New secure Web gateways eye next-generation Web-application traffic

Layering it on thick: Network administrators face a new class of secure Web gateways to manage security issues Web 2.0 raise.

Best practices for deploying Secure Web gateways


Kesner found the only way to combat such emerging threats was to use secure Web gateways, a new class of technology that sits between the Internet and the edge of the network. Secure Web gateways employ URL and malware filtering and application-level controls. They let companies control employees' access to and use of Web applications and sites based on corporate and regulatory compliance policies.

Peter Firstbrook, research director for Gartner's Information Security and Privacy Group, first coined the term "secure Web gateway" in 2006 to describe a multifunction, integrated approach to Web security for Web-based applications. "Most large enterprises today have some combination of network firewall, URL filter and proxy server to protect and manage Web traffic," he says. These are proving to be woefully inadequate in dealing with Web threats like those being generated by Web-borne malware, however: "Fewer than 15% of enterprises scan Web traffic for viruses," he says.

Firstbrook says secure Web gateways take security up a notch from traditional firewalls and desktop antivirus and antimalware. "Just running antivirus in five places or scanning Port 80 traffic alone isn't enough. Some viruses aren't signature based, and a lot of spyware communicates on nonstandard ports," he says, adding that malware is using all protocols, not just HTTP, to penetrate networks.

There's been an explosion in software and service providers eager to lead the secure Web-gateway market, Firstbrook says. For instance, Web- and network-security companies, such as 8e6 Technologies, Aladdin Knowledge Systems, CA, Finjan, McAfee, Secure Computing, Sophos, SurfControl, Trend Micro and Websense offer these gateways.

Messaging-security companies, such as Barracuda Networks and IronPort Systems, also have entered the arena. Even alternative players, such as BlueCoat Systems, FaceTime Communications and Mi5 Networks -- which Kesner uses -- are developing secure Web-gateway products and services.

Although companies can get some of the same functions in point products, such as URL filters and antimalware, they miss out on the benefits of unified policy management and integration, says Ted Ritter, research analyst at Nemertes Research. By bringing URL filtering, malware detection and application control under one umbrella, companies can better enforce their corporate and regulatory compliance policies. Applying policies simultaneously to Web sites and content lets organizations avoid data leaks, liability issues and potential sexual-harassment lawsuits.

Chris Bress, CIO at Charlotte County Public Schools in Port Charlotte, Fla., agrees. Recently, he discovered students were creating tunnels to off-site proxy servers to avoid the content filter and to access sites that were blocked because they violated the school's use policies. Bress did not want to block all SSL traffic, because administrators and teachers were conducting legitimate business, nor did he want to take time to block individual Web sites, because "they were popping up like mushrooms," he says. He adds that installing content filters at each endpoint was prohibitively expensive.

Instead, Bress opted for BlueCoat's ProxySG appliance to manage the district's Web traffic. He installed one on each campus and at district headquarters to enforce and adjust application-level policies in real time. "On my desktop, at all times, I can see the top 30 Web destinations. We set thresholds, and when things pop up I don't recognize, I can log into the campus-level appliance and see what's happening," he says.

Secure Web gateways offer IT a big advantage over desktop-security tools: They allow for detection and remediation of problems before threats reach user PCs. "Preventing tenacious threats from getting onto the desktop is more desirable than attempting to remove them," Gartner's Firstbrook says. He adds that managing policy in centralized gateways is far easier than managing policy on client desktops.

For all their benefits, secure Web gateways still have drawbacks. For instance, they work best in environments where SSL traffic from remote offices is backhauled to a central location to take advantage of centralized network-security tools. "Gateways are expensive and difficult to manage in networks that provide direct access from multiple remote offices, as opposed to backhauling traffic to a central Internet access point," Firstbrook says.

Backhauling traffic can cause delays and bottlenecks, however. "SSL is processor intensive, and if a product is not designed correctly it can add overhead to traffic delivery times," Nemertes' Ritter says.

In addition, it will be difficult today to find a company that has bundled best-of-breed URL filtering and antimalware and application-level control products. "They tend to be strong in one area . . . and are all struggling to shore up functionality across all three major areas," Firstbrook says.

Gartner reports the market for secure Web gateways reached almost $700 million last year, and Firstbrook expects that number to climb 20% to 25% as companies shift over from pure-plays, such as URL filtering.

The options for implementing secure Web gateways are growing. Organizations can choose from a software, appliance or service approach. Some companies, such as Finjan, are offering a virtual appliance model that lets companies use secure Web gateways with standardized hardware environments, such as blade servers, Firstbrook says.

While this may seem a lot to cram into one product, Firstbrook says enterprises can expect even more consolidation in the near future. "By 2010, we expect distinctions between e-mail and Web security-gateway solutions to have dissolved," he says, adding that the need for unified, policy-based filtering of all inbound and outbound Web and Internet content will spur this market.

Gittlen is a freelance technology writer in the greater Boston area. She can be reached at sgittlen@charter.net.

Learn more about this topic

Buyer's Guide: Application layer firewalls

Secure Web gateways: slamming the door on malware

09/25/07

Secure Computing upgrades appliance for Web 2.0

09/13/07

Are secure connections really that secure?

03/19/07

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)