Web Security Gateway Review
Last Reviewed - May 2011
Barracuda Web Filter Gateway is a fantastic all-round solution. We have tested and deployed the product in real network environments and like the new remote capabilities, where it can also protect users that are off the network via an agent known as WSA (Web Security Agent) that supports both Windows and Mac systems. Barracuda Web Filter Gateway is easy to use, simple to set up and configure, and provides all the regular features such as transparent user filtering, multiple deployment options and good policy and reporting functionality at a granular level.
We would, however, have liked to see wizards helping with the initial setup of the product because, although it is simple to set up, we were clicking around to ensure we hadn't missed anything. Also, Barracuda does not seem to provide SSL content scanning, although they partially compensate for this in a different way by holding a database that maps known IP addresses to SSL domains. It is not a substitute for SSL content scanning but still proves to be useful.
McAfee have completely rebuilt their secure web gateway, now called McAfee Web Gateway (MWG). Before this, McAfee used technology from Secure Computing, a company they had acquired a few years ago. The issue with the old architecture and technology was that it just wasn't up to it in some areas, such as flexibility within the policies. Now, however, McAfee's new solution is very flexible and scalable, and will give any other solution a run for its money. We have tested McAfee Web Gateway in a VMware environment in our test lab.
When first setting up the appliance, McAfee gives you the choice of default policies depending on the nature of your business, such as health care, manufacturing, government, university or school and so on. McAfee has a library of rule sets that you can import. These can be further fine-tuned within policies, but they give you a good start and an understanding of how policies are laid out. Policies themselves are made up of rule sets and rules and are prioritised from top to bottom just like firewall rules, and if no rules are selected it is a default Allow All. Rules are created within rule sets; however, criteria can also be specified on rule sets to provide further flexibility. Within rules and rule sets you can specify whether the rule is a request from within the organisation, such as a request for a web page or downloading an object such as a document, or a response, such as uploading of content to a web 2.0 site or uploading of files, and finally an embedded object option, also used for specific requirements with objects. Rule sets can be nested into rule sets, and criteria can be specified on rule sets or rules. Rules can optionally be combined with boolean logic using and/or criteria and can optionally use a negative statement as well, such as: if the user "Is Not" (negative statement) a "Manager" (AD user group), then "Block" (action) from Social Networking sites (category), and "Block" "Manager" (AD user group) if the URL is Facebook.com. So here users cannot access social networking sites at all and managers can use social networking sites other than Facebook. This is actually a basic capability and example of a rule within MWG, and overall the way rule sets and rules are designed makes the MWG solution very flexible; you can create some very complex and powerful rules if required.
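The rule evaluation described above, modelled as an added example (this is not McAfee's code or rule syntax). It assumes first-match-wins evaluation from top to bottom and reads "default Allow All" as the outcome when no rule matches; the request fields, helper names and sample policy are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple, Union

Request = dict  # constructed model: {"groups": set, "category": str, "host": str}
Criteria = Callable[[Request], bool]

@dataclass
class Rule:
    name: str
    criteria: Criteria
    action: str  # "Block" or "Allow"

@dataclass
class RuleSet:
    name: str
    criteria: Criteria  # rule-set criteria gate every rule nested inside
    items: List[Union["RuleSet", Rule]]

def in_group(g): return lambda r: g in r["groups"]
def category(c): return lambda r: r["category"] == c
def NOT(c): return lambda r: not c(r)
def AND(*cs): return lambda r: all(c(r) for c in cs)

def host(domain):
    # Match the domain and its subdomains, but not look-alikes such as notfacebook.com.
    def check(r):
        h = r["host"].lower().rstrip(".")
        return h == domain or h.endswith("." + domain)
    return check

def evaluate(node, req) -> Optional[Tuple[str, str]]:
    """Walk top to bottom; the first rule whose criteria hold decides."""
    if not node.criteria(req):
        return None
    if isinstance(node, Rule):
        return (node.action, node.name)
    for item in node.items:
        hit = evaluate(item, req)
        if hit:
            return hit
    return None

def decide(policy, req):
    return evaluate(policy, req) or ("Allow", "default")  # assumed default Allow All

POLICY = RuleSet("Web policy", lambda r: True, [
    RuleSet("Social networking", category("Social Networking"), [
        Rule("non-managers: no social networking", NOT(in_group("Manager")), "Block"),
        Rule("managers: no Facebook", AND(in_group("Manager"), host("facebook.com")), "Block"),
    ]),
])
```

Because the default is Allow, any request that no rule covers passes through, so a policy written this way should be checked with a sample request for each user group and category that is meant to be blocked.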
The interface is very well designed. There are 5 major sections at the top: Dashboard, Policy, Configuration, Accounting and Troubleshooting. Many of the graphs and settings within the interface are interactive and easy to access. For example, you can zoom into graphs within the dashboard by dragging your mouse over a certain time period, and you can click on criteria and actions within the policy rules to edit them directly from there. The interface includes a powerful search facility and you can search for anything, whether it is a rule, a category or a defined white list.
We like the granular list of traffic filtering criteria such as by user name, user group, IP address, cookie, URL string, reputation score and more. We like the search facility, which makes it very easy to find objects and rules. We like the granularity of admin roles, where you can assign Admins to specific rule sets. We like the flexibility in creating very specific and clever rules. We like the deployment options allowing you to deploy the solution in various ways using WCCP, as a web proxy, inline or transparent to the network. Overall it proves to be a fantastic solution. However, rules and rule sets can take time to get used to, especially if you are going to be creating large and complex rules, but the granularity is certainly there. Also, we are not keen on McAfee support; it can be a slow process.
Webroot delivers web security as a cloud service. Webroot also specialise in other cloud services and endpoint protection solutions. Webroot's data centres are based in the UK, US and Australia and provide filtering via the closest data centre depending on where you are in the world. This is known as global load balancing. Cisco is a partner of Webroot, using Webroot's categorisation database. For antivirus, Webroot has its own heuristic capabilities and also uses anti-virus signatures from Sophos for an extra layer of protection.
We like Webroot's DWP (Desktop Web Protection) client software, which is used in conjunction with the cloud service to provide a number of services to the end user. It is lightweight software that runs as a service and acts as a proxy for HTTP traffic. The software helps in a number of scenarios, including when a user is off site: it can cache the user name and password so that when a user browses the web this can be optionally logged and authenticated or even blocked depending on who the user is. So it is able to provide automatic user name resolution wherever the user may be. The software is fully built to integrate with Active Directory and Group Policies, so you can make changes to the software and deploy this to as many clients as required via AD. You can specify the proxy details within DWP so your client knows how to get to the cloud filtering service. Finally, it supports dynamic hotspot management, which resolves the issue when clients are trying to browse the web from a hotel, cafe or similar environment where the hotspot requires payment information from the end user. This is usually an issue because the user must disable the browser proxy settings; however, DWP can sense that the connection is unavailable and automatically and temporarily adjusts settings to accommodate this. DWP can be automatically updated. You can use a feature known as Process On Port Analysis to bypass the filtering of certain HTTP applications, which is required in some environments. DWP also supports other useful utilities.
Webroot's web security features are managed via a portal that you log in to. It is simple and easy to use and understand; however, the portal as a whole is fairly basic. There is some level of granularity, and users and groups can be defined via LDAP. Multiple policies can be utilised for different types of user groups and basic exceptions can be created. Webroot does not support SSL content scanning for HTTPS traffic and has no support for DLP.
We like Webroot for its ease of use and solid protection against viruses and malicious websites, but some key features such as HTTPS scanning and DLP are missing. We would recommend Webroot for small to medium sized networks. We would recommend Webroot for larger networks also, but it's essential the client fully evaluates the service, ensuring it has the level of flexibility required to accommodate their environment.
Websense is the market leader in web security. We have tested and deployed Websense solutions and, from speaking to many IT professionals, it is considered the leader. Websense's primary focus is web security and content filtering, and they deliver a strong product portfolio that is capable of various deployment options and integration with 3rd party technology such as other proxy servers and WCCP. More importantly, Websense provides a strong website category list, powerful real-time content scanning and protection, dynamic categorisation, and flexible SSL content scanning. Websense have a strong and experienced anti-malware team and flexible product options within their portfolio.
Websense is unfortunately not the easiest to install and set up, but this is because it is a functionally rich product, and it also really depends on which Websense product you have purchased. That said, their latest version 7.6 is a lot more streamlined. In general, though, you would need to understand the different options, advantages and disadvantages. However, once Websense is installed and configured, making daily changes to policies, such as changing a website to block or allow, or allowing users to browse at certain times of the day and so on, is straightforward, and the reporting and layout of the interface are very powerful, interactive, and very nice to use.
Websense can also provide filtering of remote users and branch offices, all from one central management console. This option is known as hybrid filtering and makes use of their hosted service for these external users and sites, which synchronise with the central in-house appliance. We have tested this feature and it works well. Websense also provide a failover option to their hosted service, so if an appliance was to fail, users would automatically get filtered by the hosted service. They do also provide standard high availability of two or more appliances.
Optionally you can integrate email and DLP security along with web into the same management console, which is known as Triton. All three (email, web and DLP) are truly integrated in their latest version and offer world-class unified protection across all three areas.