Network technologies and trends


October 30, 2016  5:22 PM

Blue Coat Proxy SG Client Connection methods

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Networking

When Blue Coat Proxy SG is configured for internet in any of the mentioned deployment methods the client must need to establish connection with Blue Coat Proxy SG appliance.  A client uses either an explicit method or a transparent method to establish a connection.

Explicit Proxy:

In this method, a client browser is explicitly configured to forward all the request towards proxy. Usually the browser is configured with an IP address and the port number of the proxy service. One can use Group policies to push the configuration to browsers or can also use Proxy Auto-Configuration (PAC) file to configure the browser to proxy setting from a web server. Explicit proxying is the quickest and simplest proxy solution. However, this method does fit well for large organizations.

Transparent Proxy:

In this method, the client browser does not need any special configuration, neither the browser is aware of how the traffic is being processed by the proxy. The proxy intercepts the traffic and process it. Basically the traffic is directed to proxy SG by using techniques like PBR, WCCP or default route. This method is much easier to deploy and administrate as there no configuration needed at the client end.

Some of the best practice of Blue Coat proxy SG are

Inline is recommend for:

  • Small branch office with very limited scalable plan
  • For POC and short-term deployments

Virtually inline or out-of-path is recommended for:

  • Customers who are looking for scalability
  • Customers who are looking for high availability (redundancy)

Explicit proxy is recommended for:

  • Customers who wants to use extensive authentication

Transparent proxy is recommended for

  • Customers who want inline physical deployment.

October 26, 2016  5:21 AM

Blue Coat Proxy SG Deployment methods – Out of Path Mode

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Hardware, Network, PAC, Protocols, Proxy, router, Scalability, Switch, virtual

The Out-of-path deployment mode is commonly used when, one cannot bring down the network. Out-of-path deployment happens to be very difficult to manage as one cannot intercept and redirect the internet traffic at network level (like configuring WCCP, PBR or inline deployment). One needs to explicitly configure the web browser of each client to sent internet request to Proxy SG. Hence this mode of deployment is also known as explicit proxy deployment.

Figure 1.1 - Blue Coat Proxy Out of path Mode

One can use either of the methods to configure the out-of-path / explicit mode to redirect the traffic to Proxy SG

  • Client Brower is manually configured to connect to Proxy SG
  • System administrator can distribute PAC (Proxy Automatic Configuration) files using group policy to explicitly point the end-user’s browsers to the Proxy SG.

Some of the advantages of Out-of Path deployment are

  • No downtime is required to deploy out-of-path mode in any network
  • Easy to deploy

Some of the disadvantages of Out-of-Path deployment are

  • Requires client configuration to redirect the internet traffic towards Proxy SG
  • Increase administrative overheads


October 24, 2016  6:10 PM

Blue Coat Proxy SG Deployment methods – Virtually Inline Mode

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
firewall, GRE, Hardware, Network, Protocols, Proxy, router, Routing, Scalability, Switch, virtual, WCCP

In Virtually Inline deployment mode, the Proxy SG can be deployed in any network location, it relies on traffic redirection mechanisms like Web Cache Communication Protocol (WCCP) or Policy Based Routing (PBR) to redirect the interesting traffic, such as HTTP /HTTPS to the Proxy SG. WCCP is a Cisco proprietary protocol that allows certain Cisco routers, switches, Firewalls and Nexus switches to transparently redirect the traffic to a cache engine like Proxy SG. Blue Coat Proxy SG does supports both versions of WCCP 1 and 2.

Figure 1.1 Blue Coat in Virtully Inline Mode

The main advantages of Virtually Inline Deployment mode are

  • No downtime is required to deploy Virtually inline mode in any network
  • Very scalable and Robust
  • Additional Proxy SG appliance can be added for capacity redundancy.
  • The administration overhead is low, as clients need no configurations in their browsers.

Some of the disadvantages of Virtually Inline Deployment mode are

  • Network configurations are needed to enable WCCP. This some times creates additional load on the Switch or Router especially when GRE is used.
  • WCCP / PBR capable hardware is required for Virtually Inline Deployment.

