Our organization is in the process of migrating from MWG6 to MWG7. Wtih the different policies engines and the granularity of our existing policy structure, this has proved to be a rather difficult initiative on our end. As I am manually re-writing each policy into MWG 7 format (we have more than 80 MWG6 policies) I am beginning to wonder if our policy structure is excessive. I've read some of the best practices documents (which are very good by the way) regarding web mapping/policy mapping:
I'd like to get information from either support or from other organizations regarding policy structure and granularity. In particular, I'd like to know more about the following topics:
1. How granular are your policies? For example, in our organization, we strive to follow the "least privilege" concept. This means, any deviation from our default policy is granted on a per user, per site basis. So since we block social networking in our default policy, we would have a different policy for a user who needs access to twitter, and another for one who needs access to myspace and another for one who needs access to facebook. If the same user needs to be able to upload to dropbox, that's another exception i need to make for this user. Would love to hear how other organizations are tackling this in MWG7.
2. Are you using AD Groups for rule assignment? We used this in MWG6 because I believe there was no other way to assign multiple users to a group. In MWG7 though, this is possible with lists so I'm wondering if there is any value in continuing to use this. In my mind, it's just added administration.
3. Any tips on how you upgraded from MWG6 to MWG7. I've gone through some of the guides and have also used the list converter. The problem is that in MWG6, we would build everything off of the default policy which means that the whitelist entries were often duplicated when doing an export through the list converter. This means that I have to clean up the rules and re import them into MWG7 which is a very lengthy process. Any tips from those out there who have done this are highly appreciated.
Message was edited by: bragot on 6/25/13 9:17:04 AM CDT
1. We do not have per user policies (only for groups). If user needs to more access - it moved to group with higher access rights.
2. Yes we are using AD groups for assignment.
3. Please remember, that MWG7 without any rules will permit access (in most cases). So you only need to specify what to block. About migration - we have about 3 appliances and few virtual appliances - so we start migration for one device for small group of our users and during month finishes for all.
For my point of view you need create a default ruleset (filter rules) which retrive group information from user and according to this make filtration using lists. After creation this it is only need to fill block/permit lists in MWG.
For example - block rule that block access according to extracted group name (please read https://community.mcafee.com/docs/DOC-3649):