For 572 Notes


Proxy Servers: A proxy server keeps a copy, or cache, of the content it fetches on behalf of a client. If another client requests the same page soon thereafter, the proxy simply serves the cached copy without re-requesting the page over the (slow, expensive) T-1 link. The same choke point is also where an organisation prevents bad things (access control, filtering), and it gives the investigator two sources of evidence:
- Log data: an access list for all HTTP(S) traffic that passed through the proxy
- Cache data: copies of the objects transacted for all HTTP(S) traffic

Proxy Logs: Typical proxy logs not only include elements like the time, the requester's IP address, and the URL, but also the result status of the request and, sometimes, the user name that made it.

Blue Coat Proxy: an appliance used widely in corporate enterprise networks. It includes the built-in ability to perform SSL proxying (interception), so HTTPS requests can show up in its logs and cache like plain HTTP ones.

Reverse Proxy: In this model, proxy servers broker requests from a large number of client systems to a smaller number of servers. A reverse proxy often also provides load balancing, compression, and other performance-enhancing functionality.

Squid Proxy Server: free, relatively easy to deploy, yet flexible enough for complex deployments. Three main forensically relevant elements:
- Configuration file: /etc/squid/squid.conf -- the configuration file is invaluable in determining the location and meaning of the other sources of evidence (log format, log and cache paths, ACLs). The default configuration is generally kept alongside it in /etc/squid/squid.conf.default.
- Log files: /var/log/squid/* -- the log files provide what is essentially an access roster of all client requests that the proxy handled.
- Cache data: /var/spool/squid -- the proxy's cache holds the responses that web servers returned to client requests.

Squid listens on TCP port 3128 by default (http_port 3128 in the config file).

Access Control: To create fine-grained behaviour based on traffic characteristics, Squid uses access control lists (acl lines, applied by http_access rules in order). ACLs can be built on criteria such as:
- Source IP address
- User authentication
- User-Agent
- Day and time
- Regular expression matching on the requested URL
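The following squid.conf fragment is an added example (not from these notes or from the Squid project) that turns each criterion above into an acl line and applies them with http_access rules, which Squid evaluates top to bottom, with several ACLs on one line being AND-ed. The network range, hours and names are assumptions for the illustration; the proxy_auth line additionally needs an auth_param helper configured elsewhere in the file.

```conf
# Source IP: the internal client network (assumed range)
acl localnet      src          192.168.75.0/24
# User authentication: any user the configured auth_param helper accepts
acl auth_users    proxy_auth   REQUIRED
# User-Agent header, case-insensitive regex
acl cli_agents    browser      -i ^curl/
# Day and time: Mon-Fri office hours (day letters S M T W H F A = Sun..Sat)
acl office_hours  time         MTWHF 08:00-18:00
# Regex on the URL path
acl exe_download  urlpath_regex -i \.exe$
# Regex on the whole URL: requests addressed to a raw IP instead of a host name
acl direct_ip     url_regex    -i ^https?://[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+

http_access deny  exe_download
http_access deny  direct_ip
http_access deny  cli_agents
# internal, authenticated, during office hours: all three must hold
http_access allow localnet auth_users office_hours
http_access deny  all
```

Forensically, the acl and http_access lines explain the TCP_DENIED entries in access.log and tell you which user name the log's user field can be expected to carry.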

refresh_pattern option: controls how Squid determines whether the objects in its cache are "FRESH" or "STALE". If a cached object is deemed "STALE", the proxy will attempt to retrieve a newer version from the origin server and then re-cache the newly updated copy.

Cache content lifetime: the server providing the content can itself set parameters (Expires, Cache-Control, Last-Modified headers) for how long the content should be cached. If these are not present, Squid falls back to the refresh_pattern defaults in its configuration.

Format of a refresh_pattern line (this is the default ftp rule shipped in squid.conf):

#               regex   min     pct     max
refresh_pattern ^ftp:   1440    20%     10080

- RegEx: regular expression matched against the requested URL
- Min: minimum time (in minutes) an object is considered "FRESH"
- Pct: percentage of the object's age at cache time for which it is still considered "FRESH" (the lm-factor)
- Max: maximum time (in minutes) an object is considered "FRESH"

  Last-Modified                Cached                  Cache Expiration [server]
       |                          |                              |
  -----+--------------------------+------------------------------+------------------>
                                  |<-- "Fresh": serve from ----->|<-- "Stale": verify
                                  |    cache                     |    state with server

http://www.squid-cache.org/Doc/config/refresh_pattern/

Basically a cached object is:

FRESH if expires > now, else STALE
STALE if age > max
FRESH if lm-factor < percent, else STALE
FRESH if age < min
else STALE

Here age is the time the object has sat in the cache, and lm-factor is that age divided by the time between the object's Last-Modified date and the moment it was cached. The rules apply in order: an explicit Expires header decides on its own, max is a hard ceiling, and min only comes into play for responses that carried no Last-Modified date.

Squid Logs: access.log

Default (native) format, one request per line, fields separated by whitespace:
- UNIX timestamp (sec.ms)
- Response time (ms)
- Requester IP/name
- Cache status & HTTP status code (e.g. TCP_MISS/200)
- Reply size (bytes)
- Request method (GET/POST/etc.)
- URL requested*
- User name (if applicable; "-" otherwise)
- Squid hierarchy status & server IP/peer name
- MIME type

ex: 1339038269.433 531 192.168.75.19 TCP_MISS/200 17746 GET http://www.nu.nl - DIRECT/62.69.184.21 text/html

* Query strings are not logged by default: Squid strips everything after the ? from the URL before writing the line, which loses parameters an investigation may care about. To log them, add the following to /etc/squid/squid.conf:

strip_query_terms off
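A parser for the native access.log format described above, as an added example that is not part of the notes or of Squid. The sample lines are constructed: the first is the example line from these notes, the others are invented to show a cache hit, an authenticated user whose query string was kept (strip_query_terms off), and a denied CONNECT. The per-client summary at the end is the kind of first triage pass an analyst would run over a seized log.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample in Squid's native access.log format (not real traffic).
SAMPLE_LOG = """\
1339038269.433    531 192.168.75.19 TCP_MISS/200 17746 GET http://www.nu.nl - DIRECT/62.69.184.21 text/html
1339038275.102      4 192.168.75.19 TCP_HIT/200 17746 GET http://www.nu.nl - NONE/- text/html
1339038301.917   1204 192.168.75.42 TCP_MISS/302 612 GET http://www.example.org/login?user=jsmith&next=%2Fadmin jsmith DIRECT/93.184.216.34 text/html
1339038333.004     88 192.168.75.42 TCP_DENIED/403 3875 CONNECT mail.example.net:443 - HIER_NONE/- text/html
"""

FIELDS = ("ts", "duration_ms", "client", "result", "bytes", "method",
          "url", "user", "hierarchy", "mime")


def parse_line(line: str) -> Dict[str, object]:
    """Split one native-format line into typed fields.

    Squid writes the URL and user name without whitespace and the MIME type
    last, so a plain whitespace split into exactly 10 fields works here.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: Dict[str, object] = dict(zip(FIELDS, parts))
    cache_status, http_status = parts[3].split("/", 1)     # e.g. TCP_MISS / 200
    hier_status, peer = parts[8].split("/", 1)             # e.g. DIRECT / 62.69.184.21
    rec.update(
        time=datetime.fromtimestamp(float(parts[0]), tz=timezone.utc),
        duration_ms=int(parts[1]),
        bytes=int(parts[4]),
        cache_status=cache_status,
        http_status=int(http_status),
        hier_status=hier_status,
        peer=None if peer == "-" else peer,                # server the proxy actually contacted
        user=None if parts[7] == "-" else parts[7],
        served_from_cache="HIT" in cache_status,            # TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT ...
    )
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def request_host(rec: Dict[str, object]) -> str:
    """Host part of the logged URL; CONNECT requests log only host:port."""
    url = str(rec["url"])
    return url.split("/")[2] if "://" in url else url


def per_client_summary(records: List[Dict[str, object]]) -> Dict[str, dict]:
    """Requests, bytes, hosts and user names seen per client IP."""
    out: Dict[str, dict] = {}
    for r in records:
        s = out.setdefault(str(r["client"]),
                           {"requests": 0, "bytes": 0, "hosts": set(), "users": set()})
        s["requests"] += 1
        s["bytes"] += int(r["bytes"])
        s["hosts"].add(request_host(r))
        if r["user"]:
            s["users"].add(r["user"])
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r["time"].strftime("%Y-%m-%d %H:%M:%S"), r["client"], r["user"] or "-",
              r["cache_status"], r["http_status"], r["method"], r["url"], r["peer"] or "-")
    for client, s in per_client_summary(recs).items():
        print(client, s["requests"], "requests,", s["bytes"], "bytes, hosts:", sorted(s["hosts"]))
```

Two things the parser makes explicit that are easy to misread in the raw line: the timestamp is UTC epoch seconds regardless of the proxy's local time zone, and the peer field is the address the proxy actually connected to, which for a hit is "-" because no server was contacted at all.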