Ipswitch MOVEit File Transfer (DMZ)

Size: px

Start display at page:

Download "Ipswitch MOVEit File Transfer (DMZ)"

Lorin James
6 years ago
Views:

1 Secured by RSA Implementation Guide for RSA DLP Network Partner Information Last Modified: August 28 th, 2014 Product Information Partner Name Ipswitch Web Site Product Name Version & Platform 8.1 Product Description is an automated file transfer system that lets you manage, view, secure and control all activity through a single system. You will always know where your files are with predictable, secure delivery and extensive reporting. MOVEit reduces the need for IT hands-on involvement.

Solution Summary Content Scanning is an option that allows MOVEit File Transfer DMZ to control what data is sent to and from a MOVEit system based on the content of the data.

2 Solution Summary Content Scanning is an option that allows MOVEit File Transfer DMZ to control what data is sent to and from a MOVEit system based on the content of the data. This process protects a user's system from being infected by viruses or from losing or accepting critical data, typically when MOVEit DMZ is separated from the main system by a firewall. MOVEit DMZ will forward the data using Internet Content Adaptation Protocol (ICAP) to a user's Anti-Virus (AV) server and/or Data Loss Prevention (DLP) server before it completes the transmission. Depending on the results returned by the server(s), MOVEit will allow or block the transmission. Users must install and configure the AV and/or DLP servers separately. Different scanning servers may have different capabilities. A server may be configured to do AV, DLP or both. You can configure MOVEit to communicate with multiple different AV and DLP servers. You enable scanning at the system level, but you can have only one AV and one DLP server enabled at a time. You can then disable a specific AV or DLP process at the organization level. Partner Integration Overview User Actions Supported Remediation Actions Available Upload, Download, Copy, Move, Ad Hoc Send Allow, Block, Quarantine - 2 -

3 Partner Product Configuration Before You Begin This section provides instructions for integrating Ipswitch with RSA Data Loss Prevention (DLP) Suite. This document is not intended to suggest optimum installations or configurations. It is assumed that the reader has both working knowledge of all products involved, and the ability to perform the tasks outlined in this section. Administrators should have access to the product documentation for all products in order to install the required components. All Ipswitch products/components must be installed and working prior to the integration. Perform the necessary tests to confirm that this is true before proceeding. Configuring the Ipswitch There are three major tasks to complete adding the Data Loss Prevention (DLP) scanning in MOVEit DMZ. Configuring Content Scanning for DLP for your MOVEit System Configuring DLP Scanning for a MOVEit Organization Testing Data Transmissions with DLP Content Scanning Enabling the content scanning option causes MOVEit DMZ to scan uploaded files as follows: The size of the file, if known, must be less than the configured maximum. Files larger than this maximum size are entered into the MOVEit DMZ filesystem without being scanned. Files are scanned during the upload and are not entered into the MOVEit DMZ filesystem until the content scanner returns an indication that the file is not blocked for the user that is uploading the file. If the file violates a DLP policy, it will be processed according to the MOVEit policy and rulesets, and the user attempting to upload will receive an error message. Note that if a virus is found during a concurrent anti-virus scan, the file is automatically blocked from upload. If the ICAP server connection fails or the connection limit is exceeded, or if for some reason the file cannot be scanned, the upload will be rejected and the user will receive an error message. There is no support for re-scanning files, or scanning on downloads. The ability to download files is based on the results of the scan when the file was uploaded and rights for the user attempting the download. Quarantined files may be cleared for download under special circumstances. Configuring Content Scanning for DLP for your MOVEit System The Content Scanning feature sends incoming data from file transfers and Ad Hoc transfers, including subject, note/body and attachments, to the RSA Data Loss Prevention (DLP) server before MOVEit DMZ determines whether to complete the transmission. MOVEit DMZ uses the ICAP protocol to submit incoming data to the DLP server. The DLP server applies configured data protection policies as it scans the data. When the DLP server returns its response, MOVEit configurations determine whether to block, quarantine or allow the transmission. MOVEit logs all DLP policy violations returned by the DLP server. Repeat the following task for each organization in your MOVEit system that will use DLP content scanning. Perform the following procedures: 1. Log on to MOVEit DMZ as a system administrator, typically SysAdmin. 2. In the left pane, click Settings. 3. In the right pane for Settings, under System > Content Scanning, click Anti-Virus/DLP. 4. To add a scanner, click the Add Content Scanner button

