Revision A Product Guide - WordPress


Product Guide
Revision A
McAfee Data Loss Prevention 9.3.1
For use with ePolicy Orchestrator 4.5, 4.6, 5.0 Software

COPYRIGHT
Copyright 2014 McAfee, Inc. Do not copy without permission.

TRADEMARK ATTRIBUTIONS
McAfee, the McAfee logo, McAfee Active Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundscore, Foundstone, PolicyLab, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee Total Protection, TrustedSource, VirusScan, WaveSecure are trademarks or registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other names and brands may be claimed as the property of others.

Product and feature names and descriptions are subject to change without notice. Please visit mcafee.com for the most current products and features.

LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Contents

Preface 13
    About this guide 13
        Audience 13
        Conventions 13
    Find product documentation 14

1 Introduction to McAfee Data Loss Prevention 15
    Understanding McAfee DLP products 15
        McAfee DLP product suite 15
        McAfee DLP data vectors 16
    How McAfee DLP works 16
        How McAfee DLP handles data 16
        How McAfee DLP acts on data 19
        Integrating multiple McAfee DLP products 20

Deployment

2 Deployment options 25
    Types of installations 25
    Management options 25
    Using McAfee DLP with other McAfee products 26

3 Deployment scenarios 27
    Deployment scenario: McAfee DLP Monitor 27
    Deployment scenario: McAfee DLP Discover and McAfee DLP Prevent 28
    Deployment scenario: Full product suite integration 29

4 Plan your deployment 31
    Product-specific requirements 31
        Network integration requirements for McAfee DLP Monitor 31
        Requirements for configuring MTA servers with McAfee DLP Prevent 33
        Supported repositories with McAfee DLP Discover 33
    Network placement 34
    Default ports used in McAfee DLP communications 34
    Order of deployment 36
    Deployment Checklist 37

Installation

5 Set up the hardware 41
    Check the shipment 41
    Rack mount the appliance 41
    Identify network ports 42
    Configure SPAN or tap mode for McAfee DLP Monitor 43
        Integrate the appliance using a SPAN port 43
        Integrate the appliance using a network tap 44
    Connect the management port 44
    Serial console settings 44

6 Install or upgrade the system 45
    Installing or upgrading the software on 4400 and 5500 appliances 45
        Download the 4400 or 5500 archive 45
        Install a new image on 4400 or 5500 appliances 46
        Upgrading appliances in a managed environment 47
        Upgrade the products on 4400 or 5500 appliances 47
        Boot options 49
        Set the next boot image 50
    Installing or upgrading the software on 1650 and 3650 appliances 51
        Download the 1650 or 3650 archive 51
        Install a new image on 1650 or 3650 appliances 51
        Upgrading appliances in a managed environment 52
        Upgrade the products on 1650 or 3650 appliances 53
    Applying hotfixes 54
    Re-imaging an appliance 54

7 Complete post-installation tasks 55
    Add NAT IP addresses 55
    Configure McAfee DLP Manager 56
    Add McAfee DLP Manager to ePolicy Orchestrator 56
        Install the network extension 56
        Add an ePolicy Orchestrator database user 57
        Register McAfee DLP Manager on ePolicy Orchestrator 57
        Install the host extension 58
        Required ePolicy Orchestrator registration information 58
        Register ePolicy Orchestrator on McAfee DLP Manager 59
    Add McAfee DLP devices to McAfee DLP Manager 59
    Configure standalone McAfee DLP appliances using the Setup Wizard 60
    Configure servers for McAfee DLP Prevent 61
    Link negotiation for McAfee DLP appliances 61
    Testing the system 62
    Additional tasks 62

System configuration

8 Integrating network servers 67
    Using external authentication servers 67
        OpenLDAP and Active Directory server differences 67
        How directory server accounts are accessed 67
        How directory servers are used with DLP systems 68
        How LDAP user accounts are monitored 68
        Monitoring LDAP users 69
        Add Active Directory servers 69
        Add Active Directory or OpenLDAP users 71
        Export certificates from Active Directory servers 71
        How ADAM servers extend McAfee DLP Manager 72
        Mapping default to custom attributes 72
        Using Active Directory attributes 73
        Viewing Active Directory incidents 73
        Search for user attributes in LDAP data 74
        Find user attributes in LDAP data 74
        LDAP columns available for display 75
        Add columns to display user attributes 75
    Using McAfee Logon Collector 75
        Connect McAfee Logon Collector to McAfee DLP 76
        How McAfee Logon Collector enables user identification 76
        How McAfee DLP uses SIDs 77
    Using DHCP servers 77
        Add DHCP servers 77
    Using NTP servers 78
        Configure time settings 78
        Synchronize McAfee DLP devices with NTP 79
        Reset the hardware clock 79
    Using syslog servers 80

