Web Proxies Part 2

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

4 hours 25 minutes
Video Transcription
Let's go back to that pack, file said. You can do automatic configuration by pointing to a pack file
so a pack file is just a text file in a text file has a lot of different instructions that tells the endpoint what to do.
This is a sample of a pack file, and if we break it down, we could break it down by section just to show some examples of what a pack file can do
in this first section here that I have highlighted. The section is saying that if the destination host name matches Internet that domaine dot com or anything in ABC domaine dot com or abc domaine dot com,
then go direct so that return direct means don't use a proxy. In that case, go directly to that website
and you might use this because maybe some websites
are Don't don't function properly. If you go through a proxy this day and age, that's that's a lot rarer, but maybe some don't you know there's some websites I know there's some issues with, um,
certain videoconferencing websites where you're doing video streaming and audio streaming, and you're trying to share your screen and a lot of different things. Well, that requires a lot of different protocols, and each one of those has to be allowed through the proxy. And in some cases, some organizations just say, you know what? If you're gonna go toe, go to meeting or anything like that, bypass the proxy altogether,
go direct. And then that way we're not going to deal with all of these different
ranges of ports that we have to open up in the proxy and ranges of protocols that we have to make available.
The second piece of this pack file is an example of, you know, we can tell the device if you're using a certain protocol or if a specific girl in this case, if you're using FTP or if you're using http But you're going to this very specific girl, this abc domaine dot com slash folder and anything beyond that.
If you're connecting to that, then go to the proxy so you can get very, very granular and packed files.
This one here says, if if your I p address falls within one of these ranges, if the i p. Address of the destination you're trying to get to falls within one of these ranges go direct, and this is used a lot of times with intranet websites. There might be a website that's internal to the network. You don't want to force an internal laptop
to go through a proxy just to come back inside the environment. If it's if both entities air trusted. If it's a fully trusted site,
you can just tell the system to go directly to that site without going through the proxy. And this is how you would do it.
In this case, we're being very specific to say, If your I P address is within a certain range, go to this specific proxy and I've seen this one used a lot. Let's say you have a global organization. You can maintain a single PAC file within that organization that that directs how traffic in your environment will go. You can point
all of your browsers and all of your in points to this one pack file
and in each device, depending on where it is in, your network will go to a specific proxy so you could direct your European in users to go to the European proxy, your US and uses to go to the U. S. Proxy. And if you have somebody that travels when they pick up their laptop and they travel from us to Europe, they're not coming all the way back to the US to go out the proxy because
using the CPI, they've got an address. Now they're in Europe while they're on the European Network that can go out there direct.
So this is the way that you can direct geo direct traffic based on location
and you can have a catch. All rule at the end says everything else. Go to this other proxy.
The point here is just to show you, Ah, proxy pack file, auto configuration and how it works and the the plethora of things that you can do with a pack file. You can get very granular and how you control your Internet traffic by using a simple pack file and pointing everything to that pack file.
Let's talk a little bit about cattle categories and policies. Once we get the traffic to the proxy, a proxy uses a combination of categories and policies to direct what's allowed and what's not, and how the how the organization interfaces with the outside world
I have a screenshot here. This is just an example of the semantic. This is their blue co proxy product. Semantic uses four main category groups, so every website also every website, but
they make an attempt that constantly categorized websites. You URLs air constantly analysed and put into categories on, and there's four main categories for semantic every proxy vendors different. This is just a example. Here we have legal liability, which would be things like, you know, any illegal activity
like, you know, child trafficking and things like that.
Um, there's security, which may be hacking sites. Or it could be actually malicious sites that are trying to serve up malicious content.
There's non productive. That might be things like YouTube or things that might take people away from what they're doing in their day to day, Um, in their day to day jobs. Maybe some organizations want to block that sort of content. So there's category for that. And then there's business related, and that might be things like office 3 65 Maybe. Maybe you're using a cloud mail system
that would probably fall into the business related category.
