
Fight Web-based malware with Web security gateways: A new breed of integrated technology

A Google report in February highlighted how risky Web browsing has become for organizations. In an 18-month period, it found 3 million unique URLs on more than 180,000 Web sites automatically installing malware. How viable are Web security gateways as a catch-all security option? It's a tricky mix of services to get right, in terms of security, performance and ease of use.

In this expert E-Guide, take a closer look at how Web security gateways work to provide comprehensive network protection against damaging and often automated threats. Discover three core functions of a Web security gateway, the advantages of using one product for Web security rather than multiple devices, and how Web security gateways work to plug data leaks.

Pocket E-Guide


Web security gateways keep Web-based malware at bay

Resources from SonicWALL


Web security gateways keep Web-based malware at bay

By Michael Cobb

A new breed of integrated technology takes Web-based malware off the menu.

Texas is a giant state--a fact Mike Stump was painfully aware of as director of information technology for Roundtable, an independently owned Dairy Queen franchisee. As the company expanded its chain of ice cream stores across the Lone Star State and beyond, a virus outbreak could mean a 10-hour drive from the Lubbock office for him or one of his technicians.

"If we had a big problem, we would literally have to drive out to the location, spend a day or maybe even a night depending on how far away it was, to clean off the virus and get the machine back into operational state," Stump says.

And infested PCs were becoming all too common as employees took advantage of broadband access to surf the Internet, download MP3s and visit MySpace. Traditional antivirus software wasn't catching the malware that came with the unauthorized Web browsing. Each store has a PC, which among other things, 15 to 30 employees use to clock in and out on and managers use for email, reporting and other applications.

Today, though, malware outbreaks are rare and productivity is up. Two years ago, Roundtable began using ScanSafe managed services to control employees' Internet access and ward off spyware and viruses. "The first year, we saved about $100,000 in support costs...that was with 31 stores," Stump says. Roundtable now has 46 stores in Texas, New Mexico and Oklahoma, with plans for more.

The threat landscape has shifted in the past few years to Web-based malware, leading companies such as Roundtable to bolster their security with a newer breed of technology, Web security gateways. In much the same way antivirus gateways were overtaken by multifunction secure email gateways, Web security gateways combine several existing technologies and features offered by point solutions. Instead of having separate devices for URL filtering, malicious code filtering, instant messaging and other application controls, Web security gateways provide a single high-performance security gateway that shares a common threat database and policy management framework. The Web security gateway market is a mix of software and appliance vendors as well as managed service providers like ScanSafe.

A report by Google in February highlighted how risky Web browsing has become: during a period of 18 months, it found more than 3 million unique URLs on more than 180,000 Web sites that automatically install malware. Even legitimate Web sites can distribute malicious code. The growing use of AJAX technology and third-party ads is increasing a Web page's attack surface and the chances that insecure content can be inserted into it. Since Web access requires network firewalls to leave HTTP port 80 open, it's an obvious entry point to launch an attack, and one that firewalls struggle to control.


For many network administrators, this increased risk is manifesting itself in increased bot infections and support calls from users struggling with spyware-infected machines. Also, if employees are hit by drive-by download attacks, the network quickly becomes infected, which can lead to the loss of corporate data and network resources. Combine this with various laws that make businesses liable for privacy, data protection and governance, and organizations are looking beyond URL filtering to improve the protection of their users and data.

Let's take a closer look at how Web security gateways work to provide comprehensive network protection against damaging and often automated threats.

