ProxySG Policy best practices


PROXYSG POLICY BEST PRACTICES
Thank you for joining today’s Blue Coat
Customer Support Technical Webcast!
• The Webcast will begin just a minute or so after the top of the hour to
allow today’s very large audience sufficient time to join
• You may join the teleconference through the numbers provided in
your invite, or listen through your computer speakers
• Audio broadcast will go live when the Webcast begins
• The Presentation will run approximately 60 minutes
• There will be a 30-minute Q/A session thereafter
• Please submit questions using the Webex Q/A feature!
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
PROXYSG
POLICY BEST PRACTICES
BRENT “BUCKY” BALDWIN
Sr. Consultant, Professional Services
June 24, 2014
AGENDA
• Policy Construct
• Policy Integrity
• Policy Optimization
• Q&A
POLICY CONSTRUCT
The building blocks to policy
POLICY CONSTRUCT
OVERVIEW
Blue Coat Policy is:
• Subjective
• Powerful
• Flexible
• CPL (Content Policy Language)
• VPM (Visual Policy Manager)
• Hybrid
POLICY CONSTRUCT
GENERAL GUIDELINES
Express Separate Decisions in Separate Layers
• Keep policy logic separate & distinct
• One Layer
• Adjacent Layers
POLICY CONSTRUCT
DISTINCT LAYERS
POLICY CONSTRUCT
THE MODEL
Be Consistent With The Model
• Default Blue Coat Policy aligns with the corporate security policy
  • ALLOW – easier to implement
  • DENY – where security is more important (e.g. government or banking)
• Global deny list
• Global allow list
• Model policy: general rules, then exceptions
POLICY CONSTRUCT
EXAMPLE
;Default Policy is DENY
define subnet corporate_subnet
10.1.1.0/24
end
;First, explicitly allow access to only our users
<proxy "Web Access">
client.address=corporate_subnet ALLOW
;Next, impose any authentication requirements
<proxy "Web Auth">
authenticate(corp_realm)
;Next, begin to exclude specific types of requests
<proxy "Web Filter">
url.domain=playboy.com DENY
category=(gambling, hacking, games) exception(content_filter_denied)
;Next, begin exceptions to the general rule
<proxy "Restricted Access">
group=(execs, managers) url.domain=fantasyfootball.com ALLOW
POLICY CONSTRUCT
POLICY OPTIONS
POLICY CONSTRUCT
ORDERING OF LAYERS
Layer Type        Logical Implementation
<admin>           Admin Authentication Layer
<admin>           Admin Access Layer
<dns-proxy>       DNS Access Layer
<proxy>           SOCKS Authentication Layer
<ssl-intercept>   SSL Intercept Layer
<ssl>             SSL Access Layer
<proxy>           Web Authentication Layer
<proxy>           Web Access Layer
<cache>           Web Content Layer
<forward>         Forwarding Layer
POLICY CONSTRUCT
LAYER NAMING
<proxy "Corp Web Filter">
url.domain = competitor.com Deny
category=(Gambling) Deny
POLICY CONSTRUCT
TRIGGERS AND ACTIONS
Allow/Deny
Trace
Force_Deny
Exception
POLICY CONSTRUCT
COMMON HTTP TRIGGERS
URL components: Protocol, Host, Port, Path, File, Extension, Query
http://www.support.blah.com:80/path.path_path/demo_file.html?sess=1234
Conditions that match each component:
url.scheme=
url.host=
url.port=
url.host.regex=
url.path=
url.query=
url.path.regex=
url.query.regex=
url.address=
url.extension=
url.domain=
url=
url.regex=
POLICY INTEGRITY
Best practices for maintenance and operational excellence
POLICY INTEGRITY
RULE EVALUATION IN LAYERS
POLICY INTEGRITY
ACTIONS
• Allow
• OK
• Deny
• Force Deny
POLICY INTEGRITY
ALLOW VS OK
TYPICAL IMPLEMENTATION
<proxy>
url.extension=.exe DENY
<proxy>
category=(sports) exception(content_filter_denied)
<proxy>
client.address=192.168.15.252/30 ALLOW
POLICY INTEGRITY
ALLOW VS OK
PREFERRED IMPLEMENTATION
<proxy>
url.extension=.exe DENY
<proxy>
client.address=192.168.15.252/30 OK
category=(sports) exception(content_filter_denied)
POLICY INTEGRITY
DENY & FORCE_DENY
Understand the Difference:
DENY (a later layer can override it):
<proxy>
category=(suspicious) DENY
<proxy>
client.address=192.168.15.42 ALLOW

FORCE_DENY (a later layer cannot override it):
<proxy>
category=(suspicious) FORCE_DENY
<proxy>
client.address=192.168.15.42 ALLOW
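The ALLOW vs OK and DENY vs FORCE_DENY slides above both come down to how decisions carry across layers. The following is an added example, not Blue Coat code: a simplified Python model of that evaluation (first matching rule decides a layer, later layers override earlier ALLOW/DENY, FORCE_DENY is final, OK changes nothing, and a layer guard skips the whole layer), with the slide policies encoded as data so the difference can be observed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not Blue Coat code: a simplified model of ProxySG layer evaluation.
# Each layer is decided by its first matching rule; a later layer may override an
# earlier ALLOW/DENY; FORCE_DENY cannot be overridden; OK changes nothing and only
# ends evaluation of the current layer. exception() is modelled as DENY.
@dataclass
class Rule:
    conds: list     # predicates on the request; all must match ("and")
    action: str     # ALLOW, DENY, FORCE_DENY or OK

@dataclass
class Layer:
    rules: list
    guard: object = None  # layer guard predicate: the layer runs only if it matches

def in_subnet(*nets):
    return lambda r: any(ip_address(r["client"]) in ip_network(n) for n in nets)
def category(*cats):
    return lambda r: r.get("category") in cats
def extension(ext):
    return lambda r: r.get("ext") == ext

def evaluate(layers, req, default="ALLOW"):
    decision, forced = default, False
    for layer in layers:
        if layer.guard is not None and not layer.guard(req):
            continue                      # guard failed: skip the whole layer
        for rule in layer.rules:
            if all(c(req) for c in rule.conds):
                if rule.action == "FORCE_DENY":
                    decision, forced = "DENY", True
                elif rule.action in ("ALLOW", "DENY") and not forced:
                    decision = rule.action
                break                     # first matching rule decides the layer
    return decision

# DENY vs FORCE_DENY slide: a later layer ALLOWs one client address
def deny_then_allow(action):
    return [Layer([Rule([category("suspicious")], action)]),
            Layer([Rule([in_subnet("192.168.15.42/32")], "ALLOW")])]
# ALLOW vs OK slides: subnet exemption as its own ALLOW layer (typical) versus an
# OK rule placed ahead of the sports rule inside the same layer (preferred)
TYPICAL = [Layer([Rule([extension("exe")], "DENY")]),
           Layer([Rule([category("sports")], "DENY")]),
           Layer([Rule([in_subnet("192.168.15.252/30")], "ALLOW")])]
PREFERRED = [Layer([Rule([extension("exe")], "DENY")]),
             Layer([Rule([in_subnet("192.168.15.252/30")], "OK"),
                    Rule([category("sports")], "DENY")])]
```

With a .exe download from 192.168.15.253, TYPICAL ends in ALLOW because the subnet layer overrides the earlier .exe DENY, while PREFERRED keeps the DENY because OK only skips the rest of its own layer.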
POLICY INTEGRITY
OPERATORS
The “and” operator:
CPL:
client.address=1.1.1.1 url.domain=abc.com url.extension=(exe, com) DENY
POLICY INTEGRITY
OPERATORS
The “and” operator with a negate:
CPL:
client.address=1.1.1.1 url.domain=abc.com url.extension=!(exe, com) DENY
POLICY INTEGRITY
TYPICAL IMPLEMENTATION
Negate and Exception:
define subnet my_users
10.0.0.0/8
192.168.0.0/16
end
<proxy>
client.address=!my_users DENY
<proxy>
category=(pornography, gambling) exception(content_filter_denied)
<proxy>
condition=executable condition=!approved_application exception(user_defined.too_risky)
POLICY INTEGRITY
PREFERRED IMPLEMENTATION
Negate and Force Exception:
define subnet my_users
10.0.0.0/8
192.168.0.0/16
end
<proxy>
client.address=!my_users FORCE_DENY
<proxy>
category=(pornography, gambling) force_exception(content_filter_denied)
<proxy>
condition=executable condition=!approved_application exception(user_defined.too_risky)
POLICY OPTIMIZATION
The need for speed.
POLICY OPTIMIZATION
IMPLEMENTATION TYPES
Using the Visual Policy Manager (VPM) versus Content Policy Language (CPL)
VPM
• User-friendly
• Graphical
• Easy to use
• Preferred method of configuring policy for most administrators
• Supports a subset of the functionality available through CPL
CPL
• Can be scripted
• For implementing policy not available in the VPM
POLICY OPTIMIZATION
OVERVIEW OF REGEXES
• Use Regular Expressions (regex) only when absolutely necessary
  • They are the most CPU-intensive policy you can implement
  • They can result in sub-optimized policy
  • They are sometimes used when administrators are not fully aware of, or don't understand, the numerous conditions available in VPM/CPL
POLICY OPTIMIZATION
GENERAL REGEX GUIDELINES
• Be careful with special characters: \ ^ $ . | ? * + ( ) { } [ ]
  * is not a wildcard!
  * or .* are almost always unnecessary!
• Be specific in what you are looking at:
  Yes: url.host.regex, url.path.regex, url.query.regex
  Avoid: url.regex (the entire URL)
POLICY OPTIMIZATION
MORE REGEX GUIDELINES
• Be specific in what you are looking for:
Regex                                Finds
url.host.regex=\.com$                Hosts ending in ".com" (note that the period is escaped)
url.host.regex=x+                    Matches "x" one or more times
url.host.regex=x{2,5}                Matches "x" 2 to 5 times
url.path.regex=^\/bad-directory\/    All URLs whose path begins with "/bad-directory/"
url.query.regex=login=matt           Query strings that contain "login=matt" (anchor this if possible)
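As an added illustration of the regex guidance above (not from the deck), the Python below emulates url.host.regex, url.path.regex and url.regex against constructed URLs and shows the false positives produced by an unescaped dot, a missing anchor, and matching the whole URL instead of one component.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the deck: the slides' "be specific" regex guidance applied
# to constructed URLs. Each pair contrasts a specific pattern with a sloppy one.
SPECIFIC_HOST = re.compile(r"\.com$")            # literal "." then "com" at end of host
SLOPPY_HOST = re.compile(r".com$")               # any character then "com" at end of host
SPECIFIC_PATH = re.compile(r"^/bad-directory/")  # anchored to the start of the path
SLOPPY_PATH = re.compile(r"bad-directory")       # substring anywhere in the path
WHOLE_URL = re.compile(r"\.com")                 # what url.regex sees: the entire URL

def host_matches(url, specific=True):
    """Emulates url.host.regex: only the host component is tested."""
    host = urlsplit(url).hostname or ""
    return bool((SPECIFIC_HOST if specific else SLOPPY_HOST).search(host))

def path_matches(url, specific=True):
    """Emulates url.path.regex: only the path component is tested."""
    return bool((SPECIFIC_PATH if specific else SLOPPY_PATH).search(urlsplit(url).path))

def url_matches(url):
    """Emulates url.regex over the whole URL, including the query string."""
    return bool(WHOLE_URL.search(url))

# Constructed sample URLs (not real sites)
URLS = [
    "http://www.example.com/bad-directory/index.html",        # the intended match
    "http://intranet-telecom/",                               # "ecom" satisfies .com$
    "http://www.example.com/news/bad-directory-review.html",  # substring, not the directory
    "http://evil.net/?go=www.example.com",                    # ".com" appears only in the query
]

def false_positives(urls):
    """URLs that only the sloppy or whole-URL patterns match, not the specific ones."""
    return [u for u in urls
            if (host_matches(u, False) and not host_matches(u))
            or (path_matches(u, False) and not path_matches(u))
            or (url_matches(u) and not host_matches(u))]
```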
POLICY OPTIMIZATION
GENERAL GUIDELINES
• Place rules most likely to match at the beginning of the layer
• Group like conditions
  • Subnets
  • Appropriate URL condition
  • Use definitions
  • Use layer guards
POLICY OPTIMIZATION
RULE PLACEMENT
Rule placement speeds processing:
Typical Implementation
<proxy>
url.domain=www.abc.com DENY
url=http://www.def.com/chatweb/ DENY
url=http://www.ghi.com/finance/ DENY
url.domain=www.jkl.com DENY
im.buddy_id=bill DENY
url.domain=www.mno.com DENY
im.buddy_id=bob DENY

Optimized Implementation
<proxy>
url.domain=www.abc.com DENY
url.domain=www.jkl.com DENY
url.domain=www.mno.com DENY
url=http://www.def.com/chatweb/ DENY
url=http://www.ghi.com/finance/ DENY
im.buddy_id=bill DENY
im.buddy_id=bob DENY
POLICY OPTIMIZATION
SUBNETS
Grouping addresses into a subnet speeds processing:
Typical Implementation
<proxy>
client.address=10.1.1.252 DENY
client.address=10.1.1.253 DENY
client.address=10.1.1.254 DENY
client.address=10.1.1.255 DENY

Optimized Implementation
<proxy>
client.address=10.1.1.252/30 DENY
POLICY OPTIMIZATION
APPROPRIATE URL CONDITION
url.domain=company.com
url.domain=www.company.com
url.domain=www.company.com/cgi-bin
url.path="/cgi-bin/"
url=http://www.company.com/cgi-bin/
url=http://www.company.com/cgi-bin/query.pl?q=test#fragment
POLICY OPTIMIZATION
DEFINITIONS
Place common items into a condition
Typical Implementation
<proxy>
client.address=10.0.0.0/8 category=(gambling) OK
client.address=192.168.0.0/16 category=(gambling) OK
client.address=216.52.23.3 category=(gambling) OK
client.address=216.52.23.5 category=(gambling) OK
category=(gambling) exception(content_filter_denied)

Optimized Implementation
define subnet test_network
10.0.0.0/8
192.168.0.0/16
216.52.23.3
216.52.23.5
end
<proxy>
client.address=test_network category=(gambling) OK
category=(gambling) exception(content_filter_denied)
POLICY OPTIMIZATION
LAYER GUARDS
<proxy "Corp Web Access"> group=corporate_user
url.domain=competitor.com DENY
category=(gambling) exception(content_filter_denied)
POLICY OPTIMIZATION
LAYER GUARDS
Layer guards allow execution of a layer upon condition match
Typical Implementation
<proxy>
authenticate(myrealm)
<proxy>
group=hr user=bluecoat\bob.kent OK
group=hr url.domain=mercurynews.com OK
group=hr url.domain=sfgate.com/jobs/ OK
group=hr url.address=216.52.23.5 DENY
group=hr category=(news/media) exception(content_filter_denied)

Optimized Implementation
<proxy>
authenticate(myrealm)
<proxy> group=hr
user=bluecoat\bob.kent OK
url.domain=mercurynews.com/hotjobs OK
url.domain=sfgate.com/jobs/ OK
url.address=216.52.23.5 DENY
category=(news/media) exception(content_filter_denied)
POLICY OPTIMIZATION
LOCAL DATABASE
SUMMARY
Policy Construct:
• How to express policy decisions in layers
• Importance of consistency within the policy model
• Logical ordering of layers
Policy Integrity:
• The different types of Triggers & Actions
• How the use of Actions affects policy
• How the policy is evaluated
Policy Optimization:
• VPM & CPL examples
• Importance of rule placement
• Correct syntax for Conditions & Definitions within policy
• Use of Layer Guards
BLUE COAT CUSTOMER FORUMS
• Community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
• Please visit the Customer Forums pages at https://forums.bluecoat.com/forumdisplay.php?133-BlueCoat-Support-Videos to view four new Knowledge Assets / Support Videos on ProxySG Policy.
• Research, post and reply to topics relevant to you at your own convenience
• Blue Coat Moderator Team ready to offer guidance, answer questions, and help get you on the right track
• Access at forums.bluecoat.com and register for an account today!
THANK YOU FOR JOINING TODAY!
• Please provide feedback on this webcast and suggestions for future webcasts to: [email protected]
Webcast replay and slide deck found here: https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)
Q&A
Questions?