Best Practices for deploying secure Web gateways
Analysts, users point to cheap upgrades, understanding traffic patterns and flexible policy enforcement as crucial deployment elements.
By Sandra Gittlen
If you're looking to upgrade your URL filter, you've got the upper hand with vendors of this new class of secure Web products. Use it.
"The time is now to get your security providers to add granular control over Web 2.0 products," says Peter Firstbrook, research director for Gartner's Information Security and Privacy group.
Firstbrook notes that the best news for IT departments looking to upgrade their Web point security measures (such as URL filtering) to an all-in-one secure Web gateway, which adds malware filtering, Web application-level controls and centralized management to URL filtering, is that vendors (he names Secure Computing as an example) are willing to negotiate on the gateway price.
"When your contract comes up for renewal, the scope of your product [or service] should be expanded to include other things," Firstbrook says.
To find the most appropriate product for their environment, IT managers must first measure how much traffic is being generated both inbound and outbound by Web-based applications. Applications to consider include blogs, Wikis, social networking sites, instant messaging, Web conferencing, voice over IP and peer-to-peer file sharing. These applications all have the potential for users to contract malware onto their machines. You'll also want to factor in other Web-based programs such as CRM or call center tools.
Doug Camplejohn, CEO and founder of Mi5 Networks in Sunnyvale, Calif., says, "IT teams should have a baseline understanding of the inappropriate Web sites and applications employees are using." Some companies, including Mi5, offer to gather these measurements as part of the network evaluation that is delivered as part of the sales process.
Of that traffic, IT managers will need to know how much is SSL-based that will need to be backhauled to a central site to take advantage of network security tools. "Our SSL traffic is only 10% of our [overall] traffic, but it's the most important percentage because that's where our vulnerabilities lie," says Chris Bress, CIO at Charlotte County Public Schools in Port Charlotte, Fla.
Bress, who brings all SSL traffic generated by his campuses through the network to his district-level BlueCoat ProxySG gateway appliances, says he couples WAN acceleration with his secure Web gateway appliances to counterbalance the slowdown that can be caused by centralized SSL packet inspection. He has two appliances at the district site for failover.
Another guideline to implementing one of these Web gateways is to determine the acceptable risk in terms of productivity loss, bandwidth consumption and liability. This will help IT folks figure out what granularity of control they'll want to implement, both in terms of policy enforcement and URL filtering. It is important to note here that the amount of traffic needing to be inspected and the depth of inspection can result in higher latency.
For networks with a high risk factor, it may be crucial to go with a product or service that does some sort of non-signature-based detection and filtering, like those offered by Websense, which could help in detecting zero-day threats.
IT folks will also want to map acceptable use and compliance policies closely to any deployed secure Web gateway. Bress says that policy enforcement in the world of Web access represents a very fine line that requires some flexibility with the product. "I noticed kids going to a drumming site that didn't violate our usage policies but it was draining bandwidth, so rather than banning the site, I just throttled back bandwidth," he says.
Matt Kesner, CIO at Silicon Valley-based law firm Fenwick & West LLP, is less lenient. He uses application-level controls on his Mi5 Webgate appliance to prevent the streaming or download of heavy video flows. "One user was looking at a site that had HD video downloads. We have a 100M bit/sec pipe to the Internet and that one download was filling 80% of that pipe. I don't want to have to tell my boss that the network is down because of that," he says.
He also uses the secure Web gateway to block users from sharing copyrighted material via peer-to-peer sites and other Web-based applications.
For Bress, BlueCoat's distributed policy approach provides a way to save on CPU and bandwidth resources at the district's main office. "Anything that is not encrypted can be filtered at the campus level gateway appliances without having to come to the district level," he says. For instance, GeoCities traffic is banned so those requests never make it past the campus.
Kesner says it's important to wrap user education in with the deployment of your secure Web gateway. In addition to distributing acceptable usage policies, Kesner configured his appliance to send users a Web page that explains why a site has been blocked rather than just an error message.
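As an added illustration (not code from the article or from any vendor it mentions), the following Python script carries out the baseline measurement described earlier (bytes per application category and the share of SSL traffic that would have to be backhauled) and Bress's distributed policy: unencrypted requests are decided at the campus tier, with a human-readable reason of the kind Kesner's block page shows, while encrypted ones are forwarded to the district tier for inspection. The log lines, hostnames, category map and policy sets are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed Squid-style access log lines (not real traffic):
# time elapsed client action/code bytes method url ident hierarchy type
SAMPLE_LOG = """\
1700000000.001 120 10.1.2.3 TCP_MISS/200 48213 GET http://blog.example.net/post/1 - HIER_DIRECT/203.0.113.5 text/html
1700000000.002 800 10.1.2.4 TCP_TUNNEL/200 912000 CONNECT webmail.example.com:443 - HIER_DIRECT/203.0.113.6 -
1700000000.003 60 10.1.2.5 TCP_MISS/200 2048000 GET http://video.example.org/clip.mp4 - HIER_DIRECT/203.0.113.7 video/mp4
1700000000.004 30 10.1.2.3 TCP_DENIED/403 350 GET http://www.geocities.example/page.html - HIER_NONE/- text/html
"""
# Constructed category map standing in for the gateway's URL database (assumption).
CATEGORY = {
    "blog.example.net": "blogs",
    "webmail.example.com": "webmail",
    "video.example.org": "streaming",
    "www.geocities.example": "personal-pages",
}
BLOCKED = {"personal-pages"}   # banned outright at the campus tier
THROTTLED = {"streaming"}      # rate-limited rather than banned

def host_of(method, url):
    """CONNECT lines carry host:port instead of a full URL."""
    return url.split(":")[0] if method == "CONNECT" else urlparse(url).hostname

def baseline(log_text):
    """Measure the traffic mix: bytes per category and the share that is SSL
    (CONNECT tunnels), i.e. what would have to be backhauled for inspection."""
    total = ssl = 0
    per_cat = defaultdict(int)
    for line in log_text.splitlines():
        f = line.split()
        size, method, url = int(f[4]), f[5], f[6]
        total += size
        if method == "CONNECT":
            ssl += size
        per_cat[CATEGORY.get(host_of(method, url), "uncategorised")] += size
    return {"ssl_share": ssl / total, "bytes_by_category": dict(per_cat)}

def decide(method, url):
    """Distributed policy: unencrypted requests are decided at the campus tier
    with a reason the user can be shown; encrypted ones go to the district tier."""
    if method == "CONNECT":
        return ("district", "inspect", "SSL traffic is backhauled for central inspection")
    cat = CATEGORY.get(host_of(method, url), "uncategorised")
    if cat in BLOCKED:
        return ("campus", "block", f"'{cat}' sites are outside the acceptable use policy")
    if cat in THROTTLED:
        return ("campus", "throttle", f"'{cat}' is allowed but bandwidth-limited")
    return ("campus", "allow", "")
```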
For any secure Web gateway to be truly effective, companies must be able to respond to alerts and integrate the gateway with their trouble-ticket system, according to Mi5 Networks' Camplejohn.
Kesner agrees and says it's vital that organizations keep reports simple. "Some devices generate thousands of pages a day. That's too much to try to tackle," he says. Kesner's team receives alerts as well as daily reports that prioritize all threats including zombies, Trojans and botnets.
"The appliance gives us the level of criticality so we can get to the most important ones first. Once we detect a threat, we can remotely uninstall the executable that runs the program that is causing the harm," he says.
Gittlen is a free-lance technology writer in the greater Boston area. She can be reached at firstname.lastname@example.org.