The Many Failures of Secure Web Gateways: Part 1 - Malicious Files

SquareX Labs (Engineering @ SquareX), Jan 18, 2024

Secure Web Gateways (SWGs) are supposedly critical components in enterprise cybersecurity architecture. They are designed to prevent unauthorized access to certain websites, filter unwanted software/malware from user-initiated web/internet traffic, and enforce corporate and regulatory policy compliance. Organizations rely on SWGs for a variety of reasons, primarily to protect against web-based threats, to control employee internet usage, to prevent data loss, and to ensure secure data transfer in and out of the organization’s network.

In this series of posts, we will delve into the various shortcomings of Secure Web Gateways (SWGs). In our first installment, we examine the limitations of SWGs in scanning files, discuss how attackers can exploit these weaknesses to circumvent defenses, and reveal the potential for malicious files to infiltrate and compromise organizations.

Let’s begin with a comparative study based on publicly available documentation from well-known SWG providers — such as CloudFlare, Cisco Umbrella, Netskope, Palo Alto, and Zscaler.

The Achilles’ heel of file scanning by SWGs lies in the fact that beyond a certain point, pausing or delaying the download or viewing of a file by the user — without significantly affecting the user experience — is not feasible.

Because of this, SWGs are forced to limit their scanning. Here are some of the limitations:

  • File Size Limits: Each SWG enforces its own maximum file size that can be processed, ranging from as low as 15MB to up to 400MB. When users attempt to download or upload files exceeding these limits, the transfer is either blocked or the file is allowed without being scanned, which poses a security risk.
  • File Type Limits: SWGs maintain specific lists of permissible file types for transfer. While some gateways permit a wide array of file types, others restrict this to a select group, aiming to enhance security but potentially hindering users who need to work with types not on the list. Certain file types, particularly executables or files that could potentially contain threats like password-protected archives, may either be outright blocked or undergo limited processing, which could potentially allow threats to slip through if not detected at the surface level.
  • Compressed Archives:
      ◦ Levels of Recursion: The depth to which SWGs inspect compressed files varies, with some delving into one to three levels of a zip file, while others probe up to 16 layers deep. Shallow inspection may miss threats buried deep within archives, while deeper inspection can impact performance.
      ◦ Maximum Files in Archive: There are constraints on the number of files within an archive that SWGs will scan, sometimes as few as 300 files. This limit can pose a challenge when dealing with extensive archives, potentially leaving some files unchecked.
      ◦ Encrypted Archives: These may be outright blocked, or passed through without being scanned at all.
  • Queuing and Rate Limiting by Firewall Forwarding Capacity: SWGs have a limited capacity for data that can be actively processed and forwarded through the firewall, which can lead to queuing and rate limiting, especially during peak traffic periods. This can result in significant delays in accessing files, disrupting workflows and reducing worker productivity as they wait for files to be scanned and approved for download or upload.
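To make the coverage gap concrete, here is an added example (our own illustration, not code from any SWG vendor cited above) that models a gateway's archive inspection under the size, recursion-depth and entry-count limits described in the list. The limit values are hypothetical defaults chosen from the ranges quoted above, the "scanner" only records which entries it was able to look at and which it was forced to skip, and the two input builders construct harmless sample archives in memory. The point it demonstrates is the difference between a fail-open policy (the transfer is allowed although part of it was never inspected) and a fail-closed one.

```python
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class ScanLimits:
    """Hypothetical gateway limits, modelled on the ranges cited in the post."""
    max_file_bytes: int = 15 * 1024 * 1024  # lowest size cap mentioned (15MB)
    max_depth: int = 3                      # archive recursion levels that get opened
    max_entries: int = 300                  # entries inspected per archive
    fail_closed: bool = False               # block when anything went unscanned?


@dataclass
class ScanReport:
    inspected: list = field(default_factory=list)  # entry paths that were looked at
    skipped: list = field(default_factory=list)    # (entry path, reason) never looked at


def inspect_archive(data, limits, report, prefix, depth):
    """Walk one zip, recording every entry the limits prevent us from inspecting."""
    seen = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{prefix}/{info.filename}"
            seen += 1
            if seen > limits.max_entries:
                report.skipped.append((path, "entry-limit"))
            elif info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                report.skipped.append((path, "encrypted"))
            elif info.filename.lower().endswith(".zip"):
                if depth + 1 > limits.max_depth:
                    report.skipped.append((path, "depth-limit"))
                else:
                    inspect_archive(zf.read(info), limits, report, path, depth + 1)
            else:
                report.inspected.append(path)  # a real scanner would run detection here


def scan_download(data, limits, name="download.zip"):
    """Apply the size cap first, then walk the archive (depth 1 = the download itself)."""
    report = ScanReport()
    if len(data) > limits.max_file_bytes:
        report.skipped.append((name, "size-limit"))
    elif zipfile.is_zipfile(io.BytesIO(data)):
        inspect_archive(data, limits, report, name, depth=1)
    else:
        report.inspected.append(name)
    return report


def verdict(report, limits):
    """Fail-open gateways allow a transfer even when parts of it were never scanned."""
    if not report.skipped:
        return "allow"
    return "block" if limits.fail_closed else "allow-unscanned"


def build_nested_zip(levels, leaf_name="payload.txt", leaf_data=b"constructed sample"):
    """Constructed input: a zip nested `levels` deep with one harmless text file at the bottom."""
    blob, name = leaf_data, leaf_name
    for level in range(1, levels + 1):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(name, blob)
        blob, name = buf.getvalue(), f"level{level}.zip"
    return blob


def build_flat_zip(count):
    """Constructed input: a zip holding `count` small text entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i in range(count):
            zf.writestr(f"doc{i}.txt", b"constructed sample")
    return buf.getvalue()


if __name__ == "__main__":
    for limits in (ScanLimits(), ScanLimits(fail_closed=True)):
        for levels in (3, 5):
            rep = scan_download(build_nested_zip(levels), limits)
            print(f"{levels} levels, fail_closed={limits.fail_closed}:",
                  verdict(rep, limits), rep.skipped)
```

Running it shows a 3-level archive fully inspected and allowed, while a 5-level archive leaves its innermost members unscanned; under the default fail-open policy the verdict is still "allow-unscanned", and only the fail-closed configuration turns that gap into a block. The same report structure makes the entry-count and size-cap gaps visible, which is the information a defender needs when deciding what the gateway should be complemented with.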

[Table: Summary of File Processing Limitations by SWG Providers]

While SWGs are essential, they are not a silver bullet for web security. They need to be part of a layered defense strategy, complemented by other upstream security measures such as in-browser detection and prevention. SWGs are insufficient as a standalone solution primarily because of the complexity and dynamism of web-based threats, their limitations in processing and inspecting large or complex file types, and the difficulty of keeping up with sophisticated attack methods that constantly evolve to bypass traditional security measures.

In our previous blog post, we discussed the need for browser-native solutions that complement Secure Web Gateways and overcome these limitations.

It is crucial for organizations to recognize these limitations and implement a comprehensive security approach that includes, but is not limited to, Secure Web Gateways. Over the next couple of days, we will publish a series of posts demonstrating how Secure Web Gateways fail. Stay tuned for interesting discoveries!

We asked the community what some of the limitations of Secure Web Gateways are. Here are some crowdsourced opinions!

Sources:

CloudFlare
https://developers.cloudflare.com/cloudflare-one/policies/gateway/http-policies/antivirus-scanning/#non-scannable-files

Cisco Umbrella
https://docs.umbrella.com/umbrella-user-guide/docs/supported-file-types
https://docs.umbrella.com/umbrella-user-guide/docs/manage-file-analysis

Netskope
https://docs.netskope.com/en/netskope-help/data-security/data-loss-prevention/advanced-file-scanning/

Palo Alto
https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-overview/advanced-wildfire-file-type-support/advanced-wildfire-file-type-support-complete
https://docs.paloaltonetworks.com/advanced-wildfire/administration/advanced-wildfire-deployment-best-practices/advanced-wildfire-best-practices#idc7df8b80-ea18-40a0-8130-cdacf7b9176e
https://docs.paloaltonetworks.com/advanced-wildfire/administration/configure-advanced-wildfire-analysis/firewall-file-forwarding-capacity-by-model

Zscaler
https://help.zscaler.com/zia/configuring-security-exceptions-malware-protection-policy
https://help.zscaler.com/zia/about-file-type-control
