Visibility – acceleration - security Harri Kurronen 3. June, 2009

Application Visibility & QOS Blue Coat Solutions PacketShaper Application Visibility & QOS Application Performance Monitoring P2P Traffic Shaping Recreational Traffic Control MPLS Migration Bandwidth Management IP Telephony & Video Conf Deployment ProxySG Secure Web Gateway WAN Optimization Malware Prevention Application Acceleration SSL Visibility and Control Mobile User Acceleration Web Content Filtering Server Consolidation & File Acceleration Remote Web Control External Applications & Direct-to-Net IM and P2P Control Streaming & Content Delivery Networks Information Leak Prevention Replication and Backup And here’s just a, on ProxySG, just so you see that the feature set map very clearly. And let’s note, the ProxySG is leader not only in the WAN Optimization Gartner Magic Quadrant but it’s also a leader in the Secure Web Gateway Gartner Magic Quadrant. So it’s clearly the top of its class, both in Secure Web Gateway and WAN Optimization, providing a full set of capabilities in these two markets. PacketShaper for that performance monitoring and the application based QoS, you can see performance, you can control at a granular level of the operation. And these are the solutions that PacketShaper and ProxySG fit into. Whether it’s meant for PacketShaper or whether it’s performance monitoring, MPLS migrations, or voice deployments, the Secure Web Gateway on ProxySG for SSL visibility and control, information leak protection and really, protection from malware, as well as that acceleration CDN capabilities and caching for all these different applications. 2

Visibility 3

Tools Deployed Are Not Good Enough New Hire Sales Training—APAC: 9-10 December, 2008 Better Together Boot Camp—San Jose: July 7-11, 2008 Tools Deployed Are Not Good Enough No application view (network based) Big problems avoid detection/resolution Not Smart Enough Newly added to converged MPLS networks VERY performance sensitive, no tools deployed New Demands: Voice, Video End user complaints Reactive How do you resolve issues? No Ability to Fix 4 © Blue Coat Systems 2008 © Blue Coat Systems 2008 4 4

Blue Coat Visibility – Overcome Limits Application View, Fix Problems & Deliver ROI Layer 7+ Autodiscovers 600+ Applications Find elusive recreation: iTunes, YouTube, etc. Break down compound Enterprise apps: SAP, Oracle, Citrix Classification Not Smart Enough Real traffic, in real time for voice and video conf (RTP) Quality (MOS, rFactor) and Utilization (peak & average) Jitter, delay, loss Voice Quality New Demands: Voice, Video Track end user experience – network delay, server delay Set baselines and exception thresholds Alert, alarm & integrate: SNMP, XML, Email Proactive Response Time Monitoring Reactive Apply Powerful QOS & Compression - RESOLVE Contain recreation, protect mission critical Integrate with acceleration devices like ProxySG Fix Problems No Ability to Fix 5 5

PacketShaper Key Functionality Key Solutions Application Visibility Application QoS RAM-Based Compression Key Solutions Visibility & Performance Monitoring Recreation Traffic Control Delivery/Acceleration of Real Time Applications Voice/IPT Video Conferencing Thin Client/Virtual Desktop Transactions 6 6

Classification: Basis of Control Metrics Management Usage RTM VoIP Diagnostics Discover Applications on Network Find Elusive P2P, YouTube, iTunes, etc Break down Oracle, SAP, Citrix, Microsoft Align Class Tree to Business Track business processes – end user response Monitor SLAs – carrier, internal app Monitor utilization/budget per application Limit recreation Now Blue Coat benefits from the industry’s leading classification technology; PacketShaper’s Layer 7 Classification. And you’ll see in the diagram, the stack on the left hand side there, Blue Coat classification goes way beyond even the dynamic port level classification that the alternative visibility products in the market can provide. So Blue Coat PacketShaper sees things from the perspective of the application, and that’s great because it allows us to automatically discover our applications, it allows us to distinguish between the applications, to a very fine level of detail, and it allows us to begin treating those applications differently. It allows us to treat recreational voice traffic, for example, coming out of an instant messaging application much, much differently than we would sanctioned Voice over IP traffic for example. Now that classification is delivered as a plug-in architecture, so this allows Blue Coat to deliver the immediacy that’s often needed to deal with these applications. So for example, if a new application emerges, like YouTube or more recently, some of the games systems on the internet, we can respond very quickly with a plug-in classification which allows customers to immediately start recognizing and dealing with that kind of application traffic. 7

