Cisco Web Security Appliance S170 User Guide
12-2
Cisco IronPort AsyncOS 7.5.7 for Web User Guide
Chapter 12 Decryption Policies
Decryption Policies Overview
• Secure anonymizing proxy. Some web servers offer a proxy service over an HTTPS connection that allows users to circumvent acceptable use policies. When users on the network use a secure proxy server outside the network, they can access any website, regardless of its web reputation or malware content.
The appliance uses both a URL filtering engine and Web Reputation Filters to make intelligent decisions
about when to decrypt HTTPS connections. With this combination, administrators and end users are not
forced to make a trade-off between privacy and security.
You can define HTTPS policies that determine if an HTTPS connection can proceed without examination
or whether the appliance should act as an intermediary, decrypting the data passing each way and
applying Access Policies to the data as if it were a plaintext HTTP transaction.
To configure the appliance to handle HTTPS requests, you must perform the following tasks:
1. Enable the HTTPS Proxy. To monitor and decrypt HTTPS traffic, you must first enable the HTTPS Proxy. For more information, see .
2. Create and configure Decryption Policy groups. Once the HTTPS Proxy is enabled, you can create and configure Decryption Policy groups to determine how to handle each request from each user. For more information, see .
3. Import custom root certificates (optional). Optionally, you can import one or more custom root certificates so the Web Proxy can recognize additional trusted root certificate authorities used by HTTPS servers. For more information, see .
Note
When the HTTPS Proxy is disabled, the Web Proxy passes through explicit HTTPS connections and it
drops transparently redirected HTTPS requests. The access logs contain the CONNECT requests for
explicit HTTPS connections, but no entries exist for dropped transparently redirected HTTPS requests.
This book uses many terms from digital cryptography. This book also includes sections with background information about HTTPS and digital cryptography for reference only. For a list of the terms and definitions used in this book, see . For an overview of the HTTPS protocol, see .
Note
Sections in this chapter that refer to a “certificate and key” imply a certificate and private key.
Decryption Policy Groups
Decryption Policies define how the appliance should handle HTTPS connection requests for users on the
network. You can apply different actions to specified groups of users. You can also specify which ports
the appliance should monitor for HTTPS transactions.
When a client makes an HTTPS request on a monitored secure port, the appliance compares the request to the Decryption Policy groups to determine in which Decryption Policy group the request belongs. Once it assigns the request to a Decryption Policy group, it can determine what to do with the connection request. For more information about evaluating policy group membership, see .
The appliance can perform any of the following actions on an HTTPS connection request:
• Drop. The appliance drops the connection and does not pass the connection request to the server. The appliance does not notify the user that it dropped the connection. You might want to drop connections to third-party proxies that allow users on the network to bypass the organization’s acceptable use policies.
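As an added illustration (not code from this guide or from the appliance), the following Python model ties together the behaviour described above: with the HTTPS Proxy disabled, explicit CONNECTs pass through and are logged while transparently redirected HTTPS is dropped without a log entry; with it enabled, only monitored ports are evaluated against Decryption Policy groups, and the first matching group decides the action. The group names, membership criteria, host names, user names and the assumed top-to-bottom, first-match ordering are constructed assumptions for the model.

```python
# Simplified model of how the appliance dispatches an HTTPS request: HTTPS
# Proxy on/off, monitored ports, then ordered Decryption Policy groups with
# first-match semantics. Added illustration, not the appliance's own code.
from dataclasses import dataclass
from typing import Callable

PASS_THROUGH, DECRYPT, DROP = "pass_through", "decrypt", "drop"

@dataclass
class Request:
    user: str       # authenticated user name (constructed values below)
    host: str       # destination host from the CONNECT request
    port: int       # destination port
    explicit: bool  # True = explicit CONNECT, False = transparent redirect

@dataclass
class PolicyGroup:
    name: str
    action: str
    member: Callable[[Request], bool]  # hypothetical membership criteria

def decide(req, proxy_enabled, monitored_ports, groups, default=DECRYPT):
    """Return (action, group_name, logged); logged = access-log entry written."""
    if not proxy_enabled:
        # HTTPS Proxy disabled: explicit CONNECTs pass through and are logged;
        # transparently redirected HTTPS is dropped and leaves no log entry.
        if req.explicit:
            return (PASS_THROUGH, None, True)
        return (DROP, None, False)
    if req.port not in monitored_ports:
        return (PASS_THROUGH, None, True)  # not a monitored secure port
    for g in groups:  # evaluated top to bottom; the first match wins
        if g.member(req):
            return (g.action, g.name, True)
    return (default, "default", True)

# Constructed policy: drop known anonymizing proxies, leave finance users'
# traffic unexamined, decrypt everything else on port 443.
GROUPS = [
    PolicyGroup("block-anon-proxies", DROP,
                lambda r: r.host.endswith(".anonproxy.example")),
    PolicyGroup("finance-passthrough", PASS_THROUGH,
                lambda r: r.user in {"alice", "bob"}),
]
MONITORED_PORTS = {443}

def evaluate(user, host, port, explicit=True, proxy_enabled=True):
    return decide(Request(user, host, port, explicit), proxy_enabled,
                  MONITORED_PORTS, GROUPS)
```

Note that a finance user reaching an anonymizing proxy is still dropped because the drop group is listed first; group order, not user privilege, decides the outcome.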