What are the security, performance, and bypass rules for each Content Security Policy protection level?
Article ID: 174669
Updated On:
Products
ProxySG Software - SGOS
Issue/Introduction
Starting in SGOS 7.x, you can enable a built-in Content Security Policy layer. Refer to the "Using Policy Services" chapter in the SGOS Administration Guide and the ProxySG Security Best Practices document.
Note that some Content Security Policy features require the specified subscriptions or settings:
- URL category detection requires a Symantec WebFilter subscription or Intelligence Services Basic or Advanced subscription.
- URL threat risk level detection requires an Intelligence Services Advanced subscription.
- URL Web Application detection requires the CASB Audit AppFeed (with Intelligence Services).
- Streaming protocol handoff must be enabled for detection of streaming clients.
Resolution
The following table summarizes the security, performance, and what gets bypassed with each protection level.
| Security Level/Policy Condition Types | Recommended | Strong | Maximum |
|---|---|---|---|
| Performance Level | High | Medium/High | Low |
| Risk Tolerance | High | Medium | Low |
| Safety Net (Always Scan) | Security categories; Categories: None, File Storage, Email, Compromised Sites; all URLs with Risk Level >=5 | ||
| Policy Condition Types for Bypassing | |||
| URL Category | Radio/Audio Streams, Audio/Video Clips, TV/Video Streams | None | |
| URL Threat Risk Level | Threat Risk Levels 1 - 2 | ||
| Web Application Name |
Software/Security Updates: Microsoft, Apple, Symantec UpdatesLow Risk/High Volume Apps High Volume/Low Risk Content: YouTube, Vimeo, Facebook |
Software/Security |
|
| True File-Type | JPG, GIF, PNG, TIF, ICO | None | |
| Streaming Client | Windows_media, real_media, quicktime, ms_smooth adobe_hds, apple_hls | None | |
| URL Domains | Stock Tickers, AV Signature Update Domains | ||
Feedback
Yes
No
Powered by
