What is a Secure Web Gateway?
Organizations can enhance their defense-in-depth strategies by using secure web gateways (SWGs) to protect their users’ internet traffic. SWGs can block malware and malicious websites, prevent data exfiltration, and prevent access to unauthorized sites or web apps. Gartner defines an SWG as “a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance.”
This article will explain why organizations use SWGs, how they work, and how a secure web gateway can support your Zero Trust Network Access strategies.
Most organizations have used some combination of content filters, network access controls, and other technologies to block malware and prevent users from accessing unauthorized websites. Ever since Gartner gathered many of these features together by coining the term secure web gateway, vendors have marketed their filtering technologies under the SWG banner. More than a buzzword, however, SWGs deliver tangible benefits:
SWGs scan all inbound and outbound internet traffic, blocking outgoing access to insecure websites and comparing incoming traffic against deny lists of known malware and malicious websites. When users access HTTPS websites, the SWG decrypts the traffic, evaluates it, and re-encrypts it before forwarding, so that encrypted sessions can be inspected as well.
Of course, unknown threats are the most dangerous. Advanced SWGs incorporate artificial intelligence, machine learning, and other heuristics to detect patterns associated with emerging threats.
Protecting traffic entering or leaving a private network is not enough. The rise of work-from-home and bring-your-own-device policies has stretched attack surfaces far beyond the network perimeter. A remote worker’s internet traffic could expose the protected network to malicious software. Requiring all users, internal or remote, to access the internet through an SWG reduces these risks significantly.
Detailed activity logs give network administrators more visibility into their organization’s internet activity. Unusual, risky, or unauthorized internet use becomes easier to identify and address. After a successful breach, SWG logs give forensic investigations more data to discover the source and impact of the attack.
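The visibility the paragraph above describes only pays off if someone actually reads the logs. The following Python script is an added example (not code from the article or from any SWG vendor) showing three simple triage checks over SWG activity logs: users with repeated blocked requests, single large uploads to untrusted destinations, and request patterns repeating at a near-constant interval. The log format, the users, hosts, addresses and thresholds are all constructed for the example; a real gateway logs in its own format, so `parse_log()` is the part to adapt.

```python
"""Triage of secure web gateway activity logs.

Added example, not code from the article or from any SWG vendor. The log
format is constructed for illustration: one space-separated record per
line with the fields
    timestamp user src_ip method url action category bytes_out bytes_in
"""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample records: hypothetical users, hosts and addresses.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z alice 10.0.1.15 GET https://intranet.example.com/home ALLOW business 512 20480
2024-03-04T09:02:30Z alice 10.0.1.15 GET https://cdn.example.net/app.js ALLOW business 300 90210
2024-03-04T09:05:01Z bob 10.0.1.22 GET https://tiktok.com/ BLOCK social 400 0
2024-03-04T09:05:03Z bob 10.0.1.22 GET https://tiktok.com/login BLOCK social 400 0
2024-03-04T09:05:07Z bob 10.0.1.22 GET https://facebook.com/ BLOCK social 400 0
2024-03-04T09:05:09Z bob 10.0.1.22 GET https://facebook.com/feed BLOCK social 400 0
2024-03-04T09:06:44Z bob 10.0.1.22 GET https://www.youtube.com/ BLOCK video 400 0
2024-03-04T09:10:00Z carol 10.0.1.31 POST https://paste-host.example.org/upload ALLOW uncategorized 52428800 1024
2024-03-04T09:12:15Z carol 10.0.1.31 GET https://news.example.com/ ALLOW news 600 40000
2024-03-04T09:13:15Z dave 10.0.1.40 GET http://update-check.example.xyz/beacon ALLOW uncategorized 200 10
2024-03-04T09:14:15Z dave 10.0.1.40 GET http://update-check.example.xyz/beacon ALLOW uncategorized 200 10
2024-03-04T09:15:15Z dave 10.0.1.40 GET http://update-check.example.xyz/beacon ALLOW uncategorized 200 10
2024-03-04T09:16:15Z dave 10.0.1.40 GET http://update-check.example.xyz/beacon ALLOW uncategorized 200 10
"""


@dataclass
class Record:
    ts: datetime
    user: str
    src_ip: str
    method: str
    url: str
    action: str
    category: str
    bytes_out: int
    bytes_in: int

    @property
    def host(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_log(text: str) -> list[Record]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9:
            continue
        records.append(Record(
            ts=datetime.fromisoformat(fields[0].replace("Z", "+00:00")),
            user=fields[1], src_ip=fields[2], method=fields[3], url=fields[4],
            action=fields[5], category=fields[6],
            bytes_out=int(fields[7]), bytes_in=int(fields[8])))
    return records


def repeated_blocks(records: list[Record], threshold: int = 3) -> dict[str, int]:
    """Users whose requests were blocked at least `threshold` times (policy violations)."""
    counts = Counter(r.user for r in records if r.action == "BLOCK")
    return {user: n for user, n in counts.items() if n >= threshold}


def large_uploads(records: list[Record], min_bytes: int = 10 * 1024 * 1024,
                  trusted: tuple = ("business",)) -> list[tuple[str, str, int]]:
    """Single requests pushing at least `min_bytes` to a non-trusted category."""
    return [(r.user, r.host, r.bytes_out) for r in records
            if r.bytes_out >= min_bytes and r.category not in trusted]


def periodic_requests(records: list[Record], min_count: int = 4,
                      max_jitter: float = 5.0) -> list[tuple[str, str, int]]:
    """(user, host) pairs contacted at a near-constant interval; worth a closer look."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for r in records:
        by_pair[(r.user, r.host)].append(r.ts)
    findings = []
    for (user, host), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= max_jitter:
            findings.append((user, host, round(mean)))
    return findings


def triage(text: str) -> dict:
    """Run all three checks over a log and return the findings by check."""
    recs = parse_log(text)
    return {"repeated_blocks": repeated_blocks(recs),
            "large_uploads": large_uploads(recs),
            "periodic_requests": periodic_requests(recs)}


if __name__ == "__main__":
    for check, result in triage(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

The thresholds are deliberately low so the constructed sample triggers every check; in practice they are tuned per organization, and each finding is a lead for an analyst rather than a verdict.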
Whether set by the company or defined by regulation, internet access policies must be enforced. Company policies may prevent access to popular web apps such as Facebook or TikTok. In highly regulated industries, policies may block access to any website not on a pre-defined allowlist. Channeling all users’ internet activity through the company SWG proactively enforces policies and improves the organization’s compliance efforts.
All SWG products scan incoming traffic for malicious activity. Advanced products also scan outgoing traffic for signs of data exfiltration. The SWG’s ability to scan encrypted HTTPS traffic stops more sophisticated hacking attempts.
Gartner’s vision of the Secure Access Service Edge (SASE) foresees the convergence of several networking technologies, including secure web gateways. SASE is a cloud-native architecture in which policy enforcement occurs at the network’s edge. As a result, SWGs have become part of many enterprises’ long-term network strategies.
Secure web gateways are proxies inserted between end-users and the internet. They can be implemented in traditional network architectures as appliances or proxy servers. This centralized approach, however, has drawbacks. Like VPN gateways, secure web gateways concentrate user traffic. Bandwidth bottlenecks and increased latency can be an issue — especially with geographically dispersed workforces.
Cloud-based SWG providers use software-as-a-service business models and large point-of-presence (PoP) networks to address these performance issues. A company’s facilities and remote users connect to the provider’s nearest PoP rather than a central hub.
Secure web gateways are distinct from IPsec virtual private network (VPN) gateways. VPN technology controls remote access into a protected network. Although it may have security features that apply to remote users’ outbound traffic, the VPN gateway only addresses part of the company’s user base. In contrast, an SWG inspects internet traffic generated by all users, remote or on-premises.
Whatever implementation a company chooses, how the secure web gateway works is the same. A user’s outbound traffic first passes through the SWG before continuing to the internet. Likewise, the return traffic must go through the SWG before arriving on the user’s device. Every outbound and inbound packet gets inspected and evaluated in the context of company policy. These policies can include:
- URL filtering - A deny list defines the websites and web apps that users may not access. This list may be limited to known malicious sites such as malware control servers. Companies can also add specifically unauthorized websites to the deny list.
- Malware scanning and blocking - SWG providers maintain and regularly update malware lists. The gateway inspects packets for signs of these known threats. If the SWG supports the feature, it will search for signs of unlisted, emerging threats. In addition, gateways can use sandboxes to run incoming code in a protected environment to detect malware.
- Application control - Companies can block access to Facebook, YouTube, and other web apps to improve productivity and network performance. Organizations in highly regulated industries such as finance or healthcare may use application controls to limit users’ internet activities.
- Content inspection and filtering - As secure web gateways inspect inbound user traffic, they can filter video and other content that the company does not want on their private networks. Advanced SWGs will also inspect outbound traffic for signs of data exfiltration by rogue users or cybercriminals.
Secure web gateways are built on similar paradigms to VPN and other legacy technologies. Deep down, they assume that certain kinds of traffic are inherently trustworthy. URL filters, for example, assume that any web address not included on the deny list is safe for users to visit. When a user reaches a compromised website, the SWG relies on packet inspection and other defense layers to block the threat it has already allowed into the HTTPS tunnel.
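The following Python script is an added example (not code from the article or from any SWG product) that models the URL-filtering and application-control decisions listed above and makes the default-allow assumption just described concrete: the same constructed requests are evaluated under a classic deny-list policy (anything not listed is allowed) and under an allowlist policy of the kind used in regulated industries (anything not approved is denied). All hosts, categories, rule names and user groups are constructed for the example; content inspection of the decrypted traffic is out of scope here.

```python
"""Toy policy evaluation for a secure web gateway.

Added example, not code from the article or from any SWG product. Hosts,
categories, rule names and user groups are all constructed. Only the
URL-filtering and application-control decision is modelled; a real
gateway also inspects the decrypted content.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed category feed. Real SWGs use vendor-maintained databases.
CATEGORIES = {
    "intranet.example.com": "business",
    "ledger.example-bank.com": "finance",
    "facebook.com": "social",
    "tiktok.com": "social",
    "evil-c2.example.net": "malware",  # hypothetical malware control server
}


def host_matches(host: str, pattern: str) -> bool:
    """True for the exact host or any subdomain of the pattern."""
    return host == pattern or host.endswith("." + pattern)


def categorize(host: str) -> str:
    for known, category in CATEGORIES.items():
        if host_matches(host, known):
            return category
    return "uncategorized"


@dataclass
class Request:
    user: str
    url: str
    group: str = "staff"


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    hosts: tuple = ()         # URL filtering / application control by host
    categories: tuple = ()    # category-based filtering
    groups: tuple = ()        # empty means the rule applies to every group


@dataclass
class Policy:
    rules: list
    default_action: str       # what happens when no rule matches

    def evaluate(self, req: Request) -> tuple[str, str]:
        """First matching rule wins; returns (action, name of the deciding rule)."""
        host = urlparse(req.url).hostname or ""
        category = categorize(host)
        for rule in self.rules:
            if rule.groups and req.group not in rule.groups:
                continue
            if any(host_matches(host, p) for p in rule.hosts) or category in rule.categories:
                return rule.action, rule.name
        return self.default_action, "default"


# Classic SWG posture: block known-bad and unauthorized apps, allow the rest.
DENY_LIST_POLICY = Policy(default_action="allow", rules=[
    Rule("known-malware", "deny", categories=("malware",)),
    Rule("social-apps", "deny", hosts=("facebook.com", "tiktok.com"), groups=("staff",)),
])

# Regulated-industry posture: only approved categories, deny everything else.
ALLOWLIST_POLICY = Policy(default_action="deny", rules=[
    Rule("known-malware", "deny", categories=("malware",)),
    Rule("approved-categories", "allow", categories=("business", "finance")),
])

# Constructed requests; watering-hole.example.org stands in for a compromised
# site that no deny list has caught up with yet.
SAMPLE_REQUESTS = [
    Request("alice", "https://intranet.example.com/home"),
    Request("bob", "https://www.facebook.com/feed"),
    Request("bob", "https://www.facebook.com/feed", group="marketing"),
    Request("carol", "https://watering-hole.example.org/index.html"),
    Request("dave", "http://evil-c2.example.net/checkin"),
]


def decisions(policy: Policy, requests: list[Request]) -> list[tuple[str, str, str]]:
    """Evaluate every request and return (user, action, rule) triples."""
    return [(r.user, *policy.evaluate(r)) for r in requests]


if __name__ == "__main__":
    for label, policy in (("deny-list", DENY_LIST_POLICY), ("allowlist", ALLOWLIST_POLICY)):
        print(f"--- {label} policy (default: {policy.default_action}) ---")
        for user, action, rule in decisions(policy, SAMPLE_REQUESTS):
            print(f"{user:6} {action:5} via {rule}")
```

The request to the compromised but unlisted site is the one to watch: the deny-list policy lets it through on the default rule, which is exactly the gap that malware scanning and the other defense layers have to cover, while the allowlist policy denies it without needing to know anything about the site.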
Even though secure web gateways are not inherently Zero Trust technologies, they can complement Zero Trust network architectures. Zero Trust is a network access technology that creates secure connections to company resources from authenticated and authorized users. SWGs provide granular control over sources, destinations, content, and other aspects of users’ internet activity. With this additional context, the Zero Trust system can better evaluate whether to allow a user’s connection request — and how much access to authorize.
Zero Trust solutions are based on a much different paradigm from legacy network access technologies. Zero Trust assumes that trust must be earned and continuously justified rather than assuming that certain users, devices, or networks are safe. This is the only way to operate in today’s threat environment. Any network, device, or user credential can be compromised — and at least one probably already has.
Zero Trust systems deny access by default. All incoming requests, whether remote or on-premises, must be authenticated. Zero Trust systems apply the principle of least privilege as they evaluate the context of each authenticated request. Unlike VPNs that grant unlimited access to the protected network, Zero Trust limits each user to the specific resources they are authorized to use.
Twingate’s Zero Trust solution creates secure, direct connections between a company’s users and its protected resources. Split tunneling is active by default, which lets administrators route users’ internet traffic through their secure web gateways. Traffic between users and resources gets low-latency routes and is not impacted by SWG performance.
Companies rely on Twingate to simplify the migration to Zero Trust. A Twingate solution coexists with legacy systems, allowing companies to implement Zero Trust in stages. They can start with DevOps and other teams that need easy, secure access to the most sensitive resources. Later, they can migrate other teams to Zero Trust. Twingate’s software solution works with companies’ existing CI/CD pipelines, making it easy to deploy and scale over time.
For all its benefits, the internet is a dangerous place. Secure web gateways protect organizations from internet threats and prevent unauthorized internet use by employees. Besides reducing a company’s attack surface, SWGs improve administrators’ visibility into the company’s internet activity — an essential step towards regulatory compliance.
Even though secure web gateways are not Zero Trust technologies, they can complement Zero Trust solutions such as Twingate. Split-tunneling lets companies route users’ internet traffic through their SWG while giving users direct, performant connections to protected resources.
You can try Twingate’s Zero Trust solution yourself with our free starter tier for individuals and small teams. Or contact us to learn more about using Twingate Zero Trust to protect your most sensitive resources.