Data Loss Prevention

  • 1.  Bandwidth DLP Detection Server

    Posted Oct 07, 2013 05:20 AM

    Hello,

    I have two questions:

    Question 1:

    I implement a firewall rule in Symantec Endpoint Protection. This rule prohibits communications between clients and the DLP Endpoint server during peak hours.

    It is not applied to all sites, but only to narrowband sites; in addition, these sites do not send back many incidents.

    Please confirm that there will be no impact if we decide to extend this solution?

    Question 2:

    What value should be set for the optimal DLP agent bandwidth configuration on 512kbps or 256kbps links?

    Thanks for your help.



  • 2.  RE: Bandwidth DLP Detection Server

    Posted Oct 07, 2013 05:48 AM

    Hi Maverick,

    By design, DLP queues incidents on the detection server / endpoint agent in the absence of Network connectivity. The only possible issues are:

    • Too much disk space may be utilized by the incident cache. This may be mitigated by providing sufficient disk space.
    • The bandwidth utilization may peak when the network opens up. However, if you can cap the bandwidth utilization at your switch level, this may be addressed.

    • Specific to bandwidth recommendations, there are no specific guidelines.
    • It is quite normal to expect a lot of false positives being generated during the initial policy rollout phase, and thus excessive bandwidth utilization.
    • Capping at a lower bandwidth would mean that the Detection server may take more time to transfer incidents.

    I have seen customers where thousands of incidents are generated daily during the initial rollout phase. You need to keep the following in consideration:

    • Server incident cache will grow.
    • The server incident cache mechanism is designed to support occasional network outages and not for daily caching requirements. Hence, it is possible that you may see some issues when leveraging server incident caching as an infrastructure design.



  • 3.  RE: Bandwidth DLP Detection Server

    Posted Oct 07, 2013 06:35 AM

    Hello Denis,

    Thanks for your reply,

    I understand the problems when we implement a firewall rule in Symantec Endpoint Protection, such as:

    • Too much disk space may be utilized by the incident cache. This may be mitigated by providing sufficient disk space
    • The bandwidth utilization may peak when the network opens up. However, if you can cap the bandwidth utilization at your switch level, this may be addressed.

    Please, what is the best value, in your view, to set for the optimal DLP agent bandwidth configuration on 512kbps or 256kbps links?

    Thanks.



  • 4.  RE: Bandwidth DLP Detection Server

    Posted Oct 07, 2013 06:51 AM

    Hi Maverick,

    Honestly, I would not go with this configuration unless there were no options. However, given limited options my choice would be to start with 512kbps or higher.

    Also to be on the safer side, I would avoid implementing too many policies in the beginning. It would be safer to start with fewer policies (preferably one) and gradually tune and add more.

    Denis



  • 5.  RE: Bandwidth DLP Detection Server

    Posted Oct 07, 2013 06:53 AM

    Subject to the incident volume being logged, you may choose to reduce the bandwidth to a lower value over a period of time.
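
The trade-off discussed in this thread (incidents queue while the firewall rule blocks the link, then drain at the capped rate) can be checked with a small model before extending the rule to more sites. This is an added example, not part of any post and not Symantec code; the incident rate, incident size and peak-hour window are constructed assumptions, and the model assumes the whole cap is available to incident upload.

```python
# Added illustration: hour-by-hour model of an incident cache behind a
# peak-hour block and a bandwidth cap. All figures are constructed samples.

def simulate_cache(days, incidents_per_hour, incident_kb, blocked_hours, cap_kbps):
    """Return (peak_cache_kb, [cache_kb at the end of each day])."""
    drain_kb_per_hour = cap_kbps * 3600 / 8      # kilobits/s -> kilobytes/hour
    inflow_kb_per_hour = incidents_per_hour * incident_kb
    cache_kb, peak_kb, end_of_day = 0.0, 0.0, []
    for _ in range(days):
        for hour in range(24):
            cache_kb += inflow_kb_per_hour       # incidents are generated all day
            if hour not in blocked_hours:        # upload only outside the block
                cache_kb = max(0.0, cache_kb - drain_kb_per_hour)
            peak_kb = max(peak_kb, cache_kb)
        end_of_day.append(cache_kb)
    return peak_kb, end_of_day


def is_sustainable(end_of_day):
    """True when the end-of-day backlog has stopped growing (needs >= 2 days)."""
    return end_of_day[-1] <= end_of_day[-2]


# Constructed scenario: one site, link blocked 08:00-18:00, noisy initial
# rollout producing 200 incidents/hour of 500 KB each.
SCENARIO = dict(days=3, incidents_per_hour=200, incident_kb=500,
                blocked_hours=range(8, 18))

if __name__ == "__main__":
    for cap in (256, 512):
        peak, ends = simulate_cache(cap_kbps=cap, **SCENARIO)
        verdict = "drains daily" if is_sustainable(ends) else "backlog grows"
        print(f"{cap} kbps: peak cache {peak / 1024:.0f} MB, "
              f"end of day {[round(e / 1024) for e in ends]} MB -> {verdict}")
```

With these sample figures the cache reaches a steady state at 512 kbps but grows every day at 256 kbps, which is the situation the incident cache is not designed for; rerun it with incident volumes measured at the site.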