Secure web gateways sit between internal users and the internet, analyzing traffic in and out of networks for malicious content and policy compliance.
Given the important role employees play in IT security, web gateways are one of the top IT security spending priorities, according to eSecurity Planet‘s 2019 State of IT Security survey, and also one of the tools that security pros have the most confidence in.
The popularity of web gateways won’t be waning anytime soon. Analysts generally expect 20% growth in the web gateway market for the foreseeable future, with sales more than doubling to $12 billion by 2025.
See our picks for Top Secure Web Gateway Vendors.
- What is a secure web gateway?
- What does a secure web gateway do?
- Secure web gateways vs. firewalls
- Secure web gateways vs. CASBs
- How to implement a secure web gateway
- Gateway security trends
- Secure web gateway market
So what exactly is a secure web gateway? A secure web gateway is an advanced, cloud-delivered or on-premises network security service. It enforces consistent internet security and compliance policies for all users regardless of their location or the type of computer or device they are using.?These gateway security tools also provide protection against threats to users who are accessing the internet via the web or are using any number of web-based applications. They allow organizations to enforce acceptable use policy for web access, enforce compliance with regulations and prevent data leakage.
As a result, secure web gateways offer a way to keep networks from falling victim to incursions through internet traffic and malicious websites. They prevent data from such places from entering the network and causing a malware infection or intrusion.
This form of gateway security is accomplished through malware detection, URL filtering, and other means. A gateway effectively blocks malware from calling home and acts as a barrier against sensitive intellectual property being stolen or sensitive data such as social security numbers, credit card numbers, and medical information getting into the wrong hands. The web gateway secures people, processes or programs from downloading or accessing external sites, software, or data that could harm them, or the organization. Additionally, they stand in the way of untoward, unauthorized access from the outside.
A secure web gateway, then, is a solution that filters unwanted software or malware from user-initiated web and internet traffic while enforcing corporate and regulatory policy compliance. These gateways must, at a minimum, include URL filtering, malicious-code detection and filtering, and application controls for popular web-based applications, such as instant messaging (IM) and Skype. Native or integrated data leak prevention is also increasingly being included in these products. Similarly, analysts note convergence with other security technologies such as endpoint protection, network firewalls, and threat detection.
How does a secure web gateway work? As a web proxy, a secure web gateway terminates and proxies web traffic (ports 80 and 443), inspects that traffic via a number of security checks, including URL filtering, advanced machine learning (AML), anti-virus (AV) scanning, sandboxing, data loss prevention (DLP), cloud access security brokers (CASBs), web isolation and other integrated technologies.?Web gateways apply policies and enforce threat prevention and information security rules based on user, location, content, and a variety of other factors.
This form of gateway security can stop known and unknown threats in their tracks. This includes zero day and other forms of advanced threats.
Web gateways start with URL filtering
URL filtering is typically the first layer. It blocks access to known malicious URLs and can form a buffer against zero day threats. It does this by recognizing new URLs that are similar to or the same as known malicious web servers.
Further layers such as AML and AV can remove attempted downloads of threats, including new and unknown threats.?Sandboxing is also included in some secure web gateways. It conducts real-time blocking and can prevent targeted attacks by emulating a company’s environment.
Web isolation is another element that some vendors have incorporated. It runs web server code and malicious code in a virtual instance that is isolated from the user. DLP, too, can be used to stop unauthorized data leakage.
Some people have confused secure web gateways with firewalls. So what is the difference? Secure web gateways are dedicated cloud services or appliances for web and application security.?They are proxies (meaning they terminate and emulate network traffic). Because of specialization, they can detect and protect against much more sophisticated and targeted attacks that use the web.
Firewalls have a different function. Firewalls are great at packet-level security, but are not as sophisticated on the application layer for security, said Gerry Grealish, head of Product Marketing for Cloud & Network Security Products at Symantec.?Firewalls typically do not terminate or inspect entire objects, and many are reliant on stream-based AV scanning as a defense against malware. That’s why evasive threats operating on an application level can easily bypass some firewall defenses.?But the clear distinction between secure web gateways and firewalls is beginning to blur.
Some cloud-delivered secure web gateway services now offer an optional cloud firewall service to enforce controls on non-web internet traffic.
Cloud access security brokers (CASBs) are another technology that can sometimes be confused with secure web gateways. And indeed, there is some overlap. Generally speaking, CASBs are able to recognize a greater range of applications than secure web gateways. They can also provide more detail and control over the use of applications.
