Secure Web Gateway – implementation methodologies


Some say that the Secure Web Gateway is a technology in its twilight. However, organizations still fail to decode traffic at the firewall and make do with their firewalls' limited filtering capabilities, which limits the visibility available to IT security departments and the ability of end users to make use of the Internet's potential. In this article we describe the methods of implementing a Secure Web Gateway that make it an effective solution for ensuring network security at the highest layer.

For Internet gateways, there are only a few proven deployments that are effective and fully secure, and we will cover the four most common types of secure gateway deployment in this article. Sometimes referred to as forward proxies, these devices are used to secure Internet access for an organization's internal end users. The four commonly used web gateway deployment scenarios are inline, explicit, transparent, and SPAN port. Each of these implementations has its own advantages and disadvantages.

Inline – the simplest and easiest to describe. Good for smaller deployments such as a branch office because of the ease of deployment and the absolute security it provides. In an inline deployment, the gateway is placed directly in the path of all inbound and outbound network traffic. It is important to make sure that your Internet gateway is capable of bypassing the network traffic that you don't want to process; in many cases, you can choose to "proxy" or "exclude" each specific protocol. For each protocol proxied through the gateway, the Internet gateway terminates the client-to-server connection locally and establishes a new connection, acting as the client, to fetch the requested content.

Benefits
  • Easy to deploy and you can be sure that all network traffic will be redirected through the gateway. There is no chance for a user to bypass administrator-set controls, as long as it is the only available path to the Internet. All Internet related HTTP traffic will be processed and handled by the Internet gateway.
  • The ability to monitor all ports for "call-home" traffic generated by botnet malware on infected computers. This awareness allows for the remediation of infected systems, which lowers the risk that network access poses to the organization.

Defects
  • Single point of failure. Even with technologies such as “fail to wire” that allow all traffic to flow when a device fails, many organizations are uncomfortable with a single device filtering the data stream to the Internet. Although unlikely, a partial device failure can crash your workflow. For a small organization or branch office, short-term disruption may not be an urgent problem, but in a larger organization it can be catastrophic.
  • The need to manage all protocols provided by the internet gateway. The IT administrator will have to administer a list of protocols that are and are not filtered by a secure proxy. It’s actually a side effect of this being the safest type of deployment.

Explicit – commonly used in larger networks where the network design requires no single point of failure. This implementation allows the Internet gateway to be placed anywhere on the network that is accessible to all users, provided the solution itself has access to the Internet. Explicit mode uses an explicit proxy definition in the web browser. To facilitate this, the administrator distributes PAC or WPAD files for proxy configuration in end-user browsers, so the client has a clearly defined proxy in its web browser settings. When deploying an explicit proxy, it is extremely important that the firewall is properly configured to prevent users from bypassing the proxy server. The firewall must be configured to allow HTTP and HTTPS communication only to the proxy server and to block all other hosts / IP addresses. In addition, all other ports must be blocked to prevent end users from configuring their own internal proxy server to access the Internet via HTTP on a port other than the commonly used ports (80 and 443).

Benefits
  • Narrowing the traffic processed by the Internet gateway (you can, for example, limit traffic only to HTTP-based traffic), which allows you to effectively manage the throughput of network connections and focus on the most sensitive protocols/channels.
  • Less potential network disruptions. The Internet gateway can be placed anywhere on the network that is accessible to all end-users as long as it can connect to the Internet.

Defects
  • IT administration overhead, because each client station needs to be reconfigured. While there is some reduction in this overhead with PAC and WPAD, any error in the end user’s system configuration will result in a technical support call for an administrator to rectify the situation.
  • Explicit deployment largely depends on a properly configured network and firewall. An experienced user can take advantage of any hole in the network or firewall to bypass the Internet gateway. For potential call-home traffic, port monitoring must be performed by a network device with access to all network traffic.
  • The Explicit Mode gateway can only detect and block call-home traffic for protocols defined and managed, such as HTTP and HTTPS.
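The PAC file mentioned above is the piece of explicit mode that administrators actually write. The following is an added example, not code from the article or from any particular gateway vendor: a PAC file that sends HTTP and HTTPS through two gateways in failover order (addressing the "no single point of failure" requirement) and sends intranet names and RFC 1918 address literals direct. All hostnames, addresses and ports are constructed placeholders. Browsers supply isPlainHostName, dnsDomainIs, isInNet and dnsResolve themselves; the minimal stand-ins at the top exist only so the file can be exercised under Node and are left out of the deployed file.

```javascript
// Added example PAC file for an explicit-proxy deployment (not from the
// article). Hostnames, addresses and ports are constructed placeholders.

// --- stand-ins for the browser-provided PAC helpers (constructed; omit in
// --- the deployed file, where the browser defines them) ---------------------
function isPlainHostName(host) {
  // Unqualified name such as "intranet": no dots at all.
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix.
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, o) => ((acc << 8) + parseInt(o, 10)) >>> 0, 0);
}
function isInNet(ip, net, mask) {
  // Compare the masked address with the masked network prefix.
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}
function dnsResolve(host) {
  // Offline stand-in: recognises dotted-quad literals only; a real browser
  // would resolve the name via DNS here.
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : null;
}

// --- the PAC logic itself ---------------------------------------------------
// Two gateways, tried in order: if gw1 is unreachable the browser fails
// over to gw2 rather than losing Internet access.
var PROXIES = "PROXY gw1.corp.example:8080; PROXY gw2.corp.example:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback and unqualified intranet names never leave the LAN.
  if (host === "localhost" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // The organisation's own domain bypasses the gateway.
  if (dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // RFC 1918 address literals bypass it as well.
  var ip = dnsResolve(host);
  if (ip && (isInNet(ip, "10.0.0.0", "255.0.0.0") ||
             isInNet(ip, "172.16.0.0", "255.240.0.0") ||
             isInNet(ip, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Only web protocols are handed to the secure web gateway. Anything else
  // (e.g. ftp:) is returned DIRECT and relies on the firewall to drop it,
  // which is why the firewall rules described above are not optional.
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") {
    return PROXIES;
  }
  return "DIRECT";
}
```

Note that the PAC file only steers cooperating browsers; a user who edits their browser settings ignores it entirely, so the firewall must still permit outbound web traffic solely from the gateways, exactly as the Defects list warns.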

Transparent – allows you to deploy an Internet gateway at any network location (connected to the Internet), similar to explicit mode. This deployment reduces the need to reconfigure the network, and there is no administrative overhead for configuring end-user systems, since redirection of HTTP and HTTPS traffic to the gateway is typically performed by a router. Transparent deployment is often used when an organization:

  • Is too big for inline implementation.
  • Does not want the extra work and cost needed to implement explicit mode.

Transparent deployments rely on the Web Cache Communication Protocol (WCCP), a protocol that is supported by many network devices. Alternatively, Policy-Based Routing (PBR) can be used.

Benefits
  • Restriction of traffic processed by the proxy and the possibility of easier implementation of gateway redundancy.
  • Does not require changes for the end user.

Defects
  • Depends on the availability of WCCP or PBR and on their support by the web gateway, which is usually only found in more sophisticated solutions.
  • Configuration may be more difficult as it requires supported WCCP versions to be compatible between the router and the gateway.
  • To implement transparent mode, specialist knowledge is required, which may be a problem for smaller organizations (we recommend ourselves for the future!).

SPAN (Switched Port Analyzer) port – a method sometimes called TCP reset, as it relies on TCP resets to enforce Internet gateway rules. The Internet gateway is deployed by attaching it to a SPAN port on a switch. Unlike the other three deployment methods, which process network traffic and enforce policies on the response, a gateway deployed on a SPAN port enforces policies by forcing a TCP reset to prevent a malicious/illegal content download from completing.

Benefits
  • Advantageous for large-scale deployments as monitoring mode tends to use fewer resources than inline, explicit, or transparent, all of which must actively process traffic.
  • Useful if you believe that your hardware may not be sufficient to effectively secure your network traffic; it still allows you to monitor ports to detect call-home attempts on most ports.

Defects
  • Can’t see all the traffic. Corrupted network packets, packets under the minimum size, and layer 1 and 2 errors are usually cleared by the switch.
  • Can introduce network delays. The software architecture of low-end switches introduces delay when copying packets to the SPAN port. If the data is aggregated over a gigabit port, further delay is introduced when the signal is converted from electrical to optical. Any network delay can be critical, as TCP resets are used to enforce policy.
  • Can have problems when there is traffic congestion. Typically the port drops packets and causes some data loss. In a high-traffic situation, most gateways connected to a SPAN port will not be able to respond quickly enough to stop malware from spreading through the corporate network.
  • Passively monitors traffic, whereas inline, explicit and transparent gateways monitor and enforce policies in real time.

While there are four popular deployment methodologies to choose from when implementing a secure web gateway, there are really only three clear choices for IT departments. The choice between inline, explicit and transparent must be made based on the needs and resources of the organization and the IT department. Based on experience, we do not recommend the last implementation, because it cannot apply threat analysis in real time, substitute modified requests and responses, or optimize the delivery of web content through caching, stream splitting and bandwidth management.
