Zscaler Web Security Services
Your Name / Contact Info
August 2009
Zscaler Proprietary & Confidential
Zscaler: The Leader in Cloud Security
Singular Focus: secure, fast and policy-based Internet experience from any place, on any device
Benefits
• Twice the functionality at half the price
• Mitigate business risk
• Improved resource utilization
Zscaler Services
Diagram: Enterprise Users, Mobile Devices, Road Warrior → Public Internet
Web 2.0 Challenges: Security, Bandwidth & More…
Data Leakage
• Web 1.0: read only, no DLP concern
• Web 2.0: users can send and post content (blogs, webmail, IM); data leakage risk up
Bandwidth (last mile)
• Web 1.0: HTML pages, no bandwidth issues
• Web 2.0: streaming & P2P, bandwidth-hungry apps; new network QoS issues
Managed Access
• Web 1.0: URL filtering from a static list (almost), allow or block
• Web 2.0: user-created content on social sites, streaming, webmail, IM; traditional URL filtering is not effective
Security Threats
• Web 1.0: viruses, worms (signature-based detection)
• Web 2.0: botnets, XSS, active content, phishing; can't be detected with signatures; Web 2.0 is rendering traditional anti-virus useless
Traditional Appliances: Don't Help with New Challenges
Enterprises are struggling to deal with web-related issues and are losing the ability to enforce policy.
Point products at each location (HQ users, remote office(s), mobile user, road warrior):
• Botnets + malware
• Web 2.0 control
• Bandwidth control
• Data leakage
• Webmail, IM AV
• Bypass appliances & policy (VPN???)
• Caching + URL, directory, web logs (already installed)
• Consolidated reporting??
Customers want this and don't have it.
Current point products are expensive, inefficient and incomplete:
• Acquisition & deployment cost: X boxes
• On-going management cost: multiple UI/policies, log files
Analogy: buy, install & maintain a water cleaning kit in each home?
Zscaler Service: Secure, Fast & Policy-based Access to Internet
Appliances have limited functionality (botnets + malware, Web 2.0 control, bandwidth control, data leakage, webmail/IM AV, bypass appliances & policy (VPN???), caching + URL, directory, consolidated reporting??, web logs).
Zscaler Utility: Secure, Comply, Manage, Analyze
1. IT admin defines your company policy
2. Forward Internet-bound traffic (HQ users, remote office(s), mobile user, road warrior) to the Zscaler service
3. Inspect & enforce policy; inspect web pages being returned for security
4. CLEAN traffic to user
Free IT from operational security chores (managing boxes); enable IT to focus on strategic security (policy & architecture)
• No acquisition cost, no deployment cost, little on-going management
• Annual subscription fee
Analogy: let the utility clean the water
Functionality: Comprehensive, Integrated, Best-of-Breed
Eliminates the need to buy multiple point products; reduces cost
• Anti-Virus & Anti-Spyware
• Advanced Threats Protection
• Safe Browsing (Web Access Controls)
• URL Filtering
• Web 2.0 Control
• Bandwidth Optimization
• Data Loss Prevention
• Forensics & Data Mining
Zscaler Global Network
Zscaler Technologies & Global Network
Zscaler: Five Key Game Changing Technologies
1. Distributed network, multi-tenant architecture: delivers ultra-low latency & high reliability
2. 10 Gbps platform, latency in micro-secs: 64-bit architecture, Zscaler TCP stack and drivers; SSMA™ (Single Scan Multi Action)
3. IntelliSpect™: ultra-fast content (body) scanning; detects malicious content and data leakage, classifies URLs
4. Page Risk Index: dynamically computed; better fraud prevention
5. NanoLog™: 50:1 log reduction; real-time consolidation; transaction-level drill-down
Zscaler Global Distributed Network
Delivers Rapid Response Time (ultra-low latency) & High Reliability
1. Central Authority: brain/nervous system, policy, updates, health of the cloud
2. Enforcement Nodes (EN1, EN2, EN3): onramps to Internet, traffic processing, policy execution
3. When a user moves from city A to city B, the policy follows the user and traffic is directed to the nearest EN
4. Logs from all locations go to NanoLog (real-time consolidated reporting)
Map (legend: Production, Coming Shortly): Fremont, Atlanta, Mexico City, DC, Chicago, Toronto, Sao Paulo, Buenos Aires, Bogota, Tel Aviv, London, Paris, Brussels, Frankfurt, Moscow, Dubai, Mumbai, Tokyo, Beijing, Hong Kong, Singapore, Adelaide, Johannesburg, Monterey
Zscaler Global Network Delivers Rapid Response Time & High Reliability
Summary
Experts' Vote of Confidence in Zscaler
"Chaudhry has a great track record of anticipating the [emerging, new] market."
"We are glad to partner with Zscaler to provide comprehensive functionality using their SaaS model to deliver higher value and greater ROI."
"With data centers distributed worldwide, Zscaler has done an excellent job building a scalable infrastructure to support customers without a noticeable performance hit."
Zscaler has received many prestigious awards/recognitions.
Zscaler Summary: Increase Security & Productivity While Reducing Costs
Security
• Integrated, comprehensive & on-demand
• Web 2.0 threat protection
Global Distributed Architecture
• SaaS based, highly scalable and reliable model
• Global policy: a single policy follows the user
Compliance & Real-Time Reporting
• Consolidated reporting and tracking in real time
• Centralized management with application-based policies
Cost Savings
• No appliance and software related costs
• Operational expense vs. capital expense
Simplicity
• Eliminates complex point solutions
• Easy to deploy and manage policies
End
Drill-Down
Zscaler Functionality
Key Features of Reporting & Analysis
Unique ability to analyze from 3 fronts
1. Slice the data by relevant fields: cumulative data or comparative trends
2. Filter the data you want to see: filter by time and type of data displayed; choose what to see & what to hide
3. Choose how to view data: change graph type or zoom in
4. Drill down: within a section, see more detail
5. Save: save as a PDF to email or print; save as a favorite
6. Schedule reports: schedule regular emailed reports
Zscaler Secure
By performing full content inspection with ultra-low latency, Zscaler detects and protects against newer threats & vulnerabilities.
Anti-virus/Anti-Spyware
• Challenge: just like SMTP, AV is needed on the HTTP channel; traditionally, AV adds latency
• Solution: Zscaler AV solution is fast and comprehensive; signatures are always up to date (cloud model)
• AV/AS solution with ultra-low latency & at low TCO
Advanced Threats
• Challenge: botnets, malicious active content, XSS, etc.; requires full inspection of content (request & response), which traditional proxies can't do due to latency
• Solution: Zscaler high-speed scanning enables this unique protection
• Mitigate security risks caused by newer Web 2.0 threats
Safe Browsing
• Challenge: browsers are exploited to infect computers
• Solution: enforce policies by allowing safe browsers to go to the Internet; policy by browser version, patch level, plug-in and apps
• Mitigate security risks caused by unsafe browsers
Reduce security risk with least effort (centrally configured)
"Malware is found on 60% of the top 100 sites. All new malware has a web component."
"Anti-virus on HTTP gateway is a must but not enough. Inspect for bots, active content threats and more."
Zscaler Manage
Challenge: granular control of Web 2.0 applications; policies by location, user, group, time of day, quota
Solution: right access to right resources to empower users and optimize resource use
URL Filtering
• URL DB, multiple languages
• Enforcement by URL, not domain
• Real-time dynamic content classification
• 6 classes, 30 super categories, 90 categories
• Safe Search
Enforce traditional URL policies at low TCO
Web 2.0 Control
• Action-level control for social sites, streaming, webmail & IM
• Allow viewing but block publishing
• Allow webmail but not file attachments
Enable use of Web 2.0 with right access to right users
Bandwidth Control
• 40 – 50% of BW is consumed by streaming
• Enforce policies by type of web application
• Ensure enough BW for mission critical apps
Tangible savings due to proper use of BW (last mile)
"URL Filtering is mostly reactionary. It has a fundamental flaw to be an effective security filter; it does not monitor threats in real time."
"Internet bound traffic should be inspected for more than URL filtering. Web 2.0 applications require granular policies for control."
Comply - Data Leakage Prevention (DLP)
Challenge: social networks, blogs, webmail/IM are easily accessible from any browser and are dangerous backdoors. They may lead to accidental or intentional leakage of proprietary and private information (e.g. credit cards or sales data leaving via blog, IM, webmail or file upload).
Solution (Users → Policy Engine):
• Define policy: IP leakage or regulatory compliance
• Detect violations: DLP dictionaries and engines
• Enforce by location, user, app: allow or block; notify
Benefits: rapid deployment; highly accurate; ultra-low latency; complete inline inspection (not a tap node)
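The define / detect / enforce pipeline above, as an added illustration that is not Zscaler's code: the dictionaries (a Luhn-checked card pattern, an SSN pattern, a few constructed "sales data" phrases), the rule table and the hypothetical hosts and group names are all assumptions made for this example. The Luhn check is what keeps an arbitrary 16-digit order number from being flagged as a card, and the rule table shows how the same violation can be allowed for one group/app combination while being blocked or merely notified elsewhere.

```python
"""Illustrative DLP pipeline: define dictionaries, detect violations, enforce by context."""
import re
from dataclasses import dataclass

# --- Define: constructed dictionaries (hypothetical, not Zscaler's) ---
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits with optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SALES_TERMS = ("q3 pipeline", "price list", "customer list")


def luhn_ok(digits):
    """Mod-10 check that rejects most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# --- Detect ---
def detect(content):
    """Return (dictionary, redacted evidence) pairs found in outbound content."""
    hits = []
    for m in CARD_RE.finditer(content):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            hits.append(("pci_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(content):
        hits.append(("pii_ssn", "***-**-" + m.group()[-4:]))
    lowered = content.lower()
    for term in SALES_TERMS:
        if term in lowered:
            hits.append(("sales_data", term))
    return hits


# --- Enforce ---
@dataclass(frozen=True)
class Context:
    user: str
    group: str
    location: str
    app: str  # blog, im, webmail, file_upload


SEVERITY = {"allow": 0, "notify": 1, "block": 2}

# Constructed rules: (group, location, app, dictionary) -> action; None is a wildcard.
# First matching rule per violation wins; unmatched violations are allowed.
RULES = [
    (None, None, None, "pci_card", "block"),
    (None, None, None, "pii_ssn", "block"),
    ("sales", "hq", "webmail", "sales_data", "allow"),
    (None, None, None, "sales_data", "notify"),
]


def enforce(ctx, content):
    """Decide allow / notify / block for one outbound transaction; the most severe hit wins."""
    hits = detect(content)
    decision = "allow"
    for dictionary, _ in hits:
        for group, location, app, rule_dict, action in RULES:
            if (group not in (None, ctx.group) or location not in (None, ctx.location)
                    or app not in (None, ctx.app) or rule_dict != dictionary):
                continue
            if SEVERITY[action] > SEVERITY[decision]:
                decision = action
            break
    return decision, hits
```

Evidence is redacted before it is returned so that the notification itself does not become a second leak of the card or SSN.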
Solving the Web Log Problem: Get Real-time Interactive Analysis; Say Good Bye to Batch Reporting
Web log size for the same traffic: others 50GB, Zscaler 1GB
Access response time: others 2 hours, Zscaler 2 secs
Challenge
• Web logs are huge (50 – 100GB per day for large companies)
• Expensive to retrieve logs for a specific incident when needed
• Often takes overnight to run many summary reports
• Almost impossible to drill down to transaction level; resort to batch reporting
Solution
• Zscaler's NanoLog technology uniquely solves the problem
• Leverages data differential, indexing and compression technologies
• Reduced storage by a factor of 50; optimized data retrieval
Functionality | Zscaler | Traditional Vendors
Query response time | Sub-second | Minutes or hours
Real-time interactive analysis | Yes; 2,000 views from any angle | Limited batch reporting
Full drill-down from any view | Yes; drill-down at all levels | No
Consolidation across locations | Yes; in real time, globally | No
Correlated view | Yes; correlates logs for security, URL filtering, DLP & more | Logs are often for one functional aspect
Analysis by locations, applications, departments, users | Yes | Often limited to department and user
Transaction-level drill-down | Yes; within seconds | In hours or days; often needs a batch report to run overnight
Get timely and accurate information to make the right decisions
"Reporting tools for web logs are primitive, especially in handling large logs. Consolidated and real-time reporting is a challenge."
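The three ingredients named above (data differential, indexing, compression) in a small working form, as an added example that is not NanoLog and makes no claim about Zscaler's actual format: transactions are stored in column layout with the first timestamp plus deltas, repeated strings replaced by dictionary ids, each row group compressed separately, and an index from user to (group, row) so a transaction-level drill-down decompresses only the groups that hold that user's rows. The sample log is constructed from a deterministic generator; the hosts and user names are made up.

```python
"""Illustrative columnar log store: delta timestamps, dictionary ids, per-group compression, index."""
import json
import zlib
from collections import defaultdict

GROUP = 100  # transactions per compressed row group


def make_sample_log(n=300):
    """Constructed proxy transactions from a deterministic LCG (not real traffic)."""
    users = ["alice", "bob", "carol", "dave"]
    urls = ["https://news.example/", "https://mail.example/inbox", "https://video.example/stream",
            "https://social.example/feed", "https://cdn.example/lib.js", "https://docs.example/",
            "https://shop.example/cart"]
    actions = ["allow", "allow", "allow", "block"]
    seed, ts, rows = 12345, 1250000000, []
    for _ in range(n):
        seed = (1103515245 * seed + 12345) % 2**31
        ts += 1 + seed % 5
        rows.append({"ts": ts, "user": users[(seed >> 8) % 4],
                     "url": urls[(seed >> 16) % 7], "action": actions[(seed >> 4) % 4]})
    return rows


def to_text(rows):
    """The conventional one-line-per-transaction log, kept only for the size comparison."""
    return "".join(f'{r["ts"]} {r["user"]} {r["url"]} {r["action"]}\n' for r in rows)


def encode_group(rows):
    """Column layout: first timestamp plus deltas; strings replaced by per-group dictionary ids."""
    dicts = {"user": {}, "url": {}, "action": {}}
    cols = {"ts0": rows[0]["ts"], "dts": [], "user": [], "url": [], "action": []}
    prev = rows[0]["ts"]
    for r in rows:
        cols["dts"].append(r["ts"] - prev)
        prev = r["ts"]
        for f, d in dicts.items():
            cols[f].append(d.setdefault(r[f], len(d)))  # id == insertion order
    cols["dict"] = {f: list(d) for f, d in dicts.items()}  # list position == id
    return zlib.compress(json.dumps(cols, separators=(",", ":")).encode(), 9)


def decode_group(blob):
    cols = json.loads(zlib.decompress(blob))
    rows, ts = [], cols["ts0"]
    for i, delta in enumerate(cols["dts"]):
        ts += delta
        rows.append({"ts": ts, **{f: cols["dict"][f][cols[f][i]] for f in ("user", "url", "action")}})
    return rows


def build_store(rows):
    """Compressed row groups plus an index user -> [(group, row)] for scan-free drill-down."""
    groups, index = [], defaultdict(list)
    for start in range(0, len(rows), GROUP):
        chunk = rows[start:start + GROUP]
        groups.append(encode_group(chunk))
        for i, r in enumerate(chunk):
            index[r["user"]].append((len(groups) - 1, i))
    return groups, dict(index)


def drill_down(groups, index, user):
    """Transaction-level view for one user, decompressing only the groups that hold their rows."""
    cache, out = {}, []
    for gid, i in index.get(user, []):
        if gid not in cache:
            cache[gid] = decode_group(groups[gid])
        out.append(cache[gid][i])
    return out


def size_report(rows):
    groups, _ = build_store(rows)
    raw = to_text(rows).encode()
    return {"raw_text": len(raw), "raw_zlib": len(zlib.compress(raw, 9)), "store": sum(map(len, groups))}
```

The ratio you get on a few hundred synthetic lines says nothing about production figures; the point is the mechanism: deltas and dictionary ids turn high-entropy text into low-entropy integer columns that a general-purpose compressor handles well, and the index keeps retrieval cost proportional to the answer rather than to the log.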
Doing SaaS Right
Proxy Latency: Traditional Proxies Are Not Designed for Content Inspection
Chart: throughput of a proxy (axis 10Mbps to 10Gbps) against latency of a proxy, for URL filtering (knowledge of destination), AV/AS header inspection (knowledge of payload, knowledge of application) and body inspection (knowledge of content). Traditional proxies: 10's of millisecs; Zscaler: 10's of microsecs.
Zscaler can inspect full content without introducing latency
Copyright © 2008-2009 Zscaler Internal and Confidential
Solving the Re-routing Latency Problem
Map: re-routing latency from various locations (San Francisco, Washington DC, Mexico City, Rio De Janeiro, Cape Town, Rome, London, Moscow, Bangalore, Hong Kong, Singapore, Adelaide, Tokyo); the values shown range from 24 ms to 500 ms.
Re-routing latency depends on the number of data centers and on multi-tenant architecture. A true multi-tenant SaaS allows a policy to follow the user, which means a customer is not tied to a data center.
Few data centers = re-routing latency of 100s of milliseconds. Zscaler's 30+ data centers minimize re-routing latency (less than 20 milliseconds for most markets).
Zscaler's Proprietary TCP Stack and Network Drivers Minimize Proxy Latency
Standard protocol stack (10 millisecs): Ethernet, TCP, IP, Socket, Proxy App, with a STOP at each junction. Packets are stopped and queued at each protocol junction. Issues: context switches, cache thrashing, memory waste.
Zscaler protocol stack (4 microsecs): Ethernet, TCP, IP, Proxy App. Optimized TCP stack to: remove all stops and queues; no context switches; remove unnecessary constructs like sockets; zero copy. Advantages: high performance, DDoS protection.
Zscaler delivers 100x the speed of traditional proxies
Zscaler SSMA Technology Delivers Ultra-Low Latency
Traditional proxies: loosely coupled subsystems (proxy, URL DB, anti-virus, anti-spam, phrase matching, . . .) require passing the data packet back and forth on its way to and from the Internet, introducing latency.
Zscaler proxy node with SSMA: the data packet stays in memory while every engine acts on it. Single Scan Multi-Action (SSMA) ensures full inspection without latency.
Multi-tenant Architecture Sets Zscaler Apart from Others
Legacy SaaS: single-tenant
• A customer is tied to a specific system
• Re-routing creates latency
Zscaler: multi-tenant, distributed
• Multiple customers share the same system infrastructure
• User goes to the nearest gateway
Diagram: Central Authority; Data Center: West Coast and Data Center: East Coast, each with gateways
SaaS Advantages
SaaS: Better Security, Lower TCO
Pressure to do more with less; limited IT budget & personnel
Security industry: move from a cottage industry to professionally managed services
• Appliances: high acquisition & management cost (analogy: home water cleaning, home power generators)
• Hosted apps (MSSP): outsourced management of on-premise device; reduce deployment cost
• Software-as-a-Service: no acquisition cost; pay-as-you-go; little administration; multi-tenant (analogy: water utilities deliver clean water; power utilities: get power as you need)
Natural move to professionally managed services
IDC Research: SaaS Market Trends & Opportunity
IT security management challenges to your organization (Source: IDC 2009):
• Not enough IT staff: 30%
• Lack of integration between security solutions: 24%
• Complexity of security solutions: 17%
• Too many point solutions to manage: 17%
• Lack of IT expertise: 13%
All are drivers for SaaS.
Drivers in your organization's SaaS investments (chart, 0%–50% axis; individual values not recoverable): reduction of IT staff; shifting security budget from a capital expense to an operational expense; ease of use and implementation; threat environment; cost savings.
Web Security SaaS Forecast, 2007–2013 (chart, $0–$600 axis): 46% CAGR.
Web Security SaaS CAGR, 2008–2013 (chart values in the order shown): Software 4%, Appliance 20%, SaaS 46%, Total 12%.
IDC Research: SaaS vs. Appliances/Software
Criterion | SaaS | Appliances/Software
Cost | No cost to acquire or deploy; requires OpEx rather than CapEx | Need significant CapEx to acquire and deploy boxes/software
Threat detection | Cloud architecture enables better threat detection and real-time updates | Harder and time-consuming to update each box
Ease of use & implementation | No need to manage appliances or software; customers only do policy enforcement | Requires IT to manage hardware, software, database and policies
IT resources | Fewer IT resources needed | Significant IT resources needed
Latency due to traffic re-routing | Can lead to higher latency due to traffic re-routing unless the vendor has a global presence of data centers | Little latency (appliance sits on customer premise) unless traffic is backhauled to HQ
Control | Less control | Full control of the environment, though employee turn-over can make it hard
Green IT | Environmentally friendly; requires fewer boxes | Dedicated boxes for each customer; more power/cooling
Security Slides
Zscaler Secure
The Crisis of Newer Security Threats
• U. of Florida discloses patient-record data breach (Nov. 12, 2008)
• TDAmeritrade Breach Affects 6.3 Million Customers (Sep. 14, 2007)
• Network Security Breaches Plague NASA (Nov. 20, 2008)
• Malware targets U.S. military computers – Agent.btz (Dec. 02, 2008)
• Hannaford says malware on its servers stole card data (Mar. 28, 2008)
• Heartland finds malware in bank card payment system (Jan. 20, 2009)
Current Technologies Aren't Effective and May Give You a False Sense of Security
• 64% are stealthy, polymorphic (undetected by conventional security technologies)
• 36% (and falling) detectable by conventional anti-virus technologies
Antivirus and URL filters have been circumvented by today's threats:
• Anti-virus bypassed using zero-day exploits and polymorphic malware
• URL filtering & web proxies circumvented by dynamic domain names & URLs and by compromised legitimate web sites (e.g. Super Bowl Miami Dolphins, Samsung Telecom, Google)
Browser is Exploited to Infect Your PCs
Sources: IBM; European Network & Information Security Agency
Infection vectors: browser exploits 65.00%; email attachments 13.00%; OS exploits 11.00%; downloaded files 9.00%; other 2.00%
65% of Web-based malware is spread by exploiting browsers
The fastest growing attack vector is your browser
Traditional Detection Technologies No Longer Work
What each layer of a transaction (request and response) reveals:
• Knowledge of destination (e.g. www.google.com): black listing, URL categorization, domain control list
• Knowledge of application (header): header inspection; unauthorized apps, tunneling protocols
• Knowledge of payload (hash): signature match; virus, spyware
• Knowledge of content (body): content inspection; malicious active content, botnets, XSS, user generated pages
Full content (page) inspection is required to detect today's threats
"AV signatures or URL filtering is obsolete for newer threats. High-speed scanning of content/pages is needed." Gartner
Secure - Integrated & Comprehensive Threat Detection
Real-Time In-line Analysis (users ↔ Zscaler ↔ Internet, SSL on both sides):
• Knowledge of destination: domain/URL match, destination reputation
• Knowledge of application: header inspection; tunneling protocols, unauthorized apps
• Knowledge of payload: signature matching; executable files
• Knowledge of content: content inspection of each object (JavaScript, ActiveX)
Offline Data Mining – The Cloud Effect:
• New URLs, based upon number of hits
• New signatures, using multiple engines
• New patterns, anomalous patterns
Page Risk Index: Zscaler uses a dynamic page risk index to detect threats accurately
Zscaler Secure Browsing
Challenge: hackers are exploiting browsers to infect users' computers. Older and unpatched browsers (missing patches) are vulnerable.
Solution: Zscaler policy enforcement; enforce browser policy by browser versions, patches, plug-ins & applications
• Browser version: e.g. IE 6 & Firefox 3.0.10 are vulnerable
• Browser patches: e.g. Google's patches to secure Chrome
• Plug-in/extension: 3rd party plug-ins are vulnerable
• Applications: browser becoming an application platform
• Configurable scans (daily, weekly, monthly, etc.); warn if outdated or vulnerable; no client-side software or download required
Benefit: reduce security risk with least effort (centrally configured)
Browsers shown: IE, Firefox, Safari, Opera; vulnerable plug-in
"There are more browser capabilities to be exploited, more potential for vulnerabilities."
Zscaler Manage
Zscaler Manage: Policy-based URL Filtering
Classification
• Flexible and granular categories (6 classes, 30 super categories, 90 categories): better analysis & control
• User-defined, custom URL classification
• Dynamic content classification: uncategorized pages scanned and classified in real time
Enforcement
• Enforcement by URL, not by domain (Yahoo, FaceBook, etc.)
• Granular policies by user/group, location, time of day, quota
• Integration with Active Directory and LDAP
Reporting
• Powerful reporting: real-time consolidated view, real-time drill-down to transaction level
Global Support
• Global URL DB for dozens of countries
• Fully customizable block pages in multiple languages
• International domain name support
• Safe Search
Zscaler Manage: Policy-based Managed Access to Web 2.0
Challenge: users reach Web 2.0 applications across the Internet, each with several actions: IM (chat, file transfer); streaming sites (view/listen, upload); social networks and blogs (view, publish); webmail (email, attachment); SaaS services
Solution: managed access; granular policies by action, location, group, etc.
Benefits: provide right access to right users
"Discerning one app from another is far from just a URL recognition game"
"The advances in Web 2.0 technologies require a new generation of Web security tools that go well beyond traditional URL filtering."
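The "allow viewing but block publishing" and "allow webmail but not file attachments" rules from the Web 2.0 Control slide, together with the URL-level (rather than domain-level) enforcement described above, as an added example that is not Zscaler's policy engine: the hosts, path prefixes, groups and time window are constructed for the illustration. Classification keys on host plus path prefix so one domain can carry two applications, the action is derived from the HTTP method, and a plain domain blocklist is included only to show what it cannot express.

```python
"""Action-level Web 2.0 policy: classify by full URL, decide by HTTP method, group and time."""
from dataclasses import dataclass
from datetime import time
from urllib.parse import urlsplit

# Constructed URL classification (hypothetical hosts). Longer path prefixes come
# first so one domain can carry several applications: webmail vs. its attachment API.
URL_CATEGORIES = [
    ("mail.example", "/attach", "webmail_attachment"),
    ("mail.example", "/", "webmail"),
    ("social.example", "/", "social"),
    ("video.example", "/", "streaming"),
]


def classify(url):
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    for cat_host, prefix, app in URL_CATEGORIES:
        if host == cat_host and path.startswith(prefix):
            return app
    return "uncategorized"


@dataclass(frozen=True)
class Request:
    user: str
    group: str
    method: str
    url: str
    when: time


def action_of(req):
    """Reading is a view; anything that sends content (POST/PUT) is a publish."""
    return "view" if req.method in ("GET", "HEAD") else "publish"


# Constructed rules: (group, application, action, (start, end) window) -> decision.
# None is a wildcard; first match wins; unmatched traffic is allowed.
RULES = [
    ("marketing", "social", "publish", None, "allow"),          # only Marketing may post
    (None, "social", "publish", None, "block"),                 # everyone else: view only
    (None, "webmail_attachment", None, None, "block"),          # webmail yes, attachments no
    (None, "streaming", None, (time(9, 0), time(17, 0)), "block"),  # no streaming in office hours
]


def in_window(t, window):
    if window is None:
        return True
    start, end = window
    return start <= t < end


def decide(req):
    """Return (decision, application, action) for one request."""
    app, act = classify(req.url), action_of(req)
    for group, rule_app, rule_act, window, decision in RULES:
        if (group in (None, req.group) and rule_app == app
                and rule_act in (None, act) and in_window(req.when, window)):
            return decision, app, act
    return "allow", app, act


# Domain-only blocklist for contrast: it cannot say "view yes, publish no".
DOMAIN_BLOCKLIST = {"social.example"}


def domain_only_decision(url):
    return "block" if (urlsplit(url).hostname or "") in DOMAIN_BLOCKLIST else "allow"
```

Quota-based rules (the slides also mention quota) would slot in as one more predicate on the rule, keyed on a per-user counter rather than on the request alone.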
Zscaler Manage: Policy-based Bandwidth Optimization
Challenge: 40% - 50% of bandwidth is consumed by streaming applications
Solution: bandwidth allocation by application type (application-level bandwidth control between users and Zscaler), e.g.:
• General surfing: min 10%, max 30%
• Sales apps: min 15%, max 50%
• Financial apps: min 15%, max 50%
• Streaming media: min 0%, max 10%
Benefits: right applications get the right bandwidth; cost saving
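How a min/max allocation like the one above resolves under contention, as an added example that is not Zscaler's scheduler: the percentages are the slide's, the link size and the per-class demand figures are constructed, and the algorithm (guarantee each minimum, cap at each maximum, water-fill the remainder equally among classes that still want more) is one standard way to honour such a policy.

```python
"""Illustrative min/max bandwidth allocation by application class (water-filling)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppClass:
    name: str
    min_pct: float   # guaranteed share of the link while the class has demand
    max_pct: float   # hard ceiling even when the rest of the link is idle
    demand: float    # offered load in Mbps (constructed input)


# Percentages from the slide above; demand figures are constructed for the example.
CLASSES = [
    AppClass("General Surfing", 10, 30, demand=40),
    AppClass("Sales Apps", 15, 50, demand=30),
    AppClass("Financial Apps", 15, 50, demand=10),
    AppClass("Streaming Media", 0, 10, demand=60),
]


def allocate(link_mbps, classes):
    """Return Mbps per class: guarantee the min, cap at the max, water-fill the rest."""
    assert sum(c.min_pct for c in classes) <= 100, "guarantees must fit on the link"
    cap = {c.name: min(c.demand, link_mbps * c.max_pct / 100) for c in classes}
    alloc = {c.name: min(cap[c.name], link_mbps * c.min_pct / 100) for c in classes}
    remaining = link_mbps - sum(alloc.values())
    while remaining > 1e-9:
        hungry = [n for n in cap if alloc[n] + 1e-9 < cap[n]]
        if not hungry:
            break  # every class is at its demand or its ceiling; the link stays partly idle
        share = remaining / len(hungry)
        for n in hungry:
            give = min(share, cap[n] - alloc[n])
            alloc[n] += give
            remaining -= give
    return alloc


def utilisation(link_mbps, alloc):
    return sum(alloc.values()) / link_mbps
```

With the constructed demands, streaming asks for 60 Mbps of a 100 Mbps link and gets exactly its 10% ceiling, general surfing is held at its 30% ceiling, and the remaining 20 Mbps stays idle because no class is permitted to take it; when every class is saturated the guarantees are paid first and the leftover is split equally among classes with headroom.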
Comply Slides
Understanding Data Leakage Prevention
Web 2.0 has become an open backdoor for data leakage. All you need is a browser.
Who: users (HR, Sales, Legal)
What: loss of IP (source code, business plans, M&A documents, customer records, technical docs); regulatory compliance (credit cards, Social Security numbers, financial statements, patient info)
How: blog posting, social networks, webmail, IM
Where: customer, competitor, analyst, spyware site, business partner, benefit provider
Impact: loss of data & IP, liability of non-compliance, loss of reputation
Web 1.0: read only; no DLP issues. Web 2.0: users send & post content; DLP concern for blogs, webmail, IM; intentional or accidental.
"With Web 2.0, message boards, blogs, and social networking sites are becoming a pipeline for information leakage and corporate compliance violations."
Is Data Leakage a Real Problem?
• Data at rest and at end points is handled by storage and end point vendors respectively.
Top Sources of Data Leakage (Source: IDC, 2008; chart values in the order shown): instant messaging 33%; web email or web posting 37%; lost/stolen laptop 51%; corporate email 56%
Former Goldman Employee Accused of Stealing Code (July 6, 2009)
According to federal charges, Sergey Aleynikov stole a highly sophisticated piece of Goldman's code, uploaded it to a German server, and then tried to hide his trail, wiping the record of his keystrokes. Goldman's network stored a backup, so the company was able to check it after alarm bells were triggered by Aleynikov's 32-megabyte upload.
Had his actions gone unnoticed, Aleynikov would have been sitting on 32 megabytes of data worth potentially hundreds of millions of dollars. The federal complaint notes only that Goldman had spent "millions" to develop the program and that it generated "many millions of dollars of profits per year" for the firm.
"Data loss prevention (DLP) is a growing concern in the Web 2.0 environment"
"46% of data-stealing attacks are conducted over the Web"
Administration
Multiple and Easy Traffic Forwarding Options
No device needed on customer premise, no software to deploy. Simply forward the traffic from each location to Zscaler.
1. GRE tunneling: create a GRE tunnel (primary, secondary and tertiary tunnel) to forward port 80/443 traffic to our SaaS service
2. Forward proxy chaining: forward port 80/443 traffic from the existing web proxy (Squid, ISA, Bluecoat, etc.)
3. Proxy / PAC file: browser-based PAC file or explicit proxy setting pointing at the SaaS service; supports road warriors
Zscaler User Authentication & Directory Integration
Zscaler service integrates with Active Directory or LDAP for user and group-based policies.
Option 1: LDAP/AD Hosted Auth Agent (users and road warriors; the Hosted Authentication Bridge reaches the directory server through the customer's firewall)
1. Browser's request is intercepted by the cloud node and re-directed to the Hosted Authentication Bridge.
2. Auth Bridge challenges the browser for user ID and password.
3. Hosted Authentication Bridge verifies the provided credentials with the customer's directory server (LDAP, Active Directory).
4. If successful, the Hosted Auth Bridge inserts a cookie and redirects the browser to the original site.
Option 2: Hosted Directory (Cookie-Based Authentication)
1. Browser's request is intercepted by the cloud node and re-directed to the Hosted Authentication Bridge.
2. Auth Bridge challenges the browser for user ID and password.
3. Hosted Authentication Bridge verifies the provided credentials with the hosted user database.
4. If successful, the Hosted Auth Bridge inserts a cookie and redirects the browser to the original site.
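The four-step cookie flow above, modelled end to end as an added example that is not Zscaler's implementation: the bridge URL, the shared signing key, the hosted user record and the salted-hash scheme are all constructed for the illustration. The cloud node admits a request only when the cookie's HMAC verifies and its expiry is in the future, so a cookie copied from one user cannot be edited to claim another identity or group; the bridge also refuses to redirect to anything that is not a web origin.

```python
"""Illustrative cookie-based authentication bridge in front of a cloud proxy node."""
import base64
import hashlib
import hmac
import json
from urllib.parse import quote

BRIDGE_KEY = b"constructed-demo-key-change-me"   # hypothetical secret shared by bridge and nodes
COOKIE_TTL = 8 * 3600                            # seconds; forces periodic re-authentication
BRIDGE_URL = "https://auth-bridge.example/login"  # hypothetical bridge address


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed hosted user database (option 2 above): salted hashes, never plaintext passwords.
_SALT = b"demo-salt-0123456789"
USER_DB = {"alice": {"groups": ["sales"], "salt": _SALT, "hash": _pbkdf2("correct horse", _SALT)}}


def verify_credentials(user, password):
    """Check against the hosted directory; option 1 would bind to the customer's LDAP/AD instead."""
    rec = USER_DB.get(user)
    if rec is None or not hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"]):
        return None
    return rec["groups"]


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def issue_cookie(user, groups, now):
    """Signed claims: identity and groups for policy, plus an absolute expiry."""
    body = _b64(json.dumps({"u": user, "g": groups, "exp": now + COOKIE_TTL}, separators=(",", ":")).encode())
    sig = _b64(hmac.new(BRIDGE_KEY, body, hashlib.sha256).digest())
    return (body + b"." + sig).decode()


def verify_cookie(cookie, now):
    """Return the claims if the signature is intact and not expired, else None."""
    body, _, sig = cookie.encode().rpartition(b".")
    if not body:
        return None
    expected = _b64(hmac.new(BRIDGE_KEY, body, hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + b"=" * (-len(body) % 4)))
    return claims if claims["exp"] > now else None


def cloud_node(request, now):
    """Step 1: intercept the browser's request; without a valid cookie, redirect to the bridge."""
    claims = verify_cookie(request.get("cookie", ""), now)
    if claims is None:
        return {"status": 302, "location": BRIDGE_URL + "?return=" + quote(request["url"], safe="")}
    return {"status": 200, "user": claims["u"], "groups": claims["g"], "url": request["url"]}


def auth_bridge(user, password, return_url, now):
    """Steps 2-4: challenge, verify, set the signed cookie and send the browser back."""
    if not return_url.startswith(("http://", "https://")):
        return {"status": 400}  # only redirect back to a web origin
    groups = verify_credentials(user, password)
    if groups is None:
        return {"status": 401}
    return {"status": 302, "location": return_url, "set_cookie": issue_cookie(user, groups, now)}
```

In a deployment the cookie would additionally carry the Secure and HttpOnly attributes and the key would be rotated; neither changes the verification logic shown here.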
Option to Inspect SSL Traffic Content (Inbound & Outbound)
1. Client/proxy handshake
2. Proxy/web server handshake
3. Certificate check
4. Website sends encrypted (SSL) content
5. Decrypted content sent to the Content Inspection Engine
6. Filtered content sent to proxy
7. Re-encrypted content sent to user
• Terminate SSL sessions within the Zscaler proxy; decrypt SSL sessions
• Inspect inbound traffic for malware, outbound for data leakage
• Apply appropriate policies; bridge sensitive sessions (banking)
Extra Slides
Zscaler Inspects Request & Response
Request (e.g. https://facebook.com/profile.php?id=x): domain, path, parameters, cookies, body
• Most vendors analyze only the domain and block based on a black list
• Domain represents < 5% of a total URL
Response: HTML, images, scripts, XML, RIA
• ActiveX controls & browser helper objects
• Windows executables & dynamic link libraries
• Java applets & applications
• JavaScript (HTML, PDF, stand-alone)
• Visual Basic for Apps: macros in Office documents
• Visual Basic Script
• HTML
• URL represents < 1% of a total page
• Most newer threats are hidden in the pages being served and require full page inspection
Analysis of request/response is critical but can introduce latency
Traditional Reputation Score is Ineffective for Web 2.0
Timeline 2004–2009:
• IP reputation (email): identify servers known to send or proxy spam email; works reasonably well; spam sources relatively static
• Domain reputation (Web 1.0): identify domains hosting malicious content; worked well for Web 1.0 when web pages were static; with Web 2.0's user generated content, it does not work (domain may be good, specific pages may be malicious)
• Page Risk Index (Web 2.0): identify malicious pages (content) dynamically; risk index is created for each page in real time; requires inspection of web pages; effective if latency can be minimized
"Site reputation is no longer a useful measure"
Four Waves of Security
1. Desktop AV (AV desktop ineffective)
2. Firewall/IPS
3. Email (SMTP, port 25)
4. Web (HTTP, ports 80/443; other)
Web 2.0 is creating many risky backdoors: inbound threats from Web 2.0 active content (Flash, JavaScript), botnets and XSS (diagram labels: Zombie/Bot; Remote Office, Mobile User, Road Warrior).