Grealish says CASBs and web gateways are both needed. A secure web gateway needs a CASB for full visibility and control, and a CASB needs a secure web gateway for full traffic and log information of web and application activity.?By working together, they offer comprehensive gateway security for the web as well as application security.
As in many areas of security technology, convergence is evident. Some vendors have integrated secure web gateways with CASBs.?This trend is accelerating. By tying together CASB and secure web gateway functions, it is much easier to provide access security capabilities to SaaS applications.
A secure web gateway can be deployed as an all-cloud solution, as an all on-premises solution, or in a hybrid deployment.?Traffic can be sent to it by placing the gateway in-line, by sending web traffic to the secure web gateway using generic routing encapsulation (GRE) or policy-based routing, by using proxy auto config (PAC) files on the client, or via agents placed on the client.
Gateway security solutions are typically deployed as software loaded onto existing servers, whether they are physical, virtual, or containerized. Appliances are also available, either as containers, virtual appliances or hardware appliances. Increasingly, cloud-based secure web gateways are becoming available.
By far the most dominant trend in gateway security is the move to the cloud.?Over the last few years, companies have largely gotten over their fears about cloud security. Many now recognize the benefits of cloud-delivered security in addition to on-premises solutions. Some deploy both. Others have decided to move entirely to the cloud.?In fact, some cloud web security gateways are as fully functional as on-premises deployments.
Cloud-based services can offer advantages. In some cases, they offer lower latency and higher performance. This is particularly true if they are deployed close to end user locations such as remote offices, and when they are placed in a way that facilitates application mobility. As a result, the likelihood is that new gateway security rollouts will be in the cloud. Enterprises will maintain their existing on-prem secure web gateways until they reach end of life, but that part of the market is unlikely to experience much growth.
With almost half of all attacks and malicious traffic using encryption, secure web gateways are also adding the ability to decrypt SSL traffic. However, some technical challenges still have to be overcome to make this technology operate well in multi-tenant environments while remaining scalable and offering acceptable performance.
Web isolation is another trend: protecting the user from risky and unknown websites by running the web browser in an isolated environment. Web isolation can even be extended to all sites for high-profile users such as the CEO or CFO, who are often subject to targeted attacks. Potential phishing emails, for example, are opened in a read-only environment to protect users from accidently revealing personally identifiable information.
Greg Schulz, an analyst at Server and StorageIO Group, said the complexity of modern enterprises is a common challenge in secure web gateway deployments. Common themes include cloud, containerization and convergence, along with broader hybrid deployments spanning legacy, software-defined on-premises, and single or multi-cloud environments.
With the rise of social networks, another growing interest is enabling secure web gateways to deal with threat vectors from platforms such as Facebook, Instagram, and Twitter. Filtering file uploads, instant messaging and chats is an area several vendors are adding, and most of the others are working on adding it. This capability is of particular interest to those in sectors such as financial services, education, government, and retail.
There are a variety of vendors operating in the secure web gateway space, among them Symantec, iboss, F5, Check Point Software, zScaler, Barracuda, Forcepoint, McAfee and Cisco. Most of these companies are now emphasizing cloud-based gateway security. Although many still carry, maintain and market their on-premises versions, the competitive battleground has largely shifted to the cloud.
According to Gartner, Symantec and Cisco are the market leaders in terms of revenue. Their efforts in this space give an indication of where the market is heading. Symantec favors proxy-based SWG appliances and services. Cisco, on the other hand, has concentrated on a hybrid of DNS and proxy capabilities. Both have acquired CASB technology and have been integrating it with their secure web gateways. Cisco has also added DNS-based inspection into its package. This allows it to use DNS for most inspection traffic to raise performance. More involved content inspection of potentially risky websites can be done using HTTP/HTTPS proxying.
Cloud offerings have been growing at around 30 percent per year for the last several years, according to Gartner. When coupled with growing integration with other security features, on-premises standalone secure web gateways are slowly giving way to larger cloud-based suites that incorporate gateway security. This is generating a climate that is ripe for acquisition and consolidation. Currently, Cisco, Symantec and zScaler appear to be the furthest along in the development of consolidated gateway security platforms. But regardless of how many new features are incorporated, the basic functions of secure web gateways remain central to maintaining enterprise security.