ProxySG Content Policy Language Guide
Authentication and Denial
One of the most important timing relationships to be aware of is the relation between authentication and denial. Denial can be done either before or after authentication, and different organizations have different requirements. For example, suppose an organization requires the following:
•Protection from denial of service attacks by refusing traffic from any source other than the corporate subnet.
•The user name of corporate users is to be displayed in access logs, even when the user request has been denied.
The following example demonstrates how to choose the correct CPL properties. First, the following is a sample policy that is not quite correct:
define subnet corporate_subnet 10.10.12.0/24
end
<Proxy>
client.address=!corporate_subnet deny ; filter out strangers authenticate(MyRealm) ; this has lower precedence than deny
<Proxy>
;user names will NOT be displayed in the access log for the denied requests category=Gambling exception(content_filter_denied)
In this policy, requests coming from outside the corporate subnet are denied, while users inside the corporate subnet are asked to authenticate.
Content categories are determined from the request URL and can be determined before authentication. Deny has precedence over authentication, so this policy denies the user request before the user is challenged to authenticate. Therefore, the user name is not available for access logging. Note that the precedence relation between deny and authenticate does not depend on the order of the layers, so changing the layer order will not affect the outcome.
The CPL property force_authenticate(), however, has higher precedence than deny, so the following amended policy ensures that the user name is displayed in the access logs:
define subnet corporate_subnet 10.10.12.0/24
end
<Proxy>
client.address=!corporate_subnet deny ; filter out strangers force_authenticate(MyRealm) ; this has higher precedence than deny
<Proxy>
;user names will be displayed in the access log for the denied requests category=Gambling exception(content_filter_denied)
The timing for authentication over the SOCKS protocol is different. If you are using the SOCKS authentication mechanism, the challenge is issued when the connection is established, so user identities are available before the request is received, and the following policy would be correct.
define subnet corporate_subnet 10.10.12.0/24
end
28