4 The Configure Content Scanning Settings page appears: 5. For each DLP application you want DMZ to access, complete the fields: Scan uploads: Yes means content scanning is enabled for the MOVEit DMZ system, for all organizations. No means content scanning is disabled for all organizations on the system. Name: This is a user-defined name for the content scanning activity, such as DLP scan. Server URL: This is the address of the RSA DLP ICAP server. This address requires the prefix icap:// (for example: icap://rsa_icap_srv:1344/srv_conalarm) Server Type: Use the default setting of - Auto Detect - or select the type of DLP server from the list of supported types. Server allows "204" responses: The default setting Yes will allow faster scanning, as the 204 response allows the server to return an updated header without body data. Maximum file size to scan: The default setting of 15 MB (recommended) means that uploaded files that exceed 15 MB in size will not be fully scanned. MOVEit DMZ does not exclude files larger than the size selected, it actually scans up to the size selected on all files. IF no problem is found in the partial scan, the file is allowed into the DMZ filesystem. If you do not want to have a maximum size for file scanning, enter 0 for this option. Server connection timeout: The default setting of 5 seconds means that if MOVEit DMZ cannot establish a connection with the scanning server within 5 seconds, a connection failure occurs. MOVEit DMZ will attempt to connect again until the maximum number of server connection tries is reached. Server send timeout: The default setting of 30 seconds means that if MOVEit DMZ cannot send to the anti-virus server within 30 seconds, a connection failure occurs. MOVEit DMZ will attempt to connect again until the maximum number of server connection tries is reached

5 Server receive timeout: The default setting of 30 seconds means that if the DLP server cannot receive from MOVEit DMZ within 30 seconds, a connection failure occurs. MOVEit DMZ will attempt to connect again until the maximum number of server connection tries is reached. Server connection tries: The default setting of 3 means that MOVEit DMZ will try up to 3 times to create the initial connection to the anti-virus server. Change Content Scanning: After making any entries or changes, click this button to apply the changes. Test Content Scanning: Tests the DLP capability by sending a known fake infected file (EICAR.COM) to the ICAP server and ensuring that the file is marked as infected or ensuring that the DLP server was contacted successfully. (To avoid problems with other AV packages that may be running on the system, the EICAR is stored encrypted.) Before testing, be sure to save any changes to the settings by clicking the Change Content Scanning button. 6. Click Change Content Scanning button. Important: You can set Scan Uploads to Yes for only one DLP scanner at a time. That is, only one DLP scanner can be enabled on your system at any given time. 7. Click the Test Content Scanning button to make sure the connection to the scanner works. Configuring DLP Scanning for a MOVEit Organization Repeat this task for each organization in your system that will use DLP content scanning. Perform the four basic procedures below: Enable Content Scanning for the organization. Create rulesets, which determine how MOVEit handles files that violate one or more DLP server policies. They can be applied at the user-class level or user level. Create rules for a ruleset to define the action MOVEit DMZ will take for a specific DLP policy or set of matching policies. Assign DLP rulesets to user classes, which will act as defaults for newly created users. To enable content scanning for an organization, proceed as follows: 1. Log on to MOVEit DMZ as an Organization administrator. 2. In the left pane, click Settings. 3. In the right pane, under Security Policies > Content Scanning, select Data Loss Prevention (DLP). 4. Under Edit Data Loss Prevention (DLP) Settings, click Yes to enable Content Scanning for the organization. This affects the DLP server that is currently enabled for the system. 5. Click Change DLP Settings. To continue and create rulesets and their rules, proceed as follows: - 5 -

