How to protect VPN users with Symantec Web Gateway (SWG) appliance

Article ID: 152178

Products

Web Gateway

Issue/Introduction

You have users that connect to your network via a Virtual Private Network (VPN). You would like to know if Symantec Web Gateway (SWG) can protect those users and if so, to what extent.

Resolution

NOTE: VPN implementations vary greatly from manufacturer to manufacturer. Symantec strongly suggests implementing in a test lab before placing an SWG/VPN implementation into production. Note that the SWG appliance in inline mode acts as a bridge.

  • Requirements: VPN concentrator in front of SWG in inline mode, proxy behind SWG in inline mode, and the browser on the VPN client configured to use the proxy behind SWG. Starting with SWG version 5.0.1.1, Web Gateway can itself act as the proxy server.
  • Expected Result: SWG "sees" and scans web traffic from the web proxy. If VPN clients have a browser configured to use the web proxy behind SWG, the SWG appliance filters web traffic and checks downloads with antivirus.

  • Expected Drawbacks: Requires knowledge of the proxy server implementation, especially caching.
  • Diagram:

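One way to meet the "browser on the VPN client configured to use the proxy behind SWG" requirement is a PAC (proxy auto-config) script. The following is an added example, not Symantec's or the article's own configuration; the proxy host name, the intranet domain suffix and the address ranges are assumptions.

```javascript
// Added example, not from the article: a PAC script for the "proxy behind SWG"
// layout. All names and addresses below are assumed placeholders.
const SWG_PROXY = "PROXY proxy-behind-swg.example.internal:8080"; // assumed proxy behind SWG
const INTERNAL_DOMAIN = ".corp.example.internal";                 // assumed intranet suffix

// Browsers supply isInNet/dnsDomainIs/isPlainHostName to PAC scripts; these
// re-implementations let the policy run and be tested outside a browser.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
function dnsDomainIs(host, domain) {
  return host.endsWith(domain);
}
function isPlainHostName(host) {
  return !host.includes(".");
}
function isPrivateLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) &&
    (isInNet(host, "10.0.0.0", "255.0.0.0") ||
     isInNet(host, "172.16.0.0", "255.240.0.0") ||
     isInNet(host, "192.168.0.0", "255.255.0.0"));
}

// Intranet names and RFC 1918 literal addresses are reached over the tunnel
// directly; that traffic never leaves the network, so it does not need the
// proxy. Everything else goes to the proxy behind SWG, which is what lets the
// appliance filter the VPN users' web traffic and scan their downloads.
function selectProxy(host) {
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN) || isPrivateLiteral(host)) {
    return "DIRECT";
  }
  // Deliberately no "; DIRECT" fallback after the proxy: if the proxy (or the
  // tunnel) is down, browsing fails rather than silently bypassing SWG scanning.
  return SWG_PROXY;
}

// Standard PAC entry point, called by the browser for every request.
function FindProxyForURL(url, host) {
  return selectProxy(host);
}
```

The script only steers browser traffic; a VPN client that does not send all traffic through the concentrator still bypasses SWG for anything the browser is not involved in, as the note below explains.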
Technical Information

NOTE: VPN implementations vary greatly from manufacturer to manufacturer. The following implementation plans are hypothetical and have not been tested within Symantec. They may serve as a guide for further research with your VPN vendor. Symantec strongly suggests implementing in a test lab before placing an SWG/VPN implementation into production. Note that the SWG appliance in inline mode acts as a bridge. Further note that the diagrams shown assume that the VPN client encrypts and sends all network traffic through the VPN concentrator. VPN implementations which do not send all network traffic via the VPN concentrator may see a corresponding degradation in protection from SWG.

1. VPN integrated at firewall with SWG connected to a tap port on the firewall
Diagram:


Expected Result: SWG "sees" the traffic and filters it as it normally does in tap mode.
Expected Drawbacks: SWG can only scan what the firewall sends across the tap port. If the firewall does not send all traffic, SWG will not scan all traffic. SWG does not perform all types of filtering when in tap mode.

2. VPN concentrator installed behind SWG in inline mode
Diagram:

Expected Result: SWG scans network traffic from the VPN concentrator as if from a non-VPN client machine.
Expected Drawbacks: Expensive in terms of bandwidth.