5 Fine Grained Access Control: URL based rules

Access to intranet resources is controlled according to the administrative security policy defined in the awayWEB system. The policy specifies the access control rules in terms of which users and groups may access which internal URLs by matching the URL from each user request with a list of URL patterns defined by the policy ruleset.

The awayWEB URL mechanism is far more powerful than the access control mechanisms implemented in firewall rule sets. Every element of the URL in each request may be used as part of an access control rule, so very fine-grained control is possible over which users have what level of access. The rule matching allows the scope of a rule to be as broad as 'allow all authorised users to access all intranet hosts', down to very specific rules such as 'deny access to all *.xls files to all users not in the ``Finance'' group'. This is not possible with the conventional IP based filter rules supplied by firewall applications.

These fine grained controls cover most features in the server - such as the privacy enforcement policy, URL encryption, cache control and compression (8.2). This gives the same flexibility of control over all aspects of the server configuration - for example, a rule as powerful as 'use dynamic compression for all users in the ``Modem Users'' group when accessing *.doc files on any server in the *.office.example.com domain' can be configured if required.

5.1 Ordering

The use of strict 'top-to-bottom' ordering of the awayWEB policy rules allows for a compact and powerful expression of an organisation's security policy. Such a policy generally requires very little maintenance, reducing overhead costs. Exceptions can be configured before a more general rule, rather than requiring endless lists of specific policies - for example:

  1. Allow access to 'http://sales.intranet.example.com/' to the ``Sales'' group
  2. Deny access to 'http://sales.intranet.example.com/' to everyone
  3. Allow access to 'http://*.intranet.example.com/' to everyone
  4. Deny all access to everything else
By following the policy rules from top to bottom, it is clear that the ``Sales'' group has extra access permission, without requiring the rules to list each and every intranet server in the organisation.

5.2 Regular Expressions

The URL matching performed by the awayWEB system is based on patterns. This allows multiple servers or web pages to be grouped into a single rule.

The awayWEB system utilises a powerful pattern matching tool called ``regular expressions''. The following example shows the power of pattern matching: the rules allow some users to access a general intranet application, but only when specific application parameters (such as account numbers) are used, and deny any other access:

  1. Allow access to
    http://finance.example.com/balance.asp?account=B1234[0-9]
    to the ``Company B'' group
  2. Deny all access to everything else to the ``Company B'' group
  3. Allow access to
    http://finance.example.com/balance.asp?account=*
    to the ``Finance'' group
Here, the users from ``Company B'' can only see their own account balances, B12340 through to B12349, but the ``Finance'' group can see all account balances.

5.3 Security URL Normalisation

An important security feature of the awayWEB system is the 'URL Normalisation' system. The use of pattern matching to allow or deny access is very powerful, but any individual web page can often be accessed in a multitude of different ways. Many different forms of a URL are recognised as equal by most web servers. Most elements of the URL have multiple possible formats, for example:

Therefore:

all refer to the same page. The access control rules must be able to match all the different forms to prevent 'back door' holes in the security policy. The awayWEB gateway performs a sequence of 'normalisations' on each URL before checking the policy for matches. All of the above variations are converted to the 'simplest' form ``http://sales.intranet.example.com/results2001.htm'' before being checked against the rules.
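The three mechanisms above (top-to-bottom ordering from 5.1, regex patterns from 5.2 and normalisation before matching from 5.3) combined in one small evaluator, as an added illustration that is not awayWEB's own code. The rules are written as Python regular expressions (the page's `*` becomes `.*`, and `.`/`?` are escaped), and the particular normalisation steps (case folding, default port removal, dot-segment resolution, percent-decoding of unreserved characters) are assumptions about what a gateway should do, not a description of what awayWEB implements.

```python
import re
from urllib.parse import urlsplit, urlunsplit
# Constructed illustration, not awayWEB's own code: first-match-wins evaluation of
# ordered regex URL rules (5.1, 5.2) behind a URL normaliser (5.3). The normalisation
# steps are assumptions, not awayWEB's documented behaviour.
PCT = re.compile(r"%([0-9A-Fa-f]{2})")

def _decode_unreserved(m):  # %41 -> 'A' (unreserved); %2F stays encoded, upper-cased
    ch = chr(int(m.group(1), 16))
    return ch if (ch.isascii() and ch.isalnum()) or ch in "-._~" else m.group(0).upper()

def _remove_dot_segments(path):
    out = []
    for seg in path.split("/")[1:]:               # path always starts with "/"
        if seg == "..":
            out = out[:-1]                        # never climb above the root
        elif seg != ".":
            out.append(seg)
    if path.endswith(("/.", "/..")):              # "/a/." names the directory "/a/"
        out.append("")
    return "/" + "/".join(out)

def normalise(url):  # reduce equivalent spellings of a URL to one canonical form
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").rstrip(".")         # hostname is already lower-cased
    netloc = host if p.port in (None, {"http": 80, "https": 443}.get(scheme)) else f"{host}:{p.port}"
    path = _remove_dot_segments(PCT.sub(_decode_unreserved, p.path or "/"))
    query = PCT.sub(_decode_unreserved, p.query)
    return urlunsplit((scheme, netloc, path, query, ""))  # fragment never reaches the server

def decide(rules, url, user_groups, normalise_first=True):  # first match wins; default deny
    target = normalise(url) if normalise_first else url
    for action, pat, groups in rules:
        if groups is not None and groups.isdisjoint(user_groups):
            continue                              # rule is not about this user
        if pat.fullmatch(target):                 # anchored: no partial matches
            return action
    return "deny"

# (action, full-URL regex, groups the rule applies to; None = everyone), in policy order
POLICY = [(a, re.compile(p), g and set(g)) for a, p, g in [
    ("allow", r"http://finance\.example\.com/balance\.asp\?account=B1234[0-9]", ["Company B"]),
    ("deny",  r".*", ["Company B"]),
    ("allow", r"http://finance\.example\.com/balance\.asp\?account=.*", ["Finance"]),
    ("allow", r"http://sales\.intranet\.example\.com/.*", ["Sales"]),
    ("deny",  r"http://sales\.intranet\.example\.com/.*", None),
    ("allow", r"http://[^/]*\.intranet\.example\.com/.*", None),
    ("deny",  r".*", None),
]]
```

Calling `decide` with `normalise_first=False` on a mixed-case spelling of the sales server URL shows the 'back door': the everyone-deny rule for the sales server is skipped and the broader intranet allow rule matches instead.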