Secure web gateway (SWG) solutions help keep enterprise networks from falling victim to ransomware, malware, and other threats carried by internet traffic and malicious websites. At a minimum, they monitor and prevent data from malicious sites, online services, and web applications from entering an internal network and infecting systems.
This is accomplished through various components, including malware detection and URL filtering. In many instances, they also help prevent malware from “calling home” and can stop the inadvertent or intentional leakage of sensitive corporate and private data by regulating outbound traffic.
Secure web gateways, then, provide fast, secure access to the Internet and SaaS, making digital business a safe and productive experience. During the pandemic, their importance has been amplified as organizations accelerate digital transformation efforts across cloud, SaaS, and mobility.
As end users represent the biggest cyber risk to enterprises, secure web gateways are an important cornerstone of IT security, along with employee cybersecurity training and secure email gateways.
See our picks for the best secure email gateways and employee cybersecurity awareness training.
How Secure Web Gateways Work
Modern secure web gateways serve several key functions.
They prevent advanced attacks from reaching users with consistent, always-on protection regardless of location. SWGs achieve this by blocking web-based attacks that forward malware, phishing, drive-by downloads, ransomware, supply chain attacks, and command-and-control actions.
Some tools now prevent data loss by inspecting data-in-motion with data loss protection (DLP) controls as information goes outbound to the internet or SaaS apps. They also safeguard data-at-rest.
SWGs enforce acceptable use policies aligned with the needs of the business, ensuring users only access appropriate content that is allowed by the organization, which can also minimize productivity loss from unauthorized applications like social media and online video sites.
They also help accelerate secure digital transformation by providing secure, direct-to-cloud connectivity to the internet, SaaS, and cloud platforms over the shortest path possible.
See also: How Does a Secure Web Gateway Work?
Key Features of Secure Web Gateways
Secure web gateways are available from a wide range of vendors. As such, they come with a wide range of features. These include:
- Domain and URL filtering (website categorization and classification)
- Application control (granular social media controls, Office 365 support)
- Logging and reporting
- Mobile device support
- Malware detection
- SSL/TLS decryption
- Proxy HTTP and HTTPS traffic for users wherever they are in the world (on-premises, cloud, and hybrid deployments)
- Decryption of HTTPS traffic
- DLP scanning of web traffic
- Anti-malware scanning
- Leveraging artificial intelligence and machine learning (AI and ML) to detect, classify, and stop attacks and enforce acceptable use policies
Top Secure Web Gateways
Below are some top secure web gateway vendors, along with the capabilities they offer. Many of these vendors also rank on our top next-gen firewall (NGFW) page.
The Barracuda Web Security Gateway lets organizations benefit from online applications and tools without exposure to web-borne threats (such as phishing) or diminished user productivity and misused bandwidth. It unites spyware, malware, and virus protection with a policy and reporting engine. Other features ensure that organizations adapt to emerging requirements like social-network regulation, remote filtering, and visibility into SSL-encrypted traffic.
- Blocks access to malicious content by protecting local and remote users from accessing malicious websites and files
- Protects employee productivity by stopping unproductive or inappropriate web browsing with granular access policies
- Enforces corporate policies to increase productivity, stay compliant with the regulatory frameworks, regulate bandwidth usage, and prevent risky behavior
- Monitors network and user activity to gain insight into user activity and network threats via a dashboard and integrated reporting
- Offers content filtering, remote filtering, and application control
- SSL inspection
- Integrated cloud and on-premises functionality
- Elastic and scalable serverless architecture and auto-scaling
- Agent-based, proxy-free architecture
- Zero latency for distributed users
- Privacy (customer traffic does not leave their network)
- Integration with full email protection capabilities
- Available as SaaS, virtual appliance, or hardware
An integrated component of the Zscaler Zero Trust Exchange platform, Zscaler Internet Access (ZIA) provides fast, secure access to the internet and SaaS for digital transformation, making the web a safe place for business. ZIA is the only leader in the latest Gartner Magic Quadrant for Secure Web Gateways.
