Data Loss Prevention

  • 1.  DLP and Web Filter for ISA 2006

    Posted Feb 08, 2012 06:16 AM

    Hello.

    Please help me to understand some questions about using DLP and Web Filter with Network Prevent Filter...

    1) Which address must I enter at stage 7 of the installation process "Installing the Web filter to ISA" if I have an array of 2 ISA servers (10.1.1.1 and 10.1.1.2, array address 10.1.1.3)?

    (Stage 7: If you are installing to a local ISA configuration server, skip this step.
    On the User Information screen, enter the DNS name or IP address of the remote ISA configuration server computer, then click Next.
    )

    2) If I set the option "Trial Mode" in System->Configure Server->Network Prevent, will the SYMC ISA Web filter work only in monitoring?

    Thank you



  • 2.  RE: DLP and Web Filter for ISA 2006

    Posted Feb 08, 2012 10:41 AM

    Hi alexovi4,

    1) Use the array address.

    2) Yes it will only work in monitoring. It will not block any traffic but will still generate events as if the traffic was blocked. This setting can be easily turned off by changing a setting in the server configuration page.

    Hope this helps,
    ~Xavier

    ---------------------

    If this post has helped you or solves your problem, please don't forget to vote or mark as a solution.



  • 3.  RE: DLP and Web Filter for ISA 2006

    Posted Feb 08, 2012 12:09 PM

    Hi, Xavier. Thanks for your reply.

    1) Ok, clear. Here I must use the address of the ISA configuration server.

    2) Which actions (reactions to incidents) can I configure if I disable (don't check) "Trial Mode"?

    New question: using Symantec's guides, I am trying to configure the Symantec Web DLP Filter with an array of two ISA servers. When I create a file share and set the parameter "config file path" to the network share - the Windows Firewall services is not started. What may be happening? What must I check?

    In the Event Log there is the following message:

     ISA Server failed to load Web Filter DLL C:\Program Files\Microsoft ISA Server\\symc_isa_plugin.dll. 
    

    Thanks



  • 4.  RE: DLP and Web Filter for ISA 2006
    Best Answer

    Posted Feb 08, 2012 12:55 PM

    No prob!

    You can configure all the same response rules in trial mode and in regular mode. The only difference is that in trial mode, if you have a "block connection" response rule for example, it won't be blocked (it will just report it as blocked). Trial mode is used in the early stages of configuration so that accurate policies can be built without blocking legitimate traffic that may be caught and blocked (false positive).

    Once you are finished testing, just take it out of trial mode and all the response rules will be enforced as normal.

    For your other problem, it seems like the ISA server can't reach that directory. Double check that the server can reach the file share and that the config file is in the location. (Ensure you type the path to the fileshare properly).

    Also, what do you mean by "the Windows Firewall services is not started"? Is it that you did not enable the service or that you get an error message that the service is not started?

    Regards,
    ~Xavier




  • 5.  RE: DLP and Web Filter for ISA 2006

    Posted Feb 08, 2012 01:16 PM

    I've re-created the network share with the isa_plugin.conf file, checked the permissions more carefully, and the Windows Firewall service is started normally.

    Thanks for the help.



  • 6.  RE: DLP and Web Filter for ISA 2006

    Posted Feb 08, 2012 01:30 PM

    Good to hear it!

    smiley



  • 7.  RE: DLP and Web Filter for ISA 2006

    Posted Feb 09, 2012 05:49 AM

    xlloyd, colleagues

    Can you provide me additional information about how the Symantec DLP ISA filter works? I read the guides, but don't fully understand all the points...

    - If I understand correctly, the request from the client is first received on ISA, then it is fully resent to the Network Prevent Web server using ICAP. After that Network Prevent analyzes the content and makes a decision. Then does Network Prevent return the full request to ISA or only a Yes/No reply?

    - What delay do you usually see when using the ISA Web Filter? How much traffic can be processed by the ISA Web Filter?

    Thank you



  • 8.  RE: DLP and Web Filter for ISA 2006

    Posted Feb 09, 2012 07:56 AM

    Sure, here are some steps:

    The Network Prevent server can respond with yes or no. It can also give a "modify" response so that the bad content is replaced with filler text. So instead of seeing:

    Hi guys, here is the account number and credit card information I got for you:

    Chadwell Quintin 7/24/1977 Mastercard  5274 5763 9425 9961  Jan-2014 678226614706
    Chalker Lanny 10/7/1982 Mastercard  5301 7455 2913 8831  Oct-2014 057210723072
    Chesser Orlando 9/12/1941 Discover  6011 6874 8256 4166  Apr-2015 086565019453

    They will see:

    Hi guys, here is the account number and credit card information I got for you:

    --Content has been removed as it has violated data policy--

    As for processing delay, that depends on the ability of the ISA server and Network Prevent server. I thought I saw official numbers say that with a regular network card you get somewhere around 100-200 Mbps of traffic throughput but I can't find the document. If you use an Endace network card then that can go up to about 900 Mbps.

    For many deployments the regular NIC should be fine unless you're deploying for more than 10,000 people. Also, Symantec recommends that you have 2 NICs on the Network Prevent. One for talking to ISA and one for talking to Enforce.

    Be sure to get a good idea of the traffic in the environment before deploying to the customer.
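
The allow / block / modify outcomes discussed in this thread correspond to the response shapes a generic ICAP REQMOD service can return under RFC 3507. The sketch below is an added example, not part of the thread and not Symantec's code: it classifies such a response from the ICAP client's side. The sample messages, host name and ISTag are constructed, and the verdict mapping is an assumption taken from the RFC, not from Network Prevent's documented behaviour.

```python
"""Classify a generic ICAP REQMOD response (RFC 3507). Samples are constructed."""

FILLER = b"--Content has been removed as it has violated data policy--"

def classify_icap_response(raw: bytes):
    """Return (verdict, first line of the encapsulated HTTP message or None)."""
    head, _, payload = raw.partition(b"\r\n\r\n")  # ICAP headers end at first blank line
    lines = head.decode("ascii").split("\r\n")
    proto, code, _reason = lines[0].split(" ", 2)
    if proto != "ICAP/1.0":
        raise ValueError("not an ICAP response")
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:])}
    if code == "204":           # No Content: the original request goes on unchanged
        return ("allow", None)
    if code != "200" or "encapsulated" not in headers:
        return ("error", None)  # fail-open vs fail-closed is a deployment decision
    # Encapsulated lists section offsets relative to the start of the payload.
    parts = [p.strip().split("=") for p in headers["encapsulated"].split(",")]
    name, start = parts[0][0], int(parts[0][1])
    end = int(parts[1][1]) if len(parts) > 1 else len(payload)
    start_line = payload[start:end].split(b"\r\n", 1)[0].decode("ascii", "replace")
    if name == "req-hdr":       # an HTTP request came back (possibly rewritten)
        return ("modify", start_line)
    if name == "res-hdr":       # an HTTP response came back instead of the request
        return ("block", start_line)
    return ("error", None)

def _sample(status: str, kind: str, http_hdr: bytes, body: bytes = b"") -> bytes:
    """Build a constructed ICAP response with correct Encapsulated offsets."""
    tail = f"{kind}-body" if body else "null-body"
    icap = (f'ICAP/1.0 {status}\r\nISTag: "constructed-1"\r\n'
            f"Encapsulated: {kind}-hdr=0, {tail}={len(http_hdr)}\r\n\r\n")
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body) if body else b""
    return icap.encode("ascii") + http_hdr + chunked

SAMPLE_ALLOW = (b'ICAP/1.0 204 No Content\r\nISTag: "constructed-1"\r\n'
                b"Encapsulated: null-body=0\r\n\r\n")
SAMPLE_MODIFY = _sample("200 OK", "req",
                        b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                        b"Content-Length: %d\r\n\r\n" % len(FILLER), FILLER)
SAMPLE_BLOCK = _sample("200 OK", "res",
                       b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOW, SAMPLE_MODIFY, SAMPLE_BLOCK):
        print(classify_icap_response(sample))
```

A 200 response carrying `req-hdr` can also be an unchanged echo of the request when the client did not advertise `Allow: 204`, so "modify" here means "forward what the ICAP server returned".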