Ruslan Rakhmetov, Security Vision
When carrying out information protection projects, one traditionally major area of focus is network security, i.e. protection of the data transmitted over communication channels and of the network equipment itself, which provides connectivity between the nodes that process information. Network security is one of the oldest and most important areas of cybersecurity: without protected communication channels it is impossible to imagine the work of a large company office, the provision of services over the Internet, or cloud infrastructure. Today almost no information-processing devices remain that are not connected to local or global networks, with the exception of isolated, standalone solutions for processing particularly sensitive information. To ensure network security, various network protection systems are used (firewalls, intrusion detection and prevention systems, network traffic analysers, proxy servers and other solutions), which are often grouped under the single term Security Gateway or under the more modern abbreviation SWG (Secure Web Gateway), to which this article is dedicated.
According to the definition in the standard GOST R ISO/IEC 27033-1-2011 ‘Information technology. Methods and means of ensuring security. Network security. Part 1’, a security gateway is a connection point between networks, between network segments or between software applications in different security domains, designed to protect the network in accordance with the existing security policy. As specified in ISO/IEC 27033-4:2014 ‘Network security - Part 4: Securing communications between networks using security gateways’, security gateways are placed at the boundary between two (or more) network segments to filter the traffic passing through them according to specified network access policies, and to separate network segments when they are used by different organisations (e.g. different tenants in a cloud infrastructure).
According to ISO/IEC 27033-4:2014, the main threats that Security Gateways protect against are:
- Denial of access for authorised users;
- Unauthorised disclosure or modification of data;
- Unauthorised modification of system configuration;
- Unauthorised use of an organisation's resources and assets;
- Impact of malware;
- Denial of access for authorised users;
- DDoS attacks on the security gateway.
Consequently, Security Gateways should have the following security features:
- Provide logical network segmentation;
- Analyse and restrict traffic passing between logical networks;
- Control access to and from the corporate network through network inspection or proxying of network connections;
- Enforce corporate network access policies;
- Log traffic for later auditing;
- Hide the architecture of the internal network, devices and applications;
- Provide network management capabilities, including defence against DDoS attacks.
Network security solutions are continuously evolving, and recently the acronym SWG (Secure Web Gateway) has become more common; it denotes a network security gateway with advanced security functionality. As defined by Gartner Research, SWG solutions protect devices from infection, filter malware out of traffic, enforce corporate network access policies, and help comply with regulatory requirements. SWG functionality typically includes Internet traffic filtering, malware detection and filtering, control of popular network applications (browsers, messengers), and data leakage protection. SWG-class systems can be installed in the company's own infrastructure (on-prem) as software or hardware appliances, or operate as a cloud service.

The checks an SWG gateway performs for compliance with internal corporate policies and regulatory norms consist in analysing the web pages and applications accessed by users: visited resources must not contain prohibited information and must not degrade the performance of network equipment (i.e. must not ‘clog’ the communication channel with voluminous traffic); in some cases social networks, messengers, video hosting, games, etc. may fall under a corporate ban.

An important option of SWG gateways is the ability to analyse encrypted Internet traffic. This technique is called inspection: the network equipment decrypts the traffic ‘on the fly’ using security certificates issued by the corporate certification centre. It is effective for detecting data leaks, malware and signs of malicious activity (e.g. connections from infected devices to attacker control servers), since in today's cyberspace almost 100% of traffic is transmitted in encrypted form.
Let's take a look at a few more important functional features of SWG network security gateways:
- URL filtering: categorisation and filtering of access to Internet domains restricts users' access to potentially dangerous or illegal web resources (e.g. gambling, unlicensed software, dangerous programs) and blocks access to phishing and malicious resources;
- Intrusion Detection: the network intrusion detection and prevention module detects signs of exploits, cyber attack tools and anomalies in traffic;
- Application Control: The module identifies traffic specific to certain applications (messengers, collaboration systems, cloud storage, etc.) and allows granular network access rules to be applied to different groups of users and different applications;
- Malicious Content Detection: The module allows you to detect different types of malware (viruses, worms, Trojans, spyware, etc.) using different detection methods (signature analysis, sandbox analysis) and block downloads of dangerous files;
- DNS security: the DNS analysis and protection module detects requests to suspicious domains (DGA and DNS Fast Flux techniques), connections of infected devices to attackers' C&C servers, and hidden information leakage channels (the DNS tunnelling technique);
- Secure remote work: the ability to route the web traffic of remote employees through a filtering point in the form of a cloud SWG gateway secures the Internet communications of staff working outside the office;
- Protection against data leaks: the built-in DLP (Data Loss Prevention) module analyses network traffic for the presence of confidential corporate information and detects or blocks the leakage of such data through network communication channels.
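To make the DNS security functions above concrete, here is an added example (not code from the article or from any SWG product) of the two simplest heuristics such a module applies: an entropy and vowel-ratio check for DGA-like registered labels, and an oversized-label check combined with a per-client count of distinct subdomains under one zone for DNS tunnelling. The log lines, thresholds and domain names are constructed for the example.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of a gateway DNS query log, "client_ip query_name" per line
# (made-up values, not indicators from the article).
SAMPLE_LOG = """\
10.0.0.5 www.example.com
10.0.0.7 xk3q9zp2v7lm8r.net
10.0.0.7 q8w2e1r9t4y6u0i3o5p.com
10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgbGFiZWw.t.evil-tunnel.example
10.0.0.9 dGhpcyBpcyBhbm90aGVyIGNodW5rIG9mIGRhdGE.t.evil-tunnel.example
10.0.0.9 c3RpbGwgbW9yZSBkYXRhIGdvZXMgaGVyZQ.t.evil-tunnel.example
"""

def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking DGA labels score high."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def zone(name: str) -> str:
    """Registered zone, e.g. 'example.com' for www.example.com (no public-suffix list)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])

def looks_like_dga(name: str) -> bool:
    """Heuristic: long, high-entropy, vowel-poor registered label (assumed thresholds)."""
    label = zone(name).split(".")[0]
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) > 3.0 and vowel_ratio < 0.25

def looks_like_tunnel_query(name: str) -> bool:
    """Heuristic: oversized name or label, typical of data encoded into DNS."""
    return len(name) > 50 or max(len(l) for l in name.split(".")) > 30

def analyse(log_text: str, tunnel_threshold: int = 3) -> list:
    """Return (client, domain, reason) findings over a DNS query log."""
    findings = []
    oversized = defaultdict(set)  # (client, zone) -> distinct oversized names
    for line in log_text.splitlines():
        client, name = line.split()
        if looks_like_dga(name):
            findings.append((client, name, "dga-like domain"))
        if looks_like_tunnel_query(name):
            oversized[(client, zone(name))].add(name)
    # Many distinct oversized subdomains under one zone is the tunnelling pattern
    for (client, z), names in oversized.items():
        if len(names) >= tunnel_threshold:
            findings.append((client, z, "possible DNS tunnelling"))
    return findings
```

A production module would add a public-suffix list, a known-good domain allowlist and time windows; the thresholds here are illustrative.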
A further development of the concept of secure access to corporate resources is the Secure Access Service Edge (SASE) platform: a comprehensive solution for the network security of cloud and remote access, combining SWG network security gateways and Cloud Access Security Brokers (CASB) in the cloud infrastructure with the network technologies ZTNA (Zero Trust Network Access) and SD-WAN (software-defined WAN). Such advanced products enable secure remote access to various company resources (both on-prem and cloud), deep analysis of connecting devices and entities to identify cyber threats, and compliance with corporate policies for handling confidential information.
When integrating security gateways, including SWG solutions and SASE platforms, into the information infrastructure, it is important to ensure seamless and complete interaction between these solutions and the other protection systems that make up the corporate cybersecurity management system. For this purpose, when selecting a security gateway, it is necessary to be guided not only by the security functions it implements but also by its integration capabilities: sending information security events via the syslog, eStreamer, OPSEC or NetFlow protocols, transmitting messages in the CEF, LEEF, EMBLEM or ELFF formats, and interacting via an API. It is also important to provide centralised management of security gateways; as a rule, this is implemented either through an SSH connection to the devices or through API integration, which lets IRP/SOAR-class solutions take prompt response actions on cyber incidents, for example blocking attackers' IP addresses, isolating or quarantining attacked devices on the network, or reconfiguring network access rules.
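Of the event formats listed above, CEF is the one whose escaping rules most often trip up home-grown collectors, so here is an added example (not code from the article or from any gateway vendor) of parsing a CEF line into a flat event: the seven pipe-delimited header fields honour `\|` and `\\` escapes, and the extension is `key=value` pairs whose values escape `=`, `\`, and newlines. The vendor name, signature IDs, addresses and file names in the sample messages are constructed.

```python
import re

# Constructed CEF messages as a security gateway might send over syslog
# (made-up vendor, IDs and addresses, not taken from the article).
SAMPLE_CEF = [
    r"CEF:0|ExampleVendor|ExampleSWG|4.2|100|URL blocked: category gambling|5|"
    r"src=10.0.0.7 dst=203.0.113.10 request=http://bet.example/play\=now act=blocked",
    r"CEF:0|ExampleVendor|ExampleSWG|4.2|200|Malware download \| quarantined|9|"
    r"src=10.0.0.9 fname=invoice.exe cs1Label=Verdict cs1=trojan msg=C:\\Users\\x",
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

def _split_header(msg: str):
    """Split the 7 pipe-delimited header fields, honouring \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < len(HEADER_FIELDS):
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg):      # escaped char: keep it literally
            cur.append(msg[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return fields, msg[i:]                       # remainder is the extension

_KEY = re.compile(r"(?:^|(?<=\s))([\w.]+)=")     # 'key=' only at a token start
def _unescape(value: str) -> str:
    """Undo extension escapes: \\= \\\\ \\n \\r (and any other \\x -> x)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _parse_extension(ext: str) -> dict:
    """Extension is 'key=value' pairs; an escaped '\\=' never starts a new key."""
    keys = list(_KEY.finditer(ext))
    out = {}
    for k, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        out[k.group(1)] = _unescape(ext[k.end():end].strip())
    return out

def parse_cef(msg: str) -> dict:
    """Parse one CEF line into a flat dict; raises ValueError on malformed input."""
    header, ext = _split_header(msg)
    if len(header) != len(HEADER_FIELDS) or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    event = dict(zip(HEADER_FIELDS, header))
    event["version"], event["severity"] = event["version"][4:], int(event["severity"])
    event.update(_parse_extension(ext))
    return event
```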