- Delivered entirely as a cloud service, ZIA is delivered from 150 global cloud edge locations close to every user, headquarters, and branch office
- Processes over 200 billion daily transactions, stopping over 100 million threats each day
- 99.999% availability
- Encrypted traffic inspection: As a proxy architecture that terminates every connection inline, ZIA can perform full inspection of all traffic, including SSL/TLS
- AI-based security services to stop cyberattacks and prevent sensitive data loss
- Integrated with Zscaler tools and services including Cloud Firewall, Cloud IPS, Cloud Sandbox, Cloud DLP, CASB, and Cloud Browser Isolation
- By enforcing least-privilege access controls and eliminating the attack surface, it offers a zero trust architecture
- ZIA scales to the largest global enterprises
- AI-powered quarantine that stops never-before-seen threats before they reach their target
Note: McAfee Enterprise is now under the Trellix name after merging with FireEye, but McAfee’s cloud products will become a separate company later this year. For now we will continue to keep both McAfee and FireEye products on this list as branding is sorted out.
MVISION Unified Cloud Edge by McAfee Enterprise is cloud native and converges an SWG with a Cloud Access Security Broker (CASB), Remote Browser Isolation (RBI), Zero-Trust Network Access (ZTNA), and Endpoint DLP technologies. This provides contextual awareness and rapid response capabilities when inspecting web traffic.
- C-managed and cloud-delivered with over 85 global points of presence
- Hybrid deployments are supported by combining on-premises virtual and hardware appliances
- Data security via a DLP scanning engine, a shared set of data classifications, and a unified incident management framework
- CASB technology informs policy decisions with a business risk dimension by incorporating a cloud registry of over 30,000 analyzed cloud services using over 260 risk attributes
- Remote browser isolation (RBI) is a free baked-in feature that enables isolation of any client browser from potentially harmful web content by loading all requested content in an ephemeral browser in a McAfee datacenter and permitting only a visual stream to reach the local browser
- Zero-Trust Network Access visibility and control to private applications while performing device posture analysis and eliminating the need for VPNs
- Covers all potential data loss vectors (endpoint, web, SaaS, IaaS, private applications, network)
- Uses a policy scripting language to control behavior
- McAfee Enterprise’s Gateway Anti-Malware (GAM) engine is an emulation-based sandbox that detects zero-day threats by performing behavioral analysis in real time. This runs faster than a traditional AV scan protecting patient zero and yet provides the anti-malware efficacy of a virtualization sandbox solution
FireEye Network Security helps organizations minimize the risk of breaches by detecting and stopping targeted and other invasive attacks hiding in internet traffic. It facilitates resolution with concrete evidence, actionable intelligence, and response workflow integration. It also offers protection against threats, whether they exploit Microsoft Windows, Apple OS X operating systems, or application vulnerabilities.
- Multi-Vector Virtual Execution (MVXis a signature-less analysis engine that inspects suspicious network traffic to identify attacks that evade traditional signature- and policy-based defenses
- Multiple machine learning, AI, and correlation engines form a collection of contextual, rules engines
- Includes intrusion prevention system (IPS) technology to detect common attacks using conventional signature matching
- Available in a variety of form factors, deployment, and performance options
- Rapidly detects known and unknown attacks with accuracy and few false positives
- Stops infection and compromise phases of the cyber-attack kill chain by identifying never-before-seen exploits and malware
- Extracts and submits suspicious network traffic to the MVX engine for a verdict analysis
- In addition to client-side protection, engines support server-side detections, lateral movement detection, and detection on post-exploitation traffic
- Alerts generated include real-time concrete evidence to respond to, prioritize, and contain targeted and newly discovered attacks
- FireEye Network Security issues TCP resets for out-of-band blocking of TCP or HTTP connections
- Selected models offer an active high availability (HA) option to provide resilience in case of network or device failures
The CyBlock Employee Web Filtering and Monitoring Cloud Service provides web filtering, threat protection, employee reporting, and Smart Engine analytics in a deployment requiring no hardware or software to buy and install and no ongoing maintenance.
- Configure policy exceptions for different users and groups
- Use white & black lists to restrict or allow access to certain sites
- Limit users’ time online by hour and day of the week
- Inspect or tunnel HTTPS by website, category, or user ID
- Identify and stay ahead of malware sites
- Comprehensive employee reporting, including by entire organization, groups, users, and categories
- Complies with government and industry regulations such as CIPA and HIPAA
- Smart Engine with machine-learning analytics makes technical data easy to consume and manager-ready
- Analyze large volumes of data over long periods of time
F5 Secure Web Gateway Services verify endpoint integrity before and after users connect to the web. It secures against both inbound and outbound malware. With URL categorization and filters, you can allow, block, or confirm and continue access to sites and applications on a user-by-user basis. It provides security without compromising employee productivity.