CORE FUNCTIONS

A Web security gateway is a multifunction solution that filters unwanted software and malware from user-initiated Internet traffic while enforcing corporate policy compliance. To accomplish this, Web security gateways use URL filtering, malicious code detection and filtering, and controls for Web-based applications such as IM and Skype. It's important to clarify the purpose of a Web security gateway: to protect clients on the internal network and their users from infection while surfing the Web and enforce company policies. This is different from a Web application firewall, which is designed to protect Web sites and Web applications from attack. Web application firewalls aim to prevent attackers from directly exploiting vulnerabilities within a Web application to upload their malware code, while Web security gateways provide an additional layer of defense for clients using vulnerable browsers open to malware exploits. Three main technologies provide an extra layer of defense:

1. URL Filtering. This has long been the most common method of controlling surfing activity. According to Gartner, URL filtering is deployed in 75 percent to 95 percent of enterprise networks while malware filtering is deployed in less than 15 percent. URL filtering uses content scanning, artificial intelligence and blacklists to control Web access. Its big advantage is that it's scalable, and provides granular usage reporting. The big players in this field include Websense and SurfControl. However, the sophistication of Web 2.0 attacks and the speed with which their launch base and actual code can change means that URL filtering is no longer enough. It's still going to be a critical element within a Web security gateway but needs to be combined with other technologies.

2. Malware Filtering. The aim of malware filtering is to catch malware entering and leaving the network. As with URL filtering, a database is used; in this case one of known malware signatures. The industry trend, though, is to employ similar techniques to antivirus engines, which use non-signature based methods such as heuristic scanning. For malware filtering to be truly effective, traffic on all ports and over all protocols must be analyzed from Layer 4 to Layer 7 as it enters or leaves the network. This delivers a proactive defense that can catch attempts to "phone home," since some malicious software invariably will get through. It also reduces, though it does not remove, the criticality of ensuring desktops and applications are patched and antivirus is up to date.

3. Application Control. Controlling the use of often unmanaged applications, such as IM, P2P and Skype, is becoming a critical part of network security. Interestingly, it is the one area where no one Web security gateway vendor really has a clear lead. Most devices can only block or allow access for specific groups or users. This is partly because new applications are emerging and being adopted so quickly. IM and Skype are examples of how new applications can quickly become ingrained in work practices. To be truly effective, Web security gateways need to enforce a company's acceptable usage policies, selectively managing features of an application and blocking them where necessary.

ONE PRODUCT, MANY ADVANTAGES

Obviously, there are solutions available that offer these technologies individually. They're all necessary to properly secure the Web environment and using a combination of these point products can solve specific needs. However, deploying and managing them individually is complex and expensive and they are inadequate when operated in isolation. Most enterprise network administrators feel that they have too many security devices plugged in to their network already; all require staff to understand and maintain them, plus time to analyze the reams of data they produce. By bringing protective functions together within one device, Web security gateways streamline management. Administrators can set policy rules and parameters on one device, a far easier task than trying to enforce each policy across several different devices. This greatly reduces administrative overhead, particularly as there is only one device and one interface to grapple with. Managed Web security gateway services reduce the management burden even more.

Another big advantage with an integrated solution is that information can be pooled. The Web security gateways can cross-compare information to make a more informed decision as to whether traffic is potentially malicious. This makes traffic control, analysis and reporting far more effective.

CAN THEY DELIVER?

So how viable are Web security gateways as a catch-all security solution? It's a tricky mix of services to get right, in terms of security, performance and ease of use. The challenge with deploying any Web gateway is that unlike email, which is asynchronous, the HTTP protocol is real-time and thus processing for a Web gateway must scale well. The analysis processes sit in the way of traffic and directly impact the end user's Web experience.

To be scalable, policy synchronization between devices and multiple network deployment options are necessary. Given the wide-ranging tasks of a Web security gateway, reliability will be a key factor too. At present, none of the products has been around long enough for there to be any reliable data to help with this decision. Certainly due to the volume of traffic on an enterprise network, only hardware or service-based models are real contenders. Controlling applications such as IM, VoIP and P2P remains a challenge for Web security gateways. Proxy servers, long seen as the most secure solution to application control, just can't handle the all-ports and all-protocols requirement of a true Web gateway. The latency is too high, particularly when it comes to handling Web pages. There is also the overhead of configuring every client and every protocol to go through a proxy. The processing speed required to handle this type of deep-packet inspection is enormous, but many Web security gateway devices claim to handle enterprise-level volumes without a visible impact on network performance.

