Layering it on thick
A new class of secure Web gateways is the ticket for securing next-generation Web application traffic.
By Sandra Gittlen
Matt Kesner, CIO at Silicon Valley-based law firm Fenwick & West LLP, is proud to say that his users are on the bleeding edge of the Web 2.0 revolution, making use of tools such as blogging, instant messaging, Web-based conferencing, and social networking.
After all, they have to keep up with the high-tech clients they represent. But he also knows first-hand the security risks these immature technologies pose.
Two years ago, Kesner, who had anti-virus, anti-malware and anti-spyware in place on each user's machine, found that his network was also the source of more than 50 exploits, and more than 1,000 different mid-level infections, including a few live "phone-home" attacks that were using the firm's machines to send information out of the network.
"That was disturbing to us. We thought we were protected all the way around. We even had firewalls on each user's machine," he says.
Kesner found the only way to combat the emerging threats was to use a new class of technology, secure Web gateways, that sit between the Internet and the edge of the network. Secure Web gateways employ a combination of URL filtering, malware filtering and application-level controls. They enable companies to control employees' access and use of Web applications and sites based on corporate and regulatory compliance policies.
Peter Firstbrook, research director for Gartner's Information Security and Privacy Group, first coined the term "secure Web gateway" in 2006 to describe a multifunction, integrated approach to Web security for Web-based applications.
"Most large enterprises today have some combination of network firewall, URL filter and proxy server to protect and manage Web traffic," says Firstbrook. However, he says these are proving to be woefully inadequate in dealing with Web threats such as those originating from Web-borne malware. "Fewer than 15% of enterprises scan Web traffic for viruses," he says.
Firstbrook says secure Web gateways take security up a notch from traditional firewalls and desktop antivirus and anti-malware. "Just running antivirus in five places or scanning Port 80 traffic alone isn't enough. Some viruses aren't signature-based and a lot of spyware communicates on non-standard ports," he says, adding that malware is now using all protocols, not just HTTP, to penetrate networks.
He admits there's been an explosion in software and service providers eager to lead the secure Web gateway market.
For instance, Web and network security companies such as 8e6 Technologies, Aladdin Knowledge Systems, Computer Associates, Finjan, McAfee, Secure Computing, Sophos, SurfControl, Trend Micro and Websense have all created secure Web gateway offerings. Messaging security companies such as Barracuda Networks and IronPort Systems (now owned by Cisco) also have entered the secure Web gateway arena. Even alternative players, such as BlueCoat Systems, FaceTime Communications and Mi5 Networks, which Kesner uses, are developing secure Web gateway products and services.
Although companies can get some of the same functionality in point products, such as URL filters and anti-malware, they miss out on the benefits of unified policy management and integration, says Ted Ritter, research analyst at Nemertes Research. By bringing the URL filtering, malware detection and application control under one umbrella, companies can better enforce their corporate and regulatory compliance policies. Applying policies simultaneously to Web sites and content enables organizations to avoid data leakage, liability issues, and potential sexual harassment lawsuits.
Chris Bress, CIO at Charlotte County Public Schools in Port Charlotte, Fla., agrees. Recently, he discovered students were creating tunnels to off-site proxy servers to avoid the content filter and to access blocked sites that were in violation of the school's usage policies. Bress did not want to block all SSL traffic because administrators and teachers were conducting legitimate business, nor did he want to take time to block individual Web sites because "they were popping up like mushrooms," he says. He adds that installing content filters at each end point was cost-prohibitive.
Instead, he opted for BlueCoat's ProxySG appliance to manage the district's Web traffic. He installed one on each campus and at district headquarters to enforce and adjust application-level policies in real time. "On my desktop, at all times, I can see the top 30 Web destinations. We set thresholds and when things pop up I don't recognize, I can log into the campus-level appliance and see what's happening," he says.
Secure Web gateways offer IT a big advantage over desktop security tools: they allow for detection and remediation of problems before threats reach user PCs. "Preventing tenacious threats from getting onto the desktop is more desirable than attempting to remove them," Firstbrook says. He adds that managing policy in centralized gateways is far easier than managing policy on client desktops.
But for all their benefits, secure Web gateways do have some drawbacks. For instance, they work best in environments where SSL traffic from remote offices is backhauled to a central location to take advantage of centralized network security tools. "Gateways are expensive and difficult to manage in networks that provide direct access from multiple remote offices as opposed to backhauling traffic to a central Internet access point," Firstbrook says.
However, backhauling traffic can cause delays and bottlenecks. "SSL is processor-intensive and if a product is not designed correctly it can add overhead to traffic delivery times," according to Nemertes' Ritter.
Also, it is difficult today to find a company that has bundled best-of-breed URL filtering, anti-malware and application-level control. "They tend to be strong in one area… and are all struggling to shore up functionality across all three major areas," Firstbrook says.
Gartner reports the market for secure Web gateways reached almost $700 million last year, and Firstbrook expects that number to climb by 20% to 25% as companies shift over from pure plays such as URL filtering.
The options for how to implement secure Web gateways are also growing. Organizations can choose from a software, appliance or service approach. Some companies, such as Finjan, are even offering a virtual appliance model that allows companies to use secure Web gateways with standardized hardware environments such as blade servers, he says.
And while this may seem a lot to cram into one product, Firstbrook says enterprises can expect even more consolidation in the near future. "By 2010, we expect distinctions between e-mail and Web security gateway solutions to have dissolved," he says, adding the need for unified policy-based filtering of all inbound and outbound Web and Internet content will spur this market.