Introducing Dynamic Data Protection: The next generation of security.

Our Blog

Going beyond the local proxy for mobile users

Share

Monday, May 07, 2018

Web is often one of the first channels that IT administrators look to secure. For years, this has been achieved by installing a Secure Web Gateway (SWG) in the network’s perimeter, which would implement a scanning proxy.

The perimeter no longer exists. Not for IT services, and not for the users themselves. Employees today travel often – using their corporate issued or own devices on public Wi-Fi networks and other insecure situations. Protecting Web browsing only on corporate premises is not enough.

The typical solution for this increasingly common scenario used to be simple. Talk to a vendor that provides a cloud or a hybrid Secure Web Gateway service, pay them some money, and consider your problem solved. The resulting Web traffic flow would look like this:

 

Proxies Aren’t Geo Friendly

However, things are not always as simple as they seem. The world is big – it has geo-political divisions, diverse languages and locales, complex local and global networks, and finally, network latency. As soon as an organization starts sending all their Web traffic via a global service, these factors get a chance to remind us of their existence.

Check out this example:  a hotel chain that has a few properties in Indonesia, while using a Cloud SWG solution. The likelihood of the cloud service having a data center in Indonesia is very slim, so it’s safe to assume that all the traffic is being proxied via a different country, such as Singapore.

That is when our hotels are likely to bump into what is known as geographical restrictions and localizations. Services, such as Google, are using the source IP to determine the user’s country of origin. In this case, they would incorrectly place the user in Singapore, not Indonesia, and render the language of the search results accordingly. This modest example could be solved by using Google’s country-specific domain. But that can’t be said about local internet TV stations, and other paid-for services that actively restrict access from other countries.

Of course, not everyone has properties in Indonesia, and this example might seem far-fetched. However, consider that the world has 195 countries, that people tend to travel, and the situation does not seem so far-fetched anymore.

This is the point where we might say that geo-restriction is not a business-critical problem. As long as we can tolerate our Google restaurant searches showing us options in a neighboring country, and lack of access to local celebrity news, we are fine. However, what if we move our previous example to Chile and Brazil respectively? The ping latency, as of today, from Santiago to Sao Paulo is 129 msec, which is enough to add very noticeable delay on any non-trivial Web-based operations. For companies that use cloud applications to run their business, this is where the impact is felt.

Eliminate the Proxy – Go Direct

It’s not hard to pinpoint one common root cause to all these challenges: a proxy. Is there a way to protect a distributed, mobile workforce without using one? The requirement seems challenging, but it does have an answer, and it’s rooted in an emerging concept called Security-as-a-Service.

Having “as-a-Service” at the end of a given solution has long been a way to riches and success, however in this case, it is a very specific and tangible alternative. Specifically, do not use a proxy, but have a local agent that queries Cloud services to secure Web traffic. Here’s a depiction of this approach:

The solid lines show the flow of traffic, while the dashed lines correspond to the side channels. In our hypothetical Indonesian hotel example, the traffic would never leave the country. While the traffic is flowing, the Cloud services are consulted on the transaction’s validity and potential security risks. Should a security risk be identified, a block page is shown instead of the original site’s content. The parallel nature of retrieving the Web response and consulting the policy reduces latency; in most cases, the user will get the same browsing speed as without a security solution!

This is the approach taken by the Forcepoint Direct Connect Endpoint for Web; a solution deployed on hundreds of thousands of machines across the globe. It provides the best of both worlds: protection and enforcement everywhere without compromising latency and end user experience.

The Direct Connect Endpoint is protecting hundreds of thousands of users in Fortune 500 companies and smaller organizations around the globe and is of the many innovations brought by Forcepoint into the world of Web Security.

Regaining the proxy

Before we wrap up, it’s worth noting that no solution is perfect for every organization. There are many situations in which a proxy still makes a lot of sense, and there are other solutions that solve some of the challenges above for unmanaged devices.

 

About the Author

Roman Kleiner

Roman Kleiner has been with Forcepoint since 2009, and is responsible for the Secure Web Gateway portfolio. Previously to that, Roman held technical leadership and management roles within InfoSec in Symbian (later acquired by Nokia), and Finjan (later acquired by Trustwave). Roman holds a...