Cisco Cisco Web Security Appliance S170 用户指南
7-2
Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 7 Policies
Block Versus Allow Decisions
Related topics
•
.
•
•
Block Versus Allow Decisions
The Web Security appliance is permissive by default. That is, requests are allowed unless specifically
blocked in a policy group.
blocked in a policy group.
File Types
AsyncOS first looks at information in file headers to identify file types. If warranted, it then scans the
file. If a header identifies a file as one type, for example a PDF, and then through scanning AsyncOS
determines that the file is actually of another type, for example, an executable, AsyncOS blocks the
transaction even if the actual file type is allowed by policy. It does this because the misidentification of
file types indicates a possible security threat.
file. If a header identifies a file as one type, for example a PDF, and then through scanning AsyncOS
determines that the file is actually of another type, for example, an executable, AsyncOS blocks the
transaction even if the actual file type is allowed by policy. It does this because the misidentification of
file types indicates a possible security threat.
Policy Types
The Web Security appliance uses multiple types of policies to enforce organizational policies and
requirements.
requirements.
•
Identities. “Who are you?”
•
Decryption Policies. “To decrypt or not to decrypt?”
•
Routing Policies. “From where to fetch content?”
•
Access Policies. “To allow or block the transaction?”
•
Cisco IronPort Data Security Policies. “To block the upload of data?” Cisco IronPort Data
Security Policies actions are defined on the Web Security appliance.
Security Policies actions are defined on the Web Security appliance.
•
External DLP (data loss prevention) Policies. “To block the upload of data?” External DLP
Policies actions are defined on an external DLP appliance.
Policies actions are defined on an external DLP appliance.
•
Outbound Malware Scanning Policies. “To block the upload of malicious data?”
•
SaaS Application Authentication Policies. “To allow this user access to the SaaS application?”
You use the policies together to create the behavior you need or expect when clients access the web.
Policy
File Type
(identified by header)
(identified by header)
File Type
(determined by scanning)
(determined by scanning)
Result
Block file-type X
X
N/A (file not scanned)
Block
Allow file-type X
X
X
Allow
Allow file-type X and
Allow file-type Y
Allow file-type Y
X
Y
Block