
BlueCoat ProxyClient

Jul 30

As I warned, I attended a BlueCoat seminar on Wednesday and I’m getting a few days worth of blog posts from that.

In March of 2009, I blogged that I was testing the BlueCoat ProxyClient.   The ProxyClient provides URL filtering via WebPulse and also attempts to provide acceleration to VPN users and users on slower network sites.   Each feature can be enabled or disabled automatically depending on location.  Last year I had ProxyClient deployed to the IT department for quite a while until it was time to test some HTTP SaaS solutions.  At that point I uninstalled ProxyClient from all computers.   I didn’t return it after I completed my HTTP bakeoff.   I only renewed with BlueCoat for one year and didn’t want to roll out something and then switch it only a year out.

Looking at this month's desktop virus reports, it's pretty clear that a large number of the infections occur while systems are remote. Outside the facility they currently only have SEP11 as protection. For a long while I felt that if I was going to offer protection, URL filtering wasn't good enough. I needed antivirus. But from what I wrote about yesterday with WebPulse, I am now thinking this is a significant step up security-wise. Also it doesn't have the SaaS risk.

To be sure, some of our users might revolt if we put one more security product on "their" desktop. But a strong case can be made for deploying ProxyClient. If you own BlueCoat and you pay for BlueCoat WebFilter, then the ProxyClient is no charge. At most companies, users are increasingly mobile. Unless you've got some other strong protections (such as only allowing browsing through an always-on tunnel VPN connection, and also removing local admin rights) I'd take a strong look at adding this protection.



BlueCoat WebPulse

Jul 30

As I mentioned, I was at a BlueCoat Web Security briefing on Wednesday.

Most of the talks covered things I already knew. I'm well aware of BlueCoat's product line, and the web security material I had already received in a meeting earlier in the year. But the security material was a good review. It is rather interesting how BlueCoat is using a hybrid model for security. Rather than simply having an antivirus engine and a URL filter database on site, they use the WebPulse cloud service to provide better protection.

At one point URL filtering exclusively used a local database that was updated periodically. When sites weren't categorized, BlueCoat used to use a service called Dynamic Real-Time Threat Rating to submit the URL to the cloud and see if categorization was available, either in a newer database or through dynamic categorization. That has evolved into BlueCoat WebPulse. It's a cloud-based service that uses 8-10 heuristic scanners to analyze requested websites. With 62 million global users, there is a certain hope that a malicious site would already have been seen and categorized by the service.

This is why I don't actually see very many viruses detected by the Kaspersky AV scanner that scans traffic. A lot of malicious sites are already categorized and in the block list. I need to check out BlueCoat Reporter's reports on the malicious software category if I want to better justify web security.

While BlueCoat does use some of the more advanced detection functionality of Kaspersky locally on the appliance, they are doing detection in the cloud that couldn't be done locally on the appliance.



BlueCoat Security Briefing

Jul 30

On Wednesday, I went to the BlueCoat Security Briefing at the Tyson’s Corner Marriott. 

The big news for me was that our hardware (SG810-B and SG510-B), which I'd been led to believe was going to end-of-support in November, is good for another year. Even today the end of life matrix says TBD, but typically end of life comes three years after end of sale. I had only renewed BlueCoat for one year last year based on the end of life information provided by the sales rep. That's good news. If we stick with BlueCoat we'll be able to get another year of life from this hardware. I don't anticipate replacing this hardware will be cheap, so it's good to put that off. However, it does make it a bit tougher to justify leaving BlueCoat because of cost.

There were two briefings.   One by Mark Stanford, Director of Sales Engineering and another by Jeff Barker VP of Technical Marketing.    Technical Marketing.   Hmmm.   Sounds like an oxymoron.  

I plan to string out posts about this meeting for a few days rather than engaging in one long post now.



Blackberry security

Jul 30

All the security settings in the world don’t matter if they aren’t turned on.

According to the Washington Examiner, the social security numbers, names and addresses of nearly 700 Prince William County, Virginia residents were potentially disclosed when a county-issued Blackberry was stolen. The Blackberry was stolen from a vehicle parked in a county employee's driveway overnight.

Like most news, we'll probably never hear the rest of this. It sounds like IT negligence to deploy a Blackberry without a PIN timeout requirement and encryption enabled. There wasn't an existing policy about PII on the Blackberry. And of course we have to think about physical security. It's easy to have a false sense of security about the things we leave in our cars.



That’s Not from the Copier

Jul 30

A lot of copiers now have the ability to scan documents and email the result as a PDF. I've never quite understood why people don't take the time to change the default subject line (on a Xerox it is something like "Scan from a Xerox WorkCentre") to something a bit more descriptive. Worse yet, I've seen people here send directly from the copier to their external recipient instead of sending the PDF to themselves, formatting the email a bit more and then forwarding it on.

We must not be the only ones in this habit. The bad guys are using it too. I just saw some virus alerts on our inbound email.

Subject: Scan from a Xerox WorkCentre Pro $3609550
Virus: Packed.Generic.306
From the Symantec website: “Packed.Generic.306 is a heuristic detection for files that may have been obfuscated or encrypted in order to conceal them from anti-virus software.”

No file name was listed in the virus alert, so I thought this might be a false positive. Since I don’t have access to release quarantined messages to myself, I checked the source IP. The IPs I checked were from Guatemala. Between that and the fake looking source email address, I’d say this is definitely malicious.

Update: Here’s a link to a Barracuda blog post on the subject.
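A defender's take on the pattern in this post, added here as an example (it is not code from the original post, from Symantec or from Barracuda): a small mail-filter check that flags inbound messages carrying the default copier-scan subject when they do not come from the internal copier network, or carry an attachment a copier would never produce. The internal domain, copier network and sample messages are constructed placeholders.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# The default Xerox scan-to-email subject the post describes; the trailing
# "Pro $3609550" variant still matches because we only anchor on the prefix.
COPIER_SUBJECT = re.compile(r"scan from a xerox workcentre", re.IGNORECASE)

# Assumptions for this example (placeholders, not real values): the
# organisation's mail domain and the network the real copiers relay from.
INTERNAL_DOMAIN = "example.com"
COPIER_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
EXPECTED_ATTACHMENT_EXT = (".pdf", ".tif", ".tiff")


@dataclass
class Message:
    subject: str
    sender: str                 # envelope From address
    source_ip: str              # IP of the MTA that delivered the message
    attachments: list = field(default_factory=list)


def is_internal_ip(ip: str) -> bool:
    """True if the delivering MTA sits inside a known copier network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed or missing IP: treat as external
        return False
    return any(addr in net for net in COPIER_NETWORKS)


def copier_spoof_reasons(msg: Message) -> list:
    """Reasons a copier-looking message is suspect; empty list means it passed
    (either the subject is not a scan subject, or it is a genuine internal scan)."""
    if not COPIER_SUBJECT.search(msg.subject):
        return []
    reasons = []
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    if domain != INTERNAL_DOMAIN:
        reasons.append(f"sender domain {domain!r} is not {INTERNAL_DOMAIN!r}")
    if not is_internal_ip(msg.source_ip):
        reasons.append(f"source IP {msg.source_ip} is outside the copier networks")
    for name in msg.attachments:
        if not name.lower().endswith(EXPECTED_ATTACHMENT_EXT):
            reasons.append(f"unexpected attachment type: {name}")
    return reasons


# Constructed samples: a genuine scan, a lookalike from outside, unrelated mail.
SAMPLES = [
    Message("Scan from a Xerox WorkCentre", "copier3@example.com", "10.20.5.7", ["scan001.pdf"]),
    Message("Scan from a Xerox WorkCentre Pro $3609550", "scan@xerox-mail.invalid", "203.0.113.10", ["scan.zip"]),
    Message("Q3 budget", "alice@example.com", "10.20.1.2", ["budget.xlsx"]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", copier_spoof_reasons(m) or "ok")
```

In practice the source IP would be read from the earliest trusted Received header and the copier list from inventory, which is the part this example stubs with constants.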

