Data Leak Prevention

Upload: thomasine-horton

Post on 17-Dec-2015


TRANSCRIPT

Data Leak Prevention

Module Objectives

• By the end of this module participants will be able to:
  • Identify the data types that can be monitored through FortiGate DLP
  • Define regular and compound rules
  • Define DLP sensors
  • Define firewall policies using DLP sensors

[Slide diagram: Filter 1, Filter 2 and Filter 3 are collected into a DLP Sensor; when the sensor is triggered it performs the configured action]

• FortiGate Data Leak Prevention prevents sensitive information from leaving the organization
• Filters define fingerprint, file filter, file size, regular expression and rules (advanced and compound)
• Filters are collected into sensors
• Sensors are assigned to a firewall policy
• An action is performed when a sensor is triggered

DLP Inspection Methods

• Proxy-based
  • Data content is examined in detail, providing the highest level of analysis as it flows through the FortiGate unit
  • Increased use of system resources due to high memory and CPU requirements
• Flow-based
  • Flow-based scanning inspects the session in chunks, as opposed to the whole session as in proxy-based inspection
  • Data cannot be examined in full, so results may not be as accurate or reliable
  • Inspection is faster, with a lower impact on system resources compared to proxy-based inspection

Flow-based DLP

• Uses the IPS engine to perform Data Leak Prevention
• Select the inspection method when editing DLP sensors
• CLI example:

  config dlp sensor
      edit "default"
          set flow-based enable
      next
  end

Monitored Data Types

• Text content: text, HTML, email, PDF, MS Word (pre-2007), MS Office (2007)

Data Leak Prevention Sensors

DLP Sensor Filters: Fingerprint, File Type, Advanced Rule, Compound Rule

Actions: Block, Log Only, Exempt, Quarantine User, Quarantine IP address, Quarantine interface

Archive: Full, Summary

Sensitivity: Critical, Private, Warning

Data Leak Prevention Sensors

[Slide diagram: DLP Sensor "Classroom Sensor" applied to a firewall policy]

• Data leak filters (file type, file size, compound rule etc.) are collected into a sensor
• The sensor is in turn applied to a firewall policy
• Any traffic being examined by the policy will have the DLP operations applied to it

File Type Filtering

[Slide diagram: File Type Filters for JPEG image, BMP image, Executable, Cab archive and Zip archive, each set to Block or Allow]

• Filter based on file contents, regardless of file name
• A file can be blocked even if its extension has been changed
• Supported file types are listed on the FortiGate unit
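The point of the slide is that the verdict comes from the bytes, not the name. The following is an added example written for this page, not FortiGate code: it classifies a file from its leading bytes ("magic numbers") and applies a block list the way a file type filter does, so a renamed executable is still caught. The signature table, the block list and the sample files are constructed for the example and deliberately small.

```python
"""Content-based file type detection: the name is ignored, only the bytes count.
Added illustration for this page; not FortiGate code."""
import struct

# Well-known leading byte patterns for a few of the types in the FortiGate table.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"BM", "bmp"),
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),
    (b"Rar!\x1a\x07", "rar"),
    (b"MSCF", "cab"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
]

def detect_type(data: bytes) -> str:
    """Return a type label for DATA based on its contents only."""
    # Windows executables: "MZ" DOS header, PE signature at the offset stored in e_lfanew.
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "exe"
    for sig, label in MAGIC:
        if data.startswith(sig):
            return label
    return "unknown"

# Constructed block list standing in for the per-type Block/Allow choices on the slide.
BLOCKED_TYPES = {"exe", "elf", "zip", "cab", "rar"}

def verdict(filename: str, data: bytes) -> tuple:
    """Apply the block list; FILENAME is accepted only to show it plays no part."""
    ftype = detect_type(data)
    return ftype, ("block" if ftype in BLOCKED_TYPES else "allow")

def _fake_pe() -> bytes:
    """Minimal constructed PE header: 0x40-byte DOS stub, e_lfanew pointing at 'PE\\0\\0'."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20

# Constructed sample "files" (headers only, enough for detection).
SAMPLES = {
    "report.txt": _fake_pe(),                          # executable renamed to .txt
    "photo.jpg":  b"\xff\xd8\xff\xe0" + b"\x00" * 16,
    "notes.zip":  b"PK\x03\x04" + b"\x00" * 26,
    "README":     b"plain text, nothing special\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:12s} -> {verdict(name, data)}")
```

One caveat a practitioner will hit immediately: MS Office 2007 documents are ZIP containers, so a bare ZIP signature check like the one above would also block every .docx; a real filter needs a more specific check for such containers, which is why the FortiGate table on this page lists msoffice as its own type.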

File Type Filtering

Category                        File types
Archive                         arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2
Batch File                      bat
Common Console Document         msc
Encoded Data                    uue, mime, base64, binhex
Executable                      elf, exe
HTML Application                hta
HTML File                       html
Java Application Descriptor     jad
Java Compiled Bytecode          cod
Javascript File                 javascript
Microsoft Office                msoffice
Packer                          fsg, upx, petite, aspack
Palm OS Application             prc
Symbian Installer System File   sis
Windows Help File               hlp
ActiveMime                      activemime
Images                          jpeg, gif, tiff, png, bmp
Ignored Filetype                Used for traffic the FortiGate unit does not typically scan
Unknown Filetype                Used for any file type not listed in the table

File Name Pattern

[Slide diagram: File Name Pattern Filters in a File Filter List, each set to Block or Allow. The patterns *.jpg, nice*.jpg and nicepainting.jpg are matched against the file names nicepainting.jpg, mona.jpg, painting.jpg and nicepainting.png: *.jpg matches the three .jpg names, nice*.jpg and nicepainting.jpg match only nicepainting.jpg, and nicepainting.png matches none of them]

File Size Filter

• Action applied to files larger than the specified size

Regular Expression Filter

• Checks network traffic for the regular expression
• The pattern is a regular expression, not a literal string: a dot matches any single character, so file.com matches not only file.com but also "file" followed by any one character and then "com", such as fileAcom or file-com. To match the literal name file.com, escape the dot: file\.com
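The following added example (written for this page, not FortiGate code, and using Python's regex dialect rather than FortiGate's) shows the two things the bullets above imply in practice: the pattern is searched for anywhere in the content, and an unescaped dot widens the match. It also shows the kind of post-check a practitioner adds to a pattern-only filter: a 16-digit card-number pattern of the sort used in the credit card lab on this page is validated with the Luhn checksum so that random digit runs do not trigger the block. The filter list, the Luhn post-check and the sample payloads are this example's own constructions.

```python
"""Regex filter semantics: unanchored search, metacharacters, and a post-check.
Added illustration for this page; not FortiGate code."""
import re

def luhn_ok(digits: str) -> bool:
    """Luhn checksum carried by payment card numbers (constructed post-check,
    not a FortiGate option): cuts false positives from a bare 16-digit pattern."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

# (name, pattern, action, optional validator on the matched text); first match wins.
FILTERS = [
    ("literal-file.com", r"file\.com", "block", None),           # escaped dot: the literal name only
    ("card-number", r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)", "block",
     lambda s: luhn_ok(re.sub(r"\D", "", s))),                   # 16 digits, then Luhn
    ("loose-file.com", r"file.com", "log-only", None),           # the unescaped pattern from the text
]

def evaluate(payload: str):
    """Return (filter name, action, matched text) for the first filter that fires, else None."""
    for name, pattern, action, check in FILTERS:
        m = re.search(pattern, payload)      # search, not fullmatch: a hit anywhere in the traffic counts
        if m and (check is None or check(m.group(0))):
            return name, action, m.group(0)
    return None

# Constructed sample payloads.
PAYLOADS = {
    "exact":    "GET /downloads/file.com HTTP/1.1",
    "any-char": "attachment name is file_com_v2",      # only the unescaped pattern fires
    "card":     "card 4111 1111 1111 1111 exp 12/29",  # passes Luhn
    "bad-luhn": "ticket 4111 1111 1111 1112",          # same shape, fails Luhn
    "clean":    "nothing sensitive here",
}

if __name__ == "__main__":
    for label, text in PAYLOADS.items():
        print(f"{label:9s} -> {evaluate(text)}")
```

Note that "file_com" is caught only by the unescaped pattern, which is the false positive the slide warns about; a sensor built from the literal pattern leaves it alone.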

Advanced Rule

• Includes a single condition and the type of traffic in which the condition is expected to appear
• Can only be created using the CLI
• Specify the protocol, sub-protocol (if any), the field, and any remaining options as required
• Many built-in Advanced Rules are included
  • Example: Large-HTTP-Post, Large-FTP-Put etc.
• Can be modified to suit specific needs

Advanced Rule Example

config dlp rule
    edit "Large-HTTP-Post"
        set protocol http
        set sub-protocol http-post
        set field transfer-size
        set value 5120
        set operator greater-equal
    next
end

Compound Rule

• Group multiple advanced rules to create a compound rule
• The conditions in each advanced rule must be TRUE before the compound rule is triggered
• Built-in compound rules are included (can be modified if required)
• For example, to block HTTP-GET and HTTP-POST operations on MP3 files that exceed 1 MB:
  • Create 2 advanced rules:
    • Rule 1 sets the file transfer size for HTTP-GET and HTTP-POST operations to 1 MB
    • Rule 2 sets the file type to the integer value of the file pattern table (for example "2" for the user-defined "No_MP3s" list etc.)
      • Use set file-type ? to verify the value to use for the file pattern rule
  • Add the advanced rules as 'members' of the compound rule

Compound Rule Example

config dlp compound
    edit "MY_HTTP_MP3_Compound_Rule"
        set protocol http
        set sub-protocol http-get http-post
        set member "MP3" "My_Large_HTTP_Advanced_Rule"
    next
end

(The two members are the advanced rules created in the previous steps: "MP3" carries the file-type condition and "My_Large_HTTP_Advanced_Rule" the transfer-size condition; both must be true for the compound rule to trigger.)

Document Fingerprinting

• Document fingerprinting can be used to protect specific documents from leakage
• A method of uniquely identifying documents
  • Files are broken into chunks, checksums are taken of those chunks, and the checksums are used as the fingerprint
• The fingerprint is then applied to a filter rule within a sensor for DLP scan activities
• Checksums are generated for files appearing in network traffic and compared to the fingerprint database
• The FortiGate unit can be pointed to a document repository (example: a Windows share), or documents can be uploaded manually
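The bullets above describe the mechanism but not what makes it work against the common case, a leak that carries only part of a document pasted after other text. The following is an added example written for this page, not FortiGate code: FortiGate does not publish its chunking rule, so the content-defined chunking (rolling hash over the last 16 bytes, boundary where the hash hits a target), the SHA-256 chunk checksums, the match ratio and the 0.3 threshold are this example's own choices. Chunking on content rather than fixed offsets is what lets an excerpt with text inserted before it still line up with the stored checksums. The "documents" are constructed filler.

```python
"""Document fingerprinting by chunk checksums, with content-defined chunking.
Added illustration for this page; not FortiGate code."""
import hashlib

WINDOW, AVG_CHUNK, MIN_CHUNK, MAX_CHUNK = 16, 64, 16, 256
MOD, MUL = (1 << 31) - 1, 257
POW = pow(MUL, WINDOW - 1, MOD)      # weight of the byte that drops out of the window

def chunk(data: bytes) -> list:
    """Split DATA where a rolling hash of the last WINDOW bytes is divisible by
    AVG_CHUNK.  Boundaries depend on content, not offsets, so inserting text
    before a copied passage disturbs only the chunks around the edit."""
    chunks, start, h = [], 0, 0
    for i, b in enumerate(data):
        if i >= WINDOW:
            h = (h - data[i - WINDOW] * POW) % MOD   # drop the oldest byte
        h = (h * MUL + b) % MOD                      # add the new one
        size = i + 1 - start
        if (size >= MIN_CHUNK and h % AVG_CHUNK == 0) or size >= MAX_CHUNK:
            chunks.append(data[start:i + 1])
            start = i + 1
    if start < len(data):
        chunks.append(data[start:])
    return chunks

def fingerprint(doc: bytes) -> set:
    """The stored fingerprint: the set of chunk checksums, never the text itself."""
    return {hashlib.sha256(c).digest() for c in chunk(doc)}

def match_ratio(payload: bytes, fp: set) -> float:
    """Fraction of PAYLOAD's chunks whose checksum is in the fingerprint database."""
    cs = chunk(payload)
    hits = sum(1 for c in cs if hashlib.sha256(c).digest() in fp)
    return hits / len(cs) if cs else 0.0

def verdict(payload: bytes, fp: set, threshold: float = 0.3) -> str:
    """Block when enough of the traffic is made of registered chunks (threshold is this example's choice)."""
    return "block" if match_ratio(payload, fp) >= threshold else "allow"

def _text(seed: str, blocks: int = 24) -> bytes:
    """Deterministic high-entropy filler standing in for a document (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}-{i}".encode()).hexdigest().encode()
                    for i in range(blocks))

PROTECTED = _text("board-minutes")        # the document registered with the sensor
UNRELATED = _text("lunch-menu")
# A leak rarely ships the whole file: here an inner passage is pasted after new text.
EXCERPT_IN_EMAIL = b"Hi, pasting the relevant part below:\n\n" + PROTECTED[128:1408]

if __name__ == "__main__":
    fp = fingerprint(PROTECTED)
    for label, payload in (("whole file", PROTECTED),
                           ("excerpt in email", EXCERPT_IN_EMAIL),
                           ("unrelated", UNRELATED)):
        print(f"{label:17s} ratio={match_ratio(payload, fp):.2f} -> {verdict(payload, fp)}")
```

The whole file scores 1.0 and unrelated text 0.0; the excerpt loses only the chunk straddling the pasted prefix, the chunks before the first shared boundary, and the final partial chunk, so most of its chunks still hit the database. With fixed-size chunking at fixed offsets the 39-byte prefix would shift every boundary and the same excerpt would score near zero, which is the failure mode content-defined chunking exists to avoid.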

DLP Archiving

• DLP can also be used to record network use through DLP archiving
  • The FortiGate unit records all occurrences of the traffic types selected for archiving by the sensor
• Summary archiving records information about the traffic type
• Full archiving provides more detailed records
  • Full archives are far more detailed than a summary and require more storage space and processing
• Because DLP archiving requires additional resources, DLP archives must be saved to a FortiAnalyzer unit

Labs

• Lab - Data Leak Prevention
  • Blocking Encrypted Files
  • Blocking Leakage of Credit Card Information
  • Blocking Oversize Files by Type
  • DLP Banning and Quarantining
  • DLP Fingerprinting