Application Based Utilization & Metrics Classification Metrics Management Usage RTM VoIP Diagnostics Customer Sees 60% of WAN is Recreational Top Applications, Users Where is WAN Budget spent? Real Time Troubleshooting Long Term Capacity Planning Having seen the network at that level of detail, we can begin measuring the applications to see what the top applications are and what bandwidth they’re consuming at any given time. And on the diagram on the right there, you’ll see that at a glance, we can immediately see that more than half of our network is being consumed by recreational traffic. That kind of information is vital if we’re trying to get in control of the network. So we can see those top applications. We can see where the network resources, and more importantly the bandwidth budget is actually being spent and we can begin to try to control that. We can also use that information, that level of information, for real time troubleshooting. So at a glance, you can see when a voice call is crowded out, for example, by a people in the branch office watching a sporting event on the internet. That level of information, that level of usage information also gives us great intelligence for long term capacity planning. 8

Response Times: Measure Transactions Classification Metrics Management Usage RTM VoIP Diagnostics End-user experience Network & Server Delay Thresholds for SLA Alert, alarm, integrate Another important category of metrics is response time measurement, and this is where we can begin to map the performance of applications in terms of what the user is actually experiencing. So we can tell again at a glance, when an application is performing to spec. We can measure network delay. We can measure server delay. We can establish thresholds so that if one of those delay maxima or minima is reached, we can provide a means of alarming the network group on that event. Total Delay SAP Order Entry: 1220 ms Network Delay: 340 ms Server Delay: 880 ms 9

Voice Metrics: Real Traffic, Real Time Classification Metrics Management Usage RTM VoIP Diagnostics For Real Time Protocol (RTP) Voice Video Conferencing Call Volume Network Metrics Loss Latency Jitter Quality Mean Opinion Score (MOS) rFactor And as many of our customers roll out Voice over IP or IP telephony on a converged network, we also provide a comprehensive range of Voice over IP specific metrics. And this can be from call volume, down to network characteristics that affect the quality of voice, such as loss, latency and jitter, all the way down to Voice over IP or voice specific metrics, such as a Mean Opinions Score or the RFactor. Now all of that can be combined to present a realistic view of the quality of voice. Voice quality is key and often the hardest thing to assure, so we can use those metrics as a means of determining, measuring, reporting and alarming the actual quality of voice over our network.

Troubleshooting Diagnostics New Hire Sales Training—APAC: 9-10 December, 2008 Better Together Boot Camp—San Jose: July 7-11, 2008 Troubleshooting Diagnostics Classification Metrics Management Usage RTM VoIP Diagnostics Host Analysis – Real time host/IP address view (below) TCP Health – Connection state (good, aborted, refused, ignored) PacketCapture – Targeted Capture TCPDump format Synthetic Transactions – HTTP/S, FTP, SMTP, Echo & Custom Can be installed - inline or mirror/span/tap 11 © Blue Coat Systems 2008 © Blue Coat Systems 2008 11 11

Central Management: IntelligenceCenter Classification Metrics Management Usage RTM VoIP Diagnostics IntelligenceCenter Centralized Reporting Collection (flows or ME) Correlation Reporting & Alarms SLA Dashboard (left) Quick summary app performance Different Roles & Views Per app Per site Customized portals 12 12

Acceleration 13

Platform for Application Acceleration Multiprotocol Accelerated Caching Hierarchy Bandwidth Management Protocol Optimization Object Caching Byte Caching Compression File Services (CIFS), Web (HTTP), Exchange (MAPI), Video/Streaming (RTSP, MMS), Secure Web (SSL)

Bandwidth Management Divide user and application traffic into classes Sales Automation App Priority 1 Min 400Kb, Max 800Kb E-Mail Priority 2 Min 100Kb, Max 400Kb File Services Priority 3 Min 400Kb, Max 800Kb General Web Surfing Priority 4 Min 0Kb, Max 200Kb Divide user and application traffic into classes Guarantee min and/or max bandwidth for a class Align traffic classes to business priorities

Protocol Optimization Packet #1 request client -- server Open a file Packet #2 response server - client Indicate FileID or error if not found FID is used in subsequent packet for accessing the file Packet #3 request client -- server Read from a file Packet #4 response server - client Returns file data requested A client can not request another read until it receives the first request. Thus, large documents could require lots of round trips, causing a ping-pong effect. This is effect has been termed as a chatty protocol.

