M86 network device stops enemies at the gate

With the M86 Secure Web Gateway v10.0 in place, government networks are locked down tight.

Protecting users as they connect to the Internet is a critical challenge for network administrators, one that only grows with an organization’s size. Enforcing an across-the-board security policy is hard enough for users who physically log in to a network — and it's even harder for remote users. But don’t get me started on remote users.

Actually, do get me started. That’s because the Secure Web Gateway (SWG) Version 10.0 from M86 Security can help you do just that. It protects users from external threats — and themselves — not only while connecting locally but also when connecting to the network through a laptop or other mobile device. It does the latter through a cloud server, which synchronizes with the SWG appliance and enforces policies for a remote user running a client application.

M86 Secure Web Gateway Version 10.0

Pros: Extensive policy management; can enforce remote users.
Cons: Expensive; a few firewall ports need to be kept open.
Performance: A+
Ease of Use: B
Features: A
Value: B+
Price: $11,110

The model of SWG that we tested came in a single 1U rack-mountable appliance. It contained a scanning server and policy server all in one unit. Larger implementations can have the servers in separate devices or even host multiple scanning servers working in concert with a single policy server.

We found the SWG to be only a few steps more complicated to set up than a typical network appliance. In addition to the usual IP settings, certain ports in the firewall had to be opened for the SWG to talk to the external cloud server. Those ports had to be redirected to the SWG, which uses an internal IP address. And finally, each client must have a browser set to use the SWG as a proxy server. However, none of those tasks should be beyond any network administrator’s skill level. It just takes a little extra time.

In setting up the appliance, we incurred minimal download time for module updates. M86 wisely preloaded every single module that could be used on the SWG appliance, and the device simply unlocks the ones that the customer pays for, even if lots of time has passed between the initial purchase and need for a new module.

After the SWG was set up, it went right to work monitoring the HTTP and HTTP Secure traffic in both directions on our test network. It analyzed the data according to 43 basic policies, ranging from proprietary data going out — the dreaded data leakage — to content coming in from blacklisted sites. It then allowed or disallowed that data transfer depending on the settings. This appliance definitely allows a network administrator to fine-tune a security policy to match agency needs and security objectives.

When an event violates a policy, the SWG generates a log. The logs are displayed in the administrator interface and can be searched and archived for proof-of-compliance purposes.

The SWG’s contextual code analysis enables it to determine whether certain software is malicious. The Real-time Code Analysis engine figures out what the code would end up doing to your system, regardless of where it is coming from or how it might be hidden.

When an otherwise approved website is compromised with a bad section of JavaScript, the SWG can surgically remove the offending code and let the rest of the Web page go through. We found that feature to be especially useful, as even websites of major retailers can have poorly constructed or wrongly implemented code on their Web pages. Every time we tried to browse such a site, the SWG extracted the questionable programming and correctly displayed the HTML.

Another way that the SWG helps prevent data leakage is through its social media control. With this, we were able to keep a user from posting comments to sites such as Facebook while still allowing the user to visit those sites. That is a good compromise that will keep an organization's data secure while keeping its users happy enough not to riot.

But what really sets the SWG apart from similar devices is the way M86 uniformly secures users not only when they are directly logged in to the network but also when they are connected remotely or at a branch office. The cloud server associated with an SWG device is located off-site and constantly synchronizes with the SWG to keep its policies identical. To test that capability, we loaded a client application onto a remote computer. When connected to the Internet, it found the cloud server and used it as a Web proxy, enforcing the policy we had set up on the SWG. That feature could be a real lifesaver.

The price for M86 Security’s Secure Web Gateway Version 10.0 in the configuration we tested came to $11,110. Considering how much work it could save by consistently enforcing a security policy for local and remote users, that is not a bad price at all. Of course, larger-scale implementations are available at proportionally higher costs. The SWG would be ideal for any network administrator who is confronted with a new Internet security policy and needs to launch it quickly and relatively easily.

M86 Security, www.m86security.com