Secure Web Gateways (SWG) protect against many – but not all – web-based threats

A secure web gateway (SWG) is a set of security services that protects Internet-enabled devices from web-based threats. These threats include viruses, malware, and phishing. The gateway achieves this in two ways. First, it enforces an organization’s network security policies across all devices, and second, it monitors both incoming and outgoing Internet traffic.

A secure web gateway, as indicated by its name, acts as a gate between the end user and the Internet. Any time a web request is made, the SWG ensures that the request complies with organizational policies, and blocks user access to any suspicious or malicious websites and applications. In this way, the gateway reduces the risk of data breaches and data leaks that can occur due to malware or other web-based threats.

How do secure web gateways work?

An SWG is usually a software or hardware-based solution, which sits on the network perimeter, or on endpoint devices. It can also be a cloud-based solution. In either case, all traffic must pass through the gateway, where it is monitored. The gateway monitors traffic flowing in both directions — from the end user to the web, and from the web to the end user. Thus, it protects against insider threats relating to exfiltration of confidential information, and external threats originating from the web.

Secure web gateway technologies

A secure web gateway will often use a variety of different security technologies, comprising detection and filtering tools, to provide maximum protection against all kinds of Internet-based threats. These technologies may include:

Application controls

Application controls enable organizations to create and enforce granular access policies for particular applications, which block or limit access at the application level. These application controls may be created on a per user, or per group basis, and will often differ depending on the type of application for which they are used. For example, an Instant Messaging application will have different controls than are suitable for a file-sharing application. Using these controls, organizations can prevent users from sharing data with an application that could create a risk of data loss as well as preventing excessive lateral movement by users who have either logged onto the network legitimately, or illicitly breached it.

URL filtering

URL filtering allows an organization to control access to websites based on their categorization. In the simplest cases, website domains that are known to contain malicious code can be blocked. In addition, URLs can be filtered according to different web categories, denying users access to websites that are not needed for their job, or which present a security risk. For example, an organization may decide to block social media sites that could reduce employee productivity or present a risk of inappropriate data sharing, or prevent access to websites with inappropriate content. Conversely, “allowlists” indicate websites that users may access freely. URL filters depend on categorization engines, such as Google Safe Browser (GSB).

Data leak prevention

Also known as DLP, data leak prevention software can be used to protect and secure data. Often, secure web gateways will include a data leak prevention solution, which monitors data movement in and out of the network, and prevents data loss using preemptive techniques. This protects the organization from the damage that is caused by the loss of valuable or sensitive data. DLP solutions ensure that users cannot send sensitive information outside of the organizational network, based on a set of policies defined by the organization.

Antivirus

Antivirus solutions traditionally use signature-based detection to identify known malicious threats. Recently, there has been a trend towards more advanced antivirus solutions, which include other methods, such as real-time and heuristic detection. These solutions provide more comprehensive – although still not failproof – protection against unknown and zero-day threats than purely signature-based solutions.

Remote browser isolation

A sophisticated secure web gateway will include a remote browser isolation (RBI) solution that prevents malicious code or data from reaching the organizational network. RBI does this by running all active code from the web in a virtual, disposable container, outside the network. A clean, fully interactive stream of rendering data is provided to the user via their regular endpoint browser, allowing them to full Internet access, and enabling high productivity. Remote browser isolation is so effective at securing networks from web-based threats and exploits that some industry experts, such as Gartner have suggested that RBI might fulfill SWG functionality independent of other technologies.

Phishing prevention

Websites launched from within email that might be suspicious should be routed to remote browser isolation and opened in “read-only” mode to prevent credential theft and malware injection.

Content disarm and reconstruction

Email attachments and web downloads should be examined in isolation and have all malicious elements removed before being downloaded to the user device in order to prevent attacks via files weaponized with malicious links or scripts.

HTTPS inspection

As the HTTPS protocol is used to make data private, it can also be used to hide malicious activity occurring on a network. HTTPS inspection allows the gateway to decrypt and inspect all HTTPS traffic. There are two types of HTTPS inspection:

1. Inbound HTTPS inspection – inspecting traffic sent from the Internet to the end-user.
2. Outbound HTTPS inspection – inspecting traffic sent from the end-user to the Internet.

Secure web gateway use cases

Secure web gateways provide many benefits to organizations seeking protection against web-based threats. Their use cases include:

Real-time Internet traffic monitoring

A secure web gateway provides an organization with real-time web traffic monitoring. This involves checking any web traffic to ensure that it lines up with the organization’s security policies.

Blockage of malicious websites and applications

One of the benefits that results from real-time traffic monitoring is the ability to block any potentially malicious content, whether from a website or web application, or from cloud applications. Blocking such content protects against malware or similar threats.

Access control

An SWG can be configured to restrict access to the internet based on a set schedule, or ensure that only certain web content is accessible. In this way, an organization can ensure that employees are as productive as possible, and that each individual only has access to the websites they need for their job.

Enforcing policies for remote and on-site employees

With increasingly distributed workforces, organizations need cloud security solutions that can protect any device, from anywhere. A cloud-based secure web gateway can enforce security policies on-the-go, so that employees, wherever they are working from, can authenticate and browse the web safely.

Secure web gateway feature checklist

Here are some features to look out for when choosing a secure web gateway:

• Support for HTTP, HTTPS, and FTP connections
• Cloud-based, for use with both on-site and remote employees
• Protection against known and unknown (zero-day) threats
• Data leak prevention
• Real-time web traffic monitoring
• Social media filtering and scanning
• Customizable access and application control