Protocol Optimization 10-100X Faster Includes CIFS, MAPI, HTTP, HTTPS, TCP

Object Caching Built on high-level applications and protocols Streaming caches CIFS cache Advantages Fastest response times Offload work from servers (and networks) Can be deployed asymmetrically Limitations Application-specific All or nothing: No benefit if whole object not found or changed

Byte Caching Local History Cache Remote History Cache …..B24D77E8A00E1...4ABEF8853821A31B482F6C8D920A00CEF225A0F634F8200A2D6BC87F0AB227D95239BE0A15F07A6238C9DDBE0ACFD97652BDD0C0AA017629CAD9E99DE0 …..B24D77E8A00E1...4ABEF8853821A31B482F6C8D920A00CEF225A0F634F8200A2D6BC87F0AB227D95239BE0A15F07A6238C9DDBE0ACFD97652BDD0C0AA017629CAD9E99DE0 B24D77E8A00E4785ACB7EE20A31B482F6C8D920A00CEF225A0F634F8200A2D6BC87FAAB266E8DC9A00A15F07A6238C9DDBE0ACFD97652BDD0C0AA0 B24D77E8A00E4785ACB7EE20A31B482F6C8D920A00CEF225A0F634F8200A2D6BC87FAAB266E8DC9A00A15F07A6238C9DDBE0ACFD97652BDD0C0AA0 [R1]4785ACB7EE20[R2] AAB266E8DC9A00A[R3] Used for WAN Link Optimization Deploy ProxySGs on both ends of a WAN link Eliminate repeated sequences of bytes sent over WAN Drastically improve performance for bandwidth limited applications Consistent end user response times Controlled application bandwidth requirements Key Benefits Completely transparent to client and server Exactly the same bytes are seen at both ends Works on any TCP connection, no protocol or application knowledge required Works with dynamic and changing data Frequently updated files Dynamic web applications Most effective data transmission acceleration Limitations Byte Caching addresses bytes transferred No server offload No protocol optimization No protection or control Need application proxies for full performance management Local LAN WAN Link Remote LAN

Compression COMPRESSION 110111110011100100100101110011001010111011001000011010011001110010000011110001110011000110000010011110000001101111010010000110110100101111100110100111011010011010011110010000000000001110010111001011011011010010101100101100101010101010010101010101010100101000010100 110111110011100100100101110011001010111011001000011010011001110010000011110001110011000110000010011110000001101111010010000110110100101111100110100111011010011010011110010000000000001110010111001011011011010010010010101010010101010101101100101100010100 COMPRESSION 11011111001110010010010111001100101011101100100001001100111001000001111000111001100011 Industry-standard gzip algorithm compresses all traffic Removes predictable “white space” from content and objects being transmitted

MACH5 Accelerates Applications MACH5 Optimizes More Protocol Types, Removes More Latency and Saves More Bandwidth than Other Solutions

ProxyClient Features Acceleration URL rating service Web filtering Byte caching Simple UI Logging Service Status Updates

WAN Optimization Anywhere Provide Fast Access to Applications in the Datacenter Internet Corporate Network Performance increase Dramatically decrease bandwidth use Byte Caching Sophisticated custom compression based on observed network patterns Location Awareness Makes intelligent use of ProxySG appliances in the network TCP Optimization CIFS Optimization Inline Compression CIFS Object Caching

Security 24

Internet Evolution… USER EXPECTATIONS PERFORMANCE REQUIRED Apps Mission Critical + Dynamic Connection Agnostic Multiple Devices Web 2.0 Web threats Apps Mission Critical Static Content Connection Method Key Limited CPEs Email/Spam Threats USER EXPECTATIONS As the internet has progressed there has been a linear need and demand to scale both performance and security. From thick clients, like fully standalone home PCs where all the data is on the PC, we’ve moved to through internet to personalized content and now web 2.0 where a large part of the data is stored “on the network” Apps Lan Centric Limited Content PC based Internet Basic Broadband Traffic Growth Multi-Protocols Richer Applications Always-On Connections Thick Clients Few Business Apps Dial Up PERFORMANCE REQUIRED 25 25

