As most websites move to SSL, packet analysis is becoming increasingly tricky. However, setting up a proxy server is one way to create a central point for protection and monitoring. Typically, setup involves blocking all outbound network traffic that does not go through the proxy. The proxy server stores logs of all URLs accessed, and you can extend the functionality with content-filtering blacklists. In today’s example, I am leveraging Fedora 28 and Squid.
To get started, simply run: yum install squid
Next, start the squid service with: service squid start
Configure the Browser
If you have configured the perimeter firewall to allow outbound internet access only from your proxy, then the next step will be to configure the proxy server setting in your browser. You can find this in most browsers by navigating to Settings → Network Connections. I am setting this example up on my local box, so that is why I used localhost as the proxy server. In most cases, you would want to use the IP address of your proxy server.
If you run this on your network and limit all inbound/outbound traffic, then you have an amazing tool for analyzing web behavior. Looking at /var/log/squid/access.log will show you all of the web traffic for each client.
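As an added illustration (not part of the original post), here is a small Python parser for Squid's default native access.log format that totals traffic per client, counts requests denied by an ACL, and picks out CONNECT tunnels the proxy cannot see inside; the log lines are constructed for the example and use reserved address ranges.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit
# Squid's default "native" access.log layout:
# time elapsed client action/code size method url ident hierarchy/from content-type
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>[A-Z_]+)/(?P<status>\d{3})"
    r"\s+(?P<size>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

# Constructed sample lines (not from a real proxy); addresses come from reserved example ranges.
SAMPLE_LOG = """\
1525000000.123     45 192.168.1.10 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -
1525000001.456     12 192.168.1.10 TCP_MISS/200 2048 GET http://example.org/index.html - HIER_DIRECT/93.184.216.34 text/html
1525000002.789      0 192.168.1.11 TCP_DENIED/403 3847 GET http://blocked.test/ - HIER_NONE/- text/html
1525000003.100     30 192.168.1.11 TCP_TUNNEL/200 900 CONNECT 203.0.113.5:8443 - HIER_DIRECT/203.0.113.5 -
"""

def parse_line(line):
    # One native-format line -> dict of fields, or None if it does not match the layout.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec

def destination(rec):
    # (host, port): CONNECT logs host:port, every other method logs a full URL.
    if rec["method"] == "CONNECT":
        host, _, port = rec["url"].rpartition(":")
        return host, int(port)
    u = urlsplit(rec["url"])
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)

def summarize(log_text):
    """Per-client totals, plus CONNECT tunnels to a bare IP or a non-443 port for review."""
    clients = defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0, "hosts": set()})
    review = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        host, port = destination(rec)
        c = clients[rec["client"]]
        c["requests"] += 1
        c["bytes"] += rec["size"]
        c["hosts"].add(host)
        if rec["action"] == "TCP_DENIED":      # blocked by an ACL or blacklist
            c["denied"] += 1
        # The proxy cannot inspect a TLS tunnel, so flag tunnels that look unusual.
        if rec["method"] == "CONNECT" and (port != 443 or re.fullmatch(r"[\d.]+", host)):
            review.append((rec["client"], host, port))
    return dict(clients), review
```

Point `summarize` at the contents of /var/log/squid/access.log to get the same per-client view for a real deployment.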
You can extend the use of Squid by installing blacklists from sites such as Shalla’s List and the tool SquidGuard.
By adding a proxy server, you are adding a significant amount of situational awareness, after-incident visibility, and protection. Squid is one of the many options, but it has been around for years and supports many OSes and other systems. As always, feel free to let me know if you have any questions via email: firstname.lastname@example.org.