
PROXYSG POLICY BEST PRACTICES

Thank you for joining today's Blue Coat Customer Support Technical Webcast!

The Webcast will begin just a minute or so after the top of the hour to
allow today's very large audience sufficient time to join.
You may join the teleconference through the numbers provided in
your invite, or listen through your computer speakers.
Audio broadcast will go live when the Webcast begins.
The Presentation will run approximately 60 minutes.
There will be a 30-minute Q/A session thereafter.

Please submit questions using the Webex Q/A feature!

Copyright 2013 Blue Coat Systems Inc. All Rights Reserved. 1


PROXYSG
POLICY BEST PRACTICES

BRENT BUCKY BALDWIN


Sr. Consultant, Professional Services

June 24, 2014



AGENDA

Policy Construct
Policy Integrity
Policy Optimization
Q&A



POLICY CONSTRUCT

The building blocks to policy

POLICY CONSTRUCT
OVERVIEW

Blue Coat Policy is:


Subjective
Powerful
Flexible
CPL (Content Policy Language)
VPM (Visual Policy Manager)
Hybrid



POLICY CONSTRUCT
GENERAL GUIDELINES

Express Separate Decisions in Separate Layers


Keep policy logic separate & distinct
One Layer
Adjacent Layers



POLICY CONSTRUCT
DISTINCT LAYERS



POLICY CONSTRUCT
THE MODEL

Be Consistent With The Model


Default Blue Coat Policy aligns with the corporate security policy
ALLOW: easier to implement
DENY: where security is more important (e.g. government or banking)
Global deny list
Global allow list
Model policy: general rules, then exceptions



POLICY CONSTRUCT
EXAMPLE

;Default Policy is DENY

define subnet corporate_subnet
10.1.1.0/24
end

;First, explicitly allow access to only our users
<proxy "Web Access">
client.address=corporate_subnet ALLOW

;Next, impose any authentication requirements
<proxy "Web Auth">
authenticate(corp_realm)

;Next, begin to exclude specific types of requests
<proxy "Web Filter">
url.domain=playboy.com DENY
category=(gambling, hacking, games) exception(content_filter_denied)

;Next, begin exceptions to the general rule
<proxy "Restricted Access">
group=(execs, managers) url.domain=fantasyfootball.com ALLOW



POLICY CONSTRUCT
POLICY OPTIONS



POLICY CONSTRUCT
ORDERING OF LAYERS

Layer Type       Logical Implementation
<admin>          Admin Authentication Layer
<admin>          Admin Access Layer
<dns-proxy>      DNS Access Layer
<proxy>          SOCKS Authentication Layer
<ssl-intercept>  SSL Intercept Layer
<ssl>            SSL Access Layer
<proxy>          Web Authentication Layer
<proxy>          Web Access Layer
<cache>          Web Content Layer
<forward>        Forwarding Layer



POLICY CONSTRUCT
LAYER NAMING

<proxy "Corp Web Filter">
url.domain=competitor.com DENY
category=(Gambling) DENY



POLICY CONSTRUCT
TRIGGERS AND ACTIONS

- Allow/Deny
- Trace
- Force_Deny
- Exception



POLICY CONSTRUCT
COMMON HTTP TRIGGERS

Protocol | Host | Port | Path | File Extension | Query

http://www.support.blah.com:80/path.path_path/demo_file.html?sess=1234

Protocol:        url.scheme=
Host:            url.host=, url.host.regex=, url.address=, url.domain=
Port:            url.port=
Path:            url.path=, url.path.regex=
File Extension:  url.extension=
Query:           url.query=, url.query.regex=
Entire URL:      url=, url.regex=
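As an added illustration (not from the deck), the Python below splits the slide's sample URL into the values each url.* trigger tests, and models url.domain= as a suffix match on label boundaries; the helper names and the DEFAULT_PORT table are my own assumptions.

```python
from urllib.parse import urlsplit

# The slide's sample URL, reused here as constructed input.
SAMPLE = "http://www.support.blah.com:80/path.path_path/demo_file.html?sess=1234"
DEFAULT_PORT = {"http": 80, "https": 443}   # assumed when the URL carries no port

def cpl_triggers(url):
    """Values the common ProxySG url.* triggers would test for this URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    last = path.rsplit("/", 1)[-1]           # final path segment only
    return {
        "url.scheme": parts.scheme,
        "url.host": parts.hostname,
        "url.port": parts.port or DEFAULT_PORT.get(parts.scheme),
        "url.path": path,
        "url.extension": "." + last.rsplit(".", 1)[1] if "." in last else "",
        "url.query": parts.query,
    }

def matches_domain(host, pattern):
    """url.domain= semantics as modelled here: the host equals the pattern or is
    a subdomain of it. Checking on a label boundary keeps 'notblah.com' from
    matching 'blah.com', which an unanchored url.host.regex would not."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)
```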



POLICY INTEGRITY

Best practices for maintenance and operational excellence



POLICY INTEGRITY
RULE EVALUATION IN LAYERS



POLICY INTEGRITY
RULE EVALUATION IN LAYERS



POLICY INTEGRITY
ACTIONS

Actions: Allow, OK, Deny, Force Deny
POLICY INTEGRITY
ALLOW VS OK

TYPICAL IMPLEMENTATION
<proxy>
url.extension=.exe DENY

<proxy>
category=(sports) exception(content_filter_denied)

<proxy>
client.address=192.168.15.252/30 ALLOW



POLICY INTEGRITY
ALLOW VS OK

PREFERRED IMPLEMENTATION
<proxy>
url.extension=.exe DENY

<proxy>
client.address=192.168.15.252/30 OK
category=(sports) exception(content_filter_denied)



POLICY INTEGRITY
DENY & FORCE_DENY

Understand the Difference:


DENY:
<policy>
category=(suspicious) DENY

<policy>
client.address=192.168.15.42 ALLOW

Result: ALLOW (the later ALLOW layer overrides the DENY)

FORCE_DENY:
<policy>
category=(suspicious) FORCE_DENY

<policy>
client.address=192.168.15.42 ALLOW

Result: DENY (FORCE_DENY cannot be overridden by a later layer)
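To make the ALLOW vs OK slides and the DENY vs FORCE_DENY slide concrete, here is an added Python model of ProxySG layer evaluation; it is not Blue Coat code. It assumes only the rules the deck states: layers run in order, the first matching rule decides a layer, a later layer's verdict overrides an earlier one, OK changes nothing, and FORCE_DENY cannot be overridden; exception() is modelled as DENY, and the request dicts are constructed.

```python
import ipaddress

# Conditions are predicates over a constructed request dict {"client", "url", "category"}.
def client_in(cidr):
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda req: ipaddress.ip_address(req["client"]) in net

def category_is(*cats):
    return lambda req: req["category"] in cats

def extension_is(ext):
    return lambda req: req["url"].lower().endswith(ext)

def evaluate(layers, req):
    """Layers run in order; the first matching rule decides its layer and
    overrides earlier layers unless a FORCE_* action was already hit.
    OK matches without touching the verdict. Default verdict: ALLOW."""
    verdict, final = "ALLOW", False
    for layer in layers:
        for conditions, action in layer:
            if not all(cond(req) for cond in conditions):
                continue                 # try the next rule in this layer
            if action != "OK" and not final:
                verdict = "ALLOW" if action == "ALLOW" else "DENY"   # EXCEPTION acts as DENY
                final = action.startswith("FORCE_")
            break                        # first match ends the layer
    return verdict

# ALLOW vs OK: the deck's typical layout versus the preferred one
TYPICAL = [
    [([extension_is(".exe")], "DENY")],
    [([category_is("sports")], "EXCEPTION")],
    [([client_in("192.168.15.252/30")], "ALLOW")],   # overrides both earlier layers
]
PREFERRED = [
    [([extension_is(".exe")], "DENY")],
    [([client_in("192.168.15.252/30")], "OK"),       # skips only the sports rule
     ([category_is("sports")], "EXCEPTION")],
]
# DENY vs FORCE_DENY: a later ALLOW layer overrides one but not the other
SOFT = [[([category_is("suspicious")], "DENY")],
        [([client_in("192.168.15.42")], "ALLOW")]]
HARD = [[([category_is("suspicious")], "FORCE_DENY")],
        [([client_in("192.168.15.42")], "ALLOW")]]

def demo():
    exe = {"client": "192.168.15.253", "url": "http://dl.example/setup.exe", "category": "sports"}
    sus = {"client": "192.168.15.42", "url": "http://bad.example/", "category": "suspicious"}
    return {"typical": evaluate(TYPICAL, exe), "preferred": evaluate(PREFERRED, exe),
            "deny": evaluate(SOFT, sus), "force_deny": evaluate(HARD, sus)}
```

The "typical" layout lets the trailing ALLOW layer reopen .exe downloads for the exempted subnet, which is the integrity problem OK avoids.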
POLICY INTEGRITY
OPERATORS

The AND operator (all conditions on one rule line must match):

CPL:
client.address=1.1.1.1 url.domain=abc.com url.extension=(exe, com) DENY
POLICY INTEGRITY
OPERATORS

The AND operator with a negate (the rule matches any extension other than exe or com):

CPL:
client.address=1.1.1.1 url.domain=abc.com url.extension=!(exe, com) DENY
POLICY INTEGRITY
TYPICAL IMPLEMENTATION

Negate and Exception:

define subnet my_users
10.0.0.0/8
192.168.0.0/16
end

<proxy>
client.address=!my_users DENY

<proxy>
category=(pornography, gambling) exception(content_filter_denied)

<proxy>
condition=executable condition=!approved_application
exception(user_defined.too_risky)



POLICY INTEGRITY
PREFERRED IMPLEMENTATION

Negate and Force Exception:

define subnet my_users
10.0.0.0/8
192.168.0.0/16
end

<proxy>
client.address=!my_users FORCE_DENY

<proxy>
category=(pornography, gambling) force_exception(content_filter_denied)

<proxy>
condition=executable condition=!approved_application
exception(user_defined.too_risky)



POLICY OPTIMIZATION

The need for speed.

POLICY OPTIMIZATION
IMPLEMENTATION TYPES

Using the Visual Policy Manager (VPM) versus Content Policy Language (CPL)

VPM:
- User-friendly
- Graphical
- Easy to use
- Preferred method of configuring policy for most administrators
- Supports a subset of the functionality available through CPL

CPL:
- Can be scripted
- For implementing policy not available in the VPM


POLICY OPTIMIZATION
OVERVIEW OF REGEXES

Use Regular Expressions (regex) Only When Absolutely Necessary

- They are the most CPU-intensive policy that you can implement
- They can result in sub-optimized policy
- They are sometimes used when administrators are not fully aware of, or
  don't understand, the numerous conditions available in VPM/CPL



POLICY OPTIMIZATION
GENERAL REGEX GUIDELINES

Be careful with special characters:

\ ^ $ . | ? * + ( ) { } [ ]
* is not a wildcard!
* or .* are almost always unnecessary!

Be specific in what you are looking at:

Yes:
- url.host.regex
- url.path.regex
- url.query.regex

Avoid:
- url.regex (the entire URL)



POLICY OPTIMIZATION
MORE REGEX GUIDELINES

Be specific in what you are looking for:

Regex                               Finds
url.host.regex=\.com$               Hosts ending in .com (note that the period is escaped)
url.host.regex=x+                   Matches x one or more times
url.host.regex=x{2,5}               Matches x 2 to 5 times
url.path.regex=^\/bad-directory\/   All URLs whose path begins with /bad-directory/
url.query.regex=login=matt          Query strings that contain login=matt (anchor this if possible)
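An added example (not from the deck) that runs the slide's patterns, and their careless variants, over constructed host, path and query samples with Python's re module; it assumes ProxySG's regex conditions behave like an unanchored search for these simple patterns, which is why the slide recommends anchoring.

```python
import re

# Constructed samples (not from the deck) chosen to expose each pitfall.
HOSTS = ["www.example.com", "example.com.evil.net", "shopxcom", "sub.host.com"]
PATHS = ["/bad-directory/file", "/not-bad-directory/x", "/bad-directory"]
QUERIES = ["login=matt", "login=matthew", "user=x&login=matt"]

def matching(pattern, values):
    """Values a url.*.regex= pattern would match (unanchored search)."""
    rx = re.compile(pattern)
    return [v for v in values if rx.search(v)]

def compare():
    return {
        # the slide's pattern: escaped dot plus end anchor
        "host escaped+anchored": matching(r"\.com$", HOSTS),
        # unescaped dot matches any character, so 'shopxcom' slips through
        "host unescaped": matching(r".com$", HOSTS),
        # no anchor: '.com' anywhere in the host, including example.com.evil.net
        "host unanchored": matching(r"\.com", HOSTS),
        # the slide's path pattern versus a bare substring
        "path anchored": matching(r"^\/bad-directory\/", PATHS),
        "path unanchored": matching(r"bad-directory", PATHS),
        # 'anchor this if possible': bound the parameter on both sides
        "query loose": matching(r"login=matt", QUERIES),
        "query bounded": matching(r"(^|&)login=matt(&|$)", QUERIES),
    }
```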



POLICY OPTIMIZATION
GENERAL GUIDELINES

Place Rules Most Likely to Match at the Beginning of the Layer
Group Like Conditions
Subnets
Appropriate URL Condition
Use Definitions
Use Layer Guards



POLICY OPTIMIZATION
RULE PLACEMENT

Rule placement speeds processing:

Typical Implementation:
<proxy>
url.domain=www.abc.com DENY
url=http://www.def.com/chatweb/ DENY
url=http://www.ghi.com/finance/ DENY
url.domain=www.jkl.com DENY
im.buddy_id=bill DENY
url.domain=www.mno.com DENY
im.buddy_id=bob DENY

Optimized Implementation:
<proxy>
url.domain=www.abc.com DENY
url.domain=www.jkl.com DENY
url.domain=www.mno.com DENY
url=http://www.def.com/chatweb/ DENY
url=http://www.ghi.com/finance/ DENY
im.buddy_id=bill DENY
im.buddy_id=bob DENY



POLICY OPTIMIZATION
SUBNETS

Rule placement speeds processing:

Typical Implementation:
<proxy>
client.address=10.1.1.252 DENY
client.address=10.1.1.253 DENY
client.address=10.1.1.254 DENY
client.address=10.1.1.255 DENY

Optimized Implementation:
<proxy>
client.address=10.1.1.252/30 DENY
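Before collapsing host rules into a subnet, confirm the block covers exactly the intended hosts; the added Python below (not Blue Coat code) does that with the standard ipaddress module, using the four hosts from the slide as constructed input, and also shows what happens when the host list does not fill a block.

```python
import ipaddress

# Constructed: the four hosts the deck's typical layer denies one by one.
DENIED_HOSTS = ["10.1.1.252", "10.1.1.253", "10.1.1.254", "10.1.1.255"]

def summarize(hosts):
    """Smallest set of CIDR blocks that covers exactly the given hosts."""
    nets = [ipaddress.ip_network(h) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def covers_exactly(cidr, hosts):
    """True only if the block holds every listed host and no other address,
    i.e. widening to this block does not deny clients that were not listed."""
    net = ipaddress.ip_network(cidr)
    return {str(a) for a in net} == set(hosts)
```

If the list does not fill a block, summarize() returns more than one prefix; keep those rather than rounding up to a wider subnet that would catch unlisted clients.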



POLICY OPTIMIZATION
APPROPRIATE URL CONDITION

url.domain=company.com
url.domain=www.company.com
url.domain=www.company.com/cgi-bin
url.path=/cgi-bin/
url=http://www.company.com/cgi-bin/
url=http://www.company.com/cgi-bin/query.pl?q=test#fragment



POLICY OPTIMIZATION
DEFINITIONS

Place common items into a condition

Typical Implementation:
<proxy>
client.address=10.0.0.0/8 category=(gambling) OK
client.address=192.168.0.0/16 category=(gambling) OK
client.address=216.52.23.3 category=(gambling) OK
client.address=216.52.23.5 category=(gambling) OK
category=(gambling) exception(content_filter_denied)

Optimized Implementation:
define subnet test_network
10.0.0.0/8
192.168.0.0/16
216.52.23.3
216.52.23.5
end

<proxy>
client.address=test_network category=(gambling) OK
category=(gambling) exception(content_filter_denied)



POLICY OPTIMIZATION
LAYER GUARDS

<proxy "Corp Web Access"> group=corporate_user
url.domain=competitor.com DENY
category=(gambling) exception(content_filter_denied)



POLICY OPTIMIZATION
LAYER GUARDS

Layer guards allow execution of a layer upon condition match

Typical Implementation:
<proxy>
authenticate(myrealm)

<proxy>
group=hr user=bluecoat\bob.kent OK
group=hr url.domain=mercurynews.com OK
group=hr url.domain=sfgate.com/jobs/ OK
group=hr url.address=216.52.23.5 DENY
group=hr category=(news/media) exception(content_filter_denied)

Optimized Implementation:
<proxy>
authenticate(myrealm)

<proxy> group=hr
user=bluecoat\bob.kent OK
url.domain=mercurynews.com/hotjobs OK
url.domain=sfgate.com/jobs/ OK
url.address=216.52.23.5 DENY
category=(news/media) exception(content_filter_denied)



POLICY OPTIMIZATION
LOCAL DATABASE



POLICY OPTIMIZATION
LOCAL DATABASE



SUMMARY

Policy Construct:
How to express policy decisions in layers
Importance of consistency within the policy model
Logical ordering of layers

Policy Integrity:
The different types of Triggers & Actions
How the use of Actions affects policy
How the policy is evaluated

Policy Optimization:
VPM & CPL examples
Importance of rule placement
Correct syntax for Conditions & Definitions within policy
Use of Layer Guards
BLUE COAT CUSTOMER FORUMS

Community where you can learn from and share your valuable knowledge
and experience with other Blue Coat customers
Please visit the Customer Forums pages at
https://forums.bluecoat.com/forumdisplay.php?133-Blue-Coat-Support-Videos
to view four new Knowledge Assets / Support Videos on ProxySG Policy.
Research, post and reply to topics relevant to you at your own convenience
Blue Coat Moderator Team ready to offer guidance, answer questions,
and help get you on the right track
Access at forums.bluecoat.com and register for an account today!
THANK YOU FOR JOINING TODAY!

Please provide feedback on this webcast and suggestions for future webcasts to:
supportnewsletter@bluecoat.com

Webcast replay and slide deck found here:
https://bto.bluecoat.com/training/customer-support-technical-webcasts
(requires BTO login)



Q&A

Questions?


