Broadband Web Threat Test Report
Transcription
Broadband Web Threat Test Report
Blue Coat Web Threat Report A Broadband-Testing Report By Steve Broadhead, Founder & Director, BB-T Blue Coat Web Threat Report First published October 2010 (V1.1) Published by Broadband-Testing A division of Connexio-Informatica 2007, Arinsal, Andorra Tel : +376 633010 E-mail : [email protected] Internet : HTTP://www.broadband-testing.co.uk 2010 Broadband-Testing All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this Report is conditioned on the following: 2 1. The information in this Report is subject to change by Broadband-Testing without notice. 2. The information in this Report, at publication date, is believed by Broadband-Testing to be accurate and reliable, but is not guaranteed. All use of and reliance on this Report are at your sole risk. Broadband-Testing is not liable or responsible for any damages, losses or expenses arising from any error or omission in this Report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY Broadband-Testing. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY Broadband-Testing. IN NO EVENT SHALL Broadband-Testing BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This Report does not constitute an endorsement, recommendation or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products, or that the products will meet your expectations, requirements, needs or specifications, or that they will operate without interruption. 5. This Report does not imply any endorsement, sponsorship, affiliation or verification by or with any companies mentioned in this report. 6. All trademarks, service marks, and trade names used in this Report are the trademarks, service marks, and trade names of their respective owners, and no endorsement of, sponsorship of, affiliation with, or involvement in, any of the testing, this Report or Broadband-Testing is implied, nor should it be inferred. © Broadband-Testing 1995-2010 Blue Coat Web Threat Report TABLE OF CONTENTS TABLE OF CONTENTS ........................................................................................ 3 BROADBAND-TESTING ..................................................................................... 5 EXECUTIVE SUMMARY ...................................................................................... 6 INTRODUCTION: THE SECURITY WORLD IS CHANGING: USING URL FILTERING AS A KEY DEFENCE LAYER ........................................................................................ 7 Blended Threats And Link Farms ............................................................... 11 WEB THREAT SECURITY – PUT TO THE TEST .................................................. 13 Test 1 – Comparative Web Threat Test ........................................... 15 Test 2 – Open Large-Scale Web Threat Test .................................... 17 REMOVING FALSE POSITIVES ........................................................................ 18 Test 3 – The Social Networking Ratings Test (Facebook Test) ............ 21 SUMMARY AND CONCLUSIONS ....................................................................... 24 APPENDIX 1: CONFIGURATION DETAILS........................................................ 25 Cisco IronPort S-Series ............................................................................ 25 McAfee Web Gateway 1100 ...................................................................... 26 WebSense V10000 G2 ............................................................................. 26 Barracuda WebFilter 410 .......................................................................... 28 Fortinet Fortigate 200B ............................................................................ 29 Palo Alto Networks PA-2020 ..................................................................... 30 Blue Coat ProxySG 210 ............................................................................ 31 APPENDIX 2: THE BLUE COAT WEB THREAT SOLUTION .................................. 32 The Tiered Blue Coat Web Threat Solution: How Does It Work? .................... 34 APPENDIX 3: K9 WEB PROTECTION – WEB FILTERING FOR ALL .................... 37 K9 Web Protection – In Use ........................................................... 37 TABLE OF FIGURES Figure 1 – Email vs Social Networking Users ..........................................................................................................................7 Figure 2 – Blue Coat Web Filter .......................................................................................................................................... 10 Figure 3 – Link Farms Example .......................................................................................................................................... 11 Figure 4 – Web Threats Comparison URL Test ...................................................................................................................... 16 Figure 5 – Large Scale Web Threats Test............................................................................................................................. 19 Figure 6 – Facebook Test .................................................................................................................................................. 22 Figure 7 – Cisco IronPort................................................................................................................................................... 25 Figure 8 – IronPort Configurations/System Version............................................................................................................... 25 Figure 9 – McAfee Web Gateway 1100 ................................................................................................................................ 26 © Broadband-Testing 1995-2010 3 Blue Coat Web Threat Report Figure 10 – McAfee Web Gateway – Category Content Filter ................................................................................................. 26 Figure 11 – WebSense V10000 G2 ..................................................................................................................................... 26 Figure 12 – WebSense V10000 G2 Configuration ................................................................................................................. 27 Figure 13 – Barracuda WebFilter ....................................................................................................................................... 28 Figure 14 –Barracuda WebFilter 410 .................................................................................................................................. 28 Figure 15 – Fortinet Fortigate 200B ................................................................................................................................... 29 Figure 16 – Fortinet Administration .................................................................................................................................... 29 Figure 17 – Palo Alto PA-2020 ........................................................................................................................................... 30 Figure 18 – PA-2020 Dashboard ........................................................................................................................................ 30 Figure 19 – ProxySG 210: WebPulse/WebFilter Enabled ....................................................................................................... 31 Figure 20 – ProxySG 210: Configuration............................................................................................................................. 31 Figure 21 – Blue Coat ProxySG 210 ................................................................................................................................... 32 Figure 22 – The Complete Blue Coat Web Threat Defence With WebPulse ............................................................................... 33 Figure 23 – K9 User Interface ........................................................................................................................................... 