What makes a Secure Web Gateway Tick?
By Sandra Gittlen
Three powerful tools in one
Companies are shying away from best-of-breed point solutions for URL filtering, anti-malware filtering and Web application-level controls in favor of the power-punch that an all-in-one secure Web gateway provides.
"This is the best position in the network to handle SSL traffic that's non-VPN as well as compliance," says Ted Ritter, research analyst at Nemertes Research. Some examples include: file transfers, instant messaging, Web-based voice and video over IP, and software-as-a-service, he says.
Secure Web gateways are available in several form factors, including software (ex: Computer Associates and Trend Micro); appliances (ex: Aladdin, Barracuda, Finjan, IronPort (Cisco), Mi5, Surf Control, Websense); and as a service (ex: MessageLabs and ScanSafe).
The critical elements to look for within secure Web gateways are a combination of URL filtering, malware filtering, and application-level control. Together, they allow companies to monitor, filter, and if necessary, inspect, inbound and outbound Web traffic.
* URL filtering – URL filtering is one of the most common approaches to securing Web traffic today. This technique involves blacklisting sites that are known to be bad and whitelisting sites that are known to be good. Some vendors, such as Cisco's IronPort and Secure Computing, use reputational databases to add heft to their blacklisting techniques. IT managers can also map their corporate usage policies to their URL filters to make sure that users are not visiting categories of sites or even individual sites that are deemed inappropriate. Some companies, including Marshal, provide real-time URL categorization based on keywords, content analysis and user-defined criteria, says Peter Firstbrook, research director for Gartner's Internet Security and Privacy group.
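The blacklist/whitelist and category-policy logic described above, as an added example that is not code from the article or from any vendor named in it. The category database, the allow and deny lists and the blocked-category set are all constructed placeholders; a real gateway would pull them from a vendor feed and the organisation's usage policy. The example goes slightly beyond the text in that it shows why hosts must be normalised and matched on label boundaries, so that a deny-listed domain cannot be dodged with an uppercase host, a trailing dot, a port, or by prepending an allowlisted name as a subdomain.

```python
from urllib.parse import urlsplit

# Constructed category lookup keyed by host (stands in for a vendor's URL database).
CATEGORY_DB = {
    "intranet.example.com": "business",
    "news.example.org": "news",
    "casino.example.net": "gambling",
}

# Constructed policy: categories this organisation has chosen to block.
BLOCKED_CATEGORIES = {"gambling", "malware", "adult"}

# Explicit allow and deny lists (constructed). An entry covers the host and all its subdomains.
ALLOWLIST = {"intranet.example.com"}
DENYLIST = {"evil.example.net"}


def normalise_host(url: str) -> str:
    """Extract the host from a URL: lower-case, no trailing dot, no port, no userinfo."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".")


def suffix_lookup(host: str, table):
    """Walk the host's label suffixes (a.b.c, b.c, c) and return the first one present in table.

    Matching on label boundaries, not substrings, is what stops
    'intranet.example.com.evil.example.net' from looking like the intranet.
    """
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in table:
            return candidate
    return None


def categorise(host: str) -> str:
    key = suffix_lookup(host, CATEGORY_DB)
    return CATEGORY_DB[key] if key else "uncategorised"


def decide(url: str) -> tuple[str, str]:
    """Return (verdict, reason). Deny list wins over allow list; then the category policy applies."""
    host = normalise_host(url)
    if not host:
        return ("block", "unparseable host")
    if suffix_lookup(host, DENYLIST):
        return ("block", "denylisted host")
    if suffix_lookup(host, ALLOWLIST):
        return ("allow", "allowlisted host")
    category = categorise(host)
    if category in BLOCKED_CATEGORIES:
        return ("block", f"category {category}")
    return ("allow", f"category {category}")


if __name__ == "__main__":
    for u in ["https://intranet.example.com/",
              "http://user@casino.example.net:8080/play",
              "HTTP://News.Example.ORG./today",
              "http://intranet.example.com.evil.example.net/login"]:
        print(u, "->", decide(u))
```

Unknown hosts fall through to the category policy, so whether "uncategorised" is allowed or blocked is itself a policy choice; the example allows it, which is the more permissive of the two defaults.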
* Malware filtering – Most companies offer signature-based malware protection so that known threats are not allowed onto or off of the network. However, with Web-based applications, Firstbrook says the bigger threat is non-signature-based malware, or zero-day threats, that can place viruses, Trojans or botnets on your network. For signature-based filtering, vendors scan traffic against their database of known threats. Some vendors, such as Mi5, also use heuristics based on behavior and pattern matching for real-time traffic analysis.
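A minimal illustration of the two filtering layers the paragraph contrasts, added here as an example and not taken from the article or from any vendor's product. The "signature" set is a hash list computed from constructed placeholder bytes (not real malware hashes), and the heuristic indicators and weights are constructed stand-ins for the behaviour and pattern rules a vendor would maintain. The point it makes is the one Firstbrook raises: an exact-match signature stops the known sample but misses the same payload with one byte changed, whereas a pattern heuristic catches an obfuscated script it has never seen.

```python
import hashlib
import re

# Constructed "known bad" payloads; their hashes form the signature set.
KNOWN_BAD_SAMPLES = [b"constructed-known-bad-payload-1", b"constructed-known-bad-payload-2"]
SIGNATURES = {hashlib.sha256(s).hexdigest() for s in KNOWN_BAD_SAMPLES}

# Constructed heuristic indicators for obfuscated active content, each with a weight.
HEURISTICS = [
    (re.compile(rb"\beval\s*\("), 3),
    (re.compile(rb"\bunescape\s*\("), 2),
    (re.compile(rb"String\.fromCharCode\s*\("), 2),
    (re.compile(rb"document\.write\s*\("), 1),
    (re.compile(rb"(?:%[0-9a-fA-F]{2}){20,}"), 3),    # long percent-encoded run
    (re.compile(rb"(?:\\x[0-9a-fA-F]{2}){20,}"), 3),  # long \x hex run
]
HEURISTIC_THRESHOLD = 5  # constructed; tune against false-positive rate in practice


def signature_match(body: bytes) -> bool:
    """Exact-match layer: is the whole body a known sample?"""
    return hashlib.sha256(body).hexdigest() in SIGNATURES


def heuristic_score(body: bytes) -> int:
    """Pattern layer: sum the weights of every indicator present in the body."""
    return sum(weight for pattern, weight in HEURISTICS if pattern.search(body))


def scan(body: bytes) -> tuple[str, str]:
    """Return (verdict, reason) for one response or upload body."""
    if signature_match(body):
        return ("block", "signature")
    score = heuristic_score(body)
    if score >= HEURISTIC_THRESHOLD:
        return ("block", f"heuristic score {score}")
    return ("allow", f"heuristic score {score}")


# Constructed script samples: one benign, one obfuscated (it decodes to alert('constructed sample')).
BENIGN_SCRIPT = b"document.write('<p>hello</p>')"
OBFUSCATED_SCRIPT = (b"eval(unescape('"
                     + b"".join(b"%%%02x" % c for c in b"alert('constructed sample')")
                     + b"'))")

if __name__ == "__main__":
    print("known sample:      ", scan(KNOWN_BAD_SAMPLES[0]))
    print("one byte changed:  ", scan(KNOWN_BAD_SAMPLES[0] + b"!"))
    print("benign script:     ", scan(BENIGN_SCRIPT))
    print("obfuscated script: ", scan(OBFUSCATED_SCRIPT))
```

Whole-body hashing is deliberately the simplest signature form; production engines use sub-sequence signatures, but the brittleness the second print line shows is the same in kind, which is why the article's vendors layer heuristics on top.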
* Application control – Although application firewalls have been around for a while to protect applications from code-level attacks such as SQL injections and cross-site scripting, Internet application control is relatively new. The goal is to gain visibility into these applications and then control access and use of them via policies, says Chris King, director of strategic marketing at Blue Coat Systems in Sunnyvale, Calif.
To facilitate application control, "you have to proxy all of the key protocols in a rich enough manner that you can detect specific applications, user agents, users and content," King says.
Firstbrook agrees, saying vendors should be able to recognize protocols beyond HTTP, including SMTP, FTP, voice over IP and other types of Web-application traffic. Vendors, such as FaceTime, allow a deep focus on Web-based communications networks, including Skype and instant messaging, as well as peer-to-peer networks like BitTorrent. Finjan does deep-code inspection, breaking up HTML into separate components, such as text and style sheets, to search for malicious code. The vendor also scans active content, such as ActiveX and Java, for potential malware.
Application control enables organizations to apply detailed policies to these newer applications. For instance, companies can set policies that say users can interact over instant messaging but not click on links within those messages.
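What King and Firstbrook describe, proxying enough of each protocol to name the application, the user agent and the user, and then applying a per-application policy such as "instant messaging allowed, links within messages not", as an added example that is not code from the article or from Blue Coat, FaceTime or any other vendor named. The `ProxiedRequest` fields, the classification rules, the group policies and the user-to-group map are all constructed assumptions; the last of these stands in for the LDAP or Active Directory lookup the article mentions later.

```python
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class ProxiedRequest:
    """What a proxying gateway sees for one request (constructed field names)."""
    protocol: str     # protocol the proxy terminated, e.g. "http", "xmpp", "bittorrent"
    host: str         # destination host
    user_agent: str   # client software identifying itself
    user: str         # authenticated user, e.g. from the directory
    content: bytes    # request or message body


# Constructed classifier: the first rule that matches names the application.
APP_RULES: list[tuple[str, Callable[[ProxiedRequest], bool]]] = [
    ("instant_messaging", lambda r: r.protocol == "xmpp" or r.user_agent.startswith("ExampleIM/")),
    ("peer_to_peer", lambda r: r.protocol == "bittorrent"),
    ("web_browsing", lambda r: r.protocol == "http"),
]

# Constructed per-group policy. Actions: "allow", "block", "allow_no_links".
GROUP_POLICY = {
    "staff": {"instant_messaging": "allow_no_links", "web_browsing": "allow", "peer_to_peer": "block"},
    "it":    {"instant_messaging": "allow",          "web_browsing": "allow", "peer_to_peer": "block"},
}
USER_GROUPS = {"alice": "staff", "bob": "it"}  # stands in for an LDAP / Active Directory lookup

LINK_RE = re.compile(rb"https?://[^\s<>\"']+")


def classify(r: ProxiedRequest) -> str:
    """Name the application, or 'unknown' when no rule matches."""
    for app, rule in APP_RULES:
        if rule(r):
            return app
    return "unknown"


def enforce(r: ProxiedRequest) -> tuple[str, bytes]:
    """Apply the user's group policy to the classified application.

    Returns (action, content): content is passed through, rewritten with links
    neutralised, or emptied when blocked. Anything without an explicit rule,
    including unknown applications and unknown users, is blocked (default deny).
    """
    app = classify(r)
    group = USER_GROUPS.get(r.user, "default")
    action = GROUP_POLICY.get(group, {}).get(app, "block")
    if action == "allow":
        return ("allow", r.content)
    if action == "allow_no_links":
        return ("allow", LINK_RE.sub(b"[link removed by policy]", r.content))
    return ("block", b"")


if __name__ == "__main__":
    msg = ProxiedRequest("xmpp", "chat.example.com", "ExampleIM/2.0", "alice",
                         b"see http://example.net/x now")
    print(enforce(msg))
    print(enforce(ProxiedRequest("bittorrent", "tracker.example.net", "", "alice", b"")))
```

Rewriting rather than blocking is what lets the policy in the text work: the conversation goes through, but the link the user might click is no longer a link by the time it reaches them.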
What makes secure Web gateways an attractive offering is the bundling of these three areas with integrated management and reporting. In one product or service, IT teams can filter, detect and remediate all known and unknown Web-application-based threats. For instance, Mi5, which integrates with LDAP and Active Directory, alerts you to infected machines and then automatically cleans the machine before allowing it back on the network.
This story, "Guide to Secure Web Gateways" was originally published by Network World.