Security "Bits"

Hairpinning: The Bottleneck in Most Secure Web Gateway Architectures

By Jeff Birnbaum | July 13, 2021 at 5:00 AM

Secure Web Gateways (SWGs), software for controlling access to websites and SaaS applications not managed by corporate IT, have evolved from hardware appliances installed on premises to software running on end-user devices with varying degrees of interaction with the security provider’s hosted infrastructure. But the details of how that software interacts with the security provider’s infrastructure make all the difference with respect to performance, security, and ease of management. The Bitglass SmartEdge SWG architecture addresses these concerns in several ways.

Most SWG architectures take a performance hit because all web traffic must pass through the security provider’s infrastructure for inspection before being forwarded to the destination website. This leads to a phenomenon called hairpinning because, like the shape of a hairpin, the traffic takes a detour before reaching its final destination. The extra network hop adds latency through propagation delay, and it adds still more latency when the security provider’s infrastructure is overloaded by unexpected peaks in traffic.

Bitglass addresses this issue by not requiring all web traffic originating on the user device to be sent to our infrastructure on AWS. Instead, our on-device SmartEdge SWG only needs to send traffic to our infrastructure for two use cases. The first use case is when the user tries to reach a URL for the first time. The SmartEdge agent sees that request and queries the closest Bitglass cache node server to retrieve the appropriate web browsing policy for that combination of user group, device type, URL category, location, and URL reputation. Possible results of that query are allow access, deny access, or allow secure access (file uploads and downloads are blocked in accordance with DLP and malware scanning policies). Assuming the website is not blocked, all web traffic is exchanged directly between the device and the website, thus avoiding hairpinning.

The second use case for sending unmanaged application traffic to our infrastructure on AWS is when the user is connected to a website with a “secure” web access policy enforced and attempts to upload or download a file. In this case, any file upload attempt first causes a copy of that file to be sent to the closest Bitglass local edge data center on AWS to scan for malware or sensitive data. If a match is found, a message is sent from our server to the SmartEdge agent indicating that the upload should be blocked. If no match is found, the file can then be uploaded from the user device directly to the website. For any file download attempt, the file is downloaded and kept in quarantine on the device while a copy of that file is also sent to the closest Bitglass local edge data center on AWS for malware or sensitive data scanning. If a match is found, the quarantined file is deleted. If a match is not found, the file is released from quarantine and appears in the user's default download folder.
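To make the two use cases concrete, here is a small Python model of the on-device flow described above. It is an added example, not Bitglass code: the policy table, the host-to-category map, the scanner markers and the `Agent` class are all constructed for illustration. The model counts how many round trips go to the (simulated) provider versus how many exchanges go directly to the website, which is the quantity the hairpinning argument is about.

```python
"""Toy model of an on-device SWG agent (added example, not Bitglass code).

Only two things ever go to the provider: a policy lookup on the first visit
to a host, and a copy of a file when the host's policy is "secure".  Page
traffic itself is exchanged directly with the website.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# The three policy outcomes named in the post.
ALLOW, DENY, SECURE = "allow", "deny", "secure"

# Constructed stand-in for the provider's cache node:
# (user_group, device_type, url_category) -> decision.  Location and URL
# reputation are folded into the category lookup here for brevity.
POLICY_TABLE = {
    ("engineering", "managed-laptop", "filesharing"): SECURE,
    ("engineering", "managed-laptop", "news"): ALLOW,
    ("engineering", "managed-laptop", "malware"): DENY,
}

# Constructed host -> category map standing in for URL categorisation.
URL_CATEGORIES = {
    "files.example.com": "filesharing",
    "news.example.org": "news",
    "bad.example.net": "malware",
}

# Constructed markers standing in for DLP patterns and malware signatures.
SENSITIVE_MARKERS = (b"CONFIDENTIAL", b"MALWARE-SAMPLE-MARKER")


def scan(data: bytes) -> bool:
    """Return True if the (simulated) edge scanner finds a match."""
    return any(marker in data for marker in SENSITIVE_MARKERS)


@dataclass
class Agent:
    user_group: str
    device_type: str
    policy_cache: dict = field(default_factory=dict)   # host -> decision
    provider_round_trips: int = 0   # lookups + file copies sent to provider
    direct_requests: int = 0        # exchanges that went straight to the site
    quarantine: dict = field(default_factory=dict)
    download_folder: dict = field(default_factory=dict)

    def _lookup_policy(self, url: str) -> str:
        host = urlsplit(url).hostname
        if host not in self.policy_cache:
            # First visit to this host: one round trip to the cache node.
            self.provider_round_trips += 1
            category = URL_CATEGORIES.get(host, "uncategorised")
            key = (self.user_group, self.device_type, category)
            self.policy_cache[host] = POLICY_TABLE.get(key, DENY)
        return self.policy_cache[host]

    def browse(self, url: str) -> str:
        if self._lookup_policy(url) == DENY:
            return "blocked"
        self.direct_requests += 1          # page bytes never hairpin
        return "direct"

    def upload(self, url: str, data: bytes) -> str:
        decision = self._lookup_policy(url)
        if decision == DENY:
            return "blocked"
        if decision == SECURE:
            self.provider_round_trips += 1   # copy sent for scanning first
            if scan(data):
                return "blocked"
        self.direct_requests += 1            # then uploaded directly
        return "uploaded"

    def download(self, url: str, name: str, data: bytes) -> str:
        decision = self._lookup_policy(url)
        if decision == DENY:
            return "blocked"
        self.direct_requests += 1            # file fetched directly
        if decision != SECURE:
            self.download_folder[name] = data
            return "released"
        self.quarantine[name] = data         # held until the scan verdict
        self.provider_round_trips += 1       # copy sent for scanning
        if scan(data):
            del self.quarantine[name]
            return "deleted"
        self.download_folder[name] = self.quarantine.pop(name)
        return "released"


def demo():
    """Run a constructed browsing session and return (outcomes, agent)."""
    agent = Agent("engineering", "managed-laptop")
    outcomes = [
        agent.browse("https://news.example.org/today"),       # lookup, then direct
        agent.browse("https://news.example.org/sports"),      # cached, direct only
        agent.browse("https://bad.example.net/"),             # lookup, denied
        agent.upload("https://files.example.com/up", b"CONFIDENTIAL roadmap"),
        agent.upload("https://files.example.com/up", b"lunch menu"),
        agent.download("https://files.example.com/dl", "tool.bin", b"MALWARE-SAMPLE-MARKER"),
        agent.download("https://files.example.com/dl", "notes.txt", b"meeting notes"),
    ]
    return outcomes, agent


if __name__ == "__main__":
    outcomes, agent = demo()
    print(outcomes)
    print("provider round trips:", agent.provider_round_trips,
          "direct exchanges:", agent.direct_requests)
```

Note that in this model the provider only ever sees policy lookups and file copies; the page content itself is never relayed, which is the distinction the post draws between this design and a full-proxy SWG.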

Since file uploads and downloads are a small fraction of typical web traffic, the net effect of Bitglass’ unique SmartEdge SWG architecture is to significantly increase effective throughput. For example, when Bitglass was competing against two other SWG vendors for a SWG deployment for a Fortune 100 company, in benchmark tests over 2 Mbps internet connections, Bitglass had nearly double the performance compared to the other vendors.

The Bitglass SWG architecture also enhances security and manageability with our unique method of managing SSL certificates needed for communication between the SmartEdge agent and our infrastructure on AWS. With most SWG vendors, to allow encrypted communication between the device and the vendor’s cloud infrastructure, the customer must store their own private key and associated certificate on the vendor's hosted server, with the associated loss of trust. In addition, the customer has to manage client certificates on each endpoint.

Bitglass eliminates these requirements with our patent-pending Trapdoor Proxy technology. Here, Bitglass uses self-managed keys and certificates on our hosted servers. There is no need to place institutional keys and certificates in the cloud, mitigating risk. In addition, each SmartEdge agent carries a fully functional crypto engine. Keys and certificates are self-generated periodically on the endpoint agent. Even if a device is stolen or compromised, the keys on the device cannot be used to spoof any other device. In addition to enhancing security, there is no administrative overhead required to manage certificates on the endpoints.

Bitglass’ unique on-device SWG architecture provides clear advantages with respect to performance, security, and ease of management.

To get the full details on what to look for in modern SWGs, as well as a list of evaluation questions to consider, download our Secure Web Gateway Buyer’s Guide.