38 4 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report BROADBAND-TESTING Broadband-Testing is Europe‘s foremost independent network testing facility and consultancy organisation for broadband and network infrastructure products. Based in Andorra, Broadband-Testing provides extensive test demo facilities. From this base, Broadband-Testing provides a range of specialist IT, networking and development services to vendors and end-user organisations throughout Europe, SEAP and the United States. Broadband-Testing is an associate of the following: NSS Labs (specialising in security product testing) Limbo Creatives (bespoke software development) Broadband-Testing Laboratories are available to vendors and end-users for fully independent testing of networking, communications and security hardware and software. Broadband-Testing Laboratories operates an Approval scheme which enables products to be short-listed for purchase by end-users, based on their successful approval. Output from the labs, including detailed research reports, articles and white papers on the latest network-related technologies, are made available free of charge on our web site at HTTP://www.broadband-testing.co.uk Broadband-Testing Consultancy Services offers a range of network consultancy services including network design, strategy planning, Internet connectivity and product development assistance. © Broadband-Testing 1995-2010 5 Blue Coat Web Threat Report EXECUTIVE SUMMARY The traditional, static methods of web threat defence are no longer applicable as the security landscape changes. Last year web threats increased by over 500%. The volume of malicious code variants increased by almost 300% during 2009 and phishing attacks by almost 600%. Ninety percent of Web threats now come from trusted web sites. Multiple, dynamic defence layers are now required and users should see cloudbased URL filtering as their first layer providing most of the protection… over 90% of web threat detections in reality. Blue Coat‘s WebFilter provides over seven billion URL ratings per day from a customer real-time input base in excess of 70 million users. The WebPulse cloud service is used to generate real-time URL ratings from this community and supports more than 50 languages, integrating multiple threat detection engines and threat analysis technologies. Many companies engage with a URL filter vendor and simply don‘t check whether that filter is actually accurate and doing the job it should. Meantime, many URL tests are fundamentally flawed, ignoring significant over-blocking, using very small, geographically narrow URL samples and flawed setup techniques. We put the Blue Coat solution to the test against several competing products, using a range of tests including URL samples of around 900,000, collected globally over a seven day period, direct web threat comparison finds and a Facebook specific test. We found that, in each case, the Blue Coat solution was the most accurate, most flexible and most capable URL filter, often by a very significant margin. In some cases, competing products categorised less than 1% of the URLs categorised by Blue Coat – and these were genuine instances, not a case of false positives and over-blocking ruling. In contrast, we did see evidence of serious over-blocking in the case of some of the competitors. While this might look great in results of badly designed tests (and it does, believe us!) in practise it is a very frustrating symptom of a badly designed URL filter product and can prove very costly in every sense. Overall, we showed that there is no substitute for a truly comprehensive, global, cloud-based filter system – something that Blue Coat has clearly got very successfully in place. Without this, it is evident that there is no way that the high levels of accuracy and real flexibility – both of which are absolute requirements nowadays in a URL filtering product – can be achieved. 6 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report INTRODUCTION: THE SECURITY WORLD IS CHANGING: USING URL FILTERING AS A KEY DEFENCE LAYER Securing a network has never been a trivial task. However, to date the threats have been relatively straightforward to identify and block: AV – check. Firewall – check. IDS/IPS – check. And so forth. Such was the methodology, regardless of whether you went for an ―all in one‖ UTM appliance type approach or a multi-appliance solution, depending on your requirements. The point was, you created an IT security blanket and the threats were (largely) blocked because they were well-defined and known, so you could match them directly to a specific solution. Unfortunately, that ―easy to identify, menu of security options‖ kind of solution is no longer applicable in this malware era. Threats are no longer obvious and clearly labelled. Multi-tiered threats, easily triggered by unknowing users innocently browsing the Internet, are beyond the reach of traditional security tools. For example, according to Blue Coat Labs, social networking has become the number one Web activity, representing over 25% of all Web requests for the top ten Web categories they categorise and has already overtaken email (see graph below – numbers in millions) and is pulling yet further away from that traditional messaging format in terms of popularity. Figure 1 – Email vs Social Networking Users © Broadband-Testing 1995-2010 7 Blue Coat Web Threat Report But social networking comes with a security cost: in 2009, cybercriminals effectively used social network sites as a vector for launching and proliferating botnets. As of October 2009, the Zeus botnet sent over 1.5 million phishing messages on Facebook. Koobface B targeted users of Bebo, Facebook, Friendster, hi5, MySpace, and Twitter to infect over 800,000 PCs while other versions of Koobface weren‘t far behind. Clearly, cybercriminals are taking advantage of social networking‘s fundamental model of familiarity, trust, sharing, and open communications to fool users and steal valuable data. Not only is the source of the threat itself different, but so is the malware methodology. Historical threats such as viruses and worms spread generically to as many potential victims as possible, making them relatively easy to identify and block. But web-based threats take a different path. For example, attacks can be extremely targeted, rather than generic, focusing on anything from a geographical region down to a specific company or group of users. They are also smarter in terms of their attack strategy. Rather than simply going for the mass search and destroy tactics, the new threats have tiered execution, triggering at different times. Something like a keystroke logger may log data for hours or days before triggering. A botnet can be idle for indefinite periods before being brought to life by a command and control server. These variations and hidden background activity make malware far more difficult to deal with – i.e. to detect, prevent and block – than traditional threats. It also doesn‘t fit into the classical security lifecycle methodology from analysis through to signature distribution to the vendor user base. The dynamic nature of malware means that, what is a relatively long-winded process of identification and prevention for blocking traditional threats simply does not work in time. The Rapid Rise Of The Web Threat – Malware It is generally accepted in the industry that the volume of malicious code variants increased by almost 300% during 2009 and phishing attacks by almost 600%. Ninety percent of Web threats now come from trusted web sites – a scary statistic. Beyond the Conficker panic, primary threats were focused on criminal activity such as identity theft, fraud, and botnet proliferation. Online theft now exceeds $1trillion annually and this is likely to increase significantly year on year. Last year, web threats as a whole increased by more than 500% - just think about that number. Moreover, more than 40% of malicious code threats now target Internet browsers rather than underlying operating systems, the traditional target. The web browser is a relatively easy target for a number of reasons. First, web applications tend to be vulnerable, making them easy to infect. Worse still, users tend to wholly trust websites of well-known brands. However, big names such as Google and Honda have been compromised and used for malware proliferation in the past, so no one and nothing is sacred. The major search engines in general are targeted; crooks can create bogus search results in link farms (see separate entry) that take unwary users to web threats, time and time again. 