Hybrid Web Security: The Best of Cloud Computing and On-premises Combined
HISTORY OF WEB SECURITY
Web security has evolved along with the Web itself and with the varying threats and attacks that need to be controlled at any one time. Initially, the biggest threat to people using the Web was accidentally viewing inappropriate content. This is where the original block lists came from, such as X-Block, a product in the history of M86 Security and one of the first products available from the 8e6 side of the business. Productivity became an issue when businesses started providing widespread access to users. To help manage time spent on shopping sites or personal email, time-of-day controls and quotas became popular. At this time, the threat from viruses and malware came mainly from floppy disk use, and then from email, with viruses attached to messages. As can be seen from the graphic below, the actual malware threat only shifted to the Web in the last several years, initially with the bad guys bringing up their own Web sites that were then listed by the URL filtering lists. Today, the reality is very different. Over 84% of all malware-infected Web sites are legitimate Web sites deemed to be safe by URL filtering lists. While many organizations today still consider URL filtering list-based products to be Web security solutions, in reality they are most useful for ensuring productivity. Organizations of all shapes and sizes need to be considering a secure Web gateway solution to provide effective security for Web usage. As evidenced by the graphic below, the change between Web 1.0 and Web 2.0 has been very dramatic.
[Graphic: "The wild read-write Web, 80,000,000 sites". Web 1.0 (1996): Published Content. Web 2.0 (2006): User-generated Content, Collective Intelligence.]
The Web security threat has grown dramatically with Web 2.0 and the malware infection of legitimate Web sites. The social networking phenomenon has added rich social dialogue and crowd-based wisdom, but it has also provided convenient cover for the bad guys, allowing them to capitalize on the lower suspicion level most users have when using the social network of their choice. Hence, more targeted and successful infections occur around Web 2.0 sites and activities. Other malware innovations such as polymorphic viruses have quickly emerged; in this case, the virus keeps changing itself on a regular basis to get around signature updates. Another example is the runtime creation of viruses, where a different virus sample is created for each user, again causing the effectiveness of traditional signature-based AV scanners to drop dramatically. In a recent study by M86 Security of 15,000 active live malicious Web sites, the combination of three leading AV scanners only yielded a block rate of 39%... combined!
Another factor accelerating dynamic Web threats is the emergence of Web 2.0 and the resulting explosion in social networking sites. Web 1.0 is characterized as the read-only Web: you downloaded and viewed information from Web sites but contributed or uploaded very little.
the M86 WebMarshal solution. Organizations chose between these two types of solutions depending on their actual requirements and preferences. There are advantages and disadvantages for each of these two on-premises options, and these are summarized in the table below:
Requirement: Maturity
  Software: Varies. Typically good, since software-based solutions are usually the first to market and fairly mature.
  Appliances: Varies; depends on the product. At the heart of every appliance is software, and the maturity of this software (which is usually coupled to ease of use) can vary widely.

Requirement: Installation Flexibility
  Software: Good. Since software is installed on new or existing hardware, it has many options for where it can be installed, and it can easily be shifted in case of hardware failure.
  Appliances: Poor. An appliance solution is usually installed on special dedicated hardware, so it is difficult to plan for hardware failures unless you have a spare appliance standing by, which is cost prohibitive. So do you invest in spare hardware, or do you take the chance and have unprotected Internet usage while the appliance is being fixed? This scenario gets easier in larger installations that rely on multiple appliances to scale, but you still need to allow for n+1 in case a single appliance fails.

Requirement: Integration Options
  Software: Fair. Even though software solutions are typically first to market, in the Web security space software products do typically offer slightly fewer options for integrating the solution into your network and directory. If your preferred method is supported, then great, but this can be a limiting factor with software solutions.
  Appliances: Good. In the Web security market, some appliance-based solutions offer a wide range of options for integrating the solution into the customer's network and directory.

Requirement: Cost-Effective
  Software: Good. Most software solutions provide good ROI and value for money. As with anything, you get what you pay for: spend more for better quality and bigger features, or spend less for what you need right now. Ensure that the solution is expandable and future-proof.
  Appliances: Varies. The appliances themselves are a set configuration supporting a given number of users. Below this minimum number you will not be using the appliance to its maximum performance. Compare this to software solutions, where other applications could be run on the same server.

Requirement: Performance
  Software: Varies. It is very dependent on the hardware on which the software is installed. Also, software is typically not able to make use of specialist performance-enhancing hardware options such as SSL decryption cards.
  Appliances: Good. Appliances are designed to do a defined job and just that job. Because of this, they give excellent performance at doing that job.

Requirement: Reporting
  Software: Good. Most software solutions provide good reports. A few offer excellent reporting systems, but most are relatively basic. This is a key area to examine when evaluating different solutions; make sure that the solution provides the reporting measures that you require.

Requirement: Security
  Software: Fair. Software solutions need to be installed and configured before they are usable. Also, if the server they are loaded on is being used for other tasks, any lock-down and hardening you are able to do on the Web security solution will be minimized.
  Appliances: Excellent. As a single-purpose device, usually based on a minimal operating system, appliance-based security products are generally a lot more secure than software solutions.
Another consideration with traditional on-premises Web security solutions is how they can be deployed or installed into an organization's network. Proxy server-based products are popular as they are in-line. 8e6 Technologies, now part of M86 Security, also popularized a pass-by method. Each of these methods offers advantages and disadvantages, as shown below:
Requirement: Ease of Installation
  Proxy server-based: Difficult. Somehow all browsers need to be pointed through the proxy server, either by manual settings on each workstation or by mandating settings through a Group Policy Object, e.g., in Active Directory.
  Pass-by: Easy. Pass-by solutions are not in-line. They simply listen on the network for any outbound URL requests by connecting to a mirror port on a network switch, and they plug into the network with no changes required on user browsers.

Requirement: Performance
  Proxy server-based: Difficult. Being in-line means the solution must scan and process all traffic in real time as it moves through; this adds a degree of latency. How noticeable the latency is to end users dictates how well the solution is accepted. Key to maintaining minimal latency is an internal architecture that is as efficient as possible, coupled with realistic scaling to support true customer load.
  Pass-by: Fast. Pass-by solutions are not in-line, so they do not impact user latency at all. However, to successfully control and block inappropriate browsing sessions, they must be scaled well enough to beat any Web server responding to a user request: the pass-by solution not only sends a block page to the user but also sends a TCP reset to the Web server that the outbound URL request was made to.

Requirement: Policy Capability
  Proxy server-based: High. As an in-line solution, a proxy-based product is able to scan all browsing requests to the Internet as well as the downloaded content coming back. It can also scan file downloads and uploads for malware and ensure they meet any policy requirements.
  Pass-by: Minimal. Pass-by solutions can only scan outbound URL requests, which occur when a user clicks a link or types a URL into their browser. Policy enforcement is based on the requested URL and who the user is.

Requirement: Security Coverage
  Proxy server-based: Good. As an in-line solution, proxy server-based products can look deeply into all content passing through, analyzing not just the URL but also page content for lexical analysis, active page content such as scripts for malicious indicators, and even file transfers for malware scanning.
  Pass-by: Minimal. Pass-by solutions only scan the requested URL, so any decision on whether to block is based solely on the URL and any previous analysis that has been done on that URL.
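The two pass-by limits in the table above (the decision is made on URL and user only, and a block only takes effect if the sensor beats the Web server's response) are illustrated by this constructed model. It is an added example, not M86 code; the hosts, groups, policy and timings are all assumptions.

```python
"""Model of pass-by (mirror-port) Web filtering.

Constructed example: a pass-by sensor sees only the outbound request
(user + URL) on a mirrored port. To block, it must race the real server,
sending a block page to the client and a TCP RST to the server before the
server's response lands. It never sees the response body at all.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed policy: categories from prior URL analysis, rules per user group.
URL_CATEGORY = {
    "shop.example": "shopping",
    "mail.example": "webmail",
    "intranet.example": "business",
}
BLOCKED_FOR_GROUP = {
    "staff": {"shopping"},
    "contractor": {"shopping", "webmail"},
}


@dataclass
class MirroredRequest:
    user: str
    group: str
    url: str
    server_rtt_ms: float          # time until the server's reply reaches the client
    response_has_malware: bool = False   # invisible to a pass-by sensor


def decide(req: MirroredRequest) -> str:
    """Verdict from the only two inputs a pass-by sensor has: URL and user."""
    host = urlsplit(req.url).hostname or ""
    category = URL_CATEGORY.get(host, "uncategorized")
    return "block" if category in BLOCKED_FOR_GROUP.get(req.group, set()) else "allow"


def enforce(req: MirroredRequest, sensor_latency_ms: float) -> dict:
    """Apply the verdict; a block only holds if the sensor wins the race."""
    verdict = decide(req)
    won_race = sensor_latency_ms < req.server_rtt_ms
    effective = verdict == "allow" or won_race
    actions = ["block_page_to_client", "tcp_rst_to_server"] if verdict == "block" else []
    return {"user": req.user, "verdict": verdict, "won_race": won_race,
            "effective": effective, "actions": actions, "response_inspected": False}


def run(requests, sensor_latency_ms: float) -> list:
    return [enforce(r, sensor_latency_ms) for r in requests]


# Constructed traffic: a slow shopping site, a fast webmail site, and an
# uncategorized site whose response carries malware the sensor cannot see.
SAMPLE = [
    MirroredRequest("alice", "staff", "http://shop.example/cart?item=1", 40.0),
    MirroredRequest("bob", "contractor", "http://mail.example/inbox", 8.0),
    MirroredRequest("carol", "staff", "http://intranet.example/wiki", 3.0),
    MirroredRequest("dave", "staff", "http://blog.example/post/7", 30.0, True),
]

if __name__ == "__main__":
    for result in run(SAMPLE, sensor_latency_ms=12.0):
        print(result)
```

With a 12 ms sensor, alice's shopping request is blocked, bob's webmail request is judged blockable but the 8 ms server wins the race, and dave's malware download is simply allowed because nothing inspects the response.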
The common disadvantage of all of these solutions is that the organization has to house and administer them, including patching and other maintenance functions. This has led to a new option, cloud-based Web security, where a third-party company hosts and maintains the security solution.
from the cloud solution. This idea has the benefit of scanning in the cloud, but all logging information and data is still stored back at the customer's site.

Infrastructure Configuration Control
On-premises Web security solutions have been available far longer than the newer cloud-based systems and, as such, typically deliver a very rich and granular capability. Many organizations also like the network deployment capabilities of on-premises solutions, including options like ICAP or WCCP, as well as the ease of connection to the corporate directory for user identification and policy definition. This brings up an interesting area: that of user identification and authentication. These two terms may seem similar, but they can be very different. User identification is the simpler task: it means that we have identified who we think the user is and will apply policy and track usage based on that profile. User authentication, on the other hand, is more of a guarantee that a particular user is who they say they are, achieved by forcing an authentication step each time they start a browsing session. More simplistic solutions may do this by presenting an authentication window to the user, which quickly becomes tiring; more mature solutions can use methods like Windows NTLM, which reports the locally logged-on user, and you trust the authentication step that was completed when the user logged on. If your organization is particularly sensitive to Internet usage and relies on forensic-quality reports to report and act on inappropriate usage, you will need to consider authentication to provide a higher guarantee of a user's actual usage.

Security Data Location Compliance
Conflicting requirements from compliance regulations can be a big challenge, further compounded by any location-based requirements, such as data being unable to be held outside the country where the organization resides. Switzerland can be an example of this. Alternatively, all data may have to be held in countries that have been approved in terms of data handling procedures. An example of this is the EU data handling regulations, which state that data can only be held in a country with approved data management processes; at present, that excludes the USA.

Enterprise Security Control
Larger organizations will have many administrators who might only be responsible for a subset of users, so ensuring that they only have control over their subset of users can be very important; this is also known as delegated administration. Reporting is often based on this model; perhaps HR personnel can directly access the reporting console themselves and run just the reports that they need. With more administrators and report generators accessing the system, keeping track of any changes and actions is critical, and this is where audit logs come into play.

Infrastructure Complexity Management
Today's threat landscape and the advent of Web 2.0 have resulted in not only more serious threats but also far higher volumes. This has resulted in more capable, but also more complex, security solutions. When integrated on site, these solutions can demand significant server resources and can also be very difficult to integrate properly into an organization's network while maintaining performance.

System Version Updates
With the more serious Internet threats facing organizations today, and the speed at which new threats emerge, having an effective and resilient product updating mechanism is vital to ensure customers are protected as much as possible. The volume of product rule updates, threat data updates and product updates themselves keeps increasing. These can present challenges for organizations with strict change control processes, not to mention the quick fall-off of protection should something go wrong.

Mobile and Branch Office Support: Awkward and Expensive
Perhaps one of the most difficult requirements to solve with on-premises solutions is how to extend coverage to a mobile workforce and small branch offices. In the past, organizations have mandated that all mobile users connect back to HQ for Internet access, or that branch offices relay all of their Internet traffic back through HQ, where the on-premises solutions are located. Think of the ineffective case of forcing a small branch office in Singapore to connect back through HQ in the States for access to local Singapore Web sites. With mobile users, not only will they revert to what works fastest, which is to go to the Internet directly, but they will also have little to no security coverage; so not only do they infect themselves, but what happens when they connect back into the organization's network with infected laptops?
cloud Web security is managed through browser-based tools and causes all subscriber HTTP/HTTPS traffic to route through the cloud node to deliver services like URL filtering, malware blocking, and content filtering.
Hybrid cloud Web security solutions run a combination of on-premises hardware/software and cloud-based software. The hybrid approach is often designed to meet specific requirements of existing on-premises appliance installations, such as adding support for mobile users or meeting requirements for logging and reporting data storage.
facilities, where processes for systems management and maintenance are leveraged across thousands of systems. The following chart provides a typical comparison analysis of TCO for an on-premises vs. pure cloud solution for a 100-user small enterprise:
[Chart: TCO in dollars ($0 to $18,000) for On-premises vs SaaS, plotted from End Yr. 2 through End Yr. 7.]
Version and Feature Enhancement Benefits
SaaS vendors often implement their software in the cloud such that a single central version is configurable and manageable for all subscribers. This is often described as multi-tenancy: multiple subscribers consume the application with safe access to and management of their own data. When SaaS vendors develop new features and functions, they can update the central version of the application and deliver it simultaneously to all subscribers. This can speed up the process of responding to feature requirements, because it eliminates the process of delivering and integrating new versions to thousands or more different on-premises installations.
As in most such analyses, the initial upfront costs for the on-premises solution are significantly higher, as are ongoing IT labor and support costs. Eventually the lines cross due to the effect of higher recurring costs with SaaS, but the crossing point may be several years beyond the useful life of the technology being consumed.

Initial Costs
Pure cloud solutions also benefit from the flexibility to deploy users incrementally as the organization expands. The typical on-premises purchase accounts for all eventual users of a system, and for the quantity of hardware and/or software the system needs when fully deployed. Too frequently after such purchases, it is several years or more before all of the purchased licenses and devices are actually deployed to the full user base at full capacity. Pure cloud solutions are typically purchased by month or by quarter, and only for users as they are added to the service. Thus, pure cloud solutions offer much greater control over the timing of purchase costs associated with user rollout.

Simplification of Information Technology Resource Management
A typical on-premises system requires knowledgeable installation and management of the devices and/or software that surround and integrate with the solution. This means everything from network infrastructure equipment, to operating system patching, to database administration and management. Each on-premises installation is a collection of dependent subsystems which must be successfully managed both independently and collectively by on-site IT personnel. Pure cloud solutions outsource most of this problem to the IaaS provider, who manages the dependent subsystems by platform across thousands of servers, switches, firewalls, and virtual machines. The only information technologies that need to be managed on-premises to consume SaaS from the cloud are PC systems with browsers and Internet connectivity.
The result is a simple environment for delivering information technology to the enterprise.
M86 Security offers free product trials and evaluations. Simply contact us or visit www.m86security.com/downloads
Version 04/06/10
Copyright 2010 M86 Security. All rights reserved. M86 Security is a registered trademark of M86 Security. All other product and company names mentioned herein are trademarks or registered trademarks of their respective companies.