Secure Web Gateway as a Game-Changer in Enterprise Security
As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—David Balaban, a computer security researcher with over 18 years of experience in malware analysis and antivirus software evaluation, shares insights on Secure Web Gateway (SWG) technology.
The Secure Web Gateway (SWG) technology has been around for years, but it still raises many questions among corporate IT teams. How does it differ from a conventional proxy server and a Next-Generation Firewall (NGFW)? Will it become a feature of Cloud Access Security Broker (CASB) systems, or is it destined to play a critical role in the increasingly popular Secure Access Service Edge (SASE) frameworks? What problems do organizations face when implementing SWGs? What are the challenges of SSL inspection when dealing with web applications? Let’s try to find out.
SWG Capabilities and Use Cases
There is an opinion that a Secure Web Gateway is a fancy marketing term coined to boost the sales of garden-variety proxy servers. However, this is a misconception. SWGs offer a broader feature set, ranging from web access security and traffic filtering to commonplace routing, data collection, and analysis. Essentially, it is a security-centric tool for implementing the classic functions of a proxy.
When proxy servers emerged to optimize users’ online activities, the data they processed was subject to caching due to low channel bandwidths. Later on, the addition of security mechanisms to the caching functionality gave rise to SWG. These solutions have since absorbed many security features, becoming the “Swiss Army knife” for providing granular, controlled, adequately separated access for corporate users. The minimum features of such a tool include web filtering, malware protection, and application control.
Modern SWGs can incorporate one or more antivirus cores, prevent targeted attacks, and integrate with numerous third-party protection systems, such as Data Loss Prevention (DLP) and anti-phishing tools, through readily available APIs. They can also work in concert with endpoint security solutions by instantly reporting information about indicators of compromise.
Some users find it hard to tell NGFW and SWG apart, since their features overlap in many ways. However, when a complete cycle of web application protection is required, the latter is your best bet. It terminates suspicious HTTP/HTTPS connections, allowing for much more detailed analysis and, if necessary, modification of web traffic.
What Types of Secure Web Gateways Are Out There?
SWG facilitates the separation of duties between IT and InfoSec. That’s why these systems are prevalent among large companies; however, there are also many examples of their deployment in relatively compact organizations, such as universities. The cloud SWG sector is currently on the rise, primarily due to the growing interest of small companies in such services. There are two categories of cloud-based Secure Web Gateways:
- Those available on a Software-as-a-Service (SaaS) basis allow enforcing a unified web application control policy across the organization.
- Those operating as virtual appliances, where a provider deploys a separate SWG image for a particular customer in its cloud environment.
Cloud SWG is one of the critical elements of the CASB technology and part of the SASE framework, given that web access is the primary channel for handling data these days. At the same time, SWG and CASB are developing as two independent products without soaking up each other’s functionality. Unlike SWG, which aims to provide secure access for multiple entities, CASB controls specific cloud applications.
The common SWG licensing model is based on the number of users. The implementation of certain features or extra modules influences the final price tag. Some organizations prefer leveraging NGFW because the user count isn’t part of its licensing principle.
Technical Specifications of SWG
Many customers question the effectiveness of SWGs based on open-source solutions. While publicly available codebases underlie decent implementations of almost any information security component, their use entails several problems.
The most significant drawbacks are maintenance complexity and the hard-to-control performance of the resulting system. Besides, proprietary products have much more powerful analytics systems that are constantly fine-tuned by teams of dedicated specialists. That’s why open-source tools tend to be less efficient.
Let’s now zoom into the protocols supported by modern SWGs and the restrictions regarding their usage scenarios. Secure Web Gateways can handle all the major protocols web applications use, including HTTP, HTTPS, and FTP. They are also capable of parsing such traffic into its constituents to implement advanced filtering functions. For example, they can control search queries or limit bandwidth for media content.
In the context of today’s Internet ecosystem, an essential feature of SWG is the decryption of SSL/TLS traffic. Since most data is transmitted in encrypted form, these tools need to intercept and decrypt SSL/TLS sessions to apply flexible access policies rather than being “blind” to their content.
Secure Web Gateways use reputational databases of web resources for traffic filtering. All URLs are divided into categories whose number ranges from 80 to 120. Deeper fragmentation makes the setup of the filtering process much more time-consuming. If a domain is labeled as new or uncategorized, it is treated as potentially unreliable. One of the best-practice techniques to deal with such URLs is to open them in an isolated browser container.
The database queried by SWG contains both domains and specific URLs. In some cases, this data is enriched by risk levels based on the IP addresses where the resources are located. Suppose a website falls into a trusted category but is hosted on a server or a data center used for phishing or other attacks. In that case, this is a valid reason to scrutinize its security. Additionally, some SWGs use morphological site content analysis to evaluate its reliability.
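The two preceding paragraphs describe how an SWG combines URL and domain categories with the reputation of the hosting IP address. The following is an added illustration of that decision logic, not code from the article or any vendor product: the category table, the risky network range and the verdict names are all constructed for the example, and the exact-URL entry wins over a longest-suffix domain match, as the text describes.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample reputation data (all names and ranges are made up).
URL_CATEGORIES = {
    "https://files.example-share.test/public/invoice.exe": "malware",
}
DOMAIN_CATEGORIES = {
    "example-share.test": "file-sharing",
    "bank.example.test": "finance",
    "intranet.example.test": "business",
}
# Hosting networks seen serving phishing or other attacks (documentation range).
RISKY_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_CATEGORIES = {"finance", "business", "file-sharing"}


def lookup_category(url):
    """Exact URL entry first; otherwise the longest matching domain suffix; else 'uncategorized'."""
    if url in URL_CATEGORIES:
        return URL_CATEGORIES[url]
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in DOMAIN_CATEGORIES:
            return DOMAIN_CATEGORIES[candidate]
    return "uncategorized"


def decide(url, resolved_ip):
    """Return one of 'allow', 'inspect', 'isolate' or 'block' for a request."""
    category = lookup_category(url)
    if category == "uncategorized":
        return "isolate"          # new/unknown site: open in an isolated browser container
    if category not in ALLOWED_CATEGORIES:
        return "block"
    ip = ipaddress.ip_address(resolved_ip)
    if any(ip in net for net in RISKY_NETWORKS):
        return "inspect"          # trusted category, but hosted on a risky network
    return "allow"
```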
Reports generated by a Secure Web Gateway build the foundation of user profiling. The system collects data on a particular employee’s activity to assess the level of risk, which it later considers when granting access. A separate solution integrated into the SWG tracks changes in a user’s profile over time.
Secure Web Gateway Implementation Challenges
Ensuring sufficient bandwidth for DNS-related traffic within the network is paramount. Another important aspect is to choose an authentication method that provides the required functionality while not overloading the proxy server or the network as a whole. It is also essential to ensure that the SWG can scale vertically and horizontally.
Security professionals should pay extra attention to the HTTPS decryption issue mentioned above. For a Secure Web Gateway to work properly in a continuous SSL/TLS inspection setup, the certificates it issues, and therefore the CA certificate it signs them with, must be trusted on all workstations throughout the network, including remote users’ devices.
It is also worth considering that many web applications tunnel their proprietary protocols within HTTPS. If such applications are not added to a whitelist (a decryption bypass list), decrypting their traffic will disrupt their regular operation.
Which Way is the SWG Market Heading?
The market for Secure Web Gateways will continue to grow as new players step in. Closer integration with SASE will allow network administrators to manage SWGs from the cloud using a single console and other framework components. End-to-end management of security policies will be the crucial feature of such a distributed system.
As some providers abandon the SWG market, industry leaders with the most feature-rich products in their portfolios will remain. The cloud SWG market will develop faster than the on-premises segment due to the increasing web traffic generated by conventional applications and the mass transition to telework.
Secure Web Gateways are becoming increasingly essential elements of organizations’ security infrastructures. This is due to the steady increase in web traffic, as even locally deployed applications often use cloud services to retrieve or store data. That being said, SWG is shaping up to be one of the strongholds of enterprise defenses against mainstream and emerging forms of web-borne exploitation. Cloud SWGs fit seamlessly into the SASE concept and facilitate the control of traffic not only within the corporate perimeter but also at the level of remote endpoints.