Understanding SonicWALL Content Security Manager
Filtering Architecture

The following explains the structural hierarchy of the SonicWALL Content Security Manager filtering architecture. The Policies level includes the Default Categories (SonicWALL Content Filtering Service categories), the Custom Categories (user defined), and Privacy Threats. These categories are all managed at the policy level. These default and user defined policies can be applied to users or groups or assembled into a Policy Group for application of multiple policies to users or groups.

Default Categories

There are 57 default categories included with the SonicWALL Content Filtering Service. Many of these default categories are distributed among the 12 default policy groups, which you can modify.

Note! Refer to Appendix A: Default Policy Groups and Categories of the SonicWALL Content Security Manager Administrator's Guide for a complete description of each default category.

The default categories include: Violence/Hate/Racism, Intimate Apparel/Swimsuit, Nudism, Pornography, Weapons, Adult/Mature Content, Cult/Occult, Drugs/Illegal Drugs, Illegal Skills/Questionable Skills, Sex Education, Gambling, Alcohol/Tobacco, Chat/Instant Messaging (IM), Arts/Entertainment, Business and Economy, Abortion/Advocacy Groups, Education, Cultural Institutions, Online Banking, Online Brokerage and Trading, Games, Government, Military, Political/Advocacy Groups, Health, Information Technology/Computers, Hacking/Proxy Avoidance Systems, Search Engines and Portals, E-Mail, Web Communications, Job Search, News and Media, Personals and Dating, Usenet News Groups, Reference, Religion, Shopping, Internet Auctions, Real Estate, Society and Lifestyle, Gay and Lesbian Issues, Restaurants and Dining, Sports/Recreation, Travel, Vehicles, Humor/Jokes, MP3/Streaming, Freeware/Software Downloads, Pay to Surf Sites, Kid Friendly, Advertisement, Web Hosting, Other, and Not Rated.

The Not Rated category blocks any site that does not fall into the default categories or cannot be rated by the SonicWALL Content Security Manager Dynamic Rating database.

Custom Categories

Custom Categories are special purpose filter definitions. You can create up to 128 Custom Categories, which support the following filtering options.

Custom Categories allow you to create trusted and untrusted domain and URL policies as well as untrusted keyword policies. Trusted URLs and Untrusted URLs let you specify domains, subdomains, URLs, and subdirectories to allow or block. The following table shows how the Content Security Manager handles domains and subdomains, URLs, and subdirectories in Custom Categories:

Domain, Subdomain, URL, and Subdirectories   Action
-------------------------------------------  ------------------------------------------------------------------------------
abc.com                                      The domain, any subdomains, and any subdirectories are allowed or blocked. For example, the subdomains www.abc.com and sports.abc.com will be allowed or blocked.
finance.yahoo.com                            Only this specific subdomain is allowed or blocked.
abc.com/sports                               All subdirectories of the domain (not subdomains) are allowed or blocked.
.gov, .com, .edu, .uk                        Blocks or allows top-level domains.

Custom Category Filtering Formula

The methodology used by the SonicWALL Content Security Manager for Custom Category filtering can be described in the following formulas:

abc.com = *.abc.com/*

abc.com/specificdirectory = abc.com/specificdirectory/*

The asterisks * represent wildcards.

Rules Used When Different Actions Are Applied

Suppose a user belongs to two groups and inherits two policies from those groups. After the SonicWALL Content Security Manager applies the "Most Permissive" algorithm and calculates a final policy for the user, the domain "abc.com" should be blocked, but "sports.abc.com" should be logged. What action should be applied to "sports.abc.com"? According to the rules in the table below, "sports.abc.com" will be blocked.

Action for Domain   Action for Subdomain/Subdirectory   Final Action
-----------------   ---------------------------------   ------------
Allow               Allow                               Allow
Allow               Log                                 Allow
Allow               Block                               Allow
Allow               NA                                  Allow
Log                 Allow                               Allow
Log                 Log                                 Log
Log                 Block                               Log
Log                 NA                                  Log
Block               Allow                               Allow
Block               Log                                 Block
Block               Block                               Block
Block               NA                                  Block
NA                  Allow                               Allow
NA                  Log                                 Log
NA                  Block                               Block
NA                  NA                                  Allow
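The two tables above (entry matching in Custom Categories and final-action resolution when a domain rule and a subdomain/subdirectory rule disagree) can be checked with a small model. The following Python is an added illustration, not SonicWALL code; the rule entries and URLs are constructed sample data, and deciding whether an entry is a "domain" or a "subdomain" by counting labels is a simplification of this model (it misclassifies names such as example.co.uk). It also compresses the sixteen-row table into a single rule and verifies the rule against every row.

```python
"""Custom Category URL matching and domain/subdomain action resolution.

Added illustration, not SonicWALL code.  Implements the matching table
(abc.com = *.abc.com/*, abc.com/dir = abc.com/dir/*, finance.yahoo.com matches
only that host, .gov matches a top-level domain) and the final-action table.
Entries and URLs are constructed sample data.
"""
from urllib.parse import urlsplit

ALLOW, LOG, BLOCK, NA = "Allow", "Log", "Block", "NA"


def split_url(url):
    """Return (host, path) for a URL; the scheme is optional."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path or "/")


def is_domain_entry(entry):
    """Domain-level entries: 'abc.com' or a top-level domain such as '.gov'.
    Anything with a path or more labels is a subdomain/subdirectory entry.
    Treating a TLD entry as domain-level is an assumption of this model."""
    entry = entry.lower().rstrip("/")
    return "/" not in entry and (entry.startswith(".") or entry.count(".") <= 1)


def entry_matches(entry, url):
    """Does a Custom Category entry cover this URL, per the matching table?"""
    host, path = split_url(url)
    entry = entry.lower().rstrip("/")
    if entry.startswith("."):                        # .gov: any host under the TLD
        return host.endswith(entry)
    if "/" in entry:                                 # abc.com/sports = abc.com/sports/*
        ehost, _, edir = entry.partition("/")
        return host == ehost and (path == "/" + edir or path.startswith("/" + edir + "/"))
    if entry.count(".") >= 2:                        # finance.yahoo.com: this host only
        return host == entry
    return host == entry or host.endswith("." + entry)  # abc.com = *.abc.com/*


# The "Rules Used When Different Actions Are Applied" table, row by row.
FINAL_ACTION_TABLE = {
    (ALLOW, ALLOW): ALLOW, (ALLOW, LOG): ALLOW, (ALLOW, BLOCK): ALLOW, (ALLOW, NA): ALLOW,
    (LOG, ALLOW): ALLOW,   (LOG, LOG): LOG,     (LOG, BLOCK): LOG,     (LOG, NA): LOG,
    (BLOCK, ALLOW): ALLOW, (BLOCK, LOG): BLOCK, (BLOCK, BLOCK): BLOCK, (BLOCK, NA): BLOCK,
    (NA, ALLOW): ALLOW,    (NA, LOG): LOG,      (NA, BLOCK): BLOCK,    (NA, NA): ALLOW,
}


def resolve(domain_action, sub_action):
    """The table compressed into a rule: an Allow at either level wins;
    otherwise the domain-level action takes precedence over the
    subdomain/subdirectory action; with nothing set, the request is allowed."""
    if ALLOW in (domain_action, sub_action):
        return ALLOW
    if domain_action != NA:
        return domain_action
    if sub_action != NA:
        return sub_action
    return ALLOW


def rule_matches_table():
    """Check that resolve() reproduces every row of the table."""
    return all(resolve(d, s) == expected for (d, s), expected in FINAL_ACTION_TABLE.items())


def final_action(url, rules):
    """Apply a mapping of Custom Category entries to actions to one URL.
    Assumes at most one domain-level and one subdomain-level entry match."""
    domain_action, sub_action = NA, NA
    for entry, action in rules.items():
        if not entry_matches(entry, url):
            continue
        if is_domain_entry(entry):
            domain_action = action
        else:
            sub_action = action
    return resolve(domain_action, sub_action)


if __name__ == "__main__":
    # Worked example from the text: abc.com blocked, sports.abc.com logged.
    rules = {"abc.com": BLOCK, "sports.abc.com": LOG}
    print(final_action("http://sports.abc.com/scores", rules))   # Block
    print(rule_matches_table())                                   # True
```

Note the one row that is easy to get wrong by hand: a Log at the domain level combined with a Block at the subdomain level yields Log, not Block, because the domain-level action wins whenever neither level says Allow; the rule above encodes that rather than "most restrictive wins".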

Privacy Threats

Privacy threats include the blocking of Web threats (Cookies, ActiveX, HTTP Proxy Servers and Fraudulent Certificates), Untrusted File Types, as well as a Privacy Threat Exclusion List.

Block Web Threats

Block Web Threats comprises the settings Block Cookies, Block ActiveX, Block HTTP Proxy Server, and Block Fraudulent Certificates. These settings are always activated as Block and cannot be deleted or modified.

Untrusted File Types

These are groupings of file extensions used for similar purposes. SonicWALL Content Security Manager allows you to filter Internet content based on file extension. For example, you can restrict access to particular types of files from sites that are otherwise permitted. File type filtering is activated via policies. SonicWALL provides several predefined file types for use in filtering. You can modify these, or create new file types to suit your needs.

Untrusted File Types comprises Java Applets, Executable Files, Video Files, Audio Files, and user-specified file types by extension. You have two available actions for Untrusted File Type categories in policies: Block and Log Only, which you specify in the Web Filters > Policies page. Log Only allows users to access the file types in the Untrusted File Types category but logs each access event in the Content Security Manager log.

Privacy Threat Exclusion List

The Privacy Threat Exclusion List is a list of domains that are excluded from Privacy Threats filtering. Domains specified in the Privacy Threat Exclusion List have no effect on any other class. Only a single Privacy Threat Exclusion List can be specified, but it can be shared among multiple policies.

Trusted Domains are Web sites you trust, which are sites that you believe users can access without damaging your network or data. Cookies, ActiveX, Java, and all other file types specified in the Untrusted File Types categories are not blocked for these sites.

You have one available action for the Privacy Threat Exclusion List in policies: Trusted, which is specified in the Web Filters > Policies page.

Policies

The SonicWALL Content Security Manager is built around policy-based filtering. Filtering categories are grouped into containers called Policies. The filtering categories include the default content filtering categories, custom filter categories, and privacy threats filtering. These policies then become the building blocks of Policy Groups. These policy groups are then assigned directly to users and user groups for enforcement. Defining a policy involves specifying a set of default categories, custom categories, and privacy threats into a single entity. You can create any mix within a policy from the available categories.

Policy Actions

For each category element, you specify a policy action or the category may allow only a default action. The following actions can be applied to category elements:

Policy Groups

Policy groups are the highest level container, and they typically comprise multiple policies. For example, the default policy group *Default contains the policies *Adult Content, *Drugs/Alcohol/Tobacco, and *Racism/Hate/Violence/Weapons, which you can modify to add or remove policies.

There are 12 default policy groups that include: *Block Nothing, *Adult Content, *Drugs/Alcohol/Tobacco, *Racism/Hate/Violence/Weapons, *Entertainment/Lifestyles, *Information Technology, *Productivity Group, *Bandwidth Group, *Sports/Games/Gambling, *Education, *Shopping, and *Miscellaneous.

The *Block Nothing policy group is an allow-all policy that does not include any default content filtering categories.

All of the 12 policy groups included with the SonicWALL Content Security Manager’s Content Filtering Service have an asterisk * before the name to distinguish them from the custom policy groups you create.

User-defined group policies are also allowed, and they can comprise any combination of the Default, Custom Category, and Privacy Threat classes listed above.

*Default Policy Group

The *Default policy group is a predefined policy group that provides the baseline filtering for all network users. When you set up the SonicWALL Content Security Manager on your network, this policy group is automatically applied to all users on the network unless you apply a specific filtering policy, regardless of the user authentication method used on your network: Local Users and Local Groups on the Content Security Manager, RADIUS, or Active Directory.

The *Default policy group is initially configured to block the most common objectionable content categories. It contains the default policies *Adult Content, *Drugs/Alcohol/Tobacco, and *Racism/Hate/Violence/Weapons.

Depending on your organization’s content filtering needs, you can modify the *Default policy group to include any of the 12 default policies included with the SonicWALL Content Security Manager, and any custom content filtering policies you create.

SonicWALL Content Security Manager Policy Application

The SonicWALL Content Security Manager can apply one policy or policy group to a user or a user group, but it is likely that a user is a member of more than one user group. Because users can be members of multiple user groups with different filtering policies applied, it is critical to understand how SonicWALL Content Security Manager policies are applied when there is more than one policy that applies to a user or group.

There are four key concepts involved with SonicWALL Content Security Manager policy application:

Trusted and Untrusted Categories

The SonicWALL Content Security Manager includes two key filtering elements that are incorporated into filtering policies that define the behavior of multiple policy application:

Most Permissive (Least Restrictive) Policy Behavior

The SonicWALL Content Security Manager uses a “most permissive” or “least restrictive” algorithm when multiple policies are applied to a user or user group. This method of policy application means that when policies are combined, the most permissive grouping of trusted (allowed) or untrusted (blocked) policies from the multiple policies is applied.

Policy Union or Intersection

Multiple policy application based on the SonicWALL Content Security Manager’s “most permissive” algorithm is broken down into two methods depending on the elements of the policy: intersection or union. The intersection of policies A and B means that only the untrusted (blocked) categories common to all the policies are applied in the combination; any category that is not blocked in every policy is allowed. The union of policies A and B means that all trusted (allowed) entries from every policy are applied in the combination.

To allow for the definition of more restrictive sets, it is possible to add the *Default policy group to every custom-policy such that the elements of the *Default policy group will always appear in the intersection of multiple policies (and will always be applied). The *Default policy group is editable, and by default contains the *Adult Content, *Drugs/Alcohol/Tobacco, and *Racism/Hate/Violence/Weapons policies.

Policy Inheritance

If a user does not have an assigned policy, then the user inherits the policies from each group of which the user is a member. If one of the groups does not have an assigned policy, then the user inherits the policies from the super groups of which this group is a direct member (from the closest super group with an assigned policy). Recursion stops at the first group with an assigned policy.

If a student does not have an assigned policy, but the student does belong to the High School group, then the High School policy is applied to that student. Now suppose the High School group is not allowed to view pages in the Nude category, and another student belongs to the High School group but also to the Photography group, which is allowed to view Nude category pages. The photography student has access to the Nude category even though that student is a member of the High School group.

If another student is on the swim team and on the photography group and the school allows swim team members to view Swim Suit rated pages, this student can view Swim Suit and Nude pages because the student is also a member of the photography group.

If a user does not have a policy and does not inherit any policy from any of the groups then the *Default policy group applies to the user.

To ensure proper content filtering, the *Default policy group should be configured to be the most restrictive policy, then each custom policy should be configured to grant privileges that are otherwise restricted by the *Default policy group.

For example, suppose the *Default policy group has all categories filtered (checked) except category 53. Kid Friendly. The effect is that all network users can only access sites rated as Kid Friendly. If you create a Sales Group policy that filters only 4. Pornography, members of the Sales Group can access all sites except Pornography, including Kid Friendly.

Active Directory Policy Inheritance

If a user doesn’t have an assigned policy, the user inherits the policies from each group of which the user is a member. If one of the groups does not have an assigned policy, then the user inherits the policies from the super groups of which this group is a direct member (from the closest super group with an assigned policy). Recursion stops at the first group with an assigned policy. If a user does not have a policy and does not inherit any policy from any of the groups, the *Default policy group applies.

Example of Active Directory policy inheritance:

  1. Active Directory has the groups Sales and Marketing.
  2. A Sales policy is created that blocks Gambling. It is applied to the Sales Active Directory group.
  3. A Marketing policy is created, blocking Religion. It is applied to the Marketing Active Directory group.
  4. The *Default policy group blocks *Adult Content, *Drugs/Alcohol/Tobacco, and *Racism/Hate/Violence/Weapons. It is added to the Sales and Marketing policies at their creation.
  5. User A is a member of the Sales and Marketing Active Directory groups and receives the most permissive (intersection) of the Sales policy and Marketing policy.

    Gambling (from Sales policy) and Religion (from Marketing policy) do not intersect, so they would not appear in the final set and effectively negate each other.

    *Adult Content, *Drugs/Alcohol/Tobacco, and *Racism/Hate/Violence/Weapons (*Default policy group) appear in the intersecting final set, so they are blocked.
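The intersection/union rule, the group inheritance rule (recursion to the closest super group with an assigned policy, falling back to *Default), and the three worked examples in the text (the High School/Photography/Swim Team students, the Kid Friendly *Default with a Sales policy, and the Active Directory Sales/Marketing user) can all be exercised by one model. The following Python is an added illustration, not SonicWALL code; the group hierarchy, policy contents and category names are constructed for the example, and *Default is represented by a single blocked category rather than the three real default policies.

```python
"""Model of "most permissive" policy combination and policy inheritance.

Added illustration, not SonicWALL code.  A policy is a set of blocked
(untrusted) categories plus a set of trusted domains.  Combining the policies a
user receives takes the intersection of the blocked sets and the union of the
trusted sets.  Groups, policies and categories below are constructed data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    blocked: frozenset                 # untrusted categories (blocked)
    trusted: frozenset = frozenset()   # trusted domains (always allowed)


@dataclass
class Group:
    name: str
    policy: Optional[Policy] = None
    parents: list = field(default_factory=list)   # super groups


def combine(policies):
    """Most-permissive combination: a category stays blocked only if every
    policy blocks it (intersection); a domain is trusted if any policy trusts
    it (union)."""
    policies = list(policies)
    blocked = frozenset.intersection(*(p.blocked for p in policies))
    trusted = frozenset().union(*(p.trusted for p in policies))
    return Policy("+".join(p.name for p in policies), blocked, trusted)


def group_policies(group):
    """Policies a group contributes: its own if assigned, otherwise those of
    the closest super groups that have one.  Recursion stops at the first
    group with an assigned policy."""
    if group.policy is not None:
        return [group.policy]
    return [p for parent in group.parents for p in group_policies(parent)]


def effective_policy(user_policy, groups, default):
    """Policy enforced for a user: an explicitly assigned policy wins; else
    the most-permissive combination of what the user's groups contribute;
    else the *Default policy group."""
    if user_policy is not None:
        return user_policy
    inherited = [p for g in groups for p in group_policies(g)]
    if not inherited:
        return default
    return combine(inherited)


# --- constructed sample data -------------------------------------------
CATEGORIES = frozenset({"Pornography", "Gambling", "Religion", "Nudism",
                        "Intimate Apparel/Swimsuit", "Sports/Recreation",
                        "Kid Friendly"})
# *Default stands in for the default objectionable-content policies.
DEFAULT = Policy("*Default", frozenset({"Pornography"}))

# Active Directory example: *Default is added to each custom policy.
SALES = Policy("Sales", DEFAULT.blocked | {"Gambling"})
MARKETING = Policy("Marketing", DEFAULT.blocked | {"Religion"})
sales_group = Group("Sales", SALES)
marketing_group = Group("Marketing", MARKETING)

# School example: Freshmen has no policy and inherits from High School.
HIGH_SCHOOL = Policy("HighSchool", frozenset({"Nudism", "Intimate Apparel/Swimsuit"}))
PHOTOGRAPHY = Policy("Photography", frozenset({"Intimate Apparel/Swimsuit"}))  # may view Nudism
SWIM_TEAM = Policy("SwimTeam", frozenset({"Nudism"}))                         # may view swimsuits
high_school = Group("High School", HIGH_SCHOOL)
freshmen = Group("Freshmen", parents=[high_school])
photography = Group("Photography", PHOTOGRAPHY)
swim_team = Group("Swim Team", SWIM_TEAM)

# Kid Friendly example: *Default filters everything except Kid Friendly.
STRICT_DEFAULT = Policy("*Default (strict)", CATEGORIES - {"Kid Friendly"})
SALES_ONLY_PORN = Policy("Sales", frozenset({"Pornography"}))


def demo():
    """Blocked categories for each scenario described in the text."""
    return {
        "user_a": set(effective_policy(None, [sales_group, marketing_group], DEFAULT).blocked),
        "photo_student": set(effective_policy(None, [freshmen, photography], DEFAULT).blocked),
        "swimmer": set(effective_policy(None, [swim_team, photography], DEFAULT).blocked),
        "nobody": set(effective_policy(None, [], STRICT_DEFAULT).blocked),
        "sales_user": set(effective_policy(None, [Group("Sales", SALES_ONLY_PORN)],
                                           STRICT_DEFAULT).blocked),
    }


if __name__ == "__main__":
    for who, blocked in demo().items():
        print(f"{who}: blocked={sorted(blocked)}")
```

The model makes the two operational points of this section concrete: because combination is an intersection, Gambling and Religion cancel out for User A and only the categories that *Default contributed to both policies remain blocked; and because inheritance stops at the first group with a policy, a Freshmen member picks up the High School policy unchanged, so a user who is also in Photography still ends up with only the categories that both High School and Photography block.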

Content Security Manager Policy Inheritance

The *Default policy group applies to all not-authorized users (users that are not logged into Content Security Manager). A user (an authorized user who has logged into SonicWALL Content Security Manager) inherits the policy from group Everyone if the user is not a member of any other group.

Note! If you are using the SonicWALL Content Security Manager for user authentication, filtering policies are applied only to groups.

If a user group does not have an assigned policy, then the user inherits policies from the groups of which he is a member. If one of the groups does not have an assigned policy, the user inherits policies from the super groups of which this group is a direct member (from the closest super group with an assigned policy).
