Virtual Secure Web Gateway

  • 1.  Why no File / active content detection when in Tap mode?

    Posted May 18, 2010 09:45 AM
    Dear,

    Today we received our evaluation unit of the Web Gateway; after a bit of searching we got the configuration running now. We run this appliance in TAP configuration. Now what I did not understand is why file and active content detection is not available in this mode. When you go into policy configuration and edit a policy, there's a heading that says "File and active content detection", but only with the actions Monitor and Ignore. When I let a user download the EICAR test string the reports indicate that there was a virus download, but why can't the Web Gateway stop this?

    2nd question: We'll set this device up in our datacenter to use it for multiple customers - with different LANs - and what we also want to achieve is that when users take their laptops home, their internet traffic is still monitored by the web gateway. I thought that you must configure the web gateway as a proxy in IE / Firefox, but that doesn't seem to be true, or is this a wrong decision on my part?

    regards,

    Steve


  • 2.  RE: Why no File / active content detection when in Tap mode?

    Posted May 19, 2010 11:38 AM

    In span/tap mode the SWG is not able to block because the traffic is not passing through the device as it does when it is installed in inline mode. In span/tap mode it just gets a copy of all the traffic passing through the switch; when it is inline the traffic is actually moving through the device, so it can stop/block more.


  • 3.  RE: Why no File / active content detection when in Tap mode?

    Posted May 19, 2010 01:26 PM
    For a bit more clarification on the difference between Span or Tap and Inline:

    When we are Inline, we effectively control the entire connection as it occurs.  We have numerous methods of blocking in this case - we can take control of the session, we can redirect the session, we can delay the session, we can drop the packets altogether, etc...  In this mode, we can block whatever we like.

    On a Span or Tap, we get a copy of the session and send a TCP RST to block it.  While this is effective for 90+% of the traffic we want to block, it does have two limitations:
    1) File and Active Content Detection - The issue here is a matter of timing.  Even though the SWG is a VERY fast engine, by the time we get a copy of the packet stream via the Span port or Tap, the user actually already has a copy of the file.  Sending the TCP RST in this case is ineffective because we cannot RST the transmission that has already occurred.
    2) Content that is not TCP based - Some Application and Malware phone home signatures do not utilize TCP 100% (they will use a mix of UDP, for example) and thus will not respond to a TCP RST.  This is why specifically for some applications you may get a 'Blocking ineffective in Tap mode' message when you configure a policy to block that application.

    For the 2nd question you have:
    Today SWG does not support acting as a proxy, so you would not be able to do this.  This will be coming in a future release.

    HOWEVER - I would recommend against setting up in this manner.  If you allow users to connect to a proxy from outside of the network, all a malicious user would need is the IP address of your proxy (which is in the browser) to possibly launch a denial of service attack on your proxy.  You could mitigate this by forcing some authentication to the proxy, but it would not 100% solve the issue.  In addition, hard coding a proxy setting in the browser could cause issues at locations that use transparent proxies or proxies for authentication to WiFi access points (hotels, coffee shops, etc...).
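The inline-versus-tap difference described in the two replies above, including limitations 1 (timing) and 2 (non-TCP traffic), as an added toy model in Python. This is not code from the thread or from the product: the "file" is a constructed list of byte chunks delivered one per tick, the signature is a placeholder rather than the real EICAR string, and the RST latency of two ticks is an assumed value chosen to make the effect visible.

```python
"""Toy model of the inline vs. span/tap difference described in the thread.

Constructed example: the 'file' is a list of byte chunks delivered one per tick,
the AV signature is a placeholder (not the real EICAR string), and the RST
latency is an assumed number of ticks."""
from dataclasses import dataclass

# Constructed placeholder signature standing in for an AV/file-detection match.
SIGNATURE = b"TEST-SIGNATURE-PLACEHOLDER"


def scan(data: bytes) -> bool:
    """Signature match over the bytes the gateway has seen so far."""
    return SIGNATURE in data


@dataclass
class Outcome:
    mode: str
    client_bytes: bytes   # what actually reached the client
    rst_sent: bool        # did the gateway fire a TCP RST (tap mode only)
    blocked: bool         # True if the client did NOT receive the complete object


def inline_transfer(chunks, proto="tcp"):
    """Inline: the session passes through the gateway, which can hold the object
    until scanned and simply drop it (works for any protocol, not only TCP)."""
    held = b""
    for chunk in chunks:
        held += chunk
        if scan(held):
            # Gateway owns the session: drop it; nothing is forwarded.
            return Outcome("inline", b"", rst_sent=False, blocked=True)
    return Outcome("inline", held, rst_sent=False, blocked=False)


def tap_transfer(chunks, proto="tcp", rst_latency=2):
    """Span/tap: the wire delivers every chunk to the client regardless of the
    gateway, which only sees a copy and can answer with a TCP RST that lands
    rst_latency ticks later (assumed value). UDP ignores the RST entirely."""
    client = b""
    copy_seen = b""
    rst_sent = False
    rst_lands_at = None
    for tick, chunk in enumerate(chunks):
        if proto == "tcp" and rst_lands_at is not None and tick >= rst_lands_at:
            break  # RST tore the connection down; remaining chunks never arrive
        client += chunk       # delivered to the client before the gateway reacts
        copy_seen += chunk    # mirrored copy the gateway inspects
        if not rst_sent and scan(copy_seen):
            rst_sent = True
            rst_lands_at = tick + rst_latency
    complete = client == b"".join(chunks)
    return Outcome("tap", client, rst_sent, blocked=not complete)


# Constructed sample traffic: a small object that finishes before the RST can
# land, and a long-lived stream where the RST still cuts the session short.
SMALL_FILE = [b"HTTP/1.1 200 OK\r\n\r\n", b"payload-" + SIGNATURE, b"-end"]
LONG_STREAM = SMALL_FILE[:2] + [b"chunk-%d" % i for i in range(20)]

if __name__ == "__main__":
    for name, chunks in (("small file", SMALL_FILE), ("long stream", LONG_STREAM)):
        for proto in ("tcp", "udp"):
            for fn in (inline_transfer, tap_transfer):
                r = fn(chunks, proto)
                print(f"{name:11} {proto} {r.mode:6} rst={r.rst_sent!s:5} blocked={r.blocked}")
```

Running it shows the three cases the reply lists: for the small file in tap mode the RST is sent but the client already holds the whole object, so nothing is blocked; for the long stream the RST lands mid-transfer and the download is cut short (the "90+%" case); and for UDP the RST is sent but changes nothing. Inline mode blocks in every case because the gateway can hold and drop the object itself.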