Professional Documents
Culture Documents
Policy Best Practices
Policy Best Practices
Policy Construct
Express Separate Decisions in Separate Layers
As policy grows and becomes more complex, maintenance becomes a signicant issue. Maintenance will be easier if the logic for each aspect of a policy is separate and distinct. Try to make policy decisions as independent as possible, and express each policy in one layer or two adjacent layers.
;Default policy is DENY dene subnet corporate_subnet 10.10.12.0/24 end ;First, explicitly allow access to only our users <proxy> client.address=corporate_subnet ALLOW ;Next, impose any authentication requirements (all access must be authenticated) <proxy> authenticate(corp_realm) ;Next, begin to exclude specic types of requests <proxy> url.domain=playboy.com DENY category=(gambling, hacking, chat) \ exception(content_lter_denied)
;Default policy is ALLOW dene condtion corporate_buddies im.buddy_id=billBCSI im.buddy_id=chrisBCSI . im.buddy_id=wendyBCSI end ;Impose any authentication requirements (all access must be authenticated) <proxy> authenticate(corp_realm) ;Next, apply general rules to specic types of requests <proxy> streaming.content=yes max_bitrate(56k) im.buddy_id=!corporate_buddies im.strip_ attachments(yes) ;Next, create bitrate exceptions to the layers above <proxy> group=executives max_bitrate(256k) group=marketing max_bitrate(156k) ;Next, create im attachment exceptions to the layers above <proxy> group=public_relations im.strip_attachments(no)
Ordering of Layers
Blue Coat policy supports several types of layers. If you are using the Visual Policy Manager (VPM), the layers are labeled with logical descriptions and the ordering of the layers displayed in the Policy layer selection menu reects the preferred ordering of the layers in policy. If you are writing CPL, the equivalent layer types are shown below:
Layer type <admin> <admin> <dns-proxy> <proxy> <ssl-intercept> <ssl> <proxy> <proxy> <cache> <forward> Logical Implementation Admin Authentication Layer Admin Access Layer DNS Access Layer SOCKS Authentication Layer SSL Intercept Layer SSL Access Layer Web Authentication Layer Web Access Layer Web Content Layer Forwarding Layer
Policy Integrity
Understand the Implications of Using the ALLOW Action
While most administrators are very comfortable using the ALLOW action, many do not fully understand the
affect that it can have on policy. Specically, the ALLOW action, depending on where it is being used in policy, can unintentionally reverse a previous denial that the administrator did not intend to reverse. For example, an administrator may create a rule indicating that a particular group of users is allowed to access sports sites. If this is achieved by creating a policy rule with the ALLOW action, it could unintentionally allow a request that perhaps would have been denied based on some other criteria characteristic of the request for example, that it was an executable download. The best way to avoid using the ALLOW action is to arrange your policy in the following way instead of having 2 layers one with the general rule and another with the exceptions create one layer in which the rules are arranged so that the exception group never matches on the original action at all. Since a layer will evaluate only until the request matches a rule, matching a condition (even one with no action) is still a match. Policy rules with no action are legal syntax, but for those who nd that it makes the policy harder to read, the OK action can be used. Example In this example, the administrator intended the third layer to allow users to go to sports sites. But actually, it is also allowing them to download executables. In the preferred implementation, by placing both the client rule and the category rule in the same layer, and replacing the ALLOW with an OK (no action), the rules can be ordered so that clients in the indicated subnet result in a match before the content-ltering category condition is evaluated. Because the match has no action and the ALLOW action was not applied to those users, no previous DENY actions are reversed.
TYPICAL IMPLEMENTATION <proxy> url.extension=.exe DENY <proxy> category=(sports) exception(content_filter_denied) <proxy> client.address=192.168.15.252/30 ALLOW PREFERRED IMPLEMENTATION <proxy> url.extension=.exe DENY <proxy> client.address=192.168.15.252/30 OK category=(sports) exception(content_filter_denied)
In this case, a better policy implementation would be to replace DENY with FORCE_DENY, which results in the immediate denial of any clients not in the my_users subnet. This prevents unnecessary processing of the users request a category lookup and server-side request in this particular example. Similarly, using force_exception( ) instead of exception( ) in the second layer will result in users in the my_users subnet being immediately denied if they attempt to access pornography or gambling sites instead of the request continuing evaluation in layer three. This prevents an unnecessary server-side request to determine which error page to present to the user. In this particular example, since the executable condition is the last rule in the policy, a force_exception( ) in layer three will not change the behavior of policy. If there was additional policy, however, you would also want to use force_exception( ) in layer three to ensure that executables of non-approved applications are immediately denied with the indicated exception.
TYPICAL IMPLEMENTATION define subnet my_users 10.0.0.0/8 192.168.0.0/16 end <proxy> client.address=!my_users DENY <proxy> category=(pornography, gambling) exception(content_filter_denied) <proxy> condition=executable condition=!approved_application \ exception(user_ defined.too_risky) PREFERRED IMPLEMENTATION define subnet my_users 10.0.0.0/8 192.168.0.0/16 end <proxy> client.address=!my_users FORCE_DENY <proxy> category=(pornography, gambling) force_exception(content_filter_denied) <proxy> condition=executable condition=!approved_application \ exception(user_ defined.too_risky)
Policy Optimization
Note: Using the Visual Policy Manager (VPM) versus Content Policy Language (CPL)
The VPM was designed to provide a user-friendly way for administrators to quickly create and install policy. While the VPM is the preferred method of conguring policy for most administrators, due to its ease of use, it currently supports only a subset of the functionality available through policy. For the recommendations in this section, the VPM can be used to implement the CPL policy that is provided. For implementing policy not available in the VPM, administrators can choose to convert their VPM policy into CPL and maintain only a local (CPL) policy le, or they can choose to maintain two separate policy les the VPM le for general policy, and the local (CPL) le for layers and/or rules that require syntax not available in the VPM. Some administrators nd that once they become more familiar with CPL syntax, they prefer writing CPL instead of nding the userfriendly equivalent in the VPM.
Note that in the previous examples, it is assumed that the URL scheme (http, https, etc) is irrelevant in the decision to deny and is thus not included in the preferred syntax column. Administrators often include the URL scheme when placing URLs in policy but often dont intend to limit the rule strictly to HTTP (for example). If the URL scheme is a requirement, the url.scheme= condition should be used.
Example 2 define category Depending on your default policy and whether you have implemented content ltering, administrators often create blacklists or whitelists of domains or URLs. Instead of listing these as individual policy rules, the define category denition should be used. Using the define category denition will result in more optimized policy, and often, policy that can be better managed. If multiple domain or URL rules are being evaluated and the same action is being triggered for each match, use of the define category denition is preferred.
TYPICAL IMPLEMENTATION <proxy> url.domain=etrade.com OK url.domain=nyse.com OK url.domain=stocktrader.com OK url.domain=scottrade.com OK category=(brokerage/trading) exception(content_filter_denied) OPTIMIZED IMPLEMENTATION define category exception_sites etrade.com nyse.com stocktrader.com scottrade.com end <proxy> category=exception_sites OK category=(brokerage/trading) exception(content_filter_denied)
Note: Layer guards are supported only in the VPM of SGOS 5.2 and higher. All SGOS versions support layer guards in CPL.
Corporate Headquarters
EMEA Headquarters
Hampshire, UK // +44.1252.554600
APAC Headquarters
Copyright 2009 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat, ProxySG, PacketShaper, ProxyClient and BlueSource are registered trademarks of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. v.TB-POLICYBP-v4-0309