Data Loss Prevention


Decrypt ssl on DLP (Vontu) Endpoint Agent


  • 1.  Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 16, 2013 10:44 AM

    Hi,

    I am faced with the question of whether it is possible to decrypt SSL locally on the machine where the DLP (Vontu) Endpoint Agent is installed.

    In particular, I want to know whether it is possible with the help of the Endpoint Agent's functions.

    Regards.



  • 2.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 16, 2013 01:56 PM

    SSL connections terminate on endpoints. Hence an endpoint agent can be used to detect data loss through SSL connections like HTTPS etc. There is no special configuration required for this as long as you have enabled the HTTPS channel in the agent configuration.



  • 3.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 17, 2013 03:19 AM

     

    Hi Mercury,

    SSL encryption and decryption happen at the endpoint level; ideally it can't happen at the network level. For network-level encryption and decryption (monitoring HTTPS), you need a special architecture with web proxy integration and a special certificate to encrypt and decrypt the traffic.

    So you don't need to worry about decryption at the endpoint level, as it already happens there.

    Also refer to the link below:

    https://www-secure.symantec.com/connect/forums/using-blue-coat-ssl-decryption-dlp



  • 4.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 19, 2013 03:06 AM

    Hi,

    Thanks for help =)



  • 5.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 19, 2013 06:15 AM

    Hi,

    And what exactly do the Email & Web options for the EP Agent mean? It can't monitor these channels. According to its features, it can monitor only the buffer on the local machine. So many clients are confused.
    Can somebody explain what these options are there for? =)

    Thanks.

    EP.png



  • 6.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Broadcom Employee
    Posted Aug 19, 2013 06:23 AM

    The email/web traffic from the machine installed with the DLP agent will be monitored.



  • 7.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 19, 2013 07:14 AM

    Hi Pete, thanks for your quick answer!

    In Symantec DLP (Vontu), the EP Agent cannot monitor Email/Web traffic in the network. There is Network Prevent for Web & Email, which performs these functions. In fact, the DLP EP Agent can only control the data which the user uses ON THE LOCAL MACHINE, but not network traffic.

    Agents can control data from being transferred, copied, printed, sent - yes (for example, by controlling the buffer). But I don't understand why Email/Web channels were described there directly. Especially IE (HTTPS) & Firefox (HTTPS). Can somebody explain what it means??

    If I can control the buffer of the local machine, what are options such as IE (HTTPS) & Firefox (HTTPS) there for? And why only HTTPS of IE and Firefox? Where are the other browsers?

    As for the link, it is about another solution - Endpoint Protection, not Endpoint Agent DLP =)

    Thanks for understanding.



  • 8.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Broadcom Employee
    Posted Aug 19, 2013 07:21 AM

    Yes, until the network-related servers are introduced, the traffic will not be monitored. However, with the endpoint you can still monitor what is still leaving the machine, which includes HTTPS and email. IE and Firefox are supported browsers; if you want to use other browsers, you can use Application Monitoring to inspect the data leaving from the endpoint agent.



  • 9.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 19, 2013 07:34 AM

    Ok, as I understand, it means that EP Agent controls data being WRITTEN in IE/Firefox?

     



  • 10.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Broadcom Employee
    Posted Aug 19, 2013 09:25 AM

    It monitors the data that passes through these applications.



  • 11.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent
    Best Answer

    Broadcom Employee
    Posted Aug 19, 2013 02:44 PM

    Specifically, there are plugins for IE and Firefox. If you would like to monitor other web browsers, you would need to enable Application File Access, and then turn on Monitor Application File Access -> Open file.



  • 12.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 20, 2013 04:08 AM

    AppsMonitor.png

    I really don't understand WHY some of the Email & Web apps are repeated in another window. They have already been added in the Application Monitoring window and are described again in Agent Configuration. These options have the same roles.

    In the Agent Configuration window, protocols are described with the help of the Web channel option.
    So maybe it means that the Agent there monitors neither the IE nor the Firefox apps. BY DEFAULT it can monitor the HTTPS protocol, which is used by them.
    So I have the next question:
     - what is the difference between monitoring the HTTPS protocol used by IE & Firefox and port monitoring?



