This collection of How To articles provides a step-by-step guide to implement SafeSquid, and optimally use its various features.
Install SafeSquid Secure Web Gateway
You can set up your secure web gateway using different installation mechanisms, depending on your deployment plan.
SafeSquid Appliance Builder (Recommended)
With the rise of distributed workforces, backhauling all traffic to an on-premise solution is not efficient. To set up SafeSquid SWG on your preferred cloud PaaS platform or on your own private cloud infrastructure, use the SafeSquid cloud image or cloud-init script.
If you want to set up SafeSquid on existing infrastructure, or want to use a Linux distribution other than Ubuntu, you can download the SafeSquid tarball and install it manually. You will need to partition the disks appropriately, fine-tune some of the features, and make additional configuration changes to services used by SafeSquid, such as Monit and BIND9.
SafeSquid is regularly maintained with bug fixes and enhancements. Upgrade to the latest stable version of SafeSquid to access the latest features and the best user experience.
SafeSquid has a built-in web-based UI that enables you to manage your instance, configure policies, fine-tune features, and monitor your secure web gateway. First, create a policy at the top of the policy list that allows at least one admin account to access the configuration portal, so that you do not lock yourself out while configuring policies.
For deep content inspection of encrypted HTTPS traffic, enable HTTPS Inspection to safeguard against threats concealed in encrypted connections.
You may need to bypass SSL Inspection for websites that should not be decrypted by the proxy, such as intranet websites. You may also choose to bypass inspection of requests that carry personally identifiable information.
SafeSquid has a dynamic user and group identity management system with configurable identification options.
Profile clients based on network identifiers
In shared-workstation, guest, and static-IP networks, access control policies are defined based on device-specific network signatures. Devices that do not support credential verification, such as printers and IoT devices, are identified by IP address. This also enables you to secure different network segments differently.
SafeSquid is also optimised to connect to multiple directory services concurrently. When credentials are entered, SafeSquid verifies the user against the appropriate directory service and caches user data efficiently.
Integrate with PAM service
For flexible and modular authentication, SafeSquid supports integration with all Linux-PAM authentication modules, including biometric and custom authentication schemes.
Verify user credentials with in-built credential store
Multi-Factor Authentication
For heightened security, combine network-based and credential-based authentication.
To apply uniform security policies based on the roles, responsibilities, and risk profiles of different sets of users, you can add user profiles to groups.
When you integrate your enterprise directory service, SafeSquid automatically extracts group membership information.
Applications that do not support proxy authentication need to be exempted from authentication so they are not disrupted, while user authentication is maintained for other applications.
To efficiently manage access to websites based on their content category, SafeSquid has a dynamic web categorisation engine. Real-time updates to SafeSquid’s web categorisation database ensure accurate classification of more than a million websites into over a hundred categories. In addition, advanced heuristic algorithms categorise unknown websites in real time, based on URL, content, functionality, target audience, thematic focus, and web traffic behavioural patterns.
Furthermore, custom categorisation gives security administrators the ability to manually classify websites into private categories. Wildcards can be used to place domain variants under the same category.
Control application behaviour
With SafeSquid, you can effectively control the behaviour of every feature of every Web 2.0 application. By default, SafeSquid can identify every feature of over a thousand applications, using a continuously updated database.
Furthermore, security administrators can define application signatures for custom-built enterprise software, and control their behaviour.
Results from search engines may be harmful or explicit. To ensure inappropriate content is not served, enforce the optional SafeSearch filters that search engines provide.
Moreover, to prevent cyberslacking on YouTube, organisations can limit access to specific categories of videos, specific YouTube channels, or even specific videos.
To prevent sophisticated phishing attacks, restrict logins, per role, to business-critical websites only.
Upload/Download restriction
You can impose role-based, site-specific file size limits and file type restrictions on uploads and downloads, including overall volume quota management.
To permit only viewing content on Web 2.0 applications without engaging in interactive features, organisations can implement a "read-only" mode. This feature is particularly useful on social networking websites such as Facebook, LinkedIn, Twitter, and Reddit.
SafeSquid can seamlessly redirect the users to preferred or region-specific versions of websites.
Secure access to product interface
By provisioning a dedicated network channel for the product interface, you can isolate the policy configuration. Furthermore, you can restrict access of the interface to administrators only.
Advertisements are annoying, intrusive, and distracting. Blocking banner ads results in cleaner-looking web pages that load faster and conserve bandwidth.
SafeSquid offers customizable scheduling options for security policies, allowing temporal control over web traffic. Thus, you may allow access to specific websites based on the time of day, like social media during lunch hours.
DNS tunnelling attacks evade legacy HTTP-based security solutions because the exploit is carried out via DNS queries, which are traditionally perceived as non-threatening. Integrating with a customisable DNSBL server enables your Security Operations Centre (SOC) to effectively block domains at the DNS level.
Filter IP based on geolocation
To defend against state-sponsored cyberattacks, and regional malware outbreaks, SafeSquid’s Geo-IP can block traffic from specific geographical regions.
Enforce Content Security Policy (CSP)
By restricting the sources of executable scripts and resources, enforcing CSP at the secure web gateway mitigates the risk of Cross-Site Scripting (XSS) and other injection attacks.
