Data Loss Prevention

 View Only

Configuring a detection server for an Endace card 

Nov 21, 2010 10:05 PM

After installing DLP as a Network Detection server there are additional configuration options that must be done both on the detection server and within the Enforce UI.

Installing the Endace card on the detection server

The first problem to be aware of is to make sure the Endace drivers and software is installed in a folder that has no spaces, c:\endace instead of the default: c:\program files\endace

From the Enforce server copy the dagextraconfig.bat from c:\vontu\protect\bin to c:\endace\dag-3.3.1\bin. Do not worry that this bat file is commented out, an error will be generated if this file is missing

Change the boot.ini to enable the /3GB switch

If you are running Windows Server 32-bit on the detection side the 3GB switch needs to be enabled in the boot.ini file. The following steps need to be done:

  • Change the attributes on the file from the command type: attrib.exe –s –h –r c:\boot.ini
  • Open the boot.ini in notepad
  • Copy the line that reads like: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff
  • At the end of the line add /3GB /userva=3030 so it will look like this: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff /3GB /userva=3030
  • Restart the detection server

Once the span port is connected to the Endace card traffic can be verified by opening a command line, navigating to the c:\Endace\dag-3.3.1\bin directory and type: dagsnap –d0 –v –o tracefile, traffic should be displayed in the window.

Changing settings on the Enforce UI

The following settings need to be changed within the Enforce UI in order for Network Monitor to work correctly with an Endace card.

In the UI for Enforce navigate to System -> Overview and then select the correct detection server. Click on the Server Settings button and make changes to the following items::

  • PacketCapture.IS_ENDACE_ENABLED from false to true
  • PacketCapture.ENDACE_BIN_PATH to the location you installed the software to (c:\endace\dag-3.3.2\bin)
  • PacketCapture.ENDACE_LIB_PATH to the location you installed the software to (c:\endace\dag-3.3.2\lib)
  • PacketCapture.ENDACE_XILINX_PATH to the location you installed the software to (c:\endace\dag-3.3.2\xilinx)

After making the above changes, restart the Vontu services on each detection server using an Endace card. Once the services are back from restarting, select Configure, dag0 should be then select the Endace card

Statistics
0 Favorited
1 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

Dec 20, 2010 04:26 PM

Will do ;]

Actually...I've been working on the Endpoint Prevent module for some time now and been doing a lot of reading. I think I'm pretty proficient with it but there's one thing that I really have no clue about. You know when you go to System -> Servers -> EndpointServer...there is a tab called "Server Settings". I have no clue about what those variables do. I found a table in the DLP documentation explaining the "Endpoint Settings" tab but couldn't find anything for the other one.

It would be unfair to ask you to document all of the purposes and parameters of each of those options but I guess it would qualify as information I'm looking for on DLP =P

I highly doubt I'd ever modify any of those stuff...but just for knowing's sake...it'd be good.

Dec 20, 2010 04:00 PM

Trying to come up w/ content people would find useful.  Let me know if there are more articles or information you are looking for on DLP :)

Dec 16, 2010 11:32 AM

I know I'm going to need this page in the future. This looks REALLY helpful

*bookmarked*

Thanks for the share bro =]

Related Entries and Links

No Related Resource entered.