Cisco Web Security Appliance S690 User Guide
IronPort AsyncOS 6.3 for Web User Guide
Data Security and External DLP Policies Overview
In the Information Age, your organization’s data is one of its most prized possessions. Your
organization spends a lot of money making data available to your employees, customers, and
partners. Data is always on the move, traveling over the web and email. This increased
access challenges information security professionals to figure out how to prevent the
malicious, accidental, or unintentional loss of sensitive and proprietary information.
The IronPort Web Security appliance secures your data by providing the following
capabilities:
• IronPort Data Security Filters. The IronPort Data Security Filters on the Web Security
appliance evaluate data leaving the network over HTTP, HTTPS, and FTP to control what
data goes where, how, and by whom.
• Third-party data loss prevention (DLP) integration. The Web Security appliance integrates
with leading third-party content-aware DLP systems that identify and protect sensitive
data. The Web Proxy uses the Internet Content Adaptation Protocol (ICAP), which is a
lightweight HTTP-based protocol that allows proxy servers to offload content scanning to
external systems. By offloading the content scanning to dedicated external systems, the
Web Proxy can take advantage of the deep content scanning in other products while
being free to perform other Web Proxy functions with minimal performance impact.
By working with the IronPort Data Security Filters and external DLP systems, the Web Security
appliance allows you to protect information and intellectual property and enforce regulatory
and organization compliance by preventing users from unintentionally uploading sensitive
data. You define what kind of data is allowed to leave the network.
To restrict data that is leaving the network, the Web Security appliance provides the following
types of policy groups:
• IronPort Data Security Policies. When you enable the IronPort Data Security Filters, you
can create IronPort Data Security Policies to enforce business policies. For example, you
can create a Data Security Policy that prevents users from sending out Excel or zip files.
For more information, see “Data Security Policy Groups” on page 216.
• External DLP Policies. When you configure the appliance to work with an external DLP
system, you can create External DLP Policies to pass data leaving the network to the
external DLP system, which scans the content and determines whether or not to block the
request. For more information, see “External DLP Policy Groups” on page 217.
Depending on your organization’s needs, you might want to use both Data Security and
External DLP Policies. For example, you might use the IronPort Data Security Policies to block
data uploads to websites with a low reputation score. This way, the data is never sent to the
external DLP system for a deep content scan, which improves overall performance.
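The ICAP hand-off to an external DLP system described above can be sketched as follows. This is an added example, not code from the appliance or from Cisco: it frames an upload as an ICAP REQMOD message (RFC 3507) and maps the DLP server's reply to a proxy decision. The host `dlp.example.internal`, the service path `reqmod`, and all sample messages are constructed assumptions.

```python
# Added example: ICAP REQMOD framing per RFC 3507. Host, service path and all
# messages below are constructed for illustration, not taken from the appliance.
CRLF = b"\r\n"

def build_reqmod(icap_host, service, http_head, http_body):
    """Wrap one outbound HTTP request in an ICAP REQMOD message."""
    if not http_head.endswith(CRLF * 2):
        raise ValueError("HTTP header block must end with a blank line")
    # Encapsulated offsets are byte positions within the ICAP message body.
    part = "req-body" if http_body else "null-body"
    icap_head = CRLF.join([
        f"REQMOD icap://{icap_host}/{service} ICAP/1.0".encode(),
        f"Host: {icap_host}".encode(),
        b"Allow: 204",  # lets the server answer 204 instead of echoing the request
        f"Encapsulated: req-hdr=0, {part}={len(http_head)}".encode(),
    ]) + CRLF * 2
    chunked = b""
    if http_body:  # the encapsulated body is always chunk-encoded
        chunked = b"%x" % len(http_body) + CRLF + http_body + CRLF + b"0" + CRLF * 2
    return icap_head + http_head + chunked

def parse_verdict(icap_response):
    """Map the DLP server's ICAP reply to the proxy's decision."""
    head, _, body = icap_response.partition(CRLF * 2)
    lines = head.split(CRLF)
    status_line = lines[0].split(None, 2)
    if len(status_line) < 2 or not status_line[0].startswith(b"ICAP/"):
        raise ValueError("not an ICAP response")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(b":") for ln in lines[1:])}
    status = int(status_line[1])
    if status == 204:
        return "allow"  # request may go upstream unchanged
    if status != 200:
        return "error"  # proxy policy decides: fail open or fail closed
    if headers.get(b"encapsulated", b"").startswith(b"res-hdr"):
        # Server substituted an HTTP response for the request: upload is blocked.
        return "block: " + body.split(CRLF, 1)[0].decode("latin-1")
    return "allow-modified"  # server returned a rewritten request to forward

# Constructed sample upload and constructed DLP server replies.
UPLOAD_HEAD = (b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\n"
               b"Content-Length: 16\r\n\r\n")
UPLOAD_BODY = b"acct=4111-sample"
ALLOW = b'ICAP/1.0 204 No Content\r\nISTag: "dlp-1"\r\n\r\n'
BLOCK = (b'ICAP/1.0 200 OK\r\nISTag: "dlp-1"\r\n'
         b"Encapsulated: res-hdr=0, res-body=45\r\n\r\n"
         b"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n7\r\nBlocked\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod("dlp.example.internal", "reqmod", UPLOAD_HEAD, UPLOAD_BODY).decode())
    print(parse_verdict(ALLOW), "|", parse_verdict(BLOCK))
```

The `error` branch is where a deployment has to choose between failing open (uploads pass when the DLP server is unavailable) and failing closed.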
Bypassing Upload Requests Below a Minimum Size
Many websites are interactive, meaning users send data as well as receive data. Users might
send data when logging into a website or sending simple form data. A lot of web traffic can