Symantec Connect Posts Round Up #4

This is week #4 of clearing out the various Symantec Connect Posts that I’ve found interesting (Week #3, Week #2, and Week #1).  If you have found these interesting or like reading them, please let me know.  Hope you are finding these interesting and learning something, maybe even answering some of these questions/posts yourself.

So without further ado here’s this weeks (actually last week but got a little behind):

• Register for Vision 2013 and get a discount and Connect posts:  Are you going or interested in going to Symantec Vision, if you sign up using the Connect code get a discount off it and some points.  I’ve enjoyed the couple of times I’ve been to Vision and have learned a lot.  Hope to see you there
• ITA ports for SEP 11 SQL Database:  IT Analytics seems to be a pretty popular discussion point around Symantec Connect and this person is looking for specific ports and configuration information.  Drop me a note if you are interested in learning more about IT Analytics and how it can help you with reporting around Symantec Security products
• An Illustrated Guide to Installing Symantec Mobile Security 7.2: So I haven’t wrapped my brain around Symantec Mobile Security and need to.  This article covers installing/configuring the product.  Great article, give this dude lots of votes on this post
• 2 Tier Install of DLP 11.6 needs more than 2 servers?: This is an interesting article about how to setup a 2 Tier install of Symantec DLP and what type of servers are needed.  I’ve been doing a lot of work (consulting and architecture) around Symantec DLP so drop me a note if you need any help.
• DLP false positive incident: This is a common question when it comes to Symantec DLP.  How can I reduce the # of false positives that I’m getting within the system.  You will spend your entire DLP life working on incident count and how many you have.  A lot of time it comes to just changing the breadth of an incident or adding additional keyword requirements.  This might become a separate blog post in and of itself
• PGP Desktop and DLP Scanning: Yet something else I haven’t quite figured out… The person would like to scan encrypted SMTP traffic when the keys are stored at the Universal Server.  I have heard there is further integration coming along between DLP and Universal Server that might help the person out.  Also there is a KB article that might help out as well.  Will have to spend sometime figuring this out
• Do I have to use the Enterprise version of SQL for CSP?: No you don’t have to use SQL Enterprise for Critical Systems Protection.  There is an embedded Database that can be used but then you will not have access to IT Analytics for reporting.  SQL Standard edition is a supported database version as well.
• Migrating SCSP and DB:  This link is more of a place holder for me in case I ever have to deal with this.  The associated KB’s and links within the answers are the best place to get started.
• SEPM alerts if GUP is unreachable:  This Connect question is looking for a report for notification if the GUPs are unreachable and is a pretty interesting question.  The good part is the tool linked out of the comment created by the SEP product team (will be looking into it as well) found at this article.  Also one of the answers has a report that might be useful to do what the poster is asking for
• Embedded to SQL: A lot of people when they install SEP and the SEP Manager use the default install of the embedded database and then want to move to full SQL.  We at ITS always recommend using a full SQL database when doing an install.  This allows for better performance and also use of IT Analytics for reporting.  There a lot of links within this forum question on the best way to transition from the embedded database to a full SQL db.  Also this is something that we can help out from a services opportunity.  Drop me a note if you need help or interested.

Symantec Connect Posts Round Up #3

I’ve really enjoyed writing these posts and hope you are finding something interesting from the various Symantec Connect posts that I’ve been linking to.  IF you are wondering why most of them (if not all) focusing on the Security Community within Symantec Connect it is because that is the focus of my job.

So here’s week #2 and week #1 and without further ado, here is week #3

• Update the DLP system from version 10.5 to version 11.5 – This one goes on the record for longest connect post that I’ve seen in a long time (I actually shortened it for this blog post).  But it covers the process for updating your DLP system as you move from version 10.5 to 11.6 along w/ updating the server that everything runs on.  Remember if you are using 10.5 Windows Server 2008 R2 was not supported for hosting the Enforce platform on it.  Now with the latest version (11.6.1) Server 2008 R2 is supported and recommended for running the DLP Product on.  Read along with how to set this up.
• Choice of Symantec product for business security — what programs – While this is not as long as the other post listed above it i interesting.  What we have hear is someone who uses Backup Exec and is looking to understand what security products Symantec has to help him/her out
  • This is something I help out my customers with each day.  Let’s sit down and have a conversation about how Symantec can help you out and advance your security posture.  What is the real question or goal of your organization as it becomes more mature in your security practice.  Drop me an email, would love to help you out.
• SCCM (Systems Center Configuration Manager) – In this post the customer is looking to understand the best way to deploy Symatnec Endpoint Protection (SEP) by leveraging System Center for the deployment solution. Take a look at this article for a more complete answer to the question.  I know that my company will have a video up shortly about deploying SEP w/ both Altiris and Systems Center.
• Implementing change management and configuration management for vontu – So this is going to be a full article/blog post and once I post it I’ll link it here as well.  Stay tuned but this is VERY IMPORTANT to handle and take care of
• How to install DLP Client – This person is looking for help on deploying the Endpoint Agent on various machines in his/her organization.  There are numerous links in the comment section that can help out.  Also my company will putting up a video on this shortly as well.
• Comparing Symantec cMobile Security 7.2 and Norton Mobile Security   – This one fascinates me and I haven’t spent any time reading or digging into the differences between the products.  This article is more of an FYI to myself so I can further figure out what the two products are
• DLP – Let the User Decide – This post is still looking for answer, so if you can help awesome…  The end user is looking to see if there is a way to allow the end user to decide if an email that is blocked should be released or not.  I’m not quite sure if this is the best way to setup DLP but if you can help out this questioner let me know and I’ll try to give you extra Connect points.
• GnuPg PGP Desktop Email – This is a question that I have long wondered about as well and the answer is MAYBE.  That is it depends on the version of GnuPGP and PGP Desktop.  Try it out it should work.

