A secure web gateway is a security solution that prevents unsecured traffic from entering an organization's internal network. Web gateways are often the first thing organizations implement when they consider configuring firewalls or corporate intranets. They can be implemented in several different ways and are particularly popular on low-cost home and small office networks, where a single web gateway can manage a large number of clients.
There are different types of web gateways that can be used in different scenarios, and your options may depend on your network topology and on the vendors that offer them, such as Fortinet, which specializes in this area. The first type is the most basic and serves simply as a gateway. These gateways are a basic form of virtual private network (VPN), or “VPN 1.0”: they simply enable TCP port forwarding and do not enforce any authentication, per-connection VPN usage, or encryption.
The second type of secure web gateway provides server-side encryption via SSL and authentication via a shared secret. These are the strongest type of secure web gateway, but they are still subject to a number of restrictions that must be managed on a per-server basis. While they are much simpler than firewall-based alternatives, there are additional security concerns that must be dealt with. See Figure 1 for a general overview of the different types of web gateways.
Figure 1: Overview of different types of web gateways
The only legitimate use of SSL
SSL (Secure Sockets Layer) is the protocol used to encrypt traffic between a web browser and a server. Most secure web gateways use SSL for most of their traffic.
“SSL” stands for Secure Sockets Layer. It is the standard used in the HTTP protocol, and the simplest to understand. SSL provides a way to encrypt client connections to a server. Any connection with an unsupported SSL option is potentially vulnerable to man-in-the-middle attacks. SSL is an endpoint-level security option and the only secure option that can be used in web applications.
Client-to-server connections are protected with HTTPS (Hypertext Transfer Protocol Secure). HTTPS provides enhanced security that may only be used in web applications or when a secure URL is used. With SSL, an HTTPS certificate must be installed on the client system before it can be used. Client and server systems must have fully identical (unmodified) certificates installed at startup before they can communicate securely.
When an SSL application allows a client to send an HTTPS request to a secure URL, it uses the security algorithm in the certificate to encrypt the entire connection using SSL. If the certificate for the HTTPS URL matches the name of the certificate for the SSL application, the client makes a direct request to the SSL application to verify that the TLS certificate is correct. If the certificate is correct, the client communicates directly with the SSL application and uses it to verify the intended destination of the communication.
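The name check described above is the step that lets a client notice a man-in-the-middle presenting a certificate issued for some other host. The following is an added example, not code from the original article: it implements the matching of a requested hostname against a certificate's Subject Alternative Name entries, in the shape Python's `ssl.getpeercert()` returns them, with the wildcard and IP-address rules that browsers apply. It checks the name only; chain validation and expiry checks are a separate step.

```python
"""Hostname-to-certificate name matching, as a TLS client performs it.

Rules (the common browser interpretation of RFC 6125):
  * comparison is case-insensitive and ignores a trailing dot;
  * a wildcard is allowed only as the whole leftmost label ("*.example.org"),
    matches exactly one label, and is rejected for names with fewer than
    three labels so "*.com" cannot cover every .com host;
  * an IP-address hostname matches only an "IP Address" SAN entry, never a
    "DNS" entry that happens to contain the same digits.
"""
import ipaddress


def _match_dns(pattern: str, hostname: str) -> bool:
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False                      # wildcard not in a permitted position
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False                      # wildcard must cover exactly one label
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san) -> bool:
    """san: iterable of (kind, value) pairs as found in
    ssl.getpeercert()['subjectAltName'], e.g. (('DNS', '*.example.org'),
    ('IP Address', '192.0.2.10')). Returns True on a name match."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in san:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _match_dns(value, hostname):
            return True
    return False


if __name__ == "__main__":
    # Constructed SAN list standing in for a real certificate's extension.
    san = (("DNS", "*.example.org"), ("IP Address", "192.0.2.10"))
    print(hostname_matches("www.example.org", san))    # True
    print(hostname_matches("a.b.example.org", san))    # False: two labels
```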
SSL provides a number of additional security benefits beyond its role as an endpoint-level security option. The fact that only clients can connect to the application from within the application means that the application must be closed before the connection between the client and server can be closed. SSL provides encryption by default, which means that SSL connections are encrypted using the secure transport layer (HTTPS) protocol. HTTPS also has a higher level of encryption than HTTP connections. To remove the default SSL encryption, applications can be configured to use a different protocol. This eliminates the need to update all client systems with a new set of certificates and makes it easier to deploy a new SSL implementation with minimal effort.