Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Thursday, August 19, 2010

Do You Really Need Anti-virus in Web Filtering?

Whether to run anti-virus or anti-malware in the Secure Web Gateway is a question many organizations face when trying to deal with the onslaught of threats from the web. Traditionally, web gateways include features such as proxy capability and URL filtering, and maybe even real-time web page categorization, to help secure the organization's users from web threats and enforce corporate policy.

The argument that many organizations face is that they are already paying for URL filtering, real-time web rating, and an anti-malware program on the desktop. Why do they need to spend more to get anti-malware and anti-virus on the Secure Web Gateway? What benefit, if any, do the end-user and organization get from adding anti-malware to the Secure Web Gateway, when the end-user is supposedly already protected by their desktop anti-virus program?

These are good questions, and ones the organization needs to look at carefully when making the decision to add anti-malware to the Secure Web Gateway. While an organization may have anti-malware programs running on its end-users' desktops, it generally has little control over how often these programs are updated, or whether they are even running (some end-users may have disabled them to gain performance on their laptops or desktops). Would you trust your corporate security to your end-users? By relying on their desktop anti-malware, you're essentially relying on the end-user to make sure they are practicing the best cyber hygiene.

Maybe as an administrator you already trust that URL filtering and dynamic real-time rating are protecting you from web threats. While these two technologies are great as part of a layered defense mechanism, they each serve a distinct role in protecting the end-user and the organization. A URL filtering database provides the quickest way to give an end-user feedback on whether a website is safe. Known bad websites will already be categorized as malicious.

A website URL not found in the URL filtering database moves to the next layer of defense, typically a cache of URL information found at a vendor's website, and then, if still not found, a real-time rating system that examines the website in real time to determine its category. All these mechanisms drive toward determining not only the category of a website, but also whether or not that website has malicious content, and then blocking it (or an embedded URL that contains malicious content) as appropriate.

All this sounds great, and many administrators may be lulled into thinking they are completely protected by this layered defense mechanism. But in reality they should add one more layer of defense, and that's the anti-malware/anti-virus scanning at the Secure Web Gateway. Why is this necessary? Think about what happens when a known good website gets attacked, and ends up with an infection of malware or virus. There's going to be a period of time before a URL database, or URL cache or even real-time rating system picks up on the infection. Until that information is updated, that website is being passed on as a "good" site. An anti-malware program at the gateway would add that layer of defense that would catch that the site has been infected and prevent the end-user from downloading a virus in that short window of vulnerability.

No infection is a good infection, and layered defense is a necessity with today's web threats. Make sure you close an additional window of vulnerability by adding anti-malware/anti-virus to your Secure Web Gateway. Adding a different vendor's anti-virus from your desktop anti-virus also adds another layer of protection, so that if one anti-virus vendor misses a threat the other has a greater chance of recognizing it.
