Over my career I have applied a kind of “checklist” approach before recommending security products or solutions to the companies I have worked with. The checklist gives me a set of essential points to consider and discuss before a project moves to a PoC or any other lab-driven stage. It helps me rule out bad choices early and saves valuable time for evaluating the better candidates properly.
Before getting to the list, I would like to outline a few points. When it comes to the decision to buy or not buy a technical solution, I believe some decision makers (at management level) cannot be completely blamed for their bad choices: they simply have not been given enough evidence to be proven wrong or to consider alternatives. Sometimes technical teams are unable to present their ideas in a way management will understand correctly. It is not only a lack of communication skills but an inability to promote ideas, to persuade other teams, and to be clear about the risks involved in going another way.
Security architects should keep in mind that operational teams are users too (privileged ones, by the way), and without their commitment any project is likely to fail. It does not matter whether the solution will be maintained by the firewall administrator or by the help desk analyst: they should agree with your ideas and back you up during decision making and management discussions.
When discussing a new product with those technical teams, avoid raising issues and limitations of what is already in place without bringing a solution to the table. Save the fancy graphs and figures ($) for the management presentation and use demos/VMs with the technical teams instead; that way you get them involved and engaged.
I will use the term Secure Web Gateway (SWG) here to refer to any solution that acts as a gateway to protect and inspect web browsing traffic, as defined in more detail here. This network element is also known as a web proxy.
Who is the target audience for the checklist? Vendors mainly, but it applies to any security consultancy team and, more specifically, to the sales people: those who may later show up with an expert squad in the meeting room. The idea is to obtain as many answers and as much technical information as possible.
Does the solution provide…
1 – high availability (HA) capabilities?
This is a key point for network security design (and for costs!). Some vendors provide load balancing or failover-enabled appliances, so high availability is addressed for most scenarios.
Other questions follow from here: is it mandatory to rely on a specific protocol to handle failover? Are PAC/WPAD mechanisms taken into account? Can an enterprise-level load balancing solution (F5, Cisco ACE, Radware) be integrated with the SWG?
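As an added example of the PAC/WPAD question (not code from the original post or from any product): a proxy auto-config script that gives browsers a client-side failover path between two gateways. The names proxy-a.example.com and proxy-b.example.com, port 8080, the corp.example.com domain and the 10.0.0.0/8 range are assumptions. Browsers inject helpers such as isPlainHostName, dnsDomainIs and isInNet into PAC scripts; minimal versions are defined in the block only so the file also runs under Node.

```javascript
// Added example, not from the original post: a PAC script with client-side
// failover. Hostnames, port, domain and address range are assumptions.
// PAC engines are old-style JavaScript, hence var and plain functions.

// The browser normally supplies these three helpers; they are re-implemented
// here only so the file runs stand-alone under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(ip, pattern, mask) {
  // IPv4 only: compare ip and pattern under the given netmask.
  function toInt(s) {
    var parts = s.split("."), n = 0;
    for (var i = 0; i < 4; i++) n = (n << 8) + parseInt(parts[i], 10);
    return n >>> 0;
  }
  return ((toInt(ip) & toInt(mask)) >>> 0) === ((toInt(pattern) & toInt(mask)) >>> 0);
}

var PRIMARY = "PROXY proxy-a.example.com:8080";    // assumed gateway A
var SECONDARY = "PROXY proxy-b.example.com:8080";  // assumed gateway B

function FindProxyForURL(url, host) {
  // Internal names and private addresses never go through the gateway.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) {
    return "DIRECT";
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) && isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // The browser tries PRIMARY first and moves on to SECONDARY only when
  // PRIMARY does not answer. There is deliberately no trailing "; DIRECT":
  // if both gateways are down, browsing fails closed instead of silently
  // bypassing inspection.
  return PRIMARY + "; " + SECONDARY;
}
```

The script is handed to browsers either as a fixed PAC URL or discovered through WPAD. The failover it provides is decided per client, so the gateways' own HA still matters for sessions already in flight, and it is worth verifying during the PoC that clients really do move to the secondary when the primary stops answering.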
2 – access to good support services?
Even with HA in place, an incident's root cause might turn out to be a hardware failure. In that case replacement is the last resort, an operation usually known as an RMA, so the time needed to get new hardware in has to be taken into account; some companies keep spare units, which is also an option.
It is not only about that kind of support, but about how operational teams will get help to troubleshoot an issue. Is it by phone only? Is a field engineer available locally? Another term commonly discussed here is the SLA. Getting in touch with other customers to discuss their cases is also encouraged.
3 – leading-edge filtering and inspection features?
Building a comparison table that matches the required inspection capabilities and use cases against each product under consideration will do the job.
Would you buy or recommend a SWG that cannot block access to a resource (file) based on its header content (also known as the file signature or magic bytes)? It is 2012 and there are still people relying on file extensions! The solution should let administrators inspect not only HTTP methods and URLs but, where possible, the raw HTTP(S) request and response. It is good to be able to build a rule set based on source IP address, but it is better to build it on user and group membership data: the latter lets the administrator apply rules based on the user's role, which is handy in most cases.
Since new web resources are created and made accessible every second, it is quite difficult to keep up with the latest malicious domains and URLs; that is where categorization and reputation services come into play. Instead of applying a rule to a set of URLs, the admin applies it to URL categories. Some solutions also assign each URL a score (a number) representing how malicious or how benign the resource is believed to be, so the administrator can block or allow traffic based on that value.
If you still have doubts about the importance of inspecting outgoing web traffic, research how botnet communication works (infection, payload download, command and control), what a covert channel is, and what techniques attackers (malware authors) have available to push and pull data across the target's infrastructure without being noticed. This is why these filtering capabilities should be evaluated in depth, so that the SWG can act as a prevention mechanism for data exfiltration/extrusion.
4 – a fault tolerant and robust authentication mechanism?
This is an often overlooked feature when acquiring any security-related product. To understand its importance and what needs to be addressed, simply try answering the following: what happens if the user authentication database/server is not accessible? Can user (and product administrator) passwords be obtained simply by sniffing the network?
It is not only about security either: think about the CEO's browsing experience if a password must be provided every time a new browser window is opened. When it comes to authentication, you should also consider how the new solution fits the password policy (aging, length, etc.).
5 – means to export log data to a SIEM or log management solution?
First things first: does it provide any logs at all?! Trust me, there are still people selling (and buying!) crappy software out there.
Once you have logs: how exportable are they, what level of detail do they provide, and what settings can be applied for retention/rotation? It is not only about auditing/compliance and accounting/tracking. Logs are a very valuable piece of data: SIEM solutions rely on them as their main input, so in most cases it makes no sense to leave your web proxy logs out of that process. If the company already has a SIEM solution in place, why not check whether the SWG's logs are compatible?
As you can see, a few simple, direct questions lead to a handful of other key points to take into account.
To read the second part, click here.