Data Loss Prevention R71. Release Notes

Size: px

Start display at page:

Download "Data Loss Prevention R71. Release Notes"

Ashley Douglas
5 years ago
Views:

1 Data Loss Prevention R71 Release Notes 19 September 2010

2 2010 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice. RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS and FAR TRADEMARKS: Refer to the Copyright page ( for a list of our trademarks. Refer to the Third Party copyright notices ( for a list of relevant copyrights and third-party licenses.

3 Important Information Latest Version The latest version of this document is at: For additional technical information, visit the Check Point Support Center ( Revision History Date Description 19 September 2010 Updated supported platforms for UserCheck client ("DLP Supported Platforms" on page 8) 12 September 2010 Added limitation: Bond HA or Bond LS (including Link Aggregation) is not supported in combination with bridge interfaces ("Configuring DLP in Bridge Mode" on page 12). 12 July 2010 Improved formatting and document layout. 13 June 2010 Improved explanation of Configuring Windows and Exchange Server ("Configuring Exchange and Win Server" on page 10). 25 April 2010 First release of this document. Feedback Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:cp_techpub_feedback@checkpoint.com?subject=feedback on Data Loss Prevention R71 Release Notes).

4 Contents Important Information... 3 Introduction... 5 DLP Features... 5 Check Point Advantages... 6 DLP and Privacy... 6 DLP Administrator Permissions... 7 Minimum Requirements... 8 DLP Supported Platforms... 8 HTTPS Port for DLP Gateway Management... 8 DNS Required Configuration... 9 Mail Server Required Configuration... 9 Configuring DLP and Relay on DMZ... 9 Configuring DLP Between Internal Mail Server and Internet...10 Configuring Exchange and Win Server...10 Configuring a Dedicated DLP Gateway...10 Configuring Capacity...11 Configuring DLP Gateway with Web Proxy...11 Configuring Portal Certificate...11 Configuring DLP in Bridge Mode Required Routing in Bridge Mode...12 Configuring Bridge IP Address...12 Required VLAN Trunk Interfaces...12 Upgrading DLP Gateway Configuring Localization of DLP... 13

5 DLP Features Introduction Welcome to Check Point Data Loss Prevention. Check Point Revolutionizes the DLP Market by moving from Detection to Prevention of Data Loss Incidents. Prevents data loss of critical business information Stops sending or uploading sensitive information outside the organization. Network-based solution prevents breach of corporate data sharing policies intentional or unintentional. Provide easy compliance with data protection standards (such as PCI-DSS, HIPPA, GLBA, SOX, etc). Combines technology and processes to make DLP work Innovative MultiSpect data classification engine combines users, content and process into accurate decisions. New UserCheck technology empowers users to remediate incidents in real time. Self-educating system does not require IT/security personnel in incident handling while educating the users on proper data sharing policies. Easy deployment for immediate data loss prevention Implement a preventative DLP solution on your existing gateway in less than one day Leverage over 250 pre-defined policies to create your own policy without the need for costly professional services Get better control and auditing capabilities with centralized security management DLP R71 is deployed as a dedicated gateway on supported platforms. This document contains important information regarding the current release. Before installing DLP, also review these documents: R71 Release Notes ( R71 Known Limitations ( DLP Features Provides an overall non-intrusive and reliable deployment. Prevents data loss without disrupting work. Detects real issues, based on flexible, easily customized data type recognition including: out-of-the-box Rule Base, rich set of placeholder types, wizard for new types, easily managed Fuzzy Logic types. Educates users to prevent the vast majority of incidents - unintentional data leakage - with the unique UserCheck feature. Notifies Data Owners to enable easier accountability. Captures specific data for DLP administrator to review, without demanding undue exposure to sensitive data. Integrates human context into the automated system. Matches data by Rule Base, similar to Check Point firewall, easily customized for different parameters. Offers several deployment options to fit different organizations. Identifies internal organization based on existing Active Directory, and allows for DLP between internal groups. Provides MultiSpect for greater accuracy: Introduction Page 5

6 Check Point Advantages CPcode-based data types - Open Scripting Language offering unmatched flexibility. Complex data recognition through AND, OR, and NOT matches. Management flags for data types and rules. Check Point Advantages DLP is a Software Blade in the Check Point solution, giving trustworthy Data Loss Prevention. The automation of DLP removes the burden from IT and promotes best practice guidelines. DLP is able to recognize more data and more different types of data, to a greater granularity and flexibility in fine-tuning for your own needs, than any other offering. It supports several means of identifying data, beyond keyword and regular expressions. In addition to a number of more complex matches, easily created and managed through wizards and the DLP management GUI, you can create data types (data identification components) based on the open CPCode syntax. DLP comes with a large set of built-in data types, including out-of-the-box recognition of Credit Cards, HIPPA, PCI, and many others. Thus, you have functional and trustworthy data recognition and transmission matching on day 1 of deployment. DLP generates only relevant alerts and caches user actions for one-ask per thread, saving you hours of unnecessary repetitive manual checks. With the flexibility of DLP, you can fine-tune the day 1 deployment to real, relevant, and non-intrusive Prevention within a relatively short time. You won't need outside analysis or a security team to perform manual reviews. The unique user integration of the UserCheck feature into the automated solution provides cost effective and quick deployment. DLP does not rely on proxies. DLP and Privacy DLP captures original data that caused a rule match, including the body of the transmission and attached files. We recommend that you disclose to your users how your DLP deployment works. Tell users that transmissions that violate the data security guidelines of your organization will be stored and may be read by security personnel. Information disclosure recommendations: 1. Disclose the privacy policy BEFORE deploying DLP. 2. Translate the most important DLP rules into guidelines and tell your users what is not allowed and will result in captured transmissions. 3. Explain that DLP scans only transmissions originating from computers inside the organization (including any source that uses organization resources, such as Remote Access or VPN connections). 4. Explain how to handle Ask User violations. Notifications to users of DLP incidents can be sent by (for SMTP traffic) or displayed in a popup from the Check Point UserCheck client in the system tray (for SMTP, HTTP, FTP, etc). If the incident of the notification is in Ask User mode, the user can click the Send or Discard link in the popup of Check Point UserCheck to handle the incident in real-time. Important - Make your users are aware of the purpose of the Check Point UserCheck client: handle the DLP options directly from the popup. If the user exits the client, the alternative web page that provides the Ask User options may not function. 5. Explain that captured transmissions will be logged and saved, and that some may be reported to managers (Data Owners). 6. Explain that captured s, attachments, web posts, etc. will be available for review by security personnel. 7. Explain that review of original transmissions is for organization data security alone - you are not collecting personal information. Therefore, your users do not have, nor require, the option to not have their transmissions scanned. Introduction Page 6

7 DLP Administrator Permissions 8. Make sure that you maintain your guidelines: do not keep or use original transmissions for any use other than review of DLP incidents and rules. DLP Administrator Permissions With specific permissions, a DLP administrator can view logs and captured data (the actual , FTP files, HTTP posts, and so on). Without these permissions, some data will be hidden, and the administrator will not have access to the captured data itself. Important - To create an administrator account that has DLP permissions, you must give full permissions over all Check Point software blades. To configure permissions for the DLP administrator: 1. From the Manage menu, select Users and Administrators. 2. Select the administrator account or click New > Administrator to create a new administrator user account. The Administrator Properties window opens, displaying General Properties. 3. Click New next to the Permissions Profile field. The Permissions Profile Properties window opens. 4. Make sure Read/Write All is selected. 5. Select Manage Data Loss Prevention. 6. Click OK. Introduction Page 7

8 DLP Supported Platforms Minimum Requirements In this section DLP Supported Platforms 8 HTTPS Port for DLP Gateway Management 8 DNS Required Configuration 9 Mail Server Required Configuration 9 Configuring a Dedicated DLP Gateway 10 Configuring Capacity 11 Configuring DLP Gateway with Web Proxy 11 Configuring Portal Certificate 11 DLP Supported Platforms The dedicated DLP Gateway is supported on: DLP DLP SecurePlatform Open Server, with these minimum requirements: Intel Xeon processor 5100 series CPU equivalent or higher, at least 2 cores 4GB RAM 250 GB Hard disk The UserCheck client application is supported on these Microsoft Windows platforms: XP Pro (SP3) Server 2003 (SP1-2) Vista (SP1) 32-bit Server 2008 (SP1) Windows 7 32-bit and 64-bit HTTPS Port for DLP Gateway Management Connectivity with other components Check Point Data Loss Prevention is a Software Blade. It needs connectivity to a Security Management Server and a SmartDashboard. You need a Check Point gateway for DLP, or a DLP-1 appliance. You will also probably have a protecting VPN Security Gateway in front of the DLP gateway. The environment must include a DNS. Required port for dedicated DLP deployment The port for DLP gateway on SecurePlatform, for the HTTP WebUI Management, is HTTPS 4434, and not 443 as is default for other Security Gateways. Minimum Requirements Page 8

9 DNS Required Configuration DNS Required Configuration The environment must include a DNS. If you use an IP address instead of a DNS name, s sent to users to notify of incidents will contain URLs with that IP address. Some clients may consider URLs with IP addresses to be possible phishing s and will then issue a warning and disable the links. To prevent this, use a DNS name, not an IP address. Mail Server Required Configuration DLP rules have different action settings. Action Detect Description The data transmission event is logged in SmartView Tracker. Administrators with permission can view the data that was sent. The traffic is passed. Inform User Ask User Prevent The transmission is passed, but the incident is logged and the user is notified. The transmission is held until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision is logged and can be viewed under the User Actions category in SmartView Tracker. The data transmission is blocked. When you begin to add or set Data Owners to be notified, a mail server becomes a required component of the DLP system. The DLP gateway sends mail notifications to users and Data Owners, so the gateway must be able to access the mail server as a client. The mail server must be able to act as a mail relay. This allows users to release (Send) s that DLP captured on Ask User rules. The mail server must be configured to trust the DLP gateway. Consult with your mail server vendor or documentation. Configuring DLP and Relay on DMZ A specific configuration for the DLP gateway is required if these are all true: The DLP gateway and the mail relay that handles SMTP traffic leaving the organization are in the DMZ zone. Use of this mail relay is one of the following: There is a mail server inside the internal network, such as Exchange, that relays its outgoing SMTP traffic through the mail relay. Users clients are configured to work directly with the mail relay. The DLP Policy works only on SMTP. If this is true, configure the DLP gateway to recognize the mail server as internal to My Organization and the relay in the DMZ as external. To configure the DLP and Relay in the DMZ: 1. Open the Data Loss Prevention tab in SmartDashboard. 2. Open My Organization. 3. In the Networks area, select These networks and hosts only and click Edit. The Networks and Hosts window opens. Minimum Requirements Page 9

