Cisco Web Security Appliance S170 User Guide
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 13 Data Security and External DLP Policies
Evaluating Data Security and External DLP Policy Group Membership
• Monitor. The Web Proxy continues comparing the transaction to the other Data Security Policy
group control settings to determine whether to block the transaction or evaluate it against the Access
Policies.
For Cisco IronPort Data Security Policies, only the Block action is a final action that the Web Proxy takes
on a client request. A final action is an action that causes the Web Proxy to stop comparing the
transaction to all other control settings. The Monitor and Allow actions are intermediary actions. In both
cases, the Web Proxy evaluates the transaction against the External DLP Policies (if configured) and
Access Policies. The Web Proxy determines which final action to apply based on the Access Policy
group control settings (or an applicable external DLP Policy that may block the request).
shows the order that the Web Proxy uses when evaluating control settings for
Cisco IronPort Data Security Policies. The flow diagram shows that the only actions applied to a
transaction are the final actions: Block and evaluate against the Access Policies.
For more information on the possible Access Policy actions, see
. For
more information on the Monitor action for Access Policies, see
.
External DLP Policy Groups
To configure the Web Security appliance to handle upload requests on an external DLP system, perform
the following tasks:
Step 1
Define an external DLP system. To pass an upload request to an external DLP system for scanning, you
must define at least one ICAP-compliant DLP system on the Web Security appliance. Do this on the
Network > External DLP Servers page. For more information, see
Step 2
Create and configure External DLP Policy groups. After an external DLP system is defined, you
create and configure External DLP Policy groups to determine which upload requests to send to the DLP
system for scanning.
When an upload request matches an External DLP Policy, the Web Proxy sends the upload request to the
DLP system using the Internet Content Adaptation Protocol (ICAP) for scanning. The DLP system scans
the request body content and returns a block or allow verdict to the Web Proxy. The allow verdict is
similar to the Allow action for Cisco IronPort Data Security Policies in that the upload request will be
compared to the Access Policies. The final action the Web Proxy takes on the request is determined by
the applicable Access Policy.
For more information about configuring External DLP Policy groups, see
.
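The ICAP exchange described above, sketched in Python as an added example (not from the Cisco guide or the appliance's own code): it frames an upload as an RFC 3507 REQMOD message and maps the DLP server's response to a verdict. The host names, the service path and the mapping of a 204 or an encapsulated `res-hdr` to allow or block are assumptions based on common ICAP server behaviour; the guide does not specify them.

```python
"""ICAP REQMOD framing (RFC 3507) for one upload, plus verdict parsing."""
CRLF = b"\r\n"

def build_reqmod(icap_host, service, http_head, body):
    """Wrap an HTTP upload (header block + body bytes) in a REQMOD message."""
    if not http_head.endswith(CRLF + CRLF):
        raise ValueError("HTTP header block must end with an empty line")
    if not body:
        raise ValueError("no body to scan; RFC 3507 uses null-body for that")
    icap_head = CRLF.join([
        f"REQMOD icap://{icap_host}/{service} ICAP/1.0".encode(),
        f"Host: {icap_host}".encode(),
        b"Allow: 204",  # lets the server answer 204 instead of echoing the request
        # Offsets are counted from the start of the encapsulated section.
        f"Encapsulated: req-hdr=0, req-body={len(http_head)}".encode(),
    ]) + CRLF + CRLF
    # Encapsulated bodies are always chunked: hex length, data, zero-length chunk.
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    return icap_head + http_head + chunked

def parse_verdict(response):
    """Return 'allow', 'block' or 'error' for a raw ICAP response."""
    head = response.partition(CRLF + CRLF)[0]
    lines = head.split(CRLF)
    parts = lines[0].split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/") or not parts[1].isdigit():
        return "error"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    status, enc = int(parts[1]), headers.get(b"encapsulated", b"")
    if status == 204:
        return "allow"   # request passes unmodified
    if status == 200 and enc.startswith(b"res-hdr"):
        return "block"   # assumption: server substituted an HTTP error response
    if status == 200 and enc.startswith(b"req-hdr"):
        return "allow"   # request returned, possibly modified
    return "error"       # caller decides whether to fail open or closed

if __name__ == "__main__":
    # Constructed sample upload and responses, not captured traffic.
    head = b"POST /upload HTTP/1.1\r\nHost: files.example.test\r\nContent-Length: 16\r\n\r\n"
    print(build_reqmod("dlp.example.test", "reqmod", head, b"constructed-data").decode())
    print(parse_verdict(b'ICAP/1.0 204 No Content\r\nISTag: "x"\r\n\r\n'))
```

An `error` result is the case to decide on deliberately: treating an unreachable or malformed DLP response as allow lets uploads bypass scanning.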
Evaluating Data Security and External DLP Policy Group Membership
Each client request is assigned to an Identity and is then evaluated against the other policy types to
determine which policy group it belongs to for each type. The Web Proxy evaluates upload requests against
the Data Security and External DLP Policies.