Traffic patterns are changing on corporate wide area networks (WANs) and this is leading to the need for new architectures and use of new services. In “the olden days” the corporate data centre (or multiple data centres) was the destination for most traffic from branches, offices, factories etc., as the important traffic used applications, built and hosted by the corporation in these data centres. Employees did want and need to access the public internet, so this access was provided from selected data centres where corporations would spend their capital buying servers and licences for firewalls and for URL filtering – the ability to apply policies to limit which websites employees could access.

Hub and spoke architectures

This “hub and spoke” architecture limited the number of locations where this expensive equipment was required, but also sometimes created poor user experience as traffic was “tromboned” between a local machine and local website via a data centre perhaps on another continent. As cyber-security became an increasing issue, additional facilities were added at these secure web gateway locations, antivirus and Data Loss Protection (DLP) along with the ability to create and terminate secure socket layer (SSL) connections, and perhaps the creation of a “sandbox” environment, which is where you could check out suspicious code before allowing it into the network.

Change in traffic destination

The economics of scale which have enabled telecoms service providers to offer “virtual private networks” at far lower cost than each customer building his own “actual private network” entered the computing and applications space. Gartner logged a 37% pa rise in spending on Infrastructure as a Service (IaaS)in 2019 as offerings such as Amazon Web Services, Microsoft Azure and Alibaba Cloud lured processing from corporate data centres to cloud locations. Similar changes drove applications such Microsoft Office from enterprise data centre deployments to the Software as a Service (SaaS) subscription-based services, in this case O365 – which Microsoft report is growing at 65% per year. With all of these locations easily accessible from the public internet.

Impact on Secure Web Gateways

As more and more corporate traffic needed to leave the “walled garden” corporate network, the secure web gateways needed to grow and increasingly became pinch-points for performance both in throughput and latency. The same cloud economics that drove IaaS and SaaS could be applied to secure web gateways, leading to the rise of the cloud-based secure web gateway. However, hub and spoke architectures still imposed the latency issues, hence the drive for local internet breakout to directly access internet-based destinations from branch, HQ or factory locations.  Here the cost of replicating a mini version of a secure web gateway at each location again drove the attractiveness of access a cloud-based secure web gateway from remote sites, and even from roaming devices such as laptops and phones.

Gartner Category

Late last year, Gartner published its annual Magic Quadrant for Secure Web Gateways – the report is available via the Zscaler website here – where Gartner define a secure web gateway as needing to provide three key functions; URL filtering, malware protection and application filtering. Gartner put the market size in 2019 as just over $2bn but others have a broader definition with larger market sizes and forecast growth rates between 15% and 20% pa.

Cloud-based solutions are growing the fastest, but just as hub and spoke architectures still remain in many networks, hardware-based solutions still comprise around 50% of the market, according to Gartner.

Clear Blue Water

This Magic Quadrant report is somewhat of a rarity, as only one company is shown within the “Leader” quadrant with clear blue water between it and the “Challengers” (based on ability to execute) and the “Visionaries” (based on completeness of vision). That company is Zscaler, who are synonymous with the cloud based secure web gateway solution and are still purportedly growing their market share. Zscaler have their equipment at around 150 locations worldwide – this scale being an advantage as connections are typically required to two separate cloud nodes and performance dependant on being close to these nodes. To access the service, secure tunnels are created using GRE or IPSec technology to one of the secure gateway nodes at these locations – called a Public Service Edge node (and formerly called a ZEN node), and a back-up tunnel created to a second Public Service Edge node. All traffic to internet-based locations is then routed over this tunnel, and return traffic only accepted within this tunnel. The router or firewall that creates this tunnel blocks all other inbound traffic from the internet, ensuring a secure perimeter is maintained.

Other key players of note

Broadcom have a strong offer in the market following their acquisition of Symantec in 2019.  Symantec have a very strong premise-based (hardware) offer and are expanding their cloud-based service which they are hosting in Google Cloud. Cisco also have a strong offer here. They have a range of premise-based solutions termed Web Security Appliance, but are putting most of their focus into the cloud-based Umbrella service. This differs from Zscaler as it leads with a “recursive DNS” filter – just the initial DNS query (the query that translates a URL to an IP address) is sent to the cloud and if blacklisted or risky then the connection is not made. This is a simple approach for an initial move into cloud-based secure web gateways, to which can be added the full range of secure web gateway features, Firewall as a Service and Cloud Access Security Broker etc later as required.

Forcepoint and McAfee both offer premise-based and cloud-based services, neither with the footprint of Zscaler however. Likeke Zscaler, Cisco and Broadcom, a range of advanced services on top of the basic secure web gateway minimums. For those in the Asia Pacific region, most especially China, both QI-ANXAN and Sangfor Technology offer primarily premise-based solutions suitable from small and medium sized customers as well as corporations.

Increasing the attractiveness of internet-based WANs

A move from “walled garden” MPLS to use of internet transport and local breakout need no longer by a route to increased security risk.  By adding the capabilities of the secure web gateway vendors to new WAN solutions based on internet and exploiting technologies such as SD-WAN, corporates can save money and enhance user experience.

Here at Brodynt we specialise in finding the best internet transport and providing an overall service management wrap to enable you to focus on deploying a range of technologies to meet enterprise needs.

Have a question? Get in touch!

You are always welcome to drop us an e-mail to and one of our Account Managers will be happy to assist you! Alternatively, engage in a discussion by leaving a comment below and don’t forget to share the article with your friends and colleagues!