Posts tagged ‘BlueCoat’

ProxyClient, Error 400 and MS12-006

This is just a case of bad timing.

Back in August, BlueCoat implemented some changes to the BlueCoat WebFilter. It introduced some new categories and renamed some others. On the ProxySG, no change was necessary for the renamed categories. However, for ProxyClient (the client-side install that provides protection when off the corporate network), you needed to manually update the config.

Unfortunately for us, no one bothered to update that config. While reviewing some BlueCoat best practices, I double-checked our existing settings and found that we still had the old categories selected in ProxyClient. I made the required changes and saved to the server. On my client, I ran the updater and got an error back: “Received status 400 from server”. I received the same error testing directly from my browser.

When I opened a case with support, they directed me to a Technical Alert, “ProxyClient Installation is Failing with HTTP 400 response from server”. I’d seen that before running into this problem, but hadn’t read it since I wasn’t installing ProxyClient, and didn’t remember the error 400 tie-in. It turns out the problem occurs when making the SSL connection from the client to the server to pick up the configuration. This is true of a new install or an updated configuration.

The cause of the problem is MS12-006. Since that update contains the SSL fixes for the BEAST vulnerability (CVE-2011-3389), I’m going to have to ignore BlueCoat’s suggested workaround of uninstalling the Microsoft security update. I'm not sure if this can be fixed with a new ProxyClient version or if I’ll be waiting for a ProxySG release, which would involve much more testing.

BlueCoat Support

I had my first experience with the “new” BlueCoat support model last week.

Around the time we switched from using third-party support back to BlueCoat, BlueCoat announced a change to support.   It sounded like they were making official what I had always experienced.   The first person you talk to will gather information for the more knowledgeable person you’ll eventually be escalated to.  My experience was a bit different from this understanding.

For the first time since this change, I had to open a ticket. I prefer to open tickets either via email or a web portal. BlueCoat has a web portal; so far, so good. When opening the ticket, my choices for how I want support to contact me are limited to phone or WebEx. Not so good. Further, I must supply two time blocks in a minimum of two-hour chunks.

I find that I prefer large chunks of uninterrupted time to work on things. Blocking out large chunks of time for support isn’t high on my list of desirable things. A bit flustered, I picked the furthest time into the future and allowed a 24-hour availability block. So a little while later I got an email that I had an appointment a week from now to WebEx at 5:30am to solve the problem.

My question was rather simple: why is my ProxyAV attempting to send email back to BlueCoat? It is getting blocked by the firewall. I figured it was just performance statistics and there must be an opt-out I missed somewhere, but I couldn’t find it on a quick tour through the settings. I figured this could easily be solved through email. But no. BlueCoat wants a phone call or WebEx.

I called support (seriously, the last thing I want to do) and selected their option to change the appointment time. I had no intention of being available at 5:30am a week from now. I was told two techs were available, and I was transferred to one.

The tech said he would research it and asked if it was OK to email me back. Someone gets it. A few hours later, I received an email with the answer I needed.

I hear that many BlueCoat customers have issues with the new support. Changes may be coming. I hope that I’ll be able to communicate with support via email or the web portal. It really is the best way for minor questions until we determine we do need to get on WebEx.

The WebFilter and the Wikileak

When WikiLeaks was first posted, I wondered to myself whether people with clearances could get themselves in trouble by viewing the website. I was on vacation at the time, but 3 days later an email came out from the facility security officer. Like many Federal government employees, we received a memo saying we cannot access those websites using company resources. As the BlueCoat admin, I was asked to block access to WikiLeaks.

WikiLeaks has a number of different mirrors listed at wikileaks.info. They have also asked individuals to mirror the site and announce the address via Twitter. Not wanting to play a game of whack-a-mole while on vacation, I suggested to my colleague that he (1) look at blocking everything with wikileaks in the domain name and (2) ask BlueCoat to categorize WikiLeaks as illegal/questionable.

BlueCoat just posted a blog entry about WikiLeaks. The post acknowledges that some organizations have expressed the desire to block WikiLeaks. We’re not looking for a discussion of rightness or wrongness in blocking this. It's our decision, just like blocking porn and not blocking shopping. The BlueCoat WebFilter should be a tool allowing us to do this. The writer of the BlueCoat blog believes BlueCoat WebFilter does provide the flexibility for those who want to block WikiLeaks. I don't agree.

UPDATE: BlueCoat now has a KB article on blocking WikiLeaks. Option 2 is simple. It's a static solution, but better than the block we put in. Option 1 is blocking websites that are in both Political/Activist AND News/Media. I’d have to do some testing to make sure that doesn’t have any collateral damage. The remainder of my original post is below. Also see the comments.

The issue here is BlueCoat incorrectly categorizes WikiLeaks as Political/Activist Groups and News/Media. I’ve also seen it categorized as Reference.

Political/Activist contains sites like texasgop.org, aclu.org, rnc.org and dnc.org. News/Media contains sites like cnn.com, foxnews.com and msnbc.msn.com. WikiLeaks doesn’t fit in with these sites. I can’t block those categories without a lot of collateral damage.

If BCWF put WikiLeaks into a category I could safely block, I could also rely on BlueCoat WebPulse to dynamically categorize all new WikiLeaks mirrors. Instead I’m left in the cold. Not even a knowledgebase article on how to block it manually.

BlueCoat ProxyClient 3.2.2.4

I was doing some testing with BlueCoat ProxyClient 3.2.2.3 and was seeing weird things.

ProxyClient is software installed on laptops so that when the client is outside the corporation it will still do URL filtering with WebPulse. I’ve written about it before, and it seems like a nice middle ground between no protection and having to send all your traffic somewhere for sanitization. It can also do acceleration, but I don't use that.

I was having some issues as I tested 3.2.2.3. Google Reader items weren’t keeping their “read” indication. I couldn’t create a new item in SharePoint 2010. There was a Cox support webpage that had an error message.

Turns out there is a newer version, 3.2.2.4, that I couldn’t see in BTO. This version fixes software bug 145482, which apparently describes similar issues. Hopefully the release notes will be posted soon.

I’ve had so many issues this week. I was just glad one was solved.

BlueCoat DNS

I’ve been having some issues with BlueCoat DNS for a few days now. Since I’m not seeing a huge outcry, I’m wondering if it's just me.

It started with warning emails from each BlueCoat appliance saying “Download of the BlueCoat WebFilter database failed.” The appliance is trying to download a file from https://list.bluecoat.com.

A WHOIS query for bluecoat.com shows they have four authoritative name servers:
Name Server: EPONYM.BLUECOAT.COM
Name Server: SYNONYM.BLUECOAT.COM
Name Server: UDNS1.ULTRADNS.NET
Name Server: UDNS2.ULTRADNS.NET

The UltraDNS servers currently work. The servers EPONYM and SYNONYM don’t respond at all.

A traceroute successfully leaves our network and our upstream provider. It appears to be working until it gets to the destination network. I have a similar problem when I test from my home network, which would seem to rule out issues here at work. With two of the four authoritative servers unreachable, a resolver that happens to try EPONYM or SYNONYM first has to time out before retrying another server, so the symptom is intermittent slow or failed lookups rather than a complete outage, which may explain the lack of outcry.
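To reproduce the check the post describes without relying on whatever the local resolver happens to pick, here is an added example (not from the original post) that sends a raw, non-recursive A query straight to each of the four authoritative servers listed in the WHOIS output and reports which ones answer. It uses only the Python standard library; the server names and the list.bluecoat.com query name come from the post, the UDP/timeout handling and the 3-second timeout are this example's own choices.

```python
import socket
import struct

# The four authoritative name servers from the WHOIS output quoted above.
NAME_SERVERS = [
    "eponym.bluecoat.com",
    "synonym.bluecoat.com",
    "udns1.ultradns.net",
    "udns2.ultradns.net",
]


def encode_name(name):
    """DNS wire format: each label length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234):
    """Build an A query with RD=0: an authoritative server must answer for its own
    zone without recursion, so a missing reply means the server is really down."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)  # id, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(resp):
    """Return (txid, rcode, aa, ancount) from the 12-byte header of a DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, bool(flags & 0x0400), an


def query_server(server_ip, name, timeout=3.0, txid=0x1234):
    """Send one UDP query and classify the outcome; a dead server shows up as 'timeout'."""
    query = build_query(name, txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server_ip, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return {"status": "timeout"}
    finally:
        sock.close()
    got_txid, rcode, aa, an = parse_header(data)
    if got_txid != txid:
        return {"status": "bad-txid"}  # not the reply to our question; ignore it
    return {"status": "answered", "rcode": rcode, "aa": aa, "answers": an}


def check_all(name="list.bluecoat.com", servers=NAME_SERVERS):
    """Resolve each NS hostname with the local resolver, then query it directly."""
    results = {}
    for ns in servers:
        try:
            ip = socket.gethostbyname(ns)
        except socket.gaierror:
            results[ns] = {"status": "unresolvable"}
            continue
        results[ns] = query_server(ip, name)
    return results


if __name__ == "__main__":
    for ns, result in check_all().items():
        print(f"{ns:24s} {result}")
```

A healthy authoritative server comes back with status "answered", rcode 0 and aa True; the two dead servers from the post would show "timeout". The same test from the command line is `dig @eponym.bluecoat.com list.bluecoat.com +norecurse`.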

BlueCoat ProxyClient

As I warned, I attended a BlueCoat seminar on Wednesday, and I’m getting a few days' worth of blog posts from that.

In March of 2009, I blogged that I was testing the BlueCoat ProxyClient. The ProxyClient provides URL filtering via WebPulse and also attempts to provide acceleration to VPN users and users at slower network sites. Each feature can be enabled or disabled automatically depending on location. Last year I had ProxyClient deployed to the IT department for quite a while, until it was time to test some HTTP SaaS solutions. At that point I uninstalled ProxyClient from all computers. I didn’t return it after I completed my HTTP bake-off. I had only renewed with BlueCoat for one year and didn’t want to roll out something and then switch it only a year out.

Looking at this month's desktop virus reports, it's pretty clear that a large number of the infections occur while systems are remote. Outside the facility they currently only have SEP11 as protection. For a long while I felt that if I was going to offer protection, URL filtering wasn’t good enough; I needed antivirus. But from what I wrote about yesterday with WebPulse, I am now thinking this is a significant step up security-wise. Also, it doesn’t have the SaaS risk.

To be sure, some of our users might revolt if we put one more security product on “their” desktop. But a strong case can be made for deploying ProxyClient. If you own BlueCoat and you pay for BlueCoat WebFilter, then the ProxyClient is no charge. At most companies, users are increasingly mobile. Unless you’ve got some other strong protections (such as only allowing browsing through an always-on tunnel VPN connection, and also removing local admin rights), I’d take a strong look at adding this protection.

BlueCoat WebPulse

As I mentioned, I was at a BlueCoat Web Security briefing on Wednesday.

Most of the talks covered things I already knew. I’m well aware of BlueCoat’s product line, and I had received the web security material in a meeting earlier in the year. But the security stuff was good review. It is rather interesting how BlueCoat is using a hybrid model for security. Rather than simply having an antivirus engine and a URL filter database on site, they use the WebPulse cloud service to provide better protection.

At one point URL filtering exclusively used a local database that was updated periodically. When sites weren’t categorized, BlueCoat used to use a service called Dynamic Real-Time Threat Rating to submit the URL to the cloud and see if categorization was available, either in a newer database or through dynamic categorization. That has evolved into BlueCoat WebPulse. It’s a cloud-based service that uses 8-10 heuristic scanners to analyze requested websites. With 62 million global users, there is a certain hope that a malicious site would already have been seen and categorized by the service.

This is why I don’t actually see very many viruses detected by the Kaspersky AV scanner that scans traffic. A lot of malicious sites are already categorized and in the block list. I need to check out BlueCoat Reporter's reports on the malicious software category if I want to better justify web security.

While BlueCoat does use some of the more advanced detection functionality of Kaspersky locally on the appliance, they are doing detection in the cloud that couldn’t be done locally on the appliance.

BlueCoat Security Briefing

On Wednesday, I went to the BlueCoat Security Briefing at the Tyson’s Corner Marriott. 

The big news for me was that our hardware (SG810-B and SG510-B), which I’d been led to believe was going to end-of-support in November, is good for another year. Even today the end-of-life matrix says TBD, but typically end of life comes three years after end of sale. I had only renewed BlueCoat for one year last year based on the end-of-life information provided by the sales rep. That’s good news. If we stick with BlueCoat we’ll be able to get another year of life from this hardware. I don't anticipate replacing this hardware to be cheap, so it's good to put that off. However, it does make it a bit tougher to justify leaving BlueCoat because of cost.

There were two briefings: one by Mark Stanford, Director of Sales Engineering, and another by Jeff Barker, VP of Technical Marketing. Technical Marketing. Hmmm. Sounds like an oxymoron.

I plan to string out posts about this meeting for a few days rather than engaging in one long post now.

Zscaler protects against IE Zero Day

On Tuesday, as seems to be the custom, Microsoft released patches and announced a new zero day in Internet Explorer. MSKB 981374 is a remote code execution in IE6 and IE7. Who knew that being on IE5 could ever be a good thing?
The KB says Microsoft released details to vendors in its Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs in order to provide protection to customers.
Within one hour Zscaler had protection in place for its customers. Zscaler offers web security in a SaaS model. I would see them competing with ScanSafe, Purewire and MessageLabs, as well as any company trying to get you to put security appliances on your network for web security (BlueCoat). Strangely, I didn’t get email from any of those vendors bragging that they are protecting their customers against this zero day. If they were protecting their customers, would there be any reason not to use it for PR? It's not like they are making an Oracle Unbreakable (or was that Apple Unbreakable) claim.

VanMorrison.com Iframe

Saw a virus alert today. A user performed an AOL Search (that alone should be banned in our end user behavior policy) on “van morrison” (another termination offense). He/she clicked on a link for www.vanmorrison.com. The antivirus detected an iframe attack.
Manually looking at www.vanmorrison.com’s source, I currently see an iframe loading ‘http://iqsp.ru:8080/index.php’. Perhaps someone can remind me: aren’t there sites like VirusTotal where you can send them a link and they’ll tell you what’s up? I haven’t yet learned JavaScript deobfuscation, but that didn’t look like good stuff was happening.
So I took a sacrificial lamb system (still dangerous, don't try this at home) and went to www.vanmorrison.com using various security systems to see what the result was.
BlueCoat – detected the virus on the site. Blocked access to the entire site.
ScanSafe – detected the virus on the site. Blocked access to the entire site.
Purewire – site loaded. Wanted me to install Flash (seemed legit but I didn’t do it). Java started up. I was prompted to download a file and run an ActiveX control. I chose not to install the ActiveX control, but I did download the file. It was a PDF file.
VirusTotal saw the PDF file first on October 16th (today is the 21st). Currently 13 out of 41 vendors are detecting this as a virus. Did I mention signature detection is dead, dead, dead?
Did you notice the link to the Russian site is on port 8080? I wonder how many HTTP security implementations are proxying 8080 traffic in addition to 80. (With an explicit proxy the browser sends every HTTP request through the proxy whatever the port; it is transparent interception, typically configured only for TCP/80, that lets a fetch on 8080 go straight out.)
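Rather than eyeballing page source, the kind of injected iframe described in this post can be picked out mechanically. The following is an added example (not the post's own code) in Python's standard library: it collects every iframe in a saved page and flags those that load from a different host than the page, use a non-standard port such as 8080, or are sized or styled to be invisible. The sample HTML is constructed for this example; only the iqsp.ru:8080 URL comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page for this example. The second iframe's URL is the one
# quoted in the post; the rest of the markup is made up for illustration.
SAMPLE_HTML = """<html><head><title>Van Morrison</title></head>
<body>
<div id="nav"><a href="/tour">Tour dates</a></div>
<iframe src="http://www.vanmorrison.com/player.html" width="300" height="200"></iframe>
<iframe src="http://iqsp.ru:8080/index.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """True for width/height values such as '0', '1' or '1px': a frame nobody is meant to see."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def analyze_iframes(html, page_host):
    """Return one finding per iframe: its source host/port and the reasons it looks suspicious."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        host = (parts.hostname or page_host).lower()  # relative src means same host
        port = parts.port                             # None unless written explicitly
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if host != page_host.lower():
            reasons.append("off-site source")
        if port not in (None, 80, 443):
            reasons.append(f"non-standard port {port}")
        if _tiny(attrs.get("width", "")) and _tiny(attrs.get("height", "")):
            reasons.append("tiny frame")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        findings.append({"src": src, "host": host, "port": port, "reasons": reasons})
    return findings


def suspicious_iframes(html, page_host):
    """Only the iframes with at least one reason to look twice."""
    return [f for f in analyze_iframes(html, page_host) if f["reasons"]]


if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_HTML, "www.vanmorrison.com"):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

Feed it page source saved from a sandboxed fetch rather than pulling the live page from a production workstation; the check only sees static iframes, so a frame written by obfuscated JavaScript (as the update below describes the site later doing) would still need the script rendered or decoded first.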
Update 10/23/09
I see Sophos and eweek have linked to this article. Thanks!
Pob is correct: the infection changed after I posted this entry. I went back yesterday to see if anyone had cleaned it. I found the site on Google’s naughty list, and the site had obfuscated code like his screenshots. Didn't check on it today.