For teams running secure web gateways (SWGs), also referred to as proxies, in today’s complex, dynamic network environments, extensive observability is a must-have. Symantec offers a range of flexible deployment options for its SWGs, with support for cloud, edge, and hybrid approaches. This blog explores a Broadcom solution that provides comprehensive observability for the Symantec edge offering, Symantec Edge SWG (formerly ProxySG). With this Broadcom solution, network security and operations teams can establish concrete baselines and gain insights for optimally managing their entire Edge SWG estate. (Note: For information on monitoring Symantec Cloud SWG, read the recent blog post.)
How to Gain Visibility to Boost Security and Performance
For today’s network operations teams, optimizing both network security and performance is more vital than ever. However, meeting these objectives keeps getting more difficult. Business services continue to rely on increasingly complex, dynamic, and multi-cloud network environments. In these environments, it gets ever more difficult to authoritatively track and manage performance and ensure security policies are consistently adhered to.
Hurdles Posed by Edge SWG
Edge SWG runs on premises, and is available on either a physical or virtualized appliance. When teams are running Edge SWG appliances, they can encounter some unique challenges. The solution’s advanced policy engine and sophisticated rules can introduce processing overhead, which comes at a cost from a performance standpoint. However, most teams lack visibility into the details of this processing, which can exacerbate the challenges associated with managing network performance and security in modern environments.
When running Edge SWG, teams often view the platform as a black box, because they lack the ability to get in-depth statistics on overall processing performance and on the performance of the specific modules within it. Furthermore, given the many advanced integrations Edge SWG enables, teams have a great deal of flexibility in terms of solution deployment. However, these different options can also introduce complexity in terms of configuring and tracking proxy performance.
Where Traditional Monitoring Falls Short
Within most enterprises, teams have been leveraging traditional monitoring solutions to track various network devices, such as proxies, firewalls, and routers. These tools support tracking device availability (up/down), CPU utilization, memory, sessions, and other types of aggregated statistics.
While traditional monitoring approaches are necessary to gain visibility into the health and status of devices that comprise the network, they don’t provide a complete and holistic view of the network. Failures aren’t typically as simple as a device going down or running out of resources. An end-to-end view is needed to truly understand how the network is performing and what the end-user experience is like.
More specifically, traditional monitoring solutions lack in-depth visibility into Edge SWG. Edge SWG terminates connections and performs advanced threat processing based on the actual content or payload, rather than relying on packet-based approaches. Because these capabilities extend beyond session- or flow-based approaches, traditional solutions lack detailed visibility into this advanced processing stack.
Implications of a Lack of Visibility
Since teams lack visibility into the overhead added by the solution, whenever network issues arise, the Edge SWG platform is often erroneously viewed as the cause. This presents a number of problems. Fundamentally, if the Edge SWG is erroneously blamed for an issue, teams may not continue the effort needed to find the real root cause. Further, if a problem isn’t correctly understood, the proposed “solution” may do more harm than good.
Requirements: SWG Observability
To overcome these obstacles, teams need detailed Edge SWG observability. By gaining this observability, teams can track the performance “cost” of each step in an Edge SWG transaction. Edge SWG observability enables teams to monitor key metrics, trace the cost of processing web requests, and generate logs to feed into dashboards. In this way, teams can gain the insights they need to proactively manage their Edge SWG deployments.
The Broadcom Solution
Broadcom now delivers a complete solution that enables you to gain comprehensive observability in your Edge SWG deployments. With this solution, you can establish concrete baselines and leverage insights for optimally managing your entire Edge SWG estate. The solution features two key elements:
- AppNeta. AppNeta provides active synthetic network and application testing, delivering rich metrics based on path, packet, web, and flow data.
- DX NetOps. DX NetOps offers comprehensive network monitoring for traditional, software-defined, and cloud-based architectures. DX NetOps provides unified visibility, high scalability, and advanced analytics.
With the Broadcom solution, teams can validate the overall performance of Edge SWG, monitor capacity and health, and gain the detailed visibility needed to troubleshoot issues. With this solution, organizations can fully leverage their Edge SWG investments and boost operational efficiency in managing their complex network environments. All customers who are running current versions of Edge SWG can harness the Broadcom solution.
In the following sections, we offer a look at how the solution delivers comprehensive Edge SWG observability, and the advantages the solution provides.
How the Solution Works with Symantec Edge SWG
Following is an overview of how the solution works:
- AppNeta is deployed within the customer’s network, often within the DMZ.
- AppNeta is then configured to continuously send identical synthetic web requests through Edge SWG.
- AppNeta can deliver visibility into Edge SWG’s advanced Layer 4-7 processing of traffic.
- The solution records all timing details, including the processing time required by each specific Edge SWG module.
- This information is fed into the event log.
- The event log is in turn fed into DX NetOps, which is typically deployed in the network operations center.
Benefits: How the Solution Can Help
Detailed Visibility into Edge SWG
The Broadcom solution provides the visibility to look at the processing time of specific components within the proxy and measure total processing time. With the solution, teams can monitor the complete Edge SWG estate and the entire network delivery path.
The solution provides visibility into the entire Edge SWG processing stack, including DNS, authentication, categorization, TLS handshake, advanced threat protection analysis, and upstream server response time. If the Edge SWG appliance is running at 70-80% CPU usage, teams can not only find that out, but determine which specific modules are consuming that CPU and how that compares to baselines.
The solution’s consistent submission and measurement of requests is critical. While end-user requests are logged all the time, those requests vary substantially, including in terms of when they’re made, the resources accessed, the activities performed, the network routes taken, and so on. This variability makes it difficult, if not impossible, to establish realistic baselines.
The Broadcom solution uses periodic and regular synthetic requests, that is, transactions running over the same network path, accessing the same resources, and so on. In this way, teams can gain a clear picture of what baselines are.
Through these consistent requests, teams can distinguish between legitimate anomalies and differences that may be associated with such variables as time of day or day of week. For example, teams can understand normal response times for a request made at 2:00 pm (when usage is extremely high) versus 2:00 am (when usage is extremely low).
Holistic and Granular Insights
With the Broadcom solution, your teams can establish baselines for each individual component and for the Edge SWG appliance overall. Further, you can gain end-to-end visibility across all the network environments your users’ transactions rely upon, whether traffic runs across internally managed networks; external ISP, SaaS, or cloud provider networks; or any combination thereof.
The Broadcom solution can derive dynamic thresholds from these baselines, enabling teams to analyze data effectively, filter out redundant event noise, and establish intelligent baselines and alerting thresholds.
If the SWG is under duress and running “hot,” for example due to a high volume of connections, all requests will be affected, including the synthetic traffic as well as user-initiated interactions. In this way, performance issues can immediately be identified and acted upon.
Alerts can be generated when specific components exceed established thresholds. For example, if a TLS handshake that typically takes 9 ms suddenly takes 900 ms, administrators can immediately be alerted and start diagnosing the issue.
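As an added illustration of the workflow described in the overview (synthetic requests, per-module timings written to an event log, baselines and alerting) and of the threshold example just given, the Python below is example code written for this post, not Broadcom, AppNeta, or DX NetOps code. It parses constructed event-log records of synthetic transactions, builds a per-stage baseline for each hour of the day, and flags any stage whose timing exceeds a dynamic threshold, so the 9 ms versus 900 ms TLS handshake case and the 2:00 pm versus 2:00 am distinction both show up. The record format, the stage field names, and the median/MAD threshold rule are assumptions, not the product’s own.

```python
import re
from collections import defaultdict
from statistics import median

# Stages of the Edge SWG processing stack named in the post. The field names
# and the record format below are assumptions made for this example.
STAGES = ("dns", "auth", "categorization", "tls_handshake", "atp", "upstream")
RECORD_RE = re.compile(
    r"^\d{4}-\d\d-\d\dT(?P<hour>\d\d):\d\d:\d\dZ\s+(?P<fields>.+)$"
)

# Constructed sample records (not real product output): one synthetic
# transaction per minute, per-stage timings in milliseconds. The 14:xx
# samples represent peak hours, the 02:xx samples a quiet period.
SAMPLE_LOG = """
2024-05-01T14:00:05Z dns=4 auth=12 categorization=3 tls_handshake=9 atp=40 upstream=120
2024-05-01T14:01:05Z dns=5 auth=11 categorization=3 tls_handshake=10 atp=42 upstream=118
2024-05-01T14:02:05Z dns=4 auth=13 categorization=4 tls_handshake=9 atp=39 upstream=125
2024-05-01T14:03:05Z dns=4 auth=12 categorization=3 tls_handshake=8 atp=41 upstream=121
2024-05-01T14:04:05Z dns=6 auth=12 categorization=3 tls_handshake=9 atp=40 upstream=119
2024-05-01T14:05:05Z dns=4 auth=14 categorization=3 tls_handshake=10 atp=43 upstream=122
2024-05-02T02:00:05Z dns=3 auth=6 categorization=2 tls_handshake=8 atp=20 upstream=60
2024-05-02T02:01:05Z dns=3 auth=7 categorization=2 tls_handshake=9 atp=21 upstream=58
2024-05-02T02:02:05Z dns=4 auth=6 categorization=2 tls_handshake=8 atp=19 upstream=62
2024-05-02T02:03:05Z dns=3 auth=6 categorization=3 tls_handshake=8 atp=20 upstream=61
2024-05-02T02:04:05Z dns=3 auth=7 categorization=2 tls_handshake=9 atp=22 upstream=59
2024-05-02T02:05:05Z dns=3 auth=6 categorization=2 tls_handshake=8 atp=20 upstream=60
"""


def parse_record(line):
    """Parse one record into (hour_of_day, {stage: ms, ..., 'total': ms})."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    timings = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        if key in STAGES:
            timings[key] = float(value)
    missing = [s for s in STAGES if s not in timings]
    if missing:
        raise ValueError(f"record lacks stages {missing}: {line!r}")
    timings["total"] = sum(timings[s] for s in STAGES)
    return int(m.group("hour")), timings


def build_baselines(log_text):
    """Group observed timings by (hour of day, stage) so that a 2:00 pm
    request is compared only with other 2:00 pm requests."""
    samples = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            hour, timings = parse_record(line)
            for stage, ms in timings.items():
                samples[(hour, stage)].append(ms)
    return samples


def dynamic_threshold(values):
    """Upper bound for a stage: median plus three scaled MADs, floored at
    50% of the median (minimum 1 ms) so a perfectly flat baseline does not
    alert on sub-millisecond jitter."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    sigma = 1.4826 * mad  # MAD scaled to the sigma of a normal distribution
    return med + max(3 * sigma, 0.5 * med, 1.0)


def evaluate(line, baselines):
    """Return [(stage, observed_ms, threshold_ms)] for every stage of the
    record that exceeds its hour-of-day threshold, sorted by stage name."""
    hour, timings = parse_record(line)
    alerts = []
    for stage, observed in timings.items():
        history = baselines.get((hour, stage))
        if not history:
            raise ValueError(f"no baseline for hour {hour:02d}, stage {stage}")
        limit = dynamic_threshold(history)
        if observed > limit:
            alerts.append((stage, observed, round(limit, 2)))
    return sorted(alerts)


if __name__ == "__main__":
    baselines = build_baselines(SAMPLE_LOG)
    # A peak-hour request whose TLS handshake jumps from ~9 ms to 900 ms.
    slow_tls = ("2024-05-01T14:30:05Z dns=4 auth=12 categorization=3 "
                "tls_handshake=900 atp=40 upstream=120")
    for stage, observed, limit in evaluate(slow_tls, baselines):
        print(f"ALERT {stage}: {observed:.0f} ms > threshold {limit} ms")
    # Identical timings are anomalous at 02:30 but normal at 14:31.
    night = "2024-05-02T02:30:05Z dns=3 auth=6 categorization=2 tls_handshake=8 atp=20 upstream=110"
    day = "2024-05-01T14:31:05Z dns=3 auth=6 categorization=2 tls_handshake=8 atp=20 upstream=110"
    print("02:30 alerts:", evaluate(night, baselines))
    print("14:31 alerts:", evaluate(day, baselines))
```

The slow handshake trips both the `tls_handshake` threshold and the `total` threshold, which is the pattern an operator wants: the aggregate shows that the proxy is slow, and the per-stage alert says which module is responsible. The night-time record shows why baselines are keyed by hour of day: an upstream response of 110 ms is far above the quiet-period norm but well inside the peak-hour one, so the same timings alert at 02:30 and stay silent at 14:31. In a production pipeline the baseline window would be days or weeks of records rather than six minutes, and the floor in `dynamic_threshold` would be tuned per stage.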
Fast Root Cause Identification
When issues arise, teams can authoritatively determine whether the Edge SWG appliance is at fault or not. If there is an issue with Edge SWG, administrators can immediately determine which module is the cause. This means teams can much more quickly and intelligently focus their efforts on addressing the real problem.
Specific Use Cases
By leveraging the Broadcom solution, teams can address a number of use cases:
- Remote diagnostics. Perform objective, efficient diagnosis and troubleshooting in remote environments.
- Policy validation. Make sure your organization is consistently complying with security policies and regulatory mandates.
- Managing upgrades and cloud migrations. Monitor SWG behavior and user experience before, during, and after an upgrade or cloud migration.
To achieve their organization’s availability and security imperatives, today’s teams can’t afford to have blind spots. With the Broadcom solution, teams can eliminate the potential blind spots associated with Edge SWG environments. With the solution, teams can gain comprehensive observability, so they can effectively track behavior, address issues, and optimize performance.
To see the Broadcom solution for yourself, be sure to request a demo.