PolicyBestPractises.ppt


SOFT-TRONIK, a.s.
ProxySG’s Policy
Michal Červinka
Pre-sales SE
Construction - Policy Files
• VPM
– created via Visual Policy Manager
• Local Policy File
– manually created CPL
• Central Policy File
– global setting managed by BCSI by default
• Forwarding Policy File
– forwarding rules (for backward compatibility only)
Evaluated in THIS order by default …
Construction - Policy Layers
Preferred ordering (layers are evaluated sequentially):
• Admin Authentication Layer – <admin>
• Admin Access Layer – <admin>
• DNS Access Layer – <dns-proxy>
• SOCKS Authentication Layer – <proxy>
• SSL Intercept Layer – <ssl-intercept>
• SSL Access Layer – <ssl>
• Web Authentication Layer – <proxy>
• Web Access Layer – <proxy>
• Web Content Layer – <cache>
• Forwarding Layer – <forward>
Construction – Design of Layers
• Separate decisions in separate layers
• Start with general, proceed to more specific
• Remember the default policy
– ALLOW usually for app acceleration
– DENY typical for security GW
Construction - Policy Rules
• Rules evaluation
– reflects order within the layer
– „first match“ model
• Design rule
– go from specific to general
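The two design rules above (general to specific across layers, specific to general within a layer, with the default policy in mind) written out as a small Local Policy File. This is an added example, not a slide from the deck; the subnet 10.0.0.0/8, the realm name corp_ldap, the group Engineering and the example.internal hosts are constructed placeholders.

```cpl
; Added example (not from the original deck). Subnet, realm, group and
; host names are constructed placeholders.

; Layer 1 - the general decision: who has to authenticate.
; Layers run in order, so the broad rule sits in the earliest layer.
<Proxy>
    client.address=10.0.0.0/8 authenticate(corp_ldap)

; Layer 2 - the more specific decision: what authenticated users may reach.
; Rules inside a layer are "first match", so the most specific rule
; (one host) is listed before the broader ones (a whole domain).
<Proxy>
    url.host=intranet.example.internal allow
    url.domain=example.internal group=Engineering allow
    url.domain=example.internal deny
    ; No catch-all rule here: this is a security gateway, so the default
    ; policy is DENY and any request not matched above is refused.
```

Conditions on one rule line are ANDed (the second rule requires both the domain and the group), and the decision of the later layer is the one that stands, which is why the broad authentication layer can safely precede the access layer.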
Integrity – ALLOW vs. OK
• ALLOW can reverse a previous denial
• OK action available as „empty“ action
Integrity – DENY vs. FORCE DENY
• DENY can be overridden by a later ALLOW
• FORCE_DENY terminates further policy evaluation
• The same for exception vs. force_exception
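The difference between a reversible denial and a terminating one, shown across four layers. This is an added example rather than content from the deck; the domains social.example and malware.example and the subnet 10.20.0.0/16 are constructed placeholders, and policy_denied is the built-in exception used by the default deny response.

```cpl
; Added example (not from the original deck). Domains and subnet are
; constructed placeholders.

; Layer A - a broad denial. A plain "deny" is NOT final: a later layer
; can still allow the same request.
<Proxy>
    url.domain=social.example deny

; Layer B - a later, more specific layer reverses the denial for one
; subnet. This is the "ALLOW can reverse a previous denial" case.
<Proxy>
    url.domain=social.example client.address=10.20.0.0/16 allow

; Layer C - force_deny / force_exception terminate policy evaluation for
; the matching request, so no later layer can allow it.
<Proxy>
    url.domain=malware.example force_deny
    url.host=phish.example force_exception(policy_denied)

; Layer D - this allow would reverse a plain deny, but it is never reached
; for requests already stopped by Layer C.
<Proxy>
    url.domain=malware.example allow
    url.host=phish.example allow
```

Checking the result in the policy trace is the quick way to confirm which layer produced the final verdict: for social.example from 10.20.0.0/16 the trace ends at Layer B with allow, for malware.example it ends at Layer C.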
Optimization
• Try to avoid regular expressions
– they are too CPU-intensive
Optimization
• Place rules most likely to match at the beginning of the layer
• Place like conditions together within the layer
– let the compiler optimize
Optimization
• Use subnets when possible
– or group by „define subnet“ definition
Optimization
• Use definitions to minimize the number of rules
Optimization
• Select the Appropriate URL Condition
Optimization
• Use Layer Guards
– to prevent layers from being evaluated unnecessarily
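The optimization points from the slides above (avoid regular expressions, order rules by likelihood, group like conditions, use subnet and condition definitions, pick the appropriate URL condition, add a layer guard) applied in one layer. This is an added example, not the deck's own policy; the RFC 1918 ranges, the domain names and the definition names internal_nets and blocked_domains are constructed for illustration.

```cpl
; Added example (not from the original deck). Ranges, domains and the
; definition names are constructed.

; Definitions: one subnet definition instead of one rule per range.
define subnet internal_nets
    10.0.0.0/8
    172.16.0.0/12
    192.168.0.0/16
end

; Like conditions grouped in one definition let the compiler optimize them
; as a single test. url.domain= is the appropriate condition for a whole
; domain and its subdomains; a url.regex= doing the same job costs far more CPU.
define condition blocked_domains
    url.domain=ads.example
    url.domain=tracker.example
    url.domain=social.example
end

; Layer guard: the condition after the layer header is tested once. If it
; fails, the whole layer is skipped instead of every rule being evaluated.
<Proxy> client.address=internal_nets
    ; Most likely match first: the bulk of traffic is ordinary browsing,
    ; so the cheap domain test is evaluated before anything else.
    condition=blocked_domains deny
    ; url.extension= is the appropriate condition for a file type; no
    ; regex such as url.regex="\.exe$" is needed.
    url.extension=exe deny
    ; url.path= is a prefix test, so it replaces url.path.regex="^/cgi-bin/".
    url.path=/cgi-bin/ deny
    allow

; Requests from outside internal_nets never enter the guarded layer; on a
; security gateway they fall through to the default policy (DENY).
```

Because the guard is evaluated once per transaction, moving it onto the layer header is cheaper than repeating `client.address=internal_nets` on each of the four rules, and it keeps the rules themselves short enough to read at a glance.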
Michal Červinka
Pre-sales SE
[email protected]
SOFT-TRONIK, a.s.
Ostrava
Tvorkovských 5
709 00 Ostrava - Mariánské Hory
tel.: +420 597 488 811
fax: +420 596 622 486
Praha
Nagano Office and Technology Park,
Nagano III
U nákladového nádraží 10
130 00 Praha 3
tel: +420 266 109 211
fax: +420 283 840 236
www.soft-tronik.cz