Overview and Essentials

Create and manage rulesets to control the web content access of Local and Remote Devices.

Important Notes:

Changing default Category Allow/Block settings

The DrawBridge comes with a preset Action for each included Category. When you assign an Action (Allow/Block) to a Category, you're simply applying a change that gets higher priority than the default setting. This means:

1. You don't need to re-specify your Action preference for every built-in Category -- you only need to include the Categories in your Access Policy that you wish to assign a different action to than is default.

   For example: built-in Category Sports is set to a default action of Block.

   • If Block is the action you prefer, you do not need to add it to an Access Policy (eg. Company Preferences) with an action of Block -- the default setting is already doing this.
   • If Allow is the action you prefer, then you do need to add it to an Access Policy (eg. Company Preferences) with an action of Allow to override the default action.

2. In the event a custom Access Policy is removed, the filter will revert to the default Action for that Category.

Default Category settings are Business-focused

The default settings for the Built-in Categories are tightly scoped to business-usage needs. Depending on your usage expectations, you will want to set more categories to Allow in your Company Preferences Access Policy, or in a custom Access Policy.

Categories, Category Types, and Actions

Categories contain Patterns:

Pattern: a text string representing a domain or regular expression.

Categories can be one of two types:

• Classifier category
• ACL (Access Control List) category

Actions that can be assigned to a category, by type:

• Classifier category:
  • Allow
  • Block
  • Ignore
• ACL category:
  • Whitelist (allow in spite of Classifier score, above)
  • Blacklist (block in spite of Classifier score, above)
  • Blanketblock (block all requests Not matching these patterns)

Understanding Classifier categories

Classifier category patterns consist primarily of word and phrase lists (and also domains). The Redwood filter engine evaluates HTTP/S requests and responses and totals up a score for all categories with matching patterns. Then Redwood applies the action (Allow/Block) assigned to the top-scoring category.

Built-in Category patterns are managed by Compass Foundation. If you have improvements you wish to have considered for inclusion in the Built-in Categories, please send a detailed email to support@compassfoundation.io.

Understanding ACL actions & categories

Background

The Redwood filter engine analyzes all the components of a URL, including:

• Schema
• Top-level Domain (TLD), Domain, and Subdomains
• Path
• Query String

Also, Redwood analyzes additional parameters of the HTTP request:

• Method
• Content Type
• User Agent
• Referrer
• and more

Illustrated:

In general, an ACL leverages one or more of these parameters to "tag" a specific action to a request, despite the Category score assigned to the request by the Classifier.

(In other words, this prevents an "arms-race" situation wherein competing actions are assigned by various Classifier categories; an ACL action will always take effect when the parameters match, no matter what the Classifier score and associated Category Action is.)

Note: for an ACL action to fire, the request must meet the minimum threshold score of 200 points. At that point, the action assigned by the ACL to the request is "authoritative", again, no matter the Classifier score.

Redwood Actions

• allow (permit the request)
• block (deny the request)
• ignore (do not factor in the score assigned by this category)
• censor_words (strip out profanity)
• disable_proxy_headers (strip out the X-FORWARDED-FOR header)
• hash_image (generate a mathmatical hash of this picture)
• phrase_scan (evaluate content for matching word phrases)
• require_auth (force HTTP 407 proxy authentication)authentication response/challenge)
• sslbump (intercept the SSL/TLS encrypted session)
• sslbypass (do Not intercept the SSL/TLS encrypted session)
• virus_scan (hand off fileresponse to external analysis engine)

For example, ACLs managed behind-the-scenes of the DrawBridge instruct Redwood to fire the SSL/TLS-inspection action on all requests (or not, in the case of SSLbypass/"Bypass Filter").

ACL Categories in the Console

Categories of the the type ACL enable you to leverage the "authoritative" nature of ACLs in your filter configuration.

In general, it is recommended to configure the desired policy by assigning Allow or Block to the built-in Classifier categories as this is a much less maintenance-intesive route to content control.

However, perhaps you want to Always assign a specific action (eg. Block) to a specific website. ACL categories are your friend in such a case: by adding a domain to an ACL category with a Block action assigned, the website will always block, even if the action assigned to the Classifier category is Allow.

The preset Always Allow and Always Block options in the Access Policy Dashboard are putting the domains in an ACL category that has the corresponding action assigned to it. These apply Company-wide.

Note: the default score assigned to all ACL category patterns is "1500". Adjusting this number will have no impact on the outcome of the action taken for that pattern, so long as the number is over the minimum score threshold of 200 -- the key detail here is that the pattern is part of an ACL category, so the action assigned to the ACL category is what will happen.

Advanced ACLs in the Console

Advanced ACLs simply expose many more "knobs" to apply a specific action with more granularity. Perhaps, for example, you want to only sslbypass a specific website for a specific Device Group. Advanced ACLs give you the toolset to configure that.

FAQ

• Q: What happens if I put a domain in both Always Allow and Always Block? Or what if I put a domain in two different ACL categories with competing actions assigned?

• A: Don't do that. :) In such a case, the outcome will be arbitrary. Decide what action you really want to have happen and adjust the policy accordingly.

---

What is an Access Policy?

An Access policy is the grouping of Devices, Actions, Times, (and, optionally, Applications) to create a customized DrawBridge content filter configuration.

This diagram illustrates:

The Drawbridge supports the "stacking" or "layering" of Access Policies, enabling you to tailor the content filter experience for your users.

Access Policies by Type/Scope

• Company Access Policies: ruleset scope: one Company
• Access Policy Groups: ruleset scope: one Accountability Policy; available to apply to member Companies
• Universal Access Policy Groups: ruleset scope: globally available to all DrawBridges
• System Access Policies: rulesets scoped a specific DrawBridge; applies to all tenant Companies on that system

Company Access Policies

All access policies that are available or are associated with a particular Company. If you’re signed in as an administrator you will see all policies associated with all the companies on that DrawBridge.

Click the drop-down option to display the Action Group and Device Group associated with a particular excess policy line.

Actions for regular categories

• Allow
• Block
• Ignore

Actions for ACL categories

Whitelist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Allow, in spite of the content scores. Use with caution!

Filter processing flowchart:

Blacklist

A Category consisting of domains (and/or regular expression patterns) that the DrawBridge will Always Bllow, in spite of the content scores.

Filter processing flowchart:

Blanketblock

A Category consisting of domains (and/or regular expression patterns) to which the DrawBridge will apply regular category-based filtering and block access to all other sites not specified in the blanketblock category (or a linked category)

Filter processing flowchart:

Normal Category Filtering (for comparison)