Zscaler Offers Secure Web Gateway Features: Review

The recent 3.0 release brings together just about every security feature that could be offered via proxy in a straightforward GUI, yet several flaws remain

Spyware also can be blocked by category. For example, I could allow password-stealers while blocking all others, although I’m not sure why someone would do that. Browser control is somewhat interesting. I could easily enforce policy to block older browsers with known vulnerabilities or simply block a browser entirely. In my testing, the service blocked about three quarters of the malware downloads that I attempted over HTTP.

Under Advanced Threats, I found a lot of settings designed to address today’s malware threats. There are settings for blocking botnet traffic to known command-and-control servers, ActiveX controls, known and suspected phishing sites, IRC tunneling, anonymisers, Cross-Site Scripting, and also traffic destined to countries or regions. (It was preconfigured to block China, and I easily added Russia and Brazil.)

There also are extensive controls for allowing or blocking P2P file-sharing such as BitTorrent and eDonkey, as well as P2P anonymisers such as Tor and P2P VoIP (voice over IP) such as Skype and Google Talk. For some strange reason, all this P2P stuff was configured to be allowed by default, but after a few clicks, I shut it all down. One thing I really liked is a reminder to save and activate changes: Far too many web GUIs have allowed me to wander off a page without saving settings.

It was also very easy for me to set policies to block various content categories of websites. It’s possible to set different configurations for different locations, so I could block gambling sites from the office but allow them to be accessed from outside the office. I could also block or allow access to various webmail sites. The same goes for streaming media sites and social networks and blogs.

Rules can be pretty complex. For example, instead of simply blocking Twitter, I could configure Zscaler to allow reading but not posting. However, content filtering worked about as well as it does with most of the other products in this category, meaning that the same weaknesses regarding identification of sites and correctly categorising them by content and not by URL are present. For instance, blogs hosting image thumbnails of pornography are not correctly classified as pornography.

Bandwidth control

It started to get really interesting when I drilled down into bandwidth control features. The service comes preconfigured with seven types of application classes, including “general surfing” and “large files.” It’s also possible to add application classes.

Then, under bandwidth policy, I could allocate minimum and maximum bandwidth by application class. For example, I could allow 100 percent of bandwidth for web conferencing but only 10 percent for streaming media. Although this was one of the most interesting features to play with, I was unable to assign bandwidth by user, which makes this feature moot because we all know that a security administrator could never subject the CEO to the same streaming media bandwidth rules as a regular employee. I worked around this by creating users and groups and then applying different bandwidth rules on a site-by-site basis.

Then I clicked on Administration and drilled down to Admin & User Accounts. Users can be forced to authenticate against a hosted user database, Microsoft Active Directory or OpenLDAP. I could show an acceptable usage policy for every session, day or week—or never.

I liked the role-based system administrator options, which allowed me to limit access to the GUI and certain settings. I also liked the ability to define various real-time alerts, such as this: “If three virus download attempts are made within five minutes, then issue an alert via email and/or RSS.”
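The threshold alert quoted above ("three virus download attempts within five minutes") is a sliding-window count per user. The following is an added illustration of that logic, not Zscaler's code; the log format and the sample lines are constructed for the example, and the window resets after each alert so one burst raises one notification.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample proxy log (hypothetical format, not Zscaler's):
# timestamp user action category url
SAMPLE_LOG = """\
2024-03-01T09:00:05 alice BLOCKED virus http://example.invalid/a.exe
2024-03-01T09:01:10 alice BLOCKED virus http://example.invalid/b.exe
2024-03-01T09:02:30 bob ALLOWED general http://example.invalid/index.html
2024-03-01T09:03:45 alice BLOCKED virus http://example.invalid/c.exe
2024-03-01T09:20:00 bob BLOCKED virus http://example.invalid/d.exe
2024-03-01T09:21:00 bob BLOCKED virus http://example.invalid/e.exe
2024-03-01T09:30:00 bob BLOCKED virus http://example.invalid/f.exe
"""

def parse_line(line):
    ts, user, action, category, url = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, action, category, url

def virus_download_alerts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (user, timestamp) each time a user's blocked virus downloads
    within the trailing window reach the threshold."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, category, _url = parse_line(line)
        if action != "BLOCKED" or category != "virus":
            continue
        q = recent[user]
        q.append(ts)
        # Discard events that have aged out of the trailing window
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()  # one alert per burst, then start counting again
    return alerts

if __name__ == "__main__":
    for user, ts in virus_download_alerts(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} user={user}")
```

Alice's three blocked downloads fall inside five minutes and raise one alert; Bob's three are spread over ten minutes and do not.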