Cleveland Security User Group

  • 1.  DLP Servers and Infrastructure

    Posted Nov 17, 2009 03:13 PM
    I was wondering if others who have implemented DLP have all of these servers. I know it depends on what you have your DLP doing, my main question is has anyone set this up with servers sharing responsibilities.

    Data Loss Prevention Enforce Platform
    Data Loss Prevention Network Monitor
    Data Loss Prevention Network Prevent
    Data Loss Prevention Network Discover
    Data Loss Prevention Network Protect
    Data Loss Prevention Endpoint Discover
    Data Loss Prevention Endpoint Prevent

    Thanks!


  • 2.  RE: DLP Servers and Infrastructure

    Posted Nov 18, 2009 07:28 AM
    You need to remember, a detection server can only do one thing at a time. Now let us separate the server names you gave here:

    Vontu Enforce - the main server. The Enforce server is responsible for reporting, policy creation/management/deployment, writing to the DB and more.

    DLP Network Monitor - Detection server that is responsible for analyzing packets and data flow (file copies, P2P protocols, IM messages and more) on your network. The Network Monitor connects to your network with a mirror port/SPAN port and it is totally passive.

    DLP Network Prevent - This detection server separates into 2:
    1) Network Prevent Web - The server connects to the company's proxy (a proxy that can send data over the ICAP protocol) and analyzes data that is sent to the internet - web mails (Gmail, Yahoo Mail etc.), HTTP requests (Google search, Yahoo search, Bing). The server has the ability to deny confidential data being sent over web mail or searched for on Google.
    2) Network Prevent Mail - The server connects to the company's MTA (Mail Transfer Agent) and analyzes all the mail being sent out of the organization. The server has the ability to deny confidential data being sent over mail, or a feature that adds a string to the header for the MTA to encrypt the mail.

    Data Loss Prevention Network Discover/Protect - The same detection features with a twist. Network Discover analyzes storage locations (databases, SharePoint, network attached storage etc.) over the network and finds confidential data. The Protect add-on has the ability to copy the confidential data and also a quarantine feature that allows you to cut the file to another place and leave a marker suggesting that the data has been transferred.

    Data Loss Prevention Endpoint Discover/Protect - The same detection features with a twist. Endpoint Discover analyzes the endpoint computers and finds confidential data. The Protect add-on has the ability to block any attempts to send the data over the internet or copy the files to USB devices and more.

    Now to your question: sharing responsibilities is not an option, since the detection servers have different designations. You could create the same policy and send it over to a couple of servers, and they will operate according to that policy, but the places in which they would be able to enforce those policies are up to the server designation.

    Naor Penso


  • 3.  RE: DLP Servers and Infrastructure

    Posted Nov 18, 2009 12:38 PM
    Actually, sharing responsibilities is absolutely an option -- you can run Vontu / Symantec DLP in a 1 tier, 2 tier, or 3 tier (n tier) configuration. For example, you can run Vontu Enforce, the Oracle database, and a Network Discover detection server on a single logical machine. If you want to break out a separate Network Monitor detection server, a separate Endpoint Discover/Protect server, etc. you can do that.

    -- Sean Steele, CISSP, CISA
    Sr. Security Consultant, infoLock Technologies
    877.610.5625 x219 direct
    202.270.8672 mobile
    ssteele@infolocktech.com


  • 4.  RE: DLP Servers and Infrastructure

    Posted Nov 19, 2009 11:45 AM

    You are partially correct.
    You can choose from 3 different implementations:
    1) single tier: Vontu Enforce, Oracle DB and a detection server on the same server
    2) two tier: Vontu Enforce and Oracle DB on the same server
    3) three tier: all are on different servers.

    But YOU CAN'T install 2 detection servers (Vontu Network Prevent and an endpoint server, for example) on the same server.
    I think that this is what JamieMurdock meant.

    Naor Penso