
DLP Servers and Infrastructure

Created: 17 Nov 2009 • Updated: 21 May 2010 | 3 comments

I was wondering if others who have implemented DLP have all of these servers. I know it depends on what you have your DLP doing; my main question is: has anyone set this up with servers sharing responsibilities?

Data Loss Prevention Enforce Platform
Data Loss Prevention Network Monitor
Data Loss Prevention Network Prevent
Data Loss Prevention Network Discover
Data Loss Prevention Network Protect
Data Loss Prevention Endpoint Discover
Data Loss Prevention Endpoint Prevent

Thanks!


Naor Penso

You need to remember that a detection server can only do one thing at a time.
Now let us separate the server names you gave here:

Vontu Enforce - the main server, the enforce server is responsible for: reporting, policy creation/management/deployment, writing to the DB and more.

DLP Network Monitor - Detection server that is responsible for analyzing packets and data flow (file copies, P2P protocols, IM messages and more) on your network. The Network Monitor connects to your network through a mirror port/SPAN port and is totally passive.

DLP Network Prevent - This detection server is split into 2:
1) Network Prevent Web - The server connects to the company's proxy (a proxy that can send data over the ICAP protocol) and analyzes data that is sent to the internet - web mail (Gmail, Yahoo Mail etc.), HTTP requests (Google search, Yahoo search, Bing). The server has the ability to deny sending confidential data over web mail or searching Google for confidential data.
2) Network Prevent Mail - The server connects to the company's MTA (Mail Transfer Agent) and analyzes all the mail being sent out of the organization. The server has the ability to deny sending confidential data over mail, or a feature that adds a string to the header for the MTA to encrypt the mail.

Data Loss Prevention Network Discover/Protect - The same detection features with a twist. Network Discover analyzes storage locations (databases, SharePoint, network attached storage etc.) over the network and finds confidential data.
The Protect add-on has the ability to copy the confidential data, and also a quarantine feature that allows you to cut the file to another place and leave a marker indicating that the data has been transferred.

Data Loss Prevention Endpoint Discover/Protect - The same detection features with a twist. Endpoint Discover analyzes the endpoint computers and finds confidential data. The Protect add-on has the ability to block any attempts to send the data over the internet, copy the files to USB devices and more.

Now to your question:
sharing responsibilities is not an option, since the detection servers have different designations.
You could create the same policy and send it to a couple of servers, and they will operate according to that policy, but the places in which they would be able to enforce those policies are up to the server designation.

Naor Penso

For Forum threads, please click "Mark as Solution" if answered.
For all content, please give a thumbs up if you agree with or support the post.
Thanks :)

ssteele

Actually, sharing responsibilities is absolutely an option -- you can run Vontu / Symantec DLP in a 1 tier, 2 tier, or 3 tier (n tier) configuration.

For example, you can run Vontu Enforce, the Oracle database, and a Network Discover detection server on a single logical machine. If you want to break out a separate Network Monitor detection server, a separate Endpoint Discover/Protect server, etc. you can do that.

--
Sean Steele, CISSP, CISA
Sr. Security Consultant
infoLock Technologies
877.610.5625 x219 direct
202.270.8672 mobile
ssteele@infolocktech.com


Naor Penso


You are partially correct.
You can choose from 3 different implementations:
1) single tier: Vontu Enforce, the Oracle DB and a detection server on the same server
2) two tier: Vontu Enforce and the Oracle DB on the same server
3) three tier: all are on different servers.

But YOU CAN'T install 2 detection servers (Vontu Network Prevent and an Endpoint server, for example) on the same server.
I think that this is what JamieMurdock meant.

Naor Penso.

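The layout rules the two answers above converge on (Enforce and the Oracle DB may share a host, at most one detection server may join them, and no host may carry two detection roles) can be checked mechanically before hardware is ordered. The planner below is an added example written for this page, not Symantec/Vontu code; the component labels and the hostnames in the sample plan are assumed for illustration.

```python
"""Tier classifier and sanity check for a planned Symantec (Vontu) DLP layout.

Added example, not vendor code. Component names are labels assumed here to
match the roles discussed in the thread; hostnames in the sample are made up.
"""

# Management components live on the Enforce tier; everything else is a
# detection-server role that must not share a host with another one.
MANAGEMENT = {"Enforce", "Oracle"}
DETECTION = {
    "Network Monitor", "Network Prevent Web", "Network Prevent Mail",
    "Network Discover", "Endpoint Server",
}


def check_layout(layout):
    """Classify a {hostname: [component, ...]} plan.

    Returns (tier, problems): tier is 1, 2 or 3 as defined in the thread
    (None if the plan is incomplete), and problems lists every rule violation.
    """
    problems = []
    for host, comps in layout.items():
        unknown = sorted(set(comps) - MANAGEMENT - DETECTION)
        if unknown:
            problems.append(f"{host}: unknown component(s) {unknown}")
        roles = [c for c in comps if c in DETECTION]
        if len(roles) > 1:  # the rule both answers agree on
            problems.append(f"{host}: more than one detection server {roles}")

    enforce_host = next((h for h, c in layout.items() if "Enforce" in c), None)
    oracle_host = next((h for h, c in layout.items() if "Oracle" in c), None)
    if enforce_host is None or oracle_host is None:
        problems.append("plan needs both Enforce and the Oracle DB")
        return None, problems

    if enforce_host != oracle_host:
        tier = 3  # management split across hosts
    elif any(c in DETECTION for c in layout[enforce_host]):
        tier = 1  # Enforce + Oracle + one detection server on one box
    else:
        tier = 2  # Enforce + Oracle together, detection servers elsewhere
    return tier, problems


# Constructed sample plan: the single-tier layout from ssteele's answer plus
# a second host that wrongly stacks two detection roles.
SAMPLE_PLAN = {
    "dlp-enforce-01": ["Enforce", "Oracle", "Network Discover"],
    "dlp-detect-01": ["Network Prevent Web", "Endpoint Server"],
}

if __name__ == "__main__":
    tier, issues = check_layout(SAMPLE_PLAN)
    print(f"tier={tier}", *issues, sep="\n")
```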