One of the big problems that Web security gateways must overcome in trying to provide blanket protection to network users is the issue of semantic interpretation: how to put the traffic they are analyzing into some sort of context. This problem is called "impedance mismatch." For example, the word "present" can have different meanings, depending on context. Regular expression matching, which most solutions use, is prone to impedance mismatch. Consequently, it's not completely effective when inspecting data for common signs of malicious code; it is both easy to evade and very prone to false positives.

Somehow, Web security gateways need to be able to interpret inbound data in the same way as the browser it is protecting. What is needed is a script engine so that the device will view the final executed code after any obfuscation is removed and in the same form that the browser would execute it. Hopefully, we will see this form of dynamic analysis in the next generation of security devices.

PLUGGING DATA LEAKS

The increasing number of ways users can communicate or move data online makes controlling data leakage a key objective for most administrators. While information escaping the organization has always been a problem, the depth and breadth of the problem has changed dramatically. Data leakage can occur by accident or because of poor business processes, but increasingly, malware of some form or another is sending it out through the network. Web security gateways can certainly help in this area by monitoring the types of files going through the network perimeter and scanning documents for phrases and terms that could potentially cause data leakage. Coordination of content policy across all communication channels is a lot more efficient when they're all passing through one box. As part of the process of reducing data leaks, users need to be made aware of the risks of Web 2.0 in the same way most have been told of the dangers of email attachments from unknown sources. Web security gateways that capture traffic on all ports and protocols can produce an excellent evidence chain to help challenge risky user behavior. To do this, they need to provide clear and concise reports of consolidated data; an outstanding feature of Mi5's Webgate is its reports. Another tool to stop data leakage, provided by Webgate and other Web security gateways, is identification and remote remediation of infected PCs.

One area that has always been a bit of a blind spot when it comes to data analysis is SSL traffic. To inspect it, the gateway has to terminate the user's SSL session itself: it re-issues a certificate for the destination site signed by an internal CA, and that CA certificate must be installed in every client's trust store, otherwise users see certificate warnings. Decrypting and re-encrypting every session obviously incurs heavy overhead, and the inspection policy needs explicit exceptions for traffic that must not be opened, such as online banking. Most Web security gateways still require an SSL proxy engine to be added separately to handle SSL encrypted traffic.

WEIGHING OPTIONS

Web security gateways will certainly appeal to the many enterprises that are looking to cut down on client-side security software. However, the Jericho Forum, a group of security practitioners, cites the breaking down of traditional network perimeters and the huge explosion in Web use as reasons why a radical change in security practices is required. Web traffic that tunnels through perimeters or bypasses them altogether, and applications that encapsulate their protocols within other Web protocols, are examples of why traditional perimeter defenses are not effective against today's threats. The forum advocates deperimeterization: protect the information itself and make every component independently secure.


The attraction of this approach is that it costs a lot less than trying to provide top-down security. But it requires a mature user base and may not fully address the data leakage problem. Web security gateways allow an organization to apply security policies to data on a network while still tackling the dangers of external threats. Outbound traffic control is increasingly important, and for those who think deperimeterization is too bold, the Web security gateway has many benefits, particularly the convergence of security and systems management.

Roundtable's Stump plans to roll out ScanSafe to the additional Dairy Queen stores the company plans to open in the coming months. The service is easy to manage over the Web, allowing him and his team to enable or disable URLs and types of Web sites, like social networking ones. Limited to little else than the company's domain, employees now have no choice but to comply with corporate policy. "We let them get weather and that's about it," Stump says.


Resources from SonicWALL

A Security Strategy for Web 2.0 and Social Networking

10 Cool Things Your Firewall Should Do

Why Performance Matters: Nine Things to Expect from a Next-Generation Firewall

About SonicWALL:

SonicWALL is committed to improving the performance and productivity of businesses of all sizes by engineering the cost and complexity out of running a secure network. Over one million SonicWALL appliances keep tens of millions of worldwide business computer users safe and in control of their data. SonicWALL's award-winning solutions include network security, secure remote access, content security, backup and recovery, and policy and management technology. For more information, visit the company web site at http://www.sonicwall.com.
