SG800 Inspects Port 80 Web Traffic

CacheFlow appliance good for mid- to large-size organizations.

It seems like every company is becoming a security firm these days, and CacheFlow Inc. (now Blue Coat Systems Inc.) is no exception. Blue Coat celebrated its new incarnation by releasing the Security Gateway 800, a gussied-up caching tool that does a good job of filtering hard-to-control Port 80 Web traffic.

With the SG800, Blue Coat is building on its expertise in packet inspection and Web usage patterning to rapidly inspect Web-based traffic that is usually passed through firewalls without a second glance. The SG800, released last month, is worth a look because of its focus on controlling threats from Port 80 traffic.

Vendors such as Kavado Inc. and Sanctum Inc. are also approaching the Port 80 problem, but from an application protection point of view. Most traditional firewall vendors are still figuring out the potential for Port 80 problems, so the SG800 is a good complement to an organizations firewall.

The SG800 comes in five models, ranging in price from $5,995 to $29,995. The low-end model, suitable for a midsize organization—has a single 17GB drive, 512MB of RAM and two on-board Ethernet ports. At the high end, the SG800 has four 73GB drives and 2GB of RAM, plus an optional slot for a 1000BaseT or an SX interface.

The products single biggest weakness is that it is not an SSL (Secure Sockets Layer) terminator, so encrypted Web traffic is still going to go right by unless another device is placed in front of the SG800 to decode this traffic.

Otherwise, eWeek Labs tests show that the product should work well for most medium- or large-size enterprises. The 1U, or 1.75-inch, SG800 has hot-swappable drives, so that the unit can be serviced in the field. Furthermore, because it is not an in-line appliance but rather acts by proxy, it wont be a single point of failure. And while no operating system is completely airtight, the SG800s proprietary operating system is customized and hardened so that compromising the system would be very difficult.

Like its predecessor, the SG600/6000, the SG800 integrates with Web filtering products such as Websense Inc.s Websense Enterprise and Secure Computing Corp.s SmartFilter to set boundaries for Internet surfing. The SG800 uses only these products for its block lists and does an adequate job of tracking employee Internet usage.

IT managers can set up their own URL blocks as well. After we got the hang of writing rules, it was a snap to fine-tune where our client machines could browse. It will take some time to learn all the tricks of the trade, and, based on our experience with the product, it will take at least several weeks to hone rules so that Web sites are correctly filtered. For example, by making a simple typing error, we set up a rule that blocked access to all sites except a gambling site that we had set out to proscribe.

An additional product called Director is required to share policies across more than one Security Gateway, a needless hassle. And organizations will have to buy Reporter, another separate module, to get centralized reports. We hope these basic features are better integrated in future Security Gateway offerings.

The SG800 integrates with products from anti-virus providers Trend Micro Inc. and Symantec Corp. The cool thing about the anti-virus integration is that once a Web object is scanned, it is cached so that subsequent requests for the same object can bypass the anti-virus checkout. This is one area where the former CacheFlows experience with content caching really makes sense in its new life as a security tool company.

We used the SG800 to protect our client systems by having it strip out mobile code and active content. The product uses "content transformation policies" to either strip out the code entirely, display a message or let the code through based on the origin URL. So, for example, we could strip out all active code except from sites that we approved, such as eweek.com. This stopped potential problem traffic at the perimeter before our client machines had a chance to go bad.

Senior Analyst Cameron Sturdevant can be contacted at cameron_sturdevant@ ziffdavis.com.