6285 Views 31 Replies Latest reply: Apr 7, 2014 9:51 AM by mdnramos
smalldog Champion 616 posts since
Nov 12, 2009

Jul 2, 2012 9:42 PM

Config NDLP Prevent

Hi All, have you got any guides about mode and config NDLP Prevent in monitor (span port)? Thanks All!


- - - - - - - - - - - - - - -
McAfee Customer
Smalldog
  • georgec Champion 244 posts since
    Sep 9, 2010
    1. Jul 4, 2012 2:47 AM (in response to smalldog)
    Re: Config NDLP Prevent

    for monitor/span port you have to use the NDLP Monitor.

  • georgec Champion 244 posts since
    Sep 9, 2010
    3. Jul 4, 2012 3:04 AM (in response to smalldog)
    Re: Config NDLP Prevent

    If you just want to monitor, you can install NDLP Monitor on the appliance and you'll have visibility in a lot more protocols - this is the easiest way. Just install it, and the 2 separate additional NICs can be connected in a mirrored port where they'll start indexing traffic immediately.

    For preventing, you need a web proxy that supports being an ICAP client and an e-mail gateway that can inspect and take actions based on custom headers.

     

    George

  • georgec Champion 244 posts since
    Sep 9, 2010
    5. Jul 4, 2012 3:16 AM (in response to smalldog)
    Re: Config NDLP Prevent

    I'm not sure there's such a guide and I had to find out things by trial and error. When in prevent mode, it will be using the management interface (the one you're using to access the web gui) for icap, e-mail relaying and management and I don't believe you can change this. You will need connectivity for the interface for SMTP traffic, ICAP and https for administration.

    For http/s, you'll need to add on the proxy the following icap server address:

    icap://<IP address of mgmt. port of Prevent>:1344/reqmod

     

    for e-mail, you need to configure your e-mail system to send all outgoing e-mail to NDLP Prevent, then the NDLP Prevent will be sending messages to an e-mail gateway. The e-mail gateway needs to inspect the headers for actions. I can't find out now what the e-mail headers look like, but you can just send an e-mail through it and check the header.

     

    George

     

    Message was edited by: georgec on 7/4/12 3:16:53 AM CDT
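For the http/s side of George's post, here is what the proxy actually puts on the wire to that icap://...:1344/reqmod address. This is an added example, not code from the thread or from McAfee: it builds the ICAP REQMOD message the way RFC 3507 specifies and classifies the reply using the RFC's status semantics (204 = forward unchanged, 200 with a res-hdr section = the ICAP server answered with its own HTTP response, which is how a block page comes back). The host name, the sample upload and the sample replies are constructed placeholders; the thread does not show how Prevent formats a real reply, so run the `dlp_check()` function against your own appliance to see it.

```python
"""Added example: the ICAP REQMOD exchange between a web proxy and an
NDLP Prevent service on port 1344 (/reqmod). Host name and sample
replies are constructed placeholders, not captured from an appliance."""
import socket

ICAP_HOST = "dlp-prevent.example"   # placeholder for the Prevent management IP
ICAP_PORT = 1344                    # port named in the thread
ICAP_URI = f"icap://{ICAP_HOST}:{ICAP_PORT}/reqmod"


def build_reqmod(http_headers: bytes, http_body: bytes, icap_uri: str = ICAP_URI) -> bytes:
    """Encapsulate an HTTP request in an ICAP REQMOD message.

    Offsets in Encapsulated are relative to the start of the encapsulated
    section and the body is chunked (RFC 3507, sections 4.4 and 4.5).
    """
    if not http_headers.endswith(b"\r\n\r\n"):
        raise ValueError("HTTP headers must end with an empty line")
    host = icap_uri.split("//", 1)[1].split("/", 1)[0]
    if http_body:
        encapsulated = f"req-hdr=0, req-body={len(http_headers)}"
        chunked = f"{len(http_body):x}\r\n".encode() + http_body + b"\r\n0\r\n\r\n"
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_headers)}"
        chunked = b""
    icap_head = (
        f"REQMOD {icap_uri} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        "Allow: 204\r\n"                          # server may answer 204 (no change)
        f"Encapsulated: {encapsulated}\r\n\r\n"
    ).encode("ascii")
    return icap_head + http_headers + chunked


def parse_icap_response(raw: bytes) -> dict:
    """Split an ICAP reply into status, headers and payload and derive a verdict."""
    head, _, payload = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    _version, status, _reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    status = int(status)
    encapsulated = headers.get("encapsulated", "")
    if status == 204:
        verdict = "pass"        # forward the original request unchanged
    elif status == 200 and "res-hdr" in encapsulated:
        verdict = "block"       # server replaced the upload with its own HTTP response
    elif status == 200:
        verdict = "modified"    # server returned an altered request to forward
    else:
        verdict = "error"       # proxy applies its own fail-open/fail-closed policy
    return {"status": status, "verdict": verdict, "headers": headers, "payload": payload}


def dlp_check(http_headers: bytes, http_body: bytes,
              host: str = ICAP_HOST, port: int = ICAP_PORT, timeout: float = 5.0) -> dict:
    """Send one REQMOD to a live ICAP server and return the parsed verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_reqmod(http_headers, http_body))
        buf = b""
        while b"\r\n\r\n" not in buf:             # read the ICAP head
            data = sock.recv(65536)
            if not data:
                break
            buf += data
        head = buf.split(b"\r\n\r\n", 1)[0]
        if not head.startswith(b"ICAP/1.0 204") and b"null-body" not in head:
            while not buf.endswith(b"0\r\n\r\n"):  # read the chunked payload to its end
                data = sock.recv(65536)
                if not data:
                    break
                buf += data
    return parse_icap_response(buf)


# Constructed sample input: an outbound form upload as the proxy would see it.
SAMPLE_HEADERS = (b"POST /upload HTTP/1.1\r\nHost: files.example.net\r\n"
                  b"Content-Type: text/plain\r\nContent-Length: 31\r\n\r\n")
SAMPLE_BODY = b"customer SSN 123-45-6789 (fake)"

# Constructed sample replies in RFC 3507 form, not captured from an appliance.
SAMPLE_PASS = (b'ICAP/1.0 204 No Content\r\nISTag: "dlp-policy-1"\r\n'
               b"Encapsulated: null-body=0\r\n\r\n")
BLOCK_PAGE = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
              b"Content-Length: 21\r\n\r\n")
SAMPLE_BLOCK = (b'ICAP/1.0 200 OK\r\nISTag: "dlp-policy-1"\r\n'
                + f"Encapsulated: res-hdr=0, res-body={len(BLOCK_PAGE)}\r\n\r\n".encode()
                + BLOCK_PAGE + b"15\r\n<p>Upload blocked</p>\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(build_reqmod(SAMPLE_HEADERS, SAMPLE_BODY).decode())
    for reply in (SAMPLE_PASS, SAMPLE_BLOCK):
        print(parse_icap_response(reply)["verdict"])
```

The `Allow: 204` header matters: without it the server has to echo the whole request back even when it has nothing to change. The `error` branch is where the proxy's fail-open/fail-closed setting decides what happens when the appliance is down or the management interface is unreachable, which is worth testing before go-live since George notes everything (ICAP, SMTP relay, web gui) shares that one interface.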
  • Regis Champion 457 posts since
    Oct 6, 2010
    7. Jul 5, 2012 4:02 PM (in response to smalldog)
    Re: Config NDLP Prevent

    DLP is complex. Even with McAfee certified help under the McAfee banner, our deployment of exactly what you're describing has been a bit of a nightmare if I'm being honest. I fear for your customer smalldog, and I think you're in for one heck of a time yourself because McAfee really struggles at putting all these pieces together aside from one SE I've met. Even their own contracted pro services folks... no one knows the breadth of this stuff nearly well enough it seems.

     

    Yes, monitor may give you more awareness to additional protocols, but if email is headed out encrypted, or there's https involved as there is in any chat or social networking site anywhere, Monitor is going to be nearly useless because it won't be in the middle of encrypted web sessions. That's where an SSL middling web proxy that pushes upload requests off to DLP prevent for analysis is useful, and Prevent getting in the middle of outbound mail as an smtp relay is useful.

     

    The mail path can be exchange -> MEG -> prevent -> MEG -> out or some environments will do exchange -> prevent -> MEG and out or ... there are many ways to do it. A lot depends on what email servers you're on, and whether they can be configured to do things with X-RCIS headers such as allow/block/quarantine or not.

     

    Oh, and good luck finding any training for NDLP.  There isn't any, at least last I checked.
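Both George's "the e-mail gateway needs to inspect the headers for actions" and Regis's X-RCIS allow/block/quarantine point come down to the same piece of gateway logic, so here is one added example of it (mine, not from the thread or from McAfee). It models the gateway's decision for a message handed back by Prevent in the exchange -> prevent -> MEG path. The header name `X-RCIS-Action` and the ALLOW/BLOCK/QUART values are assumptions, as is the relay address; George's advice to send a message through and look at the real header is the way to confirm them. The two defensive choices it bakes in, trusting the verdict header only when the message arrived from the Prevent relay and failing closed when no verdict is present, are mine.

```python
"""Added example: an e-mail gateway acting on the verdict header that an NDLP
Prevent relay adds. Header name, values and relay IP are assumptions."""
from email import policy
from email.parser import BytesParser

ACTION_HEADER = "X-RCIS-Action"          # assumed header name; verify on a real message
ACTION_MAP = {"ALLOW": "deliver", "BLOCK": "reject", "QUART": "quarantine"}  # assumed values
SEVERITY = {"deliver": 0, "quarantine": 1, "reject": 2}
DEFAULT_ACTION = "quarantine"            # fail closed: no verdict means hold the message
PREVENT_RELAY_IP = "192.0.2.10"          # placeholder (TEST-NET) for the Prevent mgmt interface


def decide(raw_message: bytes, peer_ip: str) -> dict:
    """Return the gateway's action for one message received from peer_ip."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    if peer_ip != PREVENT_RELAY_IP:
        # A verdict header on mail that did not come through Prevent is not a verdict:
        # anyone can type a header, so the message never gets the ALLOW shortcut.
        return {"action": DEFAULT_ACTION, "reason": f"not received from Prevent ({peer_ip})"}
    values = [v.strip().upper() for v in msg.get_all(ACTION_HEADER, [])]
    if not values:
        return {"action": DEFAULT_ACTION, "reason": "no verdict header"}
    actions = []
    for value in values:
        if value not in ACTION_MAP:
            return {"action": DEFAULT_ACTION, "reason": f"unknown verdict {value!r}"}
        actions.append(ACTION_MAP[value])
    # Several verdicts on one message (e.g. one per matched rule): the strictest wins.
    chosen = max(actions, key=SEVERITY.__getitem__)
    return {"action": chosen, "reason": f"{ACTION_HEADER}: {', '.join(values)}"}


def strip_action_headers(raw_message: bytes) -> bytes:
    """Remove the verdict header before a delivered message leaves the organisation."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    del msg[ACTION_HEADER]               # deletes every occurrence
    return msg.as_bytes()


def _sample(action_lines: bytes) -> bytes:
    """Build a constructed outbound message with the given verdict header line(s)."""
    return (b"From: alice@corp.example\r\nTo: bob@partner.example\r\n"
            b"Subject: Q3 customer list\r\n" + action_lines + b"\r\nsee attached\r\n")


# Constructed samples, not captured from an appliance.
SAMPLE_CLEAN = _sample(b"X-RCIS-Action: ALLOW\r\n")
SAMPLE_BLOCKED = _sample(b"X-RCIS-Action: BLOCK\r\n")
SAMPLE_MIXED = _sample(b"X-RCIS-Action: ALLOW\r\nX-RCIS-Action: QUART\r\n")
SAMPLE_UNTAGGED = _sample(b"")

if __name__ == "__main__":
    for name, raw in [("clean", SAMPLE_CLEAN), ("blocked", SAMPLE_BLOCKED),
                      ("mixed", SAMPLE_MIXED), ("untagged", SAMPLE_UNTAGGED)]:
        print(name, decide(raw, PREVENT_RELAY_IP))
    print("spoofed", decide(SAMPLE_CLEAN, "198.51.100.7"))
```

The untagged case is the one that bites in the exchange -> prevent -> MEG layout: if the Prevent relay is bypassed or down and the gateway defaults to deliver, the DLP control silently disappears, which is why the default here is quarantine rather than deliver. Stripping the header on the way out keeps the policy verdict from leaking to the recipient.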
