SG800 Inspects Port 80 Web Traffic

By Cameron Sturdevant  |  Posted 2002-09-02

CacheFlow appliance good for mid- to large-size organizations.

It seems like every company is becoming a security firm these days, and CacheFlow Inc. (now Blue Coat Systems Inc.) is no exception. Blue Coat celebrated its new incarnation by releasing the Security Gateway 800, a gussied-up caching tool that does a good job of filtering hard-to-control Port 80 Web traffic.

With the SG800, Blue Coat is building on its expertise in packet inspection and Web usage patterning to rapidly inspect Web-based traffic that is usually passed through firewalls without a second glance. The SG800, released last month, is worth a look because of its focus on controlling threats from Port 80 traffic.

Vendors such as Kavado Inc. and Sanctum Inc. are also approaching the Port 80 problem, but from an application protection point of view. Most traditional firewall vendors are still figuring out the potential for Port 80 problems, so the SG800 is a good complement to an organization's firewall.

The SG800 comes in five models, ranging in price from $5,995 to $29,995. The low-end model, suitable for a midsize organization, has a single 17GB drive, 512MB of RAM and two on-board Ethernet ports. At the high end, the SG800 has four 73GB drives and 2GB of RAM, plus an optional slot for a 1000BaseT or an SX interface.

The product's single biggest weakness is that it is not an SSL (Secure Sockets Layer) terminator, so encrypted Web traffic is still going to go right by unless another device is placed in front of the SG800 to decode this traffic.

Otherwise, eWeek Labs tests show that the product should work well for most medium- or large-size enterprises. The 1U, or 1.75-inch, SG800 has hot-swappable drives, so that the unit can be serviced in the field. Furthermore, because it is not an in-line appliance but rather acts by proxy, it won't be a single point of failure. And while no operating system is completely airtight, the SG800's proprietary operating system is customized and hardened so that compromising the system would be very difficult.

Like its predecessor, the SG600/6000, the SG800 integrates with Web filtering products such as Websense Inc.'s Websense Enterprise and Secure Computing Corp.'s SmartFilter to set boundaries for Internet surfing. The SG800 uses only these products for its block lists and does an adequate job of tracking employee Internet usage.

IT managers can set up their own URL blocks as well. After we got the hang of writing rules, it was a snap to fine-tune where our client machines could browse. It will take some time to learn all the tricks of the trade, and, based on our experience with the product, it will take at least several weeks to hone rules so that Web sites are correctly filtered. For example, by making a simple typing error, we set up a rule that blocked access to all sites except a gambling site that we had set out to proscribe.

An additional product called Director is required to share policies across more than one Security Gateway, a needless hassle. And organizations will have to buy Reporter, another separate module, to get centralized reports. We hope these basic features are better integrated in future Security Gateway offerings.

The SG800 integrates with products from anti-virus providers Trend Micro Inc. and Symantec Corp. The cool thing about the anti-virus integration is that once a Web object is scanned, it is cached so that subsequent requests for the same object can bypass the anti-virus checkout. This is one area where the former CacheFlow's experience with content caching really makes sense in its new life as a security tool company.
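The scan-once behavior described above, as an added Python sketch (not Blue Coat's code): verdicts are remembered per object so repeat requests skip the scanner. Keying on a SHA-256 digest of the body and discarding verdicts when signatures are updated are assumptions made here, as are the marker strings standing in for anti-virus signatures.

```python
import hashlib

MARKER_A = b"CONSTRUCTED-BAD-MARKER-A"   # constructed stand-ins for AV signatures
MARKER_B = b"CONSTRUCTED-BAD-MARKER-B"

class ScanVerdictCache:
    """Remembers scan verdicts so a cached object is not rescanned on every hit."""

    def __init__(self, signatures, sig_version):
        self.signatures = list(signatures)
        self.sig_version = sig_version
        self.verdicts = {}      # sha256 hex digest of body -> True if clean
        self.scans = 0          # how many times the (expensive) scanner really ran

    def _scan(self, body):
        self.scans += 1
        return not any(sig in body for sig in self.signatures)

    def update_signatures(self, signatures, sig_version):
        # A "clean" verdict only means "clean under the old definitions",
        # so every stored verdict is dropped when the definitions change.
        self.signatures, self.sig_version = list(signatures), sig_version
        self.verdicts.clear()

    def is_clean(self, body):
        # Key on the bytes served, not the URL: a changed object at the same
        # URL has a different digest and is scanned again.
        key = hashlib.sha256(body).hexdigest()
        if key not in self.verdicts:
            self.verdicts[key] = self._scan(body)
        return self.verdicts[key]

def demo():
    cache = ScanVerdictCache([MARKER_A], sig_version=1)
    page = b"<html>weekly report</html>"
    late_detected = b"payload " + MARKER_B     # not covered by version 1 definitions
    results = [cache.is_clean(page), cache.is_clean(page), cache.is_clean(late_detected)]
    scans_before = cache.scans                 # second request for page was a cache hit
    cache.update_signatures([MARKER_A, MARKER_B], sig_version=2)
    results.append(cache.is_clean(late_detected))   # rescanned under version 2
    return results, scans_before, cache.scans

if __name__ == "__main__":
    print(demo())
```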

We used the SG800 to protect our client systems by having it strip out mobile code and active content. The product uses "content transformation policies" to either strip out the code entirely, display a message or let the code through based on the origin URL. So, for example, we could strip out all active code except from sites that we approved, such as This stopped potential problem traffic at the perimeter before our client machines had a chance to go bad.
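The three outcomes described above (strip the code, display a message, or let it through, chosen by origin URL), as an added Python sketch; it is not Blue Coat's policy language or code, and the host names, POLICY table, NOTICE text and function names are constructed for illustration. It covers only script, object, applet and embed elements, inline event handlers and javascript: URLs.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

ACTIVE = {"script", "object", "applet", "embed"}   # elements treated as active content
NOTICE = "[active content removed by gateway policy]"
# Constructed policy and sample page (hypothetical hosts); unlisted hosts get "strip".
POLICY = {"intranet.example.com": "allow", "partner.example.net": "notice"}
SAMPLE = ('<p onclick="x()">Hi &amp; bye</p><script>alert(1)</script>'
          '<a href="JaVaScript:go()">l</a><object data="a.cab"><param name="x"></object><b>end</b>')

def is_script_url(value):   # compare after removing whitespace/control characters
    return re.sub(r"[\x00-\x20]", "", value or "").lower().startswith("javascript:")

class ActiveContentFilter(HTMLParser):
    def __init__(self, action):
        super().__init__()
        self.action, self.out, self.depth = action, [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE:
            if self.depth == 0 and self.action == "notice":
                self.out.append(NOTICE)
            self.depth += tag != "embed"           # <embed> has no end tag
        elif self.depth == 0:
            keep = [(k, v) for k, v in attrs
                    if not k.startswith("on") and not is_script_url(v)]
            self.out.append("<" + tag + "".join(
                f" {k}" if v is None else f' {k}="{html.escape(v)}"'
                for k, v in keep) + ">")
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)           # "<br/>" is emitted as "<br>"
    def handle_endtag(self, tag):
        if tag in ACTIVE:
            self.depth = max(0, self.depth - (tag != "embed"))
        elif self.depth == 0:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if self.depth == 0:                        # text inside stripped elements is dropped
            self.out.append(html.escape(data, quote=False))

def transform(origin_url, body):
    action = POLICY.get((urlsplit(origin_url).hostname or "").lower(), "strip")
    if action == "allow":
        return body                                # approved origin: passed through untouched
    f = ActiveContentFilter(action)
    f.feed(body)
    f.close()
    return "".join(f.out)
```

Comments and doctype declarations are dropped by this filter, and an unclosed active element suppresses everything after it, so malformed markup fails closed.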

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant@

Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm. Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at
