
Any Proxy experience?

Posted: Tue Dec 18, 2007 10:14 pm
by Tessian
Just a random question since we do have some IT people around... does anyone have any experience managing / configuring / etc a Web proxy for a company? PAC files, that sort of thing?

I'm looking to switch our company from Websense internet filtering to Bluecoat. So far I've been VERY impressed with the product, but it's a VERY different implementation and deployment. Websense is more of a passive filter, whereas Bluecoat is an exclusive proxy and also inline with the traffic. Just curious if anyone else has had experience working with either a corporate proxy server or Bluecoat products in general.

Posted: Wed Dec 19, 2007 8:29 am
by SineSwiper
I've had experience with deep packet inspectors, but not transparent proxies. Didn't really think they were that difficult to tackle. I plan on putting one in my personal network when my kid is old enough, but no need for one right now.

What makes Bluecoat so different to implement?

Posted: Wed Dec 19, 2007 6:12 pm
by Tessian
Bluecoat and Websense are totally different beasts that try to do the same thing. Websense is a web filter that can be installed on almost any platform and integrate with anything from your Cisco firewalls to Microsoft ISA to a dozen other things. Bluecoat, on the other hand, works either as an explicit proxy (meaning everyone's browsers are set to use it via a PAC file) and/or in-line, where the appliance is actually sitting in the middle of all internet-bound traffic (basically between your highest-level router and your firewall). Both have their advantages and disadvantages... Bluecoat has more of the former.

Biggest thing against Websense is there's no appliance available-- if you want to use it you have to provide your own server hardware and OS. Windows is really the only viable OS to bother with, and this is because troubleshooting (which you'll be doing a lot of) is much easier on it. Stability issues, random bugs and problems, I've had them all. Almost all of Websense's failings would be solved with an appliance and a more stable version of the software. Benefits are, of course, it's not a proxy... it can be installed ON a proxy (and at one time you could buy a Bluecoat appliance and install Websense on it), but normally you put it out-of-line. Our implementation is an integration with our Cisco firewalls (they send HTTP to Websense), and then all other protocols are picked up by a 2nd NIC listening to the traffic pass by on a mirror port and injecting garbage into the stream when it doesn't like something.

I'm just now starting to find how many more advantages there are when you're actually IN the line of traffic. Biggest thing is SSL interception. Ordinarily, and in Websense, HTTPS traffic is totally encrypted except for the destination IP address, so that's what you have to filter on. Makes things very difficult with DNS on multiple IPs and such. Since Bluecoat is in the stream, it can be a man-in-the-middle. Instead of your SSL connection to, say, Google being 1 tunnel from you to the server, it is now an SSL connection between Google and Bluecoat, and another between you and Bluecoat. This requires some extra certificate juggling, but in the end you're able to read the URLs of HTTPS traffic and filter accordingly without guessing.

There's also just so much more that Bluecoat is designed to do... Websense configuration consists of assigning objects (users, groups, IPs) to a policy. Policies consist of 2 parts: a Category Set or a White List, and a Protocol Set. The problem is you can only apply 1 policy per IP... you cannot merge multiple policies if you have them. Bluecoat, on the other hand, uses an ACL to do filtering. It's much more complicated because, if you've ever built a firewall ACL, it's all about the order-- once a rule matches I stop reading the list. This also means, however, that I can apply multiple policies to a single person depending on whether they meet the criteria. It's quite powerful, and half of the things you can do I don't even understand, like header rewriting and redirection and such.

Honestly, at this point I'd be happy if Bluecoat just did everything Websense did but stably... but it seems like it can do so much more and be so much more granular in what it does and how it acts.

Btw-- you mentioned filtering for personal use; I haven't looked into it, but I was told by Bluecoat that they do sell a consumer version of their product. Would be much easier to buy software to put on the PC instead of building a proxy server.

EDIT-- I found it... it's actually Free... interesting.
http://www.bluecoat.com/products/k9web
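As an added example of the "explicit proxy via a PAC file" setup described above (this is not code from the thread or from Blue Coat; the proxy names, ports and the .corp.example domain are constructed placeholders), here is a small PAC file plus minimal stand-ins for the helper functions that browsers normally supply, so it can be exercised offline. The isInNet stand-in only matches IP literals, whereas real browsers resolve hostnames first.

```javascript
// Minimal stand-ins for the PAC helper functions a browser provides.
// They exist only so this file can be run and tested in Node.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
function shExpMatch(str, pattern) {
  // Translate shell-style glob (* and ?) into an anchored regex.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", "i").test(str);
}
function ipToInt(ip) {
  const p = ip.split(".").map(Number);
  if (p.length !== 4 || p.some(n => isNaN(n) || n < 0 || n > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}
function isInNet(host, net, mask) {
  // Stand-in: only handles dotted-quad literals, no DNS lookup.
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// The PAC entry point. Rules are checked top to bottom; first match wins.
function FindProxyForURL(url, host) {
  // Unqualified names and the internal domain never go through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // RFC 1918 destinations stay on the LAN.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  if (shExpMatch(host, "127.*")) return "DIRECT";
  // Everything else goes through the filtering proxy, with a second proxy as
  // failover. There is deliberately no trailing "DIRECT": if both proxies are
  // down the browser fails closed instead of silently bypassing the filter.
  return "PROXY proxy1.corp.example:8080; PROXY proxy2.corp.example:8080";
}
```

Browsers that fetch this file ignore everything but FindProxyForURL and use their own implementations of the helpers.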

Posted: Thu Dec 20, 2007 7:55 am
by SineSwiper
Heh, sounds like a marriage between a deep packet inspector and a firewall/proxy. I wonder if it does other protocols besides HTTP/HTTPS.

Posted: Thu Dec 20, 2007 7:58 am
by Tessian
SineSwiper wrote: Heh, sounds like a marriage between a deep packet inspector and a firewall/proxy. I wonder if it does other protocols besides HTTP/HTTPS.
Definitely; although I'm starting to fear that Websense can detect more protocols.

Public IM Traffic, Remote Access Tools, P2P, Streaming Media, etc.

Problem is, however, that while Websense can detect and block more protocols... it does a poor job sometimes. I was testing an IPS alarm I had created by running BitTorrent, and for some reason Websense didn't notice me. Bluecoat didn't either, however... but Bluecoat will at least notice if you do one protocol on another port (such as SSH tunneling on 443).