M86 SWG 5000
Strengths: Active real-time content inspection, dynamic web page repair, improved reporting and extensive policy-based security offering
Weaknesses: HTTPS scanning still optional, basic social networking controls
Verdict: Web content security doesn't get any tighter, as unique real-time inspection delivers stiff protection against the latest web-based threats
Businesses looking for a web content security solution are faced with many choices, but M86's Secure Web Gateways have unique capabilities. In this exclusive review, we look at the SWG 5000 appliance, which can handle up to 5,000 users and features M86's latest v10 code.
The SWG 5000 is delivered as a quality IBM System x3550 M2 rack server equipped with a pair of quad-core E5506 Xeons and 4GB of DDR3 memory. Storage is handled by a pair of 146GB SAS SFF hard disks, managed as a mirrored array by the integral IBM ServeRAID controller.
At its core, the SWG 5000 delivers M86's patented active real-time content inspection, which identifies malicious code. It passively examines the code, checks it through to completion and, if it doesn't like what it sees, blocks it.
Rebranded for the v10 release, M86's Dynamic Web Repair has been in all SWG products for a while. It checks web pages being downloaded and transparently removes any malicious code. It sends the cleaned-up web page to the user, so avoiding blocking the entire page and potentially saving on administrative overheads.
These features are included in the standard SWG subscription and M86 provides a number of optional extras. AV measures are available; you can choose from Kaspersky, McAfee or Sophos.
For web filtering, you have Websense or IBM's Proventia. M86's own lower-cost Filter List option is £2,400 annually for 1,000 users. M86 still only offers HTTPS scanning as an option (£2,690).
We strongly recommend specifying the web-caching kit when buying. It comprises an extra pair of 73GB SAS drives and a new RAID. If you add it later on, you have to back up your config, fit the new hardware and reimage the appliance.
The data leakage feature scans documents looking for keywords and blocks their transmission. It can scan HTTP, HTTPS and FTP traffic, including basic text files, and can also scan web form content.
Remote workers get more attention with the SWSH (Secure Web Service Hybrid) agent, which teams up with Amazon's EC2 hosted service to deploy multiple virtual appliances. Now available for Windows 7, the agent routes all web traffic on laptops or remote PCs to the nearest SWG cloud scanner.
For testing, we deployed the appliance in one-arm mode, where it defaults to an explicit proxy. We manually changed browser settings to point to the appliance, but you can just as easily use group policies or PAC scripts. The appliance can also operate in a two-arm mode as a transparent proxy.
Policies determine how the appliance handles traffic and these contain multiple rules. Each rule focuses on a specific threat type.
Initial configuration is made a lot easier, as M86 provides three default policies (basic, medium and strict). You can fine-tune them or add proxy authentication and integrate with AD.
Policy creation is simple enough. Rules are placed in order of priority within the policy and the X-Ray feature will prove handy for testing, as this can be applied to whole policies or specific rules.
Rules are used to configure AV scanning and web content filters and the M86 Filter List has over 50 URL categories. Performance was very good; with the games and gambling categories blocked, our test clients were unable to access any of these types of sites.
Social networking was handled well, but many of these sites are classed under different categories. We have mentioned before that it would be useful if M86 provided a simple URL category query tool, but this still hasn't materialised.
Reporting facilities have improved with the new Security Reporter appliance. It allows you to create reports on all user web activity and security risks and customise them. Reports are easy to create, have impressive levels of detail and are all exportable to PDF, CSV and PNG formats.
The SWG 5000 offers a unique and very effective range of security measures against web threats. It is easy to deploy and configure, with the latest code adding a number of useful new features, including greatly improved reporting.