
What is a Secure Web Gateway (SWG)?

The senior member of Security Service Edge

What is a Secure Web Gateway?

A secure web gateway (almost always abbreviated as “SWG”) is usually deployed between a company's internal network and the internet, to filter web traffic in an effort to (primarily) protect the organization using it from online threats and (secondarily) ensure that internal users follow company internet use policies.

These are some typical SWG capabilities:

  • Traffic (URL) filtering: an SWG examines web traffic, checking URLs against a “deny list” of malicious sites, and can block access to risky websites.
  • Threat protection: some SWGs can detect and block some malware and some phishing attempts.
  • Data loss prevention: some SWGs can help prevent sensitive data from being accidentally or intentionally leaked out of the company network.
  • Application control: some SWGs can also control which web applications employees can use. This can help prevent them from wasting time on unproductive websites or from using applications that could compromise security.

What is URL Filtering?

URL filtering attempts to restrict the web content users can access by blocking specific URLs from loading.

This is the typical URL filtering flow:

  1. Database Check: All web traffic is routed through a URL filtering system. This system checks the requested URL against a database of categorized URLs.
  2. Allow or Block: Based on the category (e.g., malware, social media, shopping), the filter allows or blocks access to the URL.
  3. User Notification: If a user tries to access a blocked site, they'll typically see a message explaining why they can't reach it.
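The three-step flow above, worked through as an added example (this is not code from the page or from any SWG product); the categorized database, the policy and the host names are constructed sample data:

```javascript
// Added example (not from the page): a minimal URL filter that follows the
// three-step flow: database check, allow/block by category, user notification.

// Constructed "categorized URL database", keyed by host. A lookup also
// matches parent domains, so cdn.evil.example inherits evil.example's category.
const URL_DATABASE = new Map([
  ["evil.example", "malware"],
  ["login-bank.example", "phishing"],
  ["social.example", "social-media"],
  ["shop.example", "shopping"],
]);

// Constructed policy: categories this organization blocks. Anything the
// database has not categorized yet is allowed, which is exactly the gap
// a freshly registered phishing site falls into.
const BLOCKED_CATEGORIES = new Set(["malware", "phishing", "social-media"]);

// Step 1: database check. Normalizes the host (lower-case, trailing dot
// removed) and walks up the domain tree so subdomains inherit a category.
function lookupCategory(rawUrl) {
  let host;
  try {
    host = new URL(rawUrl).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return "invalid"; // unparsable request: handled as its own category
  }
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const candidate = labels.slice(i).join(".");
    if (URL_DATABASE.has(candidate)) return URL_DATABASE.get(candidate);
  }
  return "uncategorized";
}

// Steps 2 and 3: allow or block by category, and build the block-page
// message the user would see.
function filterUrl(rawUrl) {
  const category = lookupCategory(rawUrl);
  const blocked = BLOCKED_CATEGORIES.has(category) || category === "invalid";
  return {
    category,
    action: blocked ? "block" : "allow",
    message: blocked
      ? `Blocked: this site is categorized as "${category}", which policy does not permit.`
      : "",
  };
}
```

Note that a host the database has never seen is allowed, which is the "Limited Scope" weakness discussed in the next section.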

Is URL filtering outdated?

URL filtering has limitations that essentially render it ineffective as a standalone security solution.

Here's why:

  • In the modern world, there is no such thing as a complete URL database: new malicious websites appear constantly and phishing URLs change within seconds. A URL filtering database would need non-stop updates to stay relevant, and the optimizations needed to keep lookups fast cannot guarantee that a requested URL matches an entry.
  • Limited Scope: URL filtering only blocks access based on pre-categorized URLs. It can't detect threats on otherwise legitimate websites, like malicious scripts or phishing attempts that haven't been flagged yet.
  • HTTPS Encryption: With the rise of HTTPS encryption, filtering based solely on URLs becomes less effective. The encrypted content itself can't be inspected for threats by traditional URL filtering methods.
  • Workarounds and User Error: Tech-savvy users might find ways to bypass URL filters. Additionally, users can still be tricked into clicking malicious links on legitimate websites, bypassing the filter altogether.

How does a secure web gateway deliver data loss prevention (DLP)?

Some Secure Web Gateways (SWGs) can play a role in Data Loss Prevention (DLP) by monitoring and controlling the flow of sensitive data across the web. Typical capabilities in this area include deep content inspection and DLP policies.

Deep Content Inspection

Unlike URL filtering, some SWGs can inspect the actual content of web traffic, enabling identification of sensitive information like credit card numbers, social security numbers, or proprietary company data.

DLP Policies

Some SWGs permit organizations to define DLP policies that dictate how to handle potential data leaks. These policies can include:

There is MORE to web security than a Secure Web Gateway

What were the main criticisms of Secure Web Gateways after they were broadly deployed?

While SWGs were considered by many to be a significant step forward in web security, their limitations became apparent as they gained widespread adoption.

Performance Impact

  • Latency: SWGs often introduced latency into network traffic, leading to slower application response times and a degraded user experience.
  • Scalability: SWGs were hard to scale to handle increasing internet traffic and user numbers.

Evasion Techniques

  • Advanced Threats: SWGs struggled to keep pace with the evolving threat landscape, often failing to detect and block sophisticated attacks.
  • Bypass Methods: Users found ways to circumvent SWG controls, using techniques like proxy servers or VPNs.

User Experience

  • Productivity Impact: Overly restrictive policies could hinder employee productivity by blocking legitimate websites or applications.
  • False Positives: Incorrectly blocking safe websites led to frustration and decreased user satisfaction.

Limited Visibility

  • Encrypted Traffic: SWGs traditionally struggled to inspect encrypted traffic, leaving organizations blind to threats hidden within HTTPS connections.
  • Shadow IT: SWGs had difficulty identifying and controlling unsanctioned cloud applications.

Complexity and Management

  • Ongoing Maintenance: SWGs required constant updates to threat definitions and policy rules, demanding significant IT resources.
  • Scalability Challenges: expanding SWG infrastructure to accommodate growth could be complex and costly.

What evolutions in web languages and capabilities exposed the limitations of Secure Web Gateways?

The rapid evolution of web languages and capabilities has significantly challenged the effectiveness of traditional Secure Web Gateways (SWGs). The key areas where these developments have exposed SWG limitations are dynamic content and rich media, encryption and HTTPS, cloud applications and APIs, Web 2.0 and social media, and mobile applications and BYOD.

1. Dynamic Content and Rich Media

  • Increased complexity: The rise of dynamic content, powered by languages like JavaScript, AJAX, and HTML5, made it difficult for SWGs to accurately inspect and analyze web traffic.
  • Evading detection: Malicious actors exploited these technologies to obfuscate malicious content, bypass filters, and deliver exploits.

2. Encryption and HTTPS

  • Data privacy: The widespread adoption of HTTPS encryption made it challenging for SWGs to inspect traffic without compromising user privacy.
  • Evasion tactics: Malicious actors leveraged encryption to hide malicious activities from SWGs.

3. Cloud Applications and APIs

  • Direct connections: Cloud applications often bypassed traditional network perimeters, rendering SWGs less effective.
  • API-driven interactions: The increasing reliance on APIs for data exchange made it difficult for SWGs to monitor and control traffic.

4. Web 2.0 and Social Media

  • User-generated content: The proliferation of user-generated content on platforms like social media made it challenging to filter and monitor for malicious content.
  • Data leakage: SWGs often struggled to prevent sensitive data leakage through social media sharing.

5. Mobile Applications and BYOD

  • Direct internet access: Mobile devices often bypassed corporate networks, making it difficult for SWGs to enforce security policies.
  • App stores: The rapid growth of app stores introduced new attack vectors and made it challenging to assess app security.

How is traffic sent to traditional secure web gateways, and what are the pros and cons of each method?

Traditional Secure Web Gateways (SWGs) typically rely on one of the following methods to intercept and inspect web traffic: inline deployment, Proxy Auto-Configuration (PAC) files, Generic Routing Encapsulation (GRE), or client agents.

1. Inline Deployment:

  • Direct traffic flow: All web traffic is routed through the SWG, acting as a mandatory checkpoint.
  • Pros: Comprehensive visibility and control over web traffic.
  • Cons: Potential performance impact due to increased latency.

2. Proxy Auto-Configuration (PAC) Files:

  • Client-side configuration: Users configure their web browsers to use a proxy server.
  • Pros: Flexible deployment, can be used in environments with limited network control.
  • Cons: Reliance on user configuration, potential for bypass.

3. Generic Routing Encapsulation (GRE):

  • Encapsulated traffic: Web traffic is encapsulated in GRE tunnels and sent to the SWG.
  • Pros: Can be used in environments with complex network topologies.
  • Cons: Additional overhead and complexity.

4. Client Agents:

  • Software installation: SWG agents are installed on client devices to intercept web traffic.
  • Pros: Comprehensive control over user activity, can be used in environments with limited network visibility.
  • Cons: Increased management overhead, potential performance impact.

In summary, traditional SWGs typically operate as a proxy server or intercept traffic through various methods to inspect and filter web content. The choice of deployment method depends on factors such as network topology, security requirements, and user experience considerations.
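The PAC-file method above, as an added example (not from the page or from any SWG vendor). The proxy address swg.example:8080 and the internal domain corp.example are constructed placeholders. It goes one step beyond the text by contrasting a fail-closed PAC with the common fail-open form whose trailing DIRECT entry lets the browser skip the gateway whenever the proxy does not answer:

```javascript
// Added example (not from the page): a PAC file that steers browser traffic
// to an SWG proxy. swg.example:8080 and corp.example are constructed names.
// Browsers provide isPlainHostName and dnsDomainIs; the two stand-ins below
// mirror those helpers so the file also runs outside a browser for testing
// (a deployed PAC file would omit them).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Fail-closed form: external traffic has exactly one route, the SWG. If the
// proxy is unreachable the browser shows an error instead of going direct.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  // Internal hosts and loopback are not sent through the gateway.
  if (h === "localhost" || isPlainHostName(h) || dnsDomainIs(h, ".corp.example")) {
    return "DIRECT";
  }
  return "PROXY swg.example:8080";
}

// Fail-open form, common in practice: the trailing DIRECT entry is what the
// browser falls back to when the proxy does not answer, so a proxy outage
// (or a client that cannot reach port 8080) silently removes the SWG from
// the path. This is one reason the "potential for bypass" caveat applies.
function FindProxyForURLFailOpen(url, host) {
  const h = host.toLowerCase();
  if (h === "localhost" || isPlainHostName(h) || dnsDomainIs(h, ".corp.example")) {
    return "DIRECT";
  }
  return "PROXY swg.example:8080; DIRECT";
}

// Review helper: does a proxy string allow a fallback to a direct connection?
function failsOpen(proxyString) {
  return proxyString.split(";").map((s) => s.trim()).includes("DIRECT");
}
```

Checking a deployed PAC file with failsOpen is a quick way to confirm that external traffic has no route around the gateway.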