In today’s digital workplace, we use the internet constantly. It allows us to find information in seconds that otherwise could take weeks of research to procure, and has opened up a world of virtual communication, allowing remote or hybrid teams to perform as effectively as collocated teams. But our reliance on the internet also makes us vulnerable to web-based threats such as malware, phishing, and Man-in-the-Middle (MitM) attacks.
Web security should be a priority for any business, and particularly those with remote workers who communicate over an internet connection. When one connection is compromised, it can take minutes for bad actors to spread malware through a company’s network. We’ve explored the most effective types of web security, and found that the best solutions fall into two categories: web filtering and browser isolation.
There are two main types of web filtering: cloud-based and DNS. Cloud web filtering platforms, or “Secure Web Gateways” (SWGs), filter harmful websites and block web-based viruses and malware from being downloaded to the user’s machine. They scan for malicious website code, filter harmful URLs, and prevent data loss.
DNS web filtering platforms sort internet traffic based on DNS lookups. Every webpage has a unique IP address, which browsers connect to the domain name to be able to load the page. DNS filters sit between the browser and domain so that browsers can’t load malicious sites. Many DNS filtering platforms come with a pre-configured blacklist of harmful domains that can’t be accessed on protected networks.
The second type of web security we’ve explored is browser isolation. Browser isolation platforms isolate users’ online browsing activity in a safe environment that’s detached from the local network. The best browser isolation solutions are cloud-based and execute web-based commands in a secure server, or “remote desktop”. When using this remote desktop, the user experiences totally normal browsing, but it takes place independent of their local machine. This means that malicious webpages and attachments are contained or sandboxed within the virtual environment and never reach the user’s local system.
In this article, we’ll explore the top ten web security solutions, including a range of cloud-based and DNS filtering solutions as well as browser isolation platforms. We’ll give you some background information on the provider and the key features of each solution, as well as the type of customer that they are most suitable for.
Cisco are a global network, infrastructure and security vendor that offer a variety of security solutions to protect digital communications across the world. Their Umbrella solution, launched in 2019, offers flexible, cloud-based security via a Secure Web Gateway. The solution combines multiple functions that admins can monitor from one user-friendly console, making it easy to add and protect devices remotely. Cisco Umbrella is available in three packages, which have been designed to protect any sized organization, from small businesses to multinational enterprises.
Cisco Umbrella offers DNS security, a Secure Web Gateway, firewall as a service (FWaaS) and cloud access security broker (CASB) functionality in a single console called the Umbrella Secure Internet Gateway (SIG). Admins can monitor threats and configure protection across all of these areas from one easy-to-use management portal. Additionally, Umbrella comes with integrated threat response so that security teams can investigate the root cause of security incidents to avoid repeat attacks.
The three Umbrella packages utilize sophisticated machine learning and extensive threat intelligence from Cisco Talos, one of the world’s largest commercial threat teams, to detect and protect against known and zero-day threats. This means that the solution can offer powerful web filtering protection against malware, phishing and DNS tunneling attacks.
Cisco Umbrella has been praised by customers for its quick and easy deployment and user-friendly management portal, that also monitors devices operating remotely from the office. Its quick deployment means that this solution offers almost immediate, reliable security coverage across all ports and protocols. This, combined with the scalable package options, makes Cisco Umbrella a good cloud option for most organizations looking for a solid web security solution.
WebTitan DNS Filter is Titan HQ’s web filtering solution that leverages advanced domain name system filtering controls to provide strong threat protection. The WebTitan platform filters over 500 million URLs to secure users against malicious webpages (including phishing pages), viruses, and web-based malware. The solution is easy to use and features a comprehensive policy engine with granular rules and categories for content filtering to match any business need.
WebTitan DNS Filter stops users from access malicious web content with a URL database that covers over 650 million end users. The solution provides protection against malware and viruses by blocking dangerous downloads, and the AI-powered engines detect zero-day phishing domains and malicious URLs to help prevent users falling victim to phishing attacks. Admins can manage and monitor their web security remotely via API with no latency. Through the remote management console, admins can configure granular policies per user, IP agent and group. Admins can also generate a wealth of reports to ensure that WebTitan is catching the threats facing their organization. These reports can also be used to ensure and prove compliance with legal standards.
Customers praise the WebTitan platform for it’s ease of use, cost-effectiveness and granular content filtering policies. The solution is fast and highly scalable, which makes it easy to add new devices to the platform as an organization grows. This flexibility makes it suitable for SMBs and larger enterprises alike. Its margin friendly pricing and fully multitenant environment also make WebTitan a popular choice amongst the MSP community. Finally, WebTitan is a particularly strong solution for education environments, allowing admins to configure policies to protect students and ensure that educational compliance standards are met.
Symantec, the cybersecurity subsidiary of Broadcom, is a leader in appliance- and cloud-based web security solutions. The Symantec Cloud Secure Web Gateway (formerly Web Security Service) is an all-encompassing web security solution that offers a Secure Web Gateway and browser isolation. The service is compatible with Microsoft Office 365, and admins can configure separate policies for different Office 365 applications.
