User Guide for Cisco Web Security Appliance S170
Cisco IronPort AsyncOS 7.7.5 for Web User Guide
Chapter 7 Policies
Block Versus Allow Decisions
The Web Security appliance is permissive by default. That is, requests are allowed unless specifically
blocked in a policy group.
File Types
AsyncOS first looks at information in file headers to identify file types. If warranted, it then scans the
file. If a header identifies a file as one type, for example a PDF, and then through scanning AsyncOS
determines that the file is actually of another type, for example, an executable, AsyncOS blocks the
transaction even if the actual file type is allowed by policy. It does this because the misidentification of
file types indicates a possible security threat.
Policy Types
The Web Security appliance uses multiple types of policies to enforce organizational policies and
requirements.
• Identities. “Who are you?”
• Decryption Policies. “To decrypt or not to decrypt?”
• Routing Policies. “From where to fetch content?”
• Access Policies. “To allow or block the transaction?”
• Cisco IronPort Data Security Policies. “To block the upload of data?” Cisco IronPort Data
Security Policies actions are defined on the Web Security appliance.
• External DLP (data loss prevention) Policies. “To block the upload of data?” External DLP
Policies actions are defined on an external DLP appliance.
• Outbound Malware Scanning Policies. “To block the upload of malicious data?”
• SaaS Application Authentication Policies. “To allow this user access to the SaaS application?”
You use the policies together to create the behavior you need or expect when clients access the web.
To define policies, you create policy groups. After you create policy groups, you can define the control
settings for each group. For more information about working with policy groups, see
.
All policy types have a global policy group that maintains default settings and rules that apply to web
transactions not covered by another policy. For more information on global policies, see
.
| Policy | File Type (identified by header) | File Type (determined by scanning) | Result |
|---|---|---|---|
| Block file-type X | X | N/A (file not scanned) | Block |
| Allow file-type X | X | X | Allow |
| Allow file-type X and Allow file-type Y | X | Y | Block |
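The File Types rule and its three table rows can be modeled as follows. This is an added example, not code from Cisco or AsyncOS. The function names, the type labels, and the use of a leading-bytes signature check to stand in for the scanning step are assumptions; the guide does not say how AsyncOS scans.

```python
# Added illustration of the header-versus-scan decision; not AsyncOS code.
# Assumption: "scanning" is stood in for by a check of leading byte signatures.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"MZ", "executable"),        # Windows PE
    (b"\x7fELF", "executable"),   # Linux ELF
    (b"PK\x03\x04", "zip"),
]


def scan_type(body: bytes):
    """Return the type found in the content, or None if no signature matches."""
    for signature, name in SIGNATURES:
        if body.startswith(signature):
            return name
    return None


def decide(blocked_types: set, header_type: str, body: bytes):
    """Return (verdict, reason) for one transaction.

    blocked_types: file types a policy group blocks. Everything else is
    allowed, matching the permissive default described in the guide.
    header_type: the type the header identifies.
    """
    # Table row 1: the header type is blocked, so the file is never scanned.
    if header_type in blocked_types:
        return ("block", "header type blocked by policy")

    scanned = scan_type(body)
    # Table row 3: header and scan disagree. The transaction is blocked even
    # when the scanned type is itself allowed, because the mismatch is the signal.
    # Assumption: an unrecognized body (scanned is None) is not a mismatch.
    if scanned is not None and scanned != header_type:
        return ("block", f"header says {header_type}, scan says {scanned}")

    # Table row 2: the types agree and nothing blocks them.
    return ("allow", "types agree and are not blocked")


if __name__ == "__main__":
    # Constructed sample transactions, one per table row.
    print(decide({"executable"}, "executable", b"MZ\x90\x00"))
    print(decide(set(), "pdf", b"%PDF-1.7\n"))
    print(decide(set(), "pdf", b"MZ\x90\x00"))
```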