Web Proxies Part 2

Video Activity

Time
4 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
4
Video Transcription
00:02
>> Let's go back to that PAC file. We said you can do automatic configuration by pointing to a PAC file. A PAC file is just a text file, and that text file has a lot of different instructions that tell the endpoint what to do. This is a sample of a PAC file, and if we break it down, we can break it down by section just to show some examples of what a PAC file can do.

In this first section here that I have highlighted, this section is saying that if the destination host name matches intranet.domain.com or anything in abcdomain.com, then go direct. That "return DIRECT" means don't use a proxy; in that case, go directly to that website. You might use this because maybe some websites don't function properly if you go through a proxy. That's a lot rarer, but maybe some don't. There are some websites, I know there are some issues with certain video conferencing websites, where you're doing video streaming and audio streaming and you're trying to share your screen and a lot of different things. Well, that requires a lot of different protocols, and each one of those has to be allowed through the proxy. In some cases, some organizations just say, you know what, if you're going to go to GoToMeeting or anything like that, bypass the proxy altogether, go direct, and that way we're not going to deal with all of these different ranges of ports that we have to open up in the proxy and ranges of protocols that we have to make available.

The second piece of this PAC file is an example of how we can tell the device, if you're using a certain protocol or a specific URL, in this case if you're using FTP, or if you're using HTTP but you're going to this very specific URL, abcdomain.com/folder and anything beyond that, if you're connecting to that, then go to the proxy. So you can get very granular in PAC files.

This one here says, if your IP address falls within one of these ranges, if the IP address of the destination you're trying to get to falls within one of these ranges, go direct. This is used a lot of times with intranet websites. There might be a website that's internal to the network. You don't want to force an internal laptop to go through a proxy just to come back inside the environment if both entities are trusted. If it's a fully trusted site, you can just tell the system to go directly to that site without going through the proxy, and this is how you would do it.

In this case we're being very specific to say, if your IP address is within a certain range, go to this specific proxy. I've seen this one used a lot. Let's say you have a global organization. You can maintain a single PAC file within that organization that directs how traffic in your environment will go. You can point all of your browsers and all of your endpoints to this one PAC file, and each device, depending on where it is in your network, will go to a specific proxy. You could direct your European end users to go to the European proxy, your US end users to go to the US proxy. If you have somebody that travels, when they pick up their laptop and they travel from the US to Europe, they're not coming all the way back to the US to go out the proxy, because using DHCP they've got an address now that they're in Europe, and while they're on the European network they can go out there direct. This is a way that you can geo-direct traffic based on location. Then you can have a catch-all rule at the end that says everything else, go to this other proxy.

The point here is just to show you proxy PAC file auto-configuration and how it works, and the plethora of things that you can do with a PAC file. You can get very granular in how you control your internet traffic by using a simple PAC file and pointing everything to that PAC file.

Let's talk a little bit about categories and policies. Once we get the traffic to the proxy, the proxy uses a combination of categories and policies to direct what's allowed and what's not, and how the organization interfaces with the outside world. I have a screenshot here. This is just an example of the Symantec, this is their Blue Coat proxy product. Symantec uses four main category groups. Every website, I won't say every website, but they make an attempt to constantly categorize websites. URLs are constantly analyzed and put into categories, and there are four main categories for Symantec. Every proxy vendor is different; this is just an example.

Here we have legal liability, which would be things like any illegal activity, like child trafficking and things like that. There's security, which may be hacking sites, or it could be actually malicious sites that are trying to serve up malicious content. There's non-productive, that might be things like YouTube, or things that might take people away from what they're doing in their day-to-day jobs. Maybe some organizations want to block that content, so there's a category for that. Then there's business related, and that might be things like Office 365; maybe you're using a cloud mail system, that would probably fall into the business related category.

Then within each of the categories there are subcategories, and you can go in and you can click through on Symantec's site and you can read the description of what each of those is. This particular one, this is malicious sources, I'll mention that. But the point here is that these proxy vendors, they try to categorize as many websites as possible into large buckets of categories and then into subcategories, and then you can create rules in your policy that allow certain groups of people to get to certain things. Maybe, for example, if you're doing role-based access, maybe you've got the accounting group that needs to get to certain types of websites. Let's say, for example, maybe you've got the marketing group you want to allow to get to Facebook because they control your social media for your company, but you don't want everybody else to get to Facebook. You can create a rule that says marketing is allowed to get to social media websites. If you've got a threat hunting team, you might want to let your threat hunters actually access those hacking sites, which you don't want to let everybody else do. Using a combination of categories and policies is just the way that you create this set of rules that dictate how you interact with the Internet, how your end users interact with the Internet.

You can also create, while we're still on this page, you can create splash pages. If a user tries to connect to a site that they're not allowed to connect to, you could have a splash page that pops up and says this site is forbidden, and here's the reason: it's because it falls into this category. You can even have, if you think this is miscategorized, click here, and your end users could actually report that and say, hey, I need this to do my job, it's categorized wrong. I suggest that you use splash pages. One place that I've seen splash pages come in very handy is with uncategorized sites. There are a lot of sites out there that just haven't been put into a category yet. Malware uses uncategorized sites all the time. Putting a splash page up for uncategorized sites, not necessarily one that blocks anyone from getting to them, but at least a splash page that says, hey, this site is uncategorized, are you sure this is a legitimate site? Do you need this to do your job? The end user can click yes. They get annoyed by it; we hear complaints about it all the time. But really what we're doing, it's not so much to control that end user going to uncategorized sites as it is to control malware from being able to automatically connect to some command and control site that has not been categorized yet. Simply by putting that splash page up, it's forcing some action, and a lot of malware doesn't have the capability to click through that splash page, and it just dies right there.

Let's talk a little bit about remote workers. It's easy to understand, using WCCP or some of those other transparent methods, or even proxy or explicit methods, how we point internal users to a proxy. But what happens when that user takes their laptop home? They take it home for the evening, maybe they finish up some work there on the VPN, they're done for the day, and then what if that end user wants to use their laptop just to surf personal things? Well, chances are that the things that they're surfing in their personal life are not all business related. Some of them are shadier than others. You want a mechanism; you don't want that business laptop interacting with a malicious site while it's not on prem, getting compromised, and then they bring it in the next day, they plug it in, and now that compromised system is inside your network.

You can enforce proxy policy even when the user is off prem, and you can do this using a cloud service. Most of the major proxy vendors have a cloud service component that you can purchase as an addition, or some of them come as part of the package. What you can do is you can take your proxy environment internally in your network and you can push those same policies to this cloud proxy. Now it lives out there in the cloud. Your end users, when they're at home, they can't connect to your internal proxy because they're not on the internal network. But you can configure those company laptops to point to a proxy PAC file, for example, and that PAC file could be somewhere out there in the proxy cloud, in the public space, so that you could have one in the public space and one in the private space. That PAC file could have a rule that says, if your IP address is an internal IP, go to the internal proxy; if it's an external IP, go to the external proxy. And you can still force your end users to maintain the same rule set for web browsing as they would if they were sitting in the office.

Last thing I'll say about web proxies: I want to talk about logging a little bit. Proxy logs are one of the most important logs that you can collect in your environment. They give a ton of information, a ton of good things. I'm not going to go through every one of these, but I listed a few of them here. This is a ton of information. Every proxy log, every time someone connects to a website from your internal network, it generates a ton of metadata, a ton of information. All of this information can be used in other tools. We talked about the IPS device earlier; maybe you get a threat feed in one of your IPSes that says that HTTP referer XYZ is suspicious. You can take that threat feed and you can apply it to your proxy logs, and if you see people starting to interact with that HTTP referer in your proxy logs, you can take an action. If there are two or three logs that you collect in your environment, proxy logs should be way up on that list. They should be in the top five for sure.

That's it for our lesson on web proxies. Next up we're going to talk about network access control.
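Added example (editor's addition, not the lesson's slide or the speaker's PAC file): a PAC file with the same five kinds of rule the lesson walks through (named hosts go direct, FTP and one specific URL path go to a proxy, private destination ranges go direct, the client's own address picks a regional proxy, a catch-all at the end), together with Node implementations of the helper functions that a browser's PAC engine normally supplies (dnsDomainIs, shExpMatch, isInNet, myIpAddress), so the routing decisions can be run and checked offline. The host names, proxy names and IP ranges are assumptions chosen for illustration.

```javascript
// ---- PAC helper functions (a browser provides these; reimplemented here so
// ---- the file runs under Node) ----

// True if host ends with the domain suffix. Note that ".abcdomain.com" does
// NOT match the bare apex host "abcdomain.com": that is what lets rule 1
// (subdomains go direct) and rule 2 (one apex URL goes to the proxy) coexist.
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}

// Shell-style glob match: '*' matches any run of characters, '?' one character.
function shExpMatch(str, shexp) {
  const escaped = shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                       .replace(/\*/g, ".*")
                       .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// Dotted-quad string -> unsigned 32-bit integer, or null if not a valid IPv4.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some(x => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// True if ip lies inside network/mask. A real PAC engine resolves a hostname
// via DNS here; this offline version accepts only IPv4 literals and returns
// false for anything else, so non-IP hosts fall through to later rules.
function isInNet(ip, network, maskStr) {
  const a = ipToInt(ip), net = ipToInt(network), mask = ipToInt(maskStr);
  if (a === null || net === null || mask === null) return false;
  return ((a & mask) >>> 0) === ((net & mask) >>> 0);
}

// The client's own address. Real engines report one interface address; here
// it is injected so different client locations can be simulated (assumption).
let CLIENT_IP = "192.168.50.10";
function myIpAddress() { return CLIENT_IP; }

// ---- The PAC file itself: the entry point the browser calls per request ----
function FindProxyForURL(url, host) {
  // 1. The intranet host and any abcdomain.com subdomain bypass the proxy.
  if (host === "intranet.domain.com" || dnsDomainIs(host, ".abcdomain.com")) {
    return "DIRECT";
  }
  // 2. All FTP, and HTTP to one specific path and below, go through the proxy.
  if (url.startsWith("ftp:") || shExpMatch(url, "http://abcdomain.com/folder/*")) {
    return "PROXY proxy.domain.com:8080";
  }
  // 3. Destinations in private address space go direct.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // 4. Geo-direction: the client's own address selects the regional proxy
  //    (assumed ranges: 10.10/16 for Europe, 10.20/16 for the US).
  if (isInNet(myIpAddress(), "10.10.0.0", "255.255.0.0")) {
    return "PROXY eu-proxy.domain.com:8080";
  }
  if (isInNet(myIpAddress(), "10.20.0.0", "255.255.0.0")) {
    return "PROXY us-proxy.domain.com:8080";
  }
  // 5. Catch-all: everything else, including off-prem clients, to the cloud proxy.
  return "PROXY cloud-proxy.example.net:8080";
}

// Driver: evaluate a URL as if the client sat at the given address.
function route(url, clientIp) {
  CLIENT_IP = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}

// Stand-alone run: show how the same URL routes from three client locations.
for (const ip of ["10.10.4.7", "10.20.4.7", "203.0.113.9"]) {
  console.log(ip, "->", route("https://www.example.com/", ip));
}
```

Two caveats carry over to real PAC engines. First, isInNet(host, ...) on a hostname triggers a DNS lookup for every request that reaches rule 3, so cheap string tests (dnsDomainIs, shExpMatch, isPlainHostName) belong before it. Second, myIpAddress() returns a single interface address, so on a multi-homed or VPN-attached laptop the geo rule can select the wrong regional proxy; test the file from each location you expect clients to be in.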