A secure web gateway, or SWG, is a type of network security solution that prevents malicious traffic from entering the internal network of an organization. It supports enterprise cloud security efforts, protecting staff and users from accessing malicious websites or introducing viruses and malware. The SWG works as a checkpoint between the organization’s internal network and public internet traffic, and usually sits at the network perimeter or in the cloud.
As a core component of secure access service edge (SASE), the SWG protects users from web risks by filtering unwanted content, inappropriate sites, and malware as they access internet and SaaS apps. Since the web gateway controls incoming and outgoing traffic, it can prevent malicious traffic and viruses from accessing the network. It also improves the user experience by allowing known websites to be whitelisted.
Secure web gateway solutions can be deployed as on-premises packages, as a hardware device or virtual appliance, or as part of a larger security solution.
As cybersecurity attacks increase, and as the remote workforce frequently uses personal devices for work, it’s becoming more difficult for IT to protect company networks. The combination of advanced threats and a distributed workforce results in a high-risk security landscape for organizations everywhere.
To protect their networks, security teams usually deploy a layered security strategy. The goal is to protect the organization’s network from the outside-in. As part of this process, secure web gateways filter incoming and outgoing network traffic by applying security policies. These policies protect users from malicious websites and block malicious traffic, viruses, malware, and ransomware from accessing the network.
SWGs protect access to websites and applications by blocking unwanted content. This can include any type of unauthorized content that goes against the company’s predefined security rules, such as inappropriate web categories or webpages outside allowed web categories. For example, you can block online shopping sites or social media on your corporate network but allow user access to your own pages and e-commerce site. You can also lock problematic URL extensions that have been associated with spam or malware.
Examples of the types of risks a secure web gateway can prevent include:
Secure web gateway controls fall into three categories:
URL filtering focuses on only allowing access to websites that meet previously defined security conditions. For example, a company might choose to block user access to social media apps and adult content or protect the organization by preventing access to materials related to violence, drugs, or terrorism. This type of SWG can also be used to whitelist sites ending with .com, .org, .net, .co, and so on.
How it works: When a user tries to open a webpage in their browser, the request goes through the SWG, which inspects it and matches the request with the corresponding database according to policies set by the administrator. If it’s a match, access to the website is blocked—like a gatekeeper turning away unwanted visitors.
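The URL-filtering decision described above, sketched as an added example (not code from Citrix or any SWG product). The category database, policy values, hostnames and blocked extensions are constructed for illustration; the point is the order of checks and that domain matching happens on label boundaries, so a lookalike host does not inherit another site's category.

```python
from urllib.parse import urlsplit

# Constructed sample data: a tiny category database and an administrator policy.
CATEGORY_DB = {
    "facebook.example": "social-media",
    "shop.example": "online-shopping",
    "store.corp.example": "online-shopping",   # the company's own e-commerce site
    "news.example": "news",
}
POLICY = {
    "allow_hosts": {"store.corp.example"},     # explicit allow wins over category
    "blocked_categories": {"social-media", "online-shopping"},
    "blocked_tlds": {"zip", "top"},            # hypothetical "problematic" extensions
}

def host_of(url):
    """Return the lower-cased hostname without a trailing dot, or None."""
    try:
        host = urlsplit(url if "://" in url else "//" + url).hostname
    except ValueError:                         # e.g. malformed bracketed host
        return None
    return host.rstrip(".").lower() if host else None

def suffixes(host):
    """Return host and each parent domain, split only on label boundaries."""
    labels = host.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def decide(url, policy=POLICY, db=CATEGORY_DB):
    """Return (action, reason) for one request, failing closed on bad input."""
    host = host_of(url)
    if host is None:
        return ("block", "unparsable-url")
    parents = suffixes(host)
    if any(p in policy["allow_hosts"] for p in parents):
        return ("allow", "allow-list")
    if parents[-1] in policy["blocked_tlds"]:
        return ("block", "tld:" + parents[-1])
    # Most specific database entry wins; unknown hosts are "uncategorized".
    category = next((db[p] for p in parents if p in db), "uncategorized")
    if category in policy["blocked_categories"]:
        return ("block", "category:" + category)
    return ("allow", "category:" + category)

if __name__ == "__main__":
    for u in ("https://www.facebook.example/feed", "https://notfacebook.example/",
              "https://store.corp.example/cart", "http://promo.zip/x",
              "https://store.corp.example@facebook.example/"):
        print(u, "->", decide(u))
```

The last sample URL puts the allowed hostname in the userinfo part; because the decision is made on the parsed hostname rather than a substring of the URL, it is still categorized as the real destination.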
Web application access control manages access to web-based applications by blocking unsafe apps. For instance, it can block the use of Tor, prevent HD playback on YouTube, or limit bandwidth usage of Spotify.
How it works: This function ensures users don’t use risky applications or services. It also blocks services that can interfere with work. For example, the SWG can control the amount of wireless bandwidth used by applications such as Pandora and YouTube.
Anti-malware solutions block threats already identified by threat intelligence engines. This can include blocking known malware such as the WannaCry signature or moving files to the sandbox for behavioral analysis.
How it works: A modern SWG identifies and blocks malware. This can include known malware signatures as well as files that don’t match known malware signatures but are suspicious enough to be analyzed in a sandbox for malicious behavior. Malware protection also reduces exposure to zero-day vulnerabilities.
Many people confuse a secure web gateway with a firewall, especially next-generation firewalls. Both solutions monitor and protect networks by detecting malicious activity. So, what’s the difference? Firewalls look at the traffic packet, blocking or allowing it without looking at the entire file.
Gateways, on the other hand, examine the complete request from the client before deciding whether to allow access. Secure web gateways extend protection beyond firewalls, from the network level to the application level. Thus, effective protection uses both a secure web gateway and a firewall.
Similarly, some argue that a secure web gateway is not very different from a cloud access security broker (CASB). In fact, these are very different technologies. Both are proxies and offer data and threat protection, and both can be cloud-based. But cloud SWGs also provide protection for web traffic. Because they are cloud-based, the traffic is inspected without the need for on-premises appliances.
A cloud access security broker has a different role, controlling access to your cloud applications. A CASB can be integrated into an application’s API that scans data at rest.
The most obvious benefit of an SWG is the degree of security it offers. A solid option should include malware and threat detection features as well as data loss prevention. By implementing an SWG, you can:
A robust SWG solution prevents threats in two ways: On one side, the solution prevents users from accessing malicious websites and applications. On the other, it enforces company security policies that prevent malicious files from accessing the internal network.
One of the biggest benefits of an SWG is that it helps eliminate the SSL blind spot. Since a secure gateway checks encrypted traffic, it can cover the firewall's blind spot and offer complete coverage. A gateway checks and logs all traffic going in and out. Regardless of whether it is on-premises or in the cloud, it offers granular control over how the network and applications are being used.
The granular nature of an SWG means policies aligned with regulatory requirements can be applied at the user level. The SWG understands and can categorize different traffic and precisely enforce security policies. This is especially beneficial for companies that are subject to regulations such as HIPAA, GDPR, or PCI, and are under strict rules about how data needs to be handled. The SWG can prevent, for instance, saving permissions under geographic limits.
A secure web gateway provides a complete solution to protect your network from malicious traffic, especially in distributed environments. That’s why Citrix offers secure web gateway services as part of Citrix Secure Internet Access. This solution offers an array of benefits including: