Data Loss Prevention

  • 1.  Various Servers, Same Policies

    Posted May 13, 2014 02:14 AM

    Hello and good morning everyone

    I currently came across a potential situation where I lack the understanding of the possibilities of Symantec DLP.

    In a nutshell:
    An environment containing one server (Enforce and Endpoint Prevent installed on it) is in use and all working well.
    Now, various new branch offices are to be set up. Due to regulations, these offices will not be treated as "internal" and will therefore be denied connection to the current DLP environment. They need to connect to a server in a DMZ network.
    Then again, the currently used environment may not be moved into DMZ due to the DB connection.
    Means: A new server needs to be set up in the DMZ as a "slave" / "secondary" server, only managing the branch office agents and containing / distributing the same policies as the "master" / "primary".

    I tried to visualize the matter in a quick drawing:
    dlp_branches_highlevel_01.png
    Is there any way to achieve this? What is needed effectively to do so?

    Cheers



  • 2.  RE: Various Servers, Same Policies

    Trusted Advisor
    Posted May 13, 2014 02:39 AM

    Hi flutti,

     You are looking for a multi-Enforce system, which is not possible for now with both systems live (it seems to me that a multi-Enforce system should be supported in 12.5, but I am not sure about that). At least this is not a standard product capability.

     If you can't manage a mutual DMZ (for Enforce + DB), it will be quite difficult, as you don't want to share all information between two Enforce servers (detection servers will be different between both).

     You can imagine quite complicated things, such as doing some copy of the database content (manually, via replication or any other means) and updating some content in the "slave" one, or just copying the policy data (in the DB and on the Enforce server). For sure it won't be supported by Symantec and will be quite difficult to manage.

     Regards.



  • 3.  RE: Various Servers, Same Policies

    Posted May 14, 2014 02:25 AM

    Hi Stephane, and thanks for your input.

    Unfortunately, it is absolutely impossible to place the current DLP server (the DB is running on an internal Oracle cluster) in any network other than the one it is in. This is due to confidentiality reasons.

    So in other words: there is no chance of doing this without creating a new environment explicitly for those new locations, even if it does just the same.

    I was really hoping to have the possibility of implementing a new server only managing the connections to the agents.

    Greetings