So that’s that… I hope you are finding these links interesting and maybe can help some people out still looking for support.

Drop me a note and let me know if you find them worthwhile or not.

Configuring a detection server for an Endace card

After installing DLP as a Network Detection server there are additional configuration options that must be done both on the detection server and within the Enforce UI.

Installing the Endace card on the detection server

The first problem to be aware of is to make sure the Endace drivers and software is installed in a folder that has no spaces, c:\endace instead of the default: c:\program files\endace

From the Enforce server copy the dagextraconfig.bat from c:\vontu\protect\bin to c:\endace\dag-3.3.1\bin. Do not worry that this bat file is commented out, an error will be generated if this file is missing

Change the boot.ini to enable the /3GB switch

If you are running Windows Server 32-bit on the detection side the 3GB switch needs to be enabled in the boot.ini file. The following steps need to be done:

• Change the attributes on the file from the command type: attrib.exe –s –h –r c:\boot.ini
• Open the boot.ini in notepad
• Copy the line that reads like: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=”Windows Server 2003, Enterprise” /fastdetect /noexecute=alwaysoff
• At the end of the line add /3GB /userva=3030 so it will look like this: multi(0)disk(0)rdisk(0)partition(1)\WINDOWS=”Windows Server 2003, Enterprise” /fastdetect /noexecute=alwaysoff /3GB /userva=3030
• Restart the detection server

Once the span port is connected to the Endace card traffic can be verified by opening a command line, navigating to the c:\Endace\dag-3.3.1\bin directory and type: dagsnap –d0 –v –o tracefile, traffic should be displayed in the window.

Changing settings on the Enforce UI

The following settings need to be changed within the Enforce UI in order for Network Monitor to work correctly with an Endace card.

In the UI for Enforce navigate to System -> Overview and then select the correct detection server. Click on the Server Settings button and make changes to the following items::

• PacketCapture.IS_ENDACE_ENABLED from false to true
• PacketCapture.ENDACE_BIN_PATH to the location you installed the software to (c:\endace\dag-3.3.2\bin)
• PacketCapture.ENDACE_LIB_PATH to the location you installed the software to (c:\endace\dag-3.3.2\lib)
• PacketCapture.ENDACE_XILINX_PATH to the location you installed the software to (c:\endace\dag-3.3.2\xilinx)

After making the above changes, restart the Vontu services on each detection server using an Endace card. Once the services are back from restarting, select Configure, dag0 should be then select the Endace card

Enabling Live LDAP Lookup for Symantec DLP

I recently spent several days bashing my head against configuring LDAP lookup within the Symantec Enforce UI for a customer and ran into several problems. In fact I posted a forum post on Symantec Connect (https://www-secure.symantec.com/connect/forums/problems-live-ldap-lookup) discussing some of the problems that I was having. The following article is based on the pain and also some holes in the existing documentation. There are several guides on the Vontu Knowledge base (kb-vontu.altiris.com) specifically KB 42831

Note: Spelling countsas the files are case sensitive

The following steps need to done in the following order:

1. Configure the Plugins.Properties file in c:\vontu\protect\config
2. Configure the LiveLdapLookup.Properties file in c:\vontu\protect\config
3. Add the custom attributes in the Enforce UI
4. Reload the custom attributes in the Enforce UI
5. Profit

Configure the Plugins.Properties file

This file enables the different plugin files that can be used by Symantec DLP. As mentioned in the KB article the following lines need to be added: com.vontu.api.incident.attributes.AttributeLookup.plugins=Vontu Directory Classes,Vontu Live LDAP Lookup and also com.vontu.lookup.liveldap.LiveLdapLookup.properties = LiveLdapLookup.properties. These settings determine which plugins are being used.

