Data Loss Prevention

  • 1.  DLP Network Monitor query

    Posted Aug 30, 2012 03:25 AM

    Hi Fellows,

    We have a physical server with below specs for Network Monitor. We are observing Error 1206 on this server. Traffic on the server is around 50-60Mbps and only http policy was enabled.

    The policy detects any packet for protocol HTTP and no response rule is configured. This policy is configured to have incidents stored in the DB, from which we can analyze the pattern and determine information data leakage.

    Please suggest the remedy.

    Server Name:       North detection server
    Server role:       Network Monitor
    OS:                RedHat Linux 5.0
    RAM:               8GB
    Disk space:        120GB
    Virtual/Physical:  Physical

    Regards,

    Atif



  • 2.  RE: DLP Network Monitor query

    Posted Aug 30, 2012 05:54 AM

    Do you get the long message wait time also? This comes from a couple of reasons:

    too many policies

    complex policies

    too much traffic

    improperly configured network monitor (I don't believe this would be the case)

    You should probably also see file reader errors. What kind of hardware specs are on the server...



  • 3.  RE: DLP Network Monitor query

    Trusted Advisor
    Posted Aug 30, 2012 06:02 AM

    Hello,

    How much wait time did you have? Is your server able to reduce the wait time during low traffic periods?

    First check that you are only monitoring HTTP POST and not all HTTP traffic (at the monitor server configuration level and not at the policy level).

    In my opinion, 120 GB of disk seems quite small, especially if you have some wait time, because temporary files will fill your disk quite quickly.

    For your policy, does it only detect HTTP traffic with no specific detection rule? How many incidents do you have per hour? Too high an incident rate can generate an overload too.



  • 4.  RE: DLP Network Monitor query

    Posted Sep 04, 2012 06:02 PM

    Error 1206 (long message wait times) can also happen if your CPU(s) are not fast enough to process the detection load.

    http://www.arrknine.com



  • 5.  RE: DLP Network Monitor query
    Best Answer

    Posted Sep 05, 2012 02:42 PM

    Atif,

    You mentioned the policy is flagging "any packet for protocol HTTP". With a bandwidth rate of around 50-60Mbps, I would imagine you are simply having a large influx of incidents. This isn't quite as scalable to identify sensitive information as you are simply grabbing ALL HTTP traffic. The processing of this much data, putting incidents in the DB, and making them available as incidents in the GUI, is going to cause your systems to throw these messages.

    I would consider turning off this policy, and try to reduce the policy to look for some subset of sensitive content to begin with. Consider using one of the built-in policies or templates available to start with to see what type of data is seen. Once you get a feel for what the data you see is, you can start to prune down the policies to find specifically what you need. The other approach many customers use is to talk to the business units to identify what the sensitive data they want to block is and start building policies around this. Unfortunately most organizations can't scale to look at ALL HTTP transmissions for sensitive data.
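    The point made in this answer, and in the earlier suggestion to monitor only HTTP POST at the monitor level, is that incident volume is driven by policy selectivity, not by raw bandwidth. The script below is an added illustration (not code from the thread or from the DLP product): it runs three toy policies over a small set of constructed HTTP messages, showing how a "match every HTTP message" rule produces an incident for every message, while a POST-only filter combined with a keyword/pattern rule produces incidents only for the few messages that actually carry sensitive-looking content. The message format, the keyword list, the SSN-shaped regex and the hourly scaling figure are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class HttpMessage:
    """Minimal view of one HTTP request as a monitor would see it (hypothetical shape)."""
    method: str
    host: str
    body: str


# Constructed sample traffic, not real captures: a browsing mix of GETs and a few POSTs.
SAMPLE_TRAFFIC = [
    HttpMessage("GET", "intranet.example", ""),
    HttpMessage("GET", "news.example", ""),
    HttpMessage("POST", "webmail.example", "meeting notes attached"),
    HttpMessage("POST", "paste.example", "customer SSN 123-45-6789 for the account"),
    HttpMessage("GET", "cdn.example", ""),
    HttpMessage("POST", "forum.example", "CONFIDENTIAL - do not distribute: Q3 forecast"),
    HttpMessage("GET", "search.example", ""),
    HttpMessage("POST", "api.example", '{"status": "ok"}'),
]

# Assumed content rules: an SSN-shaped pattern and a couple of classification keywords.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
KEYWORDS = ("confidential", "do not distribute")


def match_all_http(msg: HttpMessage) -> bool:
    """Mimics the original policy from the question: every HTTP message is an incident."""
    return True


def post_only(msg: HttpMessage) -> bool:
    """Monitor-level narrowing suggested in the thread: only POST requests are examined."""
    return msg.method == "POST"


def post_with_content_rule(msg: HttpMessage) -> bool:
    """Keyword/pattern policy: a POST whose body carries an SSN-shaped value or a keyword."""
    if not post_only(msg):
        return False
    lowered = msg.body.lower()
    return bool(SSN_RE.search(msg.body)) or any(k in lowered for k in KEYWORDS)


def count_incidents(traffic, policy) -> int:
    """Number of messages the policy would turn into stored incidents."""
    return sum(1 for m in traffic if policy(m))


def incidents_per_hour(traffic, policy, messages_per_hour: int) -> int:
    """Scale the sample's hit rate to an assumed hourly message volume."""
    hit_rate = count_incidents(traffic, policy) / len(traffic)
    return round(hit_rate * messages_per_hour)


if __name__ == "__main__":
    policies = [
        ("all HTTP", match_all_http),
        ("POST only", post_only),
        ("POST + content rule", post_with_content_rule),
    ]
    # 100,000 messages/hour is an illustrative figure, not derived from the 50-60Mbps in the thread.
    for name, policy in policies:
        print(f"{name:22s} sample incidents: {count_incidents(SAMPLE_TRAFFIC, policy)}  "
              f"projected/hour at 100k msgs: {incidents_per_hour(SAMPLE_TRAFFIC, policy, 100_000)}")
```

    On the sample, the all-HTTP policy produces 8 incidents, POST-only 4, and the POST-plus-content rule 2. The absolute numbers are toy values; the useful part is the ratio, which is what decides how much the database and incident GUI have to absorb at a given traffic rate.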



  • 6.  RE: DLP Network Monitor query

    Posted Sep 15, 2012 12:55 PM

    Thanks Guys,

    I have disabled the policies and you guys are right that capturing HTTP packets with that much bandwidth was causing overload on the server to read, analyze and store those as incidents. I am going to use a keyword or POST or template policy for Network Monitor to see how that goes.

    Thanks again folks. Appreciate the responses.



  • 7.  RE: DLP Network Monitor query

    Posted Sep 15, 2012 01:56 PM

    Atif,

    You may want to consider looking at resources: 2 dual core CPUs at 3.0 GHz and 16 gig of memory should work if you are running Red Hat. If you have multiple switches, consider another monitor box for each switch, but honestly you only need to see the egress traffic, so is it the correct location? Just some ideas to think about.



  • 8.  RE: DLP Network Monitor query

    Posted Sep 15, 2012 03:12 PM

    Thanks stumunro.

    I found that there must be some policy with specific keywords or a template for monitoring. No matter how strong the hardware is, monitoring at the protocol level is not the DLP domain. Those are for NetWitness kinda stuff.

    Regards.