Information Security

Defending the digital infrastructure


Manage Learn to apply best practices and optimize your operations.

Web security gateways keep Web-based malware at bay

Web Security Gateways - A new breed of integrated technology takes Web-based malware off the menu.


A new breed of integrated technology takes Web-based malware off the menu.

Texas is a giant state--a fact Mike Stump was painfully aware of as director of information technology for Roundtable, an independently owned Dairy Queen franchisee. As the company expanded its chain of ice cream stores across the Lone Star State and beyond, a virus outbreak could mean a 10-hour drive from the Lubbock office for him or one of his technicians.

"If we had a big problem, we would literally have to drive out to the location, spend a day or maybe even a night depending on how far away it was, to clean off the virus and get the machine back into operational state," Stump says.

And infested PCs were becoming all too common as employees took advantage of broadband access to surf the Internet, download MP3s and visit MySpace. Traditional antivirus software wasn't catching the malware that came with the unauthorized Web browsing. Each store has a PC, which among other things, 15 to 30 employees use to clock in and out on and managers use for email, reporting and other applications.

Today, though, malware outbreaks are rare and productivity is up. Two years ago, Roundtable began using ScanSafe managed services to control employees' Internet access and ward off spyware and viruses. "The first year, we saved about $100,000 in support costs...that was with 31 stores," Stump says. Roundtable now has 46 stores in Texas, New Mexico and Oklahoma, with plans for more.

The threat landscape has shifted in the past few years to Web-based malware, leading companies such as Roundtable to bolster their security with a newer breed of technology, Web security gateways. In much the same way antivirus gateways were overtaken by multifunction secure email gateways, Web security gateways combine several existing technologies and features offered by point solutions. Instead of having separate devices for URL filtering, malicious code filtering, instant messaging and other application controls, Web security gateways provide a single high-performance security gateway that shares a common threat database and policy management framework. The Web security gateway market is a mix of software and appliance vendors as well as managed service providers like ScanSafe.

A report by Google in February highlighted how risky Web browsing has become: during a period of 18 months, it found more than 3 million unique URLs on more than 180,000 Web sites automatically install malware. Even legitimate Web sites can distribute malicious code. The growing use of AJAX technology and third-party ads is increasing a Web page's attack surface and the chances that insecure content can be inserted into it. Since Web access requires network firewalls to leave HTTP port 80 open, it's an obvious entry point to launch an attack, and one that firewalls struggle to control.

For many network administrators, this increased risk is manifesting itself in increased bot infections and support calls from users struggling with spyware-infected machines. Also, if employees are hit by drive-by download attacks, the network quickly becomes infected, which can lead to the loss of corporate data and network resources. Combine this with various laws that make businesses liable for privacy, data protection and governance, and organizations are looking beyond URL filtering to improve the protection of their users and data.

Let's take a closer look at how Web security gateways work to provide comprehensive network protection against damaging and often automated threats.



A Web security gateway is a multifunction solution that filters unwanted software and malware from user-initiated Internet traffic while enforcing corporate policy compliance. To accomplish this, Web security gateways use URL filtering, malicious code detection and filtering, and controls for Web-based applications such as IM and Skype.

It's important to clarify the purpose of a Web security gateway: to protect clients on the internal network and their users from infection while surfing the Web and enforce company policies. This is different from a Web application firewall, which is designed to protect Web sites and Web applications from attack. Web application firewalls aim to prevent attackers from directly exploiting vulnerabilities within a Web application to upload their malware code, while Web security gateways provide an additional layer of defense for clients using vulnerable browsers open to malware exploits. Three main technologies provide an extra layer of defense:

  1. URL Filtering This has long been the most common method of controlling surfing activity. According to Gartner, URL filtering is deployed in 75 percent to 95 percent of enterprise networks while malware filtering is deployed in less than 15 percent. URL filtering uses content scanning, artificial intelligence and blacklists to control Web access. Its big advantage is that it's scalable, and provides granular usage reporting. The big players in this field include Websense and Surf-Control. However, the sophistication of Web 2.0 attacks and the speed with which their launch base and actual code can change means that URL filtering is no longer enough. It's still going to be a critical element within a WSG but needs to be combined with other technologies.

  2. Malware Filtering The aim of malware filtering is to catch malware entering and leaving the network. As with URL filtering, a database is used; in this case known malware signatures. The industry trend, though, is to employ similar techniques to antivirus engines, which use non-signature based methods such as heuristic scanning. For malware filtering to be truly effective, traffic on all ports and over all protocols must be analyzed from Layer 4 to Layer 7 as it enters or leaves the network. This delivers a proactive defense that can catch attempts to "phone home" since some malicious software invariably will get through. It also reduces the criticality of ensuring desktops and applications are patched and antivirus is up to date.

  3. Application Control Controlling the use of often unmanaged applications, such as IM, P2P and Skype, is becoming a critical part of network security. Interestingly, it is the one area where no one Web security gateway vendor really has a clear lead. Most devices can block or allow access only to specific groups or users. This is partly because new applications are emerging and adopted so quickly. IM and Skype are examples of how new applications can quickly become ingrained in work practices. To be truly effective, Web security gateways need to enforce a company's acceptable usage policies, selectively managing features of an application and blocking them where necessary.

