12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


Controlling service access

Packet flow

One important aspect of a filter is the direction of the packet flow between the source and destination. For example, an output filter allowing FTP packets between source A and destination B (A -> B) means destination B can only respond to FTP packets sent from source A. Destination B cannot send a new FTP packet to source A.

The security gateway checks that the TCP ACK bit is set, indicating it is a response, for any packet it receives from destination B addressed to source A. If the TCP ACK bit is not set, the packet is dropped. To grant permission to both A and B to initiate FTP sessions, create an output filter that allows (A -> B) for FTP and an input filter that allows (B -> A) for FTP.

Content filtering

Content filtering lets an administrator prevent access to objectionable material, or allow access to specific sites. The security gateway can allow or deny access to content through the following types of content filtering:

■ Rating profiles
■ URL list
■ URL pattern matching
■ MIME types
■ File extensions
■ Newsgroup profiles

Rating profiles

Many organizations want to enforce acceptable use policies at the security gateway. These policies restrict users from browsing Web sites that do not fit within acceptable use criteria. For example, allowing access to pornography or other objectionable material may be undesirable. To help address this issue, the HTTP proxy allows for content scanning with restrictions to certain types of sites. If a Web request is to a questionable site, and the appropriate rating has been applied, the request is denied.

Rating categories

Each Web site in the URL database is listed in one or more categories. Rating profiles are then constructed using these categories, not individual Web sites. A rating profile only looks at the category level, and denies access to all Web sites that fall into that category. You can add more than one category to a profile if you require restriction to multiple types of sites. For service groups with an applied rating profile, the HTTP proxy searches through all URL entries in the categories defined by the rating profile. If a match occurs, the request is denied.

The URL database is categorized into 13 groups, with Web sites assigned to one or more groups. These 13 categories include the following:

■ Gambling
■ Drugs/Non-medical
■ Racism/Ethnic Impropriety
■ Sex/Nudity
■ Gross Depictions
■ Sex/Acts
■ Alcohol-Tobacco
■ Violence/Profanity
■ Militant/Extremist
■ Sex/Attire
■ E/Sports
■ Occult/New Age
■ SexEd

For instructions on configuring and applying a ratings profile, consult your product's administrator guide.
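The direction rule described under Packet flow above, as an added example (not code from the Symantec guide): a small Python model that evaluates the same constructed FTP traffic first with only the A -> B filter and then with the B -> A filter added. The host names A and B, the Filter and Packet classes and the verdict function are hypothetical; the model checks only the ACK bit, as the text describes, and does not track connection state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Filter:
    initiator: str   # host allowed to start sessions
    responder: str   # host that may only answer
    service: str     # e.g. "ftp"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str
    ack: bool        # TCP ACK flag as seen on the wire

def verdict(pkt: Packet, filters: list) -> str:
    """Return 'allow' or 'drop' for one packet under the directional rule."""
    for f in filters:
        if pkt.service != f.service:
            continue
        # Packet travels in the filter's direction: the initiator may send it.
        if (pkt.src, pkt.dst) == (f.initiator, f.responder):
            return "allow"
        # Packet travels against the filter's direction: responses only.
        if (pkt.src, pkt.dst) == (f.responder, f.initiator) and pkt.ack:
            return "allow"
    return "drop"  # nothing matched, or a non-response in the reverse direction

# Constructed sample traffic between two hypothetical hosts "A" and "B".
SYN_A_TO_B = Packet("A", "B", "ftp", ack=False)    # A opens a session
REPLY_B_TO_A = Packet("B", "A", "ftp", ack=True)   # B answers A
SYN_B_TO_A = Packet("B", "A", "ftp", ack=False)    # B tries to open a session
TRAFFIC = [SYN_A_TO_B, REPLY_B_TO_A, SYN_B_TO_A]

ONE_WAY = [Filter("A", "B", "ftp")]                # output filter A -> B only
TWO_WAY = ONE_WAY + [Filter("B", "A", "ftp")]      # plus input filter B -> A

def run(filters):
    """Evaluate the sample traffic in order against a filter set."""
    return [verdict(p, filters) for p in TRAFFIC]

if __name__ == "__main__":
    print("A -> B only:      ", run(ONE_WAY))
    print("A -> B and B -> A:", run(TWO_WAY))
```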
