SWG 7.X DLP Capabilities

Hi all,

Does anyone know anything about the DLP capabilities of the web appliance?

Because I've only seen a few options under the malware engine about network behavior and DLP, and I don't really understand what they do. Is that it?

I was thinking about building a wildcard filtering rule, making it match any "content", and if it matches -> block, and so on.

But I can't figure out how to make it work. Also, can it track a document's content, or only an HTTP/FTP/HTTPS information POST, or none of them?

In the end I need to understand whether this appliance can act as a DLP device, and in what terms.

Many thanks.

9 Replies
McAfee Employee
Message 2 of 10

Re: SWG 7.X DLP Capabilities

Hi,

Generally, MWG has all the required tools on board: we have archive openers, document openers, can extract text, check inside POSTs, even in SSL, etc.

The thing we don't have is simply a lexicon/template that contains stuff like special phrases for HIPAA, PCI, SOX and the like.

What you can do is create a rule that will match extracted text against a list. You need to have the composite opener enabled.

If Media.Type ensured matches at least one in list

AND

Body.Text matches in list

then block.

This was tested with MS Office Documents.

Attaching a rule.

best,

Michael

Message was edited by: Michael Schneider on 04/11/2010 12:22:22 CET
McAfee Employee
Message 3 of 10

Re: SWG 7.X DLP Capabilities

In addition, here are my test docs. The Test URL I used is http://www.csm-testcenter.org/test?do=show&subdo=common&test=file_upload

best,

Michael

Re: SWG 7.X DLP Capabilities

Many Thanks!

Very explicative and exhaustive.

I've done my custom policy for DLP!

bperez
Level 10
Message 5 of 10

Re: SWG 7.X DLP Capabilities

Hi Michael,

How can I import the dictionaries for HIPAA, SOX, etc. from "Email and Web Security 5.6 Appliances"? If other McAfee products have the lexicon/templates, why not import them into MWG?

Regards

McAfee Employee
Message 6 of 10

Re: SWG 7.X DLP Capabilities

Hello,

The best answer would be 'please be patient'. For more info, contact me by PM on this forum.

best,

Michael

geek
Level 10
Message 7 of 10

Re: SWG 7.X DLP Capabilities

Greetings!

I am testing the DLP capabilities in Web Gateway 7.2 and I've got some questions. Maybe someone can help me with them?

1. When using the criterion DLP.Dictionary.BodyText.Matched <TEST Dictionary> for blocking, it is necessary that all the terms of the dictionary (TEST Dictionary) are in the POST message. How do I set up the rule so that the presence of any term from the dictionary triggers blocking?

2. How do I get reports on the users for whom a block was performed according to DLP policies?

Thanks in advance.

alexott
Level 11
Message 8 of 10

Re: SWG 7.X DLP Capabilities

When you're using the DLP.Dictionary property, it will match if any of the specified terms is present in the Body.Text property. But don't forget to enable Composite Openers before using any property that uses Body.Text.

Regarding reporting, I think that you can write all necessary data into a log file and then analyze it.

geek
Level 10
Message 9 of 10

Re: SWG 7.X DLP Capabilities

Hi. Thanks for your reply.

When I use DLP.Dictionary.Body.Text.Matched I can choose only equals or does not equal operator.

Message was edited by: geek on 7/19/12 4:58:23 PM GMT+03:00
alexott
Level 11
Message 10 of 10

Re: SWG 7.X DLP Capabilities

Yes, this is by design. The DLP in MWG 7.2 works the following way:

  • You create your own dictionary or select classifications from lists
  • You create a rule "DLP.XXXX.Matched equal true", and this rule will fire when the DLP Engine finds something from the selected classifications or your dictionary
  • If the value of DLP.XXXX.Matched is true, then the properties "DLP.XXXX.MatchedTerms" and "DLP.Classification.XXXX.MatchedClassifications" will be filled with information about the matched data, and you can use the information from these properties for logging
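
Added example, not part of the thread and not McAfee code: a per-user report built from a log of DLP blocks, following the suggestion above to log the matched terms and analyze the file afterwards. The log layout, the sample lines and the function names are assumptions; the sketch presumes a logging rule that writes one tab-separated line per block with the user, client IP, URL and the contents of the MatchedTerms property.

```python
from collections import Counter, defaultdict

# Constructed sample. Assumed layout (not a product default): one line per DLP
# block, tab-separated: timestamp, user, client IP, URL, matched terms (";"-joined).
SAMPLE_LOG = (
    "2012-07-19T10:02:11\talice\t10.0.0.5\thttp://upload.example/post\tProject Falcon;Confidential\n"
    "2012-07-19T10:05:40\tbob\t10.0.0.9\thttp://files.example/up\tconfidential\n"
    "2012-07-19T10:09:02\talice\t10.0.0.5\thttp://files.example/up\tproject falcon\n"
    "2012-07-19T10:11:30\t-\t10.0.0.23\thttp://upload.example/post\tConfidential\n"
    "truncated line without fields\n"
)


def summarize_dlp_blocks(log_text):
    """Aggregate DLP block events per user; returns (report, skipped_lines)."""
    report = defaultdict(lambda: {"blocks": 0, "terms": Counter(), "urls": set()})
    skipped = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            skipped += 1  # malformed or truncated line: count it, do not guess
            continue
        _timestamp, user, client_ip, url, terms = fields
        # Unauthenticated requests carry no user name; key them by client IP.
        key = user if user not in ("", "-") else "ip:" + client_ip
        entry = report[key]
        entry["blocks"] += 1
        entry["urls"].add(url)
        # Case-fold terms so "Confidential" and "confidential" count together.
        entry["terms"].update(t.strip().lower() for t in terms.split(";") if t.strip())
    return dict(report), skipped


def top_users(report, n=10):
    """Users ordered by number of blocks, highest first (ties broken by name)."""
    ranked = sorted(((u, e["blocks"]) for u, e in report.items()),
                    key=lambda pair: (-pair[1], pair[0]))
    return ranked[:n]


if __name__ == "__main__":
    report, skipped = summarize_dlp_blocks(SAMPLE_LOG)
    for user, blocks in top_users(report):
        print(user, blocks, dict(report[user]["terms"]))
    print("skipped lines:", skipped)
```

A non-zero skipped count is worth checking before trusting the totals, since it means some block events did not reach the report.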