Cisco Web Security Appliance S160 User Guide
Cisco IronPort AsyncOS 7.5 for Web User Guide
Chapter 11 Decryption Policies
Decryption Policies Overview
• Pass through. The appliance passes through the connection between the client and the server
without inspecting the traffic content. You might want to pass through connections to trusted secure
sites, such as well-known banking and financial institutions.
• Decrypt. The appliance allows the connection, but inspects the traffic content. It decrypts the traffic
and applies Access Policies to the decrypted traffic as if it were a plaintext HTTP connection. By
decrypting the connection and applying Access Policies, you can scan the traffic for malware. You
might want to decrypt connections to third-party email providers, such as Gmail or Hotmail. For more
information about how the appliance decrypts HTTPS traffic, see
.
Note
The actions above are final actions the Web Proxy takes on an HTTPS request. The “Monitor” action
you can configure for Decryption Policies is not a final action. For more information, see
.
Once the appliance assigns a Decryption Policy to an HTTPS connection request, it evaluates the request
against the policy group’s configured control settings to determine which action to take. You can
configure URL filter and web reputation settings to determine how to handle HTTPS requests for a
particular policy group. For more information about how the appliance uses Decryption Policy groups
to control HTTPS traffic, see
Note
Cisco recommends creating fewer, more general Decryption Policy groups that apply to all users or
fewer, larger groups of users on the network. Then, if you need to apply more granular control to
decrypted HTTPS traffic, use more specific Access Policy groups. For more information about Access
Policy groups, see
For information about creating and using policy groups, see
Note
The next two sections contain information about digital cryptography and HTTPS for reference only.
Personally Identifiable Information Disclosure
If you choose to decrypt an end-user’s HTTPS session, then the Web Security appliance access logs and
reports may contain personally identifiable information. Cisco recommends that Web Security appliance
administrators take care when handling this sensitive information.
You also have the option to configure how much URI text is stored in the logs using the
advancedproxyconfig CLI command and the HTTPS subcommand. You can log the entire URI, or a
partial form of the URI with the query portion removed. However, even when you choose to strip the
query from the URI, personally identifiable information may still remain.
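An added example (not from the Cisco guide or the appliance's code) illustrating the point above: it models the partial-URI log form as dropping everything from the "?" onward and checks constructed sample URIs for personal data that survives in the path. The patterns, function names and hostnames are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote

# Illustrative patterns (assumptions, not an exhaustive PII taxonomy).
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "long_number": re.compile(r"(?<!\d)\d{9,}(?!\d)"),  # account/phone-like ids
    "hex_token": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32,}(?![0-9a-fA-F])"),
}

def strip_query(uri: str) -> str:
    """Model the partial-URI log form: drop the query and fragment."""
    parts = urlsplit(uri)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

def residual_pii(uri: str) -> dict:
    """Return PII-like matches still present after the query is removed."""
    parts = urlsplit(strip_query(uri))
    # Percent-decode so 'alice%40example.com' is seen as an e-mail address.
    text = unquote(parts.netloc + parts.path)
    hits = {}
    for label, pattern in PII_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[label] = found
    return hits

# Constructed sample URIs (not taken from any real log).
SAMPLE_URIS = [
    # PII only in the query: stripping removes it.
    "https://mail.example.test/inbox?user=alice%40example.com&session=abc",
    # PII in the path: stripping the query does not help.
    "https://shop.example.test/profile/alice%40example.com/orders?page=2",
    "https://bank.example.test/accounts/123456789012/statement?month=05",
    "https://files.example.test/reset/9f86d081884c7d659a2feaa0c55ad015",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(strip_query(uri), "->", residual_pii(uri) or "no PII pattern matched")
```

Running a check like this over a sample of access-log entries helps decide whether the stripped form is enough or whether log access and retention also need tightening.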
Understanding the Monitor Action
When the Web Proxy evaluates the control settings against a transaction, it evaluates the settings in a
particular order. Each control setting can be configured to one of the following actions for Decryption
Policies:
• Monitor