Hybrid Web Gateway Links web gateway into cloud service More malware defenses Offloads processing Extends to remote clients 3rd Party Malware Feeds Malware Feed WebPulse Cloud Service Analyzes 1B+ requests per week ProxyAV Linking the WebPulse cloud service with the ProxySG web gateway creates a hybrid web gateway solution. The cloud service provides more malware defenses than possible on the web gateway and even more importantly it offloads the processing load to detect malware and rate new web content from the web gateway. ProxySG runs faster and more defenses are provided. The cloud service even extends to remote users. ProxyClient for enterprise users provides central policy controls and reporting with a real-time relationship to the WebPulse cloud service. K9 is our home parenting solution and uses the full strength cloud service to block malware and rate web content for families on the web. What is most important about this diagram are the feeds into the WebPulse cloud service. ProxySG provides unrated sites, or what we call the “tail-end” of the web into the cloud service. ProxyClient and K9 provide popular web sites, or what we call the “big-head” of the web into the cloud service. Together this provides over 1B user requests per week to background analyze for malware, web threats, reputations and rating new web content. The key to the cloud service is a tremendous volume of web content and repetition of popular web sites to continuously detect hidden malware and protect all users in the community watch. The WebPulse cloud partners with other clouds to increase its coverage of malware protection. Blue Coat partners with Google for malware feeds and leading third party threat detection vendors for malware inputs. AVG, Kaspersky, Sophos, McAfee, SunBelt and others all provide cloud detection for malware and are part of the WebPulse solution. Thus the WebPulse cloud is actually many clouds working together to detect and block malware hosts. WebFilter has over 50M users and provides over 30B web ratings per day. ProxySG has over 40,000 appliances deployed, together they create a very large web community watch computing grid unmatched by any competitor. Inputs are in real-time, client updates are immediate and ProxySG updates to WebFilter are every 5mins. Internet Enterprise Network ProxySG With WebFilter Remote Users ProxyClient Combining 54M+ Users to Protect the Enterprise

WebPulse™ Cloud Service Reputation Analysis Real-time rating service Web content analysis & ratings Malware Detection 180 Million/day Multiple Threat Engines Machine Analysis Human Raters Content Ratings We mentioned the Blue Coat WebPulse Cloud Serivce earlier. So What is the Blue Coat WebPulse Cloud Service? It provides: Web Content Analysis & Ratings using the Blue Coat WebFiltering service – which supports three simultaneous url databases for the latest ratings - Unrated or new content goes to the real time rating service to get rated. -Reputation Analysis (which provides URL reputation data that scores URLs or IP addresses based on various attributes to determine intention) - a good option to block visits to uncategorized Web sites that could be malicious. --Malware Detection All requests to our cloud services are analyzed in background rating processes for malware using a computing grid of clients with multiple threat detection engines, machine content analysis and human raters. -Our Web Pulse cloud service delivers real time rating of malware infected sites analyzing over 150M url requests/day, 1 B requests per week. This is a constant process happening over and over again making our web filtering service stronger and stronger <click> Realistic web profile enables more efficient control over traffic ProxyClient 30B/ day 54M Clients 27 27

New Malware Defense WebPulse 5min updates to WebFilter Immediate updates to ProxyClient and K9 Analyzes over 1B user requests per week WebPulse Cloud Service Five Minute Updates Immediate Access New to our ProxySG solution with the SGOS v4.3 operating system is the ability to request 5 minute updates from the WebPulse cloud service into WebFilter. These 5 minute updates are for malware and web threat categories. Non-threat category updates for WebFilter continue to be provided several times per day. This faster update cycle closes the time span between the cloud service and the ProxySG web gateway to block new malware hosts and web threats. Currently Blue Coat has three WebPulse cloud service operations centers to serve global customers and is in the process of adding a fourth. Note that ProxyClient and K9 have an immediate benefit of any new detected malware hosts with no update cycles required, they utilize the cloud service in real-time. This new malware defenses changes the enterprise web gateway architecture. Rather than analyzing all web content requested by users at the web gateway with limited resources and defenses, the hybrid gateway offloads the web gateway by using the cloud service which sees more web content, leverages more defenses and blocks malware very efficiently by web request. As noted earlier, inline detection is becoming less effective due to attack cloaking techniques to mask threats from detection by web gateways. Community watch cloud services are changing web gateway defenses for the better and allowing web gateways to perform faster. Internet Enterprise Network ProxySG with WebFilter ProxyClient Unites gateways & clients into computing grid defense

