Preventing credit card numbers from escaping your network

Upload: voliem

Post on 20-Aug-2018


1. Obtaining credit card numbers for testing

2. Creating the DLP profile

3. Configuring the Proxy Options

4. Configuring the firewall policy

5. Results

Preventing credit card numbers from escaping your network

The following recipe describes how to configure your FortiGate to use DLP (Data Loss Prevention) so that credit card numbers cannot be sent out of your network using FTP, SMTP email, or by posting to a webpage.

Consumer transactions over the Internet are based upon the idea that the consumer trusts the vendor not to allow their credit card number into the possession of any unintended persons. If you deal with anyone’s credit cards you may be legally responsible for their security. Having the firewall prevent their loss through digital channels may give both you and your customers some added peace of mind.

[Diagram: credit card numbers and other data, carried over SMTP, FTP and HTTP, passing through DLP on the way to the Internet]

Obtaining credit card numbers for testing

In order to test the validity of the profile you will need to use a credit card number in the traffic. A test number (which will not work for purchasing) can be obtained from one of these pages:

http://www.paypalobjects.com/en_US/vhelp/paypalmanager_help/credit_card_numbers.htm

http://www.crazysquirrel.com/finance/test-cc.jspx

http://www.getcreditcardnumbers.com/

Create a text file that contains some of these sample credit card numbers.

Creating the DLP Profile

Creating the Sensor

Go to Security Profiles > Data Leak Prevention > Sensors.

Create a new profile by either selecting the Create New icon or the View List Icon. If using the View List option you will then need to select the Create New option from the menu bar in the next window.

Once the New Sensor window is open, type whatever name you want for the profile into the Name field.

Creating Filters

Use the Create New option to create new individual filters.

For the first filter, choose the Messages filter type, set it to messages Containing Credit Card #, select the services you wish to examine, and set Action to Block.

For the second filter, choose the Files filter type, set it to files Containing Credit Card #, select the services you wish to examine, and set Action to Block.

In this case we are going to choose both HTTP-POST and HTTP-GET. This will prevent not only the posting of credit card information to a web page, but the downloading of it as well.

Check the listing of the filters in the sensor to make sure that the correct protocols are selected and the action in each is set to Block.
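The two filters above both hinge on one decision: does the message or file contain something that looks like a credit card number? The following is an added example, not FortiGate code and not part of the original recipe. It models a "Containing Credit Card #" check as a digit-pattern match plus a Luhn checksum (an assumption about how such built-in patterns work; the FortiGate matcher itself is not described on this page), classifies a constructed control message against one carrying the well-known 4111 1111 1111 1111 test number, and writes a file of synthetic Luhn-valid numbers for the "create a text file" step earlier in the recipe. All function names, the regular expression and the sample messages are mine.

```python
import random
import re

# A card-like token: 13 to 19 digits, optionally grouped by single spaces or
# hyphens, and not embedded in a longer run of digits (constructed heuristic).
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Constructed sample messages standing in for the control email and the email
# carrying a number; 4111 1111 1111 1111 is a widely published test number.
CONTROL_EMAIL = "Hi, the invoice for order 20180820 is attached. Thanks!"
CARD_EMAIL = "Please charge card 4111 1111 1111 1111, expiry 12/25."


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum: True if the digit string is self-consistent."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes partial + digit pass luhn_valid."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("no check digit found")  # unreachable for digit input


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card-like numbers in text, digits only."""
    hits = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits


def classify(message: str) -> str:
    """Mimic the Messages filter: block a message containing a card number."""
    return "block" if find_card_numbers(message) else "pass"


def make_test_number(prefix: str, length: int, rng: random.Random) -> str:
    """Build a synthetic Luhn-valid number; constructed, not a real account."""
    body = prefix + "".join(rng.choice("0123456789")
                            for _ in range(length - len(prefix) - 1))
    return body + luhn_check_digit(body)


def write_test_file(path: str, count: int = 5, seed: int = 2018) -> list:
    """Write synthetic test numbers (one per line) to path and return them."""
    rng = random.Random(seed)
    numbers = [make_test_number("4", 16, rng) for _ in range(count)]
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("DLP test file: synthetic numbers, not real accounts\n")
        fh.write("\n".join(numbers) + "\n")
    return numbers


def scan_file(path: str) -> list:
    """Mimic the Files filter: return the card numbers found in a file."""
    with open(path, encoding="utf-8") as fh:
        return find_card_numbers(fh.read())


if __name__ == "__main__":
    written = write_test_file("DLP_test_file.txt")
    print("control email:", classify(CONTROL_EMAIL))
    print("card email:   ", classify(CARD_EMAIL))
    print("file scan matches written numbers:",
          scan_file("DLP_test_file.txt") == written)
```

The Luhn step is what keeps an order number or a long hash from being treated as a card: a bare 16-digit pattern alone would block far more than credit card data, so a test plan should include a few control messages with non-card digit strings as well as the positive cases.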

Configuring the Proxy Options

Protocols don’t always use the standard ports, so proxy options will be configured to scan any port that is carrying traffic from the targeted protocol.

Go to Policy > Policy > Proxy Options.

Create a new Proxy Option profile.

In the Protocol Port Mapping section change the inspection ports from Specify to Any for the protocols HTTP, SMTP, and FTP.

In the other option areas, select options that match up with the normal settings used by your organization.

Configuring the Firewall Policy

Go to Policy > Policy > Policy.

As this policy is designed to prevent specific information from leaving the network the direction of the policy is from the internal interface, in this case LAN, to the external interface, wan1.

In the Security Profiles section, enable the DLP Sensor and choose the sensor created for blocking the credit card numbers as well as the appropriate Proxy Option profile.

You can also include the use of SSL/SSH Inspection if you have that configured to your satisfaction. This will help prevent loss of data through SSL connections.

Results

Testing SMTP

Using your favorite email client, send a control email to an email server on the other side of the FortiGate unit to verify everything is working. Then try sending two emails: one with the credit card numbers in the body of the email message and one with the text document as an attachment.

The control email makes it through, but the emails with the credit card information are not received at their destination.

Go to Log & Report > Traffic Log > Forward Traffic. You should be able to find log entries showing that the traffic was blocked. The logs even state that the reason the messages were considered threats had to do with credit-card information.

Because secure SMTP may not use port 25, don’t filter too narrowly when searching the logs.

Also, depending on your logging configuration, the logs may not show up in real time.
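Searching the forward traffic log by service and filter type rather than by port is the practical form of the warning above about secure SMTP not using port 25. The following is an added example, not FortiGate code and not part of the original recipe: it parses constructed log lines in the key=value style FortiGate syslog uses, selects DLP block events, and shows that a port-25-only search misses a block on SMTP submission port 587. The field names (type, subtype, service, action, filtertype, dstport, srcip) are an assumption about the log schema and the sample lines are constructed; a real log line carries many more fields.

```python
import re

# Constructed sample lines in FortiGate's key=value syslog style. The field
# names are assumed, not copied from the recipe; IPs are documentation ranges.
SAMPLE_LOG = """\
date=2018-08-20 time=10:01:02 type="traffic" subtype="forward" srcip=10.0.1.5 dstip=203.0.113.25 dstport=25 service="SMTP" action="accept" sentbyte=1840
date=2018-08-20 time=10:02:17 type="utm" subtype="dlp" srcip=10.0.1.5 dstip=203.0.113.25 dstport=587 service="SMTP" action="block" filtertype="credit-card" profile="CC-Block"
date=2018-08-20 time=10:03:44 type="utm" subtype="dlp" srcip=10.0.1.5 dstip=203.0.113.40 dstport=1121 service="FTP" action="block" filtertype="credit-card" profile="CC-Block"
date=2018-08-20 time=10:04:09 type="traffic" subtype="forward" srcip=10.0.1.7 dstip=198.51.100.9 dstport=443 service="HTTPS" action="accept" sentbyte=512
"""

# key=value pairs; values are either double-quoted or a bare non-space token
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> dict:
    """Split one key=value line into a dict, dropping the quotes on values."""
    return {key: value.strip('"') for key, value in KV.findall(line)}


def parse_log(text: str) -> list:
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def dlp_blocks(records: list, filtertype: str = "credit-card") -> list:
    """DLP block events selected by log subtype and filter type, never by port."""
    return [r for r in records
            if r.get("subtype") == "dlp"
            and r.get("action") == "block"
            and r.get("filtertype") == filtertype]


def blocks_on_port(records: list, port: str) -> list:
    """The too-narrow search the recipe warns against: blocks on one port only."""
    return [r for r in records
            if r.get("action") == "block" and r.get("dstport") == port]


def blocks_by_source(records: list) -> dict:
    """Count DLP blocks per (source IP, service) for a quick leak summary."""
    counts = {}
    for r in dlp_blocks(records):
        key = (r.get("srcip"), r.get("service"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in dlp_blocks(recs):
        print(r["time"], r["service"], r["srcip"], "->", r["dstip"], r["dstport"])
    print("blocks found by searching port 25 only:", len(blocks_on_port(recs, "25")))
    print("summary:", blocks_by_source(recs))
```

The summary by source host and service is the view you want when confirming the policy is effective: a single internal host repeatedly tripping the credit-card filter over SMTP is a different conversation from an FTP upload of a test file.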

Testing FTP

Using your preferred FTP client, upload a control file that shouldn’t be stopped to an FTP server on the other side of the FortiGate unit.

To be as generic as possible, this example uses the command line.

ftp ftp.example.com 1121
Connected to ftp.example.com.
220 (vsFTPd 2.3.5)
Name (ftp.example.com:): talesian
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||61875|).
150 Here comes the directory listing.
<Various files and directories>
226 Directory send OK.
ftp> put /<path to file’s directory>/DLP_test_file.doc DLP_test_file.doc
local: /<path to file’s directory>/DLP_test_file.doc remote: DLP_test_file.doc
229 Entering Extended Passive Mode (|||61874|).
150 Ok to send data.
100% |********************************************************************| 27136 580.79 KiB/s 00:00 ETA
226 Transfer complete.
27136 bytes sent in 00:00 (130.76 KiB/s)
ftp>

Once you have verified that your FTP session is working properly, try to upload the text file with the credit card numbers to the FTP server.

Using the command line, everything progresses the same as the previous example until after the “put” command has been entered. At this point there is a delay while the client tries to upload the file. After a number of attempts the client gives up:

229 Entering Extended Passive Mode (|||61879|).
Abort trap: 6
<local system prompt>$

GUI FTP clients will show that the transfer cannot proceed past the queueing process. Depending on the client, the connection to the FTP server will time out waiting for the upload to occur.

Testing HTTP

HTTP can be tested in two directions: posting a credit card number and getting a credit card number.

Try visiting one of the sites that you received the test credit card numbers from. You will receive a replacement message about the transfer.

To test posting a credit card number, go to a site on the far side of the firewall that you can edit. In this example, a wiki test page was started on a remote site and the test credit card numbers were entered into the page. They were allowed onto the editing screen because editing happens in the local computer’s browser.

The content is not actually sent over the network until the Save page button is selected. At this point a warning message is displayed to indicate that the transfer appeared to contain a data leak.