10 Configuring a Dedicated DLP Gateway 4. Click Add. If the Internal Mail Server is already defined as a Check Point network object, select it from the list. Otherwise, click New and define it as a Host. 5. Click OK. 6. Repeat steps to add other Internal Mail Servers. 7. If users clients are configured to work directly with the mail relay that is located in the DMZ using SMTP, add their networks. Select user networks from the list (or click New to define these networks) and then click OK. 8. Do Install Policy on the DLP gateway. Configuring DLP Between Internal Mail Server and Internet If the DLP gateway sits between an internal mail server and an internal mail relay going outside the organization, no more configuration is needed. Verify that the interface leading to the mail relay is configured as external. A mail relay will resend s using the next DNS MX record mail server, if the first send did not succeed. Different mail servers treat send failures in different ways. Some will try the next MX if the destination is unreachable. Other mail servers will try the next MX if the target server returns a 4xx SMTP error. If the DLP gateway sits in front of a mail server that does not automatically try the next MX on a 4xx error (such as Mcafee IronMail, postfix 2.0 or earlier and qmail), the mail will not be sent. If you can configure your internal mail server to re-send on 4xx, you do not need more configurations. If you cannot perform this configuration, deploy the DLP gateway to be an intermediate between two internal mail servers. For example, put the DLP gateway in the DMZ with the relay server ("Configuring DLP and Relay on DMZ" on page 9). Configuring Exchange and Win Server Sometimes, some of the s stay in the outgoing queues of the outgoing mail server longer than expected. This may happen after Ask User or Prevent actions are done on a previous . You can assume this is the case if any of these symptoms are true: You notice that s are delayed at the outgoing mail server for up to 60 seconds. Users notice that Check Point UserCheck client notification displays are delayed for up to 60 seconds. To fix this issue: You must configure the outgoing mail server to repeat connecting to the external mail servers more frequently by lowering the "glitch retry interval". For Windows server and Exchange servers, these Microsoft Knowledge base articles explain how to do this: For Windows Server 2003 and Exchange Server 2003: ( For Exchange Server 2007: ( Configuring a Dedicated DLP Gateway Enable Data Loss Prevention on a Check Point DLP gateway of version or above. To configure a dedicated DLP-1 appliance: 1. Create a new DLP-1 object: Network Objects > Check Point > DLP-1 gateway. 2. Complete the DLP Blade wizard. To configure a dedicated DLP gateway on an Open Server: 1. In SmartDashboard, open the properties window of the gateway. 2. In General Properties, click Communication and initialize the SIC; or in the Platform area, select the R71 version. 3. Select the DLP Software Blade. Minimum Requirements Page 10

11 Configuring Capacity The DLP Blade wizard opens. 4. Complete the wizard. Configuring Capacity The DLP gateway has a setting: Maximum concurrent connections. By default, this is 25,000. When you prepare for DLP gateway installation, make sure that the value of this setting fits your environment. To change this setting: 1. Configure the DLP gateway as a Check Point network object in SmartDashboard. 2. Open its properties (double-click the DLP gateway object). 3. On the left pane of the properties window, click Capacity Optimization. 4. Change Maximum concurrent connections as needed. 5. Do Install Policy on the DLP gateway. Configuring DLP Gateway with Web Proxy If you have a web proxy between the DLP gateway and the Internet, configure the gateway to allow HTTP/HTTPS traffic through the proxy. Only one proxy can be configured for DLP. If you have more than one proxy configured, the DLP gateway should be located after all the proxies. Note - HTTPS traffic is not scanned by DLP. To allow HTTP/HTTPS traffic to pass through the web proxy: 1. In SmartDashboard, open the properties window of the DLP gateway object and then open the Authentication page. 2. Select Use Next Proxy. 3. In the Host IP field, enter the IP address of the web proxy server. 4. In the Port field, enter the listening port of the web proxy server. 5. Click OK. Configuring Portal Certificate The DLP gateway uses a self-signed certificate that is generated during installation for the DLP Portal. The certificate should be generated with the DNS name of the DLP Portal as defined in Data Loss Prevention > DLP Portal of the gateway properties window. To replace the default certificate with a custom certificate: 1. Open the $DLPDIR/portal/apache/ssl directory. 2. Replace server.crt and server.key with your certificate and key files. 3. Restart the DLP Portal: a) Run $DLPDIR/scripts/dlpportalstop b) Run $DLPDIR/scripts/dlpportalstart Minimum Requirements Page 11

