How DPI is transforming next-gen secure web gateways

Tobias Roeder portrait

by Tobias Roeder
published on: 26.04.2023

A secure web gateway (SWG), also known as a web proxy, acts as a checkpoint that enforces an enterprise’s Internet access policies. Initially a URL filtering tool, SWGs serve as the entry and exit point that connect enterprise users to their applications and data. SWGs can be on-premises or cloud-based, with the latter leveraging third-party servers to filter incoming and outgoing traffic flows.

A traditional secure web gateway is aimed at controlling employees’ web usage. It blocks unauthorized web access, regulates Internet usage and optimizes bandwidth by restricting unimportant sites. Traditional SWGs also provide advanced threat protection against threats, such as phishing, ransomware, hijacking, infiltration, and malware.

Clouds and remote workers everywhere

The rise of cloud and SaaS applications blurred the boundaries of enterprise networks. Web traffic from these applications has to be allowed at all times, as internal users turn to the convenience of cloud and SaaS to manage scores of internal operations, and as shadow IT continues to support employees in their daily tasks. This renders secure web gateways ineffective as the official checkpoint, as threats can easily slip through any of the millions of authorized flows that are active every minute. Another trend that has challenged the efficacy of SWGs is the surge in remote workers and the rapid growth of IoT endpoints. With a traditional SWG, traffic from devices outside the enterprise network is backhauled into the enterprise network, adding unwanted latencies to cloud and SaaS applications.

Tackling cloud complexities with next-gen SWG

Taking these trends into consideration, vendors have launched next-gen SWG solutions that boast a number of new capabilities. Primary among these is the zero-trust network access (ZTNA) policy, which requires repeated authentication every time a new application, transaction or instance is initiated. Next-gen SWG also incorporates cloud-based security services, such as CASB, DLP, FWaaS, remote browser isolation and sandboxing, which collectively form the secure service edge (SSE). Supplementing these with WAN services which include provisioning and management of private lines, in turn creates the fully-fledged secure access service edge (SASE). This supports a flexible network architecture capable of addressing highly distributed workloads. Next-gen SWG also features a number of other capabilities, including encrypted traffic intelligence through SSL/TLS inspection and advanced threat intelligence.

Different apps, different journeys

An SWG relies on application-level controls as opposed to packet-level steering. Application control requires application awareness and this is where tools such as DPI software come into the picture. R&S®PACE 2 and R&S®vPACE are leading DPI engines from ipoque that leverage frequently updated traffic signature libraries to deliver highly accurate classification of traffic by protocols, applications, and services. The engines adapt to both standard and VPP-based cloud environments, supporting any type of SWG implementation.

Application awareness by ipoque allows SWG solutions to identify each application. This facilitates application-based access control, such as application blocklisting/allowlisting and dynamic authentication that includes passwords, two-factor authentications, automatic log-outs and limits for concurrent sessions for selected applications/users. For example, priority users accessing standard applications have far fewer restrictions than general users accessing sensitive applications. This dynamism ensures an optimal balance between accessibility and efficiency for each unique situation, effectively safeguarding an organization’s valuable data and resources.

Next-gen SWGs provide multiple filtering lanes that are optimized for different categories of applications. Application awareness enables latency-sensitive applications, such as remote surgery and autonomous driving to be accorded priority processing for guaranteed performance and reliability.

Keeping threats at bay

Apart from blocking and controlling application traffic, next-gen SWGs also enforce a number of security policies to prevent and detect threats. Application awareness greatly augments a next-gen SWG’s capability in implementing these policies with dynamic screening rules, which can be tightened based on the application identity. DPI solutions from ipoque have an unrivalled capability in detecting anomalous, malicious, and suspicious traffic, even across flows that are encrypted, obfuscated, and anonymized. This strengthens an SWG’s core capabilities in identifying on-going and impending security events. Additionally, DPI solutions form ipoque offer first-packet classification. This is based on advanced caching techniques, and machine learning/deep learning-based encrypted traffic intelligence (ETI) and enables accurate identification of applications right from the first packet alone. It thereby ensures that virtually no malicious packets seep into the network.

One of the most critical classes of applications are those carrying sensitive data, such as personally identifiable information (PII) and banking credentials. These are common targets for attackers and must be screened more thoroughly. This includes routing through a firewall or a DLP service. Similarly, applications that allow universal access and those that are accessed very frequently or that involve file transfers (uploads and downloads) must be carefully monitored due to the sheer volume of packets that are involved. This is a perfect avenue for inconspicuous threats. Our nexgt-gen DPI engines R&S®PACE 2 and R&S®vPACE can identify applications almost instantaneously, which enables SWGs to autonomously implement application-based security policies.

Anomalies in traffic metrics can imply a sudden change in user behavior. These can also be indicative of an ongoing security incident. SWG solutions, having both application awareness and threat intelligence, lets network operators understand and decipher these anomalies faster, leveraging unique application attributes in terms of packet and flow behavior. Sudden departures from the norm in the form of new users or new traffic sources, non-authorized destinations, unusually large data transfers, and sudden surges in previously infrequent transactions call for added scrutiny.

Encrypted applications and those high on global threat intelligence lists should also be screened in more detail. In addition, cloud and SaaS applications that have reported data breaches or which are known to have loose security policies should be flagged and monitored closely to prevent them from being manipulated by threat actors. Having real-time application awareness thus enables an SWG’s threat detection policies to be aligned to different degrees of vulnerabilities, using granular benchmarking.

Helping other network tools

DPI engines from ipoque also complement secure web gateways in a number of other ways. Using metadata extraction and combining parameters such as speeds, latency, time-to-first-byte, packet loss, jitter and total bandwidth with application identification, R&S®PACE 2 and R&S®vPACE help network administrators with traffic management policies. As the middle box between users and applications, SWGs collect information on the performance of each application and service, allowing intelligent network resource allocation. Fine-grained insights from R&S®PACE 2 and R&S®vPACE also help administrators to pin down any performance degradation and can help in diagnosing DDoS attacks and malware. By pairing secure web gateways with technology from ipoque, network administrators benefit from advanced analytics derived from a single point of inspection.

Strong growth for next-gen SWG

With the global SWG market expected to grow at a CAGR of 19.65% from 2023 to 20281 , it is important that SWG vendors explore the latest technologies for application and threat awareness to ensure that their tools are equipped with the observability they need. Adding this capability is easy with the next-gen DPI software R&S®PACE 2 and R&S®vPACE from ipoque, as both solutions are readily available for deployment in any network, for any number of applications.



Tobias Roeder portrait

Tobias Roeder

Contact me on LinkedIn

Tobias holds a degree in electrical engineering and has more than eight years of experience in product development. For a number of years, Tobias has been working as an application engineer for the deep packet inspection (DPI) software R&S®PACE 2 at ipoque, a subsidiary of the Rohde & Schwarz company. Tobias provides engineering services from the packet processing level up to the application level. In customer consulting, he identifies the optimal implementation to fulfill customer requirements and assists with the architectural decisions that go along with embedding DPI into network solutions. When he’s not at work, Tobias plays disc golf and enjoys doing CrossFit.

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for the ipoque newsletter

Stay informed about the latest advances and trends in
deep packet inspection and network traffic visibility