8 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report The Rapid Rise Of The Web Threat – Malware And The Numbers It Generates The reality is that global cybercrime now produces a new variant of malware every 1.5 seconds. Literally millions of new dynamic links are created each day, often containing multiple types of rich media content, executable scripts, dynamic links, and XML tags along with static text. So, any one element in this daily dynamic link avalanche can contain a malicious payload even when they originate from trusted sites. This is what catches users out and makes the malware so difficult to contain. So – to some numbers, taken from real Blue Coat customers: 1. A large financial customer with over 300,000 users to support blocks over 49,000 web threats per day on average and over 1,700 inline AV detections per day. 2. A second financial customer, this time with over 270,000 users, reported over 548,000 web threats in one month, with over 9,000 inline AV detections. In both cases, over 96% of threats were blocked by the URL defence layer, then layer two with inline AV detection picked up the hidden paths (SSL) and user authenticated/token web downloads where the cloud cannot analyse content. These examples show how multiple defence layers are now required and customers should see URL filtering as their first layer providing most of the protection… over 90% of web threat detections. From a timing perspective, then, the ability to identify and block the new threats in as close to real-time as possible (zero-day becomes zero-hour becomes zero-minute…) is basically impossible with traditional security tools. Instead, the ‗cloud‘ needs to be utilised as a means of providing the speed and flexibility required to capture and block the new web threats, with URL filtering as the first line of defence. To this end, Blue Coat has created a cloud-based security community, made up of security software and ProxySG gateway devices – plus the Blue Coat ProxyClient/K9 Web protection remote clients and WebFilter – with an active community of over 70 million users, and a global cloud-based security service layer, WebPulse. Key here is the cooperation of the broad global community. These members provide realtime input of any new links or content to the Blue Coat WebPulse analysis centres. The links are then put through a series of automated security technologies and manual inspections for analysis (Dynamic Link Analysis or DLA). Malicious IP addresses, URLs, and Web content are added to the master cloud database providing immediate protection for cloud-connected Blue Coat gateways and clients. Flexibility is also vital here, since Blue Coat‘s cloud-based community solutions can be deployed alone or as part of a broader application networking initiative. © Broadband-Testing 1995-2010 9 Blue Coat Web Threat Report Figure 2 – Blue Coat Web Filter 10 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Cybercriminal Twitter Twitter, originally seen as a specialist tool for both social and professional networking, has shot into the limelight in the past 12 months. From being a relatively unknown technology in 2008 it has become a de facto choice for users who want to quickly share ideas in real-time. As a result, the number of ―tweets‖ per day grew from just 2.5 million in January 2009 to over 35 million by the end of the year, with no slowdown forecast or yet seen. Twitter‘s popularity brought it to the attention of cybercriminal organisations, which found several ways to manipulate the service into distributing malware and phishing links with enticing, socially engineered messages. As we said, nothing is safe or sacred… Blended Threats And Link Farms Blended threats are one of the fastest growing attack types, notably since 2009. In just one type of attack, potentially hundreds of web sites are created, some to serve as phishing sites, some to deliver multiple and different forms of malware, some appearing as fake search results, and others simply as bait pages. The latter are designed to attract visitors by giving the appearance of legitimacy by including semi-legitimate content and cross-referencing each other. Very clever in other words… Figure 3 – Link Farms Example Otherwise known as ‗link farms‘ the name refers to the way the victim is passed between sites around the link farm and ‗fed‘ regulated bits of information until their sensitivity to warning signs is diminished. Using link farms, cybercriminals are able to accomplish a number of tasks. A key task is to convince search engines to view link farms as being relevant to a specific set of search terms. Researching the most commonly searched terms, cybercriminals are able to ensure their pages target the biggest number of users possible. The high number of links fools search engines into thinking the target page is not only relevant but genuinely authoritative, simply based on the high link count referencing that page. By spamming blogs, forums and other UGC sites, the relevance of the target pages within search engines is increased. This spamming is automated with botnets set to auto-scan thousands of web sites enabling the blended threats to be generated very quickly and efficiently. Reach is further increased by tracking user behaviour and preferences. © Broadband-Testing 1995-2010 11 Blue Coat Web Threat Report In this way messages and tactics can be refined so link farms can still reach victims whose original search terms would not otherwise lead them to malicious sites. Each site provides links to other sites within the farm, where the attackers can track the user‘s behaviour and use that information to improve future iterations of the attack. A key factor in their success is the ability to hide the malware host location. Link farms can use one or more redirectors between the content and the malware, which helps hide the location of the malware host location. Hiding the host is the most difficult – and the most critical – part of the attack to implement. In addition to the collection of related content sites, two other site types have become common elements in these farms. Fake Antivirus, scanner-like offerings have been very successful, so the cybercriminal element have continued to make use of this technique through 2010 and undoubtedly beyond. Fake search engines have also become a common way to drive users to a link farm or malicious site because they mimic legitimate, trusted search engines in look and feel, as well as behaviour. Cloud-Based URL Filtering – Now A Critical Requirement With web threats now effectively a continuous attack, the traditional concept of passive URL filtering with downloaded updates on a scheduled basis is simply not up to the job. Because approximately one-third of web threats are detected on the fly using dynamic link analysis, unless the defence mechanism is capable of detecting these threats in realtime, then it no longer becomes a suitable form of defence. In other words, you cannot defend against dynamic attacks with a passive defence mechanism, typified by the classic remote user with a laptop and an AV engine which updates daily. At the same time, it is important to understand which vendors are purely paying ―lip service‖ to the cloud concept, and which are fully embracing it. For example, Blue Coat has created a cloudbased strategy with over 300 language-category automated rating libraries, over 16 cloud defence technologies & new defences that require no patching at the gateway or remote client end points, and up to four multi-category ratings per request (as nested classifications). The cloud-connected remote client (ProxyClient) is provided as part of the WebFilter solution, with no additional charge. Benefits of such an approach are multifold. In addition to no patch requirement, these end points have real-time security intelligence access. The cloud-based defence mechanism can expand with zero impact to end points. Contrast this with the disruption caused by huge downloads onto the client as is the case with traditional static defence mechanisms. As the Web becomes increasingly complex, a single classification methodology for URLs, even where there might be a secondary subclassification, is no longer enough. Instead, multiple