- Gathers content- and context-aware data, then processes it using malware analytics tools to detect patterns that indicate complex attack vectors, like advanced persistent threats (APTs)
- Monitors web and social media content
- By processing up to five billion content requests daily, it analyzes current data to predict, locate, and identify the latest threats
- See who is visiting which sites and enable user-based web security policies through user identity tracking
- Monitor and control off-premises or cloud-based user web activities with a single management view
- Log web activity in forensic detail and publish it to security information and event management (SIEM) solutions
- Use the web-based Splunk App to access aggregated graphical reports on top users and web categories
Cisco Umbrella: Secure Internet Gateway (SIG) Essentials package offers firewall, web gateway, threat intelligence, and cloud access security broker (CASB) tools as a single, cloud-delivered service and dashboard. By enforcing security at the DNS and IP layers, Umbrella blocks requests to malicious and unwanted destinations before a connection is established—stopping threats over any port or protocol before they reach networks or endpoints.
- In a security efficacy test by AV-TEST, Cisco Umbrella received the highest threat detection rate in the industry at 96.39%
- SIG Essentials can be integrated with an SD-WAN implementation
- The visibility needed to protect internet access across all network devices, office locations, and roaming users
- Reporting for DNS activity by type of security threat or web content and the action taken
- Ability to retain logs of all activity as long as needed
- Fast rollout to thousands of locations and users
- Secure web gateway (full proxy) Umbrella includes a cloud-based full proxy that can log and inspect all web traffic
- IPsec tunnels, PAC files, and proxy chaining can be used to forward traffic for visibility, URL and application-level controls, and threat protection
- Content filtering by category or specific URLs to block destinations that violate policies or compliance regulations
- The ability to efficiently scan all uploaded and downloaded files for malware and other threats using the Cisco Secure Endpoint (formerly Cisco AMP) engine and third-party resources
- Cisco Secure Malware Analytics (formerly Threat Grid) analyzes suspicious files (500 samples/day)
Forcepoint Web Security offers real-time protection against threats and data theft with multiple deployment options and modules. Its content-aware defenses and cloud app discovery and monitoring reduce risks to sensitive data for on-premises and mobile users.
- Easily integrates with other Forcepoint solutions for unified, consistent security controls
- Real-time analysis for threat protection to inspect traffic content and usage patterns, using up to eight different defense assessment areas for identifying malware, phishing, spam, and other risks to the enterprise
- Decision engine that identifies the nature and format of the digital artifact being analyzed and routes it through to the most appropriate defense assessment area for real-time scanning
- Dashboard access to forensic data and reporting on who was attacked, what data was targeted, the data’s intended endpoint, and how the attack was executed
- Defenses analyze inbound and outbound communications
- Integrated data theft defenses (optional) detect and intercept data theft attempts and provide regulatory compliance for DLP
- Integrated sandboxing to protect assets through automatic analyzing of malware behavior
Check Point Harmony Connect Internet Access protects internet access for remote users via a lightweight client. It blocks phishing sites in real time, prevents zero-day malware through sandboxing, and protects against browser exploits with intrusion prevention system (IPS) deep packet inspection (virtual patching).
- Real-time threat intelligence aggregated from Check Point ThreatCloud ensures that every site visited and file downloaded is inspected and vetted, blocking the most evasive attacks before they can reach users
- Includes DLP, URL filtering, and application controls with over 8,600 pre-categorized internet and SaaS applications
- Best catch rate for both known and unknown malware: Fastest time to verdict (up to 4 minutes), fastest time to virtually patch against new vulnerabilities (via IPS), and fastest update of Threat Intelligence feeds
- Multi-layer protection with real zero-day protection—threat emulation can hold the file in a sandbox until a verdict is reached
- Unified policy management available either through SaaS or SmartConsole
Further reading: Top Next-Generation Firewall (NGFW) Vendors