SOFT-TRONIK, a.s.

SOFT-TRONIK, a.s. ProxySG's Policy. Michal Červinka, Pre-sales SE. Construction - Policy Files: VPM (created via Visual Policy Manager), Local Policy File (manually created CPL), Central Policy File (global setting managed by BCSI by default), Forwarding Policy File.


Presentation Transcript


  1. SOFT-TRONIK, a.s.: ProxySG's Policy. Michal Červinka, Pre-sales SE

  2. Construction - Policy Files
     • VPM: created via Visual Policy Manager
     • Local Policy File: manually created CPL
     • Central Policy File: global setting managed by BCSI by default
     • Forwarding Policy File: forwarding rules (for backward compatibility only)
     Evaluated in THIS order by default …

  3. Construction - Policy Layers
     • <admin> Admin Authentication Layer
     • <admin> Admin Access Layer
     • <dns-proxy> DNS Access Layer
     • <proxy> SOCKS Authentication Layer
     • <ssl-intercept> SSL Intercept Layer
     • <ssl> SSL Access Layer
     • <proxy> Web Authentication Layer
     • <proxy> Web Access Layer
     • <cache> Web Content Layer
     • <forward> Forwarding Layer
     Preferred ordering. Evaluated sequentially.

  4. Construction – Design of Layers
     • Separate decisions in separate layers
     • Start with general, proceed to more specific
     • Remember the default policy
       • ALLOW: usually for app acceleration
       • DENY: typical for security GW

  5. Construction - Policy Rules
     • Rules evaluation
       • reflects order within the layer
       • "first match" model
     • Design rule
       • go from specific to general

  6. Integrity – ALLOW vs. OK
     • ALLOW can reverse a previous denial
     • OK action available as "empty" action

  7. Integrity – DENY vs. FORCE DENY
     • DENY can be overridden by a later ALLOW
     • FORCE_DENY terminates further policy evaluation
     • The same applies to exception vs. force_exception

  8. Optimization
     • Try to avoid regular expressions
       • they are too CPU-intensive

  9. Optimization
     • Place rules most likely to match at the beginning of the layer
     • Place like conditions together within the layer
       • let the compiler optimize

  10. Optimization
     • Use subnets when possible
       • or group by "define subnet" definition

  11. Optimization
     • Use definitions to minimize the number of rules

  12. Optimization
     • Select the appropriate URL condition

  13. Optimization
     • Use Layer Guards
       • to prevent layers from being evaluated unnecessarily

  14. Michal Červinka, Pre-sales SE, michal.cervinka@soft-tronik.cz
     SOFT-TRONIK, a.s.
     • Ostrava: Tvorkovských 5, 709 00 Ostrava - Mariánské Hory, tel.: +420 597 488 811, fax: +420 596 622 486
     • Praha: Nagano Office and Technology Park, Nagano III, U nákladového nádraží 10, 130 00 Praha 3, tel: +420 266 109 211, fax: +420 283 840 236
     www.soft-tronik.cz
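The evaluation rules stated on slides 3 to 7 and 13 (sequential layers, first match within a layer, a later ALLOW reversing a DENY, FORCE_DENY ending evaluation, OK as an empty action, layer guards, default policy) can be checked against a small model. This Python sketch is an added example, not CPL and not code from the presentation or from the ProxySG product; the subnets, host names and the `evaluate` and `verdict` helpers are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed subnets, standing in for "define subnet" blocks.
INTERNAL = ip_network("10.0.0.0/8")
MARKETING = ip_network("10.1.2.0/24")

def in_subnet(net):
    return lambda req: ip_address(req["client"]) in net

def host_is(name):
    return lambda req: req["host"] == name

def evaluate(layers, req, default="DENY"):
    """Return the final ALLOW/DENY verdict under the model on the slides."""
    verdict = default                      # "remember the default policy"
    for layer in layers:                   # layers are evaluated sequentially
        guard = layer.get("guard")
        if guard and not guard(req):
            continue                       # layer guard: skip the whole layer
        for condition, action in layer["rules"]:
            if not condition(req):
                continue
            if action == "FORCE_DENY":
                return "DENY"              # ends evaluation, cannot be reversed
            if action in ("ALLOW", "DENY"):
                verdict = action           # a later layer may still override
            break                          # first match; "OK" changes nothing
    return verdict

# Constructed policy: rules inside a layer go from specific to general.
POLICY = [
    {"rules": [
        (host_is("malware.example"), "FORCE_DENY"),
        (host_is("social.example"), "DENY"),
        (in_subnet(INTERNAL), "ALLOW"),
    ]},
    {"guard": in_subnet(MARKETING), "rules": [
        (host_is("social.example"), "ALLOW"),   # reverses the earlier DENY
        (host_is("malware.example"), "ALLOW"),  # never reached: FORCE_DENY above
        (lambda req: True, "OK"),               # matches, leaves verdict as is
    ]},
]

def verdict(client, host, default="DENY"):
    return evaluate(POLICY, {"client": client, "host": host}, default)
```

The second layer shows why a block that must hold belongs in FORCE_DENY: the plain DENY for `social.example` is undone for the guarded subnet, while the `malware.example` ALLOW in the same layer has no effect.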
