ProxySG Content Policy Language Guide

Best Practices

Express separate decisions in separate layers.

As policy grows and becomes more complex, maintenance becomes a significant issue. Maintenance will be easier if the logic for each aspect of policy is separate and distinct.

Try to make policy decisions as independent as possible, and express each policy in one layer or two adjacent layers.

Be consistent with the model.

Set the default proxy policy according to your policy model and then use blacklist or whitelist approaches as appropriate.

The recommended approach is to begin with a default proxy policy of deny in configuration. Allow requests in early layers and deny requests in later layers. Ensure that all layers that allow requests precede any layers that deny requests. The following is a simple illustration of this model:

define subnet corporate_subnet
    10.10.12.0/24
end

;First, explicitly allow access to our users
<proxy>
    ALLOW client.address=corporate_subnet

;Next, impose any authentication requirements
<proxy>
    authenticate(corp_realm) ; all access must be authenticated

;And now begin to filter-out unwanted requests
<proxy>
    DENY url.domain=forbidden.com
    DENY category=(Gambling, Hacking, Chat)

;more layers…
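
The ordering rule above rests on how CPL combines layers: a later layer's matching rule overrides the decision reached in an earlier layer, and within one layer the first matching rule wins. The Python simulation below is an added example, not code from the guide or from ProxySG; it models the allow and deny layers of the sample (the authenticate layer is omitted since it does not change the decision), shows that reversing the recommended order re-allows traffic the deny layer was meant to block, and includes a small lint check for the "allow layers before deny layers" rule. The evaluator, the request dictionaries and the helper names are all constructed for illustration.

```python
import ipaddress

# Layer model assumed here (a constructed simulation of the guide's CPL semantics,
# not ProxySG code): the default decision stands until a rule matches; within a
# layer the first matching rule wins; a later layer's match overrides an earlier one.

CORPORATE_SUBNET = ipaddress.ip_network("10.10.12.0/24")  # the guide's define subnet

def in_corporate_subnet(req):
    return ipaddress.ip_address(req["client"]) in CORPORATE_SUBNET

def domain_is(domain):
    return lambda req: req["domain"] == domain

def category_in(*cats):
    return lambda req: req["category"] in cats

# One <proxy> layer = ordered list of (condition, action); the authenticate()
# layer is omitted because it does not change the allow/deny decision.
ALLOW_LAYER = [(in_corporate_subnet, "ALLOW")]
DENY_LAYER = [(domain_is("forbidden.com"), "DENY"),
              (category_in("Gambling", "Hacking", "Chat"), "DENY")]

def evaluate(layers, req, default="DENY"):
    """Return the final decision for one request under the layer model above."""
    decision = default
    for layer in layers:
        for cond, action in layer:
            if cond(req):
                decision = action  # later layer overrides the earlier decision
                break              # first matching rule in a layer wins
    return decision

def allow_layers_precede_deny(layers):
    """Lint check for the guide's rule: every ALLOW layer must come before every DENY layer."""
    seen_deny = False
    for layer in layers:
        actions = {action for _, action in layer}
        if "ALLOW" in actions and seen_deny:
            return False
        if "DENY" in actions:
            seen_deny = True
    return True

# Constructed request: a corporate client going to the forbidden domain.
CORP_TO_FORBIDDEN = {"client": "10.10.12.7", "domain": "forbidden.com", "category": "News"}

if __name__ == "__main__":
    good = [ALLOW_LAYER, DENY_LAYER]   # recommended ordering
    bad = [DENY_LAYER, ALLOW_LAYER]    # allow layer placed after the deny layer
    print(evaluate(good, CORP_TO_FORBIDDEN), allow_layers_precede_deny(good))  # DENY True
    print(evaluate(bad, CORP_TO_FORBIDDEN), allow_layers_precede_deny(bad))    # ALLOW False
```

With the layers reversed, the corporate-subnet ALLOW fires last and silently undoes the DENY for forbidden.com, which is exactly the failure the ordering rule prevents.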

Expose only what is necessary.

Often, it may be useful to keep the rule logic and the condition definitions separate so that the rules can be maintained by one group, but the definitions by another. The rules may contain exception details or other logic that should not be modified; however, the conditions, such as affected groups or content, may change frequently. With careful separation of the rules and the conditions, the rules can be expressed in the local policy file, and users unfamiliar with CPL can update the condition definitions through the VPM.

When using this technique, installation order is important. Condition definitions must be available before policy referencing those conditions will compile, so the conditions you want to expose for general use must be defined in the VPM before they are referenced in the Local policy file.

Blue Coat Systems Proxy SG manual Best Practices