AV feedback Immediate malware feedback Even more malware defenses One AV serves all 54M+ users 3rd Party Malware Feeds Malware Feed WebPulse Cloud Service Analyzes 1B+ requests per week ProxyAV Linking the WebPulse cloud service with the ProxySG web gateway creates a hybrid web gateway solution. The cloud service provides more malware defenses than possible on the web gateway and even more importantly it offloads the processing load to detect malware and rate new web content from the web gateway. ProxySG runs faster and more defenses are provided. The cloud service even extends to remote users. ProxyClient for enterprise users provides central policy controls and reporting with a real-time relationship to the WebPulse cloud service. K9 is our home parenting solution and uses the full strength cloud service to block malware and rate web content for families on the web. What is most important about this diagram are the feeds into the WebPulse cloud service. ProxySG provides unrated sites, or what we call the “tail-end” of the web into the cloud service. ProxyClient and K9 provide popular web sites, or what we call the “big-head” of the web into the cloud service. Together this provides over 1B user requests per week to background analyze for malware, web threats, reputations and rating new web content. The key to the cloud service is a tremendous volume of web content and repetition of popular web sites to continuously detect hidden malware and protect all users in the community watch. The WebPulse cloud partners with other clouds to increase its coverage of malware protection. Blue Coat partners with Google for malware feeds and leading third party threat detection vendors for malware inputs. AVG, Kaspersky, Sophos, McAfee, SunBelt and others all provide cloud detection for malware and are part of the WebPulse solution. Thus the WebPulse cloud is actually many clouds working together to detect and block malware hosts. WebFilter has over 50M users and provides over 30B web ratings per day. ProxySG has over 40,000 appliances deployed, together they create a very large web community watch computing grid unmatched by any competitor. Inputs are in real-time, client updates are immediate and ProxySG updates to WebFilter are every 5mins. Internet Enterprise Network ProxySG With WebFilter Remote Users ProxyClient Combining 54M+ Users to Protect the Enterprise

Blue Coat Layered Defenses Cloud Service WebPulse & WebFilter Inline Threat Detection ProxyAV Web Application & Content Controls ProxySG Integrated Data Loss Prevention ProxySG with 6 DLP partners Remote Users ProxyClient Stepping back to look at the larger picture of layered defenses for a web gateway, you can see how the cloud service sits on top to address the bulk of malware injected into popular and trusted web sites. Blue Coat WebFilter provides over 70 categories, supports over 50 languages, has over 50M users, provides over 30B ratings per day, plus the WebPulse cloud service deeply analyzes over 1B user requests per week to keep WebFilter updated and relevant. Visibility into web content and traffic is provided by Blue Coat Reporter with over 150 pre-defined reports and a customizable dashboard with drill-down analysis features. The second layer of inline threat detection provides protection for areas where the cloud service lacks visibility. Web mail attachments and software downloads, plus SSL traffic inspection are key examples where a web gateway with inline threat detection provides an extra layer of defense before web content arrives on the desktop or laptop. Performance features allow inline threat analysis to scale for large user audiences with the Blue Coat web gateway solution. The third layer of web application controls (e.g. IM & P2P) and web content controls is very important. Suspicious (poor reputation) and unrated websites should not be allowed to download files on to user desktops. Attacks use the loophole that unrated sites are often allowed in policy controls, this should not be the case. The fourth layer to control data leakage integrates with the third layer. Why deploy DLP and leave a web application like Skype active as it provides an open doorway to the web using proprietary encryption that does not allow inspection. DLP is only as good as the web application controls provided by a web gateway. And finally, the fifth layer protects remote users. The community watch cloud service provides an enhanced layer of protection over existing laptop defenses, plus central policy management and reporting when users are on networks you do not control.