nested classifications for Web applications and social networking are what is needed. Blue Coat provides a four-layer classification, with a view to providing better accuracy, improved policy controls and more detailed reporting as a result. Blue Coat claims to see more new web content than its competitors – something we put to the test here – and even provides a publicly accessible site review web page with a one-day http://sitereview.bluecoat.com/sitereview.jsp 12 © Broadband-Testing 1995-2010 SLA for suggested rating changes: Blue Coat Web Threat Report WEB THREAT SECURITY – PUT TO THE TEST In order to test the Blue Coat Web threat solution we created a test bed to capture real traffic from the Internet which we could then feed through the Blue Coat ProxySG 210 and six of its rivals, listed as follows: Cisco/IronPort S-Series McAfee Web Gateway 1100 WebSense V10000 G2 Barracuda WebFilter Fortinet Fortigate 200B Palo Alto Networks PA-2020 The Blue Coat ProxySG 210 Series under test was configured with SGOS v5.5.3.1 Proxy Edition, Web Filtering with the WebPulse Service dynamic categorisation enabled and Visual Policy Manager set to not blocking malware but logging it. All the rival products were configured with the latest software/firmware upgrades available (see appendix for details) and all critical features enabled in order to ensure best performance possible. We did note some points of interest here. For example, unless the Palo Alto device was set to block everything it would not log entries, so this is the only way we could get the category response information from it. The Cisco IronPort categorisation methodology – whereby it gives a rating +10/-10 reputation rating from positive to negative (negative being threats) – can only be described as ―interesting‖, given that it OEMs the BrightCloud URL filter database. We actually see it as essentially lazy; these ratings should be translated into meaningful text categorisations for easy reference. Obviously Cisco will see otherwise but we don‘t get it. One interesting point to observe about the WebSense device is that it has multiple management interfaces; we can only assume that this is a result of acquired technologies – not unusual in itself of course – that have been loaded onto the one platform but still run as individual applications effectively. We have experienced this scenario before with other vendor network products, so it is by no means an exception but still smacks of unfinished business where integration is concerned. © Broadband-Testing 1995-2010 13 Blue Coat Web Threat Report Testing URL Defence Layers – Not Trivial… Testing web threat detection by URL filtering can appear to be a trivial exercise. At its most basic (think dumbed-down) this could simply involve capturing the logs of one or more products over a given period of time and measuring how many URLs were blocked. It is easy to see why an innocent reader might think that a high score here – with no further analysis – is good; after all, the world is based around a general acceptance that bigger is better. However, over-blocking (the incorrect identification of false positives) is the biggest, most common and most damaging error a URL filter can make. Let‘s face it, if you want to block everything just set a firewall to deny all access. But this hardly makes for a workable environment, anything but. Over-blocking simply leads to more expense as angry users bombard the helpdesk and a product purchase in order to allegedly protect users and reduce OpEx actually creates the complete opposite. At Broadband-Testing labs, we have seen results from other tests (run by other parties) where there appears to be an astonishing performance gap between two or more vendors in terms of their ability to block web threats, but these clearly did not take over-blocking into account. In order to do so you need to manually analyse the blocked URLs and see exactly what has been blocked, how it has been categorised and then ask the question, Why?‖ In many cases you will find that the blocked web page has no threat (neither direct nor linked) and is often an innocent graphic or script. And in order to create a real-world test, in line with the day-to-day experiences of end users around the globe, the URL capture count needs to be as high as possible and as globally diverse as possible. Even where a user only works in one language (say English), thanks to link farms, or even innocent linking, they can be taken through a variety of countries and language content without them even knowing. Equally, when comparing different products, in order to get an apples to apples comparison, life ain‘t so easy! Each vendor has a different way of establishing their categorisations, or even how they capture and store the URL information in the same place, so it‘s not as simple as just pressing the ―go‖ button on each product. Instead, it is important to understand how each one works and configure it accordingly to ensure you get as close as possible to a true, equal configuration in each case. As we said, not trivial… 14 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Test 1 – Comparative Web Threat Test In this test our aim was to compare a list of web threats (malware and phishing based) captured in real-time by the Blue Coat community cloud-based WebPulse defence. Inputs to WebPulse included both gateways and remote clients (as any ProxySG or remote client reports a new unrated URL for immediate cloud analysis) with the capabilities of some its rivals to perform the same level of protection to their customers. So, new malware or phishing threats detected by Blue Coat cloud defence services were immediately tested against the six other web gateways in the test bed. This involved pushing the captured threat URLs through each device and comparing the logs captured. We have already identified in the report introduction that web threat creation is now reaching epidemic proportions, so the need to be able to accurately capture and report these new threats in as close to real-time (zero day) as possible is an essential security requirement now. Given that WebFilter provides over seven billion web ratings per day, mainly to ProxySG devices, the volume generation would seem to be substantially higher than that of its rivals as Blue Coat has over 70M users providing real-time inputs for web awareness. It might also explain the results, as we‘ll see in a moment. To make this test more comprehensive we were testing the threat URL every hour to see when a competitor does rate it, or even if no rating is ever provided by the competitor after several days. Given most of the competitors do not have real-time feedback loops from customer devices, nor real-time analysis technologies for web content and threats, the hourly check was removed from the analysis as initial test analysis proved the point. The point remains though, real-time inputs and rating technologies are very important in making URL filtering a web defence. In total, 15,840 URLs were captured as web threats, including malware sources, call-home attempts, potentially unwanted software or phishing sources by Blue Coat during a 48-hour period and cross-checked against competitors for this test, with the following breakdown by web gateway/URL filter vendor name and recognition of URLs as being either malware or phishing. The comparison focused on malware and phishing as not all vendors categorise the broader scope of web threats provided by Blue Coat. Therefore a total of 12,112 URLs provided the baseline. Of course, we would expect all vendors to perform equally, given a URL list with zero false positives – i.e. each URL is a validated threat. So let‘s see what our results showed… Blue Coat WebPulse McAfee WebGateway Barracuda Fortinet IronPort * PaloAlto WebSense Malware 3698 Phishing 8414 As % of BCF Malware 1121 30.31% Phishing 2163 25.71% Malware 250 6.76% Phishing 7 0.08% Malware 190 5.14% Phishing 679 8.07% Malware 1521 41.13% Phishing 3247 38.59% Malware 831 22.47% Phishing 239 2.84% Malware 1629 44.05% Phishing 1397 16.60% * Note: IronPort does not actually categorise threats into malware or phishing, but only as having a poor reputation (given a score of less than –6). For the totals in this test, we separated those URLs identified by IronPort as having a bad reputation into malware or phishing based on the classification of the URLs originally identified by the Blue Coat © Broadband-Testing 1995-2010 15 Blue Coat Web Threat Report As we can see, Blue Coat achieved the highest ratings on both malware and phishing with 3,698 entries for malware (the second highest was WebSense with 1629) and 8,414 instances of phishing (compared with the second highest score – 3,247 achieved by Cisco‘s IronPort, but see the note regarding its ―categorisation‖ methods). To put this into perspective, none of the competitors got near to recording 50% of the successful ratings achieved by the Blue Coat solution. Fortinet, Barracuda and PaloAlto trailed very badly – disastrously in some cases. Figure 4 – Web Threats Comparison URL Test We can only conclude from this that the Blue Coat capture and analysis methodologies are superior to those of its rivals. 