Adding Multi-scanning to a Blue Coat Proxy

We have previously discussed how to scan network traffic for malware by configuring MetaDefender ICAP Server (formerly known as Metascan ICAP Server) functionality for use with a Squid proxy server, and although Squid is used by many organizations and is a great open source proxy solution, the most widely-used commercial proxy is Blue Coat. So today we would like to talk about how MetaDefender ICAP Server can be used with a Blue Coat proxy to enable scanning of web traffic with multiple anti-malware engines.

Why add multi-scanning to Blue Coat?

With web traffic and downloads accounting for a large percentage of data coming into an organization, it is an important entry point to protect against malware. And because no single anti-malware engine can catch 100% of threats, using multiple anti-malware engines to scan web traffic provides increased protection.

Blue Coat's ProxySG product gives network administrators a lot of flexibility in how they manage their network traffic, which can be very powerful when leveraged as part of a multi-scanning integration. One of the most valuable features when combined with MetaDefender ICAP Server is the ability to direct a portion of traffic to a specific ICAP service group depending on a defined set of filters. These filters can be based on the specific endpoint making the request, the type of file requested, or the user making the request. This filtering then allows an administrator to scan files with different MetaDefender servers depending on which filter they match. For instance, administrators can decide to scan lower risk files (e.g. images or text files) with a handful of anti-malware engines by directing traffic to a MetaDefender 4 ICAP Server. High risk files (e.g. downloaded executables and archives) can be scanned with a greater number of engines by directing traffic to a MetaDefender 16 ICAP Server.

[Figure: Filtering traffic through Blue Coat ProxySG]

How does it work?

Whenever a threat is found, the file is blocked so that the threat never reaches the endpoint that had requested the file. An administrator can configure Blue Coat to send an email alert with information on the threat found, the endpoint requesting the file, and the user that had authenticated with the proxy server. This allows administrators to quickly triage any potential threats and reduce the likelihood of the network being compromised. If the end user was deliberately trying to access the file, they can be alerted to its malicious nature so they avoid that threat and others. If an application was making the request without the knowledge of the user, the system can be investigated to determine the nature of the application making the request and whether there is a possible infection on the system.

Handling high traffic loads

Blue Coat also allows you to group multiple ICAP servers together into a Service Group, and then balances traffic between the servers in that service group. Having multiple MetaDefender servers assigned to a Service Group allows administrators to easily add capacity to meet increases in traffic. All that is required to scale the multi-scanning throughput is to start up a new MetaDefender server and add it to the Service Group. Blue Coat will automatically start spreading traffic to that server as well. Service Groups also make upgrades easier because a server can simply be removed from the Service Group while it is being upgraded and then re-added back to the group when the upgrade is complete.

[Figure: Handling high traffic through Blue Coat]
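The three mechanisms described above (routing a download to a service group by file type, endpoint or user; blocking the file and raising an alert when the ICAP server reports a threat; and spreading scans across the servers in a service group, adding or removing one without reconfiguration) can be modelled end to end in a few dozen lines. The following is an added example written for this post, not code from OPSWAT or Blue Coat: the service-group names, hostnames, the sensitive subnet and user domain, and the two ICAP replies are all constructed, and the `X-Infection-Found` header it looks for is a common ICAP extension header, not something this post says MetaDefender emits.

```python
"""Offline model of the ProxySG-to-MetaDefender ICAP flow: policy routing,
service-group balancing, and blocking on a RESPMOD reply.
Names, hosts, and ICAP replies below are constructed for this example."""
import re
from dataclasses import dataclass, field

# --- 1. Policy: which ICAP service group scans a given download -----------
# Mirrors a ProxySG policy that routes by file type, endpoint, or user.
# Group names are constructed: "md4" = 4-engine server, "md16" = 16-engine server.
HIGH_RISK_EXT = {"exe", "dll", "msi", "scr", "js", "zip", "rar", "7z"}
LOW_RISK_EXT = {"jpg", "jpeg", "png", "gif", "txt", "css"}


def file_extension(url: str) -> str:
    """Extension of the URL path, ignoring query string and fragment."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def select_service_group(url: str, client_ip: str, user: str) -> str:
    # Endpoints on the (constructed) sensitive subnet and finance users always
    # get the full engine set, whatever the file type.
    if client_ip.startswith("10.10.") or user.endswith("@finance.example"):
        return "md16_icap"
    if file_extension(url) in LOW_RISK_EXT:
        return "md4_icap"
    return "md16_icap"  # high-risk and unknown types go to the larger engine set


# --- 2. Service group: round-robin over the MetaDefender servers in it -----
@dataclass
class ServiceGroup:
    name: str
    servers: list = field(default_factory=list)
    _next: int = 0

    def add(self, host: str) -> None:     # scale out: new server joins rotation
        self.servers.append(host)

    def remove(self, host: str) -> None:  # e.g. take a server out for an upgrade
        self.servers.remove(host)

    def next_server(self) -> str:
        if not self.servers:
            raise RuntimeError(f"service group {self.name} has no servers")
        host = self.servers[self._next % len(self.servers)]
        self._next += 1
        return host


def build_demo_groups() -> dict:
    return {
        "md4_icap": ServiceGroup("md4_icap", ["md4-a.example"]),
        "md16_icap": ServiceGroup("md16_icap", ["md16-a.example", "md16-b.example"]),
    }


# --- 3. Interpreting the ICAP RESPMOD reply (RFC 3507 framing) ------------
# 204 = content unchanged, deliver the original. 200 + X-Infection-Found =
# the server replaced the download with a block page. X-Infection-Found is a
# common ICAP extension header; that MetaDefender uses exactly this form is
# an assumption of this example.
CLEAN_REPLY = b'ICAP/1.0 204 No Content\r\nISTag: "md-icap-1"\r\n\r\n'

_BLOCK_PAGE_HDR = b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
_BLOCK_PAGE_BODY = b"Download blocked: malware detected"
BLOCKED_REPLY = (
    b"ICAP/1.0 200 OK\r\n"
    b'ISTag: "md-icap-1"\r\n'
    b"X-Infection-Found: Type=0; Resolution=2; Threat=EICAR-Test-File;\r\n"
    b"Encapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(_BLOCK_PAGE_HDR)
    + _BLOCK_PAGE_HDR
    + b"%x\r\n" % len(_BLOCK_PAGE_BODY) + _BLOCK_PAGE_BODY + b"\r\n0\r\n\r\n"
)


def parse_icap_reply(raw: bytes):
    """Return ("allow", None), ("block", threat_name) or ("error", None)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status == 204:
        return "allow", None
    if status == 200:
        infection = headers.get("x-infection-found")
        if not infection:
            return "allow", None          # modified content, nothing flagged
        m = re.search(r"Threat=([^;]+)", infection)
        return "block", (m.group(1).strip() if m else "unknown")
    return "error", None                  # 4xx/5xx: the scan did not complete


def scan_response(url, client_ip, user, groups, icap_reply):
    """One download passing through the proxy. The RESPMOD request itself is
    not sent here; `icap_reply` stands in for what the server returned."""
    group = groups[select_service_group(url, client_ip, user)]
    server = group.next_server()
    verdict, threat = parse_icap_reply(icap_reply)
    alert = None
    if verdict == "block":
        # The fields an administrator wants in the alert e-mail described above.
        alert = {"threat": threat, "url": url, "client_ip": client_ip,
                 "user": user, "service_group": group.name, "scanned_by": server}
    return verdict, alert
```

`scan_response` returns the verdict and, on a block, the alert record; the caller (in a real deployment, the proxy) serves the encapsulated block page instead of the original file. A reply of `("error", None)` is the case to decide deliberately in policy: failing open delivers an unscanned file, failing closed blocks downloads whenever the service group is unreachable.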

For administrators using multiple MetaDefender servers with their Blue Coat proxy deployment, MetaDefender Management Station is the best way to easily monitor all of the MetaDefender servers from a single location. From MetaDefender Management Station the current health status of all servers, as well as the current definition update status of all engines on each server, can be viewed from a single interface. Administrators can also see aggregated statistics on how many files have been scanned by all of the servers and whether any threats were found. This makes it easy to monitor the entire MetaDefender ICAP Server deployment.

Additional information on using MetaDefender ICAP Server with Blue Coat proxies, including configuration steps, is available in our online MetaDefender documentation.
