SWG - Adding the Last Piece to the TMG Replacement Puzzle
Yep, it’s another blog post on TMG replacement. However, until now we’ve neglected the last piece of the TMG replacement puzzle, (forward web proxy). In addition to remote access and application publishing, a large number or organizations have relied on Forefront Threat Management Gateway so secure their outbound web traffic. A typical TMG web proxy array, (shown below), resides in the DMZ and utilizes various features such as URL and content filtering to control outbound user access. Organizations that don’t provide outbound web security are at significant risk. Data loss, or the liability or loss of employee productivity due to inappropriate use of the Internet can be very costly.
Features and Functionality
An effective solution will include various features that work in concert to ensure secure and managed access.
Forward web proxy -
Providing a level of anonymity between corporate systems and resources on the Internet is a key requirement to providing secure web access. A solution should include a full forward proxy where outbound connections are terminated at the proxy and reestablished on behalf of the client. The client system (whether located on premises or remotely) should be obscured from the Internet resource.
URL/content filtering -
To prevent malicious or inappropriate traffic from entering the corporate environment, a web proxy needs to have visibility into a given site/content and respond accordingly. This includes both encrypted (SSL) traffic as well as unencrypted.
User access control -
Enterprises often need to control different users’ access to Internet resources according to a number of factors such as position, work hours, and general business need. For a web proxy to provide real value to the enterprise, it must incorporate a variety of features and functionality that control access based upon users’ attributes and behavior.
Auditing and compliance -
Ensuring acceptable use policies are appropriately configured and adhered to is a critical function of both HR and IT departments. A web proxy solution must include the ability to monitor and report on end-user activity.
“So what’s an IT admin supposed to do? Hmmm…. Let’s see…. If only there was a device strategically located in the enterprise infrastructure that could act as a point of control for outbound web access; maybe one with a glowing red ball.”
F5 Secure Web Gateway
Secure Web Gateway, (SWG) delivers a comprehensive, forward-proxy solution. The SWG solution, (shown below), incorporates BIG-IP® Access Policy Manager™, BIG-IP® Local Traffic Manager™, and BIG-IP® Advanced Firewall Manager™ that significantly streamlines web proxy deployments while providing enhanced functionality and security.
Compliance - Ensuring acceptable and secure web access is more than just good business; more often than not, it’s corporate policy—with the potential for very real consequences if not appropriately managed. Secure Web Gateway Services provide IT administrators and HR professionals with the tools they need to ensure acceptable use policies are both effective and appropriate. The solution includes several dynamically generated and exportable reports that provide a clear picture of the enterprise’s web activity. Additionally, the F5 solution can be integrated with many remote central logging systems.
F5’s Secure Web Gateway is a great alternative to TMG. The solution combines granular access control, robust compliance reporting, and a comprehensive categorization database to provide the single point of control enterprises need to ensure safe and appropriate web access.