16 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Test 2 – Open Large-Scale Web Threat Test This test was an open, large-scale general web test aimed at identifying the accuracy of Blue Coat‘s URL filtering categorisation capabilities, both in isolation and in comparison with the competitors listed above. Open sourced URLs where each vendor has an equal chance to detect malware or phishing sites side by side. It involved a week-long capture of URLs from regions across the globe from remote clients (ProxyClient, K9 Web Protection and OEM Partners to Blue Coat) seeking a rating from the WebPulse cloud service. These are open URLs provided from remote users, not testing URLs, hand selected URLs or filtered in any manner. The remote users from around the globe provide a large source of URLs– almost 900,000 in total, meaning this is real-world testing; the kind of numbers seen by the biggest companies in the world. This ―Go Large‖ approach is essential in order to generate meaningful test results when we are looking at general URL analysis. Here we were looking for absolute accuracy in identifying potential threats. Over-blocking of URLs (generating false positives) is something we absolutely did not want to see here, as this renders a URL filter not only a complete waste of time and money, but potentially damaging to job and work productivity. Therefore we chose to manually investigate blocked URLs in order to validate their categorisations. The results proved to be very interesting… In the process of web filtering, each vendor has a different set of categories which they assign to URLs and these are not always obvious to equate between vendors. When assessing the capabilities of each vendor to block threats, we wanted to ensure that the categories used by each vendor as equivalent as possible. Note that Cisco IronPort does not provide categories for Malware or Phishing, so Reputation Ratings for IronPort against all vendors are reviewed later in the test report. We matched the categories of web threats (malware, scripts, etc) and phishing in the following way for the remaining vendors: Blue Coat Barracuda Fortinet Spyware/ Malware Sources Spyware Spyware and Malware Spyware Effects/ Privacy Concerns Spyware PaloAlto McAfee WebSense malware-sites Malicious Sites spyware-andadware Malicious Web Sites Spyware/ Adware/ Keyloggers Keyloggers Phishing Phishing and Other Frauds keyloggersandmonitoring Phishing phishingfraud Phishing Web Threats phishing-andother-frauds Phishing © Broadband-Testing 1995-2010 17 Blue Coat Web Threat Report Numbers from this test initially included false positives for all vendors‘ products, which made results look favourable for both McAfee and WebSense for Web Threat URLs and more favourable for Blue Coat for Web Threat URLs and Phishing. However, upon detailed analysis and removal of false positives, the results below provide a truer picture. After elimination of URLs regarded as not being a threat, the numbers were as follows: Web Threat URLs Phishing Blue Coat 256 355 McAfee Barracuda 255 116 10 18 Fortinet Palo Alto 40 54 11 1 WebSense 34 7 Removing False Positives We first identified all URLs which were obviously graphic or text files – where the URL ended in .jpg, .jpeg, .gif, .png. ico, .css, .xml, .js. In the majority of cases we loaded these into the browser to make sure that they were really the files types specified – all were as expected. Next, we identified all Shockwave and Flash Video URLs – all these files were downloaded and checked with antivirus and anti-malware – none of these were found to contain malware. In this way, for example, we had to reduce the number of Web Threat URLs categorised by McAfee by 355 false positives. We had a similar experience with WebSense, also showing a high false positive count. We next totalled up the number of URLs assessed as threats by each vendor where at least one other vendor agreed with the category – we regarded this rating by the vendor as being a true positive. So, for example, 52 URLs categorised by McAfee as web threats were regarded as true positives. The remaining URLs were then hand-checked by loading them up into a web browser (Firefox). As an aid here, we enabled the threat and web forgery blocking by Firefox and also checked the rating given by Web of Trust (WOT). In this way, a number of URLs rated by McAfee WebGateway and WebSense were checked, resulting in more false positives, leading to the numbers shown left being definite or possible malware threats. 18 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Calling Home Blue Coat Web Filter malware categorisation consists of spyware/malware sources and spyware effects (AKA ―call-home‖ traffic). The company believes this level of visibility is more flexible and specific than that of other vendors, helping to identify infected systems for remediation. Indeed, some vendors require a separate product for call home analysis which is therefore not part of their URL filtering solution nor real-time or cloud-based to see a wider view of web traffic from millions of users. Figure 5 – Large Scale Web Threats Test Again we can see that Blue Coat scored extremely well in both phishing and web threat categorisations, with only McAfee coming close in terms of web threat categorisation and all the rivals performing very poorly in terms of categorisation phishing. In addition to categorising URLs as Web Threat or Phishing URLs, three vendors also categorise (in different ways) by reputation: The Blue Coat Web filter has a category of ‗Suspicious‘. IronPort filters URLs for threats based on reputation only with no ability to identify Malware, Call-Home, or Phishing. McAfee, in addition to identifying web threats and phishing URLs also identifies whether a URL is ‗High Risk‘. © Broadband-Testing 1995-2010 19 Blue Coat Web Threat Report Given these abilities, we identified for Blue Coat Web Filter the numbers of URLs in these 2 categories: Spyware Effects (call-home) Spyware/Malware Sources Both Total 23 225 8 256 For the URLs identified by IronPort and McAfee as having a poor reputation we identified how many of these URLs matched the threats identified by the other vendors as follows: Percentage of IronPort reputation URLs matched by other vendors Blue Coat Web Pulse Phishing 6.05% Web Threats 2.85% Phishing & Reputation Web & Web Threats Reputation Threat 0.00% 0.42% 0.07% 0.14% 2.22% 1.81% All 9.31% McAfee WebGateway 2.02% Barracuda 0.63% 0.63% Fortinet 0.07% 0.07% Palo Alto 0.00% 0.00% WebSense 0.69% 0.28% 4.24% 0.97% Percentage of McAfee reputation URLs matching other vendors Phishing Blue Coat Web Pulse 0.14% Web Threats Phishing & Reputation Web & Web Threats Reputation Threat All 0.41% 1.65% 2.19% WebSense 1.65% 0.27% 1.92% Barracuda Fortinet 1.78% 0% Palo Alto 0% 1.78% As can be seen above, very few of the URLs rated as having a bad reputation are matched by other vendors as being a threat. In fact, in many cases during analysis, we found that these URLs often lead to sites with pornographic content to a greater or lesser extent and so had a poor reputation for being extreme porn sites or to sites where WOT users marked the site down as giving a bad ―customer experience‖. For example, the user paid for a download and clicked on the link provided, and was led to further links, but never managed to download what they had ordered. As such, then, reputation ratings do not provide much protection from web threats, or what sort of risk the