A Conservative Techie

Thoughts from a Conservative point of view in regards to technology

Configuring a detection server for an Endace card

After installing DLP as a network detection server, there is additional configuration that must be done both on the detection server and within the Enforce UI.

Installing the Endace card on the detection server

The first problem to be aware of is to make sure the Endace drivers and software are installed in a folder whose path has no spaces: c:\endace instead of the default c:\program files\endace.

From the Enforce server, copy dagextraconfig.bat from c:\vontu\protect\bin to c:\endace\dag-3.3.1\bin. Do not worry that the contents of this .bat file are commented out; an error will be generated if the file is missing.

Change the boot.ini to enable the /3GB switch

If you are running 32-bit Windows Server on the detection side, the /3GB switch needs to be enabled in the boot.ini file. The following steps need to be done:

  • Change the attributes on the file: from a command prompt type attrib.exe -s -h -r c:\boot.ini
  • Open boot.ini in Notepad
  • Copy the line that reads like: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff
  • At the end of the line add /3GB /userva=3030 so it looks like this: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff /3GB /userva=3030
  • Restart the detection server
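The same boot.ini edit as a script, added here as an example and not part of the original post. It assumes the boot.ini layout shown in the steps above (an [operating systems] entry ending in \WINDOWS="…") and the attrib command given above; the sample file it carries is constructed for illustration.

```python
"""Append the /3GB /userva=3030 switches to a Windows Server 2003 boot.ini entry.

Added example (not from the original post). It mirrors the manual edit above:
append the switches to the operating-system entry, skip the edit if /3GB is
already there, and keep a backup of the original file.
"""
import re
import shutil
import subprocess

SWITCHES = "/3GB /userva=3030"                      # the switches the post adds
# An OS entry line looks like  ...\WINDOWS="Windows Server 2003, Enterprise" /fastdetect
ENTRY_RE = re.compile(r"\\WINDOWS=", re.IGNORECASE)

# Constructed sample boot.ini in the layout Windows Server 2003 uses.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Enterprise" /fastdetect /noexecute=alwaysoff
"""


def add_3gb_switch(text):
    """Return boot.ini text with SWITCHES appended to every OS entry lacking /3GB.

    Idempotent: a second run changes nothing. Line endings are preserved.
    """
    newline = "\r\n" if "\r\n" in text else "\n"
    out = []
    for line in text.splitlines():
        if ENTRY_RE.search(line) and "/3GB" not in line.upper():
            line = line.rstrip() + " " + SWITCHES
        out.append(line)
    return newline.join(out) + newline


def patch_boot_ini(path="c:\\boot.ini", run_attrib=True):
    """Clear the system/hidden/read-only attributes, back up and rewrite boot.ini.

    Only meant to run on the detection server itself; the attrib call is the one
    the post gives. Returns True if the file was changed, False if it already
    carried the switch.
    """
    if run_attrib:
        subprocess.run(["attrib.exe", "-s", "-h", "-r", path], check=True)
    with open(path, "r", newline="") as fh:
        original = fh.read()
    patched = add_3gb_switch(original)
    if patched == original:
        return False
    shutil.copyfile(path, path + ".bak")      # keep the untouched file beside it
    with open(path, "w", newline="") as fh:
        fh.write(patched)
    return True


if __name__ == "__main__":
    print(add_3gb_switch(SAMPLE_BOOT_INI))
```

Running the module prints the patched sample; on the server, patch_boot_ini() does the real edit and leaves boot.ini.bak behind so the change can be reverted before the restart if needed.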

Once the SPAN port is connected to the Endace card, traffic can be verified by opening a command line, navigating to the c:\Endace\dag-3.3.1\bin directory and typing: dagsnap -d0 -v -o tracefile. Traffic should be displayed in the window.

Changing settings on the Enforce UI

The following settings need to be changed within the Enforce UI in order for Network Monitor to work correctly with an Endace card.

In the Enforce UI navigate to System -> Overview and select the correct detection server. Click on the Server Settings button and change the following items:

  • PacketCapture.IS_ENDACE_ENABLED from false to true
  • PacketCapture.ENDACE_BIN_PATH to the location you installed the software to (c:\endace\dag-3.3.2\bin)
  • PacketCapture.ENDACE_LIB_PATH to the location you installed the software to (c:\endace\dag-3.3.2\lib)
  • PacketCapture.ENDACE_XILINX_PATH to the location you installed the software to (c:\endace\dag-3.3.2\xilinx)

After making the above changes, restart the Vontu services on each detection server using an Endace card. Once the services are back up, select Configure; dag0 should then be available, so select the Endace card.

November 22, 2010 Posted by | DLP, Symantec | Leave a Comment

Enabling Live LDAP Lookup for Symantec DLP

I recently spent several days bashing my head against configuring LDAP lookup within the Symantec Enforce UI for a customer and ran into several problems. In fact I posted on the Symantec Connect forums (https://www-secure.symantec.com/connect/forums/problems-live-ldap-lookup) discussing some of the problems I was having. This article is based on that pain and on some holes in the existing documentation. There are several guides on the Vontu Knowledge Base (kb-vontu.altiris.com), specifically KB 42831.

Note: Spelling counts, as the files are case sensitive.

The following steps need to be done in this order:

  1. Configure the Plugins.Properties file in c:\vontu\protect\config
  2. Configure the LiveLdapLookup.Properties file in c:\vontu\protect\config
  3. Add the custom attributes in the Enforce UI
  4. Reload the custom attributes in the Enforce UI
  5. Profit

Configure the Plugins.Properties file

This file enables the different plugin files that can be used by Symantec DLP. As mentioned in the KB article, the following lines need to be added:

  • com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup
  • com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties

These settings determine which plugins are being used.

Another item that needs to be configured is the attribute lookup parameters; editing this section of the file is not covered in the knowledge base entries. The default attribute lookup parameter is sender-email, which is commented out; uncomment it. If there are other items you will be searching on (for example file-owner for Data at Rest incidents), uncomment them as well. Save your changes.

Note: I have attached my working plugins.properties file

Configure the LiveLdapLookup.properties file

This section can be the most challenging to configure. Remember that this file is case sensitive: what is in Active Directory needs to match this file and what is configured in the Enforce UI. The knowledge base entry uses email as the common search criterion; however, in most Active Directory environments the attribute is actually mail, and if that is the case the setting will look like the following: (mail=$sender-email$).

The next part that can cause the most trouble is configuring the base DN in the first part of the file. In my test lab my file looks like the following:

servername = dc.itslab.local

port = 389

basedn = DC=ITSLAB,DC=local

How did I determine my basedn? The KB article recommends Softerra's LDAP Browser, though I have used ADSI Edit from Microsoft (part of the Windows Server 2003 support tools). The following screenshot shows ADSI Edit for my test domain:

NOTE: The server is dc.itslab.local, and what appears under it, DC=itslab,DC=local, is what I put as my basedn. Remember spelling counts; the lookup will fail if you put in ITSLAB or LOCAL.

Once the basedn is configured we need to configure the attribute lookup. Remember that the attributes we are searching must match both Active Directory and the attributes in the Enforce UI.

The default properties file contains the following example: attr.Company = cn=user:(mail=$sender-email$):Company. However, changes are needed based on how Active Directory is configured in your company. In my environment I need to search the OU ITS_Partners, which changes my search to attr.Company = OU=ITS_Partners:(mail=$sender-email$):company. In ADSI Edit I see the following screenshot:

Notice that the lowercase c in company matches what I am using in my attribute search. Save your changes and restart the Vontu services.
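To make the attr.* mapping concrete, here is a worked example of how such a lookup resolves. It is an added example, not Symantec's plugin code. It assumes the value layout the post shows (attr.<Enforce attribute> = <search base>:<LDAP filter template>:<AD attribute>, with $name$ tokens replaced by incident attributes), uses a constructed properties excerpt and a constructed in-memory directory in place of Active Directory, and matches attribute names exactly by case to mirror the behaviour the post warns about. The incident value substituted into the filter is escaped per RFC 4515 so it cannot change the filter's structure.

```python
"""Worked example of the LiveLdapLookup attr.* mapping (added example, not Symantec code).

Assumed layout:  attr.<Enforce attribute> = <search base>:<filter template>:<AD attribute>
The search base is relative to basedn; $name$ tokens in the filter come from the incident.
"""
import re

# RFC 4515 escaping for values substituted into a filter, so that an incident
# attribute such as a sender address cannot alter the filter's structure.
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def read_property(properties_text, key):
    """Return the value of a simple key = value line (e.g. basedn), or None."""
    for raw in properties_text.splitlines():
        k, sep, v = raw.partition("=")
        if sep and k.strip() == key:
            return v.strip()
    return None


def parse_attr_mappings(properties_text):
    """Return {enforce_attr: (search_base, filter_template, ad_attr)} from attr.* lines."""
    mappings = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line.startswith("attr."):
            continue                                  # comments, basedn, port, ...
        key, _, value = line.partition("=")
        base, _, rest = value.strip().partition(":")  # first ':' ends the search base
        template, _, ad_attr = rest.rpartition(":")   # last ':' starts the AD attribute
        if not template:
            raise ValueError(f"expected base:filter:attribute in {raw!r}")
        mappings[key.strip()[len("attr."):]] = (base.strip(), template.strip(), ad_attr.strip())
    return mappings


def render_filter(template, incident):
    """Replace $name$ tokens with escaped incident attribute values."""
    def substitute(match):
        name = match.group(1)
        if name not in incident:
            raise KeyError(f"incident has no attribute {name!r}; enable it in Plugins.properties")
        return escape_filter_value(incident[name])
    return re.sub(r"\$([A-Za-z0-9_-]+)\$", substitute, template)


def lookup(mappings, incident, directory, basedn):
    """Resolve each mapped Enforce attribute against the constructed directory.

    A mapping whose AD attribute name does not match an entry exactly (Title vs
    title) yields None, which is the empty-attribute symptom the post describes.
    Only simple equality filters are handled here.
    """
    results = {}
    for enforce_attr, (base, template, ad_attr) in mappings.items():
        search_base = f"{base},{basedn}" if base else basedn
        rendered = render_filter(template, incident)
        m = re.fullmatch(r"\(([A-Za-z0-9-]+)=(.*)\)", rendered)
        if not m:
            raise ValueError(f"unsupported filter in this example: {rendered}")
        attr, wanted = m.group(1), unescape_filter_value(m.group(2))
        for entry in directory:
            if entry["dn"].endswith(search_base) and entry.get(attr) == wanted:
                results[enforce_attr] = entry.get(ad_attr)
                break
    return results


# Constructed properties excerpt; the Title line deliberately uses the wrong
# case for the AD attribute to show the failure mode.
SAMPLE_PROPERTIES = """\
servername = dc.itslab.local
port = 389
basedn = DC=ITSLAB,DC=local
attr.Company = OU=ITS_Partners:(mail=$sender-email$):company
attr.Department = OU=ITS_Partners:(mail=$sender-email$):department
attr.Title = OU=ITS_Partners:(mail=$sender-email$):Title
"""

# Constructed directory entries standing in for Active Directory.
SAMPLE_DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=ITS_Partners,DC=ITSLAB,DC=local", "mail": "jane.doe@itslab.local",
     "department": "IT", "title": "Engineer", "company": "ITS Partners"},
    {"dn": "CN=Backup Svc,CN=Users,DC=ITSLAB,DC=local", "mail": "backup@itslab.local",
     "company": "ITS Partners"},
]


def demo(sender_email="jane.doe@itslab.local"):
    mappings = parse_attr_mappings(SAMPLE_PROPERTIES)
    basedn = read_property(SAMPLE_PROPERTIES, "basedn")
    return lookup(mappings, {"sender-email": sender_email}, SAMPLE_DIRECTORY, basedn)


if __name__ == "__main__":
    print(demo())                   # Company and Department resolve; Title is None
    print(demo("backup@itslab.local"))  # outside OU=ITS_Partners, so nothing resolves
```

Three behaviours are worth noting in the output: the OU in the search base scopes the lookup, so an account outside OU=ITS_Partners resolves nothing; the Title mapping comes back empty purely because of the capital T; and a sender value containing filter metacharacters is escaped rather than interpreted.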

Add the attributes in the Enforce UI

Once the text files are configured, we need to configure the attributes in the Enforce UI. Navigate in the console to System -> Attributes and click on the Custom Attribute tab, as the following screenshot shows:

To add a custom attribute, click Add and enter the attribute you are looking for. Once all of your attributes are configured, click the Reload Lookup Plugins button and verify things work correctly.

Testing Attribute Lookup

Now that we have our attributes configured in Enforce, let's test them. Navigate to an existing incident in the Enforce UI and select Lookup. If successful, the attributes should populate from Active Directory.

As you can see from the screenshot, I have populated First Name, Last Name, Title, Department, Location and Company from Active Directory.

Troubleshooting Tips

Some small troubleshooting tips:

  1. Make sure spelling on all attributes and lookups match
  2. Don't forget to restart the Vontu services after making changes to one of the .properties files
  3. Change the logging level for the plugin framework:
    1. In ManagerLogging.properties, edit com.vontu.logging.ServletLogHandler.level to FINER
    2. Add (if it doesn't exist) com.vontu.lookup.script.level = FINER
  4. Change the logging level for LDAP lookup:
    1. In the ManagerLogging.properties file add the line: com.vontu.diretory.ldap.LdapLookup.level = FINER
  5. Review VontuManager.log and tomcat\localhost.[date].log for more information

November 11, 2010 Posted by | DLP, Symantec | 1 Comment

Adding more space to the Users.DBF file

Problem: Errors in the console about clicking on invalid links, links timing out, or corrupted incidents; also references in the log files to errors updating the USERS tablespace.


Solution: Oracle has a hard limit on data file size of 33GB, and once that limit is hit with no other files available, the system will stop writing to the database. To solve this problem we needed to create additional DBF files for the USERS tablespace. By default the installation creates only one USERS01.DBF file.

To create additional files follow these steps:

  1. Open up a command prompt
  2. Launch SQLPLUS by typing the following command sqlplus /nolog and hit enter
  3. From the SQL> prompt type connect sys as sysdba and hit enter
  4. Provide the password for sys:
  5. From the SQL> prompt type: alter tablespace "USERS" ADD DATAFILE 'd:\oracle\product\10.2.0\oracdata\protect\users02.dbf' size 138240k reuse autoextend on next 10240k maxsize 32767M;
    1. Provide the full path to the location of the database files
    2. Change users02.dbf to a different file name for each additional file
  6. Repeat as needed
  7. Restart Oracle and Vontu Services

Data will begin to flow into the DLP system after the restart.

August 10, 2010 Posted by | DLP, Symantec | Leave a Comment

Two Quick DLP Links

Just clearing some things from my web browser:


http://thera.ilikehandbag.com/2010/07/18/why-you-must-have-a-data-loss-prevention-strategy/ 

http://www.brighttalk.com/summit/1541

July 30, 2010 Posted by | DLP, Symantec | Leave a Comment

New Webcast: Symantec DLP, SEP and Workflow

On August 24, 2010 I will be presenting a webcast for work as part of our normal webcast series. This time I will be presenting on Symantec DLP, SEP and Workflow, with an example of how you can use Workflow as a product to tie together two other Symantec products that do not necessarily connect. If you are interested, feel free to sign up here: https://www1.gotomeeting.com/register/543228689. The text below is from our marketing guy:

In this webcast the experts at ITS Partners will discuss how you can use Symantec's Workflow Solution to trigger a SEP lockdown of a device.

A DLP incident triggers a workflow which locks down an environment and also notifies your IT staff.

We will cover the pre-built workflow that ships with DLP 10.5 and talk about how you can integrate multiple Symantec products together using Symantec Workflow Solution.

Symantec Workflow optimizes efficiency, enforces processes and policies, and automates redundant tasks. It accelerates the delivery of IT and business process without process experts having to know or write complicated code or adding undue costs. Symantec Workflow ties together Symantec and other environments to connect people, process and information and to automate and enforce procedures all within an easy to use and comprehensive product.

Symantec Data Loss Prevention (DLP) delivers a unified solution to discover, monitor, and protect confidential data wherever it is stored or used. With DLP, Symantec continues to shift the focus of security from locking down infrastructure to protecting the information itself.

July 28, 2010 Posted by | DLP, Symantec | Leave a Comment

Gartner announces Symantec is a leader in three magic quadrants

Saw this come across one of my Google Alerts and wanted to pass it around. Gartner's Magic Quadrant is made up of four sections (quadrants):

  • Leaders
    • Score high on ability to execute and completeness of vision
  • Challengers
    • Score high on ability to execute and lower on completeness of vision
  • Visionaries
    • Score lower on the ability to execute and higher on the completeness of vision
  • Niche Players
    • Score lower on both criteria, or are new additions to the Magic Quadrant

For more information see the Wikipedia entry on the Magic Quadrant.

The three reports are:

You can see the press announcement here: http://www.symantec.com/about/news/release/article.jsp?prid=20100712_01

July 14, 2010 Posted by | DLP, Symantec | Leave a Comment

Upcoming DLP Webcast: DLP 10.5 & Data Insight

One of the things my company does is host webcasts twice a month. These are free and provide information about upcoming Symantec products, or training on how to use one of the Symantec products.

In June, I am presenting a webcast on DLP 10.5 and the new feature Data Insight.

ITS will answer questions like:
- "Whose Data Is It Anyway?"
- "Who owns the data?"
- "How is the data used?"
- "How do I protect the data?"
Data Insight and Data Loss Prevention
Data Insight will first be available as part of Symantec Data Loss Prevention and will be the only data loss prevention solution to deliver an integrated data owner and remediation capability. Unstructured data on shared file systems is a large source of critical business information, and over-exposed content presents a significant risk for data breaches. Data Insight with Symantec Data Loss Prevention helps organizations identify their most critical information and enables simplified data clean-up and remediation through automated data owner identification. Data Insight also provides continuous monitoring and auditing of data usage to help ensure adherence with corporate policies and regulatory compliance. In addition, the technology monitors who has accessed or modified individual files, and can notify information security teams and data owners that data has been exposed. Armed with visibility into who is accessing and using the information, organizations can make rule-based ownership inferences and alter access to stored data in order to prevent data breaches.


Data Insight provides information on unstructured data (data that sits on a file share): how that data is used, who is using it, and so on.

Join us for the webcast and learn about this great product.

May 14, 2010 Posted by | DLP, Symantec | , | Leave a Comment

OpenDLP: A review

I don't tend to read many Slashdot articles these days, but I follow the RSS feed in Google Reader. A recent article covered a product that caught my eye: OpenDLP.

The code is pretty raw right now; it is at version 0.1, so hopefully a lot of growth and change will come to the product. From the project's homepage:

OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application. OpenDLP has two components: a web application and an agent.

The first thing I notice about this product is that it only deals with one area of potential data loss: the endpoint. It might be the maturity of the product that the author hasn't looked into the other areas: Data in Motion (data traveling over the network) and Data at Rest (data in storage).

The other issue I have is that right now the database is not encrypted, which would be a major data loss issue if the DB were compromised.

The good thing is the product does cover the endpoint, and seems to cover it very well. I'm looking forward to following the development and will try to contribute to it as much as I can.

May 4, 2010 Posted by | DLP, Ubuntu/Kubuntu | | Leave a Comment

Catching up on DLP Links

There's been a lot of discussion on the web these days in regard to DLP, and also some of the moves Symantec made with its purchase of PGP Corporation and GuardianEdge: press release here

Here are some more links that I’ve come across recently:

  1. Cisco Security Services and also Cisco's Risk Assessment Service: didn't even know that Cisco offered a DLP solution, but it is based around the IronPort product. I don't know anything about IronPort but plan to learn more, as we have one customer who is looking at it instead of Symantec DLP
  2. Whitepaper released: Quick Wins with Data Loss Prevention: this links to a whitepaper sponsored by McAfee, and you can download the whitepaper from that link as well. It is an interesting whitepaper and I have added it to my collection
  3. How to shape an effective DLP policy: an InformationWeek article that talks about how an organization should write DLP policies. More on this later.
  4. Breakout session from Symantec Vision:

May 1, 2010 Posted by | DLP, Symantec | , , | Leave a Comment

Getting caught up on links

Have a lot of links in my browser tonight but haven't had a chance to digest and really understand all of them.

So this post is a dump of a bunch of them, to come back to later with more thoughts.

1. 25 Scenes from Symantec Vision: Missed Vision this year but didn't hear much about it. I find it interesting how they comment on things us old Altiris people take for granted, such as Steve Morton's keynote style, the user group challenge, etc.

2. DLP: Million Problems – One Solution: Haven't read this one yet, but looking forward to it

3. DLP – Protecting What Matters Most: Seems to be an overview of DLP; will have to read this one through

4. States’ Rights Come to Security Forefront

5.  DLP Primer

6.  Data Loss Prevention comes of Age

April 26, 2010 Posted by | Altiris, DLP, Symantec | , , | Leave a Comment
