A gateway is a network point that acts as an entrance to another network. On the Internet, a node or stopping point can be either a gateway node or a host (end-point) node. Both the computers of Internet users and the computers that serve pages to users are host nodes. The computers that control traffic within your company's network or at your local Internet service provider (ISP) are gateway nodes.
In the network for an enterprise, a computer server acting as a gateway node is often also acting as a proxy server and a firewall server. A gateway is often associated with both a router, which knows where to direct a given packet of data that arrives at the gateway, and a switch, which furnishes the actual path in and out of the gateway for a given packet.
Gateway is used between two dissimilar LANs.
Router and Gateway both are sometimes used interchangeably but the difference is
- Data Link,
- Network,(performs establishment of connection between networks and the Routing and selecting best path)
- Presentation and
- Application Layer. (Provides semantic exchange of data between application in an open system)
Best Practices for deploying secure Web gateways
Analysts, users point to cheap upgrades,
understanding traffic patterns and flexible policy enforcement as
crucial deployment elements.
If you're looking to upgrade your URL filter, you've got the upper
hand with vendors of this new class of secure Web products. Use it.
"The time is now to get your security providers to add granular control over Web 2.0 products," says Peter Firstbrook, research director for Gartner's Information Security and Privacy group.
Firstbrook notes that the best news for IT departments looking to upgrade their Web point security measures (like URL filtering) to an all-in-one secure Web gateway that adds to URL filtering malware filtering, Web application-level controls and centralized management, is that vendors (he names Secure Computing as an example) are willing negotiate on the gateway price.
"When your contract comes up for renewal, the scope of your product [or service] should be expanded to include other things," Firstbrook says.
To find the most appropriate product for their environment, IT managers must first measure how much traffic is being generated both inbound and outbound by Web-based applications. Applications to consider include blogs, Wikis, social networking sites, instant messaging, Web conferencing, voice over IP and peer-to-peer file sharing. These applications all have the potential for users to contract malware onto their machines. You'll also want to factor in other Web-based programs such as CRM or call center tools.
Doug Camplejohn, CEO and founder of Mi5 Networks in Sunnyvale, Calif., says, "IT teams should have a baseline understanding of the inappropriate Web sites and applications employees are using." Some companies, including Mi5, offer to gather these measurements as part of the network evaluation process that delivered as part of the sales process.
Of that traffic, IT managers will need to know how much is SSL-based that will need to be backhauled to a central site to take advantage of network security tools. "Our SSL traffic is only 10% of our [overall] traffic, but it's the most important percentage because that's where our vulnerabilities lie," says Chris Bress, CIO at Charlotte County Public Schools in Port Charlotte, Fla.
Bress, who brings all SSL traffic generated by his campuses through the network to his district-level BlueCoat ProxySG gateway appliances, says he couples WAN acceleration with his secure Web gateway appliances to counterbalance the slowdown that can be caused by centralized SSL packet inspection. He has two appliances at the district site for failover.
Another guideline to implementing one of these Web gateways is to determine the acceptable risk in terms of productivity loss, bandwidth consumption and liability. This will help IT folks figure out what granularity of control they'll want to implement both I terms of policy enforcement and URL filtering. It is important to note here that the amount of traffic needing to be inspected and the depth of inspection can result in higher latency.
For the networks with a high risk factor, it may be crucial to go with a product or service that does some sot of non-signature-based detection and filtering, like those offered by Websense, which could help in detecting zero-day threats.
IT folks will also want to map acceptable use and compliance policies closely to any deployed secure Web gateway. Bress says that policy enforcement I the world of Web access represents a very fine line that requires some flexibility with the product. "I noticed kids going to a drumming site that didn't violate our usage policies but it was draining bandwidth, so rather than banning the site, I just throttled back bandwidth," he says.
Matt Kesner, CIO at Silicon Valley-based law firm Fenwick & West LLP, is less lenient. He uses application-level controls on his Mi5 Webgate appliance to prevent the streaming or download of heavy video flows. "One user was looking at a site that had HD video downloads. We have a 100M bit/sec pipe to the Internet and that one download was filling 80% of that pipe. I don't want to have to tell my boss that the network is down because of that," he says.
He also uses the secure Web gateway to block users from sharing copyrighted material via peer-to-peer sites and other Web-based applications.
