms of phishing categorisation.
In addition to categorising URLs as Web Threat or Phishing URLs, three vendors also
categorise (in different ways) by reputation:
The Blue Coat Web filter has a category of 'Suspicious'.
IronPort filters URLs for threats based on reputation only with no ability to identify
Malware, Call-Home, or Phishing.
McAfee, in addition to identifying web threats and phishing URLs also identifies
whether a URL is 'High Risk'.
Given these abilities, we identified for Blue Coat Web Filter the numbers of URLs in these
two categories:

Spyware Effects (call-home)     23
Spyware/Malware Sources        225
Both                             8
Total                          256
For the URLs identified by IronPort and McAfee as having a poor reputation we identified
how many of these URLs matched the threats identified by the other vendors as follows:
Percentage of IronPort reputation URLs matched by other vendors

Vendor              Phishing  Web Threats  Phishing & Web Threats  Reputation  Phishing & Reputation  Reputation & Web Threats    All
Blue Coat WebPulse    6.05%      2.85%             0.00%              0.42%            0.07%                  0.14%             9.31%
McAfee WebGateway                2.02%                                2.22%                                   1.81%             4.24%
Barracuda                        0.63%                                                                                          0.63%
Fortinet                         0.07%                                                                                          0.07%
Palo Alto                        0.00%                                                                                          0.00%
WebSense              0.69%      0.28%                                                                                          0.97%
Percentage of McAfee reputation URLs matched by other vendors

Vendor              Phishing  Web Threats  Reputation    All
Blue Coat WebPulse    0.14%      0.41%       1.65%      2.19%
WebSense              1.65%      0.27%                  1.92%
Barracuda                        1.78%                  1.78%
Fortinet                            0%
Palo Alto                           0%
As can be seen above, very few of the URLs rated as having a bad reputation are
matched by other vendors as being a threat. In fact, in many cases during analysis we
found that these URLs led to sites with pornographic content to a greater or lesser
extent (and so had a poor reputation as extreme porn sites), or to sites that WOT
users had marked down for giving a bad "customer experience".
For example, a user paid for a download and clicked on the link provided, was led
to further links, but never managed to download what they had ordered. As such,
reputation ratings do not provide much protection from web threats, nor do they
indicate what sort of risk a URL may subject a user to.
Test 3 – The Social Networking Ratings Test (Facebook Test)
Facebook – so it may be one of the most popular applications on the Internet, both within
home and office, but is it something that can be trusted to protect the user from
malicious content and links? It's social networking, yes, but it's also a lot more than that
– both good and bad.
So, from a URL filtering perspective, simply recording a Facebook URL as "social
networking‖ is worse than useless from a business perspective. While one option for
companies is to simply block all Facebook access in the workspace, not only will this
cause disgruntled employees but it also negates some of the positive elements of using
Facebook as a business tool. Given that Facebook is the largest domain in social
networking with over 500 million users, with support for over 70 language variants, it
makes an excellent test scenario for social networking. It is therefore important to be able
to categorise Facebook URLs beyond the basic application and analyse and report on the
content of that Facebook page being viewed. In this way intelligent decisions can be
made about what Facebook entries are valid and which are clearly not.
Facebook test results (1618 URLs rated by all vendors)

Blue Coat WebFilter
  First category:   Social Networking 1616; Games 1; Chat/Instant Messaging 1
  Second category:  Society/Daily Living 358; Games 548; Entertainment 297; All Other (13 categories) 456
  Third category:   14 URLs

Barracuda
  First category:   1618 (computing-technology, social-networking)

Fortinet
  First category:   Social Networking 1467; Games 148; All Other 3
  No second and third categories identified

IronPort
  First category:   1618 (social networking, reputation of +8.8)

PaloAlto
  First category:   1618 (Social-networking)

McAfee WebGateway
  First category:   Social Networking 1327; Entertainment 133; Games 98; All Other 60
  Second category:  Games, Sports, Game/Cartoon Violence and All Other categories (individual counts 9, 4, 6, 7 and 2)
  Third category:   4 URLs

WebSense
  First category:   Social Networking 393; Games 743; Entertainment 274; All Other 208
  No second and third categories identified
To put this to the test we sampled 1600+ URLs for Facebook applications and analysed
them using Blue Coat‘s solution, then those of the competitors. Here we were specifically
looking to see how the URL filters would categorise and sub-categorise the Facebook
pages we capture; thus providing visibility into specific applications, games, and activities
within Facebook. In total 1618 URLs were tested where all vendors had given a rating.
Ideally we were looking for all vendors to provide multiple category rating – as many as
three – per web request in order to provide some meaningful information for the user.
Otherwise Facebook can become a potential liability when, in practice, it can be a useful
working tool.
As can be seen in the table, the Barracuda WebFilter, the Palo Alto PA-2020 and the
IronPort categorised all the URLs as Social Networking (or their equivalent term). IronPort
also gave each URL a web reputation of +8. Note also that the default setting of an IronPort
web gateway is to not use inline AV engines for URLs with a reputation rating above +6.
In each of these cases this is clearly worse than useless, as it gives the user no
understanding of any potential abuses or threat-correlated content.
With WebSense all URLs were only given one rating, with no secondary categorisation
whatsoever. Blue Coat WebFilter meantime rated 1,616 URLs as Social Networking, with
the 2 other URLs rated only as Games and Chat/Instant Messaging respectively. Of the
URLs rated as Social Networking, 1,611 URLs were also given a second category rating,
the majority being Games, Entertainment or Society/Daily Living. The McAfee Web
gateway rated 1,327 URLs as Social Networking, 133 as Entertainment and 98 as Games.
24 URLs were given a second category rating and 4 a third category.
Figure 6 – Facebook Test
The above charts depict the breakdown of the categories given, for those vendors where
more than one category was identified. For the Blue Coat Web Filter (BCWF) these are the
categories given in addition to the first category.
Bearing in mind that this was designed to show how each product could provide true
visibility into Facebook as a web community, the Blue Coat solution again scored
extremely well with multi-categorisation capabilities enabling an administrator within a
company to really understand the true use of Facebook and where users are spending the
most time, what areas may require time restrictions or bandwidth restriction, plus
trending to plan future network resources.
Ideally an administrator would like to see a report showing the Top10 web applications in
Facebook, and the top users for time spent in these web applications. If we compare this
requirement with a product that only has a single rating URL scheme, it clearly cannot
provide the level of analysis required in order to be of any real use. For example, if all
ratings are Social Networking only, or are spread across a single rating scheme and thus
lumped into all web Games and Entertainment they provide no value to the observer.
In contrast, we want to see URL filtering rating schemes advancing to rate within web
communities and the evolving web applications within them, as not only does this make an
administrator's life far easier but it also has genuine and deep implications for compliance,
data loss prevention, productivity and understanding resource utilisation.
In other words, not only is it a practical tool, but one that could prevent serious legal
costs too. The Blue Coat categorisation capabilities tick all the right boxes here.
SUMMARY AND CONCLUSIONS
Our testing here has shown us that, when it comes to contemporary web threat
defences, there is no substitute for a truly comprehensive, global, cloud-based URL
filter system – something that Blue Coat has clearly got very successfully in place.
Without this, it is evident that there is no way that the high levels of accuracy and
real flexibility – both of which are absolute requirements nowadays in a URL filtering
product – can be achieved. Multiple, dynamic defence layers are now required and
users should see cloud-based URL filtering as their first layer providing most of the
protection… over 90% of web threat detections in reality.
Putting the Blue Coat solution to the test against several competing products, using a
range of tests including URL samples of around 900,000, collected globally over a
seven day period, direct web threat comparison finds and a Facebook specific test, we
found that, in each case, the Blue Coat solution was the most accurate, most flexible
and most capable URL filter, often by a very significant margin. In some cases,
competing products categorised less than 1% of the URLs categorised by Blue Coat –
and these were genuine instances, not a case of false positives and over-blocking
ruling.
In contrast, we did see evidence of serious over-blocking in the case of some of the
competitors. While this might look great in the results of badly designed tests (and it
does, believe us!), in practice it is a very frustrating symptom of a badly designed URL
filter product and can prove very costly in every sense.
There is obvious logic at work here; Blue Coat's WebFilter provides over seven billion
URL ratings per day from a customer real-time input base in excess of 70 million
users. The WebPulse cloud service is used to generate real-time URL ratings from this
community and supports more than 50 languages, integrating multiple threat
detection engines and threat analysis technologies. This is the kind of engine that is
required in order to deliver a successful web threat defence in 2010 and beyond.
It looks like a lot of other vendors are playing catch-up right now…
APPENDIX 1: CONFIGURATION DETAILS
As we explained in the report, in order to get as close as possible to an eggs to eggs
comparison, we carefully configured all the appliances we tested, in order to maximise
their abilities for Web threat capture, ensured all actions were logged – so we didn't miss
anything – and ensured that all firmware and software versions were bang up to date.
Cisco IronPort S-Series
Figure 7 – Cisco IronPort
The IronPort was loaded with AsyncOS version 6.3.3-01. We enabled Acceptable Use
Controls and the Dynamic Content Engine in order to capture all traffic and ensure that
the device attempted to categorise all URLs (it OEMs BrightCloud URL filtering).
Figure 8 – IronPort Configurations/System Version
McAfee Web Gateway 1100
The McAfee product uses the SmartFilter URL filter database.
Figure 9 – McAfee Web Gateway 1100
The system as supplied was Web Gateway v7.0, and the Category Content Filter was enabled.
Figure 10 – McAfee Web Gateway – Category Content Filter
WebSense V10000 G2
Figure 11 – WebSense V10000 G2
The WebSense Triton was appliance version 7.5.0, based on the V10000 G2 hardware
platform.
All key features such as content categorisation, tunnelled protocol protection, security
threat content scanning and file scanning, and anti-virus scanning were enabled.
Likewise, all updates were managed correctly.
Figure 12 – WebSense V10000 G2 Configuration
Barracuda WebFilter 410
Figure 13 – Barracuda WebFilter
The Barracuda WebFilter was installed with firmware v4.2.0.014, virus definition
v3.2.0.421, content filter definition v1.0.1271 and spyware definition v1.0.2054.
Figure 14 –Barracuda WebFilter 410
Fortinet Fortigate 200B
Figure 15 – Fortinet Fortigate 200B
The Fortigate 200B was installed with firmware v4.0, build 0279,100519 (MR2 Patch 1
update) and all databases and definitions were updated correctly.
Figure 16 – Fortinet Administration
Palo Alto Networks PA-2020
Figure 17 – Palo Alto PA-2020
In order for the Palo Alto PA-2020 to log its filtered URLs (it uses BrightCloud) everything
needs to be blocked – interesting… The BrightCloud URL filter was upgraded so as to be
as up to date as possible.
Figure 18 – PA-2020 Dashboard
Blue Coat ProxySG 210
The ProxySG 210 was configured to use WebPulse/WebFilter.
Figure 19 – ProxySG 210: WebPulse/WebFilter Enabled
Figure 20 – ProxySG 210: Configuration
It was configured with software version SGOS 5.5.3.1 Proxy Edition and software release
ID: 46382.
APPENDIX 2: THE BLUE COAT WEB THREAT SOLUTION
The Blue Coat web threat defence solution is not based on a single product per se, but a
layered approach that includes the ProxySG appliance, the WebFilter software that sits on
the appliance and WebPulse, the cloud-based defence that keeps WebFilter ratings up to
date.
The Blue Coat ProxySG appliance range is just one part of a plethora of security and WAN
acceleration products from the vendor. The full Proxy Edition ProxySG appliances are
part of the ADN (Application Delivery Network) infrastructure that is designed to provide
complete application visibility, acceleration and security.
Figure 21 – Blue Coat ProxySG 210
For the testing in this report we are using what is actually one of the lower-end options
from the range, the ProxySG 210.
Regardless of the model however, the whole range is designed to be a scalable proxy
platform architecture to secure Web communications as well as accelerating the delivery
of business applications. The ProxySG is based on the SGOS operating system with
multithreading, providing 1Gbps throughput for large high availability deployments. SGOS
is a micro kernel built for Web object processing which has been designed for minimal
hands-on management. Health checks and monitoring provide administrator awareness,
plus a Director enables centralised device, license and policy management of ProxySG
Web gateways. Reporter provides visibility of all Web gateway and remote users with
custom dashboards and reports on a single server with an included, optimised database
supporting up to 10 billion log lines in the premium edition.
The ProxySG forms the physical element of the total threat defence that features the
WebPulse cloud-based defence mechanisms that generate new defence information 7x24.
WebPulse brings together over 70 million users – more than the entire population of the
United Kingdom and Ireland, for example, for Web awareness to new Web content and
threats. Inputs to WebPulse come from ProxySG web gateways, ProxyAV inline threat
detection devices, ProxyClient remote users, CacheFlow web gateways used by Service
Providers, PacketShaper v8.6 that now includes WebFilter, K9 Web Protection remote
clients, plus OEM relationships and third party data feeds.
The solution creates a hybrid design aimed at providing the best of on-premise controls
with the collective intelligence of the cloud service. As we have highlighted, each is an
absolute requirement nowadays in order to repel and control contemporary Web threats.
Combining ProxySG with WebFilter, WebPulse and ProxyClient provides remote user
protection, filtering and acceleration in one solution. Teamed with ProxyAV, this provides
inline threat analysis, including SSL, with a choice of leading anti-malware engines, so the
customer can choose which elements they want and need.
Figure 22 – The Complete Blue Coat Web Threat Defence With WebPulse
The total Blue Coat Web threat solution provides the following features and benefits:
Web 2.0 threat protection.
Real-time web content ratings.
On-demand cloud intelligence.
Web 2.0 mashed up content filtering.
Inline threat analysis (stream scanning).
Social networking threat protection.
True file type checks.
Compressed archive analysis.
File and attachment filtering.
Hardware based SSL performance.
Data loss prevention integration.
Data loss content policy controls
Proxy avoidance blocking.
Web application controls.
Protocol method controls.
Bandwidth management.
Media stream splitting & caching.
Acceleration & optimisation.
Transparent or Explicit deployments.
Full IPv6 implementation.
IPv4 to IPv6 migration.
IPv6 advanced policy management.
The Tiered Blue Coat Web Threat Solution: How Does It Work?
With WebFilter, WebPulse and the combination of physical ProxySG appliances and
remote clients (ProxyClient, K9), Blue Coat creates a complete web threat solution, but
how does each component work and how do they interwork?
The solution is designed to block malware, Web threats, fake software updates, fake AV
offers, phishing offers and botnets or keyloggers calling home. Importantly it blocks only
genuine Web threats using DLA inspection. It also provides Web 2.0 filtering for mashed-up
or customised web portals, blocking panels and dynamic content per policy settings.
Coverage is provided in over 50 languages using proprietary machine analysis, knowledge
algorithms and human raters in combination.
While very much a hybrid solution, each component has its own role. Starting with
WebFilter, this combines URL filtering, anti-malware and threat detection technologies to
create collaborative cloud defence architecture. It provides over seven billion ratings per
day for over 70 million users located in the largest enterprise and service provider
networks around the world. WebFilter is 100% user driven in order to provide a totally
relevant, real-time Web content rating service that categorises both popular sites and
dynamically rates relevant sites in the long tail of the web, without the need for Web
crawlers or artificial analysis. Third-party feeds for malware and phishing are analysed,
compared and merged into WebPulse ratings as well. No third-party feed is allowed to
change an existing rating, a mistake often made by competitors that rely on third-party
ratings.
The global, cloud-based security service layer, WebPulse, uses DLA to check popular Web
sites for attack injections and search engine results for bait pages, both leading to Web
threats via dynamic links. It then provides cloud intelligence to the ProxySG Web
Gateways, ProxyClient and K9 Web Protection remote clients, plus PacketShaper and
CacheFlow deployments. While WebFilter provides over 7B web request ratings per day
(or nearly 50B requests per week), WebPulse has five operation centres to support cloud
defence deep analysis of over two billion new and unrated Web requests per week.
The Human Element
While the vast majority of the web URL filtering process is automated, there is still a
requirement for human interaction, discretion that comes only with a real understanding
of malicious web traffic and the experience to make the right decisions.
So the Blue Coat labs perform this service where there is a doubt as to the exact threat a
URL poses which would lead to an initial classification as potentially harmful, but in need
of further investigation for absolutely accurate categorisation. For example, where a link
requests an executable – this might be malware, but it might not. By running these
through AV scanners and deep threat analysis tools and techniques, the Blue Coat cloud
defence is able to make an informed decision. Where a third-party feed leads to an
unknown domain, it may appear innocent but the actual origin of that link may give the
game away as to its threat nature. Other key identifiers are common paths through link
farms and category correlations, language hopping or the injection of scripts given
specific variables within a dynamic link path. These are the kinds of identification
examples that save users from web threats that will get through most defence
mechanisms. Other examples are seemingly mislabelled file types (where an 'html' is
actually an 'exe' for example) that can be identified and flagged in real time.
Another common problem is where a threat is looking to exploit servers that can trigger
literally dozens of exploits directly or via links. In this instance just identifying the key
element means that all the exploits can be flagged up immediately. Similarly, traffic from
bots and exploit servers may appear to be from very different sites but carry clear
identification elements making them categorisable as the same threat. Often there are
linguistic clues, fake domain names and other evidence that require as many different
processes as possible to accurately identify them and pinpoint more precisely the source
and weight of these attacks. Techniques such as fingerprinting, page content and style
identification, and location identification and matching (locations change regularly, so
they must be tracked and identified) are all important tools that feature in accurately
identifying threats and flagging them up in as close to real time as possible.
New Web content or links detected by Web gateways or remote clients are sent in real-time
to the WebPulse cloud for DLA inspection, where updates to the master WebFilter
database provide immediate protection.
Cloud analysis of new Web links takes place using proactive machine analysis, a bank of
anti-malware engines, Web correlations and categorisations, human analysts, active
script analysis, PDF-analyzers and sandboxing including call-home analysis.
WebFilter is continuously updated by WebPulse, which uses 16 advanced threat analysis
tools to provide immediate and continuous protection against known and unknown Web-based
threats. Importantly, it does all this without the requirement of software downloads
or other update cycles. Blue Coat combines multiple defences with security experts that
fine-tune these defences, creating a very fast feedback cycle to advance defences to their
most effective level, while lowering false positives.
ProxyClient provides enterprise remote users with WebFilter cloud protection requiring no
downloads or update cycles for protection in any location or Web service. A Client
Manager provides custom filtering policies for ProxyClient, plus customised allow/deny
URLs and categories. K9 Web Protection (see separate section) further extends the cloud
protection of WebFilter for protection in any consumer or home location at no charge.
Web gateways and clients are cloud connected for immediate protection, plus Web
gateways can receive five-minute updates for security category changes, and six-hour
updates for all categories to improve Web gateway efficiency. Blue Coat claims that
WebFilter is the only URL filtering solution to provide a comprehensive real-time Web
content rating service in 17 languages across multiple categories, a publicly accessible site
review service, and a one-business-day resolution process for ratings.
It is designed to quickly learn user Web trends with real-time feedback for relevance in
new ratings. WebFilter analyses objectionable content within traditional image searches,
cached content and translation services for accurate ratings and compliance with its
real-time rating service. ProxySG also provides enforcement of Safe Search web requests for
search engines using newly created techniques that hide origin information for search
results. URL filtering can also be extended with custom categories, plus ProxySG
supports up to four URL lists simultaneously enabling global, regional and local filtering
possibilities, including child protection as necessary.
WebFilter provides reputation ratings so policy controls can opt for inline threat analysis,
or blocking downloads such as drive-by installers and executables from these sites. Proxy
Avoidance protection comes from WebFilter ratings plus ProxySG controls for user-agents
and invalid SSL certificates and session controls.
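The policy layering described in the last two paragraphs (list precedence, category blocking, reputation-gated executable downloads, Safe Search enforcement and proxy-avoidance signals), as an added Python illustration that is not Blue Coat's code: the hosts, categories, scores, thresholds and the user-agent heuristic are assumptions constructed for the example, and the Safe Search rewrite uses Google's `safe=active` query parameter.

```python
"""Model of the layered URL-filter policy described above. Added illustration,
not Blue Coat code: all hosts, categories, scores and thresholds are constructed
sample data standing in for WebFilter category and reputation lookups."""
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

CATEGORY_DB = {"news.example": "News", "dl.example": "Software Downloads",
               "warez.example": "Software Downloads", "anon.example": "Proxy Avoidance"}
REPUTATION_DB = {"news.example": 90, "dl.example": 80, "warez.example": 10}
DENIED_CATEGORIES = {"Proxy Avoidance"}
EXEC_EXT = (".exe", ".msi", ".dmg")
REPUTATION_BLOCK_BELOW = 30  # lower: block executables; otherwise allow with inline scan

# Several lists consulted in order (local before global); the first list naming the host decides.
URL_LISTS = [
    {"name": "local", "deny": set(), "allow": {"intranet.example"}},
    {"name": "global", "deny": {"proxy.example"}, "allow": set()},
]


def enforce_safe_search(url):
    """Rewrite a Google search request so Safe Search is forced on (safe=active)."""
    parts = urlsplit(url)
    if not parts.netloc.endswith("google.com") or parts.path != "/search":
        return url
    query = dict(parse_qsl(parts.query))
    query["safe"] = "active"
    return urlunsplit(parts._replace(query=urlencode(query)))


def decide(url, user_agent="Mozilla/5.0", cert_valid=True):
    """Return an 'allow...' or 'block...' verdict naming the rule that produced it."""
    parts = urlsplit(url)
    host, path = parts.netloc.lower(), parts.path.lower()
    # Crude proxy-avoidance signals chosen for this example: a non-browser
    # user-agent or an invalid server certificate on the session.
    if not cert_valid or not user_agent.startswith("Mozilla"):
        return "block:proxy-avoidance"
    for lst in URL_LISTS:  # explicit list entries override category and reputation
        if host in lst["deny"]:
            return "block:list-" + lst["name"]
        if host in lst["allow"]:
            return "allow:list-" + lst["name"]
    if CATEGORY_DB.get(host) in DENIED_CATEGORIES:
        return "block:category"
    if path.endswith(EXEC_EXT):  # executables: reputation decides block vs. scan
        if REPUTATION_DB.get(host, 0) < REPUTATION_BLOCK_BELOW:
            return "block:low-reputation-download"
        return "allow:inline-scan"
    return "allow"
```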
© Broadband-Testing 1995-2010
APPENDIX 3: K9 WEB PROTECTION – WEB FILTERING FOR ALL
K9 Web Protection (aka K9) is designed to provide the same levels of protection expected
in the office when you're at home – working or just browsing – and is designed to be
family-friendly.
K9 is not antivirus, anti-spam or firewall software, but a Web filter that controls and
protects the web browser at enterprise level. In other words, with K9, you get the same
advanced Web filtering technology used by enterprise and government institutions
worldwide — but with a simple interface designed for controlling the Internet at home. K9
can filter on category or specific website. Working with WebFilter and WebPulse, the
combined community – in excess of 70 million people – provides over seven billion web
content ratings each day.
The DRTR – Dynamic Real-Time Rating – technology that is specific to Blue Coat
automatically determines the category of an unrated Web page, and allows or blocks it
according to your specifications. K9 includes SafeSearch - supported by many leading
search engines as a way to block search results for offensive topics. For example,
SafeSearch might not show any results in a search for adult photos and is designed with
K9 to work with Google, A9, AltaVista, Microsoft Live, Yahoo, Ask and Orange.
In addition, you have the option to block the use of search engines that do not support
SafeSearch. K9 is also compatible with a wide range of 3rd party firewall and Internet
security products. Another feature is NightGuard — a convenient way to block all Web
access during certain times of the day or night.
As part of the Blue Coat Community Outreach Program, K9 Web Protection is free. But
because K9 Web Protection uses the same technology offered to enterprise customers, it
is not a one-off product that gets out of date quickly but is upgraded continuously to
ensure it can continue to help fight malware in real time. For Blue Coat of course, the
benefit is that the K9 community helps contribute significantly to its web threat database,
helping enterprise customers help home users and vice-versa.
K9 Web Protection – In Use
During our testing we ran K9 on a mix of desktop and laptop computers to gauge how
effective it is. While it could be seen as intrusive at the highest security levels, it is very
flexible in its configuration options and – as a means of protecting younger users – very
effective indeed.
The interface – see over – is very straightforward to use, and all aspects of the product
are password protected, so control is absolute. Web activity is summarised and listed in
columns with drill-down options, so you can go into more and more detail as required.
Another important point to note is what a useful URL gathering tool K9 is as part of the
total Blue Coat protection mechanism.
Figure 23 – K9 User Interface