Cisco Web Security Appliance S190 User Guide
10-3
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 10 Decryption Policies
Decryption Policies Overview
This book uses many terms from digital cryptography. This book also includes
sections with background information about HTTPS and digital cryptography for
reference only. For a list of the terms and definitions used in this book, see
. For an overview of the HTTPS protocol, see
.
Note
Sections in this chapter that refer to a “certificate and key” imply a certificate and
private key.
Decryption Policy Groups
Decryption Policies define how the appliance should handle HTTPS connection
requests for users on the network. You can apply different actions to specified
groups of users. You can also specify which ports the appliance should monitor
for HTTPS transactions.
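The following model of that evaluation is an added illustration, not code from the guide or from AsyncOS: monitored ports, a set of Decryption Policy groups with membership criteria, and the three actions this chapter describes (drop, pass through, decrypt). The top-to-bottom, first-match ordering, the treatment of unmonitored ports as pass-through, and the group names, hosts and subnets are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Actions a Decryption Policy group can apply to an HTTPS connection request.
DROP, PASS_THROUGH, DECRYPT = "drop", "pass_through", "decrypt"

@dataclass
class PolicyGroup:
    """One Decryption Policy group: who it applies to and what it does."""
    name: str
    action: str
    users: set = field(default_factory=set)      # matching usernames; empty = any
    subnets: list = field(default_factory=list)  # client subnets; empty = any
    hosts: set = field(default_factory=set)      # destination hosts; empty = any

    def matches(self, user, client_ip, host):
        if self.users and user not in self.users:
            return False
        if self.subnets and not any(ip_address(client_ip) in n for n in self.subnets):
            return False
        if self.hosts and host not in self.hosts:
            return False
        return True

@dataclass
class DecryptionPolicies:
    monitored_ports: set
    groups: list          # assumption: evaluated top to bottom, first match wins
    default_action: str   # action of the global (default) policy group

    def evaluate(self, user, client_ip, host, port):
        """Return (group name, action) for an HTTPS request on the given port."""
        # Assumption: ports not monitored for HTTPS are not evaluated by the
        # Decryption Policies at all, so the connection is left untouched.
        if port not in self.monitored_ports:
            return ("unmonitored", PASS_THROUGH)
        for group in self.groups:
            if group.matches(user, client_ip, host):
                return (group.name, group.action)
        return ("default", self.default_action)

# Constructed example configuration (hypothetical names, hosts and subnets).
POLICIES = DecryptionPolicies(
    monitored_ports={443, 8443},
    groups=[
        PolicyGroup("BlockAnonymizers", DROP, hosts={"proxy.example.net"}),
        PolicyGroup("Banking", PASS_THROUGH, hosts={"bank.example.com"}),
        PolicyGroup("Engineering", DECRYPT, subnets=[ip_network("10.1.0.0/16")]),
    ],
    default_action=DECRYPT,
)
```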
When a client makes an HTTPS request on a monitored secure port, the appliance
compares the request to the Decryption Policy groups to determine in which
Decryption Policy group the request belongs. Once it assigns the request to a
Decryption Policy group, it can determine what to do with the connection request.
For more information about evaluating policy group membership, see
The appliance can perform any of the following actions on an HTTPS connection
request:
• Drop. The appliance drops the connection and does not pass the connection
request to the server. The appliance does not notify the user that it dropped
the connection. You might want to drop connections to third party proxies that
allow users on the network to bypass the organization’s acceptable use policies.
• Pass through. The appliance passes through the connection between the
client and the server without inspecting the traffic content. You might want to
pass through connections to trusted secure sites, such as well known banking
and financial institutions.
• Decrypt. The appliance allows the connection, but inspects the traffic
content. It decrypts the traffic and applies Access Policies to the decrypted
traffic as if it were a plaintext HTTP connection. By decrypting the
connection and applying Access Policies, you can scan the traffic for
malware. You might want to decrypt connections to third party email