Data Loss Prevention

  • 1.  Can DLP monitor or block SFTP and FTPS traffic?

    Posted May 18, 2012 01:37 AM

    Hi all, I am wondering whether Network Monitor or Network Prevent for Web could monitor or block SFTP and FTPS traffic?

    Thanks!



  • 2.  RE: Can DLP monitor or block SFTP and FTPS traffic?

    Posted May 18, 2012 09:50 AM

    Network monitor can see the traffic but won't be able to tell whether the content is sensitive or not since it will be encrypted. Network Prevent cannot block it based on content either.

    They will only be able to act based on packet header information (source and destination IP address for example) which isn't really useful for a DLP scenario.



  • 3.  RE: Can DLP monitor or block SFTP and FTPS traffic?

    Broadcom Employee
    Posted May 22, 2012 08:13 PM

    You can add a protocol to your DLP Enforce.

    Generally, SFTP uses port 22.



  • 4.  RE: Can DLP monitor or block SFTP and FTPS traffic?
    Best Answer

    Posted May 24, 2012 09:14 AM

    As xlloyd pointed out, the traffic is encrypted end to end so you won't be able to see the content. You would simply be able to identify the traffic exists on the Network Monitor.

    There are only two approaches that would let you see the content:

    1. If you have a way to proxy the traffic that includes either decrypting the traffic, or some sort of proxy that supports SFTP proxy (meaning the server would act as the middle man for the transmission) which I don't know of existing.
    2. The other way you can go about identifying this sensitive transmission is to use the Endpoint product to stop it before it enters the SFTP/FTPS stream. With the endpoint product, you can use Application Monitoring to specify the apps that would be used to transmit that data as blacklisted. This will mean that when those applications try to use sensitive content (aka the user picks the file to upload), the action would be blocked and the application would not be able to upload the file.

    In most customer sites I work with, they actually block SFTP/FTPS at the firewall as there generally isn't a business purpose for the protocol to be used. For the cases where there is a business purpose, they whitelist the IP of the servers that need to use that protocol on that firewall rule.

    A couple of different approaches that I hope can help you out.
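Reply 2 explains that a network-side control can only act on packet header information for SFTP/FTPS because the payload is encrypted, and reply 4 describes the usual response: block the protocols at the firewall and allow-list the servers that have a business need. The following Python block is an added example written for this thread, not code from the original posts or from Symantec/Broadcom DLP. It models that header-only policy over a handful of constructed flow records: flows to the ports conventionally used by SFTP (22, over SSH) and implicit FTPS (990) are allowed only to destinations on an allow-list and blocked otherwise, while nothing about the file content is, or can be, inspected. The port assignments, the sample addresses and the allow-list are assumptions made for the example.

```python
"""Header-only policy check for encrypted file-transfer flows.

Constructed example: the flow records and allow-list below are made up.
Because SFTP and FTPS payloads are encrypted end to end, a network-side
control can only act on the fields visible in packet or flow headers
(addresses, ports, protocol), which is all this policy looks at.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports conventionally used by the protocols discussed in the thread.
# Assumption: the environment runs these services on the default ports.
ENCRYPTED_TRANSFER_PORTS = {22: "SFTP/SSH", 990: "FTPS (implicit)"}


@dataclass(frozen=True)
class Flow:
    """One flow-header record: source, destination, port, transport."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def classify_flow(flow, allowed_servers):
    """Return (verdict, reason); verdict is 'allow', 'block' or 'ignore'.

    allowed_servers: IP networks (as strings) whose SFTP/FTPS endpoints
    have an approved business purpose, i.e. the firewall allow-list from
    the thread. Any other destination on these ports is blocked.
    """
    if flow.proto != "tcp" or flow.dport not in ENCRYPTED_TRANSFER_PORTS:
        return "ignore", "not an encrypted file-transfer port"
    label = ENCRYPTED_TRANSFER_PORTS[flow.dport]
    dst = ip_address(flow.dst)
    for net in allowed_servers:
        if dst in ip_network(net, strict=False):
            return "allow", f"{label} to approved server in {net}"
    return "block", f"{label} to non-approved destination {flow.dst}"


def apply_policy(flows, allowed_servers):
    """Run every flow through the policy; return verdict -> [(flow, reason)]."""
    verdicts = {"allow": [], "block": [], "ignore": []}
    for flow in flows:
        verdict, reason = classify_flow(flow, allowed_servers)
        verdicts[verdict].append((flow, reason))
    return verdicts


# Constructed sample flows (documentation-range addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.5.12", "198.51.100.20", 22),   # SFTP to an approved partner
    Flow("10.0.5.12", "203.0.113.9", 22),     # SFTP to an unknown host
    Flow("10.0.5.30", "203.0.113.9", 990),    # implicit FTPS to an unknown host
    Flow("10.0.5.30", "203.0.113.9", 443),    # HTTPS, outside this policy
]
APPROVED_SERVERS = ["198.51.100.0/24"]   # assumed allow-list

if __name__ == "__main__":
    for verdict, entries in apply_policy(SAMPLE_FLOWS, APPROVED_SERVERS).items():
        for flow, reason in entries:
            print(f"{verdict:6} {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The point the example makes concrete is the one both replies converge on: without an endpoint control or a decrypting proxy, the decision is purely about where the traffic goes, never about what it carries, so the allow-list has to be maintained as the list of servers with a legitimate need rather than as a content rule.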