Thomas Shinder’s Anti-Bluecoat Rant

Thomas Shinder attempted to rebut a Bluecoat webcast in this blog entry from February. In their webcast, Bluecoat apparently presented the results of a report from Broadband-Testing comparing ISA and Bluecoat in the area of HTTP security. Mr. Shinder clearly has a dog in the fight since he apparently makes his living writing ISA books, as an MVP in ISA, and moderating on Looking at his other posts, he really has it in for Bluecoat. I’m not sure why.
I have used ISA 2000 and 2004 and am currently testing a Bluecoat appliance. I have read the Broadband-Testing document and I’ve probably seen the webinar he references.
Let's take it by the numbers. According to Shinder, Bluecoat asserts:
1. Bluecoat is more secure because it's built on the SGOS rather than a Windows OS that needs constant patching.
I would say the SGOS is security through obscurity. However, it's not going to be used as a firewall so it shouldn’t be held to the same standard as ISA. The bottom line, however, is that with ISA you could be patching the OS monthly. Not so with Bluecoat.
2. ISA can't content inspect SSL traffic
Here, Shinder knows what they are talking about but misdirects the issue into that of content inspection of traffic that is reverse proxied (external to internal). The real issue is that if I’m behind an ISA firewall, my SSL traffic goes straight out. Bluecoat can play man in the middle and intercept SSL traffic and perform content inspection and antivirus. This becomes important as more and more traffic is sent over SSL.
From another one of Shinder’s articles it does appear that there is an add-on product for ISA that would compete with Bluecoat in this area.
3. ISA is unable to manage P2P and IM
Shinder answers as if the issue is blocking P2P. The idea is to manage it. Does Bluecoat do as good a job as Akonix, Symantec, et al? No they don’t, but they certainly do more than ISA.
4. ISA has limited access control
I’m not really qualified to compare the depth and breadth of access control options. I think ISA’s control options are geared to the firewall, not to HTTP controls.
5. Performance
Shinder attacks the external study claiming the ISA server must have been mis-configured to attain such results.
The bottom line for me is that ISA works great at protecting OWA servers and allowing remote employees to access email. However, it's not a great HTTP security system without a bunch of add-ons. Those add-ons just ultimately create a kludge rather than a solution.
Check out the comments from Shinder’s post. It's hard to tell who is actually the 18-year-old kid: the commenter named anti-Shinder or Shinder himself.


  1. Seems like you’re shilling for Blue Coat and you make the same factual and logical errors that the kid made on my blog. You clearly have limited understanding of the ISA Firewall’s capabilities and I doubt that you’ve ever read an ISA Help File or even a book on the subject. I’ve read the entire 1100 page Blue Coat manual and have worked with the product. I understand both products in depth, and your comments about the ISA Firewall as an OWA proxy show that you’re just repeating what you’ve heard in the “hardware sales guys” idiot echo chamber.
    Try to put up some real facts if you’re interested in commenting on a subject.
