Content security policy

The content security policy comprises a number of combined components that determine the content that is allowed to flow between web sites and your organization. You create your policy by adding Content Rules and other Policy References to ICAP Policy Routes. An ICAP policy route defines traffic between two points. The first point identifies entities within your organization by using Machine Lists and User Name Lists. The second point identifies groups of web sites known in the Gateway as Internet Zones.

When data flows through the Gateway, it is checked against content rules that have been configured for the route the traffic is taking. Depending on those rules, a number of actions can be performed. Included in these actions is the detection and removal of sensitive, dangerous or inappropriate content, hidden macros, scripts and document properties from communication flow by using Adaptive Redaction and Sanitization.

You define your content policy from the Policy Center Home Page.

Show me the user interface

Tell me about...

• Content rules

  Content rules are the processing rules of your content security policy. Each content rule states that if a communication meets a specified set of conditions, the Policy Engine will perform a specified set of actions.

  When you configure content rules in your Gateway, you set What to look for? clauses and What to do? actions for each rule. For example, you could have a What to look for? clause that checks for viruses in a particular file type and then a What to do? action that blocks the communication.

• Policy references

  Policy references are items that can be referenced when you define your security policy. For example, you can add the Informs reference to your policy route to send notifications when specific content rule conditions are met.

  For a list of policy references and what action they perform, see the About Policy Reference topic.

• Machine and User Names lists

  A Machine List is a listing of the machine addresses for one or more users to whom you want to apply a common policy. Similarly, User Names lists is a grouping of user names of one or more users to whom you want to apply a common policy. These groupings typically represent users who share a common link within your organization, for example:

  • Functional groupings, for example, a Sales department or regional office
  • Role-oriented groupings, for example, managers
  • Relational groupings, for example, company partners

  By defining and using machine lists, you can choose not to authenticate individual users. Any machine whose IP address is contained in a machine list will have access to the Gateway, regardless of the user.

• Internet Zones

  Internet Zones is a Gateway feature that allows you to identify and categorize web sites by the content that they offer. This has the benefit of grouping a range of sites that share a common theme according to a potential threat or benefit that they represent to your organization.

  To help with categorization, your Gateway has a URL Filter Database that comprises a number of categories that reference millions of web pages. You can access this database when creating Internet Zones. For example, you could create an Internet Zone called 'Potential Risks' and add categories from the database that your organization considers a breach of policy.

  You can also create an Internet Zone comprising sites that do not require policy enforcement. For example, you could create an Internet Zone called 'Trusted Sites' and add your organization's own web site, or servers that are used to update machines with security updates and patches.

  The use of Internet Zones is an efficient way of making use of the computing resources on your Gateway because it allows you to specify entire sections of the web as unacceptable to your organization. In this way, a user will be blocked from visiting such sites and the Gateway will not have to check for other threats on the site such as viruses and spyware.

• Web policy routes and how they relate to Machine and User Name lists, and Internet Zones

  A Web policy route defines two endpoints, one being associated within your organization, for example, a list of users or machines, and one or more Internet Zones, for example, web sites that are associated with gambling.

  Your Gateway starter policy contains has a number of default Web Policy routes from Everyone to various Internet Zones.

  You apply a default action to all traffic that takes a given route and then apply any content rules.

• Global Web Policy

  The Global Web Policy contains a number of options that add to your security policy including safe Search, file upload and download size restrictions. The Global Web Policy is applied against all traffic that passes through your Gateway and is independent of specific policy routes and rules. For more information, see the About Global Web Policy topic.

• Adaptive redaction and sanitization

  With Adaptive Redaction you can detect and manage sensitive data from information that flows through your Gateway. For example, a credit card number identified in a communication can be obscured before it is viewed by the recipient. Adaptive redaction can apply to documents, attachments and media types. For more information on using this feature, see Adaptive redaction.

  You use Sanitization to detect and remove active content, embedded content, URLs or hyperlinks, scripts or macros and document properties from communications. Sanitization purges potential harmful content from documents, attachments and media types. For more information on using this feature, see Sanitization.

See also...

• How Policy is Applied to Routes