What is Secure Web Gateway?

SWGs are available as on-premises appliances (hardware and virtual), cloud-based services, or in hybrid mode (combined on-premises appliances and cloud-based services).

Traditionally SWG and SD-WAN were perceived as separate technologies, tempting organizations to augment their existing SD-WAN solution with an SWG from a separate provider. These disparate solutions often fail to blend architecturally, fail to provide functional integration, perform inadequately, and lack end-to-end visibility, configuration and analytics.

Specific shortcomings of a “bolted-on” SWG include::

• SWG and SD-WAN are each managed from its own console, resulting in management complexities and very limited traffic visibility.
• Uses inefficient legacy access methods (static VPNs, traffic backhauling) to the SWG.
• Minimal application-level intelligence, classification and application traffic prioritization.

• No means to protect against oversubscribed or lossy access links; traffic cannot, or does not, leverage the overlay and traffic management capabilities (such as SLAs, FEC, traffic remediation, and granular application-level prioritization) inherent in an SD-WAN.
• Not scalable when hundreds of branches are involved (requires hundreds of tunnels to be provisioned to the SWG PoP), or when there is a large percentage of WFA users.
• Slow and cumbersome to rekey or to re-issue certificates for legacy IPSec.
• Traffic is not encrypted when GRE tunnels are used, exposing sensitive data to leakage.
• Traffic segmentation and multi-tenancy for traffic isolation breaks down.
• Typical SWG services provide north-south traffic paths (to/from Internet and SWG clients), but lacks the architecture to forward and protect traffic across east-west paths (between SWGs).
• Siloed point-solutions from multiple vendors for different functions—SD-WAN, SWG, ZTNA, CASB—lead to frequent repetition of functions (authentication, en/decryption, TLS Proxy) that increase latency, lower throughput and cause poor QoE.

Enterprise IT and Security Administrators are looking to secure users and devices. They need:

• An authenticated and access-controlled solution.
• Strong and proven encryption to secure traffic from WFA users to SWGs.
• SWGs to secure user traffic to/from Internet-placed applications.

To achieve these goals, a fully comprehensive Secure Access Service Edge (SASE) feature-set is necessary, and an SWG is now an indispensable tool for web security and an integral part of SASE solutions.

The leading-edge Versa SASE solution includes fully integrated SD-WAN, SWG, CASB, ZTNA and branch FWaaS capabilities that deliver the following additional benefits:

• Single-pass data path for optimal efficiency and least latency.
• Single-pass software architecture eliminating repetition of functions and best QoE.
• Single-pane-of-glass to manage all functions: SWG, ZTNA, Firewall, Router and SD-WAN Gateway.
• Single policy language to ensure comprehensive security and compliance for all users.
• A single Forward Proxy to manage and work with (one company to share certificates with), eliminating proxy chaining. The Versa Forward Proxy serves all functions including SD-WAN, ZTNA, SWG, CASB, and more.
• A global POP network of Versa Cloud Gateways.
• Rich access options: A SASE client (with authentication, policy/compliance enforcement, multiple active connections), standard tunnel options (GRE, IKEv2 IPSEC), and integrated SD-WAN options.