6 6. In the right pane, under Configure DLP Rulesets, click the Add DLP Ruleset button. The Add DLP Ruleset pane appears. 7. Complete the fields: Name: Name of the ruleset. Description: Description for a Ruleset. Default Action: Action to invoke when one or more violations are found in the data by the DLP scanner, but none of the rules in the ruleset match the violations reported to MOVEit: Block: Terminates transmission. Quarantine: Upload will be allowed, but Download will not be allowed. Files will be tagged, and an audit log entry will be recorded indicating that the file violates one or more DLP policies. Files may be untagged later, at which point normal permissions will take effect. Allow: Transfer (upload and download) will be allowed, and files will be tagged. An audit log entry will be recorded indicating that the file violates one or more DLP policies. Add Ruleset: Displays the Edit DLP Rules section so you can specify one or more matches against DLP policies that will be applied. 8. Click Add Ruleset. 9. In the right pane, under Edit DLP Rules, click Add DLP Rule

7 The Add DLP Rule pane appears. 10. For each rule in the ruleset, complete the fields: Policy Mask: Values entered that MOVEit uses when it scans the information returned from the DLP scanner to determine if there was a policy violation. Best practice is to use the asterisk wildcard on either side of a value so it matches a significant value within the response, for example *SSN*. Note: This value must match a value in the response data returned by the DLP scanner. This is a typically the name of the policy from the scanner. However, some DLP systems allow users to specify text to be returned, so the value might depend on how your DLP system is configured. For example, if you use *SSN* as the mask, and your scanner returns SSN as part of the data associated with that type of policy violation, MOVEit will apply the appropriate action for that violation.. Policy Action: Action to take if there is a violation of the policy. Block: Terminates transmission. Quarantine: Upload will be allowed, but Download will not be allowed. Files will be tagged, and an audit log entry will be recorded indicating that the file violates one or more DLP policies. Files may be untagged later, at which point normal permissions will take effect. Allow: Transfer (upload and download) will be allowed, and files will be tagged. An audit log entry will be recorded indicating that the file violates one or more DLP policies. Comment: Information pertinent to this particular policy mask. 11. Click Add Rule. Success or error messages appear in the ribbon at the top of the pane. 12. When you have added all the rules for this ruleset, click Return to DLP Ruleset. 13. To create additional rulesets and their rules, repeat steps 1 through

To continue and assign DLP rulesets to user classes, proceed as follows: 1. Under the Edit User Class DLP Rulesets section, for a user class display the drop-down list of rulesets you configured. 2.

Note: This will apply to all uses in the class, including those for whom a ruleset was applied at the user level. 5. Repeat steps 1 through 4 for each user class.

8 To continue and assign DLP rulesets to user classes, proceed as follows: 1. Under the Edit User Class DLP Rulesets section, for a user class display the drop-down list of rulesets you configured. 2. Select the ruleset that you want to use for that user class. 3. Click the Change Ruleset button for that user class. 4. A confirmation pane appears. Click Yes to confirm the change. Note: This will apply to all uses in the class, including those for whom a ruleset was applied at the user level. 5. Repeat steps 1 through 4 for each user class. To continue and assign rulesets to specific users, which overrides the ruleset assigned to the user class for that user, proceed as follows: 1. In the left pane, click Users. 2. In the right pane, select the appropriate user. 3. In the right pane, for the User Profile, under User Settings > DLP Ruleset, click Change Ruleset. 4. From the Change DLP Ruleset pane, click the drop-down list, and select the appropriate ruleset for this user

9 5. Click Change DLP Ruleset. You should now be able to test your configuration. Testing Data Transmissions with DLP Content Scanning The following steps are for administrators who configured DLP for an organization to do some initial testing. 1. Create test files with data that violate your DLP policies and with data that will not violate any policies. 2. Log on to MOVEit DMZ as a specific type of user. 3. Upload data by various means, including sensitive and non-sensitive data, also in subject strings and notes/body where possible: Upload your test files to your filesystem. Upload your test files as attachments to packages. Use the Outlook Plug-in to send files as attachments. 4. Review the results, and note the following: a. Attempts to upload data that show DLP violations, should be blocked, quarantined or allowed per the action specified in the ruleset for the uploading user. Files, packages or s that were blocked should not appear in DMZ. Files, packages or s that were quarantined will be uploaded, but Download will not be allowed. Files will be tagged, and an audit log entry will be recorded indicating that the file violates one or more DLP policies. Files may be untagged later, at which point normal permissions will take effect. Files, packages or s that were allowed will be uploaded and tagged. An audit log entry will be recorded indicating that the file violates one or more DLP policies. b. In Folders, for lists of files that were uploaded with DLP policy violations, the DLP policy violation icon appears to the right of the file name, and depending on the rights of the user, the name of the policy or policies that were violated appears. c. In Packages, depending on the rights of the user, the name of the policy or policies that were violated appears following the package information. d. In File Information, depending on the rights of the user, more information about the DLP violation and DLP server appears. e. Administrators can override policy violations on quarantined files, for example in cases where the violation inappropriately blocked the recipient from downloading the file. For a specific file under the File Action section, administrators can click Clear DLP Policy Violations. Scanner Availability If Content Scanning is enabled, MOVEit DMZ checks every few minutes to make sure the enabled AV and/or DLP scanner is available. This is part of the SysCheck routine (see Advanced Topics - System Internals - Scheduled Tasks), which can generate a built-in notification. It first checks the AV scanner and then the DLP scanner. If the either scanner is unavailable, SysCheck sends an message to the Send Errors To address and warns that the MOVEit DMZ server will not be able to transfer files until this situation is addressed. When the scanner becomes available again, SysCheck sends an that states that scanning is now working