The Cloud Secure Web Gateway uses strong SSL inspection to detect malware hidden in encrypted web traffic, and block this from reaching users’ end devices. Its advanced proxy architecture allows the solution to deliver a Secure Web Gateway that controls and inspects web and cloud traffic, terminating advanced threats and securing users’ data no matter their location. The solution also offers a cloud firewall service as an add-on, which covers all ports and protocols and ensures that consistent policies are applied across on-premise and remote devices. Finally, Symantec Cloud Secure Web Gateway features browser isolation capabilities, which direct uncategorized URLs to an isolated environment. From here, the pages are sent safely as images to the user’s browser for viewing.
In the web portal, admins can view reports and manage the service, but customer reviews find reporting and configuration capabilities to be limited. Broadcom does offer an enhanced reporting and management console, but this isn’t included in their web security solution; customers must purchase it as an add-on.
The Symantec Cloud Secure Web Gateway protection extends across mobile devices as well as desktops, making it an attractive solution for organizations with workers that regularly access company data remotely, e.g. by checking emails on a personal cell phone. We’d recommend this solution for enterprise organizations looking to invest in a powerful hybrid (cloud and on-premise) web security solution.
iboss’ cloud web security solution is founded on node-based technology, which the vendor calls “containerized gateways.” It delivers SaaS network security, with all firewall and proxy capabilities delivered in the cloud, meaning that customers’ networks aren’t drained of resources when running the solution. Organizations can adopt iboss’ public cloud service, implement containerized gateways in their own private cloud, or create a hybrid solution by integrating the two.
The iboss platform delivers all of its features, functions and security as a service in the cloud. This includes web filtering, malware defense and DNS protection. Delivering security in the cloud allows the solution to protect users’ internet access at all time, no matter their location. This makes the product particularly useful for organizations with a lot of remote employees. Security teams can customize filtering policies, as well as configure malware and data loss prevention rules, with these automatically applied to end users.
iboss’ solution deploys easily with 100% API-based integration, and is compatible with Office 365, MS Cloud App Security CASB and Azure. It’s easy set-up and powerful cloud-based protection make this solution ideal for enterprise organizations, who have a high number of remote employees.
Forcepoint, formerly Websense, offer a broad range of cybersecurity products, including Secure Email and Web Gateways, firewalls, and behavioral analytics. Their Secure Web Gateway solution is available as on-premise software, and as a cloud-based service. Users can also choose to create a hybrid service for protection both on-premise and away from the office. This makes it suitable for all organizations, no matter their state of cloud migration. Forcepoint’s management console supports reporting in each of these deployment environments.
Forcepoint’s SWG uses over 10,000 analyses to support their advanced threat detection, including real-time analysis of integrated data theft. Its comprehensive cloud application security allows organizations to monitor users’ cloud app behavior during work hours, as well as their online behavior, to uncover risks and remove security gaps.
The solution includes excellent logs and filters, with custom categories for activity monitoring. These granular controls allow organizations to fine-tune the level of protection to bring it in line with their company policies.
Forcepoint’s admin controls are a little complex, with customers reporting that there’s a learning curve for organizations that invest in this solution. However, the that the solution provides its customers. For this reason, we recommend Forcepoint’s Secure Web Gateway as a strong solution for mid- to enterprise-sized organizations looking for a cloud web filtering platform.
Menlo Security are a market leader in offering web security through isolation. Their technology helps to eliminate the risk of email and web-based threats by isolating all content and executing it on secure servers. This protects users comprehensively against malicious content, without having any adverse effects on the system’s performance or changing the way that users browse. Menlo’s platform is fully cloud-based and is fully compatible with platforms like Office 365.
Menlo’s Security Isolation Platform (MSIP) is founded on their Isolation Core technology. Their secure cloud proxy creates a digital barrier between the user and any potential sources of attack. Users carry out all of their work in a remote web browser within the cloud, and Menlo make sure that only safe information can pass through the gateway to the user’s endpoint device. This means that users can’t interact with phishing pages, and admins can configure settings to block additional websites, adverts and even popups. Additionally, the solution’s protection extends to cover Software as a Service (SaaS) applications. This means that any SaaS apps you use, such as Office 365, will run at full speed on a direct-to-internet connection, without the risk of compromising your security.
Menlo’s approach is built “in the cloud for the cloud”, and this cloud-first isolation strategy is what allows them to ensure security with zero compromise. Their solution is scalable to be able to support organizations of any size, but customers typically range from mid-sized to large enterprises.
Palo Alto Networks are a global cybersecurity leader offering enterprise-level security through AI, analytics, automation and orchestration. URL Filtering for Web Security is Palo Alto’s internet security solution, providing users with secure web access through a powerful URL filter with PAN-DB. The solution offers protection against phishing sites, HTTP-based command and control, malicious sites and pages that carry exploit kits.
