Web Gateway Deployment Methodologies - Inline Deployment

In today’s complex network architectures, sometimes it seems there are limitless ways to deploy networking equipment. While that may be the case for some networking gear, in actuality there are probably only a few proven deployment methodologies for web gateways that are effective and provide complete security. In this article, we’ll talk about the most four most common different types of web gateway deployments. Sometimes referred to as forward proxies; these devices are used to secure web access for an organization’s internal end-users. The three commonly used deployment scenarios for web gateways are: inline proxy, explicit proxy, transparent and SPAN port. Each one of these deployments has its advantages and disadvantages and we’ll discuss these as we explain each methodology over the next few days. For today's article we'll focus on inline deployments

Inline Proxy Deployment

Inline deployment is probably the simplest and easiest to describe. Smaller deployments, like branch office scenarios, typically use inline deployment, due to the ease of deployment and absolute security level that it provides.

With an inline deployment, the web gateway is placed directly in the path of all network traffic going to and from the internet. (See Figure 1). In this scenario, all network traffic will go through the web gateway device. If you choose this deployment methodology, make sure your web gateway is capable of bypassing network traffic that you don’t want processed by the web gateway. In many instances, you can choose to either “proxy” or “bypass” a specific protocol. If you “proxy” the protocol, that means the web gateway will terminate the traffic from the client to the server locally, and then re-establish a new connection acting as the client to the server to get the requested information.

Inline Deployment Advantages

The upside of an inline deployment is the ease of deployment, and the guaranteed assurance that all web traffic will flow through the device. There is no chance of a user bypassing controls, as long as the device is inline and in the only path available to the internet. It’s less likely an end-user can bypass a web gateway that is deployed using inline deployment, as all internet bound http traffic will be processed and handled by the web gateway. Inline is generally considered the most secure deployment methodology and the way to go if security is the primary concern.

Inline Deployment Disadvantages


The downside of an inline deployment is a single point of failure. Even with technologies, like “fail to wire”, which allows all traffic to flow through when a device fails, many organizations are uncomfortable with a single device in the data stream to the internet. Any partial failure of the device could cause an outage, which is the main concern for this deployment. For a small organization, or a branch office a short disruption is probably not as large a concern as it is for a larger organization which may view internet accessibility to be mission critical.

Another disadvantage with inline is a necessary requirement of managing all the protocols that are proxied by this web gateway (a side effect of this being the most secure method of deployment). Because the web gateway is inline, any other protocol (ftp, CIFS, etc), will either need to be proxied or bypassed (for protocols that the web gateway cannot handle) by the web gateway. The IT admin will need to administer this list and the handling of each protocol used by the organization.

Tomorrow, we'll look at Explicit Deployments.