12 Required Routing in Bridge Mode Configuring DLP in Bridge Mode You can deploy DLP in bridge mode, with the requirements described in this section for routing, IP address, and VLAN trunks. Note the current limitations: In an environment with more than one bridge interface, the DLP gateway must not see the same traffic twice on the different interfaces. The traffic must not run from one bridged segment to another. Inter-bridge routing is not supported. This includes inter-vlan routing. Routing from the bridge interface to a Layer3 interface, and from Layer3 interface to the bridge, is not supported. Traffic on the bridge interface must run through the bridge or be designated to the DLP gateway. If the DLP gateway in bridge mode is behind a cluster, the cluster must be in HA mode. If the bridge interface is connected to a VLAN trunk, all VLANs will be scanned by DLP. You cannot exclude specific VLANs. Bond High Availability (HA) or Bond Load Sharing (LS) (including Link Aggregation) is not supported in combination with bridge interfaces. Required Routing in Bridge Mode There must be routes between the DLP gateway and the required servers: Security Management Server DNS server Mail server, if an SMTP Relay server is configured to work with the gateway There must be a default route. If this is not a valid route, it must reach a server that answers ARP requests. Configuring Bridge IP Address The bridge interface can be configured without an IP address, if another interface is configured on the gateway that will be used to reach the UserCheck client and the DLP Portal. If you do add an IP address to the bridge interface after the Security Gateways are started, run the cpstop and cpstart commands to apply the change. Required VLAN Trunk Interfaces A single bridge interface must be configured to bind the DLP gateway for a VLAN trunk. If an IP address is configured on the bridge, the IP address must not belong to any of the networks going through the bridge. Users must have routes that run traffic through the bridge interface of the DLP gateway. The gateway handles this traffic and answers to the same VLAN of the original traffic. In a VLAN trunk interface, another interface must be configured as the management interface for the required bridge routing. Configuring DLP in Bridge Mode Page 12

13 Required VLAN Trunk Interfaces Upgrading DLP Gateway To upgrade from an EA installation of DLP R71 gateway to GA, you must first install the GA version on another machine. On the EA gateway, use the export utility to export the database, captured data, and configuration files in an archive file. Then use the import utility on the new GA gateway to give it your database, data, and configuration. To upgrade your DLP deployment to R71 GA: 1. Install R71 GA on a clean gateway computer. 2. Copy the $DLPDIR/upgrade/dlpexport executable from the GA gateway to the EA gateway. 3. On the EA gateway, run the executable:./dlpexport The export will take several minutes, depending on the size of the captured data. It copies the database, the captured data, and specific configuration files. 4. Move the output file to the GA gateway. 5. On the GA gateway, run the import script: $DLPDIR/upgrade/dlpimport path_imported_file The copied imported file pathname can be relative or absolute. The import may also take several minutes. 6. Note the output of the import script. There may be some user action required. If you customized configuration files during EA, the script will tell you which files you should consider changing in the GA to match the customizations. Be careful about duplicating the configurations. We recommend that you consult with Check Point Technical Support. In other steps, the import script will ask you questions about how to proceed. Stay with the import process until it is done. 7. When prompted, reboot the GA gateway. Configuring Localization of DLP These procedures explain how to localize backend files to display user-related notifications in the language you want. Note - Even without these configurations, DLP can detect different languages in the data that it scans. This procedure assumes you have localized the dictionary and notification files. For more information on the files to change, see the R71 Data Loss Prevention Administration Guide ( To localize notification text in SmartDashboard: 1. Open SmartDashboard > Data Loss Prevention. 2. From the categories on the left, select Policy. 3. In a rule that has notification as part of the Action, right-click Action and select Edit Notification. 4. Change the notification for the relevant language. 5. To apply the changes, do Install Policy on the DLP gateway. Note - Although, the notification messages that you localize in SmartDashboard will be displayed in the appropriate language in the UserCheck client, some text is static and will remain in English. Important - Changes in the files will be lost when you upgrade to the next version. We recommend you maintain a copy of the all changes files, to overwrite upgraded files in English. Upgrading DLP Gateway Page 13

Data Loss Prevention. R75.40 Hotfix. Getting Started Guide. 3 May Classification: [Protected]

Data Loss Prevention. R75.40 Hotfix. Getting Started Guide. 3 May Classification: [Protected] Data Loss Prevention R75.40 Hotfix Getting Started Guide 3 May 2012 Classification: [Protected] 2012 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are