Palo Alto’s URL Filtering uses a combination of static analysis and machine learning through PAN-DB to identify threats and protect users from them. PAN-DB is Palo Alto’s cloud-based URL database. This global threat intelligence allows for automated, real-time protection that blocks newly discovered malware and exploit sites.
Palo Alto’s solution offers multiple URL categories as well as a risk rating for each site, which allows admins to create more insightful policies at a granular level. The solution also features credential phishing protection that analyzes suspicious URLs for malicious content. Finally, Palo Alto’s URL Filtering includes firewall integration, which helps to simplify policy configuration and administration without affecting the speed of any web-based applications.
Customers praise Palo Alto’s URL Filtering for Web Security solution for its effective protection and clear visibility into their networks’ URL traffic. All of Palo Alto’s solutions are delivered via their integrated platform, which enable the protection of mobile devices as well as clouds and networks. We recommend this solution for any large enterprises looking for a powerful URL filtering tool, and particularly those with a number of remote employees working from different locations around the world.
Skyhigh Security is a cybersecurity provider that offers a range of data-aware, cloud-based security solutions, including a secure service edge, a cloud access security broker, network access security, app security, and web security. The Skyhigh Secure Web Gateway (formerly part of the McAfee Enterprise suite) offers intelligent, real-time protection against known and unknown web-based threats without compromising the end user’s browsing experience.
To block known threats, the Skyhigh Secure Web Gateway (SWG) uses embedded browser code emulation and an anti-malware engine that blocks malicious URLs and corrupted files. The solution’s policy engine is rule-based, which enables organizations to configure granular policies for enhanced protection and reporting. The platform also uses global threat intelligence to carry filter sites based on a profile of secure web pages and keywords.
To block unknown and zero-day threats, the platform offers remote browser isolation and a machine learning-powered and emulation-based sandbox, which ensure that any malicious activity is executed in an environment isolated from the user’s endpoint.
The Skyhigh Secure Web Gateway is a strong web filtering solution for mid-sized to large enterprises, particularly those that are looking for a web security solution as part of a wider secure service edge (SSE), as this product integrates seamlessly with Skyhigh’s SSE offering. Its keyword filtering capabilities also make it a strong solution for those in educational settings, where restrictive access controls can help protect vulnerable users.
Trend Micro have over 30 years of experience in producing simple, safe and trustworthy cybersecurity solutions. InterScan Web Security (IWS) is their software-only Secure Web Gateway that customers can deploy on-premise, in the cloud, or as a hybrid combination of the two. This is supported by the synchronization of policies for cloud and on-premise users.
The InterScan Web Security solution uses anti-malware, URL filtering, sandboxing and botnet detection to protect users against advanced threats such as malware and zero day exploits, as well as to protect cloud-based applications. Users that choose to deploy the cloud-based service also benefit from machine learning technology, leveraging the real-time protection of Trend Micro’s Smart Protection Network to defend the system against new and emerging threats. Admins can configure protection settings for over 1,000 applications at a granular level, which makes it easy to enforce company acceptable use policies. The management console also enables admins to view reports that allow complete visibility into web usage. These reports include real-time monitoring so that you can see web use as it happens, allowing for on-the-spot remediation.
Trend Micro’s InterScan Web Security is a powerful solution for SMBs looking for a SWG that’s particularly good at protecting mobile endpoints. Customers have reported that it’s easy to deploy and manage and are generally satisfied with Trend Micro’s support services. However, it’s usually sold as a part the vendor’s Smart Protection Complete Suite. For this reason, we recommend it particularly for those who want a SWG to fit into a broader security suite, or those who already have a strategic relationship with Trend Micro. Trend Micro also have a mature channel partner platform, with a number of partnership opportunities on offer, so this solution is also available for MSPs to leverage.
ZScaler are market leaders in providing powerful cloud-based web security that grows with the customer’s organization. Their Internet Access (ZIA) solution is a Secure Web Gateway that proxies and filters web traffic from head offices, branch locations and mobile devices. Customers can also purchase optional features, such as a firewall and cloud-based sandboxing, to further enhance their web protection. The lack of hardware means that ZIA is quick and easy to deploy, so that customers are protected within minutes of investing in the solution.
The ZScaler Internet Access SWG offers advanced malware detection across all web content, including SSL and TLS traffic, regardless of the website’s reputation. Because it’s a cloud-based application, ZIA is able to utilize powerful machine learning technology to protect against emerging zero-day exploits. The solution also includes a basic firewall, DNS filtering and CASB functionality, which protect cloud-based applications as well as actual web browsing. Customers have the option to add and upgrade features for an additional cost. The solution features an easy-to-use management platform, where admins can access real-time reporting and analytics, with per-user views to enable enhanced protection for each user.
Quick to deploy and with instant Office 365 integration, ZScaler’s solution is ideal for mid- to large-sized enterprises looking for a purely cloud-based Secure Web Gateway. ZScaler hold a large market share in the US, but their large cloud footprint means that they’re also able to offer this solution in locations that competitors tend to be unable to serve, such as the Middle East, Russia and Africa. This makes ZIA a particularly strong solution for global organizations with offices in these areas.
