Is Anti-Malware Redundant When You Have URL Filtering?


A common misconception is that URL filtering is enough protection on the Secure Web Gateway, and that there’s little need for anti-malware (anti-virus) scanning. Before we explain why you really need both WebFilter (URL filtering) and ProxyAV (anti-malware) in your Secure Web Gateway deployment, let’s first explain what each one of these features actually does.

ProxyAV is implemented as a separate appliance and talks with the ProxySG over a protocol called ICAP. It runs actual AV engines, and you can choose to purchase an AV license to run either Kaspersky, Sophos, McAfee, Trend Micro or Panda software on the ProxyAV device. ProxyAV will scan any files an end-user attempts to download from the web via the ProxySG for viruses and malware.
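To make the ICAP hand-off concrete, here is an added example (not Blue Coat code and not from the original article) that frames an ICAP RESPMOD request as defined in RFC 3507, the message type a proxy uses to pass a downloaded response to a scanner. The ICAP host `av.example.internal`, the service path `avscan` and the sample HTTP exchange are hypothetical placeholders.

```python
# Added illustration (not Blue Coat code): framing an ICAP RESPMOD request
# per RFC 3507. Host name and service path are hypothetical placeholders.
CRLF = b"\r\n"


def build_respmod(icap_host, service, req_hdr, res_hdr, body):
    """Wrap an HTTP request/response pair in an ICAP RESPMOD message."""
    for block in (req_hdr, res_hdr):
        if not block.endswith(CRLF * 2):
            raise ValueError("HTTP header block must end with a blank line")
    # Encapsulated offsets count bytes from the start of the ICAP body.
    res_hdr_off = len(req_hdr)
    body_off = res_hdr_off + len(res_hdr)
    if body:
        # The entity is chunk-encoded and closed by a zero-length chunk.
        entity = b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF * 2
        last = "res-body"
    else:
        entity, last = b"", "null-body"  # nothing to scan, e.g. a 304
    icap_hdr = (
        f"RESPMOD icap://{icap_host}/{service} ICAP/1.0\r\n"
        f"Host: {icap_host}\r\n"
        "Allow: 204\r\n"  # server may answer 204 = no modification needed
        f"Encapsulated: req-hdr=0, res-hdr={res_hdr_off}, {last}={body_off}\r\n"
        "\r\n"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + entity


def split_encapsulated(message):
    """Parse the Encapsulated header and slice the ICAP body by its offsets."""
    head, _, payload = message.partition(CRLF * 2)
    line = next(l for l in head.split(CRLF) if l.lower().startswith(b"encapsulated:"))
    parts = [p.strip().split(b"=") for p in line.split(b":", 1)[1].split(b",")]
    offsets = [(name.decode(), int(off)) for name, off in parts]
    ends = [off for _, off in offsets[1:]] + [len(payload)]
    return {name: payload[off:end] for (name, off), end in zip(offsets, ends)}


# Constructed sample exchange: a user downloads a file through the proxy.
REQ = b"GET /tool.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n"
RES = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
SAMPLE = build_respmod("av.example.internal", "avscan", REQ, RES, b"MZ\x90\x00sample")

if __name__ == "__main__":
    print(SAMPLE.decode("latin-1"))
```

The `Encapsulated` offsets are what let the scanner separate the original request headers, the response headers and the file body; a mismatch between them and the actual byte layout is a common cause of ICAP scan errors.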

BCWF (Blue Coat WebFilter), on the other hand, is a URL categorization database and back-end cloud service known as Webpulse. It puts URLs in categories. For example, is in the category “Search Engines/Portals”. Some URLs are in multiple categories, for example, is in both “Social Networking” and “Games”.
There is a “Malicious Sources” category in BCWF, but BCWF doesn’t actually scan for viruses. Instead, when a particular URL is known to contain a virus or malware, BCWF classifies that URL in this category. For new URLs and new malware, the categorization often isn’t yet in the local BCWF database, so the ProxySG can rely on up-to-date categorizations from the Webpulse cloud, which can also categorize in real time and return the result to the ProxySG.

With only BCWF enabled and not ProxyAV, what happens when a site (in an allowed category) becomes newly infected? If something is in an allowed category, e.g. in “Search Engines/Portals”, and if somehow gets newly infected with a virus, the ProxySG wouldn’t block it, even if you had the entire “Malicious Sources” category blocked, until the infection has been found and the additional classification added into Webpulse. If you also had ProxyAV turned on to do file scanning, it would scan and detect the virus. Protection from malware on good sites is just as important as protection from known bad sites, and may even be more important.

If you don’t need URL categorization, maybe you’re thinking you can live with just ProxyAV. But because virus scanning is typically more CPU intensive and more likely to introduce latency, you’re better off not scanning a file in ProxyAV if you don’t have to. With BCWF filtering and Webpulse coming first, the ProxySG does a quick URL database lookup, and if the URL is in the “Malicious Sources”, “Phishing”, or “Potentially Unwanted Software” categories, you can block a significant number of threats without using the resources of the ProxyAV engine.

A complete security solution includes both URL filtering and anti-malware protection. Blue Coat WebFilter and ProxyAV provide the added level of security needed in enterprise environments.