Configuring RSA Data Loss Prevention Suite Note: Before you can start utilizing Ipswitch MOVEit File Transfer (DMZ), an RSA DLP Network ICAP Server must be deployed and properly configured.

Once you have deployed the RSA DLP ICAP server, there are a number of steps required to configure the ICAP Server for proper inspection of content: Enabling Detection of Content in URLs Configuring

10 Configuring RSA Data Loss Prevention Suite Note: Before you can start utilizing Ipswitch MOVEit File Transfer (DMZ), an RSA DLP Network ICAP Server must be deployed and properly configured. For instructions, see the RSA DLP Network Deployment Guide. Once you have deployed the RSA DLP ICAP server, there are a number of steps required to configure the ICAP Server for proper inspection of content: Enabling Detection of Content in URLs Configuring Content Blades to Detect Content in URLs and HTTP Forms Enabling Detection of Content in URLs The steps to enable content detection in URLS are as follows: 1. From the RSA DLP Enterprise Manager, select the Admin tab Preferences. 2. Under Network Preferences, select the Detect Content in URLs checkbox. 3. Click Save to preserve your changes

Configuring Content Blades to Detect Content in URLs and HTTP Forms The second step for ICAP configuration is to ensure that for any given policy, the

Select the Policies tab Content Blades Content Blade Manager. 2.

11 Configuring Content Blades to Detect Content in URLs and HTTP Forms The second step for ICAP configuration is to ensure that for any given policy, the associated content blades are configured to detect content in URLs and HTTP forms. To do this, perform the following steps via the DLP Enterprise Manager: 1. Select the Policies tab Content Blades Content Blade Manager. 2. Ensure that (as in the US Social Security Number example provided below) the option to detect content in URLs or HTML forms is Enabled for the given content blade. 3. Save your changes and verify that this option is enabled for any other relevant content blades

12 End User Experience The following screenshot demonstrates what a user would see when receiving sensitive data within. Note: The screenshots provided below are for example purposes only. Individual clients may behave slightly differently in the way they process blocked attachments depending on rules created with MOVEit File Transfer (DMZ)

13 Certification Checklist for RSA Data Loss Prevention Suite Date Tested: August 28 th, 2014 Certification Environment Product Name Version Information Operating System RSA DLP Enterprise Manager (SP2) Windows Server 2008 R2 (x64) RSA DLP Network ICAP Server (SP2) Appliance Ipswitch MOVEit File Transfer DMZ 8.1 Windows Server 2012 Action Upload, Download, Copy, Move, Ad Hoc Send Policy Content Result Allow Binary file with sensitive content Allow Plaintext file with sensitive content Block Block Quarantine Quarantine Binary file with sensitive content Plaintext file with sensitive content Binary file with sensitive content Plaintext file with sensitive content JJO / PAR = Pass = Fail N/A = Non-Available Function

Cisco Systems, Inc IronPort

Cisco Systems, Inc IronPort IronPort RSA Secured Implementation Guide for RSA DLP Network Partner Information Last Modified: December 5 th, 2012 Product Information Partner Name Cisco Systems, Inc Web Site www.cisco.com Product Name