bluecoat services

Upload: chessball

Post on 16-Apr-2017

Transition slides

Blue Coat: Web Security & Acceleration


About PacketShaper


PacketShaper Key Functionality

Application Visibility
Application QoS
Application QoS benefits time-sensitive applications: transactions (ERP, CRM, Citrix); IP telephony and convergence; contain P2P, recreational and malicious traffic
Additional products: requires ProxySG for acceleration, caching and WAFS; IntelligenceCenter / PolicyCenter management system


What Can PacketShaper Do?

Discover All Application Traffic
Monitor User Experience
Troubleshoot Performance Issues
Resolve Issues, Pre-empt Problems
Control and Protect Application Performance

Application Visibility
Application QoS


PacketShaper Deployment Option: Asymmetric in the Core

Diagram labels: WAN, Branch Offices, Data Center; Core PacketShaper, IntelligenceCenter, PolicyCenter; Centralized Data and Applications


PacketShaper Deployment Option: Symmetric with Branch Deployment

Diagram labels: WAN, Branch Offices, Data Center; Core PacketShaper, IntelligenceCenter, PolicyCenter, Centralized Data and Applications; Internet, Public Web Servers, Customers and Partners; Employees; Branch PacketShaper; Branch PacketShaper, Web Content and Applications

Just to give you a sense of where they fit in the network, the PacketShaper moves into both, not only the data center but also branch locations, giving you visibility, QoS and compression for applications between these two areas, or between all these areas.

Discovery & Monitoring QOS SITE BASED TREE

PacketShaper Application Visibility

What is Application Visibility?

Application mix by bandwidth: Web Browsing 28%, Other 4%, TN3270 2%, Citrix 5%, Oracle 7%, File Transfers 9%, E-mail 20%, Internet Gaming 5%, P2P 12%, Recreational Streaming 8%. 53% of bandwidth is being used by recreational applications; 14% of bandwidth is business critical.

Identifies Applications for What They Really Are

To run the business effectively, you need to know what's happening on your network.

Here's an example of the mix of applications found on our customers' networks and the amount of bandwidth they are consuming. We find that most IT people suspect they have a problem on their networks, but they are astonished at the actual numbers when we conduct an application performance evaluation. In this case, you can see that more than half the available bandwidth is being consumed by recreational applications. This problem is growing with the popularity of applications like YouTube and even Slingbox! You definitely don't want your employees accessing their Slingbox from the company network!

So you need to have a way to ensure that your most important business applications are protected from recreational bandwidth hogs and from malicious applications, so they perform in support of the business.

We'll see how PacketShaper's solution for monitoring and automatic traffic discovery offers unparalleled visibility into what's running on the network.

Application Visibility

Discover All Application Traffic: 600+ applications, good and bad; sub-classify within complex apps / HTTP
Monitor User Experience: measure and alarm, SLA compliance, VoIP metrics, integrate with other tools
Troubleshoot Performance Issues: isolate delays, connections, host and app performance; capture and analyze

PacketShaper analyzes traffic running across the WAN, inspecting at all layers of the protocol stack and using unique, industry-leading techniques (behavioral analysis that goes well beyond address or port matching, or even deep packet inspection) to identify network applications. PacketShaper can identify and classify over 600 applications. This deep knowledge of applications is unique to PacketShaper and provides application intelligence to customers to monitor performance and investigate problems, while providing the other PacketShaper modules with the information they need to do their jobs in a more intelligent way.

Discovery

Maps traffic to its classification library
Automatically builds a list of the applications running on your network
Provides the basis for PacketShaper Application QoS technology
Starts collecting performance data: utilization, efficiency, response times

The PacketShaper also immediately starts collecting performance data, so you'll get information like: How much bandwidth is that application using? Is it running efficiently? Are there a lot of retransmissions? What is the response time of that application? And who are the top users of the application?

Industry-Leading Application Identification (unique to Blue Coat)

Behavioral characteristics
Multi-packet flow analysis and profiling
Beyond address- and port-based analysis
Identifies evasive applications: encrypted, port-hopping, tunneled

Blue Coat PacketShaper

This diagram shows how Blue Coat's industry-leading application identification and classification eclipses the other flavors of methods available on other products.

Layer 7 Plus enables PacketShaper to auto-classify over 600 applications. It provides the deepest insight into application sub-classifications, validation methods, and behavioral characteristics, and uses unique multi-packet flow analysis and profiling intelligence for encrypted, tunneled and evasive applications.

Layer 7 Plus goes way beyond traditional Layer 7 products, which can identify only well-known, well-behaved applications and HTTP and FTP transactions that use unique and published port numbers.

To be truly useful, traffic analysis needs to be more application-intelligent than simple address- and port-based analysis because: 1) Many applications share the same ports: web-enabled business applications, casual Web browsing, and music sharing can all communicate over port 80. If you only had port-based analysis, you wouldn't be able to tell the difference between unimportant Web browsing and business-critical Web traffic. 2) Many applications dynamically negotiate port assignments as they establish connections. Many evasive applications (and business applications) utilize encryption and tunneling techniques, either to protect or to obscure the underlying application type. If you only used port-based analysis, you would have no visibility into traffic from such applications.

Think about music and media downloads. Music sharing applications like KaZaA can be configured to run over port 80, masquerading as Web traffic. With the increase in Web-enabled applications, it's important to distinguish between music downloads with an MPEG content-type and more important e-Commerce traffic with an XML content-type.

PacketShaper is the only solution that provides the intelligence and flexibility needed to manage traffic according to business priorities.
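To make the port-80 problem described above concrete, here is an added Python example (not Blue Coat code) that classifies the same constructed set of flows two ways: by destination port only, and by what the HTTP exchange actually carried (the response content type, or no HTTP at all on port 80). The flow records, byte counts and class names are constructed for the example.

```python
"""Port-based vs content-aware traffic classification over constructed flow records."""
from collections import defaultdict
from typing import Callable

# Constructed flow records (not captured data): destination port, transport protocol,
# byte count and, where an HTTP exchange was parsed on the flow, the response
# Content-Type. 'http' is None when no HTTP request was seen on the flow.
FLOWS = [
    {"id": 1, "dport": 80,   "proto": "tcp", "bytes": 300_000, "http": {"content_type": "text/xml"}},
    {"id": 2, "dport": 80,   "proto": "tcp", "bytes": 500_000, "http": {"content_type": "video/mpeg"}},
    {"id": 3, "dport": 80,   "proto": "tcp", "bytes": 200_000, "http": None},
    {"id": 4, "dport": 1494, "proto": "tcp", "bytes": 100_000, "http": None},
    {"id": 5, "dport": 25,   "proto": "tcp", "bytes": 100_000, "http": None},
]

# Well-known port table: the only knowledge a port-based classifier has.
PORT_CLASSES = {80: "web", 443: "web", 25: "email", 1494: "citrix", 1521: "oracle"}

# Content types treated as recreational media vs business web-service payloads (assumed sets).
MEDIA_TYPES = {"video/mpeg", "audio/mpeg"}
XML_TYPES = {"text/xml", "application/xml", "application/soap+xml"}


def classify_by_port(flow: dict) -> str:
    """Layer-4 only: every flow on port 80 is 'web', whatever it carries."""
    return PORT_CLASSES.get(flow["dport"], "other")


def classify_by_content(flow: dict) -> str:
    """Sub-classify port-80 traffic by what the HTTP exchange carried."""
    if flow["dport"] == 80:
        http = flow["http"]
        if http is None:
            # Port 80 with no parseable HTTP request: an application using the
            # web port to slip past port-based controls (P2P, tunnels).
            return "port-80-non-http"
        ctype = http.get("content_type", "")
        if ctype in MEDIA_TYPES:
            return "recreational-media"
        if ctype in XML_TYPES:
            return "business-web-app"
        return "web-browsing"
    return classify_by_port(flow)


def bandwidth_share(flows, classifier: Callable[[dict], str]) -> dict:
    """Percent of total bytes per class, rounded to one decimal."""
    per_class = defaultdict(int)
    for f in flows:
        per_class[classifier(f)] += f["bytes"]
    total = sum(per_class.values())
    return {k: round(100 * v / total, 1) for k, v in per_class.items()}


if __name__ == "__main__":
    print("port-based   :", bandwidth_share(FLOWS, classify_by_port))
    print("content-aware:", bandwidth_share(FLOWS, classify_by_content))
```

The port-based view reports 83% "web" and nothing else of interest; the content-aware view splits that same 83% into a business XML application, a media download and a non-HTTP flow on port 80 that deserves a closer look.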

Classification

Maps traffic to its classification library
Automatically builds a list of the applications running on your network
600+ application classes
Sub-classify within complex apps / HTTP
Good, bad and malicious traffic
Current and next-generation applications
Plug-in architecture: enables new application definitions without a firmware upgrade

So traffic discovery automatically inspects the traffic, mapping it to its classification library and building a list of the applications running on your network. This is extremely valuable: if you don't have this, all the rich classification would not help you. You wouldn't know where to start classifying, because you don't know what you don't know!

Convergence, IP telephony and video conferencing: identifies each setup, call and codec used; measures quality in real time
Web services: XML/SOA-based applications; WSDL analysis and classification tool
Encrypted applications: differentiate between SSL applications; identify encrypted P2P based on behavioral profiles
Plug-in architecture: enables new application definitions without a firmware upgrade


Application QoS Technology: Application-specific Bandwidth Control

Application Session Provisioning provides:
Hierarchical subclassifications of apps
Per-call or per-session differentiation
Far richer classification than routers
Layer 7 Plus differentiation: customer-critical over recreational apps; latency-sensitive over bandwidth-hungry apps
TCP and UDP Rate Control: managed on a flow-by-flow basis at application level
Guaranteed delay bounds for IP telephony on converged networks

Because PacketShaper QoS technologies work with our Visibility technology providing application intelligence, you can differentiate business-critical traffic from recreational and less important applications and use rate policies to ensure a minimum rate per individual application session. Allow that session prioritized access to excess bandwidth. Then set a limit on the total bandwidth it can use. A policy can keep greedy traffic in line or protect latency-sensitive sessions. Unused bandwidth is automatically lent to other applications.

Consider non-TCP traffic via UDP-based applications, which represent about 10 to 20 percent of network traffic, including Voice and Video over IP (VoIP). Our UDP Rate Control technology leverages the same aggregate view of the network supply / application demand equation and the Predictive Scheduler to provide UDP applications effective QoS.

PacketShaper manages UDP packets on a flow-by-flow basis, at the application level, providing much more intelligent management than aggregate queuing schemes. UDP delay bounds allow you to specify how long packets can remain buffered during times of congestion. For example, a delay bound of 200 ms is appropriate for a streaming audio flow.

Select a priority policy for transaction-oriented traffic, or rate policy classes for persistent UDP traffic like VoIP. Use a minimum rate for each UDP flow, guaranteed in bits per second: 24 kbps to each VoIP stream, for example.
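As an added example (not PacketShaper's scheduler), the following Python model applies the policy semantics just described to three constructed flows on a 512 kbps link: a guaranteed minimum per flow, prioritized access to excess bandwidth, a limit cap on the greedy flow, and a 200 ms delay bound on a 24 kbps VoIP flow. The same flows are then pushed through a plain first-come-first-served queue to show the voice packets going stale. The link speed, packet sizes and flow names are assumptions; real TCP rate control slows the sender instead of buffering, which this model does not simulate.

```python
"""Rate policies per application flow: guaranteed rate, limit, and a UDP delay bound
(constructed model of the policy semantics, not PacketShaper's scheduler)."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

INTERVAL_MS = 100                                   # scheduler tick
LINK_KBPS = 512                                     # WAN link capacity (assumed)


def bytes_per_tick(kbps: int) -> int:
    return kbps * 1000 // 8 * INTERVAL_MS // 1000


CAP_BYTES = bytes_per_tick(LINK_KBPS)               # 6400 bytes per tick


@dataclass
class Policy:
    guaranteed_kbps: int                            # minimum rate for the flow
    limit_kbps: Optional[int] = None                # cap on the flow's total rate
    delay_bound_ms: Optional[int] = None            # UDP: max time a packet may sit buffered


@dataclass
class Flow:
    name: str
    policy: Policy
    pkt_size: int
    pkts_per_tick: int
    queue: deque = field(default_factory=deque)     # (arrival_ms, size)
    sent: int = 0
    dropped: int = 0


def make_flows():
    """Three constructed flows: 24 kbps voice, 160 kbps Citrix, a 960 kbps P2P download."""
    return [
        Flow("voip",   Policy(guaranteed_kbps=24, delay_bound_ms=200), pkt_size=60,  pkts_per_tick=5),
        Flow("citrix", Policy(guaranteed_kbps=64),                    pkt_size=400, pkts_per_tick=5),
        Flow("p2p",    Policy(guaranteed_kbps=0, limit_kbps=64),      pkt_size=400, pkts_per_tick=30),
    ]


def expire(flow: Flow, now: int) -> None:
    """Drop buffered packets older than the delay bound: late voice is useless to the receiver."""
    bound = flow.policy.delay_bound_ms
    if bound is None:
        return
    while flow.queue and now - flow.queue[0][0] > bound:
        flow.dropped += flow.queue.popleft()[1]


def send_from(flow: Flow, budget: int, cap: int):
    """Send whole packets from the head while the flow budget and the link capacity both allow."""
    used = 0
    while flow.queue and flow.queue[0][1] <= budget - used and flow.queue[0][1] <= cap:
        size = flow.queue.popleft()[1]
        used, cap, flow.sent = used + size, cap - size, flow.sent + size
    return used, cap


def run_policy(flows, ticks=10):
    """Phase 1 serves every flow's guaranteed minimum; phase 2 lends the excess in
    priority order (list order), never beyond a flow's limit."""
    for t in range(ticks):
        now = t * INTERVAL_MS
        for f in flows:
            expire(f, now)
            f.queue.extend((now, f.pkt_size) for _ in range(f.pkts_per_tick))
        cap, sent_now = CAP_BYTES, {}
        for f in flows:
            sent_now[f.name], cap = send_from(f, bytes_per_tick(f.policy.guaranteed_kbps), cap)
        for f in flows:
            limit = f.policy.limit_kbps
            budget = cap if limit is None else bytes_per_tick(limit) - sent_now[f.name]
            used, cap = send_from(f, budget, cap)
            sent_now[f.name] += used
    return {f.name: (f.sent, f.dropped) for f in flows}


def run_fifo(flows, ticks=10):
    """Best-effort comparison: one queue in arrival order; the same delay bound marks stale voice."""
    line = deque()
    for t in range(ticks):
        now = t * INTERVAL_MS
        for f in flows:
            line.extend((now, f.pkt_size, f) for _ in range(f.pkts_per_tick))
        kept = deque()
        for arrival, size, f in line:
            bound = f.policy.delay_bound_ms
            if bound is not None and now - arrival > bound:
                f.dropped += size
            else:
                kept.append((arrival, size, f))
        line, cap = kept, CAP_BYTES
        while line and line[0][1] <= cap:
            _, size, f = line.popleft()
            f.sent, cap = f.sent + size, cap - size
    return {f.name: (f.sent, f.dropped) for f in flows}


if __name__ == "__main__":
    print("policy:", run_policy(make_flows()))
    print("fifo  :", run_fifo(make_flows()))
```

Under the policy run the voice flow delivers every byte with nothing dropped and the P2P flow is held to its 64 kbps cap; under the FIFO run the P2P backlog pushes voice packets past the 200 ms bound and they are discarded.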

Monitor and Troubleshoot

Measure: utilization, response times, performance and SLAs per application
Isolate: what (application), where (server or network), who (users), how (captures, histories)
Diagnose and fix problems: identify protocols, link latency and other environmental variables; determine what optimization will help

Once we've identified the traffic, we're able to monitor the end-user experience by measuring and alarming on specific statistics to track the user experience and alert IT when things are going wrong, before the users complain. That allows you to maintain SLA (Service Level Agreement) compliance, both for internal applications and for the carrier SLAs on your specific WAN links. We also track Voice over IP metrics like Mean Opinion Score, jitter, delay and loss, and integrate all of these reports into other tools that have a more heterogeneous approach to performance reporting. Basically, taken together, this gives you a way of monitoring the user experience.

Next, once you've identified that there are issues or that you have a degradation in performance, we're able to troubleshoot and help you identify where the issues are coming from. So you can isolate where the delays are: are they on the network side? Are they on the server side? You can look at what the connection state is. You can identify the hosts, the servers, the users that may be experiencing the worst performance degradation. And this goes deep: we have very targeted packet capture so that you can analyze captures with your Sniffer Pro, your EtherPeek, your Ethereal, or any packet decode tool. So that allows you to troubleshoot performance issues and then, finally, tune the environment to resolve and pre-empt problems.

So that's great, we know exactly what's wrong. But one of the challenges traditionally associated with performance monitoring is: once you've identified a problem, how do you fix it? Whether it's an emergent issue with a spike in application usage or whether it's a CIFS protocol problem with latency, Blue Coat has all the tools to actually fix performance issues, with a full suite of control and acceleration technologies to manage all your applications across distributed networks. And that's really a big difference with Blue Coat when you compare our Application Performance Monitoring with competitors in this space, people like NetQoS or NetScout.

PacketShaper Application QoS

What is Application QoS?

Unacceptable ERP performance: insufficient bandwidth and congestion
Uncontrolled recreational traffic: wasted bandwidth and impact on business-critical applications
Unpredictable voice quality: crowded out by bandwidth-hungry apps

So let's look at the challenges we face on the WAN. This graphic really illustrates the fundamental challenge, which is the fact that we have a LAN with much greater capacity connecting to a WAN with much less capacity. 10 Mb or 100 Mb switched, or gigabit, is very common in the enterprise. On the other side of that is the WAN, with common connection speeds of 128K, 256K, or if you're lucky a T1/E1; between large datacenters maybe you'll have a T3/E3. A T1 is 1.54 Mb per second, a much smaller connection than the local area network feeding it.

As part of a distributed network or as a result of server consolidation, you have a whole new dynamic. Latency-sensitive business applications like voice and SAP; your bandwidth-intensive business applications like e-mail or file transfers between two engineering groups for document check-in (important but not terribly delay sensitive); and then you have non-business traffic: casual Web surfing, P2P downloads, worm and virus propagation. All of these applications will compete for that small amount of bandwidth on the WAN.

With limited WAN bandwidth and challenges due to latency and congestion, control over which applications use that bandwidth becomes even more critical.

What is Application QoS?

Powerful, Dynamic Application-aware Bandwidth Shaping

Great ERP performance: protected from apps and congestion
100% control of recreational traffic: no matter how much it tries to hide
Voice quality 100% assured: all-level QoS

This is the "after" view of the previous slide. What you see here is that the traffic has been smoothed out: the bandwidth-intensive applications and non-business applications are no longer taking up all the bandwidth. No matter what happens, your business-critical applications are getting the bandwidth they need.

PacketShaper now contains the most sophisticated, and patented, methods of controlling how traffic flows over the network.

Application QoS

Resolve application performance issues
Pre-empt performance problems
Control bandwidth dynamically: apportion and ensure service levels for applications
Control and protect applications: protect and optimize time-sensitive / real-time apps; SLAs for voice, transactions, streams; restrict the bandwidth impact of recreational traffic

Application QoS lets you: protect the performance of important applications, such as SAP and Oracle; provision steady streams for voice or video traffic to ensure smooth performance; stop applications or users from monopolizing the link by capping bandwidth using an explicit rate, a percentage of capacity or a priority; and provision bandwidth equitably between multiple locations, groups or users.

Contain unsanctioned and recreational traffic, such as P2P and music downloads; detect attacks and limit their impact; monitor conditions of interest and then, when thresholds are crossed, automatically take immediate action to correct, document and/or notify someone of the problem.

Deal with congestion issues from an application perspective by applying application-intelligent use of marking technologies and packet flow technology to minimize latency and other inefficiencies for apps that are important to your business. Partitions and policies can be used to protect the critical application and contain or block malicious and recreational traffic.

Bandwidth management also has the effect of smoothing bursty traffic to reduce congestion from end-to-end and improve overall network performance and efficiency.

Blue Coat is the only vendor that offers per session guarantees, which are critical to the performance of applications like Citrix, video and voice traffic.

Blue Coat is also the only vendor that offers bi-directional control that keeps congestion free on both ends. This is counter to other solutions that just use queuing, which only works in the outbound direction and is a reactive solution that only comes into play after there is congestion.

Application QoS Technology: Policies and Partitions

Policy-based Application QoS definitions and partitions by: application; site or server; user or user group
Beyond standard QoS: apply policies to protect critical traffic; smooth disruptive, bandwidth-intensive traffic; contain recreational traffic; block malicious traffic

Set priorities to protect business-critical apps; non-critical apps can use the remaining bandwidth

So with PacketShaper you can protect SAP, Oracle, VoIP and other business-critical applications and prioritize them over other applications.

As we can see in the illustrations, you can contain or even block traffic. You probably want to block malicious traffic, but maybe you also want to block P2P applications; you can do this with our solution. Or maybe you just need to smooth your business applications that are bursty, like large file transfers.

Standard QoS technologies (RED, WRED and dual leaky bucket) are passive queuing techniques that only react to congestion conditions. If there's too much traffic for a given link, they either hold (queue) or drop packets, resulting in poor application performance because data is stuck or the connection has throttled back. Also, retransmission sends the same data twice, wasting bandwidth. We'll come back to that later in more detail.

An elegant component of PacketShaper's policy framework is the use of dynamic partitions: per-user partitions that automatically manage each user's (or group of users') bandwidth allocation across one or more applications. Very useful for equitable bandwidth allocation, dynamic partitions provide the ability to easily scale bandwidth fairness, simplifying administrative overhead and allowing over-subscription.

Application QoS Technology: Rate Control and Predictive Scheduler

Manages congestion proactively: latency reduced; packet drops minimized; fewer retransmissions; improved application performance
Improves efficiency to increase throughput

Figure: traffic without App QoS vs with App QoS

PacketShaper's Rate Control engines work at the flow level to calculate aggregate network resource supply and application demand conditions, moment to moment. With real-time flow speed detection, the engine calculates a demand vector for each application flow; the Predictive Scheduler is able to forecast packet-arrival times that affect the supply and demand equations.

The Predictive Scheduler anticipates congestion. TCP Rate Control manages the data stream to less important applications to slow down transmission speed as it travels from a server in Dallas to a branch office in Boston. The impact of our patented technology is huge: latency reduced, packet drops minimized, fewer retransmissions and improved application performance.

Traditionally we've seen queues in routers: priority queuing, weighted fair queuing, class-based queuing, class-based weighted fair queuing. All of this is about making some traffic wait while other traffic goes through. But what happens is that while you make that traffic wait, it could be retransmitted by the sending system because of a timer: if it does not receive an acknowledgement of receipt in a certain amount of time, it will consider the data lost and retransmit it. Often what the router will do is hold the traffic so long that the end system retransmits it.

This slide really illustrates the dramatic impact that shaping can have on a network. Just by enabling shaping and setting the link speed, this customer was able to both smooth out the bursty traffic, and nearly eliminate the drops caused by congestion. The network went from consistently losing around 25% of packets that had to be re-transmitted, to only losing 1-2%.

This has the impact of improving overall throughput and in this case was equivalent to adding 35% additional bandwidth, and dramatically improving application performance considering the applications no longer had to wait for all of those retransmissions.

Compare Router-based QoS

Manage bandwidth passively and react to congestion and packet loss
Use port-based application traffic classification
Use various packet-based queuing methods that: are not bi-directional (cannot control inbound traffic at the other edge); add delay to transaction time and latency; cannot provide per-flow guarantees; are only truly effective as part of a comprehensive control strategy
Are managed on a per-router basis: big management overhead in distributed deployments

Routers provide queuing technology that buffers waiting packets on a congested network. A variety of queuing schemes, including weighted fair queuing, priority output queuing and custom queuing, attempt to prioritize and distribute bandwidth to individual data flows so that low-volume applications don't get overtaken by large transfers. Router-based, queuing-only solutions have improved. For example, they can now enforce per-traffic-type aggregate bandwidth rates for any traffic type they can differentiate. But a variety of router and queuing limitations remain, for example:

Routers manage bandwidth passively, discarding packets and providing no direct feedback to end systems.

Traffic classification is too coarse and overly dependent on port matching and IP addresses. Routers can't automatically detect and identify many applications as they pass. They can't identify non-IP traffic, much VoIP traffic, peer-to-peer traffic, games, HTTP on non-standard ports, non-HTTP traffic on port 80 and other types of traffic. Their inability to distinguish traffic severely limits their ability to control it appropriately.

Routers use queuing (buffering and waiting) or packet tossing to try to control traffic sources and their rates. Queues, by definition, oblige traffic to wait in lines and add delay to transaction time. Dropping packets is even worse for TCP applications, since it forces the application to wait for a timeout and then retransmit. Queues do not proactively control the rate at which traffic enters the wide-area network at the other edge of a connection. Queuing-based solutions are not bi-directional and do not control the rate at which traffic travels into a LAN from a WAN, where there is no queue. Queuing addresses a problem only after congestion occurs. It's an after-the-fact approach to a real-time problem. Queuing is a good tactic, and one that should be incorporated into any reasonable performance solution. But it doesn't stand alone as an effective solution.

Router-based QoS Compared to PacketShaper Inbound Rate Control

Figure: branch offices A, B and C (A and C sending bulk data, B sending Citrix), each on a 512 Kbps link, feeding a 1 Mbps link into the data center. Configured in all the branches and the data center, router-based queuing relies on the bulk transfers being throttled down after packet loss. PacketShaper's patented Rate Control, applied only in the data center, slows down the bulk traffic without packet loss and before queues can build.

Let's look at an example that shows the difference.

With router-based QoS, you can apply priorities between port-based differentiated apps in the outbound direction, in this example on Citrix and bulk data from the branch offices. As we've seen, PacketShaper has a much more intelligent differentiation between apps, but in this simple example, let's say you have applied a higher priority for Citrix and a lower priority for the bulk data. All outbound queues on the routers work independently of each other and will correctly apply the policies set. If Branches A and C only have bulk data to send, then that traffic will interfere with Citrix traffic from B before entering the router at the core. PacketShaper's Rate Control mechanism not only has a complete overview of why there is congestion in the core, it is also capable of preventing the QoS-offending flows from exceeding their available bandwidth before congestion occurs. This is done end-to-end without needing dual-sided devices that must intercommunicate, and through mechanisms readily available in the TCP/IP standard.

Note that some QoS solutions offer inbound queuing (not routers) but, again, since they are queuing-based, that will only resolve the congestion caused by the bulk data after losing both Citrix and bulk data packets.

Compare Packet Marking and MPLS

Applies only to the carrier's core: provisioned WAN service, not the entire link; no way of assigning preference at the last mile; the biggest bottleneck is typically the last mile
Aggregate shaping only: treats all connection requests the same; lacks the ability to assign a limit to the number of call requests
Needs complementary technology to overcome deficiencies: application classification for accurate marking; packet rate, bandwidth and flow control

First, CoS/ToS (Class and Type of Service bits) were incorporated into IP. Then, DiffServ became the newer marking protocol for uniform quality of service (QoS), essentially the same as ToS bits, just more of them. And more recently, MPLS emerged as the newest standard, integrating the ability to specify a network path with class of service for consistent QoS.

The advantages of packet marking are clear. It is proactive and does not wait until a problem occurs before taking action. It is an industry-standard system that different equipment from different vendors all incorporate, ensuring consistent treatment. But, as with queuing, it doesn't stand alone as an effective solution.

Intelligent Marking for MPLS Networks

Application classification enables accurate marking of application traffic (DiffServ, MPLS, ToS)
Figure: classes of service and bandwidth allocation for VoIP, SAP and Email (256 Kbps, 768 Kbps, best effort); Remote Office, MPLS Backbone

MPLS has been adopted by organizations hoping to take advantage of different classes of service and ensure appropriate application performance. However, they often discover that placing key applications into premium service classes does not reap the expected benefits. The right traffic does not get placed in the right MPLS service class. Premium classes deliver sub-premium performance as they drown in copious non-urgent traffic; important applications are improperly assigned to only best-effort classes. Also, traffic gets hung up in a congested bottleneck just before each entry point to the provider's MPLS network, with unmanaged traffic heading into a LAN (inbound) at an inappropriately high flow rate.

Think of it in terms of an airline, where they offer first class, business class and economy class across their WAN. You'll pay more for first class, but you'll get better performance across the carrier's network; that's the claim. And that's great; that will help you more effectively deliver better performance for your applications. But there are challenges. The first challenge is that this only applies to the carrier's network. So you are still left with congestion and with the contention for bandwidth going from the LAN to the WAN; that problem is not solved with MPLS, and PacketShaper solves it. The other challenge is this: how do you make sure SAP running over port 80 on HTTP goes into the first class service level and other HTTP applications running over port 80 do not? MPLS does not solve this problem. Why would you want to pay for first class service for casual Web browsing?

Application QoS and MPLS Working Together

Figure: MPLS core

MPLS leverages multiple service classes, assigning different ones to different applications with different performance characteristics. There are hundreds of different traffic and application types running across the WAN (business applications, recreational applications, "invisible" services) and only a handful of service classes. Using our advanced application identification and classification technology, PacketShaper automatically classifies applications, identifying and then marking them with the proper DiffServ Code Point (or VLAN tag) to get them into the proper service class.

So you can see here that the real-time video and H.323 IP Telephony traffic which needs immediate and priority bandwidth is allocated over apps that are less real-time critical, apps that are purely recreational which fall into the best effort service class.

PacketShaper can apply its rich classification features and differentiate between those traffic types, mark it and make sure it goes into the right class of service.

Application QoS and MPLS: End-to-End Quality of Service

Service class table:
Premium: 256 kbit/s, DSCP 1
Platinum: 256 kbit/s, DSCP 3
Gold: 512 kbit/s, DSCP 5
Silver: 512 kbit/s, DSCP 7
Best Effort: 512 kbit/s, DSCP 9

MPLS provides for aggregate shaping only and treats all connection requests the same. It lacks the ability to assign a limit to the number of call requests, so unlike PacketShaper, which can deny, say, the 12th call to avoid congestion, MPLS will assign the same priority to the 12th, 13th and all subsequent call requests, regardless of how much congestion that may cause.

MPLS also applies to the provisioned WAN service; it does not offer any control over assigning preference at the last mile.

PacketShaper complements MPLS. It overcomes marking's fundamental deficiencies by providing very granular differentiation between types of traffic/applications, so that the proper distinguishing markers can be applied, control enforced over the rate at which packets enter and exit the WAN, explicit bandwidth minimums and maximums applied, and the number of allowed flows controlled for a given type of traffic or a given sender.
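The marking and admission points above, as an added Python example that is not Blue Coat code: it writes a DSCP value into a constructed IPv4 header (recomputing the header checksum), maps an application class to one of the service classes in the table, and refuses a new voice call once the class would be oversubscribed at the 24 kbps per stream figure used earlier. The application-to-class mapping, the addresses and the per-call rate are assumptions; with a 256 kbit/s Premium class the 11th call is the first one refused.

```python
"""DSCP marking of IPv4 headers and per-class call admission (constructed example)."""
import socket
import struct

# Service classes as listed in the table: name -> (kbit/s, DSCP). The application-to-class
# mapping is an assumption for this example, not Blue Coat configuration.
SERVICE_CLASSES = {
    "Premium":     (256, 1),
    "Platinum":    (256, 3),
    "Gold":        (512, 5),
    "Silver":      (512, 7),
    "Best Effort": (512, 9),
}
APP_TO_CLASS = {"voip": "Premium", "citrix": "Platinum", "sap": "Gold", "email": "Best Effort"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int = 17, total_len: int = 200) -> bytes:
    """Minimal 20-byte IPv4 header (no options), DSCP 0, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def get_dscp(header: bytes) -> int:
    return header[1] >> 2


def set_dscp(header: bytes, dscp: int) -> bytes:
    """Rewrite the 6 DSCP bits, keep the 2 ECN bits, recompute the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    tos = (dscp << 2) | (header[1] & 0x03)
    hdr = header[:1] + bytes([tos]) + header[2:10] + b"\x00\x00" + header[12:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def mark_for_app(header: bytes, app: str) -> bytes:
    """Classification result -> service class -> DSCP written into the header (unknown apps: best effort)."""
    cls = APP_TO_CLASS.get(app, "Best Effort")
    return set_dscp(header, SERVICE_CLASSES[cls][1])


class CallAdmission:
    """Refuse a new call once the class would be oversubscribed (24 kbps per stream, as in the text)."""

    def __init__(self, service_class: str, per_call_kbps: int = 24):
        self.capacity_kbps = SERVICE_CLASSES[service_class][0]
        self.per_call_kbps = per_call_kbps
        self.active = 0

    def admit(self) -> bool:
        if (self.active + 1) * self.per_call_kbps > self.capacity_kbps:
            return False
        self.active += 1
        return True

    def release(self) -> None:
        self.active = max(0, self.active - 1)


if __name__ == "__main__":
    hdr = build_ipv4_header("10.0.0.1", "10.0.1.1")          # constructed addresses
    print("voip DSCP:", get_dscp(mark_for_app(hdr, "voip")))
    cac = CallAdmission("Premium")
    print("admitted:", sum(cac.admit() for _ in range(12)), "of 12 call requests")
```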

About ProxySG

ProxySG Key Functionality

WAN Optimization accelerates business applications: files, e-mail and internal bulk traffic; business Web / SaaS; content delivery
Secure Web Gateway secures the network: protect from malware; guard employee productivity; prevent data leaks; validate trusts
Additional products: ProxyClient satisfies the needs of the remote user; PacketShaper provides Application Visibility and QoS

What Can ProxySG Do?

Secure Web Gateway: guard employee productivity; prevent information leaks; validate trust; protect against malware
WAN Optimization: control and optimize external applications; manage and deliver video and content; accelerate internal bulk traffic

ProxySG in the Network

Diagram labels: WAN, Branch Offices, Data Center; Reporter; Centralized Data and Applications; Internet, Public Web Servers, Customers and Partners; Employees, Web Content and Applications; Branch ProxySG; Internet Gateway / Content Filtering; Director; ProxyClient; Branch ProxySG, Concentrator Proxy, Reverse Proxy; Remote Workers


SWG Design CriteriaAppliance/OS/TCP-stack/Cache designed for web object processingMaximize utilization, throughput, and reliability Reduce rack space required, green solutionWeb protocol/application coverage (legacy & new)Authentication, Authorization, Logging & ReportingWeb content optimization & accelerationLatency = Closed Filter & block unwanted web contentURL Filtering options, real-time analysis of new contentWeb object filtering & blocking via policy controlsScan, detect and block threatsAnti-malware/virus scanning options with cache intelligenceMMC filtering/strip/replace/block policy controlsData Loss Prevention & Open Integration PointDLP/ILP options, plus web content & method controlsSecure-ICAP and ICAP

Here is a shopping list of key features for a Secure Web Gateway (SWG) design, for your reference after this presentation. It is important to note the features that remove both latency and threats, because more and more content is moving onto the web and your business success depends on optimized web traffic.

Proxy Design Benefits
- Ultimate Control Point: Full Protocol Termination = Total Visibility & Context (HTTP, SSL, IM, Streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS)
- Custom-built Blue Coat SGOS: secure platform that provides maximum benefit for caching
- Industry-proven object caching capability
- Policy architecture enables flexible user controls on applications
- Secure ICAP for added security features and integration with DLP vendors

ProxySG WAN Optimization: Acceleration with Control

What is ProxySG WAN Optimization?

ProxySG WAN Optimization Technologies
- Object Caching: Get web, file and video content close to users again
- Byte Caching: Store repetitive network traffic for dramatic acceleration
- Compression: Inline reduction of data to reduce application bandwidth
- Protocol Optimization: Align high-level protocols with network characteristics

Object Caching - Get web, file and video content close to users again
- Automatically determines the right data
- No legal or compliance risk like other solutions
- Simply the fastest, most compressed data transfer
- All applications, internal and external

[Diagram: Branch - WAN - Data Center / Internet]
Object Caching:
- Full file cached locally (proxy)
- No data sent across WAN
- Reduced traffic and bandwidth usage
- Better user experience
- Lower WAN costs

Byte Caching - Store repetitive network traffic for dramatic acceleration
- Proxies cache common patterns
- All files & applications over TCP
- Reduced traffic and bandwidth usage
- Better user experience
- Lower WAN costs

[Diagram: a byte stream in which sequences already seen by both proxies are replaced on the WAN by references ([REF#1], [REF#2])]

BLUE COAT SYSTEMS CONFIDENTIAL INTERNAL USE ONLY

Compression - Inline reduction of data to reduce application bandwidth
- Industry-standard gzip algorithm
- Removes predictable white space
- Reduced traffic and bandwidth usage
- Better user experience
- Lower WAN costs

[Diagram: byte stream before and after inline compression]
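As an added example (this is not Blue Coat's code and does not describe SGOS internals), here is a small Python model of the byte-caching and compression stages described above. Two proxies keep identical dictionaries of the chunks they have already exchanged; the sending side replaces any chunk it has seen before with a short reference, and the residual stream is gzip-compressed before it crosses the WAN. The chunking rule, the reference format, the constructed 20 KB sample file and all sizes are assumptions made for the demo.

```python
import gzip
import hashlib
import random
import struct

# Demo chunker tunables (assumptions for this example, not product parameters).
MIN_CHUNK, MAX_CHUNK, MASK = 256, 4096, 0x3FF   # average chunk roughly 1 KB


def chunk_boundaries(data: bytes) -> list:
    """Content-defined chunking: cut where a hash of the last few bytes hits a
    pattern, so an edit in the middle of a file moves only nearby boundaries and
    the remaining chunks keep their identity (and their dictionary entries)."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        h = ((h << 1) + b) & 0xFFFFFFFF          # cheap shift-add rolling hash
        size = i - start + 1
        if (size >= MIN_CHUNK and (h & MASK) == 0) or size >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks


class ByteCacheProxy:
    """One end of a byte-cache pair. Both ends keep identical dictionaries of the
    chunks already exchanged, keyed by SHA-256, so a repeated chunk is sent as a
    33-byte reference instead of being resent in full."""

    def __init__(self):
        self.dictionary = {}

    def encode(self, payload: bytes) -> bytes:
        """Sender side: dedup against the shared dictionary, then gzip the rest."""
        out = bytearray()
        for chunk in chunk_boundaries(payload):
            key = hashlib.sha256(chunk).digest()
            if key in self.dictionary:
                out += b"R" + key                                    # reference
            else:
                self.dictionary[key] = chunk
                out += b"L" + struct.pack(">I", len(chunk)) + chunk  # literal
        return gzip.compress(bytes(out))

    def decode(self, wire: bytes) -> bytes:
        """Receiver side: expand references; learn literals as the sender did."""
        stream = gzip.decompress(wire)
        out, i = bytearray(), 0
        while i < len(stream):
            tag = stream[i:i + 1]
            i += 1
            if tag == b"R":
                key = stream[i:i + 32]
                i += 32
                out += self.dictionary[key]   # KeyError: dictionaries diverged
            elif tag == b"L":
                n = struct.unpack(">I", stream[i:i + 4])[0]
                i += 4
                chunk = stream[i:i + n]
                i += n
                self.dictionary[hashlib.sha256(chunk).digest()] = chunk
                out += chunk
            else:
                raise ValueError("corrupt byte-cache stream")
        return bytes(out)


def demo() -> dict:
    """Send a constructed 20 KB incompressible 'file' from the data center to the
    branch, then send a lightly edited copy; return the bytes put on the WAN."""
    rng = random.Random(2024)
    file_v1 = bytes(rng.getrandbits(8) for _ in range(20480))
    file_v2 = file_v1[:10000] + b"<edited block>" + file_v1[10100:]

    datacenter, branch = ByteCacheProxy(), ByteCacheProxy()
    wire1 = datacenter.encode(file_v1)
    assert branch.decode(wire1) == file_v1
    wire2 = datacenter.encode(file_v2)
    assert branch.decode(wire2) == file_v2
    return {"v1": len(file_v1), "wire1": len(wire1),
            "v2": len(file_v2), "wire2": len(wire2)}


if __name__ == "__main__":
    print(demo())
```

The first transfer is not reduced at all, because random data neither matches the dictionary nor compresses under gzip; the second transfer shrinks to a handful of references plus the literal chunk that contains the edit. That is why the two techniques are combined: compression wins on compressible payloads, byte caching on repeated ones. The `KeyError` in `decode` is the failure mode to watch for in any such design: if the two dictionaries ever diverge (a restart, an eviction on one side only), the receiver cannot reconstruct the stream, so a real pair needs explicit dictionary synchronisation and a fallback to literals.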

High-level protocols and network characteristics
- High-level protocols are chatty: Microsoft file access, Web/HTTP, File Transfer (FTP), Exchange, Citrix, ERP, etc.
- Network characteristics: WAN latency, not cured by simply adding more bandwidth

WAN latency and TCP, CIFS or HTTP protocol behavior are facts of life. TCP was designed for high-bandwidth, low-latency local area networking and tends to suffer over WANs, which leads to application performance problems on the WAN. Since more than 80 percent of all WAN applications use TCP, this affects 80 percent of all WAN applications. HTTP, which is how the Web talks, also has room for improvement. None of these problems are cured by simply adding more bandwidth.

Ironically, most of the protocols we use were not originally designed to deal well with latency. So as distance increases, for example from LA to Singapore, or when satellite links or international links such as Washington D.C. to Frankfurt are used, the latency that results from data traveling over these long distances creates problems for big jobs like file transfers, backups and synchronizations, or any job that needs a lot of bandwidth. The actual impact depends on the operating system and the application type.

Protocol Acceleration - Align high-level protocols with network characteristics
- Protocol Acceleration replaces chatty protocols with a WAN-optimized alternative
- Local acknowledgement
- Larger windows
- Transparent

Provides a high-performance gateway that completes those TCP-based application transactions faster. Protocol acceleration introduces two transparent gateways between the two sites and runs a more efficient protocol between them: less acknowledgement-intensive and using larger windows.

Instead of waiting for acknowledgements across the whole network, the response is moved to the local site. So instead of waiting 400 milliseconds for the ACK to come back, it happens locally on the same network and is almost instantaneous. That opens up the window sizes for maximum throughput and accelerates the rate at which data can be transported: you can now fill the whole pipe rather than being constrained by TCP. And when you combine this with our compression capabilities, you increase the available bandwidth, so file transfers go even faster because you can fill an even bigger pipe.
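To make the window-and-latency argument above concrete, here is an added example (not part of the presentation, and not a model of SGOS itself): a sliding-window sender simulation in Python, run once directly over a 400 ms WAN with a 64 KB window, and once through a split-connection proxy pair in which the client's acknowledgements come back over the LAN and the two proxies use a large window across the WAN. The file size, link speeds, window sizes and the "pipeline bounded by the slower stage" approximation are assumptions for the demo.

```python
import heapq

MSS = 1460  # bytes per segment (assumed)


def simulate_transfer(size_bytes, rtt_s, window_bytes, link_bps):
    """Completion time (seconds) for a sender that may have at most
    `window_bytes` unacknowledged. Segments are serialised onto the link one
    after another; each ACK arrives one RTT after its segment left the link."""
    now = link_free = 0.0
    sent = acked = 0
    pending = []                      # min-heap of (ack_arrival_time, seg_bytes)
    while acked < size_bytes:
        # Fill the window with as many segments as it allows right now.
        while sent < size_bytes and sent - acked < window_bytes:
            seg = min(MSS, size_bytes - sent, window_bytes - (sent - acked))
            start = max(now, link_free)
            link_free = start + seg * 8 / link_bps
            heapq.heappush(pending, (link_free + rtt_s, seg))
            sent += seg
        # Nothing more can be sent: advance the clock to the next ACK.
        now, seg = heapq.heappop(pending)
        acked += seg
    return now


def accelerated_transfer(size_bytes, lan_rtt_s, lan_bps, wan_rtt_s, wan_bps,
                         client_window, proxy_window):
    """Split-connection approximation: the client is acknowledged by the branch
    proxy over the LAN, while the proxy pair moves the same bytes across the WAN
    with a large window. The two stages overlap, so completion is bounded by
    the slower one (pipeline start-up is ignored)."""
    lan_stage = simulate_transfer(size_bytes, lan_rtt_s, client_window, lan_bps)
    wan_stage = simulate_transfer(size_bytes, wan_rtt_s, proxy_window, wan_bps)
    return max(lan_stage, wan_stage)


def demo():
    """10 MiB file, 10 Mbit/s WAN with 400 ms RTT (the figure used in the
    talk), 64 KB client window, 4 MiB window between the proxies (assumed)."""
    size = 10 * 1024 * 1024
    direct = simulate_transfer(size, 0.400, 64 * 1024, 10e6)
    accel = accelerated_transfer(size, 0.001, 1e9, 0.400, 10e6,
                                 64 * 1024, 4 * 1024 * 1024)
    return direct, accel


if __name__ == "__main__":
    direct, accel = demo()
    print(f"direct over WAN: {direct:6.1f} s")
    print(f"via proxy pair:  {accel:6.1f} s")
```

With these parameters the bandwidth-delay product of the WAN is 10 Mbit/s x 0.4 s = 500 KB, so a 64 KB window can use only a fraction of the link and the direct transfer is bounded by RTT rather than by bandwidth. Once the proxies carry the data with a window larger than the BDP, the transfer becomes link-bound and finishes several times faster; the simulation also shows that the LAN stage, though still window-limited, is fast enough not to matter because its RTT is 1 ms. The model deliberately leaves out loss, slow start and congestion control, which are the things that make a real WAN even less forgiving of a small window.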

WAN Optimization Technologies Working Together
- Object Caching: Caches repeated, static app-level data; reduces bandwidth and latency
- Byte Caching: Caches any TCP application using similar/changed data; reduces BW
- Compression: Reduces amount of data transmitted; saves BW
- Protocol Optimization: Removes inefficiencies, reduces latency

Acceleration Gains

ProxySG Policy Control
- Control network resources by user, application or content
- Full protocol termination for visibility and context: HTTP, SSL, IM, Streaming, P2P, SOCKS, FTP, CIFS, MAPI, Telnet, DNS
- Fine-grained policy for applications, protocols, content and users (allow, deny, transform, etc.)
- Authentication integration, for example Active Directory
- Granular, flexible logging

Comparing ProxySG Control with PacketShaper Application QoS

ProxySG Control focused on:
- Policy for user behavior and content management
- Eliminates dangerous or inappropriate traffic
- [Terminated] Application traffic-specific bandwidth shaping
- Depth of understanding
- Protects against negative impact on business and compliance

PacketShaper Application QoS focused on:
- Application behavior and bandwidth management
- Contains disruptive traffic
- Sees and manages all applications and the entire network link
- Breadth of understanding
- Protects and maintains SLAs for business traffic