Friday, 27 April 2012

Learning Bluecoat - Blocking Google Talk

While the ProxySG does not yet have a proxy specific to Google Talk (which uses the XMPP "jabber" protocol), it is possible to block Google Talk access from both the native client and the Gmail web interface.

First, enable an HTTPS proxy service on port 5222 and arrange for that traffic to reach the ProxySG. In an inline deployment nothing special needs to be done; otherwise the port 5222 traffic has to be routed or redirected to the appliance.

Second, configure policy to SSL-intercept, and then deny, all HTTPS traffic to the "Chat/Instant Messaging" and "Search Engines/Portals" categories. The chat category is obvious; the search category is also necessary because the Google Talk client will try to connect to any Google-owned IP address. When this was written the chance of over-blocking HTTPS search sites was small (few web-search sites were served over HTTPS); that is no longer the case, so in a current deployment the deny should be narrowed with a more complex policy rather than applied to the whole search category.

Example policy for step two (a rule in the <ssl-intercept> layer):
    server.certificate.hostname.category=("Chat/Instant Messaging", "Search Engines/Portals") ssl.forward_proxy(https)
Deploying the interception CA certificate to client computers is not necessary, since the goal is to deny this traffic rather than inspect it; intercepted clients will see a certificate warning instead of the proxy's exception page, which is acceptable here.

Finally, configure denials for port 5222 (the native client) and for chat inside Gmail. The Gmail chat interface uses AJAX calls to "/mail/channel/bind" to log the user into Google Talk and retrieve the login status of friends, so denying that path disables chat in the web interface.
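Putting the three steps together, the following is one complete CPL policy written here as an added example; it is not from the original post. It uses the standard <ssl-intercept> and <proxy> layers; the mail.google.com host match that scopes the Gmail chat rule is an assumption about this deployment, as is limiting the category deny to url.scheme=https so that plain-HTTP search stays reachable:

```cpl
; Added example policy, not from the original post.
; Step 2: intercept HTTPS whose server-certificate hostname falls in the
; chat or search categories, so the request URL becomes visible to policy.
<ssl-intercept>
    server.certificate.hostname.category=("Chat/Instant Messaging", "Search Engines/Portals") ssl.forward_proxy(https)

; Steps 2 and 3: deny the intercepted traffic and the Google Talk endpoints.
<proxy>
    ; Native client: XMPP/jabber on port 5222 (needs the HTTPS service on 5222 from step 1)
    url.port=5222 deny
    ; Gmail web chat: the AJAX channel used for login and presence.
    ; The host match is an assumption for this deployment; url.path= is a prefix match.
    url.host="mail.google.com" url.path="/mail/channel/bind" deny
    ; Intercepted HTTPS to the chat and search categories. url.scheme=https is an
    ; assumption about the desired scope: it leaves plain-HTTP search alone.
    url.scheme=https category=("Chat/Instant Messaging", "Search Engines/Portals") deny
```

Install it as the local policy file (for example with the CLI's inline policy local command listed in the command guide below) and confirm with show policy listing that it compiled without errors before relying on it.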

Tuesday, 17 April 2012

Learning Bluecoat - Client-side attack detection on the Bluecoat ProxySG

On the Blue Coat proxy you can limit the number of connections each user/client may hold; this client-side attack detection is used to detect, and block, attacks coming from clients. With the defaults shown below each client is capped at 100 simultaneous connections, request failures are counted over a 20 minute interval, a blocked client has its connections dropped, and because the unblock time is unlimited it stays blocked until it is cleared manually.
To enable it, use the commands:
Blue Coat SG9000 Series#conf t
Blue Coat SG9000 Series#(config)attack-detection
Blue Coat SG9000 Series#(config attack-detection)client
Blue Coat SG9000 Series#(config client)enable-limits
Blue Coat SG9000 Series#(config client)view
Client limits enabled: true
Client interval: 20 minutes
Default client limits:
Client connection limit: 100
Client failure limit: 50
Client warning limit: 10
Blocked client action: Drop
Client connection unblock time: unlimited

To disable it, use:
Blue Coat SG9000 Series#(config client)disable-limits

To set a TCP connection limit for an individual client IP address (the placeholder <ip-address> stands for the client address being limited), use:
Blue Coat SG9000# conf t
Blue Coat SG9000#(config) attack-detection
Blue Coat SG9000#(config attack-detection) client
Blue Coat SG9000#(config client) enable-limits
Blue Coat SG9000#(config client) create <ip-address>
Blue Coat SG9000#(config client) edit <ip-address>
Blue Coat SG9000#(config client <ip-address>) connection-limit 50

Then check the per-client session table on the management console:
https://IPPROXY:PORT/tcpcc/show

Thursday, 12 April 2012

Learning Bluecoat - RFC-1323 on the Bluecoat

In some Blue Coat proxy deployments, clients could not access the BRI site even though neither the policy rules nor the services blocked that link.
It turned out that the problem involved RFC 1323 (the TCP extensions for window scaling and timestamps): while RFC-1323 support was enabled on the Blue Coat, the BRI sites www.bri.co.id and http://ibank.bri.co.id could not be opened.
The solution is to disable it. Note that this is a global TCP setting on the appliance, so it removes window scaling and timestamps from all of the proxy's connections, not only those to the affected site.

Disabling RFC-1323
Blue Coat SG9000 Series#configure term
Enter configuration commands, one per line. End with CTRL-Z.
Blue Coat SG9000 Series#(config)show tcp-ip
RFC-1323 support: enabled
TCP Newreno support: enabled
IP forwarding: enabled
ICMP bcast echo response: disabled
ICMP timestamp echo response: disabled
Path MTU Discovery: disabled
TCP 2MSL timeout: 120 seconds
TCP window size: 65535 bytes
TCP Loss Recovery Mode: normal
Bypass connection keep-alive: disabled
Fast retransmit: enabled
Blue Coat SG9000 Series#(config)
Blue Coat SG9000 Series#(config)tcp-ip rfc-1323 disable

Enabling RFC-1323

Blue Coat SG9000 Series#configure term
Enter configuration commands, one per line. End with CTRL-Z.
Blue Coat SG9000 Series#(config)show tcp-ip
RFC-1323 support: disabled
TCP Newreno support: enabled
IP forwarding: enabled
ICMP bcast echo response: disabled
ICMP timestamp echo response: disabled
Path MTU Discovery: disabled
TCP 2MSL timeout: 120 seconds
TCP window size: 65535 bytes
TCP Loss Recovery Mode: normal
Bypass connection keep-alive: disabled
Fast retransmit: enabled
Blue Coat SG9000 Series#(config)
Blue Coat SG9000 Series#(config)tcp-ip rfc-1323 enable

Tuesday, 03 April 2012

Learning Bluecoat - Bluecoat Command Guide

Privileged-mode commands on the Blue Coat ProxySG (the leading number on each line is the command's nesting depth in the CLI tree)

1:acquire-utc Acquire UTC from NTP server

1:bridge Clear bridge data
2:clear-statistics Clear bridge statistics

2:clear-fwtable Clear bridge forwarding table

1:cancel-upload Cancel a pending access log upload
2:all Cancel upload for all logs
2:log Cancel upload for a log

1:clear-arp Clear the ARP table

1:clear-cache Clear the contents of the cache
2:byte-cache Clear the Byte Cache
2:dns-cache Clear the DNS Cache
2:object-cache Clear the Object Cache

1:clear-errored-connections Clear historical errored connections
2:adn-inbound Clear the historical ADN inbound connections
2:bypassed Clear the historical bypassed connections
2:proxied Clear the historical proxied sessions

1:clear-statistics Clear statistics
2:authentication Clear Authentication Statistics
3:error Clear authentication error statistics
3:realm Clear authentication realm statistics

2:bandwidth-management Clear Bandwidth-Management Statistics
3:class Clear class Statistics

2:cifs Clear CIFS Statistics
2:default-service Clear the default service byte statistics
2:efficiency Clear Efficiency Statistics
2:epmapper Clear Endpoint Mapper Statistics
2:persistent Clear Persistent Statistics

2:quicktime Clear QuickTime Statistics
2:real-media Clear Real Media Statistics
2:windows-media Clear Windows Media Statistics

1:configure Enter configuration mode
2:terminal Configure from the terminal
2:network Configure from an HTTP network host

1:disable Turn off privileged commands

1:disk Perform disk related commands
2:offline Take a disk offline

2:reinitialize Reinitialize a disk

1:display Display a text based url

1:enable Turn on privileged commands

1:exit Exit command line interface

1:fips-mode Enable or disable FIPS mode (reinitializes system)
2:disable Disable FIPS mode
2:enable Enable FIPS mode

1:help Information on help

1:hide-advanced Disable commands for advanced subsystems
2:all Hide all advanced commands
2:expand Disable expanded commands

1:inline Install configurations from console input
2:accelerated-pac Install accelerated PAC file from console input

2:authentication-form Install an authentication form from console input
2:authentication-forms Install all authentication forms from console input

2:banner Configure the login banner for the telnet and SSH consoles
3:login Set multi-line login banner

2:exceptions Install exceptions from console input

2:forwarding Install forwarding settings from console input

2:icp-settings Install ICP settings from console input

2:license-key Install a license key from console input
3:force Force install license even if it is a license-downgrade

2:policy Install policy from console input
3:central Install central policy from console input

3:local Install local policy from console input

3:forward Install forward policy from console input

3:vpm Install VPM's CPL and XML policy from console input. This command is intended for Director use only.

3:vpm-cpl Install VPM's CPL policy from console input. This command is intended for Director use only.

3:vpm-xml Install VPM's XML policy from console input. This command is intended for Director use only.

2:rip-settings Install RIP settings from console input

2:socks-gateways Install SOCKS gateway settings from console input

2:static-route-table Install static route table from console input

2:wccp-settings Install WCCP settings from console input

1:kill Terminate a CLI session

1:licensing Licensing commands
2:request-key Retrieve the activated license-key from Bluecoat using the Blue Touch Online user ID and password
3:force Force install license even if it is a license-downgrade
[user ID] [password]
[user ID] [password]
2:update-key Update the license-key from Bluecoat now
3:force Force install license even if it is a license-downgrade
2:register-hardware Register hardware with Bluecoat
3:force Force hardware registration and license install even if it is a license-downgrade
[user ID] [password]
[user ID] [password]
2:mark-registered Mark the hardware registered manually
2:disable-trial Disable trial period
2:enable-trial Enable trial period

1:load Load installable lists or system upgrade image
2:accelerated-pac Download new PAC file
2:authentication-forms Download one authentication form or all new authentication forms

2:exceptions Download new exceptions
2:forwarding Download new forwarding settings
2:icp-settings Download new ICP settings
2:license-key Download new license-key
3:force Force install license even if it is a license-downgrade
2:policy Download new policy
3:central Download new central policy
3:local Download new local policy
3:forward Download new forward policy
3:vpm-cpl Download new vpm-cpl policy
3:vpm-xml Download new vpm-xml policy
2:proxy-client-software Download new ProxyClient software
2:rip-settings Download new RIP settings
2:socks-gateways Download new SOCKS gateway settings
2:static-route-table Download new static route table
2:timezone-database Download new time zone database
2:ui-update Download a UI update
2:upgrade Download new system image
3:ignore-warnings Ignore any upgrade warnings
2:wccp-settings Download new WCCP settings

1:pcap Packet capturing commands
2:filter Setup the current capture filter
[direction in|out|both] [interface |all] [expr ]
direction in|out|both filter only packets in specified direction(s)
interface |all filter only packets on specified interface(s)
expr capture packets matching the filter expression
no filtering, capture all packets

2:info Display current capture information
2:start Start the capture
[] [trunc ] [coreimage ]
buffering-method: {first|last} {{count }|{capsize }}
2:stop Stop the capture
2:transfer Transfer captured data to ftp site

1:ping Send echo messages

1:ping6 Send IPv6 echo messages

1:policy Policy commands
2:trace Specify default policy tracing level
3:all Trace all transactions by default
3:none No tracing except as specified in policy files
3:proxy-traffic Trace all proxy transactions by default

1:register-with-director Register with Director
[ []]

1:reset-ui Restore the Blue Coat Sky UI from the system image

1:restart Restart system
2:abrupt Reboot system abruptly, according to restart settings
2:regular Reboot system according to restart settings
2:upgrade Reboot system to start running new image

1:restore-sgos4-config Restore to settings last used with SGOS 4.x

1:restore-defaults Restore to default configuration
2:factory-defaults Reinitialize machine.
2:force Restore defaults without confirmation.
2:keep-console Restore defaults; Keep settings required for console access.
3:force Restore defaults without confirmation; Keep setting required for console access.

1:reveal-advanced Enable commands for advanced subsystems
2:all Reveal all advanced commands
2:expand Enable expanded commands

1:show Show running system information
2:accelerated-pac Accelerated PAC file
2:access-log Access log settings
3:log Show Access log configuration
4:brief Show Access log names

3:format Show Access log format configuration
4:brief Show Access log format names

3:statistics Show Access log statistics

3:default-logging Show Access log default policy
2:adn Application Delivery Network settings
3:byte-cache Show ADN byte-cache configuration
3:load-balancing Show ADN load-balancing configuration
3:manager Show ADN manager configuration
4:approved-peers Show approved-peers configuration
4:backup-manager-id Show retrieved device ID of backup manager
4:pending-peers Show pending-peers configuration
4:primary-manager-id Show retrieved device ID of primary manager
3:routing Show ADN routing configuration
4:advertise-internet-gateway Show advertise-internet-gateway configuration
4:server-subnets Show server subnets configuration
3:security Show ADN security configuration
3:status Show ADN status
3:tunnel Show ADN tunnel configuration
2:advanced-url Advanced url for statistics
[] Display statistics for the specified url and optional mode
2:appliance-name Appliance name
2:archive-configuration Archive configuration settings
2:attack-detection Attack-Detection settings
3:client Show client information
4:blocked Show clients blocked at the network
4:connections Show client connection table
4:statistics Show client request failure statistics
3:configuration Show attack detection configuration
3:server Show server information
4:statistics Show server connection failure statistics
2:arp-table ARP information
2:bandwidth-gain Bandwidth-gain settings
2:bandwidth-management Bandwidth-management settings
3:configuration Show bandwidth-management configuration
Show this class
3:statistics Show bandwidth-management statistics
Show stats this class
2:bridge Bridge information
3:configuration Show bridge configuration
3:statistics Show bridge statistics

3:fwtable Show bridge fwtable

2:caching Caching settings
2:cifs CIFS information
3:configuration Display CIFS configuration information
3:statistics Display CIFS statistics
2:clock Current time
2:commands Show available CLI commands
3:delimited List commands in a format for parsing
4:all List all commands available at current security level
4:privileged List only privileged commands (must be enabled)
3:formatted List commands in a format for viewing
4:all List all commands available at current security level
4:privileged List all privileged commands (must be enabled)
2:configuration Current configuration, as different from default
3:brief Show configuration without "inline" expansion
4:noprompts Show brief configuration without "--More--" prompts
3:expanded Show configuration with "inline" expansion
4:noprompts Show expanded configuration without "--More--" prompts
3:noprompts Show configuration without "--More--" prompts
3:post-setup Show configuration changes made after console setup
4:noprompts Show post-setup configuration without "--More--" prompts
2:connection-forwarding Connection forwarding settings
3:configuration Display connection forwarding configuration
3:statistics Display connection forwarding statistics
2:content Show content management commands
3:outstanding-requests Show outstanding distribute and revalidate requests.
4:deletes Show regex deletes in-progress
4:revalidates Show regex revalidates in-progress
4:priority Show regex priority commands in-progress
3:priority Show priority deletion policies.
4:regex Show priority deletion policy for regular expression.

4:url Show priority deletion policy for URL.

3:statistics Show content management statistics
3:url Show information for cached object.
2:content-distribution Sizes of objects in cache
2:content-filter Content filter settings
3:bluecoat Blue Coat Web Filter configuration
3:i-filter i-FILTER configuration
3:intersafe InterSafe configuration
3:iwf Internet Watch Foundation configuration
3:local Local database configuration
3:optenet Optenet configuration
3:proventia Proventia configuration
3:smartfilter SmartFilter configuration
3:surfcontrol SurfControl configuration
3:status Current configuration
3:websense Websense configuration
3:webwasher Webwasher configuration
2:cpu CPU usage summary
3:extended Show extended CPU usage
2:cpu-monitor Show the CPU Monitor results
2:diagnostics Remote diagnostics
3:configuration Show diagnostics settings
3:cpu-monitor Show the CPU Monitor results
3:service-info Show service-info settings
3:snapshot Show snapshot configuration

2:disk Disk status and information
or "all"
2:dns DNS servers and name imputing
2:dns-forwarding DNS servers and name imputing
2:download-paths Downloaded configuration paths
2:efficiency Efficiency statistics
2:epmapper Endpoint Mapper information
3:statistics Display Endpoint Mapper statistics
2:event-log Event log setting
3:configuration Show event log configuration
[start "[YYYY-mm-dd] [HH:MM:SS]"] [end "[YYYY-mm-dd] [HH:MM:SS]"] [substring | regex ]
2:exceptions Exception definitions
2:external-services External-services
3:statistics External-service statistics
2:failover Failover settings
3:configuration Show failover configuration
Show this group
3:statistics Show failover statistics
2:forwarding Forwarding settings
2:ftp FTP settings
2:general General settings
2:health-checks Health checks settings and statistics
3:configuration show health check configuration settings
3:quick-statistics show a summary of the health check statistics
3:statistics show health check statistics
2:http HTTP settings
2:http-stats HTTP statistics
2:icp-settings ICP settings
2:identd Identd settings
2:im IM information
3:configuration Display IM configuration information
3:aol-statistics Display AOL IM statistics
3:msn-statistics Display MSN IM statistics
3:yahoo-statistics Display Yahoo IM statistics
2:installed-systems Installed appliance systems
2:interface Interface status and configuration
3:all Show all ethernet interfaces
Show this interface
2:ipv6 IPv6 configuration
2:ip-default-gateway Default IP gateway
2:ip-route-table Route table information
2:ip-stats TCP/IP statistics
3:all All TCP/IP statistics
3:interface Interface statistics
4:all Show stats for all interfaces
Show stats for this interface
3:ip IP specific statistics
3:memory TCP/IP memory statistics
3:summary TCP/IP summary statistics
3:tcp TCP specific statistics
3:udp UDP specific statistics
2:licenses Product's license information
2:management-services Information about management services
2:mapi MAPI settings
2:netbios Netbios settings
2:ntp NTP servers and information
2:p2p Peer-to-peer information
3:statistics Display Peer-to-peer statistics
2:policy Current policy
3:listing Results of policy load
3:order Policy evaluation order
3:proxy-default Proxy default policy
2:private-network Private Network information
2:profile System profile
2:proxy-client ProxyClient settings
3:acceleration Show ProxyClient Acceleration settings
4:adn Show ProxyClient Application Delivery Network settings
5:exclude-subnets Show ProxyClient ADN excluded subnets
4:cifs Show ProxyClient CIFS settings
3:clients Show current connected clients
3:locations Show Location settings
3:web-filtering Show Web-Filtering settings
2:proxy-services Information about proxy services
3:dynamic-bypass Show dynamic bypass information
4:configuration Show the dynamic bypass configuration
4:filter Show filtered dynamic bypass list
3:restricted-intercept Show restricted intercept information
4:filter Show filtered restricted intercept list
3:services Show list of services
4:bypass Show services containing a bypass action
4:default Show the default service settings
5:configuration Show default service configuration
5:statistics Show default service destination port byte stats

4:intercept Show services containing an intercept action
4:name Show services with name substring match

4:proxy Show services using a specific proxy

3:static-bypass Show static bypass information
4:filter Show filtered bypass list
2:realms Security realms
2:reflect-client-ip Client IP reflection
2:resources Allocation of system resources
2:restart System restart settings
2:return-to-sender "Return to sender" settings
2:rip RIP settings
3:default-route RIP default route configurations
3:parameters RIP parameters and configuration
3:routes RIP routes
3:statistics RIP statistics
2:security Security parameters
3:authentication-errors Authentication errors
3:authentication-forms Authentication forms

3:local-user-list Local user list

3:local-user-list-group Group in local user list

3:local-user-list-user User in local user list

2:services Information about services
2:service-groups Proxy service groups
3:group Show details about a service group

2:sessions Information about CLI connections
2:session-monitor Session monitor
2:shell Shell proxy settings
2:snmp SNMP configuration
3:communities show SNMPv1-SNMPv2c community configuration settings
3:users show SNMPv3 user configuration settings
2:socks-gateways SOCKS gateway settings
2:socks-machine-id Machine id for SOCKS
2:socks-proxy SOCKS proxy settings
2:sources Source listings for installable lists
3:authentication-form Show source file for an authentication form

3:crl Show source file for a CRL

3:exceptions Show source file for exceptions
3:forwarding Show source file for forwarding settings
3:icp-settings Show source file for ICP settings
3:license-key Show source file for the license-key
3:policy Show source file for policy
4:central Show source file for central policy
4:local Show source file for local policy
4:forward Show source file for forward policy
4:vpm-cpl Show source file for VPM CPL policy
4:vpm-xml Show source file for VPM XML policy
3:rip-settings Show source file for RIP settings
3:socks-gateways Show source file for SOCKS gateway settings
3:static-route-table Show source file for static route table
3:wccp-settings Show source file for WCCP settings
2:ssh-console SSH settings
3:client-key View client key fingerprint

3:director-client-key View director's client keys

3:host-public-key View host public key
4:sshv1 View sshv1 host public key
4:sshv2 View sshv2 host public key
3:sshv2-welcome-banner View SSH V2 welcome banner
3:user-list View list of users with imported rsa client keys
3:versions-enabled View which SSH version(s) is enabled
2:ssl SSL settings
3:appliance-certificate-request Show appliance certificate signing request
3:ca-certificate Show CA certificate configuration

3:ccl Show CA certificate lists configuration
: Show summary of all CA certificates in this list
3:certificate Show certificate configuration

3:crl View crl

3:external-certificate Show external certificate configuration

3:keypair Show key pair configuration
4:aes128 Show AES-128 encrypted key pair
4:aes256 Show AES-256 encrypted key pair
4:des Show DES encrypted key pair
4:des3 Show DES3 encrypted key pair
4:unencrypted Show unencrypted key pair

Show unencrypted key pair
3:keyring Show keyring configuration

3:ocsp Show SSL OCSP configuration
3:proxy Show SSL proxy configuration
3:signing-request Show certificate signing request configuration

3:ssl-client Show SSL client configuration
: Show information about this ssl-client
3:ssl-device-profile Show SSL device profile
: Show information about this profile
3:ssl-nego-timeout Show SSL negotiation timeout configuration
3:summary Show SSL summary information
4:ca-certificate Show summary of CA certificates

4:crl Show summary local crls
Show summary for this crl id
4:external-certificate Show summary of external certificates

2:static-routes Static route table information
2:status Current system status
3:xml Show output in xml format
2:streaming Streaming information
3:windows-media Show Windows Media streaming
4:configuration Display Windows Media configuration information
4:statistics Display Windows Media statistical information
3:real-media Show Real Media streaming
4:configuration Display Real Media configuration information
4:statistics Display Real Media statistical information
3:quicktime Show QuickTime streaming
4:configuration Display QuickTime configuration information
4:statistics Display QuickTime statistical information
3:configuration Show streaming configuration
3:statistics Show streaming statistics
2:system-resource-metrics System Resource Metrics
3:xml Show output in xml format
4:brief Show brief output in xml format
4:since Show output if changed

2:tcp-ip TCP-IP settings
2:terminal Terminal configuration parameters
2:timezones Local timezones supported
or Show supported time zone
2:trust-destination-ip Trust destination IP
2:ui UI update settings
2:user-overflow-action User Overflow Action
2:version System hardware and software status
2:virtual-ip Virtual IP addresses
2:wccp WCCP configuration
3:configuration WCCP configuration
3:statistics WCCP statistics
3:status WCCP status
2:xml-config Registry settings

1:static-route Manage static route entries

1:temporary-route Manage temporary route entries
2:add Add a temporary route entry

2:delete Delete a temporary route entry
/ []

1:test Test subsystems
2:adn Test ADN by connecting to a server

2:dns Test DNS by connecting to a server
[ipv4|ipv6] [DNS server IP] [bypass-cache]
2:http Test HTTP subsystem
3:get Get HTTP object

3:loopback Perform loopback test

1:traceroute Trace route to destination

1:upload Upload access log or running configuration
2:access-log Upload access log to configured host
3:all Upload all logs
3:log Upload log

2:configuration Upload running configuration to configured host