Another item that needs to be configured is the attribute lookup parameters. Editing this section of the file is not included in the knowledge base entries. The default attribute lookup parameter is sender-email, which is commented out, uncomment it. If there are other items you will be searching (example: file-owner for Data at Rest items), uncomment them out. Save your changes.

Note: I have attached my working plugins.properties file

Configure the LiveLdapLookup.properties file

This section can be the most challenging to configure, remember this file is case sensitive, what is in Active Directory needs to be matched in this file along with what is configured in the Enforce UI. In looking at the knowledge base entry the common search criteria is email, however in most Active Directory environments the field is actually mail, if that is true the setting will look like the following: (mail=$sender-email$).

The next part that can cause the most trouble is configuring the base dn in the first part of the file. In my test lab my file looks like the following:

servername = dc.itslab.local

port = 389

basedn = DC=ITSLAB,DC=local

How did I determine my basedn? The kb article recommends Softera’s LDAP Browser, though I have used ADSI Edit from Microsoft (a part of the Windows 2003 Server tools). The following screenshot shows ADSI Edit for my test domain:

NOTE: The server is dc.itslab.local and then under DC=itslab,DC=local is what I put as my basedn. Remember spelling counts, the lookup will fail if you put in ITSLAB or LOCAL.

Once we have the basedn configured we need to configure the attribute lookup. Remember we need to make sure the attributes we are searching match both Active Directory and the attributes in the Enforce UI.

The default properties file contains the following example: attr.Company = cn=user:(mail=$sender-email$):Company. However in my environment we need to make changes based on how Active Directory is configured in your company. In the above example I need to search the OU ITS_Partners, which changes my search to attr.Company = OU=ITS_Partners:(mail=$sender-email):company. When I look in ADSI Edit I see the following screenshot:

Notice the lower case c for company matches what I am using in my attribute search. Save your changes and restart the Vontu Services.

Add the attributes in the Enforce UI

Once the text files are configured, we need to configure the attributes in the Enforce UI. Navigate in the console to System -> Attributes and click on the Custom Attribute tab as the following screenshot shows:

To add a custom attribute click on Add and then add the corresponding attribute you are looking for. Once all of your attributes are configured, click on the Reload Lookup Plugins button and verify things work correctly.

Testing Attribute Lookup

Now that we have our attributes configured in Enforce, let’s test them . Navigate to an existing incident in the Enforce UI and select Lookup. If you are successful the attributes should populate from Active Directory.

As you can see from the screenshot, I have populated First Name, Last Name, Title, Department, Location, and Company from Active Directory

Troubleshooting Tips

Some small troubleshooting tips:

1. Make sure spelling on all attributes and lookups match
2. Don’t forget to restart the Vontu services after making changes to one of the .properties file
3. Change the logging level for the plugin framework:
   1. In the ManagerLogging.properties edit com.vontu.logging.ServletLogHandler.level to FINER
   2. Add (if it doesn’t exist) com.vontu.lookup.script.level = FINER
4. Change the logging for LDAP lookup
   1. In the ManagerLogging.properties file add a line: com.vontu.diretory.ldap.LdapLookup.level = FINER
5. Review VontuManager.log and tomcat\localhost.[date].log for more information

Adding more space to the Users.DBF file

Problem: Errors in the console about clicking on invalid links, link timing out or corrupted incidents, also in the log files references to errors updating the User tablespace

 

Solution: Oracle has a hard limit of file sizes to 33GB and once that limit is hit and there are no other files available the system will stop writing to the database. In order to solve this problem we needed to create additional DBF files for the user field. By default the installation creates only one USERS01.DBF file.

To create additional files follow these steps:

1. Open up a command prompt
2. Launch SQLPLUS by typing the following command sqlplus /nolog and hit enter
3. From the SQL> prompt type connect sys as sysdba and hit enter
4. Provide the password for sys:
5. From the SQL> prompt type: alter tablespace “USERS” ADD DATAFILE ‘d:\oracle\product\10.2.0\oracdata\protect\users02.dbf’ size 138240k reuse autoextend on next 10240k maxsize 32767M
   1. Provide the full path to the location of the database
   2. Change USERS02.dbf to a different name
6. Repeat as needed
7. Restart Oracle and Vontu Services

Data will begin to flow into the DLP system after the restart

Two Quick DLP Links

Just clearing some things from my web browser:

 

http://thera.ilikehandbag.com/2010/07/18/why-you-must-have-a-data-loss-prevention-strategy/ 

http://www.brighttalk.com/summit/1541

New Webcast: Symantec DLP, SEP and Workflow

On August 24, 2010 I will be presenting a webcast for work as a part of our normal webcast series. This time I will be presenting on Symantec DLP, SEP and Workflow and an example on how you can use Workflow as a product to tie two other Symantec products together that do not necessarily connect. If you are interested feel free to sign up here: https://www1.gotomeeting.com/register/543228689. The text below is from our marketing guy

In this webcast the experts at ITS Partners will discuss how you can use Symantec’s Workflow Solution to

trigger a SEP lockdown of a device.