And within each of the categories, there's sub categories, and you can go in and you can click through on semantics site, and you can read the description of what each of those is in this particular one. This is malicious sources or mountain yet, but the point here is that
the websites, these proxy vendors, they try to category categorizes many websites as possible into large buckets of categories and then into sub categories. And then you can create rules in your policy that allow certain groups of people to get to certain things. So maybe, for example, if you're doing role based access,
maybe you've got the accounting group that needs to get to certain types of websites. Or, let's say, for example, maybe you've got the marketing group you want to allow to get to Facebook because they control your social media for your company. But you don't want everybody else to get to Facebook. You can create a rule that says marketing is allowed to get to social social media websites.
Uh, you might want to let your If you've got a threat hunting team, you might want to let your threat hunters
actually access those hacking sites, which don't want to let everybody else do it.
So using a combination of categories and policies is just the way that you create this. The set of rules that dictate how you interact with the with the Internet, how your any users interact with the Internet.
You can also create all we're still in the speed you can create splash pages. So if a user tries to connect to a site that they're not allowed to connect to, you could have a splash page that pops up and says, This site is forbidden. Here is the reason is, because it falls into this category
you could even have. You know, if you think this is mis categorized, click here and you're in. Users could actually report that and say, Hey, I need this to do my job.
It's categorized wrong.
I I suggest that you use Splash pages. That one place that I've seen, that splash pages come in very handy is with uncapped ago rised sites. There's a lot of sites out there that just haven't been put into a category yet.
Malware uses uncanny arised sites
all the time,
so putting a splash page up for a categorized sites, not necessarily that blocks anyone from getting to them, but at least a splash page that says, Hey, this site is uncanny arised. Are you sure this is a legitimate site? Do you need this to do your job in user can click. Yes,
they get annoyed by it. We hear complaints about it all the time, but really, what we're doing. It's not so much to control that in user going toe. Categorize sites
as it is to control malware from being Alberto, automatically connect some command and control site that has not been categorized yet
simply by putting that splash page up, it's forcing some action in a lot of malware. Doesn't have the capability to click through that splash page, and it just dies right there.
Start a little bit about remote workers. So it's easy to understand using W CCP or transparent. You know, some of those other transparent methods or even proxy are explicit methods how we point internal users to a proxy. But what happens when that user takes their laptop home?
They take it home for the evening. Maybe they finish up some work there on the VPN. They're done for the day and then what If that in user wants to use their laptop just to surf personal things, well, chances are that the things that they're surfing in their personal life are not all not all business related. Some of them are shady other than others.
So you you want a mechanism. You don't want that business laptop interacting with a malicious site while it's not on Prem
getting compromised, and then they bring it in the next day they plug it in. And now that that compromise systems inside your network so you can enforce proxy policy even when the users off prim
and you can do this using a cloud service. Most of the major proxy vendors have AH cloud service component that you can purchase as an addition, or some of them come with part of the package.
And what you could do is you can take your proxy environment internally in your network, and you can push those same policies to this cloud proxy. So now it's out there. It lives out there in the cloud,
so you're in users when they're at home. They can't connect to your internal proxy because they're not on the internal network, but you can configure those company laptops to point to a proxy pack file, for example. And that pack file could say that pack file could be somewhere out there
in the proxy cloud in the public space so that you could have one in public space and one in the private space.
That pack file could have a ruling that that says, if your I P address is an internal i p, go to the internal proxy. If it's an external i p, go to the external proxy and you can still force urine users to maintain the same rule set for Web browsing as they would if they were sitting in the office.
Last thing will say about Web proxies. I want to talk about logging a little bit.
Proxy logs are one of the most important logs that you can collect in your environment that give a ton of information a ton of good things. I'm not gonna go through every one of these, but I can. I listed a few of them here.
This is a ton of information, every proxy log. Every time someone connects to a website from your internal network, it generates a ton of metadata of ton of information. All of this information can be used in other tools.
Maybe you get a threat feed in one of your we talked about like the I PS device earlier. Maybe you get a threat feet in one of your I ps is that says http. Refer.
X y Z is is suspicious.
You can take that threat feed, and you can apply it to your proxy logs. And if you see people starting to interact with that, http, refer in your proxy logs, you can taken action. So you if, if there's if there's a
two or three logs that you can you collect in your environment. Proxy logs should be way up on that list. It should be in the top five for sure.
All right, that's it for our lesson on Web proxies. Next up, we're gonna talk about network access control
Up Next