Virtually Inline mode proves to very handy form operation prespective and its been observed this is one of the widely used deployment method for Blue Coat Proxy SG.


October 23, 2016  6:21 PM

Blue Coat Proxy SG Deployment methods – Inline Mode

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Hardware, Network, Protocols, Proxy, router, Scalability, Switch, virtual

When it comes to deployment of Blue Coat Proxy SG, it offers some flexibility. One can deploy them in either of the below mentioned methods.

  • Physically Inline (Transparent)
  • Out-of-Path or Virtually Inline (Transparent)
  • Explicit

Inline deployment is the simplest among the above mentioned deployments and it well suits for small branch offices. In this mode of deployment, the Proxy SG is placed directly placed between the core Switch and the edge router, logically the Proxy SG is placed in the path of all network traffic going to and from the Internet. In mode the Proxy SG relies on pass-through network card, which basically supports hardware bridging to provide fail-to-wire functionality. This mode of deployment doesn’t require any configuration changes either in core switch or router. Even the clients don’t need any kind of configuration. This mode of deployment is also known as bridge mode due to the hardware bridging network cards in use.

Figure 1.1 - Blue Coat Proxy Inline Mode

Inline deployment mode does have certain draw backs like

  • Single point of failure.
  • Network down time is must to deploy inline mode.
  • Doesn’t offer scalability.
  • Protocols proxied needs to be managed.

Inline deployment holds good for small organization as its is easy to deploy, can be used for evaluations or short-term deployments. However, one cannot rely on this mode for larger organizations for obvious drawback mentioned.


October 21, 2016  7:46 PM

Blue Coat Proxy Deployment methods

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Proxy, virtual, Web, web server

When it comes to deployment of Blue Coat Proxy SG, it can be deployed as a forward proxy or reverse proxy.

Basically forward proxy is used proxy LAN users / Internal user’s requests to the external networks. In this mode of deployment, the Blue Coat Proxy proxies in behalf of client. Basically the tcp session is built between Internal Users and Proxy SG, the proxy then breaks this tcp session and build a new tcp session with the External server. The internet network users are never exposed directly to external servers.  In forward proxy mode, the Proxy is always placed on the same network as Internal users.

Figure 1.1 Blue Coat in Forward Proxy Mode

In the reverse proxy mode, the proxy does the opposite of forward proxy, in this mode the proxy is placed in the same zone as servers.  When the external client initiates the connection towards the internal web server, the Proxy intercepts that connection and proxies the whole communication between the external client and the web server. As forward proxy mode , the proxy breaks the tcp session between the external client and the internal web server.

Figure 1.2 Blue Coat in Reverse Proxy Mode

Proxy either in forward or reverse proxy mode always act as layer of protection, and can be used to implement security policies, caching, anti-virus scanning etc.

Blue Coat proxg SG can be physically deployed in following ways.

  • Physically Inline (Transparent)
  • Out-of-Path or Virtually Inline (Transparent)
  • Explicit

In upcoming post, we will discuss these methods in brief.

 


October 7, 2016  3:57 PM

Blue Coat Proxy SG – A leader in Secure Web Gateways

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Blue Coat, Blue Coat ProxyClient, Gartner, Gartner Magic Quadrant, Proxy, SSL, SSL/TLS, TLS

When it comes to forward proxy or reverse proxy Blue Coat Proxy SG happens to be a Gartner Magic Quadrant leader in Secure Web Gateways category. They are  especially known for  their proxy capabilities for over a decade   Blue Coat offers their Proxy SG appliances in various size and models. More details about their current models and capabilities can be discovered at their website.