URL may subject a user to. 20 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Test 3 – The Social Networking Ratings Test (Facebook Test) Facebook – so it may be one of the most popular applications on the Internet, both within home and office, but is it something that can be trusted to protect the user from malicious content and links? It‘s social networking, yes, but it‘s also a lot more than that – both good and bad. So, from a URL filtering perspective, simply recording a Facebook URL as ―social networking‖ is worse than useless from a business perspective. While one option for companies is to simply block all Facebook access in the workspace, not only will this cause disgruntled employees but it also negates some of the positive elements of using Facebook as a business tool. Given that Facebook is the largest domain in social networking with over 500 million users, with support for over 70 language variants, it makes an excellent test scenario for social networking. It is therefore important to be able to categorise Facebook URLs beyond the basic application and analyse and report on the content of that Facebook page being viewed. In this way intelligent decisions can be made about what Facebook entries are valid and which are clearly not. First Category Blue Coat Third Category Second Category Social Networking Games Chat/Instant Messaging 1616 1 1 Society/ Daily Living Games Entertainment 358 548 297 All Other 13 categories 456 14 URLs computing-technology, social-networking Barracuda 1618 Fortinet Social Networking Games All Other 1467 148 3 No second and third categories identified social networking, reputation of +8.8 IronPort 1618 Social-networking PaloAlto 1618 Social Networking McAfee WebGateway WebSense Games 1327 Social Networking 98 Games 743 393 EntertainGame/Cartoon ment All Other Sports Games Violence All Other 133 60 Entertainment All Other 274 9 4 6 7 2 categories 4 URLs No second and third categories identified 208 To put this to the test we sampled 1600+ URLs for Facebook applications and analysed them using Blue Coat‘s solution, then those of the competitors. Here we were specifically looking to see how the URL filters would categorise and sub-categorise the Facebook pages we capture; thus providing visibility into specific applications, games, and activities within Facebook. In total 1618 URLs were tested where all vendors had given a rating. Ideally we were looking for all vendors to provide multiple category rating – as many as three – per web request in order to provide some meaningful information for the user. Otherwise Facebook can become a potential liability when, in practise, it can be a useful working tool. © Broadband-Testing 1995-2010 21 Blue Coat Web Threat Report As can be seen in the table, the Barracuda WebFilter, the Palo Alto PA-2020 and the IronPort categorised all the URLs as Social Networking (or their equivalent term). IronPort also gave each URL a web reputation of +8. Also note that default setting of an IronPort web gateway is to not use inline AV engines for URLs with ratings over a +6 reputation rating. In each of these cases this is clearly worse than useless as it gives the user no understanding of any potential abuses or threat correlated content. With WebSense all URLs were only given one rating, with no secondary categorisation whatsoever. Blue Coat WebFilter meantime rated 1,616 URLs as Social Networking, with the 2 other URLs rated only as Games and Chat/Instant Messaging respectively. Of the URLs rated as Social Networking, 1,611 URLs were also given a second category rating, the majority being Games, Entertainment or Society/Daily Living. The McAfee Web gateway rated 1,327 URLs as Social Networking, 133 as Entertainment and 98 as Games. 24 URLs were given a second category rating and 4 a third category. Figure 6 – Facebook Test The above charts depict the breakdown of the categories given, for those vendors where more than one category was identified. For the Blue Coat Web Filter (BCWF) these are the categories given in addition to the first category. 22 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Bearing in mind that this was designed to show how each product could provide true visibility into Facebook as a web community, the Blue Coat solution again scored extremely well with multi-categorisation capabilities enabling an administrator within a company to really understand the true use of Facebook and where users are spending the most time, what areas may require time restrictions or bandwidth restriction, plus trending to plan future network resources. Ideally an administrator would like to see a report showing the Top10 web applications in Facebook, and the top users for time spent in these web applications. If we compare this requirement with a product that only has a single rating URL scheme, it clearly cannot provide the level of analysis required in order to be of any real use. For example, if all ratings are Social Networking only, or are spread across a single rating scheme and thus lumped into all web Games and Entertainment they provide no value to the observer. In contrast, we want to see URL filtering rating schemes advancing to rate within web communities and the evolving web applications within as, not only does this make an administrator‘s life far easier but it also genuine and deep implications for compliance, data loss prevention, productivity and understanding resource utilisation. In other words, not only is it a practical tool, but one that could prevent serious legal costs too. The Blue Coat categorisation capabilities tick all the right boxes here. © Broadband-Testing 1995-2010 23 Blue Coat Web Threat Report SUMMARY AND CONCLUSIONS Our testing here has shown us that, when it comes to contemporary web threat defences, there is no substitute for a truly comprehensive, global, cloud-based URL filter system – something that Blue Coat has clearly got very successfully in place. Without this, it is evident that there is no way that the high levels of accuracy and real flexibility – both of which are absolute requirements nowadays in a URL filtering product – can be achieved. Multiple, dynamic defence layers are now required and users should see cloud-based URL filtering as their first layer providing most of the protection… over 90% of web threat detections in reality. Putting the Blue Coat solution to the test against several competing products, using a range of tests including URL samples of around 900,000, collected globally over a seven day period, direct web threat comparison finds and a Facebook specific test, we found that, in each case, the Blue Coat solution was the most accurate, most flexible and most capable URL filter, often by a very significant margin. In some cases, competing products categorised less than 1% of the URLs categorised by Blue Coat – and these were genuine instances, not a case of false positives and over-blocking ruling. In contrast, we did see evidence of serious over-blocking in the case of some of the competitors. While this might look great in results of badly designed tests (and it does, believe us!) in practise it is a very frustrating symptom of a badly designed URL filter product and can prove very costly in every sense. There is obvious logic at work here; Blue Coat‘s WebFilter provides over seven billion URL ratings per day from a customer real-time input base in excess of 70 million users. The WebPulse cloud service is used to generate real-time URL ratings from this community and supports more than 50 languages, integrating multiple threat detection engines and threat analysis technologies. This is the kind of engine that is required in order to deliver a successful web threat defence in 2010 and beyond. It looks like a lot of other vendors are playing catch-up right now… . 