  • 13.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent
    Best Answer

    Posted Aug 20, 2013 05:03 AM

    All OK, I have a solution. Thanks for the help with understanding =))



  • 14.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 20, 2013 10:05 AM

    Can you please explain the solution you obtained?

     

    Thanks



  • 15.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Broadcom Employee
    Posted Aug 20, 2013 11:33 AM

    Mercuriy,

    In this forum, the response that helps you resolve the issue is marked as the solution. That way, when someone else has your same or similar issue, they can follow the thread and figure out what worked and what did not work.

    Perhaps the clarification that for IE and Firefox, the Endpoint Agent has a plugin for them to allow for a check box to turn on monitoring. This is very commonly selected, and that's why we made it easy. However, there are many browsers and other software that need to be monitored. That's why we have Application Monitoring. The most common use of a browser is HTTP(S) and FTP; however, those are not the only functions of a browser, for example file:///C:/testfile. This other functionality is why in Application Monitoring we have File Open and File Read, so that we can intercept any messages that are opened or read by the application listed.

    Please mark the answer that solves your question.

    Best,

    Ryan



  • 16.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 21, 2013 04:49 AM

    Ryan,

    Thanks for rectification.

    The response that helped me resolve the issue:

    The EP Agent has a plugin for IE & Firefox HTTPS, so it can monitor data WRITTEN by the user in the browser (but unfortunately this function doesn't work correctly).

    For example, I can get only some decryption of confidential data in the IE & Firefox environment. I have already changed the detection server config to listen for GET requests too, but it doesn't work.

    Maybe someone knows how I can configure my system to correctly decrypt HTTPS in IE & Firefox?)

    I work with IE 6.0 & Firefox 5.0 =)

    Thanks.

     

     



  • 17.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent
    Best Answer

    Broadcom Employee
    Posted Aug 21, 2013 02:29 PM

    Mercuriy-

    Our IE plugin only works with IE 6, 7, 8, and in 11.5+ IE 9. We do not yet support IE 10. If you would like to support IE 10, you will need to use Application File Access. The same applies for Firefox 5.0+.

    Hope this helps.

    Best,

    Ryan



  • 18.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 22, 2013 04:45 AM

    Many thanks, Ryan

    It works correctly =)

    Regards,

     Mercuriy



  • 19.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent
    Best Answer

    Posted Aug 23, 2013 03:11 AM

    Hi, again =)

    As for supported browsers - I found more exact information:

    http://www.symantec.com/connect/forums/ymantec-vontu-dlp#comment-9141461

    Where Pete writes:

    "We support IE 6.x, 7.x, 8.x for DLP 9.x and 10.x. IE 6 is no longer supported in v 11.x.

    We support Firefox 2.x, 3.0, 3.5 in DLP 9.x and 10.x. Firefox 3.6 is supported with 10.5. Firefox 2.x is no longer supported in v 11.x."

    I have checked this information for DLP v11.x: only IE 7.x, 8.x, 9.x, and Firefox 3.0, 3.5, 3.6 work.

    Hope it will be interesting for somebody.



  • 20.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Broadcom Employee
    Posted Aug 23, 2013 03:25 AM

    How does the solution you have marked answer the question you have raised?

    Ryan has helped to answer most of your queries related to plugins; I believe his reply has to be marked as the solution.



  • 21.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 23, 2013 04:48 AM

    Yes, Ryan has helped to answer most of the queries related to plugins, but his answer was not exact, especially regarding Firefox.

    I am very thankful for Ryan's help in discussing the question! But I lost some time checking the answer and finding the correct information.

    Sorry for marking the answer as the solution so quickly without fully checking it!

    Sorry again, I don't know most of the rules of this forum.

    Pete, I will change my mark =)

    Regards,

    Mercuriy.

     



  • 22.  RE: Decrypt ssl on DLP (Vontu) Endpoint Agent

    Posted Aug 29, 2013 03:04 PM

    According to the 11.6.3a Release notes, the 11.6.3 Agent supports IE 8 through 10 and Firefox through version 21.