Cisco Web Security Appliance S670 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide, page 13-3
Chapter 13 Data Security and External DLP Policies

Working with Data Security and External DLP Policies
Cisco IronPort Data Security Policies and External DLP Policies define how the Web Proxy handles HTTP requests and decrypted HTTPS connections for transactions that upload data to a server (upload requests). The difference between the two is where the decision logic lives: Cisco IronPort Data Security Policies use logic defined on the Web Security appliance, whereas External DLP Policies use logic defined on the external DLP system. An upload request is an HTTP or decrypted HTTPS request that has content in the request body.

When the Web Proxy receives an upload request, it compares the request to the Data Security and External DLP Policy groups to determine which policy group to apply. If both types of policies are configured, it compares the request to Cisco IronPort Data Security Policies before External DLP Policies. After it assigns the request to a policy group, it compares the request to the policy group's configured control settings to determine what to do with the request.
How you configure the appliance to handle upload requests depends on the policy group type. For more information, see and .
Note
Upload requests that try to upload files with a size of zero (0) bytes are not evaluated against Cisco IronPort Data Security or External DLP Policies.
Data Security Policy Groups
To configure the Web Security appliance to handle upload requests on the appliance itself, perform the following tasks:
Step 1
Enable the Cisco IronPort Data Security Filters. To scan upload requests on the appliance, you must first enable the Cisco IronPort Data Security Filters. Usually, the Cisco IronPort Data Security Filters feature is enabled during the initial setup using the System Setup Wizard. Otherwise, go to the Security Services > Data Security Filters page to enable it.
Step 2
Create and configure Data Security Policy groups. After the Cisco IronPort Data Security Filters feature is enabled, you create and configure Data Security Policy groups to determine how to handle upload requests from each user.
Cisco IronPort Data Security Policies use URL filtering, web reputation, and upload content information when evaluating the upload request. You configure each of these security components to determine whether or not to block the upload request. For more information about the security components that you can configure and how the Web Proxy uses Data Security Policy groups to control upload requests, see .
When the Web Proxy compares an upload request to the control settings, it evaluates the settings in order. Each control setting can be configured to perform one of the following actions for Cisco IronPort Data Security Policies:
  • Block. The Web Proxy does not permit the connection and instead displays an end user notification page explaining the reason for the block.
  • Allow. The Web Proxy bypasses the rest of the Data Security Policy security service scanning and then evaluates the request against the Access Policies before taking a final action.
    For Cisco IronPort Data Security Policies, Allow bypasses the rest of data security scanning, but does not bypass External DLP or Access Policy scanning. The final action the Web Proxy takes on the request is determined by the applicable Access Policy (or an applicable external DLP Policy that may block the request).
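The evaluation order described above (Data Security controls first, then External DLP, then the Access Policy, with zero-byte uploads skipping the first two stages and a data security Allow never being the final word), as an added Python model written for this section. It is not AsyncOS code; the policy group, its triggers and thresholds, and the stand-in DLP and Access Policy functions are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed model of the evaluation order this section describes; not AsyncOS code,
# and the group, controls and thresholds below are illustrative assumptions.
@dataclass
class Upload:
    user: str
    host: str
    body_size: int        # bytes in the request body (0 means not an evaluated upload)
    reputation: float     # assumed web reputation score, lower is worse
    content_type: str

@dataclass
class DataSecurityGroup:
    member: Callable[[Upload], bool]                      # which requests the group applies to
    controls: List[Tuple[Callable[[Upload], bool], str]]  # (trigger, "block"/"allow"), in order
def data_security_verdict(req: Upload, groups: List[DataSecurityGroup]) -> str:
    """First matching group decides; an 'allow' skips only the remaining controls."""
    for g in groups:
        if g.member(req):
            for trigger, action in g.controls:
                if trigger(req):
                    return action
            return "allow"    # assumption: no trigger fired, request passes through
    return "allow"            # no group matched

def decide(req: Upload, groups, external_dlp, access_policy) -> Tuple[str, str]:
    """Return (action, deciding stage): Data Security, then External DLP, then Access Policy."""
    if req.body_size > 0:     # zero-byte uploads skip both data security and external DLP
        if data_security_verdict(req, groups) == "block":
            return "block", "data-security"
        if external_dlp(req) == "block":   # a data security 'allow' does not bypass this
            return "block", "external-dlp"
    return access_policy(req), "access-policy"
# Constructed sample configuration (assumed values, not a real deployment).
GROUPS = [DataSecurityGroup(lambda r: r.user.startswith("eng-"), [
    (lambda r: r.host.endswith(".paste.example"), "block"),   # URL filtering
    (lambda r: r.reputation < -6.0, "block"),                 # web reputation
    (lambda r: r.content_type == "image/png", "allow"),       # upload content
])]
DLP = lambda r: "block" if r.content_type == "text/csv" else "allow"     # stand-in for the DLP system
ACCESS = lambda r: "block" if r.host == "blocked.example" else "allow"   # stand-in Access Policy

def demo() -> List[Tuple[str, str]]:
    reqs = [Upload("eng-alice", "files.example", 2048, 3.0, "text/csv"),
            Upload("eng-bob", "x.paste.example", 512, 5.0, "text/plain"),
            Upload("eng-bob", "x.paste.example", 0, 5.0, "text/plain"),
            Upload("eng-carol", "blocked.example", 100, 2.0, "image/png")]
    return [decide(r, GROUPS, DLP, ACCESS) for r in reqs]
```

Note that the third request is allowed only because its body is empty; the same host is blocked by the URL filtering control as soon as the body carries data.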