24 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report APPENDIX 1: CONFIGURATION DETAILS As we explained in the report, in order to get as close as possible to an eggs to eggs comparison, we carefully configured all the appliances we tested, in order to maximise their abilities for Web threat capture, ensured all actions were logged – so we didn‘t miss anything – and ensured that all firmware and software versions were bang up to date. Cisco IronPort S-Series Figure 7 – Cisco IronPort The IronPort was loaded with Async OS Version – 6.3.3 -01. We enabled Acceptable Use Controls and the Dynamic Content Engine in order to capture all traffic and ensure that the device attempted to categorise all URLs (it OEMs BrightCloud URL filtering). Figure 8 – IronPort Configurations/System Version © Broadband-Testing 1995-2010 25 Blue Coat Web Threat Report McAfee Web Gateway 1100 The McAfee product uses the SmartFilter URL filter database. Figure 9 – McAfee Web Gateway 1100 The system was supplied was Gateway v7.0 and the Category Content Filter was enabled. Figure 10 – McAfee Web Gateway – Category Content Filter WebSense V10000 G2 Figure 11 – WebSense V10000 G2 26 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report The WebSense Triton was appliance version 7.5.0, based on the V10000 G2 hardware platform. All key features such as content categorisation, tunnelled protocol protection, security threat content scanning and file scanning, and anti-virus scanning were enabled. Likewise, all updates were managed correctly. Figure 12 – WebSense V10000 G2 Configuration © Broadband-Testing 1995-2010 27 Blue Coat Web Threat Report Barracuda WebFilter 410 Figure 13 – Barracuda WebFilter The Barracuda WebFilter was installed with firmware v4.2.0.014, virus definition v3.2.0.421, content filter definition v1.0.1271 and spyware definition v1.0.2054. Figure 14 –Barracuda WebFilter 410 28 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Fortinet Fortigate 200B Figure 15 – Fortinet Fortigate 200B The Fortigate 200B was installed with firmware v4.0, build 0279,100519 (MR2 Patch 1 update) and all databases and definitions were updated correctly. Figure 16 – Fortinet Administration © Broadband-Testing 1995-2010 29 Blue Coat Web Threat Report Palo Alto Networks PA-2020 Figure 17 – Palo Alto PA-2020 In order for the Palo Alto PA-2020 to log its filtered URLs (it uses BrightCloud) everything needs to be blocked – interesting… The BrightCloud URL filter was upgraded so as to be as up to date as possible. Figure 18 – PA-2020 Dashboard 30 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Blue Coat ProxySG 210 The ProxySG 210 was configured to use WebPulse/WebFilter. Figure 19 – ProxySG 210: WebPulse/WebFilter Enabled Figure 20 – ProxySG 210: Configuration It was configured with software version SGOS 5.5.3.1 Proxy Edition and software release ID: 46382. © Broadband-Testing 1995-2010 31 Blue Coat Web Threat Report APPENDIX 2: THE BLUE COAT WEB THREAT SOLUTION The Blue Coat web threat defence solution is not based on a single product per se, but a layered approach that includes the ProxySG appliance, the WebFilter software that sits on the appliance and WebPulse, the cloud-based defence that keeps WebFilter ratings up to date. The Blue Coat ProxySG appliance range is just one part of a plethora of security and WAN acceleration products from the vendor. The full Proxy Edition of ProxySG appliances are part of the ADN – Application Delivery Network - infrastructure that is designed to provide complete application visibility, acceleration and security. Figure 21 – Blue Coat ProxySG 210 For the testing in this report we are using what is actually one of the lower-end options from the range, the ProxySG 210. Regardless of the model however, the whole range is designed to be a scalable proxy platform architecture to secure Web communications as well as accelerating the delivery of business applications. The ProxySG is based on the SGOS operating system with multithreading, providing 1Gbps throughput for large high availability deployments. SGOS is a micro kernel built for Web object processing which has been designed for minimal hands-on management. Health checks and monitoring provide administrator awareness, plus a Director enables centralised device, license and policy management of ProxySG Web gateways. Reporter provides visibility of all Web gateway and remote users with custom dashboards and reports on a single server with an included, optimised database supporting up to 10 billion log lines in the premium edition. The ProxySG forms the physical element of the total threat defence that features the WebPulse cloud-based defence mechanisms that generate new defence information 7x24. WebPulse brings together over 70 million users – more than the entire population of the United Kingdom and Ireland, for example, for Web awareness to new Web content and threats. Inputs to WebPulse come from ProxySG web gateways, ProxyAV inline threat detection devices, ProxyClient remote users, CacheFlow web gateways used by Service Providers, PacketShaper v8.6 that now includes WebFilter, K9 Web Protection remote clients, plus OEM relationships and third party data feeds. The solution creates a hybrid design aimed at providing the best of on-premise controls with the collective intelligence of the cloud service. As we have highlighted, each is an absolute requirement nowadays in order to repel and control contemporary Web threats. 32 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report Combining ProxySG with WebFilter, WebPulse and ProxyClient provides remote user protection, filtering and acceleration in one solution. Teamed with ProxyAV, this provides inline threat analysis, including SSL, with a choice of leading anti-malware engines, so the customer can choose which elements they want and need. Figure 22 – The Complete Blue Coat Web Threat Defence With WebPulse The total Blue Coat Web threat solution provides the following features and benefits: Web 2.0 threat protection. Real-time web content ratings. On-demand cloud intelligence. Web 2.0 mashed up content filtering. Inline threat analysis (stream scanning). Social networking threat protection. True file type checks. Compressed archive analysis. © Broadband-Testing 1995-2010 33 Blue Coat Web Threat Report File and attachment filtering. Hardware based SSL performance. Data loss prevention integration. Data loss content policy controls Proxy avoidance blocking. Web application controls. Protocol method controls. Bandwidth management. Media stream splitting & caching. Acceleration & optimisation. Transparent or Explicit deployments. Full IPv6 implementation. IPv4 to IPv6 migration. IPv6 advanced policy management. The Tiered Blue Coat Web Threat Solution: How Does It Work? With WebFilter, WebPulse and the combination of physical ProxySG appliances and remote clients (ProxyClient, K9), Blue Coat creates a complete web threat solution, but how does each component work and how do they interwork? The solution is designed to block malware, Web threats, fake software updates, fake AV offers, phishing offers and botnets or keyloggers calling home. Importantly it blocks only genuine Web threats using DLA inspection. It also provides Web 2.0 filtering for mashedup or customised web portals, blocking panels and dynamic content per policy settings. Coverage is provided in over 50 languages using proprietary machine analysis, knowledge algorithms and human raters in combination. While very much a hybrid solution, each component has its own role. Starting with WebFilter, this combines URL filtering, anti-malware and threat detection technologies to create collaborative cloud defence architecture. It provides over seven billion ratings per day for over 70 million users located in the largest enterprise and service provider networks around the world. WebFilter is 100% user driven in order to provide a totally relevant, real-time Web content rating service that categorises both popular sites and dynamically rates relevant sites in the long tail of the web, without the need for Web crawlers or artificial analysis. Third party feeds for malware and phishing are analyzed, compared and merged into WebPulse ratings as well. No third party feed is allowed to change an existing rating, a mistake made often by competitors relying on third party ratings. 