What is SWG (Secure Web Gateways)?
In the past, Secure Web Gateways (SWGs) worked primarily as appliances on the local network. However, this is currently changing as enterprises are increasingly moving to cloud-based SWGs to provide secure Internet access in remote offices that are directly connected to the Internet. This saves them the hassle of first bringing all traffic from such branch offices to corporate headquarters – via a VPN, for example – and then forwarding it to the Internet via the head office SWG. Hybrid solutions that combine on-premises appliances with cloud offerings are also gaining popularity.
Filtering web traffic
One of the most important components of an SWG is definitely the web filter. Although this technology is now often also available – at least in rudimentary form – in firewall appliances and other security solutions, it still plays a very important role for web gateways, as only very powerful filters are capable of meeting comprehensive compliance requirements.
Most web filters typically work with lists where the administrator can select which content to block. In practice, such lists are divided into different categories, for example, “Gambling”, “Religion”, “Malware”, “Shopping”, “Social Networking” or “Violence” and it is enough to put a checkmark on the categories to be filtered out. The SWG then blocks all access attempts from the LAN to the URLs entered in the categories.
It is already clear here that the quality of the lists is one of the most important criteria for the effectiveness of the filter. If any relevant URLs have not been captured, for example, because they publish their content in a language that the manufacturer of the SWG does not know, the filter will be ineffective.
With powerful filter solutions, the responsible employees usually also have the option of creating white and black lists and thus always allowing or permanently blocking certain pages. If the SGW blocks a URL, it usually displays a page of information to the user. It usually states that the page was blocked, why it was blocked, and who to contact to unblock it.
However, some solutions allow users to say to themselves that they want to access the content despite the policy responsible for blocking the URL. In this case, the SWG releases the access, but logs it and informs the responsible parties about the operation. Many products also bring the ability to define specific users who are allowed to access individual categories or pages that are closed to other users, such as the “shopping” category for employees in the purchasing department.
Problems that web filters have to deal with during operation are attempts by users to bypass the filters, for example by using alternative protocols, such as HTTPS instead of HTTP. In this case, access is encrypted and the SWG cannot identify which URL the user requests are aimed at. The only solution is to completely block all HTTPS accesses or to use a SWG that is capable of decrypting SSL connections, examining them, and then establishing an encrypted connection to the target system itself.
Such solutions are offered by ContentKeeper, Sangfor, Symantec, and Zscaler, among others. Forecepoint takes a different approach: the company has added a feature to some of its products that includes a TLS/SSL encryption port mirror. Through this mirror port, passive security solutions are able to examine encrypted data without the need for additional add-on solutions.
Other security functions
As mentioned earlier, web filters are no longer found only in SWGs, but also in other security products. Therefore, they no longer play quite such a crucial role when it comes to choosing a Secure Web Gateway. In recent years, therefore, other security technologies have become more important in the selection process. For example, many SWG manufacturers now work with antivirus product vendors and integrate them into their solutions.
In this way, SWGs are enabled to scan data transmissions directly for malware infestation. Some solutions, such as those from Barracuda Networks, also provide a sandbox to scrutinize downloaded files. There are also products – from Cisco, for example – that can handle DNS redirection and prevent web calls from domains classified as bad. Sophos solutions also analyze any downloaded code before it is executed. In this way, they go a long way to provide comprehensive security for the corporate network.
Special application domains
Some vendors also focus on specific application areas, such as Forcepoint, which implements laptop protection outside of a corporate network. In contrast, other vendors – such as iboss – integrate NetFlow analytics into their products to detect malware.
Another approach is to keep a close eye on the applications used in the company. In this way, the responsible employees are able to record in detail what actions users can perform on portals such as Facebook or Tumblr. With some products, such as Forcepoint, they can also create rules for cloud apps and block or allow them completely. In addition, administrators often also have the option to block apps like BitTorrent or Skype, even if they use different ports.
Some providers also deliver other features with their solutions, such as mail filters that specialize in filtering out malware from email traffic. The same applies to data loss prevention functions, which ensure that critical data, such as company information, patient data, or even account and credit card information, cannot be transferred via the SWG.
Management and reporting
Today, SWGs are typically administered via a central management tool. Comprehensive reporting functions ensure that administrators are always aware of all actions taking place and help to meet compliance requirements. The same applies to the creation of log files. So administrators usually only have to deal with one management tool that covers both configuration and reporting.
Key players in the SWG market
Gartner classifies Barracuda Networks (this company offers relatively low-cost solutions for SMBs, among others) as a “niche player” for SWGs. The same is true for ContentKeeper, Sangfor, Sophos, and Trend Micro. The only “Visionary” is iboss, while the “Challengers” include Cisco, Forcepoint, and McAfee. Finally, the “Leaders” are Symantec and Zscaler.