ndlp_930_pg_e_en-us.pdf - Product Guide Revision E McAfee Data Loss Prevention 9.3.0 For use with ePolicy Orchestrator 4.5 4.6 5.0 Software COPYRIGHT



Product Guide, Revision E
McAfee Data Loss Prevention 9.3.0
For use with ePolicy Orchestrator 4.5, 4.6, 5.0 Software

COPYRIGHT

Copyright © 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS

McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface
    About this guide
        Audience
        Conventions
    Find product documentation

1 Introduction to McAfee Data Loss Prevention
    Understanding McAfee DLP products
        McAfee DLP product suite
        McAfee DLP data vectors
    How McAfee DLP works
        How McAfee DLP handles data
        How McAfee DLP acts on data
    Integrating multiple McAfee DLP products

Deployment

2 Deployment options
    Types of installations
    Management options
    Using McAfee DLP with other McAfee products

3 Deployment scenarios
    Deployment scenario: McAfee DLP Monitor
    Deployment scenario: McAfee DLP Discover and McAfee DLP Prevent
    Deployment scenario: Full product suite integration

4 Plan your deployment
    Product-specific requirements
        Network integration requirements for McAfee DLP Monitor
        Requirements for configuring MTA servers with McAfee DLP Prevent
        Supported repositories with McAfee DLP Discover
    Network placement
    Default ports used in McAfee DLP communications
    Order of deployment
    Deployment Checklist

Installation

5 Set up the hardware
    Check the shipment
    Rack mount the appliance
    Identify network ports
    Configure SPAN or tap mode for McAfee DLP Monitor
        Integrate the appliance using a SPAN port
        Integrate the appliance using a network tap
    Connect the management port

6 Install or upgrade the system
    Installing or upgrading the software on 4400 and 5500 appliances
        Download the 4400 or 5500 archive
        Install a new image on 4400 or 5500 appliances
        Upgrading appliances in a managed environment
        Upgrade the products on 4400 or 5500 appliances
        Boot options
        Set the next boot image
    Installing or upgrading the software on 1650 and 3650 appliances
        Download the 1650 or 3650 archive
        Install a new image on 1650 or 3650 appliances
        Upgrading appliances in a managed environment
        Upgrade the products on 1650 or 3650 appliances
    Applying hotfixes
    Re-imaging an appliance

7 Complete post-installation tasks
    Configure McAfee DLP Manager
    Add McAfee DLP Manager to ePolicy Orchestrator
        Install the network extension
        Add an ePolicy Orchestrator database user
        Register McAfee DLP Manager on ePolicy Orchestrator
        Install the host extension
        Required ePolicy Orchestrator registration information
        Register ePolicy Orchestrator on McAfee DLP Manager
    Add McAfee DLP devices to McAfee DLP Manager
    Configure standalone McAfee DLP appliances using the Setup Wizard
    Configure servers for McAfee DLP Prevent
    Link negotiation for McAfee DLP appliances
    Testing the system
    Additional tasks

System configuration

8 Integrating network servers
    Using external authentication servers
        OpenLDAP and Active Directory server differences
        How directory server accounts are accessed
        How directory servers are used with DLP systems
        How LDAP user accounts are monitored
        Monitoring LDAP users
        Add Active Directory servers
        Add Active Directory or OpenLDAP users
        Export certificates from Active Directory servers
        How ADAM servers extend McAfee DLP Manager
        Mapping default to custom attributes
        Using Active Directory attributes
        Viewing Active Directory incidents
        Search for user attributes in LDAP data
        Find user attributes in LDAP data
        LDAP columns available for display
        Add columns to display user attributes
    Using McAfee Logon Collector
        Connect McAfee Logon Collector to McAfee DLP Manager
        How McAfee Logon Collector enables user identification
        How McAfee DLP uses SIDs
    Using DHCP servers
        Add DHCP servers to DLP systems
    Using NTP servers
        Correct time in the McAfee DLP Manager interface
        Synchronize McAfee DLP devices with NTP servers
        Reset time manually
    Using syslog servers

9 Administrator accounts
    Managing user accounts
        Configure primary administrator accounts
        Activate a failover account
        Customize logon settings
        Customize password settings
    Managing user groups
        Add user groups
        Delete user groups
    Managing permissions
        Assign incident permissions
        Assign task and policy permissions
        Check user permissions
        Check group incident permissions

Policy configuration and data use

10 Policies and rules
    How policies and rules can be used
        Analyzing trends in data matching
        Use Chart and Compare to prioritize policies
        Use Chart and Compare to tune policies and rules
    Managing policies
        Policy inheritance
        Policy activation
        Activate or deactivate policies
        Add, modify, and deploy policies
    Managing rules
        Add rules
        Find rules
        View rule parameters
        Copy rules to policies
        Disable rule inheritance
        Reconfigure rules for web traffic
        Delete rules
        Modify rules
    Refining rules
        Tune rules
        Identify false positives
        Define exceptions
        Add new rules with exceptions
    Typical scenarios
        Protect intellectual property by customizing a standard policy
        Identify insider threats by deploying a standard policy
        Block data containing source code
        Block transmission of financial data
        Modify alphanumeric patterns in rules that produce false positives
        Track intellectual property violations

11 Rule elements
    Action rules
        How McAfee DLP Prevent uses action rules
        How McAfee DLP Endpoint uses action rules
        How McAfee DLP Discover uses action rules
        Add, modify, or delete action rules
    Concepts
        Types of concepts
        How content concepts work
        Regular expression syntax for concepts
        Add, apply, restore, and delete concepts
        Typical scenarios
    Templates
        How templates work
        Add, modify, and delete templates
        Typical scenarios
    Content types
        Advanced documents content types
        Apple application content types
        Binary content types
        Chat content types
        Compressed and archive formats
        Desktop content types
        Engineering drawing and design content types
        Executable content types
        Image content types
        Language classification content types
        Mail content types
        Microsoft content types
        Multimedia content types
        Office application content types
        Peer-to-peer content types
        Protocol content types
        Source code content types
        Unclassified content types
        UNIX content types

12 Policy configuration options
    Policy definition options
    Rule options
    Action rule options
    Template options
    Concept options
    Document property options
    Registered document options
    Policy setting options

13 Integrating McAfee DLP Endpoint
    How McAfee DLP Endpoint works with McAfee DLP Manager
    Setting up McAfee DLP Endpoint
        Installing McAfee DLP Endpoint
        Configure McAfee Agent on ePolicy Orchestrator
        Add an evidence folder on ePolicy Orchestrator
        Configuring McAfee DLP Endpoint on McAfee DLP Manager
    Working with a unified policy
        Unified policy content strategy
        Integration into the unified workflow
        How McAfee DLP Endpoint rules are mapped
        Adding endpoint parameters to rules in McAfee DLP Manager
        Using protection rules in McAfee DLP Manager
    Extending McAfee DLP Discover scans to endpoints
        Applying tags by scanning
        How signatures used at endpoints are stored
        Scanning local drives
    Tagging and tracking
        Using tags
        Application-based tagging
        Location-based tagging
    Controlling devices
        Device classes
        Classifying devices
        Controlling devices with device definitions
        Using device rules
        Device parameters
    Working with endpoint events
        View endpoint events
        Events reported to McAfee DLP Manager
    Typical scenarios
        Keep data from being copied to removable media
        Keep data from being cut and pasted
        Protect data with Document ...