Figure 1.1Blue Coat Magic Quadrant

Their strengths according to Gartner are

  • ProxySG is the strongest proxy in the market in terms of breadth of protocols and the number of advanced features. It also supports multiple authentication and directory integration options.
  • Blue Coat’s hybrid offering (cloud service and on-premises appliances) enables operations teams to manage most policies from a single console (although policies can be pushed only in one direction — from the cloud to on-premises appliances).
  • Blue Coat provides strong support for SSL/TLS. All ProxySG models include SSL hardware assist, to offload processing from the main CPU. The stand-alone SSL Visibility Appliance can be used to decrypt SSL/TLS traffic and feed it to Blue Coat and non-Blue Coat security solutions (for example, data loss prevention [DLP], IPS and network sandboxes).
  • Blue Coat’s partnership strategy has enabled it to fill gaps in its product line. Partnerships with six endpoint detection and response (EDR) vendors help ensure that its customers can complement Blue Coat’s network-based advance threat detection with an endpoint strategy. Partnerships with FireEye and Lastline enable customers to use their own sandboxes instead of Blue Coat’s sandbox. A partnership with Cylance adds signatureless file inspection to Blue Coat’s Content Analysis System.
  • Blue Coat’s ownership and integration of CASB technology gives it an early mover advantage in this emerging market

The main intention of starting a series on blogs post about Blue Coat is to create an awareness about Blue Coat  especially the technical capabilities of the appliance as its not easy to find more resources on Blue Coat Proxy SG. One need to rely on Blue Coat portal for more details and the information is not easily accessible especially for those who are not aware about the Blue Coat products.


September 30, 2016  11:23 AM

Cisco ASA FirePOWER Services and  High Availability – Series 3

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Arp, CCIE, Cisco Firewall, Cluster, context, Dynamic Routing, Failover, firewall, HA, LAN, NAT, NetFlow, Routing, Subnets, Syslog, TCP, UDP

The Cisco ASA Firewall with FirePOWER services can be deployed in Active/ Active failover, in this mode the ASAs must operate in multiple context mode.  Cisco is relying on failover groups for active Active/Active failover mode. A failover group comprises of logical groups, of one or more security context. In Active/Active failover mode , both units of  Cisco ASA Firewall with FirePOWER services can pass the network traffic, however the traffic load is split between members of the failover pair in such a way that each unit will be active for some set of security contexts.

Figure 1.1 - Cisco ASA Active-Active

The Cisco ASA Firewall with FirePOWER services can support up to three fail over groups in Active/Active failover mode.

  • Group 0
    • This is a hidden group which cannot be modified and it hold system context as its member. Group 0  have huge dependency on Group 1 as Group 0 remains active on the ASA unit where the group 1 is active .
  • Group 1
    • The admin context is always the part of this group and any newly created context are added to this group by default.  By default the primary ASA Firewall with FirePOWER services unit always own the Group 1.
  • Group 2
    • Some of the newly created contexts can be added to be the part of group 2 so that they are active on the secondary unit of the ASA Firewall with FirePOWER services. By default Group 2 is also active on the primary ASA Firewall with FirePOWER services unit, one need to change ownership of Group 2 from the primary ASA Firewall with FirePOWER services unit to the Secondary ASA Firewall with FirePOWER services unit manually

Figure 1.2 - Cisco ASA Active-Active

In Active/ Active failover deployment with multi context mode

  • Physical interfaces of the ASA Firewall with FirePOWER services cannot be shared between contexts belong to different failover groups.
  • All the features of ASA Firewall with FirePOWER services are not supported
  • When failover occurs, a single physical ASA unit must carry all the traffic load which was shared by two ASA units.
  • When ASA FirePOWER module fails, it can be configured to do either of the following
    • Fail Open
      • In fail open state all the traffic will pass thought the ASA even when the ASA FirePOWER module fails
    • Fail Close
      • In this state all traffic passing though the ASA will stop.

The Active/ Active failover deployment is quite useful following scenarios

  • Multi-tenancy environment
  • Multiple LAN subnets which needs a logical separation though different firewalls.

However looking at the limitations of Active/ Active failover deployment model one can consider clustering of Cisco ASA with FirePOWER modules as they provide much better HA solutions for load sharing scenarios.


September 26, 2016  4:43 AM

Cisco ASA FirePOWER Services and High Availability – Series 2

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Arp, Cisco Firewall, Dynamic Routing, Failover, firewall, NAT, NetFlow, Routing, Syslog, TCP, UDP

The Cisco ASA Appliances offers failover in following states

  • Stateless failover
  • Stateful failover.

