Blue Coat Systems Proxy SG Authentication and Denial

ProxySG Content Policy Language Guide

Authentication and Denial

One of the most important timing relationships to be aware of is the relation between authentication

and denial. Denial can be done either before or after authentication, and different organizations have

different requirements. For example, suppose an organization requires the following:

•Protection from denial of service attacks by refusing traffic from any source other than the

corporate subnet.

•The user name of corporate users is to be displayed in access logs, even when the user request has

been denied.

The following example demonstrates how to choose the correct CPL properties. First, the following is

a sample policy that is not quite correct:

define subnet corporate_subnet

10.10.12.0/24

end

<Proxy>

client.address=!corporate_subnet deny ; filter out strangers

authenticate(MyRealm) ; this has lower precedence than deny

<Proxy>

; user names will NOT be displayed in the access log for the denied requests

category=Gambling exception(content_filter_denied)

In this policy, requests coming from outside the corporate subnet are denied, while users inside the

corporate subnet are asked to authenticate.

Content categories are determined from the request URL and can be determined before

authentication. Deny has precedence over authentication, so this policy denies the user request before

the user is challenged to authenticate. Therefore, the user name is not available for access logging.

Note that the precedence relation between deny and authenticate does not depend on the order of the

layers, so changing the layer order will not affect the outcome.

The CPL property force_authenticate(), however, has higher precedence than deny, so the

following amended policy ensures that the user name is displayed in the access logs:

define subnet corporate_subnet

10.10.12.0/24

end

<Proxy>

client.address=!corporate_subnet deny ; filter out strangers

force_authenticate(MyRealm) ; this has higher precedence than deny

<Proxy>

; user names will be displayed in the access log for the denied requests

category=Gambling exception(content_filter_denied)

The timing for authentication over the SOCKS protocol is different. If you are using the SOCKS

authentication mechanism, the challenge is issued when the connection is established, so user

identities are available before the request is received, and the following policy would be correct.

define subnet corporate_subnet

10.10.12.0/24

end