Data Loss Prevention


How to monitor OCS on network level?

  • 1.  How to monitor OCS on network level?

    Posted Oct 25, 2011 03:32 AM

    Hi everyone; I would like to find out if it is possible to monitor OCS (Office Communicator) traffic at the network level (using a network monitor appliance).

    Client - server communication or server - server communication monitoring will be the options.

    I see IM MSN, IM Yahoo Messenger, but no OCS in the protocols list.

    Regards;

     

    Ferhat



  • 2.  RE: How to monitor OCS on network level?

    Posted Oct 25, 2011 08:52 AM

    What version of DLP are you talking about?

     

    Does OCS have a defined protocol or port that it communicates over?

     

    Are you using the Endpoint Agent and could define a custom application?



  • 3.  RE: How to monitor OCS on network level?

    Broadcom Employee
    Posted Oct 26, 2011 03:44 AM

    Hi, Ferhat,

    If you are using DLP V11, then, the Microsoft Office Communicator is already in the Application Monitoring list:

    If you are using DLP V10.x, then, add the Microsoft Office Communicator into the list manually:

     



  • 4.  RE: How to monitor OCS on network level?

    Posted Oct 31, 2011 11:51 AM

    Hi Yang_zeng;

    Thank you for the answer.

    We are using V10 at the moment, and I'm looking for a network level solution. So the agent level proposition will not work for me.

    And jjesse, also thank you for the answer. As far as I can find, OCS uses SIP for client communication.

    I think a manual policy creation will be needed.

     



  • 5.  RE: How to monitor OCS on network level?

    Posted Apr 20, 2012 08:39 AM

    Hi

    Saw this post, actually the only one concerning OCS or Lync, and wanted to know if and how you solved this?

    We also want to monitor the file transfers over the Lync FTA protocol but can't get it working properly.

    If anyone has any idea how this is done, please let us know.

     

    Thanks



  • 6.  RE: How to monitor OCS on network level?

    Posted Apr 21, 2012 01:45 PM

    So please forgive me as I'm not as familiar with the configuration of standing up MS OCS or LYNC, but don't these operate in the same manner as many systems before, the client talks to the server inside your environment? Based on the multiple network segments you would have, it sounds like this would be a VERY difficult task to trace down one point where you can see all this traffic (further complicated if there is redundancy or load balancing) to process.

    In most cases this would better be handled by the Agent as it could analyze the documents or sensitive content on the endpoint device. The other question would be, what is the use case to monitor files internally? If it's to stop cross-departmental communication of sensitive content, then again this is a better case where you would want the Agent to help solve that issue because it can handle both this as well as other internal use cases that Network coverage may not.

    The root cause for the Network coverage would be to really cover anything sensitive leaving. Many times we work with customers to really understand what the problem they're trying to solve is, because it may be something that was brought up, but not actually critical to protect (insider to insider information for example).

    Lastly, based on the fact that you are on V10, I would say the likelihood of the network engine to understand that protocol may be a bit degraded as both OCS and LYNC are newer MS products using newer protocols.



  • 7.  RE: How to monitor OCS on network level?

    Posted Apr 23, 2012 02:48 AM

    The way our customer has set up Lync is that they can create connections to other Lync systems and even send out invites to external parts that is a one time initiation for ex. conferencing. That's where the problem lies.

    I have looked at the agent but since, at least from what I know of, you can't monitor JUST that one application. It's on/off for all application monitoring and we really don't want to monitor all others at the moment.

    We're actually on version 11.5.1 so that wouldn't be a problem.



  • 8.  RE: How to monitor OCS on network level?

    Posted Apr 23, 2012 09:26 AM

    Ok, that makes a little more sense then. I wasn't aware that OCS and LYNC had more extensible capabilities in this area to communicate externally. Good to know.

    In regard to the agent, this is incorrect. As Yang Zhang pointed out above, the application monitoring will allow you to select OCS. If you want to add a custom application (LYNC), you can specify this as well. You have the ability to check off which applications will be monitored however, so you can disable the others that you don't want to monitor. I would suggest setting up a test machine and verifying this internally for yourselves to be comfortable with it.



  • 9.  RE: How to monitor OCS on network level?

    Posted Apr 24, 2012 08:50 AM

    The capability to communicate externally is an additional feature MS added. License cost included though, I think.

    No, I didn't mean that you can't select applications like that. I know I can close features to monitor only what I want. What I meant was that you can't really pinpoint different apps for different policies. Though that would be a much welcomed feature.

    I've also dug a bit deeper myself and it seems that the Lync traffic is all TLS and it is not possible to monitor this without some decrypting tool that MS has. Too much hassle, so I'll go with the agent bit as well.

    Thanks for the information Shawn.
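
An added illustration, not part of the thread or of the DLP product: a Python sketch of how the first payload bytes of captured TCP flows show whether SIP signalling is cleartext, and so readable by a network monitor, or wrapped in TLS as the post above found for Lync. The flow identifiers, addresses and payloads are constructed samples.

```python
import re
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_TLS_RECORD = 2**14 + 2048  # upper bound on an encrypted record's length field

# SIP start lines (RFC 3261): "METHOD uri SIP/2.0" or "SIP/2.0 code reason"
SIP_REQUEST = re.compile(rb"^[A-Z]+ \S+ SIP/2\.0\r\n")
SIP_RESPONSE = re.compile(rb"^SIP/2\.0 \d{3} ")


def classify(payload: bytes) -> str:
    """Classify the first bytes one direction of a TCP stream carries."""
    if len(payload) < 5:
        return "too-short"
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= MAX_TLS_RECORD):
        return "tls"  # content is opaque to a passive monitor
    if SIP_REQUEST.match(payload) or SIP_RESPONSE.match(payload):
        return "sip-cleartext"  # headers and bodies can be inspected
    return "unknown"


def group_flows(flows: dict) -> dict:
    """Group flow ids by classification so coverage gaps are visible."""
    result = {}
    for flow_id, first_bytes in flows.items():
        result.setdefault(classify(first_bytes), []).append(flow_id)
    return result


# Constructed sample flows (hypothetical addresses, hand-built payloads).
SAMPLE_FLOWS = {
    # TLS handshake record header followed by filler bytes
    "10.0.0.5:50112->10.0.0.20:5061":
        bytes.fromhex("160301002f0100002b0303") + b"\x00" * 36,
    "10.0.0.6:50200->10.0.0.20:5060":
        b"MESSAGE sip:bob@example.test SIP/2.0\r\n"
        b"Content-Type: text/plain\r\n\r\nhello",
    "10.0.0.20:5060->10.0.0.6:50200": b"SIP/2.0 200 OK\r\n\r\n",
    "10.0.0.7:50300->10.0.0.30:8080": b"GET / HTTP/1.1\r\n\r\n",
}

if __name__ == "__main__":
    for kind, ids in sorted(group_flows(SAMPLE_FLOWS).items()):
        print(f"{kind}: {len(ids)} flow(s)")
```

Flows that land in the `tls` group are the ones a passive network monitor cannot read without decryption, which is where endpoint-side inspection takes over.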



  • 10.  RE: How to monitor OCS on network level?

    Posted Apr 25, 2012 08:34 AM

    Ahh, ok yes. We have had customers asking for features like that. I believe some enhancements to that functionality are in the works. No solid timeline information unfortunately, but rest assured the sentiment is shared and has been heard by PM from customers.

    Interesting. I had a feeling MS would start using some type of encryption on their chat protocols to help secure the platform. Good information to have, thank you.

    Glad I could be of help!