Skyhigh Security

Recommendations for SWG Hardening

SWG Application Hardening

Skyhigh Security recommends the following configurations to harden your SWG application in Skyhigh Secure Web Gateway (On-Prem).

Configure User Roles for SWG Management UI

Skyhigh Security recommends that you assign a distinct role to each Admin user and establish an access control mechanism when multiple admins access the SWG Management User Interface. To configure user roles for the SWG Management UI:

  • To create roles based on Admin delegations, go to Accounts > Roles > Add.
  • To modify existing roles for an Admin, go to Accounts > Roles > Edit.

Enable HTTPS Connector

Enable the HTTPS Connector in Secure Web Gateway so that the connection between the browser and the SWG Management UI is encrypted. To enable the HTTPS Connector:

  • Go to Configuration > Appliances > (Appliance ID) > User Interface > UI Access > HTTPS Connector.
  • If you do not require access to the REST interface, make sure that Enable REST-Interface over HTTPS is not selected.

Disable HTTP Connector

Disable the HTTP Connector in Secure Web Gateway so that no plain-text connection can be established between the browser and the SWG Management UI. To disable the HTTP Connector:

  • Go to Configuration > Appliances > (Appliance ID) > User Interface > UI Access > HTTP Connector.
  • If you do not require access to the REST interface, make sure that Enable REST-Interface over HTTP is not selected.

Configure Login Message for SWG Management UI

You can configure the login banner in Secure Web Gateway to display important organizational disclaimers or warnings to users at login. To configure the login message:

  • Go to Configuration > Appliances > (Appliance ID) > User Interface > Login Message.

Change Default Password for SWG Management UI

Change the default password that is used to access the SWG Management UI. To change the default password:

  • Go to Accounts > Administrator Accounts > Admin > Set a new Password.

NOTE: Make sure that the new password meets the minimum password requirements of eight alphanumeric characters, one lowercase letter, one uppercase letter, and one number.

Substitute User Interface SSL Certificate

Replace the default CA for the SWG Management UI with an organization-approved Certificate Authority, and make sure that users' browsers are configured to trust sites signed by that CA.

Maximum Users Allowed for SWG Management UI

For optimal access control to the SWG Management UI, set the maximum number of users that may be logged in to the UI at the same time.

  • Go to Configuration > Appliances > (Appliance ID) > User Interface > HTML UI > Maximum number of simultaneous users (1-999).

Recommended Additional Controls for SWG Management UI

  • You can configure HTTPS Client Certificate Authentication for stronger access control under Accounts.
  • Additionally, you can use external authentication services such as NTLM, LDAP, and RADIUS for user logins.

Disable SNMP Services

  • By default, SWG opens ports 9161 and 161 for SNMP communication.
  • Unless SNMP is required, disable it under Configuration > Appliances > (Appliance ID) > SNMP > SNMP Port Settings > Listener address List.

Change Default SNMP Listener Address

  • Go to Configuration > Appliances > (Appliance ID) > SNMP > SNMP Port Settings > Listener address List.
  • Change the default listener address from 0.0.0.0:<Port> to <Listener IP>:<Port> so that SNMP listens only on the intended interface.
Network Interface Segregation

Ensure dedicated network interfaces are configured for external and internal traffic segments.

  • Select the appropriate interfaces under Configuration > Appliances > (Appliance ID) > Network Interfaces > Network Interface Settings.

Enable SWG Management UI Access over Internal Facing Network Subnets

Make sure that the SWG Management UI (ports 4711 or 4712) is reachable only from internal-facing networks.

  • Go to Configuration > Appliances > (Appliance ID) > User Interface > UI Access > HTTPS Connector > HTTPS Connector.
  • Configure an explicit interface IP address followed by the port, in the format IP:Port.

Substitute Proxy SSL Scanner CA Certificate

Replace the default SWG SSL Scanner certificate with an organization-approved certificate signed by a dedicated CA, and make sure that users' browsers are configured to trust sites signed by that CA.

  • Go to Policy > SSL Client Context with CA and replace the Certificate Authority or add a new one.
  • You can configure an HSM (Entrust, Luna) to enhance the protection of your private keys.

Proxy Access for Authorized Users Only

You can leverage the Authentication and Authorization rule set schemas present under Rule Library to ensure that Proxy access is strictly controlled and available only to intended users.

  • Use the template under Policy > Settings > Block > Authorized Only to draft suitable warning messages for unauthorized proxy access attempts.
  • Deploy the SWG proxy together with an appropriate firewall so that only the intended traffic is sent to the filtering proxies.
  • You can also use external services such as LDAP and NTLM for user authentication.

SWG Log Preservation for Auditing and Archival

Skyhigh Security highly recommends that you configure a remote host to capture SWG logs for long-term storage, archival, and analysis.

  • Follow appropriate instructions for rsyslog and Splunk integrations.

SWG OS Hardening

Skyhigh Security recommends the following configurations to harden your SWG operating system in Skyhigh Secure Web Gateway (On-Prem).

Ensure SSH Access only over Internal Facing Network Subnets
  • Block SSH access (port 22) from external networks by setting the ListenAddress parameter in the file /etc/ssh/sshd_config to the appropriate internal network address. Use Configuration > File editor > sshd_config to make changes to system files.
  • For example, ListenAddress <eth0 IP>.
  • Verify by running netstat -alnp | grep sshd and checking the IP address on which sshd is listening.

SSH Warning Banner

Skyhigh Security recommends that you display the SSH Banner with appropriate organizational disclaimers/warnings before SSH login attempts.

  • Configure the Banner parameter in the file /etc/ssh/sshd_config. Skyhigh Security recommends that you change the default banner text in the file /etc/issue.net. Use Configuration > File editor > sshd_config to make changes to system files.
  • For example: Banner /etc/issue.net

Additional SSH Security Recommendations
  • Enable PAM RADIUS authentication for SSH logins.
  • Disable root login by ensuring that PermitRootLogin is set to no in /etc/ssh/sshd_config.
  • Consider enabling SSH public key authentication by configuring appropriate keys and setting PubkeyAuthentication to yes.
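
The following shell script, added here as an example and not part of the Skyhigh documentation, audits sshd_config text against the four SSH recommendations above (ListenAddress, Banner, PermitRootLogin, PubkeyAuthentication). The configuration text is a constructed sample; on an appliance you would pass the contents of /etc/ssh/sshd_config instead.

```shell
#!/bin/sh
# Constructed sample of the kind of content reached through
# Configuration > File editor > sshd_config (not from a real appliance).
SAMPLE_SSHD_CONFIG='Port 22
ListenAddress 0.0.0.0
#Banner none
PermitRootLogin yes
PubkeyAuthentication yes
'

# Print every value set for a keyword, one per line. sshd keywords are
# case-insensitive; commented lines are skipped because "#Key" never matches.
# Only the whitespace-separated form is handled (Match blocks are not evaluated).
sshd_values() {
    printf '%s\n' "$1" | awk -v key="$2" 'tolower($1) == tolower(key) { print $2 }'
}

# Return 0 when the config meets the recommendations above, otherwise print one
# FINDING line per deviation and return 1.
audit_sshd_config() {
    cfg="$1"; rc=0
    # Every ListenAddress line is effective, so one wildcard bind is enough to fail.
    las=$(sshd_values "$cfg" ListenAddress)
    if [ -z "$las" ] || printf '%s\n' "$las" | grep -Eq '^(0\.0\.0\.0|\[?::\]?)(:[0-9]+)?$'; then
        echo "FINDING: ListenAddress binds all interfaces; set it to the internal interface IP"; rc=1
    fi
    banner=$(sshd_values "$cfg" Banner | head -n 1)
    if [ -z "$banner" ] || [ "$banner" = none ]; then
        echo "FINDING: no Banner configured; set Banner /etc/issue.net"; rc=1
    fi
    prl=$(sshd_values "$cfg" PermitRootLogin | head -n 1)
    if [ "$prl" != no ]; then
        echo "FINDING: PermitRootLogin is '${prl:-unset}'; set it to no"; rc=1
    fi
    # OpenSSH defaults PubkeyAuthentication to yes, so only an explicit other value is a finding.
    pka=$(sshd_values "$cfg" PubkeyAuthentication | head -n 1)
    if [ -n "$pka" ] && [ "$pka" != yes ]; then
        echo "FINDING: PubkeyAuthentication is '$pka'; set it to yes"; rc=1
    fi
    return $rc
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "sshd_config does not meet the recommendations"
```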
Linux Password Complexity

Skyhigh Security recommends that administrators configure complex Unix passwords that are more than 8 characters long and contain lower-case, upper-case, numeric, and special characters.

Obfuscate Default System Hostname String
  • The default system hostname may reveal the presence of SWG proxy software at CLI login.
  • Use the command hostnamectl set-hostname new-hostname to change the default system hostname.

Disable Unused System Ports

  • Unless active proxy interception is required for the respective protocol, disable the following ports under Configuration > Appliances > (Appliance ID) > Proxies (..):
    • FTP: 2121
    • ICAP: 1344
    • TCP: 9100
    • IFP: 4005
    • XMPP: 5222

Restrict System Ports Opened on Dedicated Listener Addresses for HTTP, FTP, ICAP, and SOCKS Protocols

  • Change the default listener address from 0.0.0.0:<Port> to <Listener IP>:<Port>.
  • For example, go to Configuration > Appliances > (Appliance ID) > Proxies (..) > HTTP Proxy.
  • Repeat for FTP Proxy, ICAP Server, SOCKS Proxy, TCP Proxy, IFP Proxy, and XMPP Proxy.
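
As an added example (not from the Skyhigh documentation), this shell script checks output in the layout of netstat -alnp for sockets still bound to 0.0.0.0 or :: on the ports named in the SNMP, Management UI, SSH and proxy sections above, which is the verification a practitioner would run after changing listener addresses. The netstat text, addresses and process names are constructed samples; the port-to-protocol mapping is taken from this page.

```shell
#!/bin/sh
# Ports this page asks to bind to a dedicated listener address or to disable,
# as port:label pairs (mapping taken from the sections above).
HARDENED_PORTS='22:SSH 161:SNMP 9161:SNMP 4711:MgmtUI 4712:MgmtUI 2121:FTP 1344:ICAP 9100:TCP 4005:IFP 5222:XMPP'

# Constructed sample in the column layout of `netstat -alnp`; addresses and
# process names are invented, not a capture from a real appliance.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 10.10.1.5:4712          0.0.0.0:*               LISTEN      1410/ui
tcp        0      0 0.0.0.0:2121            0.0.0.0:*               LISTEN      1522/proxy
tcp        0      0 10.10.1.5:1344          0.0.0.0:*               LISTEN      1522/proxy
tcp        0      0 10.10.1.5:5222          10.10.9.9:60012         ESTABLISHED 1522/proxy
udp        0      0 0.0.0.0:161             0.0.0.0:*                           933/snmpd
'

# Print "PORT LABEL PROGRAM" for every TCP listener or UDP socket bound to a
# wildcard address (0.0.0.0, :: or [::]) on one of the page's ports.
wildcard_listeners() {
    printf '%s\n' "$1" | awk -v ports="$HARDENED_PORTS" '
        BEGIN {
            n = split(ports, pairs, " ")
            for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); label[kv[1]] = kv[2] }
        }
        $1 !~ /^(tcp|udp)/ { next }            # header line and non-IP sockets
        $1 ~ /^tcp/ && $6 != "LISTEN" { next } # established TCP connections
        {
            addr = $4; port = $4
            sub(/.*:/, "", port); sub(/:[0-9]+$/, "", addr)
            if (!(port in label)) next
            if (addr != "0.0.0.0" && addr != "::" && addr != ":::" && addr != "[::]") next
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print port, label[port], prog
        }'
}

# Return 0 when no page-listed port is bound to all interfaces, otherwise print
# one FINDING line per socket and return 1.
check_listeners() {
    out=$(wildcard_listeners "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out" | while read -r port label prog; do
        echo "FINDING: $label port $port ($prog) is bound to all interfaces; bind it to a dedicated listener IP or disable it"
    done
    return 1
}

check_listeners "$SAMPLE_NETSTAT" || echo "listener addresses need hardening"
```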
Update SWG Appliance Software

Refer to the Best Practices guide to update the Web Gateway Appliance software and adhere to appropriate instructions for upgrade based on the Controlled or Main release.

Maintenance/Reboot Recommendations
  • Back up the entire SWG application configuration regularly, and especially before any major modification, by selecting Troubleshooting > Backup/Restore > Backup to file.
  • Reboot the appliance after applying the above changes and after any software update to the appliance.
  • Security bulletins with details on the vulnerability, affected versions, CVSS score, description, and fixed versions are published to the KB center (https://kcm.trellix.com/corporate/index?page=content&id=SBXXXXX) after the vulnerability is fixed, together with the release.