Secure web gateways (SWGs) use URL filtering, advanced security vulnerability and legacy malware protection to secure users against internet-borne attacks, and to help businesses maintain compliance with internet policies. SWGs are implemented as on-site systems (hardware and virtual) or cloud-based services, or in hybrid mode (hardware and cloud-based services combined). Vendors continue to differ greatly in their cloud-based services’ maturity and features, and in their ability to protect businesses from advanced threats. Rapid growth of secure Web gateway services based on the cloud has become a disruptive force in the market. SWG vendors incorporate security broker for cloud access, remote user isolation, firewall, and other specialized features to enhance their application reliability. Enterprises are looking to integrate SWG function with cloud access security broker (CASB). SWG vendors respond to this trend, either by acquiring CASB technology or by partnering with CASB providers (mainly Microsoft and its Cloud App Security service) to deliver more tightly integrated CASB and SWG solutions. There is also a growing market for Remote Browser Isolation (RBI) technology that allows a website image in the cloud and delivers an image to a user’s browser.
Managed security services (SWGs) – Gartner magic quadrants
The descriptions of some of the best SWGs tools are as follows:
As one of the few actual cloud vendors in the industry today, ZScaler captures a majority of the cloud deployed base for the SWG sector. The ZScaler Internet Access (ZIA) platform provides a simple interface which can proxy and filter features of web traffic. ZScaler Private Access (ZPA) is a zero trust network access solution (ZTNA) that places ZScaler as a replacement for VPNs. ZIA partners directly with most popular SaaS providers, including Microsoft Office 365. Zscaler has acquired Appsulate, a framework for web isolation, and is preparing to fully expand its service. Zscaler also accomplished FedRAMP Authorized status for both the ZIA and ZPA offerings in the past year, and has now fully incorporated its TrustPath acquisition to improve the speed and effectiveness of Zscaler’s cloud sandbox threat prevention. Zscaler is a good option for mid-sized and large companies that require a cloud-based SWG service. All customers can use basic Firewall policies for Layer 3 and Layer 4 across all ports and protocols, including basic DNS and Network Address Translation (NAT) services. In its solution, ZScaler also provides basic in-line proxy CASB functionality for common forward proxy use cases such as cloud application discovery and control, threat prevention, and integration with DLPs.
Symantec provides SWG services that include cloud based and appliance based services. It has the largest market share among SWG appliance vendors, and has the largest overall market share of all vendors. Symantec announced in December 2018 that it will offer a cloud-based, technology-based firewall solution it is licensing from Fortinet. ProxySG appliances are good candidates for most large corporate clients, especially those that require highly scalable SWGs. Cloud service offered by Symantec is a good choice for most companies, particularly those needing hybrid (cloud and on-premises) deployment. The Advanced Secure Gateway (ASG) and ProxySG families remain the strongest proxies on the market in terms of protocol breadth and number of advanced features. Symantec’s cloud-based Web Security Service (WSS) has strong support for Microsoft Office 365. Symantec is very accepting with SSL / TLS as all ProxySG models provide SSL hardware which helps to offload processing from the main CPU. The stand-alone SSL Visibility Appliance will decode SSL / TLS traffic and feed it to Symantec security solutions and non-Symantec security services.
Iboss’ cloud solution is based on node-based technology, which it refers to as ‘containerized gateways.’ Customers have the option of using iboss’s public cloud service, or they can use the same container gateways in their own private cloud. Customers needing a hybrid solution can integrate the iboss public cloud into their own private cloud. Iboss has extended the security monitoring and reporting to ensure that the application data is secure at rest. The company has shown the potential to win big sales while negotiating against leading SWG suppliers, and it’s a perfect choice for small to medium-sized businesses (SMBs) to large corporations. The node-based approach of the cloud service is strong, as it makes a seamless transition from a private cloud (hosted or on-premises) to a public cloud or hybrid deployment. Iboss’ cloud infrastructure maintains the source IP address of the client after traffic exits the iboss cloud. The collaboration between Iboss and Verizon enables it to deploy containerized gateways through Verizon’s worldwide network.
Menlo Security offers an isolation-based SWG framework that runs Web pages on isolated browsers and copies the rendering to the system of the end user. A dual-engine approach uses the browser’s Document Object Model (DOM) with the Smart DOM from Menlo Security to ensure an optimal level user experience. This prevents malicious drive-by attacks and provides techniques to minimize the possibility of downloaded files and theft of passwords. On-premises or the Amazon Web Services (AWS) platform provide the isolation-based approach. The vendor has multiple large-scale, global enterprise deployments and is a good choice for companies that have high security priorities. Menlo Security also provides DLP capabilities through OEM partner with Sandbox Security (the OEM company is Sophos). The vendor can also exploit already installed Palo Alto Networks Wildfire and FireEye sandboxes for clients, as well as other sandboxes through API integration, while documents can be translated into secure local storage HTML / PDF files. Menlo Security follows HTTP/2 and QUIC natively as, unlike other SWGs, its remote client instances are based on Chromium, which must block the protocol to establish a TCP connection.
In a single cloud console called the Umbrella Secure Internet Gateway (SIG), released in July 2019, Cisco offers an on-site Web Security Appliance (WSA; hardware or virtual) and Cisco Umbrella, which provides recursive DNS security as well as SWG, firewall as a service (FWaaS) and CASB functionality. Cisco’s security product line comprises multiple products, and has expanded gradually over the past few years by acquisition. It provides endpoint security clients Cisco AMP, Cisco AnyConnect (VPN client), Stealthwatch and Stealthwatch Cloud Cisco focus more of their SWG technical activities on their Umbrella product offerings. Cisco’s WSA is a good choice for most mid-sized to large companies, particularly those needing on-premises setup only. For most organizations Umbrella is a decent cloud option. Clients have regularly quoted Cisco’s recursive DNS protection service in Umbrella for its ease of use and efficacy. Cisco offers a patent-pending Anycast feature for connecting to cloud SWG instances, which makes it possible to connect to the cloud from a single data center and fail to connect to a different data center without customer intervention.