CAN THEY DELIVER?
So how viable are Web security gateways as a catch-all security solution? It's a tricky mix of services to get right, in terms of security, performance and ease of use. The challenge with deploying any Web gateway is that unlike email, which is asynchronous, the HTTP protocol is real-time and thus processing for a Web gateway must scale well. The analysis processes sit in the way of traffic and directly impact the end user's Web experience.
To be scalable, policy synchronization between devices and multiple network deployment options are necessary. Given the wide-ranging tasks of a Web security gateway, reliability will be a key factor too. At present, none of the products has been around long enough for there to be any reliable data to help with this decision. Certainly due to the volume of traffic on an enterprise network, only hardware or service-based models are real contenders.
Controlling applications such as IM, VoIP and P2P remains a challenge for Web security gateways. Proxy servers, long seen as the most secure solution to application control, just can't handle the all-ports and all-protocols requirement of a true Web gateway. The latency is too high, particularly when it comes to handling Web pages. There is also the overhead of configuring every client and every protocol to go through a proxy. The processing speed required to handle this type of deep-packet inspection is enormous, but many Web security gateway devices claim to handle enterprise-level volumes without a visible impact on network performance.
One of the big problems that Web security gateways must overcome in trying to provide blanket protection to network users is the issue of semantic interpretation: how to put the traffic it is analyzing into some sort of context. This problem is called "impedance mismatch." For example, the word "present" can have different meanings, depending on context. Regular expression matching, which most solutions use, is prone to impedance mismatch. Consequently, it's not completely effective when inspecting data for common signs of malicious code; it is both easy to evade and very prone to false positives.
Somehow, Web security gateways need to be able to interpret inbound data in the same way as the browsers they are protecting. What is needed is a script engine, so that the device sees the final executed code after any obfuscation is removed, in the same form the browser would execute it. Hopefully, we will see this form of dynamic analysis in the next generation of security devices.
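The impedance mismatch described in the two paragraphs above can be made concrete with a small script. The following is an added example, not code from the article or from any gateway product: a hypothetical gateway signature (a regular expression for `document.cookie`) is run first over the raw script text and then over a normalized form that resolves a handful of string-building constructs a browser would evaluate. The normalizer is a deliberately tiny stand-in for the script engine the article calls for, handling only the constructs used in the constructed samples; it is not a JavaScript evaluator. The same signature produces a false negative on the raw text of the second sample and a false positive on the third, which is exactly the "easy to evade, prone to false positives" behaviour the article attributes to regex matching.

```javascript
// Added example (not from the article): a toy gateway scanner showing why a
// regular-expression signature suffers from impedance mismatch, and how
// normalizing a script toward what the browser actually executes narrows the gap.
// The signature and all sample scripts are constructed for illustration.

// Hypothetical gateway policy: flag scripts that touch document.cookie.
const SIGNATURE = /document\.cookie/;

// Naive approach: the signature is applied to the raw bytes on the wire.
function regexScan(script) {
  return SIGNATURE.test(script);
}

// Partial normalization toward the browser's view of the script. This covers
// only the constructs used in the samples below; a real script engine would
// execute the code instead of pattern-rewriting it.
function normalize(script) {
  let s = script;
  // 1. Drop comments: they never execute, so a match inside one is a false positive.
  //    (Simplification: a "//" inside a string literal would also be stripped.)
  s = s.replace(/\/\*[\s\S]*?\*\//g, '').replace(/\/\/[^\n]*/g, '');
  // 2. Resolve String.fromCharCode(n, n, ...) to the string literal it produces.
  s = s.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, nums) =>
    JSON.stringify(String.fromCharCode(...nums.split(',').map((n) => parseInt(n.trim(), 10)))));
  // 3. Decode \xNN escapes inside string literals.
  s = s.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) => String.fromCharCode(parseInt(hex, 16)));
  // 4. Fold "a" + "b" literal concatenations, repeating until nothing changes.
  let prev;
  do {
    prev = s;
    s = s.replace(/"([^"]*)"\s*\+\s*"([^"]*)"/g, '"$1$2"');
  } while (s !== prev);
  // 5. Rewrite obj["name"] as obj.name, the form the signature expects.
  s = s.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
  return s;
}

// Semantic approach: apply the same signature to the normalized script.
function semanticScan(script) {
  return SIGNATURE.test(normalize(script));
}

// Constructed samples: a plain access, the same access built from pieces,
// and a script that only mentions the property inside a comment.
const SAMPLES = {
  plain: 'var c = document.cookie;',
  obfuscated: 'var c = window["\\x64ocu"+"ment"][String.fromCharCode(99,111,111,107,105,101)];',
  commentOnly: '/* this widget never reads document.cookie */ var x = 1;',
};

// Runs both scanners over every sample and returns the verdicts.
function scanAll() {
  const out = {};
  for (const [name, script] of Object.entries(SAMPLES)) {
    out[name] = { regex: regexScan(script), semantic: semanticScan(script) };
  }
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(scanAll());
}
```

Running the file prints one row per sample: the raw regex flags `plain` and `commentOnly` but misses `obfuscated`, while the normalized scan flags `plain` and `obfuscated` and clears `commentOnly`. The design point is that the signature itself never changed; only the representation it was applied to did, which is why the article argues the fix belongs in how the gateway interprets traffic rather than in writing more patterns.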
This was first published in April 2008