search cancel

What are the security, performance, and bypass rules for each Content Security Policy protection level?

book

Article ID: 174669

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

Starting in SGOS 7.x, you can enable a built-in Content Security Policy layer. Refer to the "Using Policy Services" chapter in the SGOS Administration Guide and the ProxySG Security Best Practices document.

Note that some Content Security Policy features require the specified subscriptions or settings:

  • URL category detection requires a Symantec WebFilter subscription or Intelligence Services Basic or Advanced subscription.
  • URL threat risk level detection requires an Intelligence Services Advanced subscription.
  • URL Web Application detection requires the CASB Audit AppFeed (with Intelligence Services).
  • Streaming protocol handoff must be enabled for detection of streaming clients.

Resolution

The following table summarizes the security, performance, and what gets bypassed with each protection level.

Security Level/Policy Condition Types Recommended Strong Maximum
Performance Level High Medium/High Low
Risk Tolerance High Medium Low
Safety Net (Always Scan) Security categories; Categories: None, File Storage, Email, Compromised Sites; all URLs with Risk Level >=5
Policy Condition Types for Bypassing
URL Category Radio/Audio Streams, Audio/Video Clips, TV/Video Streams None
URL Threat Risk Level Threat Risk Levels 1 - 2  
Web Application Name

Software/Security

Updates:

Microsoft, Apple, Symantec Updates

Low Risk/High Volume Apps

High Volume/Low Risk Content: YouTube, Vimeo, Facebook

Software/Security
Updates:

Microsoft, Apple, Symantec Update
True File-Type JPG, GIF, PNG, TIF, ICO None
Streaming Client Windows_media, real_media, quicktime, ms_smooth adobe_hds, apple_hls None
URL Domains Stock Tickers, AV Signature Update Domains