Cisco Web Security Appliance S370 User Guide
Chapter 11: Data Security and External DLP Policies
• Allow. The Web Proxy bypasses the rest of the Data Security Policy security service
scanning and then evaluates the request against the Access Policies before taking a final
action.
For IronPort Data Security Policies, Allow bypasses the rest of data security scanning, but
does not bypass External DLP or Access Policy scanning. The final action the Web Proxy
takes on the request is determined by the applicable Access Policy (or an applicable
external DLP Policy that may block the request).
• Monitor. The Web Proxy continues comparing the transaction to the other Data Security
Policy group control settings to determine whether to block the transaction or evaluate it
against the Access Policies.
For IronPort Data Security Policies, only the Block action is a final action that the Web Proxy
takes on a client request. A final action is an action that causes the Web Proxy to stop
comparing the transaction to all other control settings. The Monitor and Allow actions are
intermediary actions. In both cases, the Web Proxy evaluates the transaction against the
External DLP Policies (if configured) and Access Policies. The Web Proxy determines which
final action to apply based on the Access Policy group control settings (or an applicable
external DLP Policy that may block the request).
Figure 11-3 on page 226 shows the order that the Web Proxy uses when evaluating control
settings for IronPort Data Security Policies. The flow diagram shows that the only actions
applied to a transaction are the final actions: Block and evaluate against the Access Policies.
For more information on the possible Access Policy actions, see “Access Policy Groups” on
page 150. For more information on the Monitor action for Access Policies, see
“Understanding the Monitor Action” on page 151.
External DLP Policy Groups
To configure the Web Security appliance to handle upload requests on an external DLP
system, perform the following tasks:
1. Define an external DLP system. To pass an upload request to an external DLP system for
scanning, you must define at least one ICAP-compliant DLP system on the Web Security
appliance. Do this on the Network > External DLP Servers page. For more information,
see “Defining External DLP Systems” on page 229.
2. Create and configure External DLP Policy groups. After an external DLP system is
defined, you create and configure External DLP Policy groups to determine which upload
requests to send to the DLP system for scanning.
When an upload request matches an External DLP Policy, the Web Proxy sends the upload
request to the DLP system using the Internet Content Adaptation Protocol (ICAP) for scanning.
The DLP system scans the request body content and returns a block or allow verdict to the
Web Proxy. The allow verdict is similar to the Allow action for IronPort Data Security Policies
in that the upload request will be compared to the Access Policies. The final action the Web
Proxy takes on the request is determined by the applicable Access Policy.
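The evaluation order described in this section can be modeled in a few lines. The following is an added illustration, not Cisco code or appliance configuration; the control-setting names, the function names, and the treatment of the Access Policy result as an opaque string are assumptions. It shows that Block is the only final action at the Data Security stage, and that an Allow there can still end in a block from an External DLP Policy or an Access Policy.

```python
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    MONITOR = "monitor"
    BLOCK = "block"

def data_security_stage(settings):
    """Walk the Data Security control settings in order.

    Returns ("block", trace) or ("continue", trace); trace lists the
    settings that were actually compared against the transaction.
    """
    trace = []
    for name, action in settings:
        trace.append(name)
        if action is Action.BLOCK:
            return "block", trace      # the only final action at this stage
        if action is Action.ALLOW:
            break                      # skips the remaining data security settings only
        # Action.MONITOR: keep comparing against the next setting
    return "continue", trace

def evaluate_upload(settings, external_dlp_verdict, access_policy_action):
    """Return (final_action, deciding_stage, trace).

    external_dlp_verdict: "block", "allow", or None when no External DLP
    Policy is configured. access_policy_action: result of the applicable
    Access Policy, kept as an opaque string in this model.
    """
    result, trace = data_security_stage(settings)
    if result == "block":
        return "block", "data-security", trace
    if external_dlp_verdict == "block":
        return "block", "external-dlp", trace
    return access_policy_action, "access-policy", trace

if __name__ == "__main__":
    # Constructed control settings; the names are placeholders.
    cases = [
        ([("control_1", Action.MONITOR), ("control_2", Action.BLOCK)], None, "allow"),
        ([("control_1", Action.ALLOW), ("control_2", Action.BLOCK)], "block", "allow"),
        ([("control_1", Action.ALLOW)], "allow", "block"),
    ]
    for settings, dlp, access in cases:
        print(evaluate_upload(settings, dlp, access))
```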