Hi. Welcome to Module 2, Lesson 3.2.
In this lesson, we're gonna discuss web proxies. Web proxies are just those devices that we funnel end users through when they're trying to access the Internet.
We'll talk about the functionality of Web proxies. What are they and how do we best implement them?
We'll talk about the differences between transparent and explicit proxies.
We'll discuss categories and policies, and how we can combine those and use those to create our overall protection between that end user and that web destination.
And then we'll talk about some of the benefits of logging, specifically in the proxy environment: some of the things we can see with proxy logging and how we can use those things.
Let's first talk about Web proxy functionality.
The problem before proxies: you have an end user that's just trying to connect to something out there on the Internet, and there's a whole host of security issues.
First of all, their IP address is exposed. That end user actually has to have a public IP address. It's exposed out there on the web, and that opens it up to potential attack.
The protection in that case also relies on the endpoint. So we're relying on whatever antivirus or whatever systems we have deployed on the endpoint itself to protect it from malicious things.
And then there's a lack of visibility for the security team. Chances are, the security team doesn't have near as much visibility into every single endpoint in the environment as they would into a single device, if we could choke everything through that one device.
So when we introduce proxies, by forcing the end user device to connect to a proxy service before it goes out to the Internet, we can apply policy at that proxy device,
and that fixes all those issues. It basically hides the IP address of that end user, so we can do some NAT translation behind the proxy service. Is the protection still at the endpoint layer? Yes, but now there's also another layer of protection at the proxy layer. We can centrally manage it much more effectively,
and it's an extra layer of protection.
And then we have much higher visibility for our security team and the ability to integrate that data with other tools. So think if we had, for example, logs that we had to gather from every single endpoint that showed where end users went on the web and what they interacted with,
versus gathering those logs from a single point in the environment and integrating those logs with other tools. It's much easier to do with the proxy service.
There's two ways you can deploy proxies. One way is transparent and the other way is explicit,
and within the transparent model, there are a couple of different ways you can deploy it. So let's first talk about transparent proxy
and what we're gonna call the routing method. First of all, transparent proxy just means that the endpoint does not know that there's a proxy involved. The endpoint's just gonna try to connect to that website. It doesn't have any configuration on it. It doesn't know there's a proxy involved at all. It just sends its traffic out on the wire, and it lets the network do the work.
That's what transparent proxy means.
Within transparent proxy, there's a couple of ways we can accomplish this. The first way I'm going to call the routing method, and that's simply using the routers in the environment
to route specific web traffic through the proxy service.
You can do this with a combination of a default route and policy-based routing. Perhaps you have a default route that gets you closer to the perimeter. And then, right before that last hop before the proxy, you could do some policy-based routing that says, OK, everything now that's port 80,
port 443, port 21, or whatever you actually want to proxy,
you point that to the proxy. The rest of the traffic you can send off through another default route, so it's a combination of ways you can do it. But the point here with the routing method is to use the routing infrastructure itself, to use routing to route that traffic to the proxy service.
The other transparent method is by using WCCP. WCCP stands for Web Cache Communication Protocol,
and it's just a protocol.
The way this works is, when that end device sends its request to a website (again, this is a transparent proxy method, so that end device is just going to send that request out; it has no idea that there's a proxy),
the difference is, in this case, using WCCP, we can have a WCCP policy configured on that first-hop interface of that router. We can have a policy configured there that says, OK, if you see certain types of traffic, TCP 80, TCP 443,
TCP 21, whatever types of traffic you intend to send through a proxy,
those types of traffic, if you see any of that traffic,
create a GRE tunnel with the proxy.
GRE stands for Generic Routing Encapsulation, and a GRE tunnel is a lot like the VPN we discussed in previous lessons. It's essentially creating just an encapsulated tunnel so that the router's next hop is the proxy.
It may actually be routing through 10 different routers in the environment,
but at a layer three level, the next hop from the router looks like the proxy service, and everything between the router and the proxy is encapsulated.
So you can have this WCCP policy where, as traffic comes into the interface, it's inspected, and if it matches certain criteria, it gets routed through this GRE tunnel
and then hits the proxy, and everything goes out the proxy. That way, all the other traffic can just go through the network as normal.
That's the WCCP transparent method.
When it comes to explicit proxy, what we're talking about is configuration that's actually on the endpoint. Now the endpoint is aware that there is a proxy involved, because we have to configure something on the endpoint itself to let it know that there's a proxy involved.
There's a couple of ways we can do it. We can do it manually or automatically. Both are still configuration; even in the automatic mode, there's still a configuration.
Manually configuring means we're just going to configure an IP address in our settings and say, point to that for any Internet browsing; that's your proxy.
With automatic configuration, you can actually point to a file called a PAC file, and PAC stands for proxy auto-config.
And this PAC file is simply just a text file that tells the system what to do and how to use the proxy. We'll get into the PAC file here in just a little bit.
Explicit proxy configuration looks like this. This is just a screenshot from a Mac device, and you can see here, I've got the automatic proxy configuration box checked, and then I've got a URL. In this case, I want to tell my system: yes, you're going to use a proxy.
We're not sure which proxy yet. Go read this file at this location, and that file will tell you which proxy to use and which traffic to send to that proxy.
You could also configure it with just a manual configuration pointing directly to the proxy. So in this case, I'm saying I want all of my web traffic, my HTTP traffic, to go to this certain IP address on a certain port, and that's my proxy device.
Or you configure multiple proxies. Maybe you've got one proxy for HTTP and one for FTP and one for SOCKS. You've got different protocols and different traffic that goes to different proxies in your environment. You can do that with explicit proxies as well, by manually configuring it in the system.
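As an added example (not from the lesson or its screenshots), here is what the PAC file behind that "automatic proxy configuration" URL can look like, covering both the per-protocol split just described (HTTP, FTP and SOCKS going to different proxies) and the internal-versus-Internet decision. PAC files are plain JavaScript with one entry point, FindProxyForURL; the proxy addresses and the internal domain suffixes below are constructed placeholders, and only plain JavaScript is used so the same file also runs under Node.

```javascript
// Constructed example proxies: primary web proxy with a failover, a separate FTP proxy,
// and a SOCKS proxy for everything else. A browser tries entries left to right.
var HTTP_PROXY  = "PROXY 10.10.1.10:8080; PROXY 10.10.1.20:8080";
var FTP_PROXY   = "PROXY 10.10.1.11:2121";
var SOCKS_PROXY = "SOCKS 10.10.1.12:1080";

// Constructed internal suffixes: destinations that stay inside and bypass the proxy.
var INTERNAL_SUFFIXES = [".corp.example", ".internal.example"];

// Plain suffix check; avoids String.prototype.endsWith, which older PAC engines lack.
function endsWith(str, suffix) {
  return str.length >= suffix.length &&
         str.substring(str.length - suffix.length) === suffix;
}

// "Inside" means a bare hostname, a listed suffix, or a literal 10.0.0.0/8 address.
function isInternal(host) {
  if (host.indexOf(".") === -1) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (endsWith(host, INTERNAL_SUFFIXES[i])) return true;
  }
  return /^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Entry point the browser calls for every request. `url` is the full URL
// (for https, modern browsers pass only scheme and host), `host` is the hostname.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isInternal(host)) {
    return "DIRECT";
  }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https") {
    return HTTP_PROXY;
  }
  if (scheme === "ftp") {
    return FTP_PROXY;
  }
  // Anything else (e.g. a non-web protocol) goes through the SOCKS proxy.
  // Deliberately no trailing "; DIRECT" on the Internet branches: if the proxy is
  // down, external traffic fails closed instead of leaving the network unproxied.
  return SOCKS_PROXY;
}
```

A browser only evaluates this file; it does not enforce anything on the wire, so pairing it with an egress rule that blocks direct outbound 80/443 from clients is what keeps users from bypassing the proxy by unticking the box.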