Expert Guide to Secure Web Gateways

Many organizations are moving malware protection to the Web and investing in Secure Web Gateways. These products combine URL filtering with antimalware protection, Web application controls and centralized management. This e-guide will help sort through the different feature options and deployment challenges, and help you bring efficiency to your threat management programs by centralizing Web-based security so that you stop managing numerous standalone Web security products.

Contents
Tying business needs to technology
The Request for Information (RFI)
Decision time: Final differentiators to make a vendor selection

Tying business needs to technology
Adrian Lane

Assessing the business issue

If this is the first time you've heard about secure Web gateways, fear not. You've most likely used (or currently use) one of its predecessors, such as network accelerators, unified threat management systems, or email security gateways. Secure Web gateways (SWG) form the convergence point of all of these technologies. These products are not new, but they've been amended to address a set of security problems that logically overlap, and bring all of the aforementioned products under one umbrella.

Secure Web gateways are an assortment of security capabilities, but they all boil down to their ability to inspect Web traffic. You can think of them as a sort of firewall, but rather than block network traffic, secure Web gateways focus on the traffic and content coming through port 80 (the network port through which all HTTP and related Web traffic passes), looking for evidence of malicious software and misuse, and checking user adherence to corporate Internet policy.

SWGs also validate that remote users leveraging mobile devices are not unintentionally spreading viruses to other systems when they connect from home. In order to guard against a wide number of threats across all known Web protocols, originating inside and outside the corporate network, these gateway products must apply many analysis techniques to validate activity and content.

Secure Web gateways are an evolutionary convergence point of different security products. Vendors, driven by customer requirements and the presumed need to differentiate their products, have packed just about every conceivable Web security feature into these platforms. What began as a set of distinct security challenges, addressed by niche products, has now morphed into a common platform with a common feature set.

In fact, the vendors in the SWG space come from very different specialties. Some were network accelerators and load balancers that added filtering and packet inspection, and moved up the stack to Layer-7 content analysis. Some were email security tools (such as antivirus and antispam) that evolved to include antimalware, and later URL filtering. Some were general network security appliances, providing firewall and VPN services, morphing first into UTMs. Still others are a bundle of acquired technologies, merged under a Web management interface to fill demand in the evolving Web gateway market. As it stands, these vendors have now met in the middle and evolved into secure Web gateways.

With each emerging threat to corporate IT networks, new features are layered on, creating a Web traffic Swiss-army knife for security. And despite the differences in how they arrived at this point, vendors have followed the path of emerging threats to IT systems.

Business Benefits

Enterprises and midmarket firms have invested in secure Web gateways because their traditional firewalls don't stop the attacks against their systems. Threats come over network port 80, just like legitimate Web services, making it difficult to sift out attacks and misuse from approved traffic. Worse, the threats are constantly evolving, leveraging different communication channels such as email, webpages, file attachments, image uploads, application calls, and just about any other traffic you can think of to hide their activity.

Customers view this as a single problem space: malicious Web content. They don't want to buy a dozen different products, one for each specific threat, going through a dozen different product validation efforts to solve what they consider to be a single problem. Nor do they want to manage a dozen different products across different interfaces, customizing each product to their environment. In response, SWGs bundle all of the features necessary to monitor Web activity, consuming all the different flavors of traffic to detect inbound and outbound security issues. These products combine, at a minimum, URL filtering, content filtering and antimalware protection. Most include application whitelisting and botnet detection, and all of these capabilities are managed through a central Web management console.

Because of increased demand across every market vertical and every size of company, we've geared this e-guide to help you understand what to look for in a secure Web gateway product. We'll sort through the different feature options and deployment challenges with SWGs and help you bring efficiency to your threat management programs. We'll examine the core and advanced features in detail, cover the most common deployment models, and discuss what to look for in a product depending upon your use case.

The Request for Information
Adrian Lane

Secure Web gateways are an important strategic and technology investment for any organization. Most threats come from the Web and in many forms, rendering traditional firewalls ineffective against most of what attackers can pull off today. As your organization evaluates secure Web gateways, keep in mind several use cases for these tools and the available core features.

The following is a list of the most pressing Web security issues, and the reasons why customers invest in secure Web gateways.

Malicious links. URLs to sites that host malicious code which, in the best case, compromise your browser, or, in the worst case, infect your PC with malware. These URLs come disguised as email from Grandma, or are embedded within your favorite websites, easily duping the unsuspecting user. URL filtering works by comparing inbound and outbound links with databases of known malicious sites, blocking requests on users' behalf to avoid infection.

Malware. Most firms have antivirus software installed on corporate endpoints, but most AV is ineffective against malware. Infections from malware often require IT to reimage the machine, or the software equivalent of nuking from orbit. Once it's infected one machine, it quickly propagates by replicating itself in files, sniffing then exploiting credentials, exploiting known vulnerabilities or spamming infected content to users. It's therefore critical to detect malware as soon as possible, hopefully before it reaches the unsuspecting user's machine.

Unapproved applications. Movie downloads, Tor networks, live streaming of sporting events, video game servers and other applications that are not approved for business use clog network bandwidth. Many of these applications come with malware and spyware, creating both a performance and a security issue. Some SWGs filter all network traffic generated by unapproved applications. Commonly called application whitelisting, this form of application control has quickly jumped to the top of customers' requirements lists as it's effective at stopping all sorts of unwanted services from abusing corporate networks.

Social media. Social media is a legitimate tool for companies to promote brand and customer satisfaction, but these approved uses form only a tiny fraction of total employee use, most of which is for purely personal benefit. Because social media can be a huge time sink and reduce employee productivity, many companies deny access. Web gateways can detect and block requests to social media sites.

IP and data leakage. Sending sensitive corporate data over email and posting intellectual property on Web portals is a serious problem. Systems infected with malware often embed sensitive data in files and attempt to send them out of the company through email, Web services or file transfers. Web security gateways inspect outbound content for inclusion of sensitive data. This feature is called data loss prevention by vendors, but it's really only DLP-lite because it offers only a subset of the content analysis techniques that state-of-the-art DLP platforms provide. As there are many different ways to perform content analysis, there is a wide degree of variation in effectiveness between different products.

Botnet detection. For the last decade, corporate networks have been infected with botnets, which use corporate servers to generate spam and conduct denial of service attacks against other corporations. SWGs can both detect botnet software running inside corporate networks and trying to communicate with the outside world, as well as detect and, in many cases, mitigate inbound denial of service attacks.

Email security. Email security, specifically antispam and antivirus capabilities, remains a core customer driver. Some products include antiphishing capabilities as well, detecting links to bogus services and other malware lurking within the body of email messages. Relatively speaking, email security is the oldest of the core features. While it's not considered the most critical threat to infrastructure, spam and viruses are highly visible annoyances, and phishing has been the root cause of several major data breaches. No product fully solves the email security threat, but they block the vast majority of garbage sent to users.
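The use cases above describe three checks an SWG applies to each request: matching the destination against a database of known malicious sites (URL filtering), blocking categories of application such as social media (application control), and inspecting outbound content for sensitive data (DLP-lite). The following toy policy engine is an added example, not code from the guide or from any vendor's product: every host name, category and pattern in it is constructed, and the threat-intelligence "feed" is a hard-coded set standing in for the vendor feeds the guide mentions later.

```python
"""Toy secure Web gateway policy engine: URL filtering, application (category)
control and DLP-lite outbound inspection in one decision path.
Added example; all domains, categories and patterns are constructed."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed list of known-malicious hosts (placeholders, not real indicators).
# A real SWG refreshes this from a vendor intelligence feed.
MALICIOUS_HOSTS = {"malware-host.example", "phish-login.example"}

# Constructed URL-category database; policy decides which categories to allow.
HOST_CATEGORIES = {
    "social.example": "social-media",
    "stream.example": "streaming",
    "crm.example": "business",
}
BLOCKED_CATEGORIES = {"social-media", "streaming"}

# DLP-lite: two content patterns rather than a full DLP analysis stack.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
MARKER_RE = re.compile(r"\bCONFIDENTIAL\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; cuts false positives on numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Request:
    url: str
    body: str = ""         # outbound payload (POST body, upload, webmail text)
    outbound: bool = True  # True for client -> Internet traffic


@dataclass
class Decision:
    allow: bool
    reason: str


def url_filter(host: str) -> Optional[Decision]:
    """Block destinations present in the malicious-host database."""
    if host in MALICIOUS_HOSTS:
        return Decision(False, f"url-filter: {host} is on the malicious-host list")
    return None


def app_control(host: str) -> Optional[Decision]:
    """Block application categories the policy does not approve."""
    category = HOST_CATEGORIES.get(host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return Decision(False, f"app-control: category {category} is not approved")
    return None


def dlp_lite(body: str) -> Optional[Decision]:
    """Inspect outbound content for a confidentiality marker or a card number."""
    if MARKER_RE.search(body):
        return Decision(False, "dlp: CONFIDENTIAL marker in outbound content")
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            return Decision(False, "dlp: card-like number with valid Luhn checksum")
    return None


def evaluate(req: Request) -> Decision:
    """Run the checks in order: malicious host, application category, then
    outbound content. The first failing check wins (deny-first policy)."""
    host = (urlparse(req.url).hostname or "").lower()
    for verdict in (url_filter(host), app_control(host)):
        if verdict:
            return verdict
    if req.outbound:
        verdict = dlp_lite(req.body)
        if verdict:
            return verdict
    return Decision(True, "allowed")


if __name__ == "__main__":
    # Constructed sample requests exercising each check.
    for r in (Request("https://crm.example/report", body="Q3 numbers attached"),
              Request("http://malware-host.example/dl.exe"),
              Request("https://social.example/post"),
              Request("https://paste.example/new", body="card 4111 1111 1111 1111")):
        d = evaluate(r)
        print(f"{'ALLOW' if d.allow else 'BLOCK':5} {r.url}  ({d.reason})")
```

The order of the checks mirrors the cost of each: a hash lookup against the malicious-host set is cheap and catches the highest-risk traffic, category lookup is nearly as cheap, and content inspection (the only check that reads the payload) runs last and only on outbound traffic. The Luhn check is the kind of simple validation that separates a usable DLP-lite rule from one that blocks every 16-digit order number.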

You'll notice that the set of use cases reads like a feature list: that's because it is. Web-borne threats are the umbrella under which these threats are logically linked, but customers (especially mid-sized firms and small enterprises) only have two or three specific challenges that they need to address. Perhaps email security and information leakage is your priority, or perhaps antimalware and application white-listing, but look for products that provide best-of-breed capabilities in the core areas that you need the most. The rest is gravy.

At a minimum an SWG must include URL filtering, content filtering (DLP-lite), application controls or white-listing, email security, antimalware and malicious code detection. These features provide security controls for the most common (and most commonly abused) Web services. Our research shows only a few customers enable every feature, but it's always nice to know the capabilities exist should you need them in the future. Think of it this way: if you want to add application whitelisting, simply request a new license from your vendor. There is no additional proof of concept or evaluation procedure, just a simple adjustment to the configuration. Add-on features may not be best of breed, but you avoid another evaluation process and realize the cost savings of bundled pricing. The convenience creates a degree of stickiness, making it much more likely that you will stay with a vendor once you've made your initial selection.

Ease of use is a significant issue for users of SWGs. With features bolted on, not all capabilities are fully integrated. In some cases, it can be several products with several administrative interfaces. In other cases you have a single Web interface to set policies and configuration, but the user interface is half-baked and designed by technical people for technical people. It's really hard to weed out potential vendors based upon the normal request for proposal (RFP) or request for information (RFI) documents; it becomes clear which vendors have their act together the first time you get your hands on their products and have to set them up in a real environment.

While there is a veritable smorgasbord of features in every product, customer requirements are siloed into a handful of threats deemed most critical to their business. Again, the effectiveness of the features that are critical to you is not easy to ascertain with an RFP/RFI. Most customers we speak with view Web threats differently from peer organizations, and they have different expectations of their users, so some choose to address risks to their organization with a slightly different mix of controls. It's this fractured demand, coupled with the fact that each vendor has specific strengths, that allows 15-plus vendors to compete in this security market. Vendors keep adding feature upon feature to differentiate their product, and to give themselves a degree of stickiness by providing add-on features as customer requirements evolve. But again, each vendor does a couple of things well; the rest of the functions, not so much.

In addition to the core features listed above, there are several additional features commonly offered with secure Web gateways. While these may not be available with every product, we find that for some customers (especially mid-sized and large enterprises) these are critical features.

Network optimization. Load balancing, network segmentation, failover and even network layer packet analysis are features inherent to some of the SWG platforms. Small firms that need only a single appliance to protect their back office won't require these features, but they are essential to large enterprises.

Centralized management. If your vendor offers four products with four management consoles you'll quickly see that their definition of integration means Band-Aided together under the same Web admin page and style sheet. Just because the features share the same login page does not mean the products are integrated. Centralized management is important to large and small companies alike as it means getting your job done more easily and faster. If you can go to one place to set policies, and those policies are applied consistently across all of your installations, you save time and make fewer mistakes.

Virtual private networks. VPNs provide a secure link between remote offices, or connectivity for employees working from home or on the road. In the last five years there has been a dramatic increase in the number of people who work remotely, and VPN connections provide a fast and efficient connection to internal corporate resources. At the same time, remote devices provide malware and viruses with an easy path into your trusted network; by coupling VPN connectivity with content and malware detection, SWGs provide a secure bridge to IT resources.

Encrypted session interception/inspection. Use of encrypted tunnels, such as HTTPS or SSH, allows users a means to ensure privacy and integrity when communicating with external services. It's also a great way for attackers and rogue employees to exfiltrate data. Secure session interception is where outbound connections are monitored by the SWG. In this case the gateway acts as an encryption proxy for the user, decrypting the data stream, then validating that intellectual property, pornography or other undesirable content is not passing through. The session is then established by the SWG on the user's behalf, and content is re-encrypted before it is passed along.

Security intelligence. Threats change weekly, with new malware, malicious websites and phishing attacks launched on unsuspecting users. Many vendors offer third-party intelligence feeds that automatically update rules and malware signature files based upon global intelligence.

Questions to ask:

These critical questions should be asked in a secure Web gateway evaluation:

1. What threats are you worried about, and have you performed a risk assessment? You will need to prioritize features based upon the most pressing issues that need to be addressed.
2. Do you have the expertise in house to deploy and manage a product? Do you need deployment assistance to get you over the hump, or is it more cost effective to engage a managed service provider?
3. Does your business produce highly advanced intellectual property? Do you need inbound and outbound content inspection?
4. Are you worried about spear-phishing and targeted attacks? Companies that are targets of foreign nations or need to worry about APT will need to focus on these types of attacks.
5. Does your organization prefer hardware appliances or software, or is a SaaS-based service more appealing?
6. Are you only interested in keeping users away from hostile sites, or are you worried about lower productivity from social applications? These two features highlight the differences between controlling users vs. controlling applications.
7. Are you looking for a solution because you are dissatisfied with what you have, or is the current solution lagging in performance or functionality? Rip and replace requires more effort and preparation than augmentation.
8. Do you need to monitor encrypted traffic and incur the associated overhead and possible performance degradation? This feature requires special deployments and performance analysis.
9. Are you trying to stop internal activities that reduce productivity (spam, social media, streaming media), or are you more focused on keeping attackers out of your network (anti-malware, phishing)?
10. How do you secure remote users, VPNs and mobile devices? How do you provide remote account and mobile services?

Decision time: Final differentiators to make a vendor selection
Adrian Lane

Product benefits and tradeoffs

Once you have a handle on your requirements for a secure Web gateway, understand stakeholder priorities and which features you want to turn on and deploy, you have a final decision to make: How will you deploy the tool? This will be critical as you make the final call on purchasing a gateway. Fortunately there are several different deployment options, each offering advantages for customer-specific requirements in speed, ease of use and flexibility of deployment. Let's look at the advantages and disadvantages of the available options and nail down the final decision:

Appliance. Appliances are the most common deployment method for SWGs. They are fast, inexpensive and completely self-contained. Slide one in your rack, turn it on and you are operational. You avoid the software and hardware platform biases. And several even provide specialized hardware to speed up certain computationally expensive functions, outperforming all rivals. The downside is, as they age, they typically fall behind customer performance demands and need to be replaced as opposed to upgraded. Scalability means buying more appliances. Disaster recovery and failover means you buy more boxes. In an age where more firms are moving to internal cloud and virtualized server environments, the hardware model fails to integrate in those data center architectures.

Software. A handful of vendors still provide SWGs as software. Software offers flexibility and scalability options that hardware does not. If you need more processing power, simply allocate or install more resources. While software requires more up-front time to install and configure, it offers advantages in flexibility of deployment, integration and resource allocation (memory, processor, disk). And software licensing is easier to tune to your specific needs, resulting in lower overall costs for most customers.

Virtual appliance. The fastest growing deployment option today is a virtual appliance. This deployment option is the direct result of companies looking to reduce costs and administrative hassles through virtualization platforms. As the name implies, these are a software image of a hardware appliance. In many ways they offer the best of both worlds; they scale like software but offer the pre-configured deployment of hardware. And virtual appliances naturally integrate with virtual server deployments. The downside is that virtual appliances don't have the dedicated hardware acceleration that some appliances offer, so performance between virtual and real appliances varies considerably. And as virtual appliances are no longer pre-packaged affairs, the customer has to monitor resource utilization and periodically tune them in order to provide good performance.

Cloud-based/hybrid deployments. Some vendors are launching cloud service offerings to complement or supplant on-premise solutions. When internal hardware is overtaxed by antispam or rigorous content analysis, it's easy to offload that processing to a cloud service provider to ease the burden on your in-house platforms. Similarly, some customers want third-party cloud services simply because they lack in-house staff to manage the product. Cloud-based security gateways as a service offer elastic, on-demand Web filtering without alteration to existing IT systems. In this model, network services are routed through the cloud service provider prior to being sent to you, the customer. Customers can choose to enable a subset of the features (perhaps because their current system does not offer URL filtering) and simply pay for that service as they go.

Sealing the deal

Each of these options is sold under a different pricing model. For example, hardware is sold based upon the level of potential throughput the appliance supports, and must be accounted for as a CAPEX expenditure. Cloud services are billed monthly as the user consumes the service and fall under OPEX. Multiple models give customers some flexibility both in how they use the product as well as how they pay for the product.

All of the vendors are in a race to provide a comparable breadth of features, but given the evolutionary track each has followed, remember that your vendor won't do everything well. They will have specific core competencies, with additional features hastily added on or acquired that lack a degree of efficiency or effectiveness. For example, a vendor may have deep experience with the network layer, so its load balancing and packet inspection provide incredible performance, but it does a mediocre job at content and email security. Your buying decision will be based upon this balancing act, selecting the vendor that focuses on the areas you deem most critical, yet still offers the flexibility and pricing models that work for your organization.

Free resources for technology professionals

TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web's largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more, drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor-neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real-world information in real time with peers and experts.

What makes TechTarget unique?

TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers, all to create compelling and actionable information for enterprise IT professionals across all industries and markets.