
Exploring new features, uses for secure Web gateway appliances

Expert Michael Cobb reviews secure Web gateway appliance features that can better shield endpoints, plus SWG deployment options.

Originally, an enterprise would implement a secure Web gateway (SWG) appliance to enforce corporate policy (e.g., preventing employees from visiting YouTube during office hours). Back in 2008, as enterprises realized they couldn't rely solely on a firewall, antivirus, and simple URL filtering to prevent zero-day attacks, SWGs were viewed as the best way of integrating features provided at that time by various single-purpose devices -- such as URL filtering and bandwidth throttling -- into one appliance. Web application-level controls and centralized management were also big selling points, plus non-signature-based detection and filtering were beginning to appear.

With the threats facing enterprises having changed so much since the introduction of SWGs, though, enterprises must reconsider which new features and functions are now included with SWGs and which features matter most when picking a potential implementation. A continually growing and increasingly sophisticated attacker base, combined with the emergence of more diverse endpoints, mobility and BYOD, has forced SWG technology to evolve rapidly to meet the needs of the modern enterprise.

In this tip, we will reexamine what enterprises should expect from secure Web gateways in light of the technology's evolution, plus the differences between cloud-based and on-premises SWG appliance deployments.

Secure Web gateway features

To maximize the benefits contemporary SWGs provide, an enterprise must understand its requirements and the pros and cons of an on-premises, cloud-based or hybrid SWG deployment.

Any organization assessing secure Web gateway options should now expect to find a wide range of functions and features available, including:

  • URL filtering
  • HTTPS scanning
  • Malware detection, both inbound and outbound
  • Threat intelligence feeds
  • Mobile support
  • Application control
  • Data loss prevention (DLP)
  • Threat and traffic visualization

Due to the rapidly changing nature of the threat landscape, enterprises should note that differences abound in the quality of controls such as URL filtering, malware detection and support for DLP. For example, filtering and detection technology has advanced significantly in recent years. To solve the problem of outdated blacklists, SWGs now rely on multiple types of analytics, including reputation analysis, real-time browser code scanning, behavioral analysis, content control and data fingerprinting.
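The data fingerprinting mentioned above is the piece of that list that is easiest to show concretely. The following is an added example written for this page, not code from the article or from any SWG vendor: it registers hashed five-word "shingles" of a sensitive document and scores an outbound request body by the share of the document's shingles it contains, so a reformatted or partial excerpt still triggers while the registry never stores the protected text itself. The memo, the request bodies, the shingle size and the 30% threshold are all constructed for illustration.

```python
"""Content fingerprinting for outbound DLP.

Added example, not from the article or any SWG vendor. It registers hashed
k-word shingles of sensitive documents and scores outbound text by the share of
a document's shingles it contains, so a reformatted or partial excerpt still
matches. All documents and request bodies below are constructed."""
from __future__ import annotations

import hashlib
import re

SHINGLE_WORDS = 5        # words per shingle; smaller values catch shorter excerpts
MATCH_THRESHOLD = 0.30   # share of a document's shingles that must appear outbound


def normalize(text: str) -> list[str]:
    """Lowercase and keep only alphanumeric words, so case, punctuation and
    line breaks in the outbound copy do not defeat the match."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text: str, k: int = SHINGLE_WORDS) -> set[str]:
    """Hash every run of k consecutive words; the set is the document's fingerprint."""
    words = normalize(text)
    shingles = set()
    for i in range(max(len(words) - k + 1, 0)):
        window = " ".join(words[i:i + k])
        # 64 bits of SHA-256 is plenty for a registry of this size and keeps it small.
        shingles.add(hashlib.sha256(window.encode()).hexdigest()[:16])
    return shingles


class FingerprintRegistry:
    """Sensitive documents registered by name, each stored only as its fingerprint,
    so the registry itself never holds the protected text."""

    def __init__(self) -> None:
        self._docs: dict[str, set[str]] = {}

    def register(self, name: str, text: str) -> None:
        self._docs[name] = fingerprint(text)

    def scan(self, outbound_text: str) -> dict[str, float]:
        """Return {document: overlap ratio} for every document above the threshold."""
        seen = fingerprint(outbound_text)
        hits: dict[str, float] = {}
        for name, doc_shingles in self._docs.items():
            if not doc_shingles:
                continue
            ratio = len(doc_shingles & seen) / len(doc_shingles)
            if ratio >= MATCH_THRESHOLD:
                hits[name] = round(ratio, 2)
        return hits


# Constructed sensitive document (hypothetical, not a real memo).
ACQUISITION_MEMO = (
    "Project Bluebird: the board approved the acquisition of Northwind Traders "
    "for 42 million dollars. Closing is targeted for the last week of October "
    "and must not be disclosed to staff before the announcement."
)

# Constructed outbound request bodies: one re-flowed excerpt, one benign message.
LEAKED_EXCERPT = (
    "FYI -- THE BOARD APPROVED THE ACQUISITION OF NORTHWIND TRADERS\n"
    "for 42 million dollars. closing is targeted for the last week of October"
)
BENIGN_BODY = "Hi team, the weekly status report is attached. The board meeting is next Tuesday."


def demo() -> tuple[dict[str, float], dict[str, float]]:
    """Scan both bodies against a registry holding the memo."""
    registry = FingerprintRegistry()
    registry.register("acquisition_memo", ACQUISITION_MEMO)
    return registry.scan(LEAKED_EXCERPT), registry.scan(BENIGN_BODY)


if __name__ == "__main__":
    leaked, benign = demo()
    print("excerpt:", leaked)   # the re-flowed excerpt scores well above the threshold
    print("benign: ", benign)   # the status e-mail produces no hit
```

The excerpt shares 17 of the memo's 29 shingles despite the changed case, the inserted "FYI" and the line break, while the benign message shares none; in a real gateway the same scan would run on decoded POST bodies, uploads and webmail attachments, with the threshold tuned per document class.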

Another noticeable advance in modern SWGs is the increased flexibility and granularity administrators have in controlling Web, email and data traffic. Individual elements within a dynamic Web page can be analyzed and blocked, as can access to specific services at particular times of the day or when activity reaches a predefined threshold. Bandwidth utilization parameters can be specified for uplink and downlink traffic by content category. They can also be adjusted depending on specific access requirements for different users and groups.
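To make the granularity described above concrete, here is an added example (written for this page, not code from the article or from any SWG product) of a small first-match-wins policy engine: video is blocked for everyone on weekdays between 09:00 and 17:00, except that the marketing group may use it at any time under a shared 50 MB daily quota, and anything uncategorised falls through to a default deny. The host-to-category map, the groups, the quota and the sample requests are all constructed.

```python
"""Time-, group- and quota-aware Web access policy.

Added example, not code from the article or any SWG product. It shows the kind
of granular rules the text describes: a category may be blocked only during
office hours, allowed for one group under a daily bandwidth quota, and so on.
Rules are evaluated first-match-wins, as most proxy ACL lists are. The category
map, groups, hosts and quotas are all constructed."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time

# Constructed host-to-category map standing in for a vendor categorisation feed.
CATEGORIES = {
    "www.youtube.com": "video",
    "video.example.net": "video",
    "docs.example.com": "business",
    "cdn.example.org": "software_updates",
}
WEEKDAYS = {0, 1, 2, 3, 4}   # Monday=0 .. Friday=4


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    categories: set[str]
    groups: set[str] | None = None     # None = applies to every group
    days: set[int] | None = None       # None = every day of the week
    start: time | None = None          # with end: half-open window [start, end)
    end: time | None = None
    quota_bytes: int | None = None     # per group and category per day

    def matches(self, group: str, category: str, when: datetime) -> bool:
        if category not in self.categories:
            return False
        if self.groups is not None and group not in self.groups:
            return False
        if self.days is not None and when.weekday() not in self.days:
            return False
        if self.start is not None and self.end is not None:
            if not (self.start <= when.time() < self.end):
                return False
        return True


class PolicyEngine:
    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        # (date, group, category) -> bytes consumed so far under a quota rule
        self._usage: dict[tuple, int] = defaultdict(int)

    def evaluate(self, group: str, host: str, when: datetime, size: int) -> tuple[str, str]:
        """Return (action, reason) for one request; the first matching rule decides."""
        category = CATEGORIES.get(host, "uncategorised")
        for rule in self.rules:
            if not rule.matches(group, category, when):
                continue
            if rule.quota_bytes is not None:
                key = (when.date(), group, category)
                if self._usage[key] + size > rule.quota_bytes:
                    return "deny", f"{rule.name}: daily quota exceeded"
                self._usage[key] += size
            return rule.action, rule.name
        return "deny", "default deny"


RULES = [
    # Marketing may use video any time, but only 50 MB per day for the whole group.
    Rule("marketing-video", "allow", {"video"}, groups={"marketing"}, quota_bytes=50_000_000),
    # Everyone else: no video on weekdays between 09:00 and 17:00.
    Rule("video-office-hours", "deny", {"video"}, days=WEEKDAYS, start=time(9, 0), end=time(17, 0)),
    Rule("video-after-hours", "allow", {"video"}),
    Rule("business-apps", "allow", {"business"}),
    Rule("updates", "allow", {"software_updates"}),
]

# Constructed requests: (group, host, timestamp, response bytes). 2012-08-14 is a Tuesday.
REQUESTS = [
    ("engineering", "www.youtube.com", datetime(2012, 8, 14, 10, 30), 5_000_000),
    ("engineering", "www.youtube.com", datetime(2012, 8, 14, 19, 15), 5_000_000),
    ("marketing", "www.youtube.com", datetime(2012, 8, 14, 11, 0), 30_000_000),
    ("marketing", "www.youtube.com", datetime(2012, 8, 14, 11, 5), 30_000_000),
    ("engineering", "docs.example.com", datetime(2012, 8, 14, 10, 0), 48_000),
    ("engineering", "unknown.example", datetime(2012, 8, 14, 10, 0), 1_000),
]


def run_demo() -> list[tuple[str, str]]:
    """Evaluate the constructed requests in order against one shared engine."""
    engine = PolicyEngine(RULES)
    return [engine.evaluate(*req) for req in REQUESTS]


if __name__ == "__main__":
    for req, (action, reason) in zip(REQUESTS, run_demo()):
        print(f"{req[0]:<12} {req[1]:<20} {req[2]:%a %H:%M}  {action:<5} ({reason})")
```

Rule order matters: the marketing allow sits above the office-hours deny so that the narrower exception wins, and the quota is charged only when a rule with a quota actually matches, which is why the second 30 MB marketing request is refused while the engineering requests never touch the counter.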

To keep devices updated with the latest threat and attack information, many secure Web gateway products incorporate threat intelligence feeds from cloud-based services. DLP support is growing for a variety of mobile devices, which is vital for any enterprise that supports BYOD. By combining security classifications with custom data sets, context-aware data loss prevention is also improving. Many SWGs also support "call home" detection, or alerting on malware that seeks out remote instructions, to help cover any blind spots.

Visualization might seem like a gimmicky feature, but it enables administrators to easily see hotspots on the network that need further attention. For example, visualization of captured traffic can quickly highlight infected devices probing network neighbors looking for vulnerabilities to exploit. Also, administrators can observe information such as bandwidth utilization or sites visited in real time, which provides better visual insight into how a network is being used and how rule changes affect productivity and security. This makes implementing complex rules that perform as intended much easier.
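The "call home" detection of the previous paragraph and the hotspot view of this one can be illustrated together over proxy logs. The following is an added example written for this page, not code from the article or any SWG vendor. Malware that fetches instructions from a remote host tends to poll it at a fixed interval with near-identical request sizes, which looks nothing like a person browsing; the detector groups requests by (source, destination) and flags trains whose inter-request gaps and sizes barely vary, and the text bar chart stands in for the dashboard the article describes. The log format, log lines and hosts are constructed (the beaconing destination uses the reserved .invalid top-level domain as a placeholder), and the 10% jitter and 20% size-spread limits are illustrative thresholds.

```python
"""Call-home (beacon) detection and a per-source hotspot view over proxy logs.

Added example, not from the article or any SWG vendor. Malware that fetches
instructions from a remote host tends to poll it at a fixed interval with
near-identical request sizes. The detector groups requests by (source,
destination) and flags trains whose gaps and sizes barely vary; the hotspot
view is an ASCII stand-in for a dashboard. Log lines are constructed and the
destination host is a reserved .invalid placeholder."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp  src_ip  user  method  host  status  bytes
SAMPLE_LOG = """\
2012-08-14T09:00:00 10.1.4.37 - POST beacon-dest.invalid 200 310
2012-08-14T09:00:02 10.1.4.22 alice GET www.youtube.com 403 512
2012-08-14T09:00:05 10.1.4.22 alice GET docs.example.com 200 48210
2012-08-14T09:01:00 10.1.4.22 alice GET www.youtube.com 403 512
2012-08-14T09:02:41 10.1.4.22 alice GET docs.example.com 200 1893
2012-08-14T09:03:10 10.1.4.22 alice POST docs.example.com 200 220
2012-08-14T09:04:30 10.1.4.51 carol GET cdn.example.org 200 904311
2012-08-14T09:05:01 10.1.4.37 - POST beacon-dest.invalid 200 312
2012-08-14T09:10:00 10.1.4.37 - POST beacon-dest.invalid 200 309
2012-08-14T09:12:15 10.1.4.51 carol GET docs.example.com 200 7710
2012-08-14T09:14:57 10.1.4.22 alice GET docs.example.com 200 30277
2012-08-14T09:15:02 10.1.4.37 - POST beacon-dest.invalid 200 311
2012-08-14T09:20:01 10.1.4.37 - POST beacon-dest.invalid 200 310
"""

MIN_EVENTS = 4          # need a few intervals before calling a train periodic
MAX_GAP_JITTER = 0.10   # stdev/mean of inter-request gaps
MAX_SIZE_SPREAD = 0.20  # stdev/mean of response sizes


def parse_log(text: str) -> list[dict]:
    """Parse the seven-field constructed format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, user, method, host, status, size = parts
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "user": user,
                       "method": method, "host": host, "status": int(status),
                       "bytes": int(size)})
    return events


def find_beacons(events: list[dict]) -> list[tuple[str, str, int, int]]:
    """Return (src, host, mean gap in seconds, count) for each regular request train."""
    by_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e)
    beacons = []
    for (src, host), evs in by_pair.items():
        if len(evs) < MIN_EVENTS:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        sizes = [e["bytes"] for e in evs]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue
        regular_timing = pstdev(gaps) / mean(gaps) <= MAX_GAP_JITTER
        regular_size = pstdev(sizes) / mean(sizes) <= MAX_SIZE_SPREAD
        if regular_timing and regular_size:
            beacons.append((src, host, round(mean(gaps)), len(evs)))
    return beacons


def hotspots(events: list[dict]) -> dict[str, tuple[int, int, int]]:
    """Per source: (requests, requests blocked by policy, distinct destinations)."""
    acc = defaultdict(lambda: {"requests": 0, "blocked": 0, "hosts": set()})
    for e in events:
        a = acc[e["src"]]
        a["requests"] += 1
        a["hosts"].add(e["host"])
        if e["status"] == 403:
            a["blocked"] += 1
    return {src: (a["requests"], a["blocked"], len(a["hosts"])) for src, a in acc.items()}


def render(events: list[dict]) -> str:
    """Text bar chart: request volume per source, with beaconing sources marked."""
    beaconing = {src for src, _host, _gap, _n in find_beacons(events)}
    lines = []
    for src, (req, blocked, hosts) in sorted(hotspots(events).items(), key=lambda kv: -kv[1][0]):
        flag = "  <-- periodic call-home" if src in beaconing else ""
        lines.append(f"{src:<12} {'#' * req:<8} {req} req, {blocked} blocked, {hosts} hosts{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(render(evs))
    print(find_beacons(evs))
```

In the sample, 10.1.4.22 generates the most requests and two policy blocks but its gaps to docs.example.com vary by hundreds of seconds, so it is a busy user, not a beacon; 10.1.4.37 makes fewer requests, all of them allowed, yet its five POSTs arrive 300 seconds apart with 309 to 312 byte responses and are flagged. That contrast is exactly the blind spot the article says call-home alerting is meant to cover: volume- or block-based views alone would point at the wrong host.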

Secure Web gateway deployment trends

In terms of how secure Web gateways are being deployed, the most recent Secure Web Gateway Magic Quadrant 2012 from research firm Gartner Inc. indicated that on-premises enterprise-grade appliances still dominate the market, but the cloud-based SWG-as-a-Service segment is growing quickly. There are also hybrid deployments available that combine on-premises and cloud-based SWG elements.


With cloud-based services, an enterprise can apply the same protection and policies to all users regardless of location, but it must select an SWG that will integrate with its existing infrastructure. With an on-premises SWG, a proxy architecture must be used so that all Web-bound traffic is processed: by forcing all Web traffic to terminate at the proxy, the gateway can ensure no traffic flows to or from the Internet without inspection or control. In alternative deployments, such as a TAP deployment, the gateway sits off to the side of the network and merely observes traffic as it passes. Because the traffic isn't intercepted as it would be by an inline appliance, if the gateway doesn't detect a threat in time, malware or other threats can slip onto the network unnoticed. This method might be fine for enforcing organizational policy, but it's definitely not a reliable safeguard against Web-borne threats.

Finally, as with most Web security technology, the marketing materials for secure Web gateway products are full of superlative blurbs, such as "unique," "the best" and "industry-leading." Enterprises should attempt to ignore these largely baseless claims when assessing how a certain device can best meet organizational requirements. Instead, narrow down a list of finalists based on how well each product measures up against a pre-defined list of must-have features, and then use price, performance testing and advice from other customers to guide the final decision.

There's no question secure Web gateway technology has evolved considerably in recent years with many impressive new capabilities, but advancement alone is no guarantee of success. A careful, thoughtful review of what today's products can do and how they match up against an enterprise's needs is an essential precursor to secure Web gateway success.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is the founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies to secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Michael is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

This was last published in August 2012
