Delaware dons a Blue Coat to fight spyware
- By William Jackson
- Mar 02, 2005
Blue Coat ProxySG
Delaware operates networks for 35,000 state employees and all its 115,000 students, kindergarten through high school.
'We're small enough that we can provide that service,' said Glenn Wright, senior telecom technologist in the Technology and Information Department. 'Every school has at least a T1 back to us.'
Of course, the state IT department provides security for its networks, including firewalls and antivirus filters. Executable attachments on e-mail are blocked and spam is filtered. But spyware still is becoming a problem, Wright said.
Spyware programs gather information about a host computer's activity and send it to a third party, often without the user's knowledge. It can be used to harvest personal information and to deliver pop-up ads. Spyware can be difficult to block because it often piggybacks on free software downloaded from the Internet and also can be downloaded along with legitimate code from a Web site. Because spyware often is downloaded in response to a user request, firewalls do not block it. It typically does not interfere with outgoing traffic when spyware 'phones home' to a parent site to deliver its payload of data.
'We aren't protecting against a lot of things on the Internet,' Wright said. 'But it has come to the point where spyware is consuming resources.'
Delaware is a small state'just three counties'but its network is sizeable, with three main nodes in Dover and Wilmington.
'There are around 400 T1s coming back to us,' Wright said.
To combat the spyware problem, the state is trying out a proxy appliance from Blue Coat Systems Inc. of Sunnyvale, Calif.
'We have it on a test bed,' Wright said. 'We tested it on the full network at one point, but we're still looking for funding. It's expensive, but it's something that is necessary.'
Pricing starts at $3,695 for the ProxySG appliance, and Wright said he expects to use at least 10 of them. The state already has a cluster of Blue Coat ProxyAV antivirus appliances, which start at $5,495.
Blue Coat has added spyware protection to these core appliances. The ProxySG controls traffic to and from the Web, and the ProxyAV uses third-party engines for antivirus scanning.
'Spyware is a rapidly evolving technology,' said Chris King, Blue Coat's product marketing manager. 'These are folks who are fairly ingenious, and no single technology will stop it.'
The company has added four features to its appliances to fight spyware:
Spyware Policy Control, which lets administrators block downloads of code to be installed on a computer. Policy can be done through a blacklist of sites from which such downloads will not be accepted, or through a whitelist of approved sites.
URL filtering for known source sites for spyware. ProxySG supports five third-party URL databases running on the appliance. It can block both incoming downloads and outgoing data. Because source sites for spyware can change often, URL filtering often is more effective against outbound data from already infected machines. 'The site that the spyware calls home to is a lot more static, so blocking those guys is a lot easier,' King said.
Signature scanning by the ProxyAV, looking for known spyware patterns in the traffic stream just as it does for viruses.
Cleanup, which alerts users and administrators when spyware agents are detected and directs the user to InterMute Inc. of Braintree, Mass., and recommends its SpySubtract product be used to remove the software.
The new features were released in October. So, how effective are they?
'It's early yet,' King said. 'We're still gathering statistics.' But anecdotal evidence from logs from competing products shows a sharp drop-off in spyware infections, he said.
For Wright, one of the most attractive features of the Blue Coat tools is the speed of a proxy appliance. Users are unwilling to give up performance on their network connections in exchange for security.
'People can't notice it,' he said. 'You can't give them something and then take it away.'
The appliances have a throughput of up to 487 Mbps, with a latency of two to four milliseconds.
'We cache a lot of the objects,' King said. Once a requested object has been scanned, it can be cached on the proxy and does not have to be scanned each time it is requested. 'We just serve it a lot of times.'
The networks for state employees and schools are separate, and Wright said each will require five appliances.
'We are planning on putting 10 of the units in a pool, stacking them up,' he said.
The pool will be isolated and will serve both networks, providing load balancing.
Wright said about 60 percent of requested traffic can be served from caches, giving a big boost to performance. But if traffic demands increase, the pool can easily scale by adding additional appliances.
'You can grow as far as you want,' he said.
William Jackson is a Maryland-based freelance writer.