Cyber threat is on the rise, and many organizations struggle to provide comprehensive protection. What organizations really need is more granular control and visibility over their internet traffic. While Next Generation Firewall (NGFW) or similar solutions assist organizations to protect against malware and zero-day attacks, this security protection can be further enhanced with user identification, productivity monitoring and full visibility into encrypted traffic through a Secure Web Gateway (SWG). Combined, NGFW and SWG's deliver holistic network security, a strengthened security posture and provide more granular control over your network.
NGFW and SWG’s are often deployed together, as they complement each-others capabilities. NGAF lacks visibility into application and web traffic, causing network blind spots and a widened attack surface. A secure web gateway provides any capabilities necessary to combat and mitigate those risks.
Unified Threat Management (UTM) combined with a network firewall are rumoured to offer an alternative all-in-one solution on a single device. More often than not, UTMs suffer performance degradation when all features are enabled and present a wider attack surface when features are disabled, while workarounds often require purchase of additional, expensive upgraded throughput solutions.
With many different solutions competing, customers are often overwhelmed by their choices, as each solution has its own strengths and weaknesses, and no company wants to sacrifice features and capabilities, important to network security. This is where we find Sangfor Next Generation Firewall (aka NGAF) with Internet Access Gateway (aka IAG, Secure Web Gateway), a perfect amalgamation.
While Sangfor NGAF and IAG have some similar capabilities, there are several distinct differences including:
- User Identity and SSL Decryption. Visibility is a key element for any security solutions ability to impose security policies in their environment. With enhanced SSL decryption policies running on both gateway and client machines, and alongside user authentication methods, organizations will have pinpoint accuracy when identifying users, encrypted applications and possible threats traversing the environment.
- Logging and Reporting. IAG has more granular logging and reporting which can be stored for a longer period of time. NGFW and UTM are generally limited in their storage and reporting capabilities, especially when it comes to incident detail. Customers must install a separate server for a Business Intelligence (BI) external report center, to maximize reporting storage capability.
- Application Control. IAG offers enhanced application control, allowing customers to block or allow applications, and application control to limit the specific functions of applications. Administrators can block Facebook games and applications while continuing to allow their users to post to, or browse Facebook.
- Proxy Avoidance. IAG is built with this key feature to prevent users from bypassing organizational security protections, and ensuring that they adhere to an Acceptance Use Policy (AUP). Consistently updating signatures and detection of mechanism enhancement ensures all proxy tools are blocked by IAG’s Anti-Proxy feature.
There are a few configuration concerns to consider when using NGAF alongside IAG. The idea behind this type of deployment is to not to hinder any solution capabilities, and allow NGAF and IAG to complement each other.
a. Inline (Bridge Mode)
Inline is the most common deployment method, as it allows IAG to view and control application traffic. Also, this deployment enables user authentication and malware scanning of all internet access traffic. In most cases, administrators can opt for either IAG as a Forward Proxy and transparent forwarding while in bridge mode to enable these features.
While inline deployment mode is a great option for many administrators, it can create performance issues due to overall throughput disparities between NGAF and IAG, as IAG performs traffic inspection at a more granular level, while NGAF has higher overall throughput performance. Therefore, it is paramount for customers to ensure both are capable of handling any amount of throughput and bandwidth.
b. Forward Proxy
Alternatively, forward proxy deployment mode can be another option to solve the bandwidth disparity issues, by only forwarding internet access traffic through IAG. NGAF administrators can enforce security settings to prevent endpoint machines from accessing the internet directly, except via IAG forward proxy. Administrators then have unparalleled visibility and control of internet access traffic. IAG will filter each connection between client and website or application, allowing it to inspect every packet that passes through.
c. HTTP/HTTPS DNAT for Traffic Redirection or Policy Based Routing (PBR)
NGAF perform traffic redirection or PBR only traffic related to HTTP and HTTPS. In this deployment mode, administrators require no changes to their endpoint machines and IAG can be used to monitor and control web activities. On the other hand, NGAF provides IPS, APT detection and VPN gateway services. This deployment mode is ideal for customers who are looking to enjoy best of both worlds with security protection.
As you can see, we highly recommend deploying a comprehensive solution by utilizing both NGAF and IAG. This result brings enhancement to strengthen your security posture and optimize your internet access traffic with NGAF and IAG.
Do you want to know more? Need any consultancy assistance? Don’t worry, we got you cover. Kindly contact Sangfor local representative for more info or you can visit our website and social media below.