For Bress, BlueCoat's distributed policy approach provides a way to save on CPU and bandwidth resources at the district's main office. "Anything that is not encrypted can be filtered at the campus level gateway appliances without having to come to the district level," he says. For instance, GeoCities traffic is banned so those requests never make it past the campus.
Kesner says it's important to wrap user education in with the deployment of your secure Web gateway. In addition to distributing acceptable usage policies, Kesner configured his appliance to send users a Web page that explains why a site has been blocked rather than just an error message.
For any secure Web gateway to be truly effective, companies must be able to respond to alerts and integrate the gateway with their trouble-ticket system, according to Mi5 Networks' Camplejohn.
Kesner agrees and says it's vital that organizations keep reports simple. "Some devices generate thousands of pages a day. That's too much to try to tackle," he says. Kesner's team receives alerts as well as daily reports that prioritize all threats including zombies, Trojans and botnets.
"The appliance gives us the level of criticality so we can get to the most important ones first. Once we detect a threat, we can remotely uninstall the executable that runs the program that is causing the harm," he says.
Eight questions for secure Web gateway success Choosing a secure Web gateway product or service can be challenging. Here are eight questions you should ask vendors to help determine which offering is right for your network.
1. What is the average latency for your offering?
Before you start to approach vendors about their products, you have to first figure out how much latency you can tolerate. For instance, if your users are depending on Web-based applications for real-time productivity, such as salesforce.com, then your latency has to be low. Make sure vendors know what applications will be monitored and/or controlled by the secure Web gateway so they can answer the latency question appropriately.
2. Did you build or buy the various parts of your secure Web gateway?
Since most secure Web gateways have been cobbled together based on piece parts from mergers and acquisitions, this is a critical question. While you don't have to shy away from companies that have meshed several products together, you do want to make sure they've integrated the products into a single management console and have made installation, upgrades and policy management a seamless process.
3. How does your technology roadmap mesh with my priorites?
Many secure Web gateway companies are still working on the various parts of their offerings. For instance, they might be strong in URL filtering, but weaker in application control. First determine the priorities for your own network – for instance, is malware filtering more important than application control – and then match your needs to the vendors' plans. Verify that your top issues will be addressed in products being delivered in the next few months.
4. How do you handle policy enforcement and management?
If you're a large enterprise with remote or branch offices around the world, you'll want a product with distributed policy enforcement and centralized policy management. You do not want to deal with backhauling Internet traffic to a central point just for policy enforcement – it's sure to create an instant bottleneck. However, you also don't want to have to set individual policies for hundreds of devices globally.
5. What form factors do you offer?
Today, there are a variety of ways to implement secure Web gateways: software, appliance, virtual appliance and service. If you are a company with numerous remote offices, purchasing and managing a device for each location can be expensive. Therefore, a service approach might suit you best. However, if you have a large IT staff and want more control over your network, then appliances might be the right choice for you.
6. Do you support bidirectional filtering?
Many companies have recognized that to be completely effective in the fight against malware, they must monitor both inbound and outbound traffic. For instance, they want to ensure that none of their machines have been compromised and are carrying out "phone home" commands that send sensitive data to remote machines.
Zero-day vulnerabilities are a common occurrence these days and secure Web gateway vendors should be able to tell you how they deal with these threats. Do they use non-signature-based methods such as heuristics and behavior patterns? If so, what are their success rates in detecting unknown threats? Ask for examples of malware they've been able to stop based on these methods. You'll also want to know what kind of performance hit having these extra safeguards causes. Then weigh your need for speed against your acceptable risk.
This is an often underrated part of the secure Web gateway choice, yet compliance rules dictate that you have strong reporting tools. You'll want real-time reporting in an easy-to-digest, centralized console that allows you to drill down into details. For instance, you'll want to be able to see the top users of various applications as well as the top threats for a particular time period. You'll want to make sure that the product or service you choose supports easy integration with your directory service.
Layering it on thick
New class of secure Web gateways are the ticket for securing next-generation Web application traffic.
Two years ago, Kesner, who had anti-virus, anti-malware and anti-spyware in place on each user's machine, found that his network was also the source of more than 50 exploits, and more than 1,000 different mid-level infections, including a few live "phone-home" attacks that were using the firm's machines to send information out of the network.
