What is a secure web gateway?

A secure web gateway blocks or filters out dangerous content and prevents data leakage. If a company uses a secure web gateway, all employee Internet traffic passes through it.

Learning Objectives

After reading this article you will be able to:

  • Understand what a secure web gateway is
  • Learn how secure web gateways work
  • Learn about application control, URL filtering, and other important capabilities

A secure web gateway, or secure Internet gateway, is a cyber security product that protects company data and enforces company security policies. Secure web gateways operate in between company employees and the Internet. Like a water filter, which removes dangerous impurities from water so that it is safe to drink, secure web gateways filter unsafe content from web traffic to stop cyber threats and data breaches. They also block risky or unauthorized user behavior.

All secure web gateway products contain these technologies:

  • URL filtering
  • Anti-malware detection and blocking
  • Application control

Secure web gateways may also include data loss prevention (DLP), content filtering, and other Internet traffic filters.

How does a secure web gateway work?

Some secure web gateways run on proxy servers. Just as someone may send a legal proxy to a live auction to represent them, a proxy server represents another device on the Internet. A proxy server is a server that makes requests and receives responses on behalf of a client device (e.g. a user's laptop) or another server. For secure web gateways, this proxy server can either be an actual physical server or a virtual machine in the cloud.

Other secure web gateways are software only; software-based gateways can run either on a company's premises or in the cloud as a SaaS application. And finally, some secure web gateways are deployed as on-premises "appliances": physical hardware devices that plug into a company's IT infrastructure.

No matter where they run or how they are deployed, all secure web gateways work in roughly the same way. When a client device sends a request to a website or application on the Internet, the request travels through the secure web gateway first. The gateway inspects the request and passes it along only if it does not violate established security policies, just as security guards may inspect a person's possessions at a physical security checkpoint before allowing them through. A similar process also occurs in reverse: all incoming data is inspected by the secure web gateway before it is passed along to users.

Because secure web gateways can run anywhere, they are especially helpful for managing remote employees. By requiring remote workers to access the Internet through a secure web gateway, companies that rely on a distributed workforce can better prevent data breaches, even if they do not have direct control over their employees' devices or networks.

What is a security policy?

A security policy is a rule that all data and network traffic within a company must conform to. For instance, suppose a company sets up a policy that all web traffic must be encrypted in transit. Enforcing this policy means blocking requests to websites that use plaintext HTTP rather than HTTPS. A secure web gateway is one way to implement this policy: because every request passes through it, it can refuse to forward any request that is not HTTPS.

How do secure web gateways enforce security policies?

Secure web gateways can perform a number of actions on the web traffic they inspect and forward in order to enforce security policies:

URL filtering

A URL is the string of text that appears at the top of a browser when it loads a webpage: for instance, https://www.cloudflare.com/learning/. URL filtering is therefore a way to control which websites and pages a user can load.

URL filtering typically involves the use of a blocklist: a list of known bad websites that are not allowed. If a user attempts to load a website that is on the blocklist, the secure web gateway blocks the request and the website does not load on the user's device. Most gateways also support an allowlist of approved sites that overrides the blocklist, and a listed domain normally covers its subdomains as well. One caveat: for HTTPS traffic that the gateway does not decrypt, it can see only the destination hostname (from the proxy CONNECT request or the TLS handshake), not the full path, so rules that depend on the path of a URL require HTTPS inspection.
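The following is an added example of the URL-filtering decision described above; it is illustrative code written for this article, not any vendor's implementation. The blocklist and allowlist entries (malware.example, phishing.example, games.example, safe.games.example) are constructed. It accepts either a full URL or a bare host[:port] (what a gateway sees for an undecrypted HTTPS connection), and normalizes the hostname so that lookalike URLs such as https://safe.example@malware.example/ are judged by the host the request actually reaches.

```python
# Added example: URL-filtering policy check for a secure web gateway.
# Illustrative code, not a vendor implementation; policy entries are constructed.
from typing import Set
from urllib.parse import urlsplit

# Constructed policy: a listed domain also covers its subdomains, and the
# allowlist overrides the blocklist.
BLOCKLIST: Set[str] = {"malware.example", "phishing.example", "games.example"}
ALLOWLIST: Set[str] = {"safe.games.example"}


def normalize_host(target: str) -> str:
    """Return the lowercase hostname a request is really bound for.

    Accepts a full URL (what the gateway sees for plaintext HTTP or after
    HTTPS inspection) or a bare host[:port] (what it sees in a CONNECT request
    or the TLS handshake when it does not decrypt). Userinfo ('user@host'),
    the port, letter case and a trailing dot are all stripped, so that
    'https://safe.example@malware.example/' resolves to malware.example.
    """
    if "://" not in target:
        target = "//" + target          # let urlsplit parse host[:port]
    host = urlsplit(target).hostname or ""
    return host.rstrip(".").lower()


def _matches(host: str, domains: Set[str]) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Matching is done on whole DNS labels, so 'notmalware.example' does not
    match a 'malware.example' entry the way a substring check would.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def url_filter_decision(target: str) -> str:
    """Return 'allow' or 'block' for a URL or host according to the policy."""
    host = normalize_host(target)
    if not host:
        return "block"                  # unparsable target: fail closed
    if _matches(host, ALLOWLIST):
        return "allow"
    if _matches(host, BLOCKLIST):
        return "block"
    return "allow"


if __name__ == "__main__":
    # Constructed sample targets covering the normalization edge cases.
    for t in ["https://www.cloudflare.com/learning/",
              "https://cdn.malware.example/payload.bin",
              "https://safe.example@malware.example/",
              "MALWARE.EXAMPLE.:443",
              "safe.games.example:443",
              "notmalware.example"]:
        print(f"{url_filter_decision(t):5}  {t}")
```

The check fails closed on an unparsable target and matches on whole DNS labels rather than substrings; both are common sources of bypasses in home-grown filters.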

Anti-malware scanning

Secure web gateways scan network traffic for malware, meaning they examine the data passing through and compare it against signatures of known malware, such as file hashes or characteristic byte patterns. Some gateways also use sandboxing to test for malware: they execute potentially malicious code in a controlled environment to see how it behaves. If malware is detected, the gateway blocks it.

A lot of network traffic on the Internet is encrypted* with HTTPS. Many secure web gateways can decrypt HTTPS traffic in order to scan the traffic for malware. After inspection, the gateway re-encrypts the traffic and forwards it to the user or the web server. This works because the gateway presents its own certificate to the user's browser in place of the website's, so the gateway's certificate authority must be installed as trusted on every managed device; applications that pin a specific certificate will refuse the gateway's certificate and usually have to be exempted from inspection. (Learn how HTTPS encryption works.)

*Encryption is the process of altering data so that it appears to be random. Encrypted data cannot be read until it is decrypted. Decryption is the reverse of the encryption process.

Application control

Secure web gateways can detect which applications employees are using. Based on that, they can control what resources different applications can access or block certain applications altogether. Some secure web gateways offer even greater degrees of control over application usage: for example, they can control application use based upon a user's identity or location.

Other secure web gateway capabilities include the following:

  • Content filtering: This feature detects certain kinds of content and blocks that content. For instance, content filtering can block explicit videos or photos from entering a corporate network. Company IT administrators can usually customize their secure web gateway's content filtering policy.
  • Data loss prevention (DLP): This feature is not offered by all secure web gateways, but it can be highly effective for preventing breaches. DLP is somewhat like content filtering in reverse: instead of stopping content from coming into a network, it keeps content from leaving a network. DLP detects when confidential data is going out from a company-controlled environment, and redacts, blocks, or tokenizes* the data to prevent it from leaking. For example, DLP could be set up to detect and redact all 16-digit numbers that pass the Luhn checksum used by payment card numbers, in order to stop credit card numbers from leaving the network in employee emails while leaving other 16-digit values such as order references alone.

*Tokenization means replacing confidential data, such as a credit card number, with a placeholder value that maps to the confidential data.
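As an added example of the DLP rule described above (illustrative code written for this article, not a vendor implementation), the block below finds 16-digit card-like numbers in outbound text, keeps only those that pass the Luhn check, and then either redacts them to the last four digits or replaces them with a token held in a small in-memory vault. The sample email text and the vault design are constructed; 4111 1111 1111 1111 is a widely used test card number that passes Luhn.

```python
# Added example: a DLP rule for payment card numbers with redaction and
# tokenization. Illustrative code, not a vendor implementation; the sample
# message and the vault are constructed.
import re
import secrets
from typing import Dict, List, Optional

# Sixteen digits, optionally separated by spaces or dashes. The lookbehind and
# lookahead stop the pattern from carving 16 digits out of a longer digit run
# such as a 20-digit tracking number.
CARD_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){15}\d(?![\d-])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, which every real payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class Tokenizer:
    """Swaps a card number for a random token and remembers the mapping so an
    authorized system can look the real value up later (constructed vault)."""

    def __init__(self) -> None:
        self.vault: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self.vault[token] = pan
        return token


def _digits_only(match_text: str) -> str:
    return re.sub(r"[ -]", "", match_text)


def find_card_numbers(text: str) -> List[str]:
    """Return the Luhn-valid 16-digit numbers found in text, digits only."""
    return [
        _digits_only(m.group())
        for m in CARD_RE.finditer(text)
        if luhn_ok(_digits_only(m.group()))
    ]


def apply_dlp(text: str, mode: str = "redact",
              tokenizer: Optional[Tokenizer] = None) -> str:
    """Rewrite text so that Luhn-valid card numbers do not leave the network.

    mode='redact' keeps only the last four digits; mode='tokenize' substitutes
    a vault token. Luhn-invalid 16-digit runs are left untouched.
    """
    def replace(m: "re.Match") -> str:
        digits = _digits_only(m.group())
        if not luhn_ok(digits):
            return m.group()
        if mode == "tokenize":
            assert tokenizer is not None, "tokenize mode needs a Tokenizer"
            return tokenizer.tokenize(digits)
        return "****-****-****-" + digits[-4:]

    return CARD_RE.sub(replace, text)


# Constructed outbound email: one real-looking card number, one 16-digit
# order reference that fails Luhn, and a longer tracking number.
SAMPLE_EMAIL = (
    "Hi Bob, the client's card is 4111 1111 1111 1111, "
    "order ref 1234-5678-1234-5678 (not a card), "
    "tracking 12345678901234567890."
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_EMAIL))
    print(apply_dlp(SAMPLE_EMAIL))
    vault = Tokenizer()
    print(apply_dlp(SAMPLE_EMAIL, mode="tokenize", tokenizer=vault))
    print(vault.vault)
```

The Luhn filter is what keeps the rule usable in practice: a bare "16 digits" regex fires on order numbers, serials and tracking codes, and a DLP rule with that many false positives gets switched off.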

How does this all look in practice? Here's an example:

Suppose Alice works at a company that uses a secure web gateway, and she wants to look at a picture of a rabbit. Alice clicks on a hyperlink that leads to a photo of a rabbit, causing her device to generate an HTTP request for the photo. The HTTP request goes to the secure web gateway proxy server, which inspects the request to make sure it isn't directed at a banned URL, then forwards the request out to the proper web server for the rabbit photo. Once it receives the requested photo from that web server, the secure web gateway scans it, then forwards it back to Alice. The entire process should take only milliseconds.

However, if Alice had been tricked into clicking a link to an unsafe website, thinking it was a link to the rabbit photo, the secure web gateway would identify the unsafe URL in the HTTP request and block it. Additionally, if Alice's company decides to implement an anti-rabbit policy, the secure web gateway can block the photo with content filtering.
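The walkthrough above, together with the anti-malware scanning and security policy sections earlier on this page, is shown below as one added example: a minimal gateway inspection loop that checks each request before forwarding it (HTTPS required, host not blocklisted) and each response before delivering it (malware signature scan, then an optional content filter). This is illustrative code written for this article, not any vendor's implementation. The blocked host (phishing.example), the malware signatures, the upstream servers and their responses are all constructed, and the "content filter" is simplified to a match on the response's Content-Type, standing in for the real content detection a product would do.

```python
# Added example: request-side and response-side inspection in a secure web
# gateway. Illustrative code, not a vendor implementation; the policy,
# signatures and upstream responses are constructed.
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple
from urllib.parse import urlsplit

# Constructed policy. The host check is a deliberately minimal exact-match
# set; a production blocklist would also cover subdomains.
BLOCKED_HOSTS = {"phishing.example"}
REQUIRE_HTTPS = True

# Constructed malware signatures: the SHA-256 of a known-bad file, plus a byte
# pattern of the kind a signature engine looks for inside a body.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00constructed-sample-dropper").hexdigest(),
}
BAD_BYTE_PATTERNS = [b"constructed-malware-marker"]


@dataclass
class Response:
    content_type: str
    body: bytes


# Constructed upstream: what the web servers would return for each URL.
UPSTREAM: Dict[str, Response] = {
    "https://photos.example/rabbit.jpg":
        Response("image/jpeg", b"\xff\xd8\xff" + b"constructed jpeg bytes"),
    "https://downloads.example/tool.exe":
        Response("application/octet-stream",
                 b"MZ\x90\x00constructed-sample-dropper"),
    "https://phishing.example/login":
        Response("text/html", b"<html>constructed</html>"),
}


def inspect_request(url: str) -> Tuple[str, str]:
    """Decide whether an outbound request may be forwarded: ('forward'|'block', reason)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if REQUIRE_HTTPS and parts.scheme != "https":
        return "block", "policy: plaintext HTTP not permitted"
    if host in BLOCKED_HOSTS:
        return "block", f"url filter: {host} is blocklisted"
    return "forward", "ok"


def scan_for_malware(body: bytes) -> Optional[str]:
    """Return the name of the matching signature, or None if the body is clean."""
    digest = hashlib.sha256(body).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return f"sha256:{digest[:12]}"
    for pat in BAD_BYTE_PATTERNS:
        if pat in body:
            return f"pattern:{pat.decode()}"
    return None


def inspect_response(resp: Response,
                     blocked_content_prefixes: Sequence[str] = ()) -> Tuple[str, str]:
    """Decide whether an inbound response may be delivered: ('deliver'|'block', reason)."""
    sig = scan_for_malware(resp.body)
    if sig:
        return "block", f"anti-malware: matched {sig}"
    if any(resp.content_type.startswith(p) for p in blocked_content_prefixes):
        return "block", f"content filter: {resp.content_type} not allowed"
    return "deliver", "ok"


def gateway_transaction(url: str,
                        blocked_content_prefixes: Sequence[str] = ()) -> Tuple[str, str]:
    """Run one client request through the gateway in both directions."""
    verdict, reason = inspect_request(url)
    if verdict == "block":
        return "blocked-request", reason
    resp = UPSTREAM.get(url)              # stands in for fetching from the web server
    if resp is None:
        return "upstream-error", "no such resource"
    verdict, reason = inspect_response(resp, blocked_content_prefixes)
    if verdict == "block":
        return "blocked-response", reason
    return "delivered", reason


if __name__ == "__main__":
    print(gateway_transaction("https://photos.example/rabbit.jpg"))
    print(gateway_transaction("https://photos.example/rabbit.jpg", ("image/",)))
    print(gateway_transaction("https://phishing.example/login"))
    print(gateway_transaction("http://photos.example/rabbit.jpg"))
    print(gateway_transaction("https://downloads.example/tool.exe"))
```

Alice's rabbit photo passes both checks and is delivered; the same request is refused on the way in once an "anti-rabbit" content filter (here, blocking image/ responses) is enabled, the phishing link is refused on the way out, and the download whose hash matches a signature is refused on the way in.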

How do secure web gateways fit into a SASE model?

SASE, or secure access service edge, bundles networking functions with various security functions (such as secure web gateways), and delivers them from a single global network.

Like many security products, a secure web gateway is often a standalone point product that is managed separately from other networking and network security functions. With a SASE framework in place, however, companies can implement and maintain their networks and network security from a single, cloud-based vendor.

How does Cloudflare keep web traffic secure?

Cloudflare Gateway offers comprehensive security for internal teams on the Internet, protecting both employees and internal corporate data. Cloudflare Gateway uses DNS filtering to block malicious content, gives administrators complete visibility of network traffic, and protects users from malicious online code with browser isolation.

Explore the capabilities of Cloudflare Gateway.