Cisco Cisco Web Security Appliance S170 ユーザーガイド
7-7
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 7 Policies
Policy Group Membership
Policy Group Membership
All policy groups define which transactions apply to them. When a client sends a request to a server, the
Web Proxy receives the request, evaluates it, and determines to which policy group it belongs. The Web
Proxy applies the configured policy control settings to a client request based on the client request’s
policy group membership.
Web Proxy receives the request, evaluates it, and determines to which policy group it belongs. The Web
Proxy applies the configured policy control settings to a client request based on the client request’s
policy group membership.
Transactions belong to a policy group for each type of policy that is enabled. If a policy type has no user
defined policy groups, then each transaction belongs to the global policy group for that policy type.
defined policy groups, then each transaction belongs to the global policy group for that policy type.
Policy group membership for a Routing, Decryption, Access, Data Security, and External DLP Policies
is based on an Identity and optional additional criteria. That means that the Web Proxy evaluates Identity
groups before the other policy types. The Web Security appliance allows you to define some membership
criteria at either the Identity level or the non-Identity policy level. For more information, see
is based on an Identity and optional additional criteria. That means that the Web Proxy evaluates Identity
groups before the other policy types. The Web Security appliance allows you to define some membership
criteria at either the Identity level or the non-Identity policy level. For more information, see
Suppose you define an Identity by subnet 10.1.1.0/24 and then create an Access Policy using that
Identity. The Access Policy membership applies to all IP addresses specified in the Identity by default.
You can then choose to configure the Access Policy membership so that it applies to a subset of the
addresses defined in the Identity, such as addresses 10.1.1.0-15.
Identity. The Access Policy membership applies to all IP addresses specified in the Identity by default.
You can then choose to configure the Access Policy membership so that it applies to a subset of the
addresses defined in the Identity, such as addresses 10.1.1.0-15.
For more information defining membership for each policy type, see the following sections:
•
•
•
•
•
Authenticating Users versus Authorizing Users
The Web Security appliance separates where it authenticates users from where it authorizes users.
Authentication is the mechanism by which the Web Proxy securely identifies a user. It answers the
following questions:
following questions:
•
Who is the user?
•
Is the user really whom he/she claims to be?
Authorization is the mechanism by which the Web Proxy determines the level of access the user has to
the World Wide Web. It answers the following questions:
the World Wide Web. It answers the following questions:
•
Is this user allowed to view this website?
•
Is this user allowed to connect to this HTTPS server without the connection being decrypted?
•
Is this user allowed to directly connect to the web server, or must it connect to another proxy server
first?
first?
•
Is this user allowed to upload this data?
The Web Proxy can only authorize a user to access an Internet resource after it authenticates who the
user is. The Web Proxy authenticates users when it evaluates Identity groups, and it authorizes users
when it evaluates all other policy group types. What that means is the Identity group indicates who is
making the request, but does not indicate whether that client is allowed to make the request.
user is. The Web Proxy authenticates users when it evaluates Identity groups, and it authorizes users
when it evaluates all other policy group types. What that means is the Identity group indicates who is
making the request, but does not indicate whether that client is allowed to make the request.