Why Do You Need a Proxy in a Secure Web Gateway?

October 4, 2011 - By Tim Chiu

In today's web-based world, web threats are at an all-time high. Whether it's an iframe injection, a drive-by download, phishing, or just plain malware, end users browsing the web are at a higher risk than ever before of having their computers and identities compromised. It's no surprise, then, that more companies than ever are looking to implement a Secure Web Gateway or update their existing Internet gateways.

For many in IT, the term Secure Web Gateway is interchangeable with the term proxy or web proxy, but not all Secure Web Gateways are proxies. It's an important distinction to make, because Secure Web Gateways were originally implemented to enforce corporate or organizational policy (such as preventing shopping on the web during office hours), but in today's threat-laden world, having a proxy in the Secure Web Gateway is more important than ever in the battle against cybercrime, malware and phishing.

By specifically mandating a proxy in the Secure Web Gateway, there's a guarantee of terminating all traffic at the proxy. When a client (end user) makes an HTTP request, the request goes to the proxy, and the proxy responds by behaving like the web server and accepting the connection from the client. The proxy then opens a new, separate connection and, emulating the client, makes the same request the client made to the destination web server. Because all web traffic is forced to terminate at the proxy, the proxy can inspect all the traffic flowing through the device and can ensure no traffic flows through to the Internet without inspection or control.

Alternative Secure Web Gateway deployments, such as TAP (or SPAN port) deployments, have the gateway sitting off to the side of the network, observing traffic as it passes by instead of intercepting and terminating all traffic. These deployments have a specific flaw: malware or other threats can get by if the gateway doesn't detect the threat in time or doesn't send out a TCP reset packet in time to disrupt the flow of traffic. It's not a guaranteed security mechanism. It may have worked okay for enforcing organizational policy, but it's definitely not a safeguard against web-borne threats.
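The terminate-and-reconnect behaviour described above, as an added Python example that is not from the author or any gateway product. It assumes plain HTTP with `Connection: close`, and the blocked host, the content marker and the fixed `upstream_addr` (standing in for DNS resolution) are constructed for illustration.

```python
import socket, threading

BLOCKED_HOSTS = {"blocked.example"}            # constructed policy list
BAD_MARKER = b"CONSTRUCTED-MALWARE-MARKER"     # constructed stand-in for a scanner hit
DENY = b"HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\nBlocked by gateway policy\n"

def recv_until(sock, done):
    """Read from sock until done(buffer) is true or the peer closes."""
    buf = b""
    while not done(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def handle_client(client, upstream_addr):
    """Terminate the client's connection, then act as the client toward the origin."""
    with client:
        request = recv_until(client, lambda b: b"\r\n\r\n" in b)
        headers = request.split(b"\r\n\r\n")[0].split(b"\r\n")[1:]
        host = next((h.split(b":", 1)[1].strip().decode() for h in headers
                     if h.lower().startswith(b"host:")), "")
        if host.split(":")[0].lower() in BLOCKED_HOSTS:
            client.sendall(DENY)               # the request never leaves the gateway
            return
        # New, separate TCP connection: the origin only ever talks to the proxy.
        with socket.create_connection(upstream_addr, timeout=5) as upstream:
            upstream.sendall(request)
            # Buffer the whole response (assumes the origin closes when done).
            response = recv_until(upstream, lambda b: False)
        # The verdict is reached before any byte is delivered, so unlike a
        # TAP/SPAN deployment there is no race against a late TCP reset.
        client.sendall(DENY if BAD_MARKER in response else response)

def serve(listener, upstream_addr):
    """Accept loop; one thread per terminated client connection."""
    while True:
        try:
            client, _ = listener.accept()
        except OSError:
            return                             # listener was closed
        threading.Thread(target=handle_client, args=(client, upstream_addr),
                         daemon=True).start()
```

Start it with `serve(socket.create_server(("127.0.0.1", 8080)), ("127.0.0.1", 8000))`, where both addresses are placeholders for a local test listener and a local test origin.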

Today, the only true way to have full protection against web threats is to intercept all web-bound traffic using a proxy architecture. Depending on the proxy vendor, your proxy device may also intercept and protect other forms of Internet-bound traffic, such as FTP, Telnet, and other protocols. Protecting your mission-critical network from inbound threats should be a top priority, and you need to make sure your Secure Web Gateway processes all web-bound traffic by using a proxy architecture.