What is a secure web gateway (SWG)?

A secure web gateway, or SWG, is a type of network security solution that prevents malicious traffic from entering the internal network of an organization. It supports enterprise cloud security efforts, protecting staff and users from accessing malicious websites or introducing viruses and malware. The SWG works as a checkpoint between the organization’s internal network and public internet traffic, and usually sits at the network perimeter or in the cloud.

As a core component of secure access service edge (SASE), the SWG protects users from web risks by filtering unwanted content, inappropriate sites, and malware as they access internet and SaaS apps. Since the web gateway controls incoming and outgoing traffic, it can prevent malicious traffic and viruses from accessing the network. It also improves the user experience by allowing known websites to be whitelisted.

Secure web gateway solutions can be deployed as on-premises packages, as a hardware device or virtual appliance, or as part of a larger security solution.


Why you need a secure web gateway

As cybersecurity attacks increase, and as the remote workforce frequently uses personal devices for work, it’s becoming more difficult for IT to protect company networks. The combination of advanced threats and a distributed workforce results in a high-risk security landscape for organizations everywhere.

To protect their networks, security teams usually deploy a layered security strategy. The goal is to protect the organization’s network from the outside-in. As part of this process, secure web gateways filter incoming and outgoing network traffic by applying security policies. These policies protect users from malicious websites and block malicious traffic, viruses, malware, and ransomware from accessing the network.

SWGs protect access to websites and applications by blocking unwanted content. This can include any type of unauthorized content that goes against the company’s predefined security rules, such as inappropriate web categories or webpages outside allowed web categories. For example, you can block online shopping sites or social media on your corporate network but allow user access to your own pages and e-commerce site. You can also block problematic URL extensions that have been associated with spam or malware.

Examples of the types of risks a secure web gateway can prevent include:

  • Inappropriate web categories
  • Unwanted sites in allowed categories
  • Suspicious domain extensions
  • Malicious file extensions
  • Zero-day attacks
  • Hidden malware

How does a secure web gateway work?

Secure web gateway controls fall into three categories:

URL filtering

URL filtering focuses on only allowing access to websites that meet previously defined security conditions. For example, a company might choose to block user access to social media apps and adult content or protect the organization by preventing access to materials related to violence, drugs, or terrorism. This type of SWG can also be used to whitelist sites ending with .com, .org, .net, .co, and so on.

How it works: When a user tries to open a webpage in their browser, the request goes through the SWG, which inspects it and matches the request with the corresponding database according to policies set by the administrator. If it’s a match, access to the website is blocked—like a gatekeeper turning away unwanted visitors.
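The decision flow described above, as an added example that is not part of the original page and is not Citrix code. The policy fields, category database, `.example`/`.test` hostnames, and the precedence order (explicit block, file extension, allowlist, domain extension, category) are all assumptions made for illustration.

```python
from urllib.parse import urlsplit
import posixpath

# Constructed category database and policy (hypothetical, not a vendor feed).
CATEGORY_DB = {"shop.example": "shopping", "corp.example": "business",
               "store.corp.example": "shopping", "news.example": "news"}
POLICY = {
    "blocked_categories": {"shopping", "social-media"},
    "allowed_hosts": {"store.corp.example"},   # the company's own e-commerce site
    "blocked_hosts": {"games.news.example"},   # unwanted site in an allowed category
    "blocked_tlds": {"test"},                  # placeholder for a suspicious extension
    "blocked_file_exts": {".exe", ".scr"},
}

def _suffixes(host):
    """Return host and each parent domain, most specific first."""
    parts = host.split(".")
    return [".".join(parts[i:]) for i in range(len(parts))]

def _first_match(host, table):
    """Most specific entry of `table` that covers `host`, or None."""
    return next((s for s in _suffixes(host) if s in table), None)

def decide(url, policy=POLICY, categories=CATEGORY_DB):
    """Return (verdict, reason) for one requested URL."""
    try:
        parts = urlsplit(url)
        # .hostname lowercases and drops userinfo/port; strip a trailing dot too.
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return ("block", "invalid-request")
    if parts.scheme not in ("http", "https") or not host:
        return ("block", "invalid-request")
    if _first_match(host, policy["blocked_hosts"]):
        return ("block", "blocked-host")
    # File-extension rule runs before the allowlist so it applies everywhere.
    ext = posixpath.splitext(parts.path)[1].lower()
    if ext in policy["blocked_file_exts"]:
        return ("block", "file-extension")
    if _first_match(host, policy["allowed_hosts"]):
        return ("allow", "allowed-host")
    if host.rsplit(".", 1)[-1] in policy["blocked_tlds"]:
        return ("block", "domain-extension")
    key = _first_match(host, categories)
    category = categories[key] if key else "uncategorized"
    if category in policy["blocked_categories"]:
        return ("block", "category:" + category)
    return ("allow", "category:" + category)
```

Matching on the parsed hostname rather than the raw string means a URL such as `https://store.corp.example@shop.example/` is judged as `shop.example`, not as the allowlisted name in the userinfo part.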

Web application access control

Web application access control manages access to web-based applications by blocking unsafe apps. For instance, it can block the use of Tor, prevent HD playback on YouTube, or limit bandwidth usage of Spotify.

How it works: This function ensures users don’t use risky applications or services. It also blocks services that can interfere with work. For example, the SWG can control the amount of wireless bandwidth used by applications such as Pandora and YouTube.

Malware protection

Anti-malware solutions block threats already identified by threat intelligence engines. This can include blocking known malware such as the WannaCry signature or moving files to the sandbox for behavioral analysis.

How it works: A modern SWG identifies and blocks malware. This can include known malware signatures as well as files that don’t match known malware signatures but are suspicious enough to be analyzed in a sandbox for malicious behavior. Malware protection also reduces exposure to zero-day vulnerabilities.

Secure web gateways vs firewalls and CASB

Many people confuse a secure web gateway with a firewall, especially next-generation firewalls. Both solutions monitor and protect networks by detecting malicious activity. So, what’s the difference? Firewalls look at the traffic packet, blocking or allowing it without looking at the entire file.

Gateways, on the other hand, examine the complete request from the client before deciding whether to allow access. Secure web gateways extend protection beyond firewalls, from the network level to the application level. Thus, effective protection uses both a secure web gateway and a firewall.

Similarly, some argue that a secure web gateway is not very different from a cloud access security broker (CASB). In fact, these are very different technologies. Both are proxies and offer data and threat protection, and both can be cloud-based. But cloud SWGs also provide protection for web traffic. Because they are cloud-based, they inspect traffic without the need for on-premises appliances.

A cloud access security broker has a different role, controlling access to your cloud applications. A CASB can be integrated into an application’s API that scans data at rest.

Benefits of implementing a secure web gateway

The most obvious benefit of an SWG is the degree of security it offers. A solid option should include malware and threat detection features as well as data loss prevention. By implementing an SWG, you can:

Prevent cyberattacks

A robust SWG solution prevents threats in two ways: On one side, the solution prevents users from accessing malicious websites and applications. On the other, it enforces company security policies that prevent malicious files from accessing the internal network.

Provide greater visibility

One of the biggest benefits of an SWG is that it helps eliminate the SSL blind spot. Since a secure gateway checks encrypted traffic, it can cover the firewall’s blind spot and offer complete coverage. A gateway checks and logs all traffic going in and out. Regardless of whether it is on-premises or in the cloud, it offers granular control over how the network and applications are being used.

Support and enforce compliance

The granular nature of SWG means policies aligned with regulatory requirements can be applied at the user level. The SWG understands and can categorize different traffic and precisely enforce security policies. This is especially beneficial for companies that are subject to regulations such as HIPAA, GDPR, or PCI, and are under strict rules about how data needs to be handled. The SWG can prevent, for instance, saving permissions under geographic limits.

What to look for in a secure web gateway solution

The goal of an SWG solution is to protect employees in the hybrid workforce without impacting the employee experience. A strong secure web gateway will:

  • Be cloud-delivered. Moving from datacenter-based SWGs to the cloud enables a fast application experience.
  • Be globally distributed. Since the SWG is distributed globally, it acts close to the user location and prevents latency, enabling the same experience regardless of where employees are located.
  • Include CASB and data loss protection (DLP) functions. A unified stack of security functions that includes network protection and data loss prevention functions will simplify operations and present a comprehensive security solution.

Citrix SWG solutions to protect your network

A secure web gateway provides a complete solution to protect your network from malicious traffic, especially in distributed environments. That’s why Citrix offers secure web gateway services as part of Citrix Secure Internet Access. This solution offers an array of benefits including:

  • Comprehensive SWG: Citrix Secure Internet Access offers all essential SWG features including CASB, DLP, and firewall capabilities.
  • Cloud delivery: The service is delivered through more than 100 points of presence (PoP). This architecture allows for auto-scaling and secures internet access to control cloud apps. This results in no latency from backhauled connections.
  • Instance-based architecture for more privacy: While the architecture is cloud-native and cloud-delivered, it’s also instance-based. This enables provisioning for each customer, thus controlling traffic through these instances.