Expert Guide to Secure Web Gateways
Page 1 of 13
Contents
Tying business needs to technology
The Request for Information (RFI)
Decision time: Final differentiators to make a vendor selection
Many organizations are moving malware protection to the Web and investing in Secure Web Gateways. These products combine URL filtering with antimalware protection, Web application controls and centralized management. This e-guide will help sort the different feature options and deployment challenges, and help you bring efficiency to your threat management programs by centralizing Web-based security rather than managing numerous standalone Web security products.
Tying business needs to technology, by Adrian Lane
Assessing the business issue
If this is the first time you’ve heard about secure Web gateways, fear not.
You’ve most likely used—or currently use—one of its predecessors, such as
network accelerators, unified threat management systems, or email security
gateways. Secure Web gateways (SWG) form the convergence point of all of
these technologies. These products are not new, but they’ve been amended
to address a set of security problems that logically overlap, and bring all of
the aforementioned products under one umbrella.
Secure Web gateways are an assortment of security capabilities, but they all
boil down to their ability to inspect Web traffic. You can think of them as a
sort of firewall, but rather than block network traffic, secure Web gateways
focus on the traffic and content coming through port 80—the network port
through which all HTTP and related Web traffic passes—looking for evidence
of malicious software, misuse and user adherence to corporate Internet
policy.
SWGs also validate that remote users leveraging mobile devices are not
unintentionally spreading viruses to other systems when they connect from
home. In order to guard against a wide number of threats across all known
Web protocols, originating inside and outside the corporate network, these
gateway products must apply many analysis techniques to validate activity
and content.
Secure Web gateways are an evolutionary convergence point of different
security products. Vendors, driven by customer requirements and the
presumed need to differentiate their products, have packed just about every
conceivable Web security feature into these platforms. What began as a set
of distinct security challenges, each addressed by niche products, has now
morphed into a common platform with a common feature set.
In fact, the vendors in the SWG space come from very different specialties.
Some were network accelerators and load balancers that added filtering and
packet inspection, and moved up the stack to Layer-7 content analysis.
Some were email security tools (such as antivirus, antispam) that evolved to
include antimalware, and later URL filtering. Some were general network
security appliances, providing firewall and VPN services, morphing first into
UTMs. Still others are a bundle of acquired technologies, merged under a
Web management interface to fill demand in the evolving Web gateway
market. As it stands, these vendors have now met in the middle and evolved
into secure Web gateways.
With each emerging threat to corporate IT networks, new features are
layered on, creating a Web traffic Swiss-army knife for security. And despite
the differences in how they arrived at this point, vendors have followed the
path of emerging threats to IT systems.
Business Benefits
Enterprises and midmarket firms have invested in secure Web gateways
because their traditional firewalls don’t stop the attacks against their systems.
Threats come over network port 80, just like legitimate Web services, making
it difficult to sift out attacks and misuse from approved traffic. Worse, the
threats are constantly evolving, leveraging different communication protocols
such as email, webpages, file attachments, image uploads, application calls,
and just about any other traffic you can think of to hide their activity.
Customers view this as a single problem space: malicious Web content.
They don’t want to buy a dozen different products for each specific threat,
going through a dozen different product validation efforts to solve what they
consider to be a single problem. Nor do they want to manage a dozen
different products across different interfaces, customizing each product to
their environment. In response SWGs bundle all of the features necessary to
monitor Web activity, consuming all different flavors of traffic to detect
inbound and outbound security issues. These products combine, at a
minimum, URL filtering, content filtering and antimalware protection. Most
include application whitelisting and botnet detection, and all of these
capabilities are managed through a central web management console.
Because of increased demand across every market vertical and with every
size of company, we’ve geared this e-guide to help you understand what to
look for in a secure Web gateway product. We’ll sort through the different
feature options and deployment challenges with SWGs and help you bring
efficiency to your threat management programs. We’ll examine the core and
advanced features in detail; cover the most common deployment models,
and what to look for in a product depending upon your use case.
The Request for Information, by Adrian Lane
Secure Web gateways are an important strategic and technology investment
for any organization. Most threats come from the Web and in many forms,
rendering traditional firewalls ineffective against most of what attackers can
pull off today. As your organization evaluates secure Web gateways, keep in
mind several use cases for these tools and the available core features.
The following is a list of the most pressing Web security issues, and the
reasons why customers invest in secure Web gateways.
Malicious links. URLs to sites that host malicious code which, at best,
compromise your browser or, at worst, infect your PC with malware.
These URLs come disguised as email from Grandma, or are embedded within
your favorite websites, easily duping the unsuspecting user. URL filtering
works by comparing inbound and outbound links with databases of known
malicious sites, blocking requests on users’ behalf to avoid infection.
Malware. Most firms have antivirus software installed on corporate
endpoints, but most AV is ineffective against malware. Infections from
malware often require IT to reimage the machine, or the software equivalent
of nuking from orbit. Once it’s infected one machine, it quickly propagates by
replicating itself in files, sniffing then exploiting credentials, exploiting known
vulnerabilities or spamming infected content to users. It’s therefore critical to
detect malware as soon as possible, hopefully before it reaches the
unsuspecting user’s machine.
Unapproved applications. Movie downloads, Tor networks, live streaming
of sporting events, video game servers and other applications that are not
approved for business use clog network bandwidth. Many of these
applications come with malware and spyware, creating both a performance
and security issue. Some SWGs filter all network traffic generated by
unapproved applications. Commonly called application whitelisting, this form
of application control has quickly jumped to the top of customer requirements
list as it’s effective at stopping all sorts of unwanted services from abusing
corporate networks.
Social media. Social media is a legitimate tool for companies to promote
brand and customer satisfaction, but these approved uses form only a tiny
fraction of total employee use, most for purely personal benefit. Because
social media can be a huge time sink and reduce employee productivity,
many companies deny access. Web gateways can detect and block requests
to social media sites.
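As an added illustration (not code from this e-guide or from any vendor's product), the following Python sketches the request-evaluation step behind the "Malicious links" and "Social media" use cases above: canonicalize the destination host, then match it against a malicious-host list and a category policy. The blocklist, category map and sample URLs are constructed for the example.

```python
"""Minimal URL-filtering policy check of the kind an SWG applies per request.

Added example, not code from the e-guide or any vendor. All lists below are
constructed sample data.
"""
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample data: hosts known to serve malicious content.
MALICIOUS_HOSTS = {"malware-drop.example", "phish-login.example"}

# Constructed sample data: host -> category, as a URL categorization feed would supply.
CATEGORY_OF_HOST = {
    "social.example": "social-media",
    "video.example": "streaming",
}

# Constructed corporate policy: categories the gateway should block.
BLOCKED_CATEGORIES = {"social-media", "streaming"}


def normalize_host(url: str) -> Optional[str]:
    """Return the canonical hostname the browser would actually connect to.

    Naive substring matching on the raw URL is defeated by mixed case, a
    trailing dot, an explicit port, userinfo such as
    "http://bank.example@evil.example/", and internationalized names. We use
    the parsed hostname (already lowercased, with userinfo and port removed),
    strip the trailing dot, and convert to the ASCII (punycode) form.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = parts.hostname
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None  # malformed label (e.g. over 63 characters)


def host_suffixes(host: str) -> List[str]:
    """All parent domains of host, longest first: a.b.c -> [a.b.c, b.c, c].

    Matching on suffixes lets an entry for "social.example" also cover
    "www.social.example" without listing every subdomain.
    """
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def evaluate(url: str) -> Tuple[str, str]:
    """Return ("block" | "allow", reason) for one outbound request."""
    host = normalize_host(url)
    if host is None:
        # Fail closed: a request the gateway cannot parse is not forwarded.
        return ("block", "unparseable-or-unsupported-url")
    for candidate in host_suffixes(host):
        if candidate in MALICIOUS_HOSTS:
            return ("block", "malicious-host:" + candidate)
    for candidate in host_suffixes(host):
        category = CATEGORY_OF_HOST.get(candidate)
        if category in BLOCKED_CATEGORIES:
            return ("block", "category:" + category)
    return ("allow", "no-policy-match")
```

Note that only the destination host is inspected; the e-guide's "content filtering" and "antimalware" features look inside the response, which this example does not attempt.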
IP and data leakage. Sending sensitive corporate data over email and
posting intellectual property on Web portals is a serious problem. Systems
infected with malware often embed sensitive data in files and attempt to send
them out of the company though email, Web services or file transfers. Web
security gateways inspect outbound content for inclusion of sensitive data.
This feature is called data loss prevention by vendors, but it’s really only
DLP-lite because it offers only a subset of content analysis techniques that
state-of-the-art DLP platforms provide. As there are many different ways to
perform content analysis, there is a wide degree of effectiveness between
different products.
Botnet detection. For the last decade, corporate networks have been
infected with botnets, which use corporate servers to generate spam, and
conduct denial of service attacks against other corporations. SWGs can
detect botnet software running inside corporate networks and trying to
communicate with the outside world, and can detect and, in many cases,
mitigate inbound denial of service attacks.
Email security. Email security, specifically antispam and antivirus
capabilities, remains a core customer driver. Some products include
antiphishing capabilities as well, detecting links to bogus services and other
malware lurking within the body of email messages. Relatively speaking,
email security is the oldest of the core features. While it’s not considered the
most critical threat to infrastructure, spam and viruses are highly visible
annoyances, and phishing has been the root cause for several major data
breaches. No product fully solves the email security threat, but they block the
vast majority of garbage sent to users.
You’ll notice that the set of use cases reads like a feature list: That’s because
it is. Web-borne threats are the umbrella under which these threats are
logically linked, but customers—especially mid-sized firms and small
enterprises—typically have only two or three specific challenges that they
need to address. Perhaps email security and information leakage are your
priority, or perhaps antimalware and application whitelisting, but look for
products that provide best-of-breed capabilities in the core areas that you
need the most. The rest is gravy.
At a minimum, an SWG must include URL filtering, content filtering (DLP-lite),
application controls or whitelisting, email security, antimalware and
malicious code detection. These features provide security controls for the
most common, and most commonly abused, Web services. Our research
shows only a few customers enable every feature, but it’s always nice to
know the capabilities exist should you need them in the future. Think of it this
way: If you want to add application whitelisting, simply request a new license
from your vendor. There is no additional proof of concept or evaluation
procedure, just a simple adjustment to the configuration. Add-on features
may not be best of breed, but you avoid another evaluation process and
realize cost savings of bundled pricing. The convenience creates a degree of
stickiness making it much more likely that you will stay with a vendor once
you’ve made your initial selection.
Ease of use is a significant issue for users of SWGs. With features bolted on,
not all capabilities are fully integrated. In some cases, it can be several
products with several administrative interfaces. In some cases you have a
single Web interface to set policies and configuration, but the user interface
is half-baked and designed by technical people for technical people. It’s
really hard to weed out potential vendors based upon the normal request for
proposal (RFP) or request for information (RFI) documents; it becomes clear
which vendors have their act together the first time you get your hands on
their products and have to set them up in a real environment.
While there is a veritable smorgasbord of features in every product, customer
requirements are siloed into a handful of threats deemed most critical to their
business. Again, gauging the effectiveness of the features that are critical to
you is not easy to ascertain with an RFP/RFI. Most customers we speak with
view Web threats differently from peer organizations, and they have different
expectations of their users, and some choose to address risks to their
organization with a slightly different mix of controls. It’s this fractured
demand, coupled with the fact that each vendor has specific strengths, that
allows 15-plus vendors to compete in this security market. Vendors keep
adding feature upon feature to differentiate their product, and give them a
degree of stickiness in providing add-on features as customer requirements
evolve. But again, each vendor does a couple of things well—the rest of the
functions, not so much.
In addition to the core features listed above, there are several additional
features commonly offered with secure Web gateways. While these may not
be available with every product, we find for some customers—especially with
mid-sized and large enterprises—that these are critical features.
Network optimization. Load balancing, network segmentation, failover and
even network layer packet analysis are features inherent to some of the
SWG platforms. Small firms that need only a single appliance to protect
their back office won’t require these features, but they are essential to large
enterprises.
Centralized management. If your vendor offers four products with four
management consoles you’ll quickly see that their definition of integration
means Band-Aided together under the same Web admin page and
stylesheet. Just because the features share the same login page does not mean
the products are integrated. Centralized management is important to large
and small companies alike as it means getting your job done easier and
faster. If you can go to one place to set policies, and those policies are
applied consistently across all of your installations, you save time and make
fewer mistakes.
Virtual private networks. VPN features provide a secure link between
remote offices, or connectivity for employees working from home or
on the road. In the last five years there has been a dramatic increase in the
number of people who work remotely and VPN connections provide a fast
and efficient connection to internal corporate resources. At the same time,
remote devices provide malware and viruses with an easy path into your
trusted network; by coupling VPN connectivity with content and malware
detection, SWGs provide a secure bridge to IT resources.
Encrypted session interception/inspection. Use of encrypted tunnels,
such as HTTPS or SSH, allows users a means to ensure privacy and
integrity when communicating with external services. It’s also a great way for
attackers and rogue employees to exfiltrate data. Secure session interception
is where outbound connections are monitored by the SWG. In this case the
gateway acts as an encryption proxy for the user, decrypting the data stream,
then validating that intellectual property, pornography or other undesirable
content is not passing through. The session is then established by the SWG
on the user’s behalf, and content is re-encrypted before it is passed along.
Security intelligence. Threats change weekly, with new malware, malicious
websites and phishing attacks launched on unsuspecting users. Many
vendors offer third-party intelligence feeds that automatically update rules
and malware signature files based upon global intelligence.
Questions to ask:
These critical questions should be asked in a secure Web gateway
evaluation:
1. What threats are you worried about and have you performed a risk
assessment? You will need to prioritize features based upon the
most pressing issues that need to be addressed.
2. Do you have the expertise in house to deploy and manage a
product? Do you need deployment assistance to “get you over the
hump,” or is it more cost effective to engage a managed service
provider?
3. Does your business produce highly advanced intellectual property?
Do you need inbound and outbound content inspection?
4. Are you worried about spear-phishing and targeted attacks?
Companies that are targets of foreign nations or need to worry about
APT will need to focus on these types of attacks.
5. Does your organization prefer hardware appliances, software or is a
SaaS based service more appealing?
6. Are you only interested in keeping users from hostile sites, or are
you worried about lower productivity from social applications? These
two features highlight the differences between controlling users vs.
controlling applications.
7. Are you looking for a solution because you are dissatisfied with what
you have, or is the current solution lagging in performance or
functionality? Rip and replace requires more effort and preparation
than augmentation.
8. Do you need to monitor encrypted traffic and incur the associated
overhead and possible performance degradation? This feature
requires special deployments and performance analysis.
9. Are you trying to stop internal activities that reduce productivity—
spam, social media, streaming media—or are you more focused on
keeping attackers out of your network (anti-malware, phishing)?
10. How do you secure remote users, VPNs and mobile devices? How
do you provide remote account and mobile services?
Decision time: Final differentiators to make a vendor selection, by Adrian Lane
Product benefits and tradeoffs
Once you have a handle on your requirements for a secure Web gateway,
understand stakeholder priorities and which features you want to turn on and
deploy, you have a final decision to make: How will you deploy the tool? This
will be critical as you make the final call on purchasing a gateway.
Fortunately there are several different deployment options, each offering
advantages for customer-specific requirements in speed, ease of use and
flexibility of deployment. Let’s look at the advantages and disadvantages of
the available options and nail down the final decision:
Appliance. Appliances are the most common deployment method for SWGs.
They are fast, inexpensive and completely self-contained. Slide one in your
rack, turn it on and you are operational. You avoid the software and
hardware platform biases. And several even provide specialized hardware to
speed up certain computationally expensive functions, outperforming all
rivals. The downside is, as they age, they typically fall behind customer
performance demands and need to be replaced as opposed to upgraded.
Scalability means buying more
appliances. Disaster recovery and failover means you buy more boxes. In an
age where more firms are moving to internal cloud and virtualized server
environments, the hardware model fails to integrate in those data center
architectures.
Software. A handful of vendors still provide SWGs as software. Software
offers flexibility and scalability options that hardware does not. If you need
more processing power, simply allocate or install more resources. While
software requires more up-front time to install and configure, it offers
advantages in flexibility of deployment, integration and resource allocation—
such as memory, processor, disk. And software licensing is easier to tune to
your specific needs, resulting in lower overall costs for most customers.
Virtual appliance. The fastest growing deployment option today is a virtual
appliance. This deployment option is the direct result of companies looking to
reduce costs and administrative hassles through virtualization platforms. As
the name implies, these are a software image of a hardware appliance. In
many ways they offer the best of both worlds; they scale like software but
offer the pre-configured deployment of hardware. And virtual appliances
naturally integrate with virtual server deployments. The downside is the
virtual appliances don’t have dedicated hardware acceleration that some
appliances offer, so performance between virtual and real appliances varies
considerably. And as virtual appliances are no longer pre-packaged
affairs, they require the customer to monitor resource utilization and
periodically tune them in order to provide good performance.
Cloud-based/hybrid deployments. Some vendors are launching cloud
service offerings to complement or supplant on-premise solutions. When
internal hardware is overtaxed by antispam or rigorous content analysis, it’s
easy to offload that processing to a cloud service provider to ease the burden
on your in house platforms. Similarly, some customers want third-party cloud
services simply because they lack in-house staff to manage the product.
Cloud-based security gateways as a service offer elastic, on-demand Web
filtering without alteration to existing IT systems. In this model, network
services are routed through the cloud service provider prior to being sent to
you, the customer. Customers can
choose to enable a subset of the features—perhaps because their current
system does not offer URL filtering—and customers simply pay for that
service as they go.
Sealing the deal
Each of these options is sold under different pricing models. For example,
hardware is sold based upon the level of potential throughput the appliance
supports, and must be accounted for as a capital expenditure (CAPEX). Cloud
services are billed monthly as the user consumes the service and fall under
OPEX. Multiple models give customers some flexibility both in how they use
the product as well as how they pay for the product.
All of the vendors are in a race to provide a comparable breadth of
features, but given the evolutionary track each has followed, remember that
your vendor won’t do everything well. They will have specific core
competencies, with additional features hastily added-on or acquired that lack
a degree of efficiency or effectiveness. For example, a vendor may have
deep experience with the network layer, so its load balancing and packet
inspection provide incredible performance, but it does a mediocre job at
content and email security. Your buying decision will be based upon this
balancing act, selecting the vendor that focuses on the areas you deem most
critical, yet still offers the flexibility and pricing models that work for your
organization.