"That was disturbing to us. We thought we were protected all the way around. We even had firewalls on each user's machine," he says.
Kesner found the only way to combat the emerging threats was to use a new class of technology, secure Web gateways, that sit between the Internet and the edge of the network. Secure Web gateways employ a combination of URL filtering, malware filtering and application-level controls. They enable companies to control employees' access and use of Web applications and sites based on corporate and regulatory compliance policies.
Peter Firstbrook, research director for Gartner's Information Security and Privacy Group, first coined the term "secure Web gateway" in 2006 to describe a multifunction, integrated approach to Web security for Web-based applications.
"Most large enterprises today have some combination of network firewall, URL filter and proxy server to protect and manage Web traffic," says Firstbrook. However, he says these are proving to be woefully inadequate in dealing with Web threats like those generating from Web-borne malware. "Fewer than 15% of enterprises scan Web traffic for viruses," he says.
Firstbrook says secure Web gateways take security up a notch from traditional firewalls and desktop antivirus and anti-malware. "Just running antivirus in five places or scanning Port 80 traffic alone isn't enough. Some viruses aren't signature-based and a lot of spyware communicates on non-standard ports," he says, adding that malware is now using all protocols, not just HTTP, to penetrate networks.
He admits there's been an explosion in software and service providers eager to lead the secure Web gateway market.
For instance, Web and network security companies such as 8e6 Technologies, Aladdin Knowledge Systems, Computer Associates, Finjan, McAfee, Secure Computing, Sophos, SurfControl, Trend Micro and Websense have all created secure Web gateway offerings. Messaging security companies such as Barracuda Networks and IronPort Systems (now owned by Cisco) also have entered the secure Web gateway arena. Even alternative players, such as BlueCoat Systems, FaceTime Communications and Mi5 Networks, which Kesner uses, are developing secure Web gateway products and services.
Although companies can get some of the same functionality in point products, such as URL filters and anti-malware, they miss out on the benefits of unified policy management and integration, says Ted Ritter, research analyst at Nemertes Research. By bringing the URL filtering, malware detection and application control under one umbrella, companies can better enforce their corporate and regulatory compliance policies. Applying policies simultaneously to Web sites and content enables organizations to avoid data leakage, liability issues, and potential sexual harassment lawsuits.
Chris Bress, CIO at Charlotte County Public Schools in Port Charlotte, Fla., agrees. Recently, he discovered students were creating tunnels to off-site proxy servers to avoid the content filter and to access blocked sites that were in violation of the school's usage policies. Bress did not want to block all SSL traffic because administrators and teachers were conducting legitimate business, nor did he want to take time to block individual Web sites because "they were popping up like mushrooms," he says. He adds that installing content filters at each end point was cost-prohibitive.
Instead, he opted for BlueCoat's ProxySG appliance to manage the district's Web traffic. He installed one on each campus and at district headquarters to enforce and adjust application-level policies in real time. "On my desktop, at all times, I can see the top 30 Web destinations. We set thresholds and when things pop up I don't recognize, I can log into the campus-level appliance and see what's happening," he says.
Secure Web gateways offer IT a big advantage over desktop security tools: they allow for detection and remediation of problems before threats reach user PCs. "Preventing tenacious threats from getting onto the desktop is more desirable than attempting to remove them," Firstbrook says. He adds that managing policy in centralized gateways is far easier than managing policy on client desktops.
But for all their benefits, secure Web gateways do have some drawbacks. For instance, they work best in environments where SSL traffic from remote offices is backhauled to a central location to take advantage of centralized network security tools. "Gateways are expensive and difficult to manage in networks that provide direct access from multiple remote offices as opposed to backhauling traffic to a central Internet access point," Firstbrook says.
However, backhauling traffic can cause delays and bottlenecks. "SSL is processor-intensive and if a product is not designed correctly it can add overhead to traffic delivery times," according to Nemertes' Ritter.
Also, it will be difficult today to find a company that has bundled best-of-breed in URL filtering, anti-malware and application-level control. "They tend to be strong in one area… and are all struggling to shore up functionality across all three major areas," Firstbrook says.
