Web Proxy Servers: Functions & Security

The document discusses web proxy servers and how they are traditionally used for performance but now also serve proactive security purposes by preventing malicious content, logging and caching HTTP(S) traffic. It provides details on proxy server configurations, solutions, and how to analyze proxy server logs and cached data for security investigations.

Uploaded by

aaa zzz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
41 views2 pages

Web Proxy Servers: Functions & Security

The document discusses web proxy servers and how they are traditionally used for performance but now also serve proactive security purposes by preventing malicious content, logging and caching HTTP(S) traffic. It provides details on proxy server configurations, solutions, and how to analyze proxy server logs and cached data for security investigations.

Uploaded by

aaa zzz
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 2

# Web Proxy Servers

> - Traditionally used for performance reasons
> - Now serve proactive and post-incident purposes
> - Prevent known "bad" things
> - ==Log data==: access list for all HTTP(S) traffic
> - ==Cache data==: copies of objects sent via HTTP(S)
> - SSL/TLS can hinder, but interception is becoming more common

A **proxy server** is a server that is configured to broker network traffic between
a client system and a server system. Although proxies can be used with nearly any
protocol or network service, today we most frequently identify them in association
with web traffic that uses the HTTP and HTTPS protocols.

Proxy servers can also function as "reverse proxies". In this model proxy servers
generally broker requests from a large number of client systems to a small number
of servers. Often a reverse proxy will provide load-balancing, compression and
other performance-enhancing functionality.

The security community also identified value in the data a proxy server often holds.
Network admins can configure proxy servers to block undesirable content, preventing
their client systems from accessing prohibited subject matter. In addition, the
"gatekeeper" nature of proxy servers provides two vital resources for information
security professionals: ==the content transaction logs and the cached data itself==.

The logs created by a web proxy server are invaluable in determining which URLs
were requested by clients. This can quickly answer the question: *Which inside
systems attempted to access a known malicious site or download?* Typical proxy logs
not only include elements like the time, requester's IP address and URL, but also
the result status of the request and sometimes the username that made it.

In addition, a **caching proxy server's** very purpose is to keep copies of
resources retrieved by client systems. Security teams can retrieve those cached
objects for further analysis without touching an infected client system. The
proactive nature of a proxy server can help during the incident response process.

## Proxy Solutions

- Squid
- NGINX (reverse proxy)
- Apache Traffic Server
- Symantec/Blue Coat
- Forcepoint
- Barracuda

**Three main forensically relevant elements** (Squid defaults shown; locations vary by product and distribution):

- ==Configuration file==: /etc/squid/squid.conf
- ==Log file(s)==: /var/log/squid/\*
- ==Cache data==: /var/spool/squid/

# Convert timestamps

The following awk statement will quickly convert **UNIX epoch timestamps** (the first
field of a Squid native-format access.log) to **human readable UTC**, leaving the rest of
each line intact. The third argument to `strftime()` (the UTC flag) is a gawk extension.

```bash
$ sudo cat access.log | awk '{$1=strftime("%F %T", $1, 1); print $0}' > humanreadable.log
```
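The two tasks above (reading the log fields described earlier and normalising the epoch timestamp) combine naturally into a small script. The following is an added example, not part of the original notes: it parses Squid native-format access.log lines, converts the timestamp to UTC exactly as the awk one-liner does, and answers "which inside systems requested a known-bad site?" while keeping the result status and username so that blocked attempts can be told apart from successful downloads. The log lines, the IP addresses and the `bad.example.test` domain are all constructed for the example.

```python
"""Triage helper for Squid native-format access.log lines (added example).

Field order assumed (Squid native format):
  timestamp elapsed client action/status size method url user hierarchy/peer type
"""
from datetime import datetime, timezone
from typing import Iterable, NamedTuple, Optional
from urllib.parse import urlsplit


class ProxyEntry(NamedTuple):
    utc: str      # "YYYY-MM-DD HH:MM:SS", same as awk strftime("%F %T", $1, 1)
    client: str   # requester's IP address
    user: str     # "-" when the proxy did not authenticate the user
    action: str   # Squid result, e.g. TCP_MISS, TCP_DENIED, TCP_TUNNEL
    status: int   # HTTP status returned to the client
    method: str
    url: str
    host: str     # hostname extracted from the URL (or host:port for CONNECT)


def epoch_to_utc(ts: str) -> str:
    """Convert a Squid epoch timestamp such as '1677405210.417' to UTC text."""
    return datetime.fromtimestamp(int(float(ts)), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def parse_line(line: str) -> Optional[ProxyEntry]:
    """Return a ProxyEntry, or None for lines that are not in the expected format."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ts, _elapsed, client, result, _size, method, url = fields[:7]
    user = fields[7] if len(fields) > 7 else "-"
    action, _, code = result.partition("/")
    try:
        status = int(code)
        utc = epoch_to_utc(ts)
    except ValueError:
        return None
    if "://" in url:
        host = urlsplit(url).hostname or url
    else:
        # CONNECT requests are logged as "host:port" rather than a full URL
        host = url.rsplit(":", 1)[0]
    return ProxyEntry(utc, client, user, action, status, method, url, host)


def find_clients_hitting(lines: Iterable[str], bad_domains: Iterable[str]) -> dict:
    """Map each client IP to its requests for a listed domain or any subdomain of it."""
    bad = {d.lower().strip(".") for d in bad_domains}
    hits: dict = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        host = entry.host.lower()
        if host in bad or any(host.endswith("." + d) for d in bad):
            hits.setdefault(entry.client, []).append(entry)
    return hits


# Constructed sample log: three inside hosts touch bad.example.test, one is denied.
SAMPLE_LOG = """\
1677405210.417    123 10.0.0.15 TCP_MISS/200 5120 GET http://bad.example.test/payload.exe - HIER_DIRECT/203.0.113.7 application/octet-stream
1677405211.002      5 10.0.0.15 TCP_HIT/200 812 GET http://www.example.com/index.html jdoe HIER_NONE/- text/html
1677405230.900   4020 10.0.0.22 TCP_TUNNEL/200 39120 CONNECT cdn.bad.example.test:443 - HIER_DIRECT/203.0.113.9 -
1677405240.100     12 10.0.0.31 TCP_DENIED/403 3741 GET http://bad.example.test/c2 asmith HIER_NONE/- text/html
this line is not a log record
"""

# Hypothetical indicator list; in practice this comes from the investigation.
BAD_DOMAINS = ["bad.example.test"]


def report(hits: dict) -> list:
    """One human-readable line per matching request, sorted by client then time."""
    out = []
    for client in sorted(hits):
        for e in sorted(hits[client], key=lambda x: x.utc):
            out.append(f"{e.utc} {client} user={e.user} {e.action}/{e.status} {e.method} {e.url}")
    return out


if __name__ == "__main__":
    for line in report(find_clients_hitting(SAMPLE_LOG.splitlines(), BAD_DOMAINS)):
        print(line)
```

Running it against the constructed sample lists 10.0.0.15 (a completed download), 10.0.0.22 (a TLS tunnel to a subdomain, visible only as a CONNECT host) and 10.0.0.31 (a request the proxy denied with 403, attributed to user `asmith`); the last case is exactly where the status field matters, since it shows an attempt rather than a successful retrieval.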

# Proxy Log Walkthrough: Process

- **Planning**
  - Take into account resources and evidence we'd like to access
  - Time allotted
  - What existing analysis has been completed, e.g. the triage work on the employee's
    workstation
- **Evidence collection**
  - The log files
- **Form hypotheses**
  - An initial focus area
  - Just need to determine enough to make an informed recommendation regarding
    whether or not we feel the employee leaked any intellectual property
- **Analyze evidence**
- **Support/refute/refine hypothesis**
  - Repeat until stable
