Secure web gateway solutions help keep enterprise networks from falling victim to malware and threats carried by internet traffic and seemingly harmless websites. At a minimum, they monitor and prevent data from malicious websites, online services and web applications from entering an internal network and infecting systems.
This is accomplished through various components, including malware detection and URL filtering. In many instances, they also help prevent malware from “calling home” and can stop the inadvertent or intentional leakage of sensitive corporate and private data by regulating outbound traffic.
On the surface, web security gateways seem to have a lot in common with cloud security gateways, or cloud security access brokers (CASBs) as they are commonly called, and indeed, there’s some overlap that becomes apparent in some vendor offerings. But where web security gateways are more generalized in the protection they offer enterprise networks from countless threats online, CASBs are generally focused on enforcing enterprise security policies on cloud services, SaaS applications and the like.
Web gateways were one of the top IT security spending priorities in eSecurity Planet’s 2019 State of IT Security survey – and also one of the technologies users have the most confidence in.
Below are some top secure web gateway vendors, along with the capabilities they offer. Jump to:
Symantec’s web gateway solutions are available as a globally distributed cloud service, offering proxy-based protection for web, mobile and cloud application traffic. It offers file inspection and malware sandboxing, web isolation, data leak prevention and integrated intelligence on web threats and cloud application risks, said Mark Urban, the company’s VP of Product Strategy and Operations. In addition to a cloud service, the solution can be deployed on-premises, virtual or in an IaaS provider. Unified security policy management is available across all deployment approaches.
On the cloud front, Symantec plays to its strengths by delivering anti-virus scanning and quarantining capabilities. Cloud access security broker (CASB) capabilities allow IT teams to enforce security and user access policies governing cloud usage. Symantec’s on-premises Advanced Secure Gateway incorporates the company’s ProxySG content inspection appliance with its high-performance Content Analysis technology to securely manage web and cloud use with minimal impact on the end-user experience.
The iboss Distributed Gateway Platform offers a node-based cloud architecture that provides non-shared web gateway resources, isolates customer data, and offers on-demand scalability. “Delivered through the cloud, as a service, and managed through a single interface, the iboss Distributed Gateway Platform’s unique approach provides customers with financial predictability, control over upgrade cycles, and the choice of where to store their data without exposure to the risks associated with other shared-cloud services,” said Paul Martini, iboss CEO and co-founder.
iboss enables content filtering on all ports and protocols and behavioral analysis, along with real-time malware detection, including mobile threats. The product offers bandwidth optimization, cloud application and social media usage controls along with secure socket layer (SSL) decryption capabilities.
Dubbed simply McAfee Web Gateway, the company’s on-premises solution is available as a hardware appliance or a virtual machine for VMware and Microsoft Hyper-V. For added protection against malware and attacks, it integrates with several of McAfee’s security offerings, including McAfee Endpoint Security and McAfee Advanced Threat Defense, to name a few.
Providing both inbound and outbound protection, it employs a layered approach, first enforcing internet use policies then using content analysis on allowed traffic to block malware and other malicious code. It also examines SSL traffic to spot threats that are cloaked in encryption.
To prevent sensitive data from sneaking off a network, it borrows technologies from McAfee Data Loss Prevention to scan outgoing data on HTTP, HTTPS, FTP and other web protocols. It can be used to block the transfer of regulated or confidential information passed to social networks, online productivity and collaboration apps and webmail services, plus prevent infected endpoints from transmitting data and contacting a botnet’s command and control servers.
In addition to web filtering and reporting capabilities, F5 Secure Web Gateway Services adds malware detection and supports the ability to intercept and inspect SSL traffic for hidden malicious code. One perk is a federated single sign-on feature that allows users to log into a portal for authentication purposes at the start of their workday and provides time-saving single sign-on functionality throughout the day, so they don’t spend time valuable time logging back into their apps.
Check Point Software
Check Point Secure Web Gateway blocks access to millions of malicious websites, courtesy of a cloud-based service that updates its URL filtering catalog in real-time. Organizations can also block dangerous applications or specific application features using the company’s expansive app library.
Check Point’s ThreatCloud security intelligence provides malware detection, while an optional anti-bot integration provides post-infection detection and containment. Another integration, with the company’s intrusion prevention system (IPS), can be used to stop exploits targeting application and browser vulnerabilities.
zScaler offers secure internet gateway services, part of the company’s Zscaler Cloud Security Platform. Informed by a robust cloud footprint, which encompasses over 100 data centers and processes 40 billion transactions and blocks 100 million threats each day, it provides URL and content filtering, along with malware protection, and in some packages bandwidth control and SSL inspection.
It makes sense that computer networking giant Cisco would also supply systems that can keep its customers’ networks safe.
Cisco Web Security Appliance (WSA), available as hardware and virtual appliances, automatically blocks dangerous websites and tests unknown sites to prevent the spread of malicious code. An automated inbound and outbound traffic analysis system scans for malware while web content is vetted by the company’s behavior-based analysis and dynamic reputation technologies. Customers can add advanced threat detection with Cisco’s Advanced Malware Protection for Web Security, which includes Cognitive Threat Analytics, a machine learning security solution that boosts the platform’s web filtering software capabilities.
Available as a hardware or virtual appliance, Barracuda Web Security Gateway covers all the basics, including URL filtering and malware detection. Customers can also use the solution to provide remote filtering and regulate social media use and web application activity. For companyies seeking a hosted alternative, Barracuda Web Security Service, a cloud-based web content filtering and malware protection platform, offers similar functionality.
Forcepoint URL Filtering uses the firm’s ThreatSeeker Intelligence platform to analyze up to five billion requests each day spanning 900 million endpoints and 155 countries. It features 120 web security and content controls, including bandwidth and video streaming, that can be used to craft customized policies.
The Austin, Texas based company formerly (formerly Websense) also offers Forcepoint Web Security, a cloud-based and/or on-premises product that blocks malicious web content and threats, complete with malware sandboxing, along with cloud application detection and monitoring capabilities that help stamp out shadow IT.