Expert Guide to Secure Web Gateways

Source: cdn.ttgtmedia.com/.../downloads/WebSecurity_Eguide.pdf

Contents

Tying business needs to technology

The Request for Information (RFI)

Decision time: Final differentiators to make a vendor selection

Many organizations are moving malware protection to the Web and investing in secure Web gateways. These products combine URL filtering with antimalware protection, Web application controls and centralized management. This e-guide sorts through the feature options and deployment challenges and shows how centralizing Web-based security in one product, rather than managing numerous standalone Web security products, can bring efficiency to your threat management program.

Tying business needs to technology, by Adrian Lane

Assessing the business issue

If this is the first time you've heard about secure Web gateways, fear not. You've most likely used, or currently use, one of their predecessors, such as network accelerators, unified threat management systems, or email security gateways. Secure Web gateways (SWGs) are the convergence point of all of these technologies. These products are not new, but they have been extended to address a set of security problems that logically overlap, and they bring all of the aforementioned products under one umbrella.

Secure Web gateways are an assortment of security capabilities, but they all boil down to the ability to inspect Web traffic. You can think of them as a sort of firewall, but rather than block network traffic by address and port, secure Web gateways focus on the traffic and content carried over HTTP (conventionally port 80) and, where the gateway is configured to decrypt it, HTTPS (port 443), looking for evidence of malicious software, misuse and user adherence to corporate Internet policy.

SWGs also validate that remote users on mobile devices are not unintentionally spreading viruses to other systems when they connect from home. In order to guard against a wide number of threats across all known Web protocols, originating inside and outside the corporate network, these gateway products must apply many analysis techniques to validate activity and content.

Secure Web gateways are an evolutionary convergence point of different security products. Vendors, driven by customer requirements and the presumed need to differentiate their products, have packed just about every conceivable Web security feature into these platforms. What began as a set of distinct security challenges, each addressed by niche products, has morphed into a common platform with a common feature set.

In fact, the vendors in the SWG space come from very different specialties. Some were network accelerators and load balancers that added filtering and packet inspection, and moved up the stack to Layer-7 content analysis. Some were email security tools (antivirus, antispam) that evolved to include antimalware, and later URL filtering. Some were general network security appliances, providing firewall and VPN services, that morphed first into UTMs. Still others are a bundle of acquired technologies, merged under a Web management interface to fill demand in the evolving Web gateway market. As it stands, these vendors have met in the middle and evolved into secure Web gateways.

With each emerging threat to corporate IT networks, new features are layered on, creating a Web traffic Swiss-army knife for security. Despite the differences in how they arrived at this point, vendors have all followed the path of emerging threats to IT systems.

Business Benefits

Enterprises and midmarket firms have invested in secure Web gateways because their traditional firewalls don't stop the attacks against their systems. Threats come over the same ports as legitimate Web services (80 and 443), making it difficult to sift out attacks and misuse from approved traffic. Worse, the threats are constantly evolving, using different channels such as email, webpages, file attachments, image uploads, application calls, and just about any other traffic you can think of to hide their activity. Customers view this as a single problem space: malicious Web content.


They don't want to buy a dozen different products for each specific threat, going through a dozen different product validation efforts to solve what they consider to be a single problem. Nor do they want to manage a dozen different products across different interfaces, customizing each product to their environment. In response, SWGs bundle all of the features necessary to monitor Web activity, consuming all the different flavors of traffic to detect inbound and outbound security issues. These products combine, at a minimum, URL filtering, content filtering and antimalware protection. Most include application whitelisting and botnet detection, and all of these capabilities are managed through a central Web management console.

Because of increased demand across every market vertical and every size of company, we've geared this e-guide to help you understand what to look for in a secure Web gateway product. We'll sort through the different feature options and deployment challenges with SWGs and help you bring efficiency to your threat management programs. We'll examine the core and advanced features in detail, cover the most common deployment models, and describe what to look for in a product depending upon your use case.

The Request for Information, by Adrian Lane

Secure Web gateways are an important strategic and technology investment for any organization. Most threats come from the Web and in many forms, rendering traditional firewalls ineffective against most of what attackers can pull off today. As your organization evaluates secure Web gateways, keep in mind several use cases for these tools and the available core features.

The following is a list of the most pressing Web security issues, and the reasons why customers invest in secure Web gateways.


Malicious links. URLs to sites that host malicious code which, in the best case, compromise your browser session and, in the worst case, infect your PC with malware. These URLs arrive disguised as email from Grandma, or are embedded within your favorite websites, easily duping the unsuspecting user. URL filtering works by comparing inbound and outbound links with databases of known malicious sites, and blocking the request on the user's behalf to avoid infection.
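As an added example (not code from the e-guide or from any vendor's product), the following Python sketches how a URL filter should match a request against a blocklist. The blocklist entries and the sample URLs are constructed for the example. The point a buyer should test for is that the filter parses the URL the way a browser does and matches on whole DNS labels; otherwise userinfo tricks, trailing dots, Unicode look-alike hostnames and plain substring matches let requests through or block the wrong ones.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed blocklist for the example; a real gateway loads a vendor feed.
BLOCKED_HOSTS = {"malware.example", "phish.example.net", "203.0.113.7"}


def host_is_blocked(host, blocklist=BLOCKED_HOSTS):
    """True if the host, or any parent domain of it, is on the blocklist.

    Matching on whole DNS labels rather than substrings means
    'cdn.malware.example' is caught while 'notmalware.example' is not.
    IP literals are compared exactly.
    """
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host in blocklist
    except ValueError:
        pass
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def decide(url, blocklist=BLOCKED_HOSTS):
    """Return ('block' | 'allow', reason) for one outbound request URL.

    The URL is parsed as a browser parses it, so that userinfo
    ('http://bank.example@evil/'), explicit ports, trailing dots and
    internationalised hostnames cannot slip past a naive string match.
    Anything the parser cannot make sense of is blocked, not allowed.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname          # lowercased; userinfo, port, [] stripped
    except ValueError as exc:
        return "block", f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return "block", f"unsupported scheme {parts.scheme!r}"
    if not host:
        return "block", "no host in URL"
    try:
        host = host.encode("idna").decode("ascii")   # compare the punycode form
    except UnicodeError:
        return "block", "invalid internationalised hostname"
    if host_is_blocked(host, blocklist):
        return "block", f"host {host} is on the blocklist"
    return "allow", "not on blocklist"


if __name__ == "__main__":
    for u in ("https://cdn.malware.example/payload.js",
              "http://bank.example@phish.example.net/login",
              "https://notmalware.example/",
              "https://www.example.com/"):
        print(decide(u), u)
```

Anything the parser rejects is blocked rather than allowed, the safe default for a control whose only job is to say no to bad URLs. A production filter also matches on path and query (a compromised page on an otherwise clean host) and consults a live feed rather than a static set, but the parsing discipline shown here is what determines whether the feed is actually applied to the host the browser will connect to.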

Malware. Most firms have antivirus software installed on corporate endpoints, but endpoint AV alone is ineffective against much of today's malware. Infections often require IT to reimage the machine, the software equivalent of nuking it from orbit. Once malware has infected one machine, it quickly propagates by replicating itself in files, sniffing and then exploiting credentials, exploiting known vulnerabilities or spamming infected content to users. It's therefore critical to detect malware as soon as possible, ideally before it reaches the unsuspecting user's machine.

Unapproved applications. Movie downloads, Tor networks, live streaming of sporting events, video game servers and other applications that are not approved for business use clog network bandwidth. Many of these applications come with malware and spyware, creating both a performance and a security issue. Some SWGs filter all network traffic generated by unapproved applications. Commonly called application whitelisting, this form of application control has quickly jumped to the top of customer requirements lists, as it's effective at stopping all sorts of unwanted services from abusing corporate networks.

Social media. Social media is a legitimate tool for companies to promote brand and customer satisfaction, but these approved uses form only a tiny fraction of total employee use, most of which is for purely personal benefit. Because social media can be a huge time sink and reduce employee productivity, many companies deny access. Web gateways can detect and block requests to social media sites.

IP and data leakage. Sending sensitive corporate data over email and posting intellectual property on Web portals is a serious problem. Systems infected with malware often embed sensitive data in files and attempt to send them out of the company through email, Web services or file transfers. Web security gateways inspect outbound content for the inclusion of sensitive data. Vendors call this feature data loss prevention, but it's really only DLP-lite, because it offers only a subset of the content analysis techniques (usually pattern matching, without the document fingerprinting and statistical methods) that state-of-the-art DLP platforms provide. As there are many different ways to perform content analysis, effectiveness varies widely between products.
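To make the DLP-lite distinction concrete, here is an added Python example (not from the e-guide or from any product) implementing the two levels of content analysis the paragraph contrasts: a regular-expression match for payment card numbers, validated with the Luhn checksum so that an arbitrary 16-digit order number is not flagged, and partial-document fingerprinting, which registers hashed five-word shingles of a protected document and flags outbound text that reproduces an excerpt of it even when no keyword is present. The protected memo, the outbound messages and the card number (a standard test number) are constructed for the example.

```python
import hashlib
import re

# ---- Technique 1: pattern match plus checksum validation -------------------
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits):
    """Luhn checksum; separates a real card number from any other run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return candidate card numbers (separators removed) that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


# ---- Technique 2: partial-document fingerprinting --------------------------
def _words(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text, k=5):
    """Set of hashed k-word shingles registered for a protected document."""
    w = _words(text)
    return {hashlib.sha256(" ".join(w[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(w) - k + 1)}


def match_ratio(text, fp, k=5):
    """Share of the outbound text's shingles found in a registered fingerprint."""
    probe = fingerprint(text, k)
    return len(probe & fp) / len(probe) if probe else 0.0


def inspect_outbound(text, registered, threshold=0.5):
    """Findings for one outbound message, as (kind, detail) tuples."""
    findings = []
    for pan in find_card_numbers(text):
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]   # never log the full PAN
        findings.append(("card-number", masked))
    for name, fp in registered.items():
        ratio = match_ratio(text, fp)
        if ratio >= threshold:
            findings.append(("document-excerpt", f"{name} ({ratio:.0%})"))
    return findings


# Constructed sample data for the example.
PROTECTED = {
    "Project Falcon memo": fingerprint(
        "Project Falcon: the merger with Acme Corp will be announced on the "
        "third quarter earnings call. Offer price is forty two dollars per "
        "share, financed through a mix of cash and new debt. Board approval "
        "expected next week."),
}
LEAK = ("FYI: the merger with Acme Corp will be announced on the third quarter "
        "earnings call. Offer price is forty two dollars per share.")
BENIGN = "Lunch on Friday? The merger rumours are everywhere but nothing official."
CARD = "Please charge card 4111 1111 1111 1111 for invoice 1234567890123456."

if __name__ == "__main__":
    for msg in (LEAK, BENIGN, CARD):
        print(inspect_outbound(msg, PROTECTED))
```

Pattern matching with validation is roughly what a gateway's bundled "DLP" does. The fingerprint check is the kind of technique that separates it from a full DLP platform: it catches a pasted excerpt that contains no regex-matchable token at all, and it is the check to ask a vendor to demonstrate if intellectual property rather than regulated data is your concern.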

Botnet detection. For the last decade, corporate networks have been infected with botnets, which use corporate servers to generate spam and conduct denial of service attacks against other corporations. SWGs can detect botnet software running inside corporate networks and trying to communicate with the outside world, and can also detect and, in many cases, mitigate inbound denial of service attacks.
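One of the signals a gateway can use to spot botnet software "trying to communicate with the outside world" is timing: an implant that sleeps and then checks in produces requests at far more regular intervals than a person browsing. The Python below is an added example, not from the e-guide or from any vendor; it runs that check over a constructed proxy log (the addresses, hostnames and timestamps are made up) and flags client/destination pairs whose inter-request intervals have a low coefficient of variation.

```python
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (epoch seconds, client, method, URL, status). The
# 10.1.1.9 -> 203.0.113.40 requests are a beacon every ~60 s; the rest is browsing.
LOG = """\
1700000000.000 10.1.1.9 GET http://203.0.113.40/gate.php 200
1700000000.412 10.1.1.5 GET http://www.example.org/ 200
1700000017.450 10.1.1.5 GET http://www.example.org/news 200
1700000018.200 10.1.1.5 GET http://www.example.org/news/img.png 200
1700000060.300 10.1.1.9 GET http://203.0.113.40/gate.php 200
1700000095.700 10.1.1.5 GET http://www.example.org/about 200
1700000096.000 10.1.1.5 GET http://www.example.org/css/site.css 304
1700000119.800 10.1.1.9 GET http://203.0.113.40/gate.php 200
1700000180.100 10.1.1.9 GET http://203.0.113.40/gate.php 200
1700000200.000 10.1.1.7 GET http://updates.example.com/check 200
1700000240.500 10.1.1.9 GET http://203.0.113.40/gate.php 200
1700000299.900 10.1.1.9 GET http://203.0.113.40/gate.php 200
1700000300.250 10.1.1.5 GET http://www.example.org/contact 200
this line is garbage and must not crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def parse_log(text):
    """Return (timestamp, client, destination host) for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # malformed input is skipped, not fatal
        events.append((float(m["ts"]), m["client"], urlsplit(m["url"]).hostname))
    return events


def find_beacons(events, min_requests=5, max_cv=0.2):
    """Flag (client, host) pairs whose request intervals are suspiciously regular.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests: human browsing is bursty, a sleep-loop implant is not.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(LOG)):
        print(finding)
```

The thresholds (five requests, cv of 0.2) are illustrative. Real implants add jitter and use long sleep intervals, so a production detector combines timing with destination reputation, the URL-filter verdicts, and the uniformity of request and response sizes. The malformed final log line is deliberate: a detector that raises on bad input is itself a denial-of-service target.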

Email security. Email security, specifically antispam and antivirus capabilities, remains a core customer driver. Some products include antiphishing capabilities as well, detecting links to bogus services and other malware lurking within the body of email messages. Relatively speaking, email security is the oldest of the core features. While it's not considered the most critical threat to infrastructure, spam and viruses are highly visible annoyances, and phishing has been the root cause of several major data breaches. No product fully solves the email security threat, but they block the vast majority of garbage sent to users.

You'll notice that the set of use cases reads like a feature list: that's because it is. Web-borne threats are the umbrella under which these threats are logically linked, but customers, especially mid-sized firms and small enterprises, typically have only two or three specific challenges that they need to address. Perhaps email security and information leakage are your priority, or perhaps antimalware and application whitelisting; either way, look for products that provide best-of-breed capabilities in the core areas you need the most. The rest is gravy.


At a minimum, an SWG must include URL filtering, content filtering (DLP-lite), application controls or whitelisting, email security, antimalware and malicious code detection. These features provide security controls for the most common, and most commonly abused, Web services. Our research shows only a few customers enable every feature, but it's always nice to know the capabilities exist should you need them in the future. Think of it this way: if you want to add application whitelisting, simply request a new license from your vendor. There is no additional proof of concept or evaluation procedure, just a simple adjustment to the configuration. Add-on features may not be best of breed, but you avoid another evaluation process and realize the cost savings of bundled pricing. The convenience creates a degree of stickiness, making it much more likely that you will stay with a vendor once you've made your initial selection.

Ease of use is a significant issue for users of SWGs. With features bolted on, not all capabilities are fully integrated. In some cases, it can be several products with several administrative interfaces. In other cases you have a single Web interface to set policies and configuration, but the user interface is half-baked and designed by technical people for technical people. It's really hard to weed out potential vendors based upon the normal request for proposal (RFP) or request for information (RFI) documents; it becomes clear which vendors have their act together the first time you get your hands on their products and have to set them up in a real environment.

While there is a veritable smorgasbord of features in every product, customer requirements are siloed into a handful of threats deemed most critical to their business. Again, the effectiveness of the features that are critical to you is not easy to ascertain with an RFP/RFI. Most customers we speak with view Web threats differently from peer organizations, have different expectations of their users, and choose to address risks to their organization with a slightly different mix of controls. It's this fractured demand, coupled with the fact that each vendor has specific strengths, that allows 15-plus vendors to compete in this security market. Vendors keep adding feature upon feature to differentiate their product and to give it a degree of stickiness, providing add-on features as customer requirements evolve. But again, each vendor does a couple of things well, and the rest of the functions not so much.

In addition to the core features listed above, there are several additional features commonly offered with secure Web gateways. While these may not be available with every product, we find that for some customers, especially mid-sized and large enterprises, these are critical features.

Network optimization. Load balancing, network segmentation, failover and even network-layer packet analysis are features inherent to some SWG platforms. Small firms that need only a single appliance to protect their back office won't require these features, but they are essential to large enterprises.

Centralized management. If your vendor offers four products with four management consoles, you'll quickly see that their definition of integration means Band-Aided together under the same Web admin page and style sheet. Just because the features share the same login page does not mean the products are integrated. Centralized management is important to large and small companies alike, as it means getting your job done more easily and faster. If you can go to one place to set policies, and those policies are applied consistently across all of your installations, you save time and make fewer mistakes.

Virtual private networks. An SWG can provide a secure link between remote offices, or connectivity for employees working from home or on the road. In the last five years there has been a dramatic increase in the number of people who work remotely, and VPN connections provide a fast and efficient connection to internal corporate resources. At the same time, remote devices provide malware and viruses with an easy path into your trusted network; by coupling VPN connectivity with content and malware detection, SWGs provide a secure bridge to IT resources.

Encrypted session interception/inspection. Encrypted tunnels, such as HTTPS or SSH, give users a means to ensure privacy and integrity when communicating with external services. They are also a great way for attackers and rogue employees to exfiltrate data. Secure session interception is where outbound encrypted connections are monitored by the SWG. In this case the gateway acts as an encryption proxy for the user: it terminates the user's TLS session, decrypts the data stream, then validates that intellectual property, pornography or other undesirable content is not passing through. The gateway then establishes its own session to the destination on the user's behalf, and content is re-encrypted before it is passed along. For this to work without browser warnings, every managed endpoint must trust a certificate authority operated by the gateway, which issues a substitute certificate for each intercepted site. That CA key is therefore one of the most sensitive secrets in the environment, and sessions to sites that pin their certificates, or to categories such as banking and healthcare, are usually exempted from decryption by policy.
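The first decision an intercepting gateway makes is whether to decrypt a given session at all, and it makes it from the one piece of plaintext available before the handshake completes: the Server Name Indication (SNI) in the ClientHello. The Python below is an added example, not from the e-guide or from any product; it builds a minimal ClientHello as constructed test input, extracts the SNI with bounds checking at every length field, and applies a constructed bypass list (the `.example` hostnames are made up) for categories that policy says must not be decrypted.

```python
import struct

# Constructed policy for the example: categories the gateway must not decrypt.
NO_DECRYPT_SUFFIXES = ("bank.example", "health.example")


def build_client_hello(server_name, with_sni=True):
    """Constructs a minimal ClientHello record (test input only, not a real client)."""
    exts = b""
    if with_sni:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name, type 0
        sni = struct.pack("!H", len(entry)) + entry                  # ServerNameList
        exts += struct.pack("!HH", 0x0000, len(sni)) + sni           # extension type 0
    body = (b"\x03\x03" + b"\x11" * 32          # client_version, random
            + b"\x00"                           # empty session_id
            + b"\x00\x02\x13\x01"               # one cipher suite
            + b"\x01\x00"                       # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data):
    """Return the server_name from a ClientHello record, or None.

    Every length is bounds-checked; malformed or truncated input yields
    None instead of an exception, because these bytes come from the client.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                          # version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos + 2 > len(body):
            return None                                       # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if end > len(body):
            return None                                       # truncated extensions
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000 or len(edata) != elen:
                continue
            lpos = 2                                          # skip list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                name = edata[lpos + 3:lpos + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("ascii").lower()
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def intercept_decision(client_hello):
    """('intercept' | 'bypass' | 'no-sni', host): should this session be decrypted?"""
    host = extract_sni(client_hello)
    if host is None:
        return "no-sni", None
    for suffix in NO_DECRYPT_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "bypass", host
    return "intercept", host


if __name__ == "__main__":
    for h in ("www.example.com", "online.bank.example"):
        print(intercept_decision(build_client_hello(h)))
    print(intercept_decision(build_client_hello("x", with_sni=False)))
```

Two caveats worth carrying into an evaluation. The SNI is supplied by the client, so a malicious endpoint can name a bypass-category host while connecting somewhere else; a gateway that honours the bypass should still verify that the server's certificate matches the claimed name before passing the bytes through untouched. And with TLS 1.3 Encrypted Client Hello the name is not visible at all, which is why the code returns a distinct "no-sni" result: policy has to decide whether those sessions are blocked or allowed blind.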

Security intelligence. Threats change weekly, with new malware, malicious websites and phishing attacks launched on unsuspecting users. Many vendors offer third-party intelligence feeds that automatically update rules and malware signature files based upon global intelligence.

Questions to ask:

These critical questions should be asked in a secure Web gateway evaluation:

1. What threats are you worried about, and have you performed a risk assessment? You will need to prioritize features based upon the most pressing issues that need to be addressed.

2. Do you have the expertise in house to deploy and manage a product? Do you need deployment assistance to "get you over the hump," or is it more cost effective to engage a managed service provider?

3. Does your business produce highly advanced intellectual property? Do you need inbound and outbound content inspection?

4. Are you worried about spear-phishing and targeted attacks? Companies that are targets of foreign nations or need to worry about APT will need to focus on these types of attacks.

5. Does your organization prefer hardware appliances or software, or is a SaaS-based service more appealing?

6. Are you only interested in keeping users away from hostile sites, or are you also worried about lower productivity from social applications? These two goals highlight the difference between controlling users and controlling applications.

7. Are you looking for a solution because you are dissatisfied with what you have, or is the current solution lagging in performance or functionality? Rip and replace requires more effort and preparation than augmentation.

8. Do you need to monitor encrypted traffic and incur the associated overhead and possible performance degradation? This feature requires special deployments and performance analysis.

9. Are you trying to stop internal activities that reduce productivity (spam, social media, streaming media), or are you more focused on keeping attackers out of your network (antimalware, antiphishing)?

10. How do you secure remote users, VPNs and mobile devices? How do you provide remote account and mobile services?

Decision time: Final differentiators to make a vendor selection, by Adrian Lane

Product benefits and tradeoff

Once you have a handle on your requirements for a secure Web gateway, understand stakeholder priorities and know which features you want to turn on and deploy, you have a final decision to make: how will you deploy the tool? This will be critical as you make the final call on purchasing a gateway.

Fortunately there are several different deployment options, each offering advantages for customer-specific requirements in speed, ease of use and flexibility of deployment. Let's look at the advantages and disadvantages of the available options and nail down the final decision:

Appliance. Appliances are the most common deployment method for SWGs. They are fast, inexpensive and completely self-contained. Slide one into your rack, turn it on and you are operational. You avoid software and hardware platform dependencies, and several even provide specialized hardware to speed up certain computationally expensive functions, outperforming all rivals. The downside is that, as they age, they typically fall behind customer performance demands and need to be replaced rather than upgraded. Scalability means buying more appliances. Disaster recovery and failover mean you buy more boxes. In an age where more firms are moving to internal cloud and virtualized server environments, the hardware model fails to integrate with those data center architectures.

Software. A handful of vendors still provide SWGs as software. Software offers flexibility and scalability options that hardware does not. If you need more processing power, simply allocate or install more resources. While software requires more up-front time to install and configure, it offers advantages in flexibility of deployment, integration and resource allocation, such as memory, processor and disk. And software licensing is easier to tune to your specific needs, resulting in lower overall costs for most customers.

Virtual appliance. The fastest growing deployment option today is the virtual appliance. This option is the direct result of companies looking to reduce costs and administrative hassles through virtualization platforms. As the name implies, these are a software image of a hardware appliance. In many ways they offer the best of both worlds: they scale like software but offer the pre-configured deployment of hardware, and they naturally integrate with virtual server deployments. The downside is that virtual appliances don't have the dedicated hardware acceleration that some physical appliances offer, so performance between virtual and physical appliances varies considerably. And because a virtual appliance is no longer a pre-packaged affair, the customer must monitor resource utilization and periodically tune it in order to maintain good performance.

Cloud-based/hybrid deployments. Some vendors are launching cloud service offerings to complement or supplant on-premise solutions. When internal hardware is overtaxed by antispam or rigorous content analysis, it's easy to offload that processing to a cloud service provider to ease the burden on your in-house platforms. Similarly, some customers want third-party cloud services simply because they lack the in-house staff to manage the product. Cloud-based security gateways as a service offer elastic, on-demand Web filtering without alteration to existing IT systems. In this model, network traffic is routed through the cloud service provider prior to being delivered to you, the customer. Customers can choose to enable a subset of the features, perhaps because their current system does not offer URL filtering, and simply pay for that service as they go.

Sealing the deal

Each of these options is sold under a different pricing model. For example, hardware is sold based upon the level of throughput the appliance supports, and must be accounted for as a capital expenditure (CAPEX). Cloud services are billed monthly as the user consumes the service and fall under operating expenditure (OPEX). Multiple models give customers some flexibility both in how they use the product and in how they pay for it.

All of the vendors are in a race to provide a comparable breadth of features, but given the evolutionary track each has followed, remember that your vendor won't do everything well. Each will have specific core competencies, with additional features hastily added on or acquired that lack a degree of efficiency or effectiveness. For example, a vendor may have deep experience with the network layer, so its load balancing and packet inspection provide incredible performance, but it does a mediocre job at content and email security. Your buying decision will be based upon this balancing act: selecting the vendor that focuses on the areas you deem most critical, yet still offers the flexibility and pricing models that work for your organization.
