Deny Corporate Computers Direct Internet Connectivity

What Is It? Proxying can be taken many ways but at the core of it is a system that intercepts and handles requests on behalf of a client connecting to a service. They most commonly reside between the private network and public networks such as the Internet. There are several types of proxies commonly used such as forward and reverse proxies and they can take on the form of load balancers, firewalls, DNS proxies, transparent proxies and anonymisers like the TOR network. Long gone are the days when you configured your computer with a public-IP address and browsed the web unimpeded. At a minimum you probably sit behind a firewall using Network Address Translation (NAT) located at a choke point to manage all inbound and outbound traffic. This is fundamentally a proxy but at a lower network layer.

Not everything has to flow through a proxy as local IP addresses on your LAN are quite commonly seen as trusted and known, so while you may have a proxy configured in your network settings, it’s probably being bypassed for local networks. In some cases, traffic is designated to bypass proxy servers altogether, although this is the exception rather than the rule as it bypasses the protection offered by a proxy.

Proxies can be used for good and evil, but still act as a layer between you and whatever you are connecting to whether browsing the news and getting the latest football scores or lurking somewhere in the dark web. Many organisations use proxies to control inbound and outbound connections, such as load balancing a server farm for your whizbang application or making sure you can’t get to your favourite gambling website to put a bet on a horse during the Melbourne Cup. Specialised proxies have also gained favour for encrypted payload inspection and other filtering to offload some of the work the firewall (and other appliances) must do. 

Proxies are available from freely-available open-source solutions up to massive load balanced and highly available vendor-driven solutions for enterprises. Long story short, you want to have a layer between you and everything else whether the traffic is inbound or outbound.

Where Do I Start? The answer to the question “do I need a proxy?” is a given: yes, you do. The question should be “what kind of proxy/proxies do I need?” For starters, you should already have a firewall in place, so perhaps it’s time to do a health check on that vital piece of equipment. By the same token, consider a full proxy health check of other systems as well if they sit in the middle of your transactions. In due course, locate any systems that do connect directly, and this can include both inbound and outbound services. Ask the questions and get the right people involved.

Once you have a lay of the land, it’s time to ask if you need proxy services and if you can improve any of the existing services. A proxy can be a valuable tool in a defence in depth strategy but can also become an obstacle if implemented incorrectly. Understand your traffic flows, which services traverse the network, and the volume of data they must handle. A proxy can quickly bring a network to its knees if it’s bogged down handling requests and this is true of any type of proxy. You really need to understand your network, so please don’t hesitate to put your hand up if you need help in gathering the details.

With an understanding of your network, you can determine the best way to leverage proxies to your advantage. Inspection of web traffic and encrypted packet inspection will probably be one of your first thoughts. You’ll also need to consider if you want to use traditional on premise systems, or whether you will take advantage of the many cloud-based offerings available. Perhaps a hybrid approach works best. Proper planning and design work up front can save a lot of pain further down the road.

How do I make It Work? You may find you don’t need any additional proxy services and that your present architecture provides adequate security. If you’re already using some of the other mitigation strategies, additional Proxying may be overkill, so be prepared for the conclusion that this isn’t a priority.

For those of you that have decided you need a proxy (or another proxy), proceed with planning your implementation. Maybe you need a reverse proxy to handle a large volume of traffic to a web server farm you host. Maybe you’re looking to do some web filtering and encrypted packed inspection. Maybe you just want a transparent proxy to passively watch your traffic for trend analysis. Once you have determined your purpose, evaluate your options and pick the products and services that best fit your needs and budget.  I know I keep saying this over and over, but if you don’t have the skills in house to make a proxy implementation work for you, please don’t hesitate to reach out for help. This is also true for ongoing management of the solution and a Managed Security Service is a worthwhile investment.

If you’re using the intelligence and logs gathered by a proxy, please be sure to feed them into your SIEM (if you have one) or other logging platform. It’s worthwhile adjusting this feed now and then so you’re only gathering useful information from the proxies.

With a plan and design in place, implement the solution. Be sure to thoroughly test the solution with as many scenarios and use cases as you can – the last thing you need is a proxy blocking a critical application! If this involves encrypted traffic, it is doubly critical to test and verify.

Pitfalls? Please, please, please make sure that you spec your proxy solution to handle the workloads you are inspecting plus room for growth. Users get very grumpy when their connections slow down. How many times have you heard “the network is slow” or “the network is down” when really, it’s just swamped trying to protect the masses? 

Because there are so many ways to implement proxies, there are more ways than I can elaborate on here, so be sure that whichever proxy solution you choose is fit for purpose. Be wary around solutions that purport to be full forward and reverse proxies – it needs to be able to handle BOTH loads, conceivably at the same time, so planning and verifying your requirements and specifications is paramount.

Ghosts in the Machine? A proxy by itself is not a be-all and end-all, so never allow yourself to get a false sense of security. Remain vigilant and practice safe computing and be sure a proxy works in your defence in depth strategy or else you may be wasting time and money. Realise that human error can and will occur in even most robust environments so while focusing on prevention, also plan for response and recovery.

Anything Missing? Any time you plan to manage network traffic, please be sure you have a policy supported and enforced by management. As with everything else in your infrastructure, change management is a must to properly vet and control proposed changes and their intended purposes.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party.  The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such.  Appropriate legal advice should be obtained in actual situations.  All images, unless otherwise credited, are licensed through ShutterStock

Views: 7

Join the Discussion ...

You need to be a member of CISO Platform to join the discussion!

Join CISO Platform

© 2020   Created by CISO Platform.   Powered by

Badges  |  Report an Issue  |  Privacy Policy  |  Terms of Service