Course 201 – Administration, Content Inspection and SSL VPN


1 Data Leak Prevention

2 Module Objectives
By the end of this module participants will be able to:
- Identify the data types that can be monitored through FortiGate DLP
- Define regular and compound rules
- Define DLP sensors
- Define firewall policies using DLP sensors

3 Data Leak Prevention
Diagram: Filter 1, Filter 2, Filter 3 -> DLP Sensor -> Perform Action
FortiGate Data Leak Prevention stops sensitive information from leaving the organization. Define sensitive data patterns, and traffic matching a pattern is blocked by the FortiGate unit. DLP inspection can be applied to the following traffic types: email, HTTP, HTTPS, FTP, NNTP, and instant messaging. Create filters to define the data patterns to match, then combine the filters into sensors and assign the sensors to a firewall policy. Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it can also be used to prevent unwanted data from entering your network and to archive content passing through the FortiGate unit.

4 Data Leak Prevention
Diagram: Filter 1, Filter 2, Filter 3 -> DLP Sensor -> Perform Action
- FortiGate Data Leak Prevention prevents sensitive information from leaving the organization
- Filters define fingerprint, file filter, file size, regular expression and rules (advanced and compound)
- Filters are collected into sensors
- Sensors are assigned to a firewall policy
- An action is performed when the sensor is triggered

5 DLP Inspection Methods
Proxy-based
- Data content is examined in detail, providing the highest level of analysis as it flows through the FortiGate unit
- Increased use of system resources due to high memory and CPU requirements
Flow-based
- Flow-based scanning inspects the session in chunks, as opposed to the whole session as in proxy-based inspection
- Data cannot be examined in full, so results may not be as accurate or reliable; a pattern that straddles a chunk boundary can be missed
- Inspection is faster with a lower impact on system resources compared to proxy-based inspection

6 Flow-based DLP
- Uses the IPS engine to perform Data Leak Prevention
- Select the inspection method when editing DLP sensors
CLI example:
config dlp sensor
    edit "default"
        set flow-based enable
    end

7 Monitored Data Types
File types monitored include:
- Text, including HTML and email content
- Plaintext content of PDF files
- Pre-2007 MS Word files
- Office 2007 files

8 Data Leak Prevention Sensors
Diagram: DLP Sensor -> Filters (Fingerprint, File Type, Advanced Rule, Compound Rule) -> Actions
A DLP sensor is made of one or more DLP filters (regular and compound rules). The filters control which actions will be applied to matching traffic. DLP is configured by creating individual filters that can be based on:
- DLP fingerprints
- files of a particular type or name
- files larger than a specified size
- data matching a specified regular expression
- traffic matching an advanced rule or compound rule
Actions that can be applied to matching traffic include:
- Log Only: the FortiGate unit takes no action on matching network traffic; however, the filter match is logged. Other matching filters in the same sensor may still operate on the matching traffic.
- Block: traffic matching a rule with this action is not delivered and a replacement message is delivered instead.
- Exempt: prevents any DLP filters from taking action on matching traffic. This action overrides the action assigned to other matching filters.
- Quarantine User: if the user is authenticated, this action blocks all traffic to or from the user using the protocol that triggered the rule, and the user is added to the banned user list. If the user is not authenticated, this action blocks all traffic of the protocol that triggered the rule from the user's IP address, and a "Banned by data leak prevention" replacement message is displayed.
- Quarantine IP address: blocks access from any IP address that sends traffic matching a filter with this action. The IP address is added to the banned user list and a replacement message is displayed for all connection attempts from this IP address.
- Quarantine interface: blocks network traffic for all users connecting through the interface that received the traffic matching a filter with this action. A replacement message is displayed for all connection attempts on the interface.
Quarantine User, Quarantine IP and Quarantine Interface provide functionality similar to NAC Quarantine; however, DLP blocks users and IP addresses at the application layer, while NAC Quarantine blocks IP addresses and interfaces at the network layer.
Archive: Full or Summary
Sensitivity: Critical, Private, Warning
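The way these per-filter actions combine into one verdict for a transfer is easy to get wrong, so here is an added example (not code from the course or from Fortinet) that models the semantics on this slide: every match is logged, Exempt overrides every other matching filter, Log Only never stops other filters from acting, and Quarantine User falls back to the source IP when the user is not authenticated. The event fields, filter names, sample events and the assumption that a quarantine action outranks a plain Block are illustrative choices, not Fortinet behaviour.

```python
# Added example (not Fortinet code): combining DLP filter actions into a verdict.
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, object]


@dataclass
class DlpFilter:
    name: str
    match: Callable[[Event], bool]  # predicate over one transfer
    action: str                     # log-only | block | exempt | quarantine-user | quarantine-ip | quarantine-interface
    archive: str = "none"           # none | summary | full


@dataclass
class Verdict:
    action: str                     # pass | block | quarantine-*
    matched: List[str] = field(default_factory=list)
    log_entries: List[str] = field(default_factory=list)
    archive: str = "none"           # strongest archive setting among matching filters
    banned: str = ""                # what would be added to the banned list, if anything


# Assumed ordering: a quarantine action both blocks and bans, so it outranks plain Block.
STRENGTH = {"log-only": 0, "block": 1,
            "quarantine-user": 2, "quarantine-ip": 2, "quarantine-interface": 2}
ARCHIVE_RANK = {"none": 0, "summary": 1, "full": 2}


def evaluate_sensor(filters: List[DlpFilter], event: Event) -> Verdict:
    v = Verdict(action="pass")
    exempt = False
    for f in filters:
        if not f.match(event):
            continue
        v.matched.append(f.name)
        # Every match is logged, even when the action is Log Only or another
        # filter ends up deciding what happens to the traffic.
        v.log_entries.append(f"{f.name} -> {f.action}")
        if ARCHIVE_RANK[f.archive] > ARCHIVE_RANK[v.archive]:
            v.archive = f.archive
        if f.action == "exempt":
            exempt = True            # overrides whatever the other filters decided
        elif STRENGTH[f.action] > STRENGTH.get(v.action, -1):
            v.action = f.action
    if exempt or v.action == "log-only":
        v.action = "pass"
    if v.action == "quarantine-user":
        # Authenticated user -> ban the user; otherwise fall back to the source IP.
        v.banned = event.get("user") or f"ip:{event['src_ip']}"
    elif v.action == "quarantine-ip":
        v.banned = f"ip:{event['src_ip']}"
    elif v.action == "quarantine-interface":
        v.banned = f"interface:{event['ingress']}"
    return v


# Constructed sensor: four filters with different actions.
SENSOR = [
    DlpFilter("large-upload", lambda e: e["proto"] == "http" and e["size"] >= 5 * 1024 * 1024,
              "log-only", archive="summary"),
    DlpFilter("zip-archive", lambda e: e["filetype"] == "zip", "block"),
    DlpFilter("hr-share-exempt", lambda e: e["dst"] == "hr.example.internal", "exempt"),
    DlpFilter("card-number", lambda e: "credit-card" in e["tags"], "quarantine-user", archive="full"),
]


def demo() -> Dict[str, Verdict]:
    """Constructed transfer events run through SENSOR."""
    base = {"proto": "http", "src_ip": "10.1.1.20", "ingress": "port2",
            "dst": "files.example.com", "user": "", "tags": (), "size": 0, "filetype": "text"}
    big_zip = {**base, "size": 6 * 1024 * 1024, "filetype": "zip"}
    hr_zip = {**big_zip, "dst": "hr.example.internal"}
    card = {**base, "size": 2048, "user": "alice", "tags": ("credit-card",)}
    return {
        "big_zip": evaluate_sensor(SENSOR, big_zip),      # logged by large-upload, blocked by zip-archive
        "hr_zip": evaluate_sensor(SENSOR, hr_zip),        # same, but Exempt wins -> pass
        "card_auth": evaluate_sensor(SENSOR, card),       # authenticated user is banned
        "card_anon": evaluate_sensor(SENSOR, {**card, "user": ""}),  # falls back to the IP
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```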

9 Data Leak Prevention Sensors
Diagram: DLP Sensor "Classroom Sensor" -> Firewall policy
Once a sensor is configured, it is applied to network traffic through a firewall policy. Any traffic handled by the firewall policy is examined according to the DLP sensor configuration.

10 Data Leak Prevention Sensors
Diagram: DLP Sensor "Classroom Sensor" -> Firewall policy
- Data leak filters (file type, file size, compound rule etc.) are collected into a sensor
- The sensor is in turn applied to a firewall policy
- Any traffic examined by the policy has the DLP operations applied to it

11 File Type Filtering
Diagram: File Type Filters (JPEG image, BMP image, Cab archive, Zip archive, Executable) -> Block or Allow
File types are a means of filtering based on the file contents, regardless of the file name. If you block the file type ZIP, all zip archives are blocked even if they were renamed with a different extension. The FortiGate unit examines the file contents to determine what type of file it is and then acts accordingly. Only supported file types can be used in the filter; to filter based on file type, select the required file type from the predefined list.
- The Ignored Filetype is used for traffic that the FortiGate unit typically does not scan, including streaming audio and video
- The Unknown Filetype is used for any file type that is not listed in the table
Before the FortiGate unit can filter files by type, a file filter list must be created.

12 File Type Filtering
Diagram: File Type Filters (JPEG image, BMP image, Cab archive, Zip archive, Executable) -> Block or Allow
- Filter based on file contents, regardless of file name
- Files can be blocked even if the extension was changed
- Supported file types are listed on the FortiGate unit

13 File Type Filtering: supported file types
Archive                        arj, cab, lzh, rar, tar, zip, bzip, gzip, bzip2
Batch File                     bat
Common Console Document        msc
Encoded Data                   uue, mime, base64, binhex
Executable                     elf, exe
HTML Application               hta
HTML File                      html
Java Application Descriptor    jad
Java Compiled Bytecode         cod
Javascript File                javascript
Microsoft Office               msoffice
Packer                         fsg, upx, petite, aspack
Palm OS Application            prc
Symbian Installer System File  sis
Windows Help File              hlp
ActiveMime                     activemime
Images                         jpeg, gif, tiff, png, bmp
Ignored Filetype               Used for traffic the FortiGate unit does not typically scan
Unknown Filetype               Used for any file type not listed in the table
The ignored type covers traffic the unit typically does not scan, primarily streaming audio and video.

14 File Name Pattern
Diagram: File Name Pattern Filters *.jpg and nice*.jpg applied to mona.jpg, painting.jpg, nicepainting.png, nicepainting.jpg -> Block or Allow
Once the full file is received, the FortiGate unit checks the file against the file name pattern filter. File name patterns are a means of filtering based purely on the names of files. The file pattern can be an exact file name or can include wildcards (*). A full or partial file name, a full or partial file extension, or any combination can be used to set the match criteria. File pattern entries are not case sensitive. The filter checks file names or extensions against a built-in or custom pattern, for example *.exe.
Actions on files that match a configured pattern can be set to block or allow:
- Block: if the file name matches a defined blocked pattern, the file is stopped and a replacement message is sent to the end user. No other levels of protection are applied.
- Allow: files are compared to the enabled file name patterns from top to bottom. If the matching file filter action is Allow, the file passes on to antivirus scanning. Files are allowed unless explicitly blocked. Using the allow action, this behaviour can be reversed so that all files are blocked (using *.* for example) except for patterns specifically defined above it (for example *.jpeg). If the file name does not match a blocked pattern, the next level of protection is applied.
Before the FortiGate unit can filter files by pattern, a file filter list must be created.
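Slides 11 to 14 describe two different match criteria (file type decided from the file's contents, file name decided from a pattern) evaluated through one ordered file filter list. The following is an added example, not code from the course or from Fortinet, showing both in one list walked top to bottom with a default of allow: a ZIP renamed to .TXT is still blocked by its magic bytes, and an "allow *.jpg then block *.*" list inverts the default. The signature table, the entry shape (kind, value, action) and the sample files are assumptions made for this illustration; the FortiGate unit has its own detection engine.

```python
# Added example (not Fortinet code): an ordered file filter list mixing
# content-based type entries and name-based pattern entries.
import fnmatch
from typing import List, Optional, Tuple

# Leading byte signatures for a subset of the types on slide 13 (assumed table).
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"MSCF", "cab"),
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"MZ", "exe"),
    (b"\x7fELF", "elf"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"BM", "bmp"),
]
ARCHIVE_TYPES = {"zip", "cab", "rar", "gzip", "bzip2"}  # the slide's "Archive" category


def detect_type(data: bytes) -> str:
    """Classify by content only; anything without a known signature is 'unknown'."""
    for sig, ftype in MAGIC:
        if data.startswith(sig):
            return ftype
    return "unknown"


# A filter entry is (kind, value, action): kind is "type" or "pattern",
# action is "block" or "allow".
FilterEntry = Tuple[str, str, str]


def apply_file_filter(entries: List[FilterEntry], name: str, data: bytes) -> Tuple[str, Optional[str]]:
    """Walk the list top to bottom; the first matching entry decides.
    Returns (action, matched_entry); with no match the file is allowed on to
    the next level of protection."""
    ftype = detect_type(data)
    for kind, value, action in entries:
        if kind == "type":
            hit = ftype == value or (value == "archive" and ftype in ARCHIVE_TYPES)
        else:
            # Patterns are matched case-insensitively against the name only.
            hit = fnmatch.fnmatchcase(name.lower(), value.lower())
        if hit:
            return action, f"{kind}:{value}"
    return "allow", None


# Constructed lists. The second one inverts the default: only JPEGs get through.
BLOCK_LIST: List[FilterEntry] = [("type", "archive", "block"), ("pattern", "*.exe", "block")]
ALLOW_ONLY_JPEG: List[FilterEntry] = [("pattern", "*.jpeg", "allow"),
                                      ("pattern", "*.jpg", "allow"),
                                      ("pattern", "*.*", "block")]


def demo():
    zip_bytes = b"PK\x03\x04" + b"\x00" * 26          # constructed ZIP local-file header
    jpeg_bytes = b"\xff\xd8\xff\xe0" + b"\x00" * 12    # constructed JPEG/JFIF start
    return {
        # renamed archive: name says text, content says ZIP -> blocked by type
        "renamed_zip": apply_file_filter(BLOCK_LIST, "quarterly_report.TXT", zip_bytes),
        # name pattern is case-insensitive and ignores the content
        "setup_exe_by_name": apply_file_filter(BLOCK_LIST, "Setup.EXE", b"plain text, not a real PE"),
        "photo": apply_file_filter(BLOCK_LIST, "mona.jpg", jpeg_bytes),
        "inverted_photo": apply_file_filter(ALLOW_ONLY_JPEG, "mona.jpg", jpeg_bytes),
        "inverted_doc": apply_file_filter(ALLOW_ONLY_JPEG, "notes.txt", b"hello"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```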

15 File Filter List

16 File Size Filter
Action applied to files larger than the specified size

17 Regular Expression Filter
Checks network traffic for the regular expression. Note that the dot is a metacharacter: the regular expression file.com not only matches file.com but also "file" followed by any single character and then "com", such as fileA.com, fileB.com etc. To match only the literal name, escape the dot: file\.com.

18 Advanced Rule
- Includes a single condition and the type of traffic in which the condition is expected to appear
- Can only be created using the CLI
- Specify the protocol, sub-protocol (if any), the field, and any remaining options as required
- Many built-in advanced rules are included, for example Large-HTTP-Post, Large-FTP-Put etc.
- Built-in rules can be modified to suit specific needs

19 Advanced Rule Example
config dlp rule
    edit "Large-HTTP-Post"
        set protocol http
        set sub-protocol http-post
        set field transfer-size
        set value 5120
        set operator greater-equal
    next
end

20 Compound Rule
- Group multiple advanced rules to create a compound rule
- The conditions in every member advanced rule must be TRUE before the compound rule is triggered
- Built-in compound rules are included (and can be modified if required)
For example, to block HTTP-GET and HTTP-POST operations on MP3 files that exceed 1 MB, create two advanced rules:
- Rule 1 matches HTTP-GET and HTTP-POST operations whose file transfer size is 1 MB or more
- Rule 2 sets the file type to the integer value of the file pattern table entry (for example "2" for a user-defined "No_MP3s" pattern)
Use set file-type ? to verify the value to use for the file pattern rule, then add the advanced rules as members of the compound rule.

21 Compound Rule Example
config dlp compound
    edit "MY_HTTP_MP3_Compound_Rule"
        set protocol http
        set sub-protocol http-get http-post
        set member "MP3" "My_Large_HTTP_Advanced_Rule"
    next
end
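To make the rule semantics of slides 18 to 21 concrete, here is an added example (not code from the course or from Fortinet) that models an advanced rule as one condition on one field of a given protocol and sub-protocol, and a compound rule as the AND of its members over the same transfer. The transfer record shape, the stand-in for the file pattern table that "set file-type ?" would list, and the reading of transfer-size values as kilobytes (so the built-in 5120 is 5 MB) are assumptions made for this illustration.

```python
# Added example (not Fortinet code): advanced rules and compound rules evaluated
# against constructed transfer records.
import fnmatch
import operator
from dataclasses import dataclass
from typing import Dict, Tuple

OPERATORS = {
    "equal": operator.eq, "not-equal": operator.ne,
    "greater-equal": operator.ge, "greater-than": operator.gt,
    "less-equal": operator.le, "less-than": operator.lt,
}

# Assumed stand-in for the file pattern table: integer id -> name patterns.
FILE_PATTERN_TABLE: Dict[int, Tuple[str, ...]] = {1: ("*.exe",), 2: ("*.mp3",)}

Transfer = Dict[str, object]   # protocol, sub_protocol, filename, transfer-size (KB)


@dataclass(frozen=True)
class AdvancedRule:
    name: str
    protocol: str
    sub_protocols: Tuple[str, ...]
    field: str           # "transfer-size" or "file-type"
    op: str              # key of OPERATORS
    value: object

    def matches(self, t: Transfer) -> bool:
        if t["protocol"] != self.protocol or t["sub_protocol"] not in self.sub_protocols:
            return False
        if self.field == "file-type":
            # file-type refers to a file pattern table entry by its integer id
            patterns = FILE_PATTERN_TABLE[int(self.value)]
            hit = any(fnmatch.fnmatchcase(str(t["filename"]).lower(), p) for p in patterns)
            return hit if self.op == "equal" else not hit
        return OPERATORS[self.op](t[self.field], self.value)


@dataclass(frozen=True)
class CompoundRule:
    name: str
    protocol: str
    sub_protocols: Tuple[str, ...]
    members: Tuple[AdvancedRule, ...]

    def matches(self, t: Transfer) -> bool:
        if t["protocol"] != self.protocol or t["sub_protocol"] not in self.sub_protocols:
            return False
        return all(m.matches(t) for m in self.members)   # every member must be TRUE


# The slide's built-in rule and the two rules from the MP3 example.
LARGE_HTTP_POST = AdvancedRule("Large-HTTP-Post", "http", ("http-post",),
                               "transfer-size", "greater-equal", 5120)
MY_LARGE = AdvancedRule("My_Large_HTTP_Advanced_Rule", "http", ("http-get", "http-post"),
                        "transfer-size", "greater-equal", 1024)
MP3 = AdvancedRule("MP3", "http", ("http-get", "http-post"), "file-type", "equal", 2)
COMPOUND = CompoundRule("MY_HTTP_MP3_Compound_Rule", "http", ("http-get", "http-post"),
                        (MP3, MY_LARGE))


def demo() -> Dict[str, bool]:
    """Constructed transfers: sizes are in KB."""
    big_mp3_get = {"protocol": "http", "sub_protocol": "http-get",
                   "filename": "track.MP3", "transfer-size": 4096}
    small_mp3 = {**big_mp3_get, "transfer-size": 512}
    big_doc_post = {"protocol": "http", "sub_protocol": "http-post",
                    "filename": "q3.docx", "transfer-size": 8192}
    return {
        "big_mp3_get": COMPOUND.matches(big_mp3_get),          # both members TRUE
        "small_mp3": COMPOUND.matches(small_mp3),              # size member FALSE
        "big_doc_post": COMPOUND.matches(big_doc_post),        # file-type member FALSE
        "large_post_builtin": LARGE_HTTP_POST.matches(big_doc_post),
    }


if __name__ == "__main__":
    print(demo())
```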

22 Document Fingerprinting
- Document fingerprinting can be used to protect specific documents from leakage
- It is a method of uniquely identifying documents
- Files are broken into chunks, checksums are taken of those chunks, and the checksums are used as the fingerprint
- The fingerprint is then applied to a filter rule within a sensor for DLP scanning
- Checksums are generated for files appearing in network traffic and compared to the fingerprint database

23 Document Fingerprinting
The FortiGate unit can be pointed to a document repository (for example a Windows share), or documents can be uploaded manually.
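Slides 22 and 23 describe chunk-and-checksum fingerprinting without showing what a match looks like, so here is an added example (not code from the course or from Fortinet). A protected document is cut into fixed-size chunks, each chunk is hashed, and the set of hashes is the fingerprint; observed content is chunked and hashed the same way and the overlap decides. The chunk size, hash, threshold and sample documents are assumptions of this example. It also shows the weakness of fixed-size chunking: one byte inserted in front of an excerpt shifts every boundary and the overlap drops to zero, which is why production fingerprinting uses content-defined chunk boundaries.

```python
# Added example (not Fortinet code): document fingerprinting by chunk checksums.
import hashlib
from typing import Dict, List, Set

CHUNK = 64  # bytes per chunk (assumed; real products use larger chunks)


def chunk_hashes(data: bytes, chunk: int = CHUNK) -> Set[str]:
    """SHA-256 of each fixed-size chunk; the set of hashes is the fingerprint."""
    return {hashlib.sha256(data[i:i + chunk]).hexdigest() for i in range(0, len(data), chunk)}


class FingerprintDB:
    def __init__(self) -> None:
        self.chunks: Dict[str, str] = {}   # chunk hash -> protected document name

    def add(self, name: str, data: bytes) -> None:
        for h in chunk_hashes(data):
            self.chunks[h] = name

    def scan(self, data: bytes) -> Dict[str, float]:
        """For each protected document, the fraction of the observed content's
        chunks that came from it."""
        hashes = chunk_hashes(data)
        if not hashes:
            return {}
        counts: Dict[str, int] = {}
        for h in hashes:
            doc = self.chunks.get(h)
            if doc is not None:
                counts[doc] = counts.get(doc, 0) + 1
        return {doc: n / len(hashes) for doc, n in counts.items()}

    def leaks(self, data: bytes, threshold: float = 0.5) -> List[str]:
        """Documents whose share of the observed content reaches the threshold."""
        return sorted(doc for doc, frac in self.scan(data).items() if frac >= threshold)


# Constructed protected document: 12 lines of about 64 bytes each.
SECRET = b"".join(
    f"Project Falcon paragraph {i}: margin target and supplier pricing.\n".encode()
    for i in range(12)
)
UNRELATED = b"Lunch menu for Friday: soup and sandwiches. Please RSVP by noon.\n"


def demo() -> Dict[str, Dict[str, float]]:
    db = FingerprintDB()
    db.add("falcon-plan.txt", SECRET)
    excerpt = SECRET[CHUNK * 3:CHUNK * 7]            # four whole chunks copied out
    shifted = b"X" + SECRET[CHUNK * 3:CHUNK * 7 - 1]  # same text, one byte prepended
    return {
        "excerpt": db.scan(excerpt),      # every chunk known -> 1.0
        "shifted": db.scan(shifted),      # boundaries moved -> nothing matches
        "unrelated": db.scan(UNRELATED),  # no overlap
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```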

24 DLP Archiving
DLP is typically used to prevent sensitive information from getting out of your company network, but it can also be used to record network use through DLP archiving. Enabling archiving for filters when you add them to a sensor directs the FortiGate unit to record all occurrences of these traffic types when they are detected by the sensor. Since the archive setting is configured for each filter in a sensor, a single sensor can archive only the things an administrator requires.
- Summary archiving records information about the traffic type. For example, with email, the sender, recipient, message subject and total size are recorded. The result is a summary of all activity the sensor detected.
- Full archiving provides more detailed records. For example, with email, the message itself, including any attachments, is archived.
- Full archives are far more detailed than a summary and require more storage space and processing.
- Because DLP archiving requires additional resources, DLP archives must be saved to a FortiAnalyzer unit.

25 Labs
Lab - Data Leak Prevention
- Blocking Encrypted Files
- Blocking Leakage of Credit Card Information
- Blocking Oversize Files by Type
- DLP Banning and Quarantining
- DLP Fingerprinting

26 Student Resources
