SOFT-TRONIK, a.s.
ProxySG's Policy
Michal Červinka, Pre-sales SE
Construction - Policy Files
• VPM – created via Visual Policy Manager
• Local Policy File – manually created CPL
• Central Policy File – global settings, managed by BCSI by default
• Forwarding Policy File – forwarding rules (for backward compatibility only)
Evaluated in THIS order by default …
Construction - Policy Layers
• <admin> Admin Authentication Layer
• <admin> Admin Access Layer
• <dns-proxy> DNS Access Layer
• <proxy> SOCKS Authentication Layer
• <ssl-intercept> SSL Intercept Layer
• <ssl> SSL Access Layer
• <proxy> Web Authentication Layer
• <proxy> Web Access Layer
• <cache> Web Content Layer
• <forward> Forwarding Layer
Preferred ordering; layers are evaluated sequentially
Construction – Design of Layers
• Separate decisions in separate layers
• Start with general, proceed to more specific
• Remember the default policy
  – ALLOW is usual for application acceleration
  – DENY is typical for a security gateway
Construction - Policy Rules
• Rule evaluation
  – reflects the order within the layer
  – "first match" model
• Rule design
  – go from specific to general
Integrity – ALLOW vs. OK
• ALLOW can reverse a previous denial
• OK action available as an "empty" action
Integrity – DENY vs. FORCE DENY
• DENY can be overridden by a later ALLOW
• FORCE_DENY terminates further policy evaluation
• The same holds for exception vs. force_exception
Optimization
• Try to avoid regular expressions
  – they are too CPU-intensive
• Place rules most likely to match at the beginning of the layer
• Place like conditions together within the layer
  – let the compiler optimize
• Use subnets when possible
  – or group them with a "define subnet" definition
• Use definitions to minimize the number of rules
• Select the appropriate URL condition
• Use layer guards
  – to prevent layers from being evaluated unnecessarily
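A short CPL fragment, added here as an illustration and not taken from the deck, that puts the preceding points together: a subnet definition, a condition definition, a layer guard, specific-before-general ordering, and force_deny beside a plain deny that a later layer's allow reverses. All names, addresses and domains are constructed.

```cpl
; Added example, not from the presentation. All names/addresses are constructed.

; Definitions keep the rule count down and let the compiler optimize lookups.
define subnet internal_nets
  10.0.0.0/8
  192.168.0.0/16
end

; Pick the right URL condition: url.host= matches one host exactly,
; url.domain= matches the domain and its subdomains, url.regex= costs CPU.
define condition blocked_sites
  url.domain=malware.example
  url.domain=phishing.example
end

; Layer guard: clients outside internal_nets skip this whole layer,
; so none of its rules are evaluated for them.
<proxy> client.address=internal_nets
  ; First match wins inside a layer: specific and frequently matching
  ; rules go first.
  condition=blocked_sites force_deny   ; ends evaluation; no later ALLOW can reverse it
  url.domain=intranet.example allow
  ; General rule last: a plain deny can still be overridden by a later layer.
  url.scheme=ftp deny

; Later layer: ALLOW reverses the plain deny above for one admin subnet only.
; Requests already hit by force_deny never reach this layer.
<proxy>
  url.scheme=ftp client.address=192.168.10.0/24 allow
```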
Michal Červinka, Pre-sales SE
[email protected]
SOFT-TRONIK, a.s.
Ostrava: Tvorkovských 5, 709 00 Ostrava - Mariánské Hory, tel.: +420 597 488 811, fax: +420 596 622 486
Praha: Nagano Office and Technology Park, Nagano III, U nákladového nádraží 10, 130 00 Praha 3, tel.: +420 266 109 211, fax: +420 283 840 236
www.soft-tronik.cz