Web interactivity increasingly relies on user- and third-party-generated content built on rich backend database systems, which are easily exploited. This has created a breeding ground for the distribution of malware, even on the most trusted and popular web sites and applications. This dramatic change in the nature of web threats has rendered traditional web filtering technology ineffective on its own: simply blocking access to sites that may host malware is no longer a viable solution, because that set now includes nearly every site on the net.

With the web now a mission-critical tool in most organizations' day-to-day activities, it is critical to equip yourself with a security solution that lets users be productive while also providing the security essential to keep their browsing free of risk.

Organizations looking for protection against modern web threats need a solution that combines powerful application, site and content controls with proactive malware detection. In today's economy, best-of-breed security must also embrace low-impact, effective administration, enabling organizations to do more with less. At the same time, the solution must meet end-user expectations and requirements for speed, efficiency, and open access to the tools and sites they need. Solutions which fail to meet these demands for security, control, performance, value and accessibility will ultimately fail the organization.
Introduction
The web is now the number one vector of attack for cybercriminals, with a newly infected web site discovered every few seconds. Hijacked trusted sites, poisoned search results, fake AV, and phishing sites are all finding their way into our browsers at an alarming rate. As a result, Internet access creates a dilemma for you: on the one hand, the risks presented by allowing unfettered access to the web are enormous, yet the Internet is undeniably becoming a mission-critical business tool. Social networking sites, blogs, forums and media portals have all become important instruments for employee recruitment, viral marketing, public relations, customer interaction, and research. They cannot be blocked without seriously impacting business productivity and effectiveness.

A new approach to web security and control is required that fully supports the needs of businesses, equipping users with the tools they need to be more effective while eliminating the associated risks of potential infection from trusted legitimate sites. In addition to good preventive practices, such as rigorous patching and educating users about the risks of browsing, it is vital that organizations implement a comprehensive web security and control solution.
Web security buyers guide
URL filtering

Traditional URL filters rely on vast, regularly updated databases of sites classified into different categories for the purposes of controlling productivity and enforcing acceptable use policy. URL filtering was once considered an acceptable web security solution, but the presence of web malware has shifted dramatically from dodgy porn and gambling sites to much more popular mainstream websites across all categories. So while URL filtering plays an important role in optimizing network performance and staff productivity by blocking access to illegal, inappropriate, or non-business-critical web content, it is not an effective security solution against modern threats hosted on hijacked trusted sites.

Reputation filtering

Reputation-based filters are designed to augment URL filtering and act as the first critical component in the fight against modern web-based threats. They prevent access to a continuously growing catalog of sites across all categories that are known to be currently infected, or to have hosted malware or other unwanted content in the past, by filtering URLs based on their reputation as "good" or "bad." Reputation filtering is now considered a proven and essential tool for successfully protecting against already known web-based threats across all site categories; by construction it cannot block a site that nobody has yet observed and catalogued.

Proxy filtering

Anonymizing proxies are specially designed sites that enable users to browse blocked sites anonymously and free of company web security filtering. Obviously, these kinds of sites can completely undermine an effective web security and control solution, exposing users and the organization to significant security risks, legal liability issues, and productivity losses.

To prevent users from bypassing filtering controls, the following two components are critical in forming a defence against anonymizing proxy use:
• A reputation-based service that actively seeks out new anonymizing proxies from a variety of underground sources as they are published and updates the filtering database at frequent, regular intervals.
• A real-time proxy detection engine that automatically inspects traffic for signs that it's being routed through a proxy (for example, a request whose query string carries the real destination URL), effectively closing the door on private home-based proxies or other proxies not identified through the reputation service.

Real-time malware filtering

Real-time predictive malware filtering goes a long way toward closing the gap left by reputation-based filters. With this kind of filter, all web traffic passes through a scanner designed to identify both known and newly emerging zero-day malware. The malware engine is optimized for low-latency scanning. Whenever a user accesses a website, regardless of its reputation or category, the traffic is scanned using a combination of signatures and behavior-based technologies.

It is worth noting that this type of real-time scanning has a further advantage over traditional URL filters: the filtering is, almost by definition, bi-directional – both the user request to and the information returning from the web server are scanned. In addition to detecting known malware as it moves across legitimate sites, this bi-directional filtering can also provide protection against new threats regardless of where they are hosted.
A real-time malware scanning engine is not only the most critical component of an effective web security solution, it is a key point of differentiation among vendors. As a result, buyers should pay particular attention to the capabilities of the solutions on their short list, and focus on some key considerations related to malware scanning capabilities:
• Real-time: looks at content as it's accessed or downloaded
• Behavioral: goes beyond signatures to analyze code for malicious intent before it executes
• Script emulation: will decode and emulate obfuscated JavaScript before passing it to the browser
• Bi-directional: inspecting both outbound requests and incoming content
• Multi-vector: provides integrated malware detection across several vectors including the gateway, the browser, and the desktop
• Low latency: can scale and handle peak loads efficiently to ensure a seamless user experience
• Update frequency: signature and threat identity information should be provided at intervals measured in minutes, not hours or days

HTTPS filtering

With up to 40% of web applications and protected web sites now relying on port 443 Secure Sockets Layer (SSL, today TLS), this is an increasingly popular vector for malware distribution and therefore a critical component of an effective web security solution. Since SSL content is encrypted, it can't be inspected by most traditional web security solutions, which leaves IT completely blind to this traffic. It's no surprise that many proxy sites, phishing attacks, fake AV sites, and other malware attacks increasingly use this point of entry. This major blind spot in security can also be a significant liability for data leakage, unwanted downloads via webmail solutions like Gmail, and bandwidth consumption.

HTTPS traffic inspection that balances user privacy with organizational security is critical to an effective web security and control solution. What's essential is a flexible solution that validates certificates and passes through sessions with legitimate sites like financial institutions, while fully proxying and scanning other HTTPS sessions for signs of malware, unwanted content, phishing attacks, malware calling home, and proxy use. Keep in mind that once the proxy terminates the TLS session, the browser only ever sees the proxy's own certificate, so the proxy must itself perform and enforce the upstream certificate validation that the browser no longer can.

Content-based filtering

Content-based filtering analyzes all web traffic on the network to determine the true file type of content coming back from a website. It can then allow or disallow this traffic, based on corporate policy.

Content filters scan the actual content of a file, rather than simply looking at the file extension or the MIME type reported by the web server, and so can identify and block files that are masquerading as innocent or allowed file types but really contain unauthorized content. A file might, for example, have a .TXT extension but in fact be an executable file.

By enforcing that only business-type content is allowed, this pillar of protection enables organizations to create policies around a variety of content types that are often used to deliver malware, thereby dramatically reducing the risks of infection. For example, incoming Windows executables or screensavers might be disallowed. Content-based filtering can also be used to improve bandwidth optimization by blocking large or resource-hungry content, such as streaming video.
Data loss prevention

Data loss prevention is an increasingly important element of an effective web security solution in the Web 2.0 world. With strict privacy and data confidentiality regulations and requirements becoming common in most jurisdictions, it's becoming critical to enforce a comprehensive data protection strategy that governs mobile computers, removable media, devices such as USB sticks, traditional email, and of course Web 2.0 applications.

For a DLP engine to be effective, it must be able to scan and recognize sensitive data types such as credit card numbers, personally identifiable information, bank account information, social insurance numbers, and more. Predefined content control lists (CCLs) that cover hundreds of different sensitive data types across multiple localized geographies are critical to making DLP manageable and effective. A good list pairs each pattern with a validity check (such as the Luhn checksum for card numbers), since a bare digit pattern on its own will flag order numbers and phone numbers as well.

The following table articulates the key buying criteria you should consider when evaluating a potential web security and control solution. Use this as a guide for your online research, vendor discussions, or RFP. Be sure you are getting the most value for your investment in web security and control by ensuring your vendor is providing you with a complete solution that is simple to deploy and administer, from a trusted source that provides the service and support you require.

Web application control: Control and limit the number of web applications in the environment to reduce the threat surface area from exploits.
What to look for: Look for an application control solution that runs on the endpoint and can block unwanted applications at the source – on the desktop. Solutions that simply inspect ports or packets at the gateway are ineffective at controlling the risk of being exploited; stop these apps from running in the first place. Also look for a solution which identifies applications by identity signatures (for example, a hash or publisher signature of the binary) rather than by common path and file names, so that a renamed or relocated app cannot side-step the controls. Also ensure the solution enables easy control over categories of applications, with granular control as needed, and provides regular updates to the app control lists to make administration easy.

URL filtering database: Categorization of websites with block/allow policy options.
What to look for: While URL classification databases are largely a commodity, select one that has categories that make sense for your organization. More categories are not always better, as they may add complexity to your policy management. Ensure multiple languages are provided and that the URL database is significant in scope and updated regularly. Also ensure that policy controls are simple, wizard driven, and enable policies set by user, group, time, site, or category, with the flexibility to easily create custom policies.

Reputation database: Augments URL filtering with reputation and risk classification to ensure risky sites in any category are scanned or blocked.
What to look for: A reputation database that is maintained by a top-tier security company that invests heavily in web malware research and provides frequent updates. Also look for a solution that protects networked corporate users as well as mobile or remote users who may not be operating on the corporate network.
Specific questions to ask:
• Does your reputation database protect mobile and remote users outside the office?
• Do you track site reputation across categories?
• How does your solution deal with risky sites within allowed categories?
• How often is the database updated?
• Who updates the database and what resources do they have/use?

Anonymizing proxy detection: Blocks users from using proxies to bypass web filtering.
What to look for: A combination of real-time proxy detection to identify new or obscure proxies, coupled with a comprehensive proxy discovery service to ensure policy compliance. Inquire about what sources your web security vendor uses to catalog anonymizing proxies, how many they catalog every day, and how often they provide updates. Avoid any solution which cannot detect anonymizing proxy use in real time as users initiate a connection through one, as there are plenty of obscure or home-based proxies that no reputation service will ever find.
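The real-time detection engine described under Proxy filtering above, and asked for in this row, has to work on the shape of the request rather than on a list. The following is an added example, not code from the guide or from any vendor: it flags an outbound request when the query string or path of a request to a non-allowlisted host carries another absolute URL, in the clear or base64-encoded, which is how CGI-style web proxies receive the real destination. The allowlist, hostnames and sample requests are constructed for the example.

```python
"""Real-time detection of CGI-style anonymizing-proxy use in outbound requests.

Added example; not code from the buyers guide or any vendor. A reputation
list only catches proxies that have been published somewhere. This check
looks at the request itself: a request to a host that is not a known
redirector, whose query string or path carries another absolute URL
(plain or base64-encoded), is being tunnelled through a web proxy.
Hostnames, allowlist and sample requests are constructed.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Hosts allowed to embed URLs legitimately (SSO, link tracking). Constructed.
ALLOWED_EMBEDDERS = {"sso.example-corp.com", "links.example-corp.com"}

ABS_URL = re.compile(r"(?:https?|ftp)://[A-Za-z0-9.-]+[^\s\"'<>]*")
B64ISH = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")


def decode_b64_url(value):
    """Return the URL hidden in a (urlsafe-)base64 string, or None."""
    if not B64ISH.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            text = decoder(padded).decode("ascii")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue
        match = ABS_URL.match(text)
        if match:
            return match.group(0)
    return None


def embedded_target(url):
    """Return the absolute URL tunnelled inside `url`, or None if it looks direct."""
    parts = urlsplit(url)
    if parts.hostname in ALLOWED_EMBEDDERS:
        return None
    path = unquote(parts.path)
    # Path-style proxies: /proxy/http://target/...
    match = ABS_URL.search(path)
    if match:
        return match.group(0)
    # Query-style (?u=...) or base64 path segments (/browse/aHR0...)
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    candidates += [seg for seg in path.split("/") if seg]
    for value in candidates:
        match = ABS_URL.match(value)
        if match:
            return match.group(0)
        hidden = decode_b64_url(value)
        if hidden:
            return hidden
    return None


def flag_proxy_requests(urls):
    """Return [(request_url, tunnelled_target)] for requests that go via a proxy."""
    hits = []
    for url in urls:
        target = embedded_target(url)
        if target:
            hits.append((url, target))
    return hits


# Constructed sample of outbound requests as a gateway would log them.
SAMPLE_REQUESTS = [
    "http://proxy.example/browse.php?u=aHR0cDovL2Jsb2NrZWQuZXhhbXBsZS8=",
    "http://proxy.example/proxy/http://blocked.example/",
    "https://sso.example-corp.com/login?redirect=https://intranet.example-corp.com/",
    "https://www.example.com/search?q=web+security+buyers+guide",
    "http://cdn.example.net/assets/app.min.js?v=20240101",
]

if __name__ == "__main__":
    for url, target in flag_proxy_requests(SAMPLE_REQUESTS):
        print(f"PROXY  {url}\n  -> tunnels {target}")
```

The allowlist is what keeps this from flagging your own SSO redirector or link-tracking service; the decision still has to be made before the response is returned to the user, which is why the check only needs the request line and not a database lookup.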

Real-time malware scanning: Scans all inbound and outbound web traffic in real time.
What to look for: Not all web malware scanning is created equal. Avoid engines that rely on signatures alone and select one that also uses behavioral pre-execution analysis to determine code intent, which provides zero-day protection from new malware. Furthermore, inquire about obfuscated JavaScript: if the anti-malware engine cannot deobfuscate and emulate JavaScript in real time to analyze its behavior before passing it to the browser, look for a solution that does, for the best protection from server-side polymorphic malware (where the server re-obfuscates the script on every request so that no two downloads share a signature). Since malware scanning is particularly important, also apply the checklist of malware scanning criteria given earlier in this guide (real-time, behavioral, script emulation, bi-directional, multi-vector, low latency, update frequency).

Call-home detection: The ability to intercept and analyze outbound traffic through the gateway to identify infected systems or sensitive data leaving the organization.
What to look for: A system that intercepts and scans outbound requests as well as incoming web traffic. If your desired solution cannot scan outbound web requests, there is no way to prevent infected machines on your network from sending sensitive data, or even to identify which machines on your network might be infected.
Specific questions to ask:
• Does your system scan and analyze outbound requests and web traffic?
• How does it identify machines that are potentially infected and calling home?
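The second question above (how infected machines are identified) is worth seeing in concrete terms. The following is an added example, not code from the guide or any vendor, of the two signals a gateway can get from its own outbound logs: a destination on a reputation denylist, and the timing shape of a beacon, where one client hits one host at near-constant intervals even though the host is unknown. The log lines, hostnames and denylist are constructed for the example.

```python
"""Call-home detection over outbound gateway logs.

Added example; not code from the buyers guide or any vendor. Two signals
are combined: the destination is on a reputation denylist, or the timing
has the shape of a beacon, i.e. the same client hits the same host at
near-constant intervals regardless of whether the host is known. The log
lines, the hosts and the denylist are constructed for the example.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

BAD_HOSTS = {"update-check.example-bad.net"}  # constructed reputation denylist

# Constructed gateway log: "<ISO timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:00:05 10.0.0.7 GET https://www.example.com/ 200
2024-03-04T09:00:06 10.0.0.7 GET https://www.example.com/style.css 200
2024-03-04T09:00:07 10.0.0.7 GET https://www.example.com/app.js 200
2024-03-04T09:01:02 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:02:00 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:03:01 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:03:59 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:04:30 10.0.0.7 GET https://www.example.com/news 200
2024-03-04T09:04:31 10.0.0.7 GET https://www.example.com/news/1 200
2024-03-04T09:05:00 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:06:02 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:07:00 10.0.0.5 GET http://sync.example-unknown.net/ping 200
2024-03-04T09:12:41 10.0.0.9 POST http://update-check.example-bad.net/gate.php 200
2024-03-04T09:20:00 10.0.0.7 GET https://www.example.com/contact 200
"""


def parse_line(line):
    ts, client, _method, url, _status = line.split()
    return datetime.fromisoformat(ts), client, urlsplit(url).hostname


def detect_callhome(lines, min_hits=6, max_jitter=0.15):
    """Return findings [{client, host, reasons}] for suspected call-home traffic.

    max_jitter is the coefficient of variation (stdev/mean) of the gaps
    between requests below which the pattern counts as periodic.
    """
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        times[(client, host)].append(ts)

    findings = []
    for (client, host), seen in sorted(times.items()):
        reasons = []
        if host in BAD_HOSTS:
            reasons.append("destination on reputation denylist")
        if len(seen) >= min_hits:
            seen.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(seen, seen[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"periodic every ~{mean:.0f}s ({len(seen)} hits)")
        if reasons:
            findings.append({"client": client, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_callhome(SAMPLE_LOG.splitlines()):
        print(f"{f['client']} -> {f['host']}: {'; '.join(f['reasons'])}")
```

In the sample, 10.0.0.5 is flagged purely on timing (seven gaps averaging 60 seconds with under 2 seconds of spread) although its destination is on no list, 10.0.0.9 is flagged by reputation after a single request, and 10.0.0.7's ordinary browsing bursts are not flagged because their gaps vary by orders of magnitude. Real beacons add random sleep to defeat this, so the jitter threshold is a tuning knob, not a constant.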

HTTPS scanning and certificate validation: The ability to proxy and scan all web traffic including HTTPS encrypted channels, often used by webmail, anonymizing proxies, etc., which are increasingly being targeted by malware.
What to look for: A solution that can not only proxy and scan HTTPS encrypted connections, but one that can balance the need for end-user privacy with exceptions for bank and financial institution sites. Also look for certificate validation, to avoid phishing attacks that rely on invalid or mismatched certificates to fool users into believing they are secure: once the proxy terminates TLS, the browser only ever sees the proxy's certificate, so the proxy must perform and enforce the upstream validation the browser no longer can.
Specific questions to ask:
• Does your solution enable the proxying and scanning of HTTPS encrypted traffic?
• Does it have the capability to exclude financial institutions?
• Does it perform certificate validation?
• When an upstream certificate fails validation, does it block the session, warn the user, or silently pass it through?

True file type control: Examines all file downloads to determine their true type, to dramatically reduce the threat surface area from undesired file types.
What to look for: A solution that simply looks at file extensions or MIME types is inadequate. Only consider a solution that does true file type detection by inspecting the file header (its magic bytes) and, for container formats such as ZIP, the contents. This is the only way to prevent content masquerading, reduce your threat surface area, and keep undesirable or illegal content off your network.
Specific questions to ask:
• How many file types does your solution identify and control?
• What technique does it use to identify files (extensions or header analysis)?
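What "inspecting the file header" means in practice, for the Content-based filtering section earlier and for this row, is shown by the following added example (not code from the guide or any vendor). It classifies a download by its leading bytes, opens ZIP containers to tell an Office document from a JAR or APK, reads the PE header to separate EXE from DLL, and then applies a constructed policy that blocks executables outright and blocks any file whose extension disagrees with its true type. The magic table, the sample files and the policy are constructed for the example.

```python
"""True file type detection by content, not by extension or Content-Type.

Added example; not code from the buyers guide or any vendor. The magic
table, the sample files and the block/allow policy are constructed for
the example. Windows executables and screensavers both start with "MZ",
so one signature covers both; ZIP containers are opened to tell an Office
document from a JAR or APK.
"""
import io
import struct
import zipfile

# (magic prefix, type)
MAGIC = [
    (b"MZ", "pe"),
    (b"\x7fELF", "elf"),
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF8", "gif"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls
]

# Constructed policy: types blocked outright, and what each extension may contain.
BLOCKED_TYPES = {"pe-exe", "pe-dll", "elf", "jar", "apk"}
EXPECTED = {"txt": {"text"}, "pdf": {"pdf"}, "docx": {"ooxml"}, "xlsx": {"ooxml"},
            "png": {"png"}, "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "gif": {"gif"},
            "zip": {"zip"}}


def _refine_zip(data):
    """A ZIP container may be an Office document, a JAR, an APK or a plain archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"
    if "AndroidManifest.xml" in names:
        return "apk"
    if "META-INF/MANIFEST.MF" in names:
        return "jar"
    if "[Content_Types].xml" in names:
        return "ooxml"
    return "zip"


def _pe_subtype(data):
    """EXE or DLL, from the IMAGE_FILE_DLL bit (0x2000) in the COFF Characteristics field."""
    if len(data) < 0x40:
        return "pe"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return "pe"
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "pe-dll" if characteristics & 0x2000 else "pe-exe"


def true_type(data):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            if kind == "zip":
                return _refine_zip(data)
            if kind == "pe":
                return _pe_subtype(data)
            return kind
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def verdict(filename, data):
    """Return (true_type, 'allow'|'block', reason) for a download."""
    kind = true_type(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in BLOCKED_TYPES:
        return kind, "block", f"{kind} is not permitted by policy (named .{ext})"
    expected = EXPECTED.get(ext)
    if expected and kind not in expected:
        return kind, "block", f"content is {kind} but .{ext} claims {'/'.join(sorted(expected))}"
    return kind, "allow", "true type consistent with policy"


def fake_pe(dll=False):
    """Constructed minimal PE: DOS header with e_lfanew, 'PE\\0\\0', 20-byte COFF header."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = bytearray(20)
    struct.pack_into("<H", coff, 18, 0x2102 if dll else 0x0102)
    return bytes(dos) + b"PE\0\0" + bytes(coff)


def fake_docx():
    """Constructed minimal OOXML container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("notes.txt", fake_pe()), ("report.docx", fake_docx()),
                       ("photo.png", fake_docx()), ("readme.txt", b"plain text\n")]:
        print(name, *verdict(name, blob))
```

The guide's own ".TXT that is really an executable" case is the first sample: the extension and any Content-Type header are ignored, the "MZ" bytes decide. The "photo.png" case shows the other direction, a permitted type arriving under the wrong name, which a policy keyed on extensions would have waved through.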

Data loss prevention: Examines content for sensitive data to prevent it leaving the organization through unauthorized means.
What to look for: A DLP solution should cover all vectors of potential data loss, including removable media, devices such as USB sticks, traditional email, and Web 2.0 applications. Ideally the solution should block sensitive data leaks at the source – on the user's desktop. It must include a predefined list of sensitive data type definitions, updated on a regular basis as new sensitive data types are defined.
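The "predefined list of sensitive data type definitions" in this row, and the content control lists described in the Data loss prevention section earlier, are shown in miniature by the following added example (not code from the guide and not any vendor's CCL format). Each entry pairs a pattern with a validator that rejects look-alikes, so that an order number or a phone number is not reported as a card number. The sample message is constructed and uses well-known test values.

```python
"""Content control lists (CCLs) for a DLP scan.

Added example; not code from the buyers guide, and not any vendor's CCL
format. Each list entry is a pattern plus a validator that rejects
look-alikes: a digit run is a payment card only if it passes the Luhn
check, an IBAN only if its ISO 7064 mod-97 check holds, a US SSN only if
its groups are in issuable ranges. The sample message is constructed and
uses well-known test numbers.
"""
import re


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_ok(m):
    digits = re.sub(r"[ -]", "", m.group(0))
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def ssn_ok(m):
    area, group, serial = m.groups()
    return area not in {"000", "666"} and area[0] != "9" and group != "00" and serial != "0000"


def iban_ok(m):
    iban = m.group(0).replace(" ", "")
    numeric = "".join(str(int(c, 36)) for c in iban[4:] + iban[:4])  # A=10 ... Z=35
    return int(numeric) % 97 == 1


# (name, pattern, validator). Longer, more specific patterns first so that the
# digit tail of an IBAN is not re-examined as a card number.
CCL = [
    ("iban", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"), iban_ok),
    ("payment-card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), card_ok),
    ("us-ssn", re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"), ssn_ok),
]


def scan(text):
    """Return [(type, matched_text)] for every validated, non-overlapping hit."""
    hits, claimed = [], []
    for name, pattern, valid in CCL:
        for m in pattern.finditer(text):
            if valid(m) and not any(m.start() < e and s < m.end() for s, e in claimed):
                hits.append((name, m.group(0)))
                claimed.append((m.start(), m.end()))
    return hits


def redact(text):
    """Replace each validated hit with a [type] placeholder, e.g. before allowing an upload."""
    for name, pattern, valid in CCL:
        text = pattern.sub(lambda m, n=name: f"[{n}]" if valid(m) else m.group(0), text)
    return text


SAMPLE = (
    "Hi Dana, the customer card is 4111 1111 1111 1111 (exp 12/29), "
    "their SSN is 078-05-1120 and the refund goes to GB82 WEST 1234 5698 7654 32. "
    "Internal ticket 1234 5678 9012 3456 and reference 000-12-3456 are not sensitive."
)

if __name__ == "__main__":
    for kind, value in scan(SAMPLE):
        print(f"{kind:13} {value}")
    print(redact(SAMPLE))
```

The ticket number and the 000- reference in the sample match the raw patterns but fail their validators, which is the difference between a list that is "manageable and effective" and one that users learn to ignore. Localized types (national ID formats, bank account layouts) are added the same way, as a pattern plus the country's own checksum rule.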

Flexible deployment modes: Different deployment options that enable the solution to fit with your IT and business objectives, providing the ideal balance between security and ease of deployment and management.
What to look for: The ideal solution will support a range of options including explicit proxy mode, transparent mode operation, and support for Cisco's WCCP protocol. Avoid solutions that rely strictly on port-spanning operation: a device that only sees a mirrored copy of the traffic can alert on it but is not in the path to block it.
Specific questions to ask:
• Does your solution support explicit proxy mode?
• Does your solution support Cisco's WCCP protocol?
• Does your solution support transparent mode with directory service integration?
• How long does it take to deploy and configure your solution?

Directory services integration: The ability to integrate with your Microsoft Active Directory or Novell eDirectory services to identify and authenticate users automatically.
What to look for: Support for both Microsoft and Novell directory services with easy setup and integration for user-based policy settings and reporting.
Specific questions to ask:
• Does your solution support Microsoft Active Directory integration?
• Does your solution support Novell eDirectory integration?

Easy to manage: A solution that is immediately intuitive and doesn't consume a lot of your time and effort to set up and administer on a daily basis.
What to look for: If you can't get the system deployed in just a few minutes without a lot of documentation or several calls to your vendor's support line, then you have the wrong product. Select a solution with task-based, wizard-driven setup, policy administration, and reporting. Avoid any solution that's not immediately clear and intuitive.
Specific questions to ask:
• What's required to set up and configure the system?
• How intuitive is the management console?
• Does the setup and configuration use wizards, or lots of screens with fields that are poorly labeled?
• Does the solution provide thorough online help?
• How many steps does it take to set up a typical policy?

Monitoring and alerting: The health of the appliance or solution is monitored remotely and alerts are provided in the event of any malfunction.
What to look for: A solution that is remotely monitored for you by your vendor and that will alert you immediately if anything is wrong.
Specific questions to ask:
• Do you monitor the health of your solution for each customer?
• If so, do you provide alerts and remote remediation?

Dashboard and reporting: The ability to monitor your user, web traffic, and threat activity at a glance from a real-time dashboard, and drill down into rich and sophisticated reporting for forensics and compliance insight.
What to look for: A solution that has an aggregate dashboard that can span multiple separate appliances and present real-time status on user activity, throughput, latency, threats, and other important Internet traffic metrics. It is more important that the reporting system provide the information you need in a simple, convenient manner than that it wow you with the sheer number of different reporting options. Reporting should be simple and provide drill-down capabilities, with a variety of important user, traffic, and activity reports to satisfy all stakeholders in your organization. Look for solutions that can provide ad-hoc, up-to-the-minute reports while also supporting a variety of parameters and export options, including PDF output. In addition, regular scheduled reporting is essential to save you time and effort satisfying the needs of various stakeholders in the organization. Beware: once you have rich Internet activity reporting at your fingertips, everyone will want it.

Frequent updates: Frequent updates to malware identities, risky or malware-infested sites, and anonymizing proxies.
What to look for: Ideally your solution should update as frequently as every few minutes, as needed. Avoid solutions whose update frequency is measured in hours; by the time you get an update, it's likely too late.
Specific questions to ask:
• How often do you provide threat updates?
• Who maintains the updates and what resources do they have/use?

Easy upgrades: Updates to product software are easy to deploy.
What to look for: Ideally your product should update automatically without any intervention and at no extra cost for minor or major version releases.
Specific questions to ask:
• What's required to install a software update to the system?
• How much do updates and upgrades cost?

Service and support: The support experience.
What to look for: A company that treats you like a partner in protecting your organization, and that offers 24/7/365 support at no additional cost, with immediate access to local front-line engineers who can actually help in your language. Also look for a solution that offers an advance replacement warranty on all hardware. Avoid vendors whose support is all overseas or who deal with both enterprise and consumer customers.

Security labs: The team responsible for threat analysis and security updates.
What to look for: Look for a solution backed by a top-tier global, round-the-clock security labs operation that deals with blended email, web, and endpoint threats.
Specific questions to ask:
• How many people work in your labs operations?
• Where are they located?
• Do team members specialize in certain threats, or is the labs' research fully blended across spam, web infections, and viruses?
• What level of automation and other resources do they utilize to keep ahead of the threats?

URL Filtering
• Multiple language support
• Frequent updates (minutes)
• Wizard-driven policy
Reputation Filtering
• Provided by top-tier vendor
• Mobile/remote user protection
• Frequent updates
Proxy Filtering
• Real-time proxy detection
• Proxy discovery service
• Hundreds of new proxies added daily
Call-home detection
• Scan outbound requests
HTTPS Scanning
• Proxy encrypted traffic
• Financial site exclusions
• Certificate validation
Content Filtering
• Uses true-file-type identities
• Granular policy control
Deployment modes
• Explicit proxy mode
• WCCP mode
• Transparent mode
Management Console
• Up and running in less than 10 minutes
• Intuitive user interface
• Wizards for common tasks
• Online help
• Quick, easy policy setup
Security labs
• Global labs operation
• Hundreds of analysts
• Innovative automation
• Blended virus, spam, and web threats