Debunking Blue Coat Myth #6890 — Application Layer Inspection of SSL Tunnels
A friend of mine told me the other day that a Blue Coat sales guy was trying to feed him a line about how the ISA Firewall was unable to perform application layer inspection on SSL connections and that only by buying a Blue Coat Web proxy could he get inspection of SSL tunnels.
My friend told the Blue Coat goon that this wasn’t true — that his ISA Firewall was able to perform SSL to SSL bridging for all his secure Web Publishing Rules. The Blue Coat guy told him that while the ISA Firewall could inspect inbound tunnels, it couldn’t inspect outbound tunnels and he would need to pay a FAT premium in order to cover the margins the Blue Coat resellers get to in order to get outbound SSL to SSL bridging.
Needless to say, my friend was concerned, because the Blue Coat guy was right about the importance of outbound SSL inspection. He asked me if there was a way to get the ISA Firewall to support outbound SSL bridging, because while he didn’t want to support the fat, padded margins the Blue Coat guys get, he did want the security that comes without outbound SSL tunnel inspection.
I told him not to worry, as the ISA Firewall does support outbound SSL tunnel inspection, and at a fraction of the price of a Blue Coat box. The answer is Collective Software’s ClearTunnel product. ClearTunnel allows the ISA Firewall to perform application layer inspection on outbound SSL tunnels and it tightly integrated into the ISA Firewall’s Web Proxy filter and Firewall core. With ClearTunnel you can:
- Inspect outbound SSL connections in the same way you can inspect HTTP connections
- Enforce HTTP Security Filter policies on all SSL connections
- Cache contents of outbound SSL connections — significantly decreasing your overall bandwidth usage
- Expose the contents of SSL connections to any third party application layer inspection enhancer you have installed on the ISA Firewall
For more information about ClearTunnel, check out the Collective Software Web site at www.collectivesoftware.com And the next time the Blue Coat guy tries to feed you a load of bull, give him the boot and take the money you saved and buy yourself new car!
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
Email: tshinder@isaserver.org
MVP — ISA Firewalls
Agentsmith Says:
September 22nd, 2006 at 10:02 am
Hello Tom,
i fully agree that this is the way to go when …..
ClearTunnel is leaving the beta state
Anyway … i have to leave now to buy my new car
cu
Agent
Thomas Shinder Says:
September 22nd, 2006 at 10:05 am
Hi Agent,
Yep! ClearTunnel really rocks! And I’m not kidding regarding buying a new car with the money you save. Why should you have to support the PHAT margins the Blue Coat sales guys get so that they get to buy new cars? Use the ISA Firewall and ClearTunnel and use the money you were going to hand over to the Blue Coat sales guy and buy your own car!
Thanks!
Tom