Cisco Web Security Appliance S670 User Guide

Chapter 10: Decryption Policies
the terms and definitions used in this book, see “Digital Cryptography Terms” on page 184. 
For an overview of the HTTPS protocol, see “HTTPS Basics” on page 186.
Decryption Policy Groups
Decryption Policies define how the appliance should handle HTTPS connection requests for 
users on the network. You can apply different actions to specified groups of users. You can 
also specify which ports the appliance should monitor for HTTPS transactions.
When a client makes an HTTPS request on a monitored secure port, the appliance compares 
the request to the Decryption Policy groups to determine in which Decryption Policy group 
the request belongs. Once it assigns the request to a Decryption Policy group, it can 
determine what to do with the connection request. For more information about evaluating 
policy group membership, see “Policy Group Membership” on page 113.
The appliance can perform any of the following actions on an HTTPS connection request:
• Drop. The appliance drops the connection and does not pass the connection request to 
the server. The appliance does not notify the user that it dropped the connection. You 
might want to drop connections to third-party proxies that allow users on the network 
to bypass the organization’s acceptable use policies.
• Pass through. The appliance passes through the connection between the client and the 
server without inspecting the traffic content. You might want to pass through connections 
to trusted secure sites, such as well-known banking and financial institutions.
• Decrypt. The appliance allows the connection, but inspects the traffic content. It decrypts 
the traffic and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP 
connection. By decrypting the connection and applying Access Policies, you can scan the 
traffic for malware. You might want to decrypt connections to third-party email providers, 
such as Gmail or Hotmail. For more information about how the appliance decrypts HTTPS 
traffic, see “Decrypting HTTPS Traffic” on page 191.
Note — The actions above are final actions the Web Proxy takes on an HTTPS request. The 
“Monitor” action you can configure for Decryption Policies is not a final action. For more 
information, see “Understanding the Monitor Action” on page 182.
Once the appliance assigns a Decryption Policy to an HTTPS connection request, it evaluates 
the request against the policy group’s configured control settings to determine which action to 
take. You can configure URL filter and web reputation settings to determine how to handle 
HTTPS requests for a particular policy group. For more information about how the appliance 
uses Decryption Policy groups to control HTTPS traffic, see “Controlling HTTPS Traffic” on 
page 207.
Note — IronPort recommends creating fewer, more general Decryption Policy groups that 
apply to all users or fewer, larger groups of users on the network. Then, if you need to apply 
more granular control to decrypted HTTPS traffic, use more specific Access Policy groups. For 
more information about Access Policy groups, see “Access Policies” on page 149.
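The evaluation flow described in this section, modelled as an added example that is not taken from the appliance or from this guide: a request is assigned to a group, the group's URL filter setting is checked, and a non-final "monitor" result falls through to web reputation. Assumptions: groups are matched top-down by client subnet, URL filtering is evaluated before web reputation, and every group name, category name and score threshold is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

FINAL = {"drop", "pass_through", "decrypt"}  # the three final actions; "monitor" is not final

@dataclass
class PolicyGroup:
    name: str
    subnets: list           # membership test (assumption: client subnet only)
    category_actions: dict  # URL category -> action; unlisted categories are monitored
    reputation_bands: list  # (min_score, final action), highest min_score first
    default_action: str = "decrypt"  # assumption: used when no band matches

def select_group(groups, client_ip):
    """Return the first group containing the client (assumption: top-down, first match)."""
    ip = ip_address(client_ip)
    for group in groups:
        if any(ip in ip_network(net) for net in group.subnets):
            return group
    raise LookupError("no group matched; end the list with a catch-all group")

def decide(groups, client_ip, url_category, reputation):
    """Return (group name, final action, trace) for one HTTPS connection request."""
    group = select_group(groups, client_ip)
    action = group.category_actions.get(url_category, "monitor")
    trace = [f"group={group.name}", f"url_filter={action}"]
    if action not in FINAL:  # Monitor: keep evaluating against web reputation
        action = next((a for floor, a in group.reputation_bands if reputation >= floor),
                      group.default_action)
        trace.append(f"web_reputation={action}")
    return group.name, action, trace

def uninspected(groups):
    """Audit helper: URL categories each group passes through without content inspection."""
    return {g.name: sorted(c for c, a in g.category_actions.items() if a == "pass_through")
            for g in groups}

# Constructed sample policy: names, subnets, categories and scores are illustrative.
GROUPS = [
    PolicyGroup("finance-desk", ["10.20.0.0/24"],
                {"finance": "pass_through", "proxy_avoidance": "drop"},
                [(6.0, "pass_through"), (-6.0, "decrypt"), (-10.0, "drop")]),
    PolicyGroup("global", ["0.0.0.0/0"],
                {"proxy_avoidance": "drop", "webmail": "decrypt"},
                [(-6.0, "decrypt"), (-10.0, "drop")]),
]

if __name__ == "__main__":
    for request in [("10.20.0.7", "finance", 2.0), ("10.9.9.9", "webmail", 8.0),
                    ("10.9.9.9", "news", -7.5)]:
        print(request, "->", decide(GROUPS, *request))
    print("pass-through categories:", uninspected(GROUPS))
```

The `uninspected` helper lists the categories that skip malware scanning because they are passed through, which is the part of a decryption policy most worth reviewing periodically.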