34 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report The global, cloud-based security service layer, WebPulse, uses DLA to check popular Web sites for attack injections and search engine results for bait pages, both leading to Web threats via dynamic links. It then provides cloud intelligence to the ProxySG Web Gateways, ProxyClient and K9 Web Protection remote clients, plus PacketShaper and CacheFlow deployments. While WebFilter provides over 7B web request ratings per day (or nearly 50B requests per week), WebPulse has five operation centres to support cloud defence deep analysis of over two billion new and unrated Web requests per week. The Human Element While the vast majority of the web URL filtering process is automated, there is still a requirement for human interaction, discretion that comes only with a real understanding of malicious web traffic and the experience to make the right decisions. So the Blue Coat labs perform this service where there is a doubt as to the exact threat a URL poses which would lead to an initial classification as potentially harmful, but in need of further investigation for absolutely accurate categorisation. For example, where a link requests an executable – this might be malware, but it might not. By running these through AV scanners and deep threat analysis tools and techniques, the Blue Coat cloud defence is able to make an informed decision. Where a third-party feed leads to an unknown domain, it may appear innocent but the actual origin of that link may give the game away as to its threat nature. Other key identifiers are common paths through link farms and category correlations, language hopping or the injection of scripts given specific variables within a dynamic link path. These are the kinds of identification examples that save users from web threats that will get through most defence mechanisms. Other examples are seemingly mislabelled file types (where an ‗html‘ is actually an ‗exe‘ for example) that can be identified and flagged in real time. Another common problem is where a threat is looking to exploit servers that can trigger literally dozens of exploits directly or via links. In this instance just identifying the key element means that all the exploits can be flagged up immediately. Similarly, traffic from bots and exploit servers may appear to be from very different sites but carry clear identification elements making them categorisable as the same threat. Often there are linguistic clues, fake domain names and other evidence that require as many different processes as possible to accurately identify them and pinpoint more precisely the source and weight of these attacks. Techniques such as fingerprinting, page content and style identification and location (these regularly changed so must be tracked and identified) identification and matching are all important tools that feature in accurately identifying threats and flagging them up in as close to real time as possible. New Web content or links detected by Web gateways or remote clients are sent in realtime to the WebPulse cloud for DLA inspection where updates to the master WebFilter database provide immediate protection. © Broadband-Testing 1995-2010 35 Blue Coat Web Threat Report Cloud analysis of new Web links takes place using proactive machine analysis, a bank of anti-malware engines, Web correlations and categorisations, human analysts, active script analysis, PDF-analyzers and sandboxing including call-home analysis. WebFilter is continuously updated by WebPulse which uses 16 advanced threat analysis tools to provide immediate and continuous protection against known and unknown Webbased threats. Importantly, it does all this without the requirement of software downloads or other update cycles. Blue Coat combines multiple defences with security experts that fine tune these defences, creating a very fast feedback cycle to advance defences to their most effective level, while lowering false positives. ProxyClient provides enterprise remote users with WebFilter cloud protection requiring no downloads or update cycles for protection in any location or Web service. A Client Manager provides custom filtering policies for ProxyClient, plus customised allow/deny URLs and categories. K9 Web Protection (see separate section) further extends the cloud protection of WebFilter for protection in any consumer or home location at no charge. Web gateways and clients are cloud connected for immediate protection, plus Web gateways can receive five minute updates for security category changes, and six hour updates for all categories to improve Web gateway efficiency. Blue Coat claims that WebFilter is the only URL filtering solution to provide a comprehensive real-time Web content rating service in 17 languages across multiple categories, a public accessible site review service, and a one business day resolution process for ratings. It is designed to quickly learn user Web trends with real-time feedback for relevance in new ratings. WebFilter analyses objectionable content within traditional image searches, cached content and translation services for accurate ratings and compliance with its realtime rating service. ProxySG also provides enforcement of Safe Search web requests for search engines using newly created techniques that hide origin information for search results. URL filtering can also be extended with custom categories, plus ProxySG supports up to four URL lists simultaneously enabling global, regional and local filtering possibilities, including child protection as necessary. WebFilter provides reputation ratings so policy controls can opt for inline threat analysis, or blocking downloads such as drive-by installers and executables from these sites. Proxy Avoidance protection comes from WebFilter ratings plus ProxySG controls for user-agents and invalid SSL certificates and session controls. 36 © Broadband-Testing 1995-2010 Blue Coat Web Threat Report APPENDIX 3: K9 WEB PROTECTION – WEB FILTERING FOR ALL K9 Web Protection (aka K9) is designed to provide the same levels of protection expected in the office when you‘re at home – working or just browsing and is designed to be family-friendly. K9 is not antivirus, anti-spam or firewall software, but a Web filter that controls and protects the web browser at enterprise-levels. In other words, with K9, you get the same advanced Web filtering technology used by enterprise and government institutions worldwide — but with a simple interface designed for controlling the Internet at home. K9 can filter on category or specific website. Working with WebFilter and WebPulse, the combined community – in excess of 70 million people – provides over seven billion web content ratings each day. The DRTR – Dynamic Real-Time Rating – technology that is specific to Blue Coat, automatically determines the category of an unrated Web page, and allows or blocks it according to your specifications. K9 includes SafeSearch - supported by many leading search engines as a way to block search results for offensive topics. For example, SafeSearch might not show any results in a search for adult photos and is designed with K9 to work with Google, A9, AltaVista, Microsoft Live, Yahoo, Ask and Orange. In addition, you have the option to block the use of search engines that do not support SafeSearch. K9 is also compatible with a wide range of 3rd party firewall and Internet security products. Another feature is NightGuard — a convenient way to block all Web access during certain times of the day or night. As part of the Blue Coat Community Outreach Program, K9 Web Protection is free. But because K9 Web Protection uses the same technology offered to enterprise customers, it is not a one-off product that gets out of date quickly but is upgraded continuously to ensure it can continue to help fight malware in real time. For Blue Coat of course, the benefit is that the K9 community helps contribute significantly to its web threat database, helping enterprise customers help home users and vice-versa. K9 Web Protection – In Use During our testing we ran K9 on a mix of desktop and laptop computers to gauge how effective it is. While it could be seen as intrusive at the highest security levels, it is very flexible in its configuration options and – as a means of protecting younger users – very effective indeed. The interface – see over – is very straightforward to use and all aspects of the product are password protected, so control is absolute. Web activity is summarised and listed on columns with drill down options so you can go into more and more detail, as required. Another important point to note is what a useful URL gathering tool K9 is as part of the total Blue Coat protection mechanism. © Broadband-Testing 1995-2010 37 Blue Coat Web Threat Report Figure 23 – K9 User Interface 38 © Broadband-Testing 1995-2010