To block virus uploads and downloads, SafeSquid offers diverse antivirus setups to ensure comprehensive protection against various threats. To defend against zero-day malware, we recommend minimising the vulnerability window with a multi-layered antivirus scanning approach.
SafeSquid’s integrated on-the-wire malware scanner employs advanced heuristic techniques to evaluate and sanitize all payloads, including those that are compressed or encrypted.
SafeSquid seamlessly integrates with the ClamAV engine for signature-based malware detection. Furthermore, its customisable configuration lets security administrators add PCRE keyword expressions that are sensitive to the organisation. This enables deep packet inspection for confidential information in archive files, emails, and Instant Messaging (IM) traffic.
SafeSquid facilitates simultaneous connection with various ICAP-based threat detection services for broader security coverage. With its Intelligent Threat Quarantine Mechanism, SafeSquid automatically isolates content flagged by ICAP services.
SafeSquid’s Content Analyser has a keyword scoring system that thoroughly inspects all textual and multimedia content in real time to prevent exposure to unsuitable material such as pornography or violence. Furthermore, you can use Perl Compatible Regular Expressions for sophisticated keyword detection in content filtering. User-adjustable settings allow fine-tuning the sensitivity of the content detection system. The image-filtering AI system updates in real time for up-to-date and effective visual content analysis.
Websites generally use third-party cookies to track user activity. Blocking third-party cookies is essential for user privacy and security. SafeSquid offers a user-configurable option to limit the tracking data received by remote websites, bolstering user privacy.
Prioritise mission critical traffic
Mission-critical applications and services are vital for business continuity. By prioritising mission-critical traffic, these applications get the bandwidth and low latency they need to perform optimally.
Segregate network channel for an application
Provisioning dedicated pathways for mission-critical applications reduces the risk of network congestion. Additionally, implementation of QoS policies ensures high-priority traffic gets the required resources and treatment.
In the event of a network disruption or disaster, managing bandwidth ensures that essential services and applications continue to operate, supporting business continuity and disaster recovery efforts.
Multi-homing your network
Using multiple Internet Service Providers (ISPs) minimises the risk of downtime due to an outage at a single provider. Splitting load between different ISPs allows you to manage bandwidth more effectively by leveraging the combined capacity of multiple ISPs.
Cluster your proxy servers
By linking multiple proxy nodes in a load-balanced or failover cluster, you can enhance performance and reliability. SafeSquid supports both active-active and active-standby modes, catering to different operational requirements. Instances activated with the same key have consistent policy replication and private web category synchronisation.
Content Caching leads to faster load times and reduced bandwidth usage at the cost of increased management complexity and potential staleness of cached content. SafeSquid offers a neat, efficient, and manageable solution to only store content from frequently accessed websites.
Organisations can customize blocking templates to conform to organizational branding and communication styles.
Recover from a disaster
With SafeSquid’s 365-day integrated cloud backup and disaster recovery, you can restore the last saved configuration.
With a range of versatile proxy operational configuration settings, SafeSquid can cater to diverse network requirements.
As a forward proxy, SafeSquid acts as an intermediary for requests from clients seeking resources from other servers, enabling organisations to protect internet users. Here, client applications are explicitly configured to use a specified proxy server.
As a reverse proxy, SafeSquid sits between external clients and internal servers, intercepting requests from clients and forwarding them to the appropriate server, enabling organizations to protect web resources.
You can choose to route traffic through multiple proxy servers before reaching the final destination. A multi-layered approach makes it harder for attackers to intercept or tamper with the traffic.
To facilitate proxy-unaware applications, seamlessly redirect traffic by configuring SafeSquid as a Transparent Proxy. As no client configuration is required, deployment is quick and easy.
Leverage Proxy Auto-Configuration (PAC)
SafeSquid supports PAC files to enable automatic traffic distribution across a proxy cluster.
SafeSquid generates large log files and reports for traffic analysis. Managing disk space on a SafeSquid server is therefore crucial to ensure enough space is always available.
To identify the root cause of usability issues and performance bottlenecks, SafeSquid offers multiple levels of troubleshooting assistance.
Monitor SafeSquid health
The SafeSquid Dashboard displays the status of each modular function, integration, and database, and enables administrators to analyse the performance of the secure web gateway.
To visualise performance metrics, administrators can also generate the performance plots.
Use the SWG troubleshooter
SafeSquid’s troubleshooting tool provides a web interface to assist you in identifying common problems in accessing websites.
SafeSquid has customisable logging options for diverse usage analytics, debugging, and performance validation requirements. SafeSquid’s Open Format logs are human-readable, and structured for programmatic analysis using elementary tools. Logs are also streamed to the product interface for quick impact analysis of configuration changes.
SafeSquid application logs are stored in plain text form under the /var/log/safesquid directory. A comprehensive set of logging modules offers advanced forensic capabilities for enhanced network security and usage analysis.
Manage log storage
SafeSquid logs are automatically time-stamped, and the latest log file is rotated. To reduce the footprint, SafeSquid has configurable options for compressing log files and scavenging old data.
SafeSquid also facilitates real-time transport of logs to remote aggregators and analytics facilities such as a SIEM.