By default Cisco ASA Appliance performs stateless failover and in this mode of operation, the Active Unit  does the following

  • Synchronizes its configuration with the standby unit.
  • Maintains all Stateful flow information
  • Doesn’t synchronises Stateful flow with the  Standby Unit

The Stateless failover is not a viable option, especially when failover occurs as it has to re-establish all the connections. This state simply cannot provide the availability of the services without any disruption. However some hardware platforms like Cisco ASA 5505 are only capable of working in Stateless failover mode.

When Stateful failover is enabled on the Cisco ASA Active unit it is capable synchronizing  the following with Standby Unit

  • Stateful table for TCP & UDP connection
  • Routing table both static and dynamic learned routes
  • ARP table
  • Bridge-group MAC mapping table in the transparent mode.
  • Application Inspection data for certain applications like
    • Packet Data Protocol (PDP)
    • General Packet Radio Service (GPRS)
    • GPRS Tunnelling Protocol (GPT)
    • Session Initiation Protocol (SIP) signalling tables.
  • VPN Data structures like Security Associations (SA)

However Stateful failover is supported only for the Cisco ASA Software features, where as the Cisco ASA FirePOWER module need to track the connection state independently.  When failover occurs ASA FirePOWER flows are transferred to the new Active unit.  The ASA FirePOWER module in the new active unit is capable of inspecting the traffic only from that point as old inspection states are not transferred during the failover process.


September 24, 2016  6:31 PM

Cisco ASA FirePOWER Services and  High Availability – Series 1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Arp, Cisco Firewall, Dynamic Routing, Failover, firewall, NAT, Routing, Syslog, TCP, UDP

The Cisco ASA Appliance  with FirePOWER Services is capable of offering high availability using failover and clustering. When it comes to failover , the Cisco ASA supports following types

  • Active/Standby
  • Active/ Active

The Cisco ASA Appliance  with FirePOWER Services when deployed in Active/Standby failover mode it offers device level redundancy. However only one unit of ASA appliance remains in active mode , where as the other ASA Appliance of the failover pair remain in standby mode.

Figure 1.1- ASA Active Stanby Mode

Figure 1.1- ASA Active Stanby Mode

The ASA Appliance in Active mode is responsible  for the following

  • Active unit accepts all the configuration commands from the user and replicate the same with Standby Unit.
  • All transit traffic is processed.
  • Applies security policies , build and tear down connections .
  • Synchronises all the connection information like global pool addresses, translation table for NAT, TCP/UDP states, ARP table and many other details with the standby unit provided its configured in Stateful failover mode.
  • Forwards all the syslog messages and Netflow Secure Event Logging (NSEL) to the destined event or log collector.
  • Participates in building and maintaining dynamic routing adjacencies with peer routing device

The standby device is not capable of processing any traffic it receives , it simply drops all the transit traffic and only accepts the management connections. The  Standby ASA Appliance becomes fully active automatically, provided that the active ASA appliance becomes less operational healthy than its peer.


September 17, 2016  6:29 AM

Cisco Router Selector may be your next tool to select the right router

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Business, Cisco, Functional, Functional requirements, Network, Network design, router, SMB, tool, User experience, virtual

When it comes to designing a network one may need to think from many aspects, one such aspect happens to be the scalability. It’s been observed most of the SMBs rely purely on their team to choose the technology or the product. This fits true especially when they want to upgrade their old router with a new one. The challenge of selecting a right product with no design experience is quite hard and often it’s been observed most of the SMBs end up either buying a lower specs device or much high end device. To overcome this challenge for Cisco Routers,Cisco is ffering Cisco Router Selector to select a right router which fits the need of an Organization.

Figure 1.1 - Cisco Router Selector

By simply answering few questions one can identity the  right Cisco router one might require , currently the  Cisco Router Selector allows one to select Branch Routers and Network Edge Routers . The tool recommends the Cisco Edge router based  on the encryption throughput, is the router physical or virtual, which is fine for SMBs.

Figure 1.2 Router Selector model

It’s a good offering from Cisco, as one could have an idea of what they want buy, however this tool cannot replace the task of Network designers and architects as they design networks from many dimensions few of them are business need of the customer, functional requirements, technical requirements, user experience etc.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: