Slide 1: PROXYSG POLICY BEST PRACTICES
Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
Thank you for joining today's Blue Coat Customer Support Technical Webcast!
- The Webcast will begin just a minute or so after the top of the hour to allow today's very large audience sufficient time to join
- You may join the teleconference through the numbers provided in your invite, or listen through your computer speakers
- Audio broadcast will go live when the Webcast begins
- The presentation will run approximately 60 minutes
- There will be a 30-minute Q/A session thereafter
- Please submit questions using the Webex Q/A feature!

Slide 2: PROXYSG POLICY BEST PRACTICES
Brent "Bucky" Baldwin, Sr. Consultant, Professional Services
June 24, 2014

Slide 3: AGENDA
- Policy Construct
- Policy Integrity
- Policy Optimization
- Q&A

Slide 4: POLICY CONSTRUCT
The building blocks of policy

Slide 5: POLICY CONSTRUCT: OVERVIEW
Blue Coat policy is:
- Subjective
- Powerful
- Flexible
It can be written as:
- CPL (Content Policy Language)
- VPM (Visual Policy Manager)
- Hybrid (both)

Slide 6: POLICY CONSTRUCT: GENERAL GUIDELINES
Express separate decisions in separate layers:
- Keep policy logic separate and distinct
- One layer per decision
- Related decisions in adjacent layers

Slide 7: POLICY CONSTRUCT: DISTINCT LAYERS
(diagram slide)

Slide 8: POLICY CONSTRUCT: THE MODEL
Be consistent with the model:
- The default Blue Coat policy should align with the corporate security policy
  - ALLOW: easier to implement
  - DENY: where security is more important (e.g. government or banking)
- Global deny list
- Global allow list
- Model policy: general rules first, then exceptions

Slide 9: POLICY CONSTRUCT: EXAMPLE

    ;Default policy is DENY
    define subnet corporate_subnet
        10.1.1.0/24
    end

    ;First, explicitly allow access to only our users
    client.address=corporate_subnet ALLOW

    ;Next, impose any authentication requirements
    authenticate(corp_realm)

    ;Next, begin to exclude specific types of requests
    url.domain=playboy.com DENY
    category=(gambling, hacking, games) exception(content_filter_denied)

    ;Next, begin exceptions to the general rule
    group=(execs, managers) url.domain=fantasyfootball.com ALLOW

Slide 10: POLICY CONSTRUCT: POLICY OPTIONS
(diagram slide)

Slide 11: POLICY CONSTRUCT: ORDERING OF LAYERS
(diagram slide)

Slide 12: POLICY CONSTRUCT: LAYER NAMING

    url.domain=competitor.com DENY
    category=(Gambling) DENY

Slide 13: POLICY CONSTRUCT: TRIGGERS AND ACTIONS
Actions:
- Allow/Deny
- Trace
- Force_Deny
- Exception

Slide 14: POLICY CONSTRUCT: COMMON HTTP TRIGGERS
Example URL: http://www.support.blah.com:80/path.path_path/demo_file.html?sess=1234
URL component and the triggers that test it:
- Protocol:  url.scheme=
- Host:      url.host=  url.host.regex=  url.address=  url.domain=
- Port:      url.port=
- Path:      url.path=  url.path.regex=
- Extension: url.extension=
- Query:     url.query=  url.query.regex=
- Whole URL: url=  url.regex=

Slide 15: POLICY INTEGRITY
Best practices for maintenance and operational excellence

Slide 16: POLICY INTEGRITY: RULE EVALUATION IN LAYERS
(diagram slide)

Slide 17: POLICY INTEGRITY: RULE EVALUATION IN LAYERS (continued)
(diagram slide)

Slide 18: POLICY INTEGRITY: ACTIONS
- Allow
- OK
- Deny
- Force Deny

Slide 19: POLICY INTEGRITY: ALLOW VS OK
Typical implementation:

    url.extension=.exe DENY
    category=(sports) exception(content_filter_denied)
    client.address=192.168.15.252/30 ALLOW

Slide 20: POLICY INTEGRITY: ALLOW VS OK
Preferred implementation:

    url.extension=.exe DENY
    client.address=192.168.15.252/30 OK
    category=(sports) exception(content_filter_denied)

Slide 21: POLICY INTEGRITY: DENY & FORCE_DENY
Understand the difference:

DENY:

    category=(suspicious) DENY
    client.address=192.168.15.42 ALLOW

FORCE_DENY:

    category=(suspicious) FORCE_DENY
    client.address=192.168.15.42 ALLOW

Slide 22: POLICY INTEGRITY: OPERATORS
The "and" operator in CPL (all conditions on one rule line must match):

    client.address=1.1.1.1 url.domain=abc.com url.extension=(exe, com) DENY

Slide 23: POLICY INTEGRITY: OPERATORS
The "and" operator with a negate in CPL:

    client.address=1.1.1.1 url.domain=abc.com url.extension=!(exe, com) DENY

Slide 24: POLICY INTEGRITY: TYPICAL IMPLEMENTATION
Negate and exception:

    define subnet my_users
        10.0.0.0/8
        192.168.0.0/16
    end

    client.address=!my_users DENY
    category=(pornography, gambling) exception(content_filter_denied)
    condition=executable condition=!approved_application exception(user_defined.too_risky)

Slide 25: POLICY INTEGRITY: PREFERRED IMPLEMENTATION
Negate and force exception:

    define subnet my_users
        10.0.0.0/8
        192.168.0.0/16
    end

    client.address=!my_users FORCE_DENY
    category=(pornography, gambling) force_exception(content_filter_denied)
    condition=executable condition=!approved_application exception(user_defined.too_risky)

Slide 26: POLICY OPTIMIZATION
The need for speed.

Slide 27: POLICY OPTIMIZATION: IMPLEMENTATION TYPES
Using the Visual Policy Manager (VPM) versus Content Policy Language (CPL):
VPM:
- User-friendly, graphical, easy to use
- Preferred method of configuring policy for most administrators
- Supports a subset of the functionality available through CPL
CPL:
- Can be scripted
- For implementing policy not available in the VPM

Slide 28: POLICY OPTIMIZATION: OVERVIEW OF REGEXES
- Use regular expressions (regex) only when absolutely necessary
- They are the most CPU-intensive policy you can implement
- They can result in sub-optimal policy
- They are sometimes used when administrators are not fully aware of, or don't understand, the numerous conditions available in VPM/CPL

Slide 29: POLICY OPTIMIZATION: GENERAL REGEX GUIDELINES
- Be careful with special characters: \ ^ $ . | ? * + ( ) { } [ ]
- "*" is not a wildcard! A bare "*" or ".*" is almost always unnecessary!
- Be specific in what you are looking at:
(examples shown on slide)

Slide 30: POLICY OPTIMIZATION: MORE REGEX GUIDELINES
- Be specific in what you are looking for:
(examples shown on slide)

Slide 31: POLICY OPTIMIZATION: GENERAL GUIDELINES
- Place rules most likely to match at the beginning of the layer
- Group like conditions
- Use subnets
- Use the appropriate URL condition
- Use definitions
- Use layer guards

Slide 32: POLICY OPTIMIZATION: RULE PLACEMENT
Rule placement speeds processing.

Typical implementation:

    url.domain=www.abc.com DENY
    url=http://www.def.com/chatweb/ DENY
    url=http://www.ghi.com/finance/ DENY
    url.domain=www.jkl.com DENY
    im.buddy_id=bill DENY
    url.domain=www.mno.com DENY
    im.buddy_id=bob DENY

Optimized implementation (like conditions grouped together):

    url.domain=www.abc.com DENY
    url.domain=www.jkl.com DENY
    url.domain=www.mno.com DENY
    url=http://www.def.com/chatweb/ DENY
    url=http://www.ghi.com/finance/ DENY
    im.buddy_id=bill DENY
    im.buddy_id=bob DENY

Slide 33: POLICY OPTIMIZATION: SUBNETS
Rule placement speeds processing.

Typical implementation:

    client.address=10.1.1.252 DENY
    client.address=10.1.1.253 DENY
    client.address=10.1.1.254 DENY
    client.address=10.1.1.255 DENY

Optimized implementation (one subnet covers the same four hosts):

    client.address=10.1.1.252/30 DENY

Slide 34: POLICY OPTIMIZATION: APPROPRIATE URL CONDITION

    url.domain=company.com
    url.domain=www.company.com
    url.domain=www.company.com/cgi-bin
    url.path="/cgi-bin/"
    url=http://www.company.com/cgi-bin/
    url=http://www.company.com/cgi-bin/query.pl?q=test#fragment

Slide 35: POLICY OPTIMIZATION: DEFINITIONS
Place common items into a definition.

Typical implementation:

    client.address=10.0.0.0/8 category=(gambling) OK
    client.address=192.168.0.0/16 category=(gambling) OK
    client.address=216.52.23.3 category=(gambling) OK
    client.address=216.52.23.5 category=(gambling) OK
    category=(gambling) exception(content_filter_denied)

Optimized implementation:

    define subnet test_network
        10.0.0.0/8
        192.168.0.0/16
        216.52.23.3
        216.52.23.5
    end

    client.address=test_network category=(gambling) OK
    category=(gambling) exception(content_filter_denied)

Slide 36: POLICY OPTIMIZATION: LAYER GUARDS

    group=corporate_user                                   ;layer guard
    url.domain=competitor.com DENY
    category=(gambling) exception(content_filter_denied)

Slide 37: POLICY OPTIMIZATION: LAYER GUARDS
Layer guards allow execution of a layer only when the guard condition matches.

Typical implementation:

    authenticate(myrealm)

    group=hr user=bluecoat\bob.kent OK
    group=hr url.domain=mercurynews.com OK
    group=hr url.domain=sfgate.com/jobs/ OK
    group=hr url.address=216.52.23.5 DENY
    group=hr category=(news/media) exception(content_filter_denied)

Optimized implementation:

    authenticate(myrealm)

    group=hr                                               ;layer guard
    user=bluecoat\bob.kent OK
    url.domain=mercurynews.com/hotjobs OK
    url.domain=sfgate.com/jobs/ OK
    url.address=216.52.23.5 DENY
    category=(news/media) exception(content_filter_denied)
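The following is an added example, not code from the slides or from Blue Coat: a small Python model of how layers combine ALLOW, OK, DENY and FORCE_DENY, first-match-ends-the-layer rule placement, subnet definitions and layer guards, so the difference between the "typical" and "preferred" implementations on slides 19 to 21, 24/25 and 36/37 can be exercised. The evaluation rules in the comments are a simplified assumption about ProxySG semantics; exception(...) is treated as DENY and the request dictionaries are constructed sample input.

```python
import ipaddress
# Simplified model (assumption, not Blue Coat's code): the first matching rule
# ends its layer; ALLOW/DENY in a later layer override earlier layers; OK ends
# the layer without changing the verdict; FORCE_DENY is final; exception(...)
# counts as DENY. Rule = (conditions, action); condition = (trigger, values, negated).
def matches(cond, request):
    trigger, values, negated = cond
    actual = request.get(trigger)
    if trigger == "client.address":          # values are subnets, as in a definition
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(v, strict=False)
                  for v in values)
    else:
        hit = actual in values
    return hit != negated                    # "!" negation flips the result

def evaluate(layers, request, default="ALLOW"):
    """layers: list of (guard condition or None, rules); returns ALLOW or DENY."""
    verdict, forced = default, False
    for guard, rules in layers:
        if guard is not None and not matches(guard, request):
            continue                         # layer guard failed: skip the layer
        for conds, action in rules:
            if all(matches(c, request) for c in conds):
                if action == "FORCE_DENY":
                    verdict, forced = "DENY", True
                elif action in ("ALLOW", "DENY") and not forced:
                    verdict = action         # OK falls through: no change
                break                        # first match ends the layer
    return verdict

EXE_DENY = (None, [([("url.extension", [".exe"], False)], "DENY")])
SUBNET = ("client.address", ["192.168.15.252/30"], False)
SPORTS_LAYER = (None, [([("category", ["sports"], False)], "DENY")])
# Slide 19 ("typical"): the subnet ALLOW in a later layer also cancels EXE_DENY
TYPICAL = [EXE_DENY, SPORTS_LAYER, (None, [([SUBNET], "ALLOW")])]
# Slide 20 ("preferred"): OK exempts the subnet from the sports block only
PREFERRED = [EXE_DENY, (None, [([SUBNET], "OK")] + SPORTS_LAYER[1])]
# Slide 21: DENY vs FORCE_DENY, each followed by an ALLOW for one client
ALLOW_42 = (None, [([("client.address", ["192.168.15.42"], False)], "ALLOW")])
SUSPICIOUS = ("category", ["suspicious"], False)
SUSPICIOUS_DENY = [(None, [([SUSPICIOUS], "DENY")]), ALLOW_42]
SUSPICIOUS_FORCE = [(None, [([SUSPICIOUS], "FORCE_DENY")]), ALLOW_42]
# Slide 37: a group=hr layer guard around a news/media block
HR_GUARDED = [(("group", ["hr"], False), [([("category", ["news/media"], False)], "DENY")])]
# Constructed sample request: an .exe fetch from inside the exempt subnet
EXE_FROM_SUBNET = {"client.address": "192.168.15.253", "url.extension": ".exe",
                   "category": "sports", "group": "eng"}
```

Running evaluate(TYPICAL, EXE_FROM_SUBNET) returns ALLOW while evaluate(PREFERRED, EXE_FROM_SUBNET) returns DENY, which is exactly the leak the "preferred" form on slide 20 closes.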

Slide 38: POLICY OPTIMIZATION: LOCAL DATABASE
(diagram slide)

Slide 39: POLICY OPTIMIZATION: LOCAL DATABASE (continued)
(diagram slide)

Slide 40: SUMMARY
Policy Construct:
- How to express policy decisions in layers
- Importance of consistency within the policy model
- Logical ordering of layers
Policy Integrity:
- The different types of triggers and actions
- How the choice of action affects policy
- How the policy is evaluated
Policy Optimization:
- VPM and CPL examples
- Importance of rule placement
- Correct syntax for conditions and definitions within policy
- Use of layer guards

Slide 41: BLUE COAT CUSTOMER FORUMS
- A community where you can learn from and share your valuable knowledge and experience with other Blue Coat customers
- Please visit the Customer Forums pages at https://forums.bluecoat.com/forumdisplay.php?133-Blue-Coat-Support-Videos to view four new Knowledge Assets / Support Videos on ProxySG Policy
- Research, post and reply to topics relevant to you at your own convenience
- The Blue Coat Moderator Team is ready to offer guidance, answer questions, and help get you on the right track
- Access at forums.bluecoat.com and register for an account today!

Slide 42: THANK YOU FOR JOINING TODAY!
- Please provide feedback on this webcast and suggestions for future webcasts to: supportnewsletter@bluecoat.com
- Webcast replay and slide deck can be found at https://bto.bluecoat.com/training/customer-support-technical-webcasts (requires BTO login)

Slide 43: Q&A
Questions?