Obviously, there are solutions available that offer these technologies individually. They're all necessary to properly secure the Web environment and using a combination of these point products can solve specific needs. However, deploying and managing them individually is complex and expensive and they are inadequate when operated in isolation. Most enterprise network administrators feel that they have too many security devices plugged in to their network already; all require staff to understand and maintain them, plus time to analyze the reams of data they produce By bringing protective functions together within one device, Web security gateways streamline management. Administrators can set policy rules and parameters on one device, a far easier task than trying to enforce each policy across several different devices. This greatly reduces administrative overhead, particularly as there is only one device and one interface to grapple with. Managed Web security gateway services reduce the management burden even more.

Another big advantage with an integrated solution is that information can be pooled. The Web security gateways can cross-compare information to make a more informed decision as to whether traffic is potentially malicious. This makes traffic control, analysis and reporting far more effective.



So how viable are Web security gateways as a catch-all security solution? It's a tricky mix of services to get right, in terms of security, performance and ease of use. The challenge with deploying any Web gateway is that unlike email, which is asynchronous, the HTTP protocol is real-time and thus processing for a Web gateway must scale well. The analysis processes sit in the way of traffic and directly impact the end user's Web experience.

To be scalable, policy synchronization between devices and multiple network deployment options are necessary. Given the wide-ranging tasks of a Web security gateway, reliability will be a key factor too. At present, none of the products has been around long enough for there to be any reliable data to help with this decision. Certainly due to the volume of traffic on an enterprise network, only hardware or service-based models are real contenders.

Controlling applications such as IM, VoIP and P2P remains a challenge for Web security gateways. Proxy servers, long seen as the most secure solution to application control, just can't handle the all-ports and all-protocols requirement of a true Web gateway. The latency is too high, particularly when it comes to handling Web pages. There is also the overhead of configuring every client and every protocol to go through a proxy. The processing speed required to handle this type of deep-packet inspection is enormous, but many Web security gateway devices claim to handle enterprise-level volumes without a visible impact on network performance.

One of the big problems that Web security gateways must overcome in trying to provide blanket protection to network users is the issue of semantic interpretation: how to put the traffic it is analyzing into some sort of context. This problem is called "impedance mismatch." For example, the word "present" can have different meanings, depending on context. Regular expression matching, which most solutions use, is prone to impedance mismatch. Consequently, it's not completely effective when inspecting data for common signs of malicious code; it is both easy to evade and very prone to false positives.

Somehow, Web security gateways need to be able to interpret inbound data in the same way as the browser it is protecting. What is needed is a script engine so that the device will view the final executed code after any obfuscation is removed and in the same form that the browser would execute it. Hopefully, we will see this form of dynamic analysis in the next generation of security devices.



The increasing number of ways users can communicate or move data online makes controlling data leakage a key objective for most administrators. While information escaping the organization has always been a problem, the depth and breadth of the problem has changed dramatically. Data leakage can occur by accident or because of poor business processes, but increasingly, malware of some form or another is sending it out through the network.

Web security gateways can certainly help in this area by monitoring the types of files going through the network perimeter and scanning documents for phrases and terms that could potentially cause data leakage. Coordination of content policy across all communication channels is a lot more efficient when they're all passing through one box.

As part of the process of reducing data leaks, users need to be made aware of the risks of Web 2.0 in the same way most have been told of the dangers of email attachments from unknown sources. Web security gateways that capture traffic on all ports and protocols can produce an excellent evidence chain to help challenge risky user behavior. To do this, they need to provide clear and concise reports of consolidated data; an outstanding feature of Mi5's Web-gate are its reports. Another tool to stop data leakage, provided by Webgate and other Web security gateways, is identification and remote remediation of infected PCs.

One area that has always been a bit of a blind spot when it comes to data analysis is SSL traffic. SSL decryption requires that the SSL certificate is imported into the device so that it has the ability to decrypt and inspect SSL traffic. This obviously incurs heavy overhead. Most Web security gateways still require an SSL proxy engine to be added separately to handle SSL encrypted traffic.

Web security gateways will certainly appeal to the many enterprises that are looking to cut down on client-side security software. However, the Jericho Forum, a group of security practitioners, cites the breaking down of traditional network perimeters and the huge explosion in Web use as to why a radical change in security practices is required. Web traffic that tunnels through perimeters or bypasses them altogether, and applications that encapsulate their protocols within other Web protocols are examples of why traditional perimeter defenses are not effective against today's threats. The forum advocates deperimeterization: protect the information itself and make every component independently secure.

The attraction of this approach is that it costs a lot less than trying to provide top-down security. But it requires a mature user base and may not fully address the data leakage problem. Web security gateways allow an organization to apply security policies to data on a network while still tackling the dangers of external threats. Out-bound traffic control is increasingly important, and for those who think deperimeterization is too bold, the Web security gateway has many benefits, particularly the convergence of security and systems management

Roundtable's Stump plans to roll out ScanSafe to the additional Dairy Queen stores the company plans to open in the coming months. The service is easy to manage over the Web, allowing him and his team to enable or disable URLs and types of Web sites, like social networking ones. Limited to little else than the company's domain, employees now have no choice but to comply with corporate policy. "We let them get weather and that's about it," Stump says.



CLICK HERE for a sample of products and services
that provide protection against Web-based attacks,
content filtering and/or URL filtering (PDF).



Article 6 of 10

Dig Deeper on Web application and API security best practices

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Information Security

Access to all of our back issues View All