Secure Web Gateway as a Game Changer in Enterprise Security


As part of Solutions Review’s Premium Content Series, a collection of columns written by industry experts in maturing software categories, David Balaban, a computer security researcher with over 18 years of experience in malware analysis and anti-virus software assessment, shares information about Secure Web Gateway (SWG) technology.

Secure web gateway (SWG) technology has been around for years, but it still raises many questions among enterprise IT teams. How does it differ from a classic proxy server and a next-generation firewall (NGFW)? Will it become a feature of Cloud Access Security Broker (CASB) systems, or is it destined to play a critical role in the increasingly popular Secure Access Service Edge (SASE) framework? What problems do organizations face when implementing SWGs? What are the challenges of SSL inspection when it comes to web applications? Let’s try to find out.

SWG Capabilities and Use Cases

There is an opinion that “secure web gateway” is a fancy marketing term coined to boost sales of a wide variety of proxy servers. However, this is a misconception. SWGs have a broader feature set that ranges from web access security and traffic filtering to common routing, data collection, and analysis. It is essentially a security-centric tool that builds on the classic functions of a proxy.

When proxy servers emerged to optimize users’ online activities, the data they processed was cached due to low channel bandwidths. Later, adding security mechanisms to the caching feature gave rise to SWG. These solutions have since absorbed many security features, becoming the “Swiss army knife” for providing granular, controlled, and sufficiently segregated access to enterprise users. The minimum features of such a tool include web filtering, malware protection, and application control.

Modern SWGs can incorporate one or more antivirus cores, prevent targeted attacks, and integrate with many third-party protection systems, such as Data Loss Prevention (DLP) and anti-phishing tools, via readily available APIs. They can also work in concert with endpoint security solutions by instantly reporting information on indicators of compromise.

Some users cannot grasp the difference between NGFW and SWG because their functionality overlaps in many ways. However, when a full cycle of web application protection is required, the latter is your best bet. It terminates suspicious HTTP/HTTPS connections, allowing much more detailed analysis and, if necessary, modification of web traffic.

What types of secure web gateways are there?

SWG facilitates separation of duties between IT and InfoSec. This is why these systems are prevalent in large enterprises, but there are also many examples of their deployment in relatively compact organizations, such as universities. The cloud SWG industry is currently booming, mainly due to the growing interest of small businesses in these services. There are two categories of cloud-based secure web gateways:

  • Those available on a Software-as-a-Service (SaaS) basis enable a unified web application control policy to be enforced across the organization.
  • Those that operate as virtual appliances, where a vendor deploys a separate SWG image for a particular customer in their cloud environment.

Cloud SWG is one of the critical elements of CASB technology and part of the SASE framework, since web access is the primary data processing channel these days. At the same time, SWG and CASB develop as two independent products without absorbing each other’s features. Unlike SWG, which aims to provide secure access to multiple entities, CASB controls specific cloud applications.

The common SWG licensing model is based on the number of users. The implementation of certain additional features or modules influences the final price. Some organizations prefer to take advantage of NGFW because the number of users is not part of its licensing principle.

SWG Technical Specifications

Many customers question the effectiveness of SWGs based on open source solutions. While publicly available codebases underpin decent implementations of nearly all information security components, there are several issues with their use.

The most significant drawbacks are the complexity of maintenance and the difficult-to-control performance of the resulting system. In addition, proprietary products have much more powerful analysis systems that are constantly refined by teams of dedicated specialists. This is why open source tools tend to be less efficient.

Now let’s zoom in on the protocols supported by modern SWGs and the restrictions on their usage scenarios. Secure web gateways can handle all major protocols used by web applications, including HTTP, HTTPS, and FTP. They are also able to break this traffic down into its components to implement advanced filtering functions. For example, they can control search queries or limit bandwidth for media content.

In the context of today’s Internet ecosystem, an essential feature of SWG is the decryption of SSL traffic. Since most data is transmitted in encrypted form, these tools must “crack” SSL to apply flexible access policies and not be “blind” along the way.

Secure web gateways use web resource reputation databases for traffic filtering. All URLs are divided into categories, the number of which varies from 80 to 120. Finer-grained categorization makes configuring the filtering policy considerably more time-consuming. If a domain is labeled as new or uncategorized, it is treated as potentially untrusted. One of the best practices for handling these URLs is to open them in an isolated browser container.

The database queried by SWG contains both specific domains and URLs. In some cases, this data is enriched with risk levels based on the IP addresses where the resources are located. Suppose a website falls into a trusted category but is hosted on a server or data center used for phishing or other attacks. In this case, this is a valid reason to scrutinize its safety. Additionally, some SWGs use morphological analysis of site content to assess its trustworthiness.

Reports generated by a secure web gateway form the basis of user profiling. The system collects data about a particular employee’s activity to assess the level of risk, which it then takes into account when granting access. A separate solution built into the SWG tracks changes to a user’s profile over time.

Secure Web Gateway Implementation Challenges

Ensuring sufficient bandwidth for DNS-related traffic within the network is critical. Another important aspect is to choose an authentication method that provides the required functionality without overloading the proxy server or the network as a whole. It is also essential to ensure that the SWG can scale vertically and horizontally.

Security professionals should pay special attention to the above-mentioned problem of decrypting HTTPS traffic. To verify that a secure web gateway operates correctly in the continuous SSL inspection paradigm, the certificates it issues must be trusted on all network workstations, including remote user devices.

It should also be noted that many web applications tunnel their proprietary protocols into HTTPS. If such apps are not whitelisted, decrypting their traffic will disrupt their regular operation.
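The access decision described in the reputation-database paragraphs above (category lookup, uncategorized domains sent to an isolated browser, hosting-IP risk overriding a trusted category, per-user risk from SWG reports) and the decrypt-bypass rule for apps that tunnel their own protocols inside HTTPS can be expressed as one small policy engine. The following is an added illustration, not code from the column or from any vendor’s product; the category database, IP ranges (taken from the documentation-only TEST-NET blocks), hostnames and the 70-point risk threshold are all constructed.

```python
"""Toy SWG policy engine (added example; all data below is constructed)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed reputation database. Real SWGs ship 80-120 categories;
# a host missing from the database is "new or uncategorized".
URL_CATEGORIES = {
    "intranet.example.com": "business",
    "news.example.org": "news",
    "files.example.net": "file-sharing",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "file-sharing"}

# Hosting ranges with a bad history (constructed; TEST-NET-3, not real IoCs).
RISKY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Whitelisted apps that tunnel proprietary protocols in HTTPS: never decrypt.
DECRYPT_BYPASS = {"meet.example.com", "update.example.com"}

# Hypothetical threshold: above it a risky-hosted site is blocked, not isolated.
USER_RISK_BLOCK_THRESHOLD = 70


def is_risky_host(ip: str) -> bool:
    """True if the resolved address lies in a risky hosting range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RISKY_NETWORKS)


def decide(url: str, resolved_ip: str, user_risk: int) -> dict:
    """Verdict the gateway enforces for one request.

    user_risk: 0 (clean profile) .. 100 (highly risky), as derived
    from the SWG's own activity reports on the user.
    """
    host = (urlsplit(url).hostname or "").lower()
    if host in DECRYPT_BYPASS:
        # Pass through uninspected; decrypting would break the app.
        return {"action": "allow", "category": "whitelisted-app", "decrypt": False}
    category = URL_CATEGORIES.get(host, "uncategorized")
    if category in BLOCKED_CATEGORIES:
        return {"action": "block", "category": category, "decrypt": True}
    if category == "uncategorized":
        # Untrusted until categorized: open in an isolated browser container.
        return {"action": "isolate", "category": category, "decrypt": True}
    if is_risky_host(resolved_ip):
        # Trusted category but risky hosting: scrutinize instead of trusting.
        action = "block" if user_risk >= USER_RISK_BLOCK_THRESHOLD else "isolate"
        return {"action": action, "category": category, "decrypt": True}
    return {"action": "allow", "category": category, "decrypt": True}
```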

Where is the SWG market headed?

The secure web gateway market will continue to grow as new players enter the scene. Tighter integration with SASE will allow network administrators to manage SWGs from the cloud, through a single console shared with the other framework components. End-to-end security policy management will be the essential feature of such a distributed system.

While some vendors are abandoning the SWG market, the industry leaders with the most feature-rich products in their portfolios will remain. The SWG cloud market will grow faster than the on-premises segment due to the increase in web traffic generated by conventional applications and the massive shift to remote working.

Summary

Secure web gateways are increasingly essential components of organizations’ security infrastructures. This is due to the ever-increasing web traffic, as even locally deployed applications often use cloud services to retrieve or store data. As a result, SWG is becoming one of the bastions of corporate defenses against mainstream and emerging forms of exploitation on the web. Cloud SWGs fit perfectly into the SASE concept and facilitate traffic control not only at the corporate perimeter, but also at remote endpoints.


David Balaban