In today's web-based world, web threats are higher than ever before, whether it is phishing, malware, compromise of end users' identities or theft of sensitive information. The majority of malware comes from two sources: hidden downloads on popular, trusted websites, and malware distribution through social networking, peer-to-peer (P2P) and webmail. This is why every company is looking at implementing a Secure Web Gateway for its organization.
What is a Proxy / Secure Web Gateway?
There are many types of proxy servers that do all kinds of things. In this article, I will refer to the most common and widely used type, the web proxy or forward proxy (Blue Coat in particular), which mediates access to the content and services found on the Internet.
As the name implies, a forward proxy, placed in an isolated network, typically a demilitarized zone (DMZ), is an intermediary between your private network (client PCs) and the Internet (web servers). The proxy makes requests to websites, servers and services on the Internet on behalf of a client.
How a Forward Proxy Works
Consider a web browser visiting https://www.tcs.com, with the browser configured to use a proxy server through a Group Policy update. Once you type www.tcs.com, the request is sent to the proxy server. If it is set to do so, the proxy intercepts the request, replaces the source IP address with the IP address of its own interface, evaluates and applies all the security policies, and then forwards the request to the web server where the website is hosted. The origin content server sends the response back to the proxy, which in turn returns it to you. From the client PC's perspective the proxy acts as the destination web server, and from the origin content server's perspective it acts as the client. As a result, the website sees the proxy server as the actual visitor rather than seeing you.
Benefits and Security Features that a Proxy Offers
- Inspection and validation of SSL traffic.
- Content caching and traffic optimization.
- Bandwidth savings and improved speed.
- Streaming media splitting and caching: request high-volume data streams once while forwarding them to multiple requestors.
- Method-level controls per protocol, file type control and browser control.
- Privacy: hides your IP address, location and other information.
- User authentication, authorization and accounting.
- Easy integration with other security solutions such as DLP and FireEye in enterprise environments.
- More Granular Categorization at the URL/URI Level using Web/Content Filtering.
- Multi-layered deep content inspection and analysis to identify data loss and threats. Advanced real-time web filtering and risk scores.
Inspection and Validation of SSL Traffic
When SSL inspection is enabled, once the content is fetched from the origin content server (OCS), the proxy decrypts the encrypted content, inspects it and checks for the presence of any malicious traffic. If the traffic is clean, the proxy re-encrypts the content and sends it on to the client, which is achieved using the certificate emulation described below.
Since the proxy is not the server, it cannot present the server's certificate to terminate the SSL connection with the client. Therefore, the proxy must create a certificate for the client-side connection. The proxy takes the certificate information provided by the origin content server and forges a certificate based on that information, re-signing it with its own private key (this is known as certificate emulation), and presents it to the client. For example, suppose a client wants to connect to google.com. With SSL interception enabled, the proxy terminates this connection locally and responds with "I'm google.com". The proxy initiates an SSL connection with the real google.com web server (as a client), takes the information from the actual google.com certificate, creates a new certificate on the fly with the same information, signs this new certificate with its own CA and sends it to the client. The client believes it is talking directly to google.com, but in reality there are two independent SSL connections: one from the client to the proxy and one from the proxy to google.com. This only works because the proxy's CA certificate has been deployed to the clients' trust stores; a client that does not trust that CA will warn that the emulated certificate is invalid.
Anti-Virus Scanning for Advanced Threat Protection
The proxy does a lot more than scan for viruses. It offers advanced malware detection at the gateway by detecting and blocking viruses, worms, Trojans and spyware. Blue Coat ships the proxy and the AV engine as separate appliances that communicate with each other using an open standard protocol, the Internet Content Adaptation Protocol (ICAP), which allows content engines to send HTTP-based content to an ICAP server for virus scanning. The proxy is the ICAP client and the AV is the ICAP server. The proxy forwards the web content that needs to be scanned to the AV, which filters and adapts the content and returns it to the proxy. The scanned content is then served to the user who requested it and cached on the proxy.
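The proxy-to-AV exchange described above, as an added example that is not Blue Coat's code: the proxy acts as ICAP client and wraps the fetched HTTP response in a RESPMOD request, then reads the ICAP server's verdict. The AV service URI and hostnames are assumptions and the HTTP response is a constructed sample.

```python
"""Build and parse ICAP (RFC 3507) RESPMOD messages as the proxy (ICAP client) would.
Added example, not Blue Coat code: the AV service URI and hostnames are assumptions and
the HTTP response being scanned is a constructed sample."""

ICAP_SERVICE = "icap://av.example.internal:1344/respmod"  # assumed AV (ICAP server) URI


def build_respmod(request_line: str, response_headers: str, body: bytes) -> bytes:
    """Wrap an HTTP response in an ICAP RESPMOD request.
    ICAP carries the HTTP request header, the HTTP response header and the chunked
    response body back to back; Encapsulated gives the byte offset of each section."""
    req_hdr = (request_line + "\r\nHost: www.example.com\r\n\r\n").encode()
    res_hdr = (response_headers + "\r\n\r\n").encode()
    # ICAP bodies use HTTP chunked encoding, terminated by a zero-length chunk.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (
        len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = (
        "RESPMOD %s ICAP/1.0\r\n"
        "Host: av.example.internal\r\n"
        "Allow: 204\r\n"  # proxy accepts "204 No Content" = content unmodified, serve as is
        "Encapsulated: %s\r\n\r\n" % (ICAP_SERVICE, encapsulated)
    ).encode()
    return icap_hdr + req_hdr + res_hdr + chunked


def parse_icap_status(icap_response: bytes) -> tuple:
    """Return (status_code, verdict) from the ICAP server's status line.
    204: the AV left the content untouched (serve and cache it).
    200: the server returned a modified response, e.g. a block page."""
    status_line = icap_response.split(b"\r\n", 1)[0].decode()
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError("not an ICAP/1.0 response: " + status_line)
    code = int(parts[1])
    return code, {204: "clean-unmodified", 200: "modified"}.get(code, "error")


# Constructed sample: a small HTTP response the proxy wants scanned before serving it.
SAMPLE = build_respmod(
    "GET /report.pdf HTTP/1.1",
    "HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: 8",
    b"%PDF-1.4",
)
```

A 204 reply is only honoured because the request advertised `Allow: 204`; without it the server must echo the full (possibly modified) response.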
Once an object is cached, it is not scanned again until either the object contents change or the AV database changes. The AV database is a pattern file that allows anti-virus software to identify viruses. Whenever the database changes, the AV engine needs to rescan any requested objects that are in the cache, because the new database might contain updates on emerging malware threats.
For a non-cacheable object, the AV scans the object and creates a fingerprint: a secure hash of the file's contents. The AV engine compares the file's fingerprint against a database of fingerprints built up from previously scanned objects. The object will not be scanned again unless either its fingerprint changes (indicating the content has changed) or the AV database changes.
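The rescan rule from the two paragraphs above (an object is rescanned only when its content hash or the AV pattern database changes), as an added example that is not Blue Coat's code; the database version strings are constructed.

```python
"""Decide when a cached or fingerprinted object must be rescanned (added example,
not Blue Coat code). Rule: rescan only when the content fingerprint changes or the
AV pattern database changes. Database version strings are constructed."""
import hashlib


class ScanCache:
    def __init__(self, av_db_version: str):
        self.av_db_version = av_db_version
        self._verdicts = {}  # fingerprint -> (db_version the verdict was produced with, verdict)

    @staticmethod
    def fingerprint(content: bytes) -> str:
        # Secure hash of the object's contents; a single changed byte yields a new fingerprint.
        return hashlib.sha256(content).hexdigest()

    def update_database(self, new_version: str):
        """A new pattern file may detect threats the old one missed, so every verdict expires."""
        self.av_db_version = new_version

    def needs_scan(self, content: bytes) -> bool:
        entry = self._verdicts.get(self.fingerprint(content))
        return entry is None or entry[0] != self.av_db_version

    def record(self, content: bytes, verdict: str):
        """Store the AV verdict together with the database version that produced it."""
        self._verdicts[self.fingerprint(content)] = (self.av_db_version, verdict)

    def verdict(self, content: bytes):
        """Return the stored verdict if it is still valid under the current database, else None."""
        if self.needs_scan(content):
            return None
        return self._verdicts[self.fingerprint(content)][1]
```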
Authentication, Authorization, and Accounting
Some proxies and servers require authentication before granting access to resources on the Internet. Authentication is the process of determining who the actual user is and verifying that they are who they claim to be. Authorization determines whether the user has the authority to perform certain tasks. These are two different processes, and logically authentication precedes authorization. When a proxy receives a request from a client for a website that requires authentication, the proxy responds to the HTTP connection request by prompting the user for a username and password. The client then sends its credentials to the proxy, which in turn checks with Active Directory whether they are valid. If they are valid, the connection is allowed. Authentication also allows network administrators to apply security policies on a per-user, per-group or per-department basis instead of by IP address or through global access policies.
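The challenge-then-authorize flow above, as an added example that is not Blue Coat's code. It uses HTTP Basic for readability (an assumption; Basic is only safe over an encrypted channel), and the DIRECTORY dictionary stands in for the Active Directory lookup; users, groups and the per-group policy are constructed.

```python
"""Proxy-side authentication and per-group authorization (added example, not Blue Coat code).
Uses HTTP Basic for readability (safe only over an encrypted channel); DIRECTORY stands in
for Active Directory and all users, groups and policy are constructed."""
import base64
import hmac

REALM = "corp-proxy"
DIRECTORY = {"alice": ("s3cret", "engineering"), "bob": ("hunter2", "contractors")}
# Per-group policy: URL categories each group may reach (constructed).
GROUP_POLICY = {"engineering": {"search_engines", "social_networking"},
                "contractors": {"search_engines"}}


def authenticate(headers: dict):
    """Return the username when Proxy-Authorization carries valid credentials, else None."""
    scheme, _, token = headers.get("Proxy-Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # covers binascii.Error (bad base64) and UnicodeDecodeError
        return None
    entry = DIRECTORY.get(user)
    # Constant-time comparison so response timing does not reveal how much of the password matched.
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        return None
    return user


def handle_request(headers: dict, category: str) -> tuple:
    """Return (status, detail) the proxy would send for a request to a URL in `category`."""
    user = authenticate(headers)
    if user is None:
        # Authentication precedes authorization: challenge the client before deciding anything.
        return 407, 'Proxy-Authenticate: Basic realm="%s"' % REALM
    group = DIRECTORY[user][1]
    if category in GROUP_POLICY.get(group, set()):
        return 200, "allowed for %s (%s)" % (user, group)
    return 403, "category %s denied for group %s" % (category, group)


def basic_header(user: str, password: str) -> dict:
    """Build the header a client sends after receiving the 407 challenge."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Proxy-Authorization": "Basic " + token}
```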
Web/Content Filtering
There are many millions of websites on the Internet, and it is very difficult to create Internet rules and policies in the proxy on a per-domain basis. The Blue Coat proxy provides both an on-box content filtering database and an off-box dynamic categorization cloud service (WebPulse) for real-time categorization of URLs that are not categorized in the on-box database. WebPulse dynamic categorization includes both traditional content evaluation, for categories such as pornography, and real-time malware and phishing threat detection. Proxy vendors also support third-party content filtering databases such as that of the Internet Watch Foundation (http://www.iwf.org.uk/). A website is added to a category when its content meets the criteria for that category.
For example, facebook.com and twitter.com are categorized under Social Networking, and google.com is categorized as Search Engines. Similarly, all web URLs can be grouped into categories such as social networking, gambling, pornography, news media, shopping, etc. A proxy server is able to analyze the URLs that users request, determine which category each website belongs to, and classify the traffic into the appropriate category class. This gives us granular visibility into the type of web traffic on the corporate network.
With content filtering enabled, the request from the client is allowed, but the response from the origin content server is inspected at the proxy's AV layer. The actual payload of the packet is examined to determine the real file type, which is verified against the Content-Type header and the file extension, and based on that an allow/deny decision is made. This provides the ability to block viruses, e-mail attachments, advertisements, redirects, web bugs, cookies, Java, ActiveX, pop-ups, media types, embedded objects, etc.
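The payload check just described, as an added example that is not Blue Coat's code: the real type is read from the leading bytes and compared with the declared Content-Type and the URL extension, so a blocked type cannot slip through by claiming to be an image. The magic-number table, the extension map and the blocked-type policy are constructed for the example.

```python
"""Check a response's real file type against its Content-Type header and URL extension.
Added example, not Blue Coat code: it catches the mismatch where a response claims to be
an image or PDF but its leading bytes are an executable. The magic-number table, the
extension map and the blocked-type policy are constructed for the example."""
import posixpath

# Leading bytes ("magic numbers") identifying a few common file types.
MAGIC = [
    (b"MZ", "application/x-msdownload"),           # Windows PE executable
    (b"\x7fELF", "application/x-executable"),
    (b"\xca\xfe\xba\xbe", "application/java-vm"),  # Java class file
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),            # also docx/jar containers
]
EXT_TO_TYPE = {".pdf": "application/pdf", ".png": "image/png", ".jpg": "image/jpeg",
               ".jpeg": "image/jpeg", ".zip": "application/zip", ".exe": "application/x-msdownload"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-executable", "application/java-vm"}


def sniff_type(payload: bytes):
    """Return the MIME type implied by the payload's leading bytes, or None if unknown."""
    for magic, mime in MAGIC:
        if payload.startswith(magic):
            return mime
    return None


def decide(url_path: str, content_type: str, payload: bytes) -> tuple:
    """Return ("allow" | "deny", reason) as the proxy's content-filtering layer would."""
    declared = content_type.split(";")[0].strip().lower()   # drop "; charset=..."
    ext = posixpath.splitext(url_path)[1].lower()
    actual = sniff_type(payload)
    if actual in BLOCKED_TYPES:
        return "deny", "payload is %s regardless of the declared %s" % (actual, declared)
    if actual is not None and actual != declared:
        # The bytes contradict the header: treat it as evasion, not as a harmless server error.
        return "deny", "Content-Type %s does not match payload type %s" % (declared, actual)
    if ext in EXT_TO_TYPE and EXT_TO_TYPE[ext] != declared:
        return "deny", "extension %s does not match Content-Type %s" % (ext, declared)
    return "allow", "declared type, extension and payload agree"
```

Container formats that share the ZIP signature (docx, jar) need an alias table in a real deployment, otherwise they are denied as mismatches.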
Content Caching and Traffic Optimization
By serving content locally from its cache, the proxy reduces latency and minimizes the transmission of data over the Internet, thereby improving the user experience.
Object Caching: When a web page is accessed, a proxy server can store it and, when the next person requests it, it first checks if the page has changed. If it hasn't changed, it forwards the local copy without re-downloading the whole page from the web server.
Byte Caching: This is a technique used in WAN optimization. Consider two proxies on either side of a WAN link, as in a head office / branch office deployment. In byte caching, the device at one end replaces commonly seen byte patterns (for example, 00111000 replaced with the token B3) with a pre-defined (or learned) token, so that less data is sent over the physical medium (Layer 1, the wire) than if the original stream were sent as is.
Object Pipelining: Pipelining allows the Proxy server to open several connections to a server, speeding up the delivery of content into the cache.
Object Pre-fetching: Content on a requested web page several levels deep is requested and cached for fast delivery to users.
HTTP Compression: Compression reduces a file's size without losing any data. When it is enabled, the proxy server always requests compressed content from the origin content server. Decompression, content transformation and recompression at the proxy during content scanning increase response time by a small amount because of the CPU overhead, which is negligible in most cases.
Bandwidth Savings & Improved Speed
Proxies also help organizations save bandwidth. Proxy servers can compress traffic, cache files and web pages from the Internet, and even strip ads from websites before they reach your computer. This lets companies save bandwidth, especially when they have hundreds or thousands of employees accessing mostly the same popular websites, and also reduces the latency in loading web pages. The proxy also provides control over what users access and how they use the Internet. By forcing users to reach the Internet only through proxy servers, we have detailed logs of all the websites they accessed, when, for how long, and so on. Detailed usage reports are available for each user, which makes it easy to identify misbehaving users.
Using a proxy server for streaming delivery (audio and video) improves the quality of streaming media by mitigating user experience issues such as frozen playback, jagged video, patchy audio, and unsynchronized video and audio that occur when packets are dropped or arrive late. It supports the most popular streaming media clients, such as Windows Media, Real Media, QuickTime and Flash. The proxy provides acceleration features such as live splitting, video-on-demand caching, content pre-population and multicasting. The more clients that request the same media stream, the more bandwidth is used; conversely, the more bandwidth that is available, the better the quality of the media streams.
Proxy servers are really effective only if SSL inspection is turned on, and their value depends heavily on how exceptions and error handling are configured for the traffic where SSL inspection is turned off, because on today's web most security issues and compromises happen over encrypted communication. It all depends on how the proxies are configured in a production environment and how they are secured. A proxy server may provide all the benefits mentioned above or none of them; it all depends on how it was set up and why.
Authored By - Venkatesh G
TCS Enterprise Security and Risk Management