Small Business Resources, Business Advice and Forms from AllBusiness.com

Increase Web security and performance: unwieldy administrative effort eases during corporate...

More than 1,300 Frank Russell Co. (Russell) investment services associates regularly conduct research and interact with other investment services professionals worldwide by using Web resources, ranging from financial information sites to live audio and video conferences to specialized applications. Their Internet access is provided and secured by a firewall and three Microsoft Proxy Servers, which sit between the users and the Internet, monitoring and intercepting outbound requests and inbound responses.

"This positioning in the network gives the proxy server the capability to provide several key functions," says Toby Penn, senior security engineer at Russell. "First, it can authenticate to prevent unauthorized use of the Internet. Second, it can provide content filtering to prevent associates from accessing inappropriate websites. Finally, proxy servers are able to improve end-user performance by saving (caching) the results of Web requests for a certain amount of time and re-serving that content to users the next time around."

Throughout 2001, the administrative effort of maintaining the Internet access infrastructure was becoming unmanageable. Specifically, the software used to provide traditional proxy functions had begun to show its age.

THE EVALUATION PROCESS

At the same time, Russell began a corporate initiative to upgrade to the Windows 2000 server platform. The existing proxy server, which ran on Windows NT 4.0, had to remain compatible. Since the migration required an upgrade regardless, the IT team evaluated two solutions: Microsoft's Internet Security and Acceleration (ISA) Server and Blue Coat Systems' (formerly CacheFlow) SG800 Series Web security appliance. Two key issues relative to both solutions had to be considered.

The primary issue was the way the proxy server handled the need for exceptions to the overall Web usage policy. These exceptions were the result of sites and applications being incompatible with some aspect of proxy caching or proxy authentication. The types of sites and applications needing this special treatment ranged from external websites with specific incompatibilities to commonly used protocols like Real Media streaming over TCP/IP port 80, which was often incompatible with proxy authentication.

The problem was not without a work-around. Russell could provide access to these sites and applications by putting entries in the users' Web browser proxy exception list. By doing so, the browsers were configured to bypass the proxy for specific sites, providing direct access and eliminating the source of the incompatibility.

MODIFYING THE EXCEPTIONS

While the exception list enabled the necessary access, its use posed different--and significant--administrative burdens. Adding sites to the exception list required a change to all user desktops, as well as a parallel change to the firewall to allow the user (rather than the proxy server) direct access to the Internet for the site or application in question. More importantly, the proxy exception list was fast approaching the maximum allowable size. As a result, the company needed a solution that would manage these exceptions better.

"With the existing solution, the installation procedure for new sites had become convoluted, requiring multiple steps, reboots and several dependencies that drew out the process," offers Penn. "As a result, one of our key requirements was decreased administrative effort."

With the approval of Russell's CIO, Jim Wallace, the evaluation team eventually deployed two Blue Coat Systems 645s, load-balanced through domain name services, and the previously existing firewall. Configuration scripts and information are now stored on a local Web server, easing the burden of maintenance and configuration distribution, as well as the process for handling exceptions.

The solution virtually eliminates the proxy exception list. Instead of configuring browsers to bypass the proxy altogether, special exceptions can be made for sites in the configuration of the Blue Coat Systems machine. By adding an entry to a configuration file on the machine, for example, a site or application incompatible with proxy authentication can be reached by users without an authentication challenge.

In addition, a new range of Web security functions is available, such as the capability to apply emergency filters to inbound Web traffic, which will provide protection as Web viruses and Trojans become more prevalent. The solution also automates and centralizes the collection of the access logs for analysis, which IT security now uses to create new Web usage policies.

For more information from Blue Coat Systems: www.rsleads.com/209cn-253
