4 Replies Latest reply on Jun 25, 2013 10:47 AM by vidrine

    Migration from Blue Coat -- Default DENY

    vidrine

      Have any other members migrated from Blue Coat ProxySG to McAfee Web Gateway (ver 7)? 

       

      I'm in the process of converting our configuration and re-validating rules.  And I'm mapping out categories between Blue Coat and McAfee's category set 4 list.

       

      The bigger question, though, have (or do) any other members run a default deny model?

        • 1. Re: Migration from Blue Coat -- Default DENY
          jont717

          We came from Blue Coat.

           

          Most of the categories matched up pretty well.

           

          We do not run a default deny.  We have a block rule based on all the categories we want blocked.  If it is not a categorized site, then it would be allowed.  I submit these uncategorized sites to McAfee every so often.  They are very good about updating their lists.

           

          I would not recommend using a default deny rule!

          • 2. Re: Migration from Blue Coat -- Default DENY
            vidrine

            Completely aware that a default deny can cause monumental amounts of overhead and production access issues.

             

            However, that's the business case that I was presented with and have to meet. We're migrating from a fairly restricted web access policy already.

            • 3. Re: Migration from Blue Coat -- Default DENY
              btlyric

              If you already have a restrictive policy and the corporate mandate is for a default deny rule set, this might not be too difficult to accomplish.

               

              For some of our hosts, we have implemented a default deny policy.

               

              In my experience, it's always easier to loosen restrictions than it is to tighten them up. The former results in happy customers whereas the latter results in calls to the help desk.

               

              Things to consider:

               

              - Is deployment in WCCP (or other transparent) mode or will the clients have configured proxy settings?

              - How will you handle sites that are uncategorized?

              - Which rating settings do you plan to use for your URL Filter settings?

              - SSL Scanning?

              - Which AV engines to deploy

              - Authentication?

               

              If deploying in a transparent manner, you will run into more issues than in direct proxy mode because in certain cases, the proxy will only have the IP address to use as categorization criteria and TrustedSource categorization of some CDN netblocks is less than perfect. Same deal in terms of uncategorized sites -- a URL may have a category, but the corresponding IP address might not. You can do a local category overwrite for sites where you will always disagree with TrustedSource -- for example, in their world, sites where you can download software like mIRC, Pidgin, etc. are considered Chat, even though the sites themselves do not give you any sort of Chat capabilities. While we don't permit the Chat category, software downloads are the sort of thing that we overwrite for since certain software may be used in an internal capacity.

               

              If you are relying heavily on categorization, the settings that you select for the URL Filter can impact things significantly.

               

              Even though MWG has a "Logging" rule set, you are not limited to logging in the Log Cycle. You can write a log line at any point during the connection. This can be useful for monitoring specific types of traffic based on any criteria you define.
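Added example, not part of the post above and not Web Gateway rule syntax: a small Python model of the default-deny decision the reply describes, showing how the same destination gets a different verdict when only its IP is visible (transparent mode) and how a local category overwrite changes the outcome. All hostnames, addresses, ratings and the allowlist are constructed for illustration.

```python
# Constructed sample ratings: stand-ins for a vendor category feed, not real TrustedSource data.
VENDOR_HOST = {"downloads.example.org": {"Chat"},           # download site rated Chat, as in the post
               "tools.example.com": {"Business"}}
VENDOR_IP = {"192.0.2.10": {"Business"}}                    # 198.51.100.7 (a CDN address) is unrated
LOCAL_OVERWRITE = {"downloads.example.org": {"Software Downloads"}}
ALLOWED = {"Business", "Software Downloads"}                # hypothetical category allowlist


def categorize(host, ip, overwrite=LOCAL_OVERWRITE):
    """Return (categories, source); host is None when only the destination IP is visible."""
    if host is not None:
        if host in overwrite:                               # local overwrite beats the vendor rating
            return overwrite[host], "local-overwrite"
        if host in VENDOR_HOST:
            return VENDOR_HOST[host], "vendor-host"
    if ip in VENDOR_IP:                                     # fall back to the IP rating
        return VENDOR_IP[ip], "vendor-ip"
    return set(), "uncategorized"


def decide(host, ip, overwrite=LOCAL_OVERWRITE):
    """Default deny: allow only if the request has categories and all are allowlisted."""
    cats, source = categorize(host, ip, overwrite)
    action = "ALLOW" if cats and cats <= ALLOWED else "DENY"
    return {"action": action, "source": source, "host": host or "-",
            "ip": ip, "categories": ",".join(sorted(cats)) or "-"}


def log_line(d):
    """One key=value line per decision, so denies can be reviewed by categorization source."""
    return " ".join(f"{k}={d[k]}" for k in ("action", "source", "host", "ip", "categories"))


if __name__ == "__main__":
    for host, ip in [("downloads.example.org", "198.51.100.7"),   # direct proxy: hostname known
                     (None, "198.51.100.7"),                      # transparent: IP only
                     (None, "192.0.2.10")]:
        print(log_line(decide(host, ip)))
```

Grouping the resulting log lines by `source` separates denies caused by an unrated IP from denies caused by a vendor rating that a local overwrite would change.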

              • 4. Re: Migration from Blue Coat -- Default DENY
                vidrine

                btlyric - thanks for the information.  The overhead (via greater help desk calls) is accounted for in our decision/planning.  And we will be leveraging category whitelisting heavily; while it will lead to some potential blocking of valid sites (as you mentioned), that too is added to the known overhead.  However, many of these will not have a valid business reason to process, as well.  In the case you listed, if Software Downloads are allowed in our environment, Chat (Pidgin, etc...) would still be denied as an approved application.  Thus, some of the potential mis-categorizations will not be valid.

                 

                + We are moving away from a WCCP deployment currently and are hoping to leverage the McAfee Client Proxy for location awareness/traffic redirection.

                + Uncategorized sites haven't been discussed, as of yet.

                + SSL Scanning will be enabled

                + Authentication will be enabled (Kerberos with NTLM fallback)

                 

                Thanks for the notes on logging.  I haven't begun to dig into that portion of the configuration, yet.