9 Administrator accounts 81
    Managing user accounts 81
        Configure primary administrator accounts 81
        Activate a failover account 82
        Customize logon settings 82
        Customize password settings 82
    Managing user groups 83
        Add user groups 83
        Delete user groups 84
    Managing permissions 84
        Assign incident permissions 84
        Assign task and policy permissions 85
        Check user permissions 85
        Check group incident permissions 85

Policy configuration and data use

10 Policies and rules 89
    How policies and rules can be used 89
        Analyzing trends in data matching 89
        Use Chart and Compare to prioritize policies 90
        Use Chart and Compare to tune policies and rules 90
    Managing policies 91
        Policy inheritance 91
        Policy activation 92
        Activate or deactivate policies 92
        Add, modify, and deploy policies 92
    Managing rules 96
        Add rules 97
        Find rules 97
        View rule parameters 98
        Copy rules to policies 98
        Disable rule inheritance 98
        Reconfigure rules for web traffic 99
        Delete rules 99
        Modify rules 100
    Refining rules 100
        Tune rules 100
        Identify false positives 101
        Define exceptions 101
        Add new rules with exceptions 102
    Typical scenarios 103
        Protect intellectual property by customizing a standard policy 103
        Identify insider threats by deploying a standard policy 104
        Block data containing source code 104
        Block transmission of financial data 105
        Modify alphanumeric patterns in rules that produce false positives 106
        Track intellectual property violations 106

11 Rule elements 109
    Action rules
        How McAfee DLP Prevent uses action rules
        How McAfee DLP Endpoint uses action rules
        How McAfee DLP Discover uses action rules
        Add, modify, or delete action rules
    Concepts
        Types of concepts
        How content concepts work
        Regular expression syntax for concepts
        Add, apply, restore, and delete concepts
        Typical scenarios
    Templates
        How templates work
        Add, modify, and delete templates
        Typical scenarios
    Content types
        Advanced documents content types
        Apple application content types
        Binary content types
        Chat content types
        Compressed and archive formats
        Desktop content types
        Engineering drawing and design content types
        Executable content types
        Image content types
        Language classification content types
        Mail content types
        Microsoft content types
        Multimedia content types
        Office application content types
        Peer-to-peer content types
        Protocol content types
        Source code content types
        Unclassified content types 136
        UNIX content types 136

12 Policy configuration options 137
    Policy definition options 137
    Rule options 138
    Action rule options 138
    Template options 139
    Concept options 140
    Document property options 140
    Registered document options 141
    Policy setting options 141

13 Integrating McAfee DLP Endpoint 143
    How McAfee DLP Endpoint works with McAfee DLP Manager 143
    Setting up McAfee DLP Endpoint
        Installing McAfee DLP Endpoint
        Configure McAfee Agent on ePolicy Orchestrator
        Add an evidence folder on ePolicy Orchestrator
        Configuring McAfee DLP Endpoint on McAfee DLP Manager
    Working with a unified policy
        Unified policy content strategy
        Integration into the unified workflow
        How McAfee DLP Endpoint rules are mapped
        Adding endpoint parameters to rules in McAfee DLP Manager
        Using protection rules in McAfee DLP Manager
    Extending McAfee DLP Discover scans to endpoints
        Applying tags by scanning
        How signatures used at endpoints are stored
        Scanning local drives
    Tagging and tracking
        Using tags
        Application-based tagging
        Location-based tagging
    Controlling devices
        Device classes
        Classifying devices
        Controlling devices with device definitions
        Using device rules
        Device parameters
    Working with endpoint events
        View endpoint events
        Events reported to McAfee DLP Manager
    Typical scenarios
        Keep data from being copied to removable media
        Keep data from being cut and pasted
        Protect data with Document Scan Scope
        Keep data from being printed to file
        Protect data from screen capture
        Protect data by identifying text in title b
