Manage Learn to apply best practices and optimize your operations.

Secure Web gateway overview: Implementation best practices

In this secure Web gateway overview, learn how to implement, configure and maintain a Web security gateway to support other security devices.

Security School

This technical tip article is part of's Security School lesson, "Choosing a Web security gateway."...

For more materials in this lesson, visit the lesson page; for additional lessons on other information security topics, visit's Security School Course Catalog.

A Web security gateway can greatly improve an organization's overall security posture, but it is not a "deploy and forget" product. The way in which a secure Web gateway is deployed, configured and maintained affects the level of security it delivers.

The key to success is to choose a product or service that will integrate with existing IT infrastructure, specifically security infrastructure.

In this technical article, we'll discuss how to maximize an investment in a Web security gateway through optimal deployment, configuration and maintenance.

Choosing a Web security gateway deployment strategy

To maximize the benefits of a Web security gateway, an enterprise must establish clear security objectives and understand the pros and cons of various deployment strategies. Although traditional physical on-premises appliances are still popular, there's growing interest in virtual appliances. Cloud-based Web security gateway services are increasing in popularity due to their relative ease of implementation. In fact, many such products now make use of cloud-based services to provide live URL lookups and reputation services; hybrid deployments that combine on-premises, managed and cloud-based elements are becoming quite common.

The key to success is to choose a product or service that will integrate with existing IT infrastructure, specifically security infrastructure, and be able to handle current and future network traffic loads. Offerings optimized for small and medium-sized businesses offer protection against basic threats and are easier to manage, while enterprise-grade products and services offer greater protection against advanced and targeted threats but require more skills and resources to manage.

Cloud-based and managed appliances are often a good choice for enterprises with restricted in-house resources or skills. However, these options mean the organization's data passes through and is accessible by third-party systems and personnel, so don't forget to take into account any applicable regulatory compliance requirements. Also, one slight disadvantage relative to an on-premises Web security gateway is that bandwidth and application controls cannot be used to keep unwanted traffic off the Internet pipe, since it has to travel to the cloud service for analysis.

With an on-premises Web security gateway, a proxy architecture is most effective. By forcing all Web traffic to terminate at the secure Web gateway, it can allow or block any traffic before it enters or leaves the network. With an inline passive monitoring-style deployment (also known as a TAP deployment), traffic is duplicated and forwarded to the Web security gateway for analysis. If it doesn't detect a threat in time, it could be too late to completely stop it because traffic isn't being intercepted as with an inline proxy configuration. A TAP deployment is easier to deploy and change, and is fine for enforcing organizational policy, but it's definitely not a reliable safeguard against Web-borne threats.

Many firewall vendors have begun incorporating Web security gateway functionality into their products, but the complexity of modern threats rules out such Unified Threat Management (UTM) devices for enterprise networks. For high-volume networks, it may be better to use a firewall to first filter and block inappropriate low-level network traffic, such as disallowed protocols or port requests, before it's passed to the Web security gateway. This way, the right balance between performance and in-depth analysis can be achieved.

Integrating a Web security gateway with other endpoint security products

Existing security controls must work properly prior to a Web security gateway deployment, otherwise it will merely provide limited cover for poorly implemented security controls and won't provide additional protection. For example, be sure to review the organization's network topology, given that the Web security gateway adds a new device to it, and ensure that it is properly segmented with trust boundaries between different classifications of data and processes.

Also, survey the other security devices on the network, confirm which threats they are configured to mitigate, and document the rules and filters they use to enforce security policy. Detail who collates this information and how it is reviewed. It's important to avoid a situation in which neither the Web security gateway nor point devices are protecting against a particular threat.

As employees are a key part of any organization's security posture, ensure they are being educated about the latest social engineering attacks. Teaching them how to identify a potential attack or recognize a malicious link means you're not solely reliant on your Web security gateway to prevent Web-borne attacks from succeeding.

Mapping acceptable use and compliance policies to rule sets

Controlling how employees use social websites is important, because while many such sites are valuable business tools, they can also pose security risks and can reduce productivity. Web security gateways makes it easier to implement complex rules that enforce security policy because they offer visualization of network traffic. Observing information such as bandwidth utilization or sites visited in real time allows administrators to fine-tune acceptable usage and security rules to optimize productivity and security.

Fine degrees of granular control offered by Web security gateways mean that rules can be applied to specific applications rather than having blanket allow or deny rules controlling ports and protocols. Being able to grant bandwidth priority to critical applications means enterprises don't have to prevent all employees from using certain Web applications and losing out on the potential benefits of cloud and mobile apps, while still being able to effectively enforce security policies.

More from Michael Cobb

Read more enterprise application security advice from Michael Cobb.

Ask Michael Cobb about application or platform security.

Developing a procedure for reviewing and investigating alerts and improving rule sets

A Web security gateway will produce alerts when a rule is broken or a threshold is reached, and procedures need to be in place to deal with them to ensure a quick, effective, consistent and organized response. The prioritization of events is very important, particularly if there are multiple incidents to deal with. Incidents involving high-value or business-critical systems or data, or those where there's a danger of further compromise, should be investigated first.

Finally, to quantify and evaluate a secure Web gateway's effectiveness, record the types, numbers and costs of incidents as well as alerts. Constant monitoring of the Web security gateway dashboard and the visual mapping of traffic types will enable administrators to reduce the number of false alerts and improve rules affecting bandwidth. It is also important to establish an audit procedure to check that rule sets are working as intended and are enforcing security policy correctly.

About the author: 
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 15 years of experience in the IT industry and another 16 years of experience in finance. He is founder and managing director of Cobweb Applications Ltd., a consultancy that helps companies secure their networks and websites, and also helps them achieve ISO 27001 certification. He co-authored the book
IIS Securityand has written numerous technical articles for leading IT publications. He is also a Microsoft Certified Database Administrator and a Microsoft Certified Professional.

This was last published in November 2012

Dig Deeper on Web application and API security best practices