Cisco Cisco Web Security Appliance S380 Guida Utente
E V A L U A T I N G D A T A S E C U R I T Y A N D E X T E R N A L D L P P O L I C Y G R O U P M E M B E R S H I P
C H A P T E R 1 1 : D A T A S E C U R I T Y A N D E X T E R N A L D L P P O L I C I E S
219
E V A L U A T I N G D A T A S E C U R I T Y A N D E X T E R N A L D L P PO L I C Y G R O U P
M E M B E R S H I P
M E M B E R S H I P
Each client request is assigned to an Identity and then is evaluated against the other policy
types to determine which policy group it belongs for each type. The Web Proxy evaluates
upload requests
types to determine which policy group it belongs for each type. The Web Proxy evaluates
upload requests
against the Data Security and External DLP Policies.
The Web Proxy applies the configured policy control settings to a client request based on the
client request’s policy group membership.
client request’s policy group membership.
To determine the policy group that a client request matches, the Web Proxy follows a very
specific process for matching the group membership criteria. During this process, it considers
the following factors for group membership:
specific process for matching the group membership criteria. During this process, it considers
the following factors for group membership:
• Identity. Each client request either matches an Identity, fails authentication and is granted
guest access, or fails authentication and gets terminated. For more information about
evaluating Identity group membership, see “Evaluating Identity Group Membership” on
page 127.
evaluating Identity group membership, see “Evaluating Identity Group Membership” on
page 127.
• Authorized users. If the assigned Identity requires authentication, the user must be in the
list of authorized users in the Data Security or External DLP Policy group to match the
policy group. The list of authorized users can be any of the specified groups or users or
guest users if the Identity allows guest access.
policy group. The list of authorized users can be any of the specified groups or users or
guest users if the Identity allows guest access.
• Advanced options. You can configure several advanced options for Data Security and
External DLP Policy group membership. Some of the options (such as proxy port, and URL
category) can also be defined within the Identity. When an advanced option is configured
in the Identity, it is not configurable in the Data Security or External DLP Policy group
level.
category) can also be defined within the Identity. When an advanced option is configured
in the Identity, it is not configurable in the Data Security or External DLP Policy group
level.
The information in this section gives an overview of how the Web Proxy matches upload
requests to both Data Security and External DLP Policy groups. For more details about exactly
how the Web Proxy matches client requests, see “Matching Client Requests to Data Security
and External DLP Policy Groups” on page 219.
requests to both Data Security and External DLP Policy groups. For more details about exactly
how the Web Proxy matches client requests, see “Matching Client Requests to Data Security
and External DLP Policy Groups” on page 219.
The Web Proxy sequentially reads through each policy group in the policies table. It
compares the upload request status to the membership criteria of the first policy group. If they
match, the Web Proxy applies the policy settings of that policy group.
compares the upload request status to the membership criteria of the first policy group. If they
match, the Web Proxy applies the policy settings of that policy group.
If they do not match, the Web Proxy compares the upload request to the next policy group. It
continues this process until it matches the upload request to a user defined policy group, or if
it does not match a user defined policy group, it matches the global policy group. When the
Web Proxy matches the upload request to a policy group or the global policy group, it applies
the policy settings of that policy group.
continues this process until it matches the upload request to a user defined policy group, or if
it does not match a user defined policy group, it matches the global policy group. When the
Web Proxy matches the upload request to a policy group or the global policy group, it applies
the policy settings of that policy group.
Matching Client Requests to Data Security and External DLP Policy Groups
Figure 11-1 on page 220 shows how the Web Proxy evaluates an upload request against the
Data Security and External DLP Policy groups.
Data Security and External DLP Policy groups.