A DLP incident triggers a workflow which locks down an environment and also notifies your IT staff.

We will cover the pre-built workflow that ships w/ DLP 10.5 and talk about how you can integrate multiple Symantec products together using Symantec Workflow Solution.

Symantec Workflow optimizes efficiency, enforces processes and policies, and automates redundant tasks. It accelerates the delivery of IT and business process without process experts having to know or write complicated code or adding undue costs. Symantec Workflow ties together Symantec and other environments to connect people, process and information and to automate and enforce procedures all within an easy to use and comprehensive product.

Symantec Data Loss Prevention (DLP) delivers a unified solution to discover, monitor, and protect confidential data wherever it is stored or used. With DLP, Symantec continues to shift the focus of security from locking down infrastructure to protecting the information itself.

Gartner announces Symantec is a leader in three magic quadrants

Saw this come across one of my Google Alerts and wanted to pass it around.  Gartner’s Magic Quadrant is made up of four sections (quadrants):

• Leaders
• Score high on ability to execute and completeness of vision
• Challengers
• Score high on ability to execute and lower on completeness of vision
• Visionaries
• Score lower on the ability to execute and higher on the completeness of vision
• Niche Players
• Score lower on both criteria but are new to additions to the Magic Quadrant

For more information see this Wikipedia entry on the Magic Quadrant.

The three reports are:

• Secure Email Security with Symantec Brightmail Gateway
• Security Information and Event Management with Symantec Security Information Manager
• Content-Aware Data Loss Prevention with Symantec Data Loss Prevention

You can see the press announcement herehttp://www.symantec.com/about/news/release/article.jsp?prid=20100712_01

Upcoming DLP Webcast: DLP 10.5 & Data Insight

One of the things my company does is webcasts hosted twice a month.These are free and provide information about upcoming Symantec products or can provide training on how to use one of the Symantec products.

In June, I am presenting a webcast on DLP 10.5 and the new feature Data Insight.

ITS will answers questions like:
- “Whose Data Is It Anyway?”
-  "Who owns the data?"
- " How is the data used?"
- "How do I protect the data?"
Data Insight and Data Loss Prevention
Data Insight will first be available as part of Symantec Data Loss Prevention and will be the only data loss prevention solution to deliver an integrated data owner and remediation capability. Unstructured data on shared file systems is a large source of critical business information, and over-exposed content presents a significant risk for data breaches. Data Insight with Symantec Data Loss Prevention helps organizations identify their most critical information and enables simplified data clean-up and remediation through automated data owner identification. Data Insight also provides continuous monitoring and auditing of data usage to help ensure adherence with corporate policies and regulatory compliance. In addition, the technology monitors who has accessed or modified individual files, and can notify information security teams and data owners that data has been exposed. Armed with visibility into who is accessing and using the information, organizations can make rule-based ownership inferences and alter access to stored data in order to prevent data breaches.

 

Data Insight provides information on unstructured data, data that sits in a file share and provides information on how that data is used, who is using, etc.

Join us for the webcast and learn about this great product

OpenDLP: A review

I don’t tend to read many Slashdot articles these days, but follow the RSS feed in Google Reader.  A recent article covered a product that caught my eye: OpenDLP.

The code is pretty raw right now, it is at version .1 in the cycle so hopefully a lot of growth and change will come to the product.  From the project’s homepage:

OpenDLP is a free and open source, agent-based, centrally-managed, massively distributable data loss prevention tool released under the GPL. Given appropriate Windows domain credentials, OpenDLP can simultaneously identify sensitive data at rest on hundreds or thousands of Microsoft Windows systems from a centralized web application. OpenDLP has two components: a web application and an agent.

The first thing I notice about this product is that it only deals with one area of potential data loss: the Endpoint.  It might be the maturity of the product that the author hasn’t looked into the other areas: Data in Motion (data traveling over the network) and Data at Rest (data in storage).

The other issue I have is that right now the database is not encrypted which would be a major data loss issue if the DB was compromised.

The good thing is the product does cover the endpoint and seems to cover it very well.   Looking forward to following the development and will try to contribute to it as much as I can.