Gartner reports the market for secure Web gateways reached almost $700 million last year, and Firstbrook expects that number to climb between 20% to 25% as companies shift over from pure plays such as URL filtering.
The options for how to implement secure Web gateways are also growing. Organizations can choose from a software, appliance or service approach. Some companies, such as Finjan, are even offering a virtual appliance model that allows companies to use secure Web gateways with standardized hardware environments such as blade servers, he says.
And while this may seem a lot to cram into one product, Firstbrook says enterprises can expect even more consolidation in the near future. "By 2010, we expect distinctions between e-mail and Web security gateway solutions to have dissolved," he says, adding the need for unified policy-based filtering of all inbound and outbound Web and Internet content will spur this market.
What makes a Secure Web Gateway Tick?
Three powerful tools in one Companies are shying away from best-of-breed point solutions for URL filtering, anti-malware filtering and Web application-level controlls in favor of the power-punch that an all-in-one secure Web gateway provides.
"This is the best position in the network to handle SSL traffic that's non-VPN as well as compliance," says Ted Ritter, research analyst at Nemertes Research. Some examples include: file transfers, instant messaging, Web-based voice and video over IP, and software-as-a-service, he says.
Secure Web gateways are available in several form factors, including software (ex: Computer Associates and Trend Micro); appliances (ex: Aladdin, Barracuda, Finjan, IronPort (Cisco), Mi5, Surf Control, Websense); and as a service (ex: MessageLabs and ScanSafe).
The critical elements to look for within secure Web gateways are a combination of URL filtering, malware filtering, and application-level control. Together, they allow companies to monitor, filter, and if necessary, inspect, inbound and outbound Web traffic.
*URL filtering --- URL filtering is one of the most common approaches to securing Web traffic today. This technique involves blacklisting sites that are known to be bad and whitelisting sites that are known to be good. Some vendors, such as Cisco's IronPort and Secure Computing, use reputational databases to add heft to their blacklisting techniques. IT managers can also map their corporate usage policies to their URL filters to make sure that users are not visiting categories of sites or even individual sites that are deemed inappropriate. Some companies, including Marshal, provide real-time URL categorization based on keywords, content analysis and user-defined criteria, says Peter Firstbrook, research director for Gartner's Internet Security and Privacy group.
*Malware filtering – Most companies offer signature-based malware protection so that known threats are not allowed onto or off of the network. However, with Web-based applications, Firstbrook says the bigger threat is non-signature-based malware, or zero-day threats, that can place viruses, Trojans or botnets on your network. For signature-based filtering, vendors scan traffic against their database of known threats. Some vendors, such as Mi5, also use heuristics based on behavior and pattern matching, for real-time traffic analysis.
*Application control – Although application firewalls have been around for a while to protect applications from code-level attacks such as SQL injections and cross-site scripting, Internet application control is relatively new. The goal is to gain visibility into these applications and then control access and use of them via policies, says Chris King, director of strategic marketing at Blue Coat Systems in Sunnyvale, Calif.
To facilitate application control, "you have to proxy all of the key protocols in a rich enough manner that you can detect specific applications, user agents, users and content," King says.
Firstbrook agrees, saying vendors should be able to recognize protocols beyond HTTP, including SMTP, FTP, voice over IP and other types of Web-application traffic. Vendors, such as FaceTime, allow a deep focus on Web-based communications networks, including Skype and instant messaging, as well as peer-to-peer networks like BitTorrent. Finjan does deep-code inspection, breaking up HTML into separate components, such as text and style sheets, to search for malicious code. The vendor also scans active content, such as ActiveX and Java, for potential malware.
Application control enables organizations to apply detailed policies to these newer applications. For instance, companies can set policies that say users can interact over instant messaging but not click on links within those messages.
What makes secure Web gateways an attractive offering is the bundling of these three areas with integrated management and reporting. In one product or service, IT teams can filter, detect and remediate all known and unknown Web-application-based threats. For instance, Mi5, which integrates with LDAP and Active Directory, alerts you to infected machines and then automatically cleans the machine before allowing it back on the network.
Gittlen is a free-lance technology writer in the greater Boston area. She can be reached at firstname.lastname@example.org.
Cisco Virtual Security Gateway (VSG)
Design Massively-Connected Web Service Security Gateway.pdf