Online security is a hot topic and for good reason. Cybercriminals have invested heavily in online attacks and for obvious reasons — most businesses rely on the internet for daily business applications. While many employees are tasked with technical roles, few are cybersecurity experts. Businesses both large and small face a challenging, sophisticated threat landscape and it’s the average employee that often constitutes the last line of defense.
In a recent article, Gartner called out the fact that there are several distinct security goals in the area of web access, and that the array of solutions in this space is confusing and expensive. There is also overlap in which solutions map to which goals. Organizations should take the time to understand their security needs and map the various technology solutions to those needs.
7 major security goals for web gateway solutions:
1. Enforce and report on acceptable use policies (AUP)
Allow or deny access based on a list of categorized URLs such as gambling, alcohol, and pornography.
2. Block known bad URLs
Inspect traffic and deny access, or require end-user approval, for websites that score as risky under the vendor's threat-intelligence-based risk scoring.
3. Protect from malicious file downloads
Inspect binaries downloaded from the web for malicious behavior using techniques such as sandboxing (behavior-based) and malware scanning (signature-based).
4. Detect and block malicious content hosted within a site
Do deeper inspections of executable code hosted within websites including decrypting traffic for static analysis to prevent malware from executing locally on a client.
5. Provide visibility and protection into SaaS via native CASB capabilities or integration
Discover shadow IT access to SaaS applications and apply whitelist or blacklist policies for access including granular application controls to manage application features.
6. Bandwidth shaping
Apply bandwidth controls to certain websites or sections of websites (such as YouTube), restricting the bandwidth they may consume so that capacity is preserved for business applications.
7. Provide content inspection natively for DLP or integration with EDLP
Inspect file uploads including the decryption of TLS either in line or through an integrated DLP tool to apply data protection policies.
Gartner identifies three core architectures for meeting these goals: Full Proxy, DNS Redirection, and Remote Browser Isolation. Note that each such architecture has significant flaws:
- Full Proxy: For Full Proxy to work, all encrypted web traffic must be decrypted and analyzed by the proxy. This means that a custom proxy certificate must be installed and trusted on all endpoints using the proxy, and the encrypted traffic to/from the website must be re-encrypted and spoofed using the proxy’s certificate. This raises a number of issues: for example, the proxy must be absolutely trusted, and the process breaks security concepts like Certificate Transparency. Further, the proxy represents a single point of failure and must be sized to handle all web traffic from all clients – a considerable expense. For more details on proxy issues, read this in-depth technical article: https://www.secureworks.com/research/transitive-trust.
- DNS Redirection: DNS Redirection is a nice, simple technique but suffers from relatively weak security: it can only validate the domain name of the website, which means that good websites (think GitHub) that happen to have malicious content placed on them will be entirely allowed or entirely blocked. Further, the categorized list of websites is difficult to keep up to date, and can often be inaccurate as new websites are set up, existing good sites are compromised, and formerly bad sites clean up their acts. In particular, DNS Redirection cannot detect “zero-day” malicious websites, i.e. websites that are specifically set up for a new attack campaign, or malicious ads that are injected into legitimate ad services. DNS Redirection is a great start, but must be supplemented by other technologies to be truly secure.
- Remote Browser Isolation (RBI): The primary issue with RBI is cost: cost to host all those temporary VMs running in the cloud, and cost to ship internet bandwidth back and forth. There are other practical considerations such as website compatibility, business interruption due to functions (like file downloading) that are disabled via RBI, and so forth.
As you can imagine, each proposed architecture also satisfies a different set of goals: Full Proxy can perform bandwidth shaping, for example, whereas DNS Redirection cannot.
The VIPRE Approach
Taken together, VIPRE can achieve the first four goals identified within the Gartner framework:
- Enforce and Report on acceptable use policies (AUP)
- Block known bad URLs
- Protect from malicious downloads
- Detect and block malicious content hosted within a site
VIPRE’s architecture does not fall neatly into any of the three core architectures identified by Gartner, although we leverage aspects of all three to provide a best-of-breed approach with minimal impact on your organization’s environment. Let’s address each goal in turn:
Enforce and Report on acceptable use policies (AUP)
In many ways this is the simplest goal to implement, as all that is required here is to observe which websites a user attempts to visit, and then to enforce your organization’s policies on those attempts as well as report on which site visits are attempted. The approach most naturally suited to achieve this goal is DNS Redirection, which is similar to VIPRE’s implementation but with a twist: instead of forcing your organization to use a special DNS provider, we redirect DNS traffic at the endpoint level.
VIPRE’s Web Access Control implementation works like this:
- An application on the user’s endpoint attempts to visit a website
- The app requests a DNS lookup on the website’s name, seeking to resolve the IP address for that website
- VIPRE’s network protection agent sees the DNS request, and sends a parallel query to our hostname information service; in the meantime, the DNS request goes to your standard configured DNS servers
- The agent receives both the response from your DNS server, as well as the response from our hostname information service which includes website categorization
- The agent checks to see if the website should be blocked based on your organization’s configured policies, and the website categorization information provided by our service
- If the site should be blocked, the application receives a redirected IP address that sends the user to an informative block page; if not, the app gets the site’s normal IP address.
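The resolution flow above as an added simulation (example code, not VIPRE's agent): the organization's DNS server and the hostname information service are stand-ins with constructed data, and the block-page address, the category names and the shape of the policy object are assumptions.

```python
from dataclasses import dataclass

BLOCK_PAGE_IP = "10.0.0.1"  # constructed: address that serves the informative block page

# Constructed stand-ins for the organization's configured DNS server and for the
# hostname information (categorization) service; the agent queries both in parallel.
UPSTREAM_DNS = {
    "intranet.example.com": "192.0.2.10",
    "casino.example.net": "192.0.2.30",
    "github.com": "192.0.2.20",
}
HOST_INFO = {
    "casino.example.net": {"categories": {"gambling"}, "known_bad": False},
    "malware.example.org": {"categories": {"malware"}, "known_bad": True},
    "github.com": {"categories": {"software"}, "known_bad": False},
}


@dataclass
class Policy:
    blocked_categories: set        # AUP: categories the organization denies
    block_known_bad: bool = True   # DNS Protection: deny hosts flagged as known-bad


def categorize(hostname):
    """Answer from the hostname information service; unknown hosts carry no categories."""
    return HOST_INFO.get(hostname, {"categories": set(), "known_bad": False})


def resolve(hostname, policy):
    """Return (ip, reason): the real answer, or the block-page IP plus the reason for it."""
    hostname = hostname.rstrip(".").lower()   # DNS names are case-insensitive
    upstream = UPSTREAM_DNS.get(hostname)      # response from the configured DNS server
    info = categorize(hostname)                # response from the categorization service
    if policy.block_known_bad and info["known_bad"]:
        return BLOCK_PAGE_IP, "known-bad host"
    hit = info["categories"] & policy.blocked_categories
    if hit:
        return BLOCK_PAGE_IP, "AUP category: " + ",".join(sorted(hit))
    if upstream is None:
        return None, "NXDOMAIN"   # nothing to redirect: pass the resolver's failure through
    return upstream, "allowed"


if __name__ == "__main__":
    policy = Policy(blocked_categories={"gambling", "alcohol"})
    for name in ("casino.example.net", "github.com", "malware.example.org"):
        print(name, "->", resolve(name, policy))
```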
Note that one advantage of this approach is that, because the VIPRE agent intercepts all DNS queries at the endpoint, it cannot be circumvented by the user, the app, or malware sending queries directly to a non-standard DNS server (i.e. bypassing the OS name service). Also, organizations don’t need to reconfigure their DNS servers to point somewhere else, and the solution will work regardless of whether the end user is on the corporate network or not.
This solution is available as an add-on to our world-class Endpoint Security Cloud solution and is called Web Access Control.
Block known bad URLs
On the endpoint side, blocking malicious URLs comes in two parts, one of which is based on the same technique used for AUP enforcement, and the other of which is used to block URLs specifically. A URL is made up of several pieces, the two key ones for this use case being the hostname and the path. The trick with blocking malicious URLs is that the path part of the URL is carried in the web traffic content, and therefore in most cases is encrypted. This means that the DNS Redirection technique will not work for any site that is mostly OK, but hosts some malicious content somewhere on it.
VIPRE’s solution uses a layered approach, with DNS Protection (implemented in the same way as Web Access Control, see the previous section for a detailed explanation) blocking access to known-bad entire sites, and a proxy performing deep web content analysis and looking for malicious code from a given URL. In our case however the proxy lives inside the browser itself as an extension, which means that it does not need to decrypt the page content in order to see it as the browser has already decrypted the content.
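The hostname-versus-path distinction above, as an added example (not VIPRE's code): the DNS layer can only key on the hostname, while the in-browser layer sees the decrypted request and can key on host plus path. Both block lists are constructed, and the normalization rules are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed block lists. Whole hosts are denied at the DNS layer; individual
# URLs (host + path) are denied by the in-browser content inspection layer.
KNOWN_BAD_HOSTS = {"malware.example.org"}
KNOWN_BAD_URLS = {
    "github.com/evil-user/payload.exe",
    "cdn.example.net/ads/drop.js",
}


def split_url(url):
    """Return (hostname, hostname + normalized path) for a browser request."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")   # urlsplit lowercases the host; drop any port
    path = unquote(parts.path) or "/"            # decode %-escapes so aliases match
    return host, host + path


def dns_layer(url):
    """What DNS Protection can decide: it never sees the path."""
    host, _ = split_url(url)
    return "block" if host in KNOWN_BAD_HOSTS else "allow"


def browser_layer(url):
    """What the browser extension can decide once the browser has decrypted the request."""
    _, key = split_url(url)
    return "block" if key in KNOWN_BAD_URLS else "allow"


def layered_verdict(url):
    """Run the cheap DNS check first, then the URL check; report which layer decided."""
    if dns_layer(url) == "block":
        return ("dns", "block")
    if browser_layer(url) == "block":
        return ("browser", "block")
    return (None, "allow")
```

A site like github.com hosts both benign and malicious paths, so the DNS layer alone must allow or block all of it; only the browser layer can tell the two apart.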
Both of these solutions are carried as core parts of our Endpoint Security solutions, with no additional add-ons required.
VIPRE has another arrow in the quiver, however, which is implemented in a basic version in our core Email Security product, and then in a much more advanced mode in our Phishing Protection add-on (included in Advanced Threat Protection as well). This solution protects solely against bad URLs that are sent to your users via email, which is by far the most common vector. The first line of defense is part of the standard Email Security package, and simply scans all inbound emails for any known-bad URLs. Any emails with known-bad URLs at the time of receipt are placed into quarantine for review.
With Phishing Protection/ATP, you get an additional layer of defense if the attacker is smart enough to leverage a “zero-day” attack, one where the malicious website is set up some time after the email is delivered to the end user – in this case, the URL is not yet known to be malicious at the time of initial scanning, so the email will go through. With Phishing Protection, however, if and when a user clicks on that URL to visit it, they are redirected (via URL rewriting) to a special service that does another check on that URL to see if it is malicious. If it is, the user is presented with a friendly block page; otherwise they are allowed to proceed.
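The two email checks described above (scan at delivery, re-check at click time via URL rewriting), as an added example that is not VIPRE's implementation: the checking-service address, the query-parameter name, the URL regex and the sample email body are all constructed.

```python
import re
from urllib.parse import quote, urlsplit, parse_qs

# Constructed address of the click-time checking service.
CHECK_SERVICE = "https://urlcheck.example.com/click"
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

# Constructed inbound email body with one link.
SAMPLE_BODY = "Please review https://invoice.example.net/doc/42 before Friday."


def rewrite_urls(body):
    """Replace every URL in an inbound email body with a link through the checking service."""
    def wrap(match):
        url = match.group(0)
        if url.startswith(CHECK_SERVICE):
            return url  # already rewritten; never double-wrap
        return CHECK_SERVICE + "?u=" + quote(url, safe="")
    return URL_RE.sub(wrap, body)


def original_url(rewritten):
    """Recover the destination the user actually clicked from a rewritten link."""
    return parse_qs(urlsplit(rewritten).query)["u"][0]


def delivery_time_scan(body, known_bad):
    """Standard inbound scan: quarantine if any URL is already known-bad at receipt."""
    return "quarantine" if any(u in known_bad for u in URL_RE.findall(body)) else "deliver"


def click_time_check(rewritten, known_bad):
    """Re-check the destination against the block list current at click time."""
    url = original_url(rewritten)
    return ("block", url) if url in known_bad else ("allow", url)


if __name__ == "__main__":
    # Zero-day scenario: the URL is clean at delivery and flagged only later.
    print(delivery_time_scan(SAMPLE_BODY, set()))
    body = rewrite_urls(SAMPLE_BODY)
    link = URL_RE.findall(body)[0]
    print(click_time_check(link, {"https://invoice.example.net/doc/42"}))
```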
Protect from malicious file downloads
Protecting against malicious files is our bread and butter, and several of our solutions come into play here. To enumerate them:
- Files hosted by known-bad sites will be blocked by DNS Protection (Endpoint Security) as above
- Files that are hosted at known-bad URLs will be blocked by our browser content inspection extensions (Endpoint Security) as above
- Files that are attached to emails, or are hosted at known-bad sites/URLs embedded in emails, will be blocked by standard email malware scanning (Email Security)
- If the source of the malicious file is unknown and the browser proceeds to download it, it will usually be caught immediately by our malware scanning engine (Endpoint Security)
- If the file is previously unknown (a zero-day threat), but is sent via email, it will be blocked by an in-line forensic sandbox which comes with Attachment Sandboxing or our Advanced Threat Protection bundle (Email Security)
- If the file is a zero-day threat, it may not be caught by standard signature scanning but will be blocked by our behavior-based Advanced Active Protection as soon as the file is executed (Endpoint Security)
In other words, VIPRE provides for several layers of complementary protection against malicious files, with on-device behavior monitoring being the last line of defense. We should also note that your users should really be trained not to go around downloading and running untrusted content – something VIPRE can help with as well: https://www.vipre.com/vipre-security-awareness-training/
Detect and block malicious content hosted within a site
Here we come to the trickiest security goal, that of blocking malicious web content hosted on not-known-to-be-malicious websites. Unlike blocking known-bad sites or URLs, detecting malicious web content can be very tricky: the browser vendors spend a ton of time trying to lock down their browsers to prevent host compromise, and their best efforts have always been circumvented by determined attackers. Again, VIPRE has several complementary solutions.
The first solution piggybacks on the same browser extension we use to block malicious URLs: just like URLs, webpages are content within web traffic so the same VIPRE browser extension mentioned above can examine the entire page, including all loaded sub-resources, to look for malicious web exploit signatures. As before, we do this within the browser to avoid any issues with in-line decryption of web traffic. These signatures are updated along with our standard AV signatures, so are kept current with the latest threats. Of course, if a zero-day threat manages to get past the webpage scanning, we still have Advanced Active Protection monitoring for malicious behavior. All these solutions are included within Endpoint Security.
For customers of Email Advanced Threat Protection, however, we will soon support an additional layer of protection for URLs embedded within received emails: even if a website/URL is previously unknown to be malicious, when a user clicks on that embedded URL the user will be redirected to a service, as mentioned above, but that service will now visit the target URL on behalf of the end user first and will do a full sandbox analysis of the content of that website. The end user will see the results of that analysis and, if safe, can proceed to the website. This new technology is closer to a Remote Browser Isolation solution, in that VIPRE will be spinning up temporary VMs in the cloud to visit webpages on behalf of end users and checking the site, browser, and operating system’s behavior in that VM to ensure that no malicious content is discovered.
Secure Web Access With VIPRE
This brief explains the common goals most organizations have for securing access to web resources, and provides some technical information on how VIPRE implements its solution to achieve those goals. Our approach provides robust protection for the first four goals identified by Gartner, and avoids many of the pitfalls of the legacy industry architectures outlined in the Gartner report – including weakened encryption and cost. If your organization seeks to address these goals, we encourage you to trial our Endpoint and Email solutions to see how we can help you.