Cisco Web Security Appliance S170 User Guide
CHAPTER 6: WORKING WITH POLICIES
POLICY GROUP MEMBERSHIP
All policy groups define which transactions apply to them. When a client sends a request to a
server, the Web Proxy receives the request, evaluates it, and determines to which policy group
it belongs. The Web Proxy applies the configured policy control settings to a client request
based on the client request’s policy group membership.
Transactions belong to a policy group for each type of policy that is enabled. If a policy type
has no user-defined policy groups, then each transaction belongs to the global policy group
for that policy type.
Policy group membership for Routing, Decryption, Access, Data Security, and External DLP
Policies is based on an Identity and optional additional criteria. That means that the Web
Proxy evaluates Identity groups before the other policy types. The Web Security appliance
allows you to define some membership criteria at either the Identity level or the non-Identity
policy level. For more information, see “Policy Group Membership Rules and Guidelines” on
page 115.
Suppose you define an Identity by subnet 10.1.1.0/24 and then create an Access Policy using
that Identity. The Access Policy membership applies to all IP addresses specified in the
Identity by default. You can then choose to configure the Access Policy membership so that it
applies to a subset of the addresses defined in the Identity, such as addresses 10.1.1.0-15.
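The evaluation order described above (Identity first, then the Access Policy and its optional narrower address range) can be modelled in a short Python sketch. This is an added example, not Cisco code or appliance configuration; the names Lab, LabAdmins, LabAll and "Global Access Policy" are constructed, and first-match ordering of the policy list is an assumption of the sketch.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

GLOBAL = "Global Access Policy"  # name is an assumption for this sketch

@dataclass(frozen=True)
class Identity:
    name: str
    subnet: str  # e.g. "10.1.1.0/24"

    def contains(self, client):
        return client in ipaddress.ip_network(self.subnet)

@dataclass(frozen=True)
class AccessPolicy:
    name: str
    identity: Identity
    subset: Optional[Tuple[str, str]] = None  # inclusive first/last address

    def __post_init__(self):
        # A subset can only narrow the Identity, never extend it.
        for addr in self.subset or ():
            if not self.identity.contains(ipaddress.ip_address(addr)):
                raise ValueError(f"{addr} is outside Identity {self.identity.name}")

    def matches(self, identity, client):
        if identity != self.identity:
            return False
        if self.subset is None:
            return True  # default: every address defined in the Identity
        first, last = map(ipaddress.ip_address, self.subset)
        return first <= client <= last

def classify(client_ip, identities, policies):
    """Return (identity name or None, access policy name) for one client."""
    client = ipaddress.ip_address(client_ip)
    # Identity groups are evaluated before the other policy types.
    identity = next((i for i in identities if i.contains(client)), None)
    for policy in policies:  # assumed: first matching group wins
        if identity is not None and policy.matches(identity, client):
            return identity.name, policy.name
    return (identity.name if identity else None), GLOBAL

# Constructed sample configuration mirroring the 10.1.1.0/24 example.
LAB = Identity("Lab", "10.1.1.0/24")
POLICIES = [AccessPolicy("LabAdmins", LAB, ("10.1.1.0", "10.1.1.15")),
            AccessPolicy("LabAll", LAB)]

if __name__ == "__main__":
    for ip in ("10.1.1.7", "10.1.1.16", "10.2.0.1"):
        print(ip, classify(ip, [LAB], POLICIES))
```
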
For more information about defining membership for each policy type, see the following sections:
Authenticating Users versus Authorizing Users
The Web Security appliance separates where it authenticates users from where it authorizes
users.
Authentication is the mechanism by which the Web Proxy securely identifies a user. It
answers the following questions:
• Who is the user?
• Is the user really whom he/she claims to be?
Authorization is the mechanism by which the Web Proxy determines the level of access the
user has to the World Wide Web. It answers the following questions:
• Is this user allowed to view this website?
• Is this user allowed to connect to this HTTPS server without the connection being
decrypted?