CensorNet Secure Web Gateway review

CensorNet’s Web Security Gateway (WSG) is an on-premises security appliance with a sharp focus on controlling the latest web applications. It goes way beyond common web filtering products as, instead of applying limited ‘block’ or ‘allow’ enforcements, it provides real-time discovery and analysis for over 150 web apps.

Instead of blocking users completely from specific apps, CensorNet allows administrators to gather detailed information about what their users are up to first. Armed with these reports, they can create granular security policies that keep users safe but won’t stop them doing their jobs.

Implemented as a web proxy, SWG also provides comprehensive URL filtering backed up by a database with over 140 categories. HTTPS inspection comes as standard and the captive portal feature provides a simple solution for controlling BYOD users.

Installation

SWG runs on Ubuntu 14.04 and is provided as an ISO file so it can be hosted on a physical or virtual server. For testing, we loaded it on our Dell PowerEdge R820 VMware ESXi server, but it’ll work just as happily on Hyper-V, VirtualBox or XenServer.

Deployment is a swift process, as we attached the ISO to a new VMware VM, booted it up and followed the console’s quick start wizard. After setting the location, language plus IP address and securing admin access, we then moved over to the appliance’s web interface.

After applying a license, we started downloading CensorNet’s URL database and left it running in the background while we configured the appliance. The tidy web console opens with an overview showing VM resource usage, the status of Internet access and the proxy, an activity bar graph showing allowed and blocked hits plus a pie chart for detected web categories.

Proxies, users and certificates

WSG supports a number of methods for deploying web proxy settings to users. It can be set manually or via Group Policy, the appliance can act as a default gateway or you can use WPAD (web proxy auto-detection) with DHCP or DNS.

We took the manual approach and configured our Windows desktops to grab the PAC (proxy auto-configuration) script directly from the appliance. For local authentication, we added groups, user names and passwords from the console. We also imported our AD users from our domain controller – given all this, a useful feature is the option to stop multiple logins from the same proxy account.

For full web app discovery and analysis, you’ll need the SSL Intercept feature enabled which requires a certificate installed on each system. This is very simple as we just downloaded it from the appliance and imported it manually onto each desktop.

Security policies

Security policies are extremely versatile as they can run in logged unfiltered, filtered, restricted, blocked or advisory modes where the latter allows users to override a blocking action. When accessing a specific site, users can be redirected to another if you so choose and regular expressions can be used for URL keyword and phrase matching.

The web categories are neatly organized into subject groups which can be individually blocked, allowed or ignored. They can also have time quotas applied so if you’re feeling generous, you can allow employees to access games or social networking sites during their lunch break.

When applying policies to groups, we used the scheduler to decide precisely when they were active on each day. Oddly, we found the paintbrush tool provided for selecting time segments wouldn’t work in Microsoft Edge.

Analyze this

The web app analysis is very impressive and we found SWG capable of providing a wealth of information about usage. We tested with a range of apps including LinkedIn, Facebook, Twitter, Gmail, OneDrive, IDrive, Google Drive and Google Apps where the web console provided a complete graphical breakdown on who was using them and which device they were accessing them from.

Selecting a user from the graph took us straight to the analysis page where we could see precisely what they were doing and this included links to web sites they had accessed. SWG records all activities so for Gmail, we could see when they logged in, who they sent emails to, if they read or deleted emails, imported address lists and much more.

Assign risk level thresholds to each web app category and you’ll be notified when a user accesses them. The SWG catalog provides a complete list of all web app actions and for Facebook alone you can assign risk levels to 46 activities such joining a group, editing a profile, sharing posts, uploading files or creating pages.

Setting up alerts is trickier as CensorNet hasn’t updated its online help for this activity. Even so, after some practise, we created keyword dictionaries and alerts that warned us when users sent webmail messages to specific addresses, logged into a cloud storage app or downloaded a file.

Verdict

CensorNet’s Secure Web Gateway provides supremely versatile security policies and even though the BitDefender anti-malware component is optional, it’s still better value than much of the competition. CensorNet’s sophisticated discovery and analysis make the Secure Web Gateway a great choice for businesses that want more control over cloud application usage in the workplace.