
Data Loss Prevention Policies

The DLP policy defines which data is to be protected from transmission, including: email body, email recipients, email attachments (even if zipped), FTP upload, web post, web mail, and so on. The policy determines the action that DLP takes if a transmission is captured.

Manage the rules of the policy in the Data Loss Prevention > Policy page.

Overview of DLP Rules

A Data Loss Prevention rule is made up of:

The rule base of the DLP gateway should look familiar if you have experience with the Check Point Firewall rule base, but there are differences.

DLP and Identity Awareness

When Identity Awareness is enabled, you can create access role objects and use them in the DLP policy. With Identity Awareness enabled, DLP can:

Email Notifications for FTP and HTTP DLP violations

In addition to email notifications on SMTP DLP violations, you can configure notifications to be sent when the violation occurs using the FTP or HTTP protocols. To send these notifications, you must:

  1. Enable Identity Awareness.
  2. In Data Loss Prevention > Additional Settings > Advanced > Email Notifications, select:
    • Web
    • FTP

When you select Web or FTP in the Email Notifications area, the Web and FTP options are also selected in the Learn User Actions area. This lets DLP learn how the user decides to handle a DLP incident and apply the same decision for subsequent messages.

Access Roles in the Source or Destination of a Rule

Access role objects can be used in the Source or Destination column of a DLP rule. The presence of access roles makes DLP user aware. The access role object identifies users, computers, and network locations as one object. You can select specified users, user groups, or user branches as the object.

Redirection to an Authentication Captive Portal

Captive Portal redirection only applies to the HTTP and HTTPS protocols. Redirection occurs when the sender is unknown (the IP address does not map to any user in the AD) and the Action of the DLP rule is Identity Captive Portal and one of these conditions is also met:

  1. No access role objects are in the Source or Destination column of the policy rule but the Source and Destination do match those of the HTTP connection being examined by the DLP gateway.
  2. The Source column of the DLP rule contains an access role.

Redirecting to the Captive Portal lets DLP:

To Redirect HTTP traffic to the Captive Portal:

  1. Right-click the Action and select Identity Captive Portal.
  2. Select Redirect HTTP connections to an authentication Captive Portal.
  3. Click OK.

    The Action column shows Identity Captive Portal.

Identifying Users Behind a Proxy

If your organization uses an HTTP proxy server behind the gateway, the identities of users behind the proxy will remain hidden unless you configure:

You can also configure the DLP gateway to strip the X-Forwarded-For header from outgoing traffic. Without the header, internal IP addresses are not shown in requests to the internet.

To use the X-Forwarded-For HTTP header:

  1. Configure your proxy server to add the X-Forwarded-For HTTP header.
  2. In SmartConsole, on the Identity Awareness page of the DLP gateway object, select Detect users located behind HTTP proxy using X-Forward-For header.
  3. To stop the X-Forwarded-For header from showing internal IP addresses in requests to the internet, select Hide X Forward-For header in outgoing traffic.
  4. Install the policy.

Note - The header is written by whichever host sends the request, so it is only trustworthy when the request arrives from your own proxy. A client that reaches the gateway directly can put any address into X-Forwarded-For, so the header must not be used to identify users unless it comes from the proxy.
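The check behind the setting above, as an added Python example (not Check Point code): the X-Forwarded-For header is honored only when the direct peer is the configured proxy, the proxy's own hops are skipped, and the header is stripped before a request leaves for the internet. The proxy address, the internal hosts, and the identity map are constructed for the example.

```python
"""X-Forwarded-For handling for identifying users behind an HTTP proxy.
Constructed example, not Check Point code: the trusted proxy address, the
internal hosts and the identity map are assumptions."""
import ipaddress

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # assumed: the internal proxy
# constructed stand-in for the AD / identity source: source IP -> user
IDENTITY_MAP = {"10.1.2.3": "alice@corp.example", "10.1.2.4": "bob@corp.example"}


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def client_ip(peer_ip, headers):
    """Address to identify the user by. X-Forwarded-For is honored only when the
    direct peer is a trusted proxy; the proxy appends its client's address at the
    end, so walk right to left past trusted hops and take the first other hop."""
    peer = ipaddress.ip_address(peer_ip)
    xff = header(headers, "X-Forwarded-For")
    if peer not in TRUSTED_PROXIES or not xff:
        return peer                      # untrusted peer: the header is attacker-controlled
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer                  # malformed entry: do not guess, use the peer
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer


def identify_user(peer_ip, headers):
    """User behind the proxy, or None when the address maps to nobody."""
    return IDENTITY_MAP.get(str(client_ip(peer_ip, headers)))


def strip_for_egress(headers):
    """'Hide X-Forward-For header in outgoing traffic': drop the header before
    the request leaves for the internet so internal addresses are not disclosed."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}


if __name__ == "__main__":
    # request via the proxy, where the client also injected a forged first hop
    req = {"Host": "example.com", "X-Forwarded-For": "203.0.113.9, 10.1.2.3"}
    print(identify_user("10.0.0.5", req))            # alice@corp.example
    # the same header sent straight to the gateway by a host that is not the proxy
    print(identify_user("10.9.9.9", req))            # None
    print(strip_for_egress(req))
```

The forged leading entry is ignored because the proxy appended the real client address after it, and the same header from a non-proxy peer identifies nobody, which is the failure mode an unconditional X-Forwarded-For lookup would get wrong.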

Example DLP rule with Identity Awareness

These three rules show how Identity Awareness works with DLP:

Rule 1

  Data                        Source                       Destination     Protocol  Action
  PCI – Credit Card Numbers   Finance_Dept (Access Role)   Outside My Org  Any       Prevent

In this rule:

Rule 2

  Data                        Source                       Destination     Protocol  Action
  PCI – Credit Card Numbers   My Organization              Outside My Org  Any       Prevent (Identity Captive Portal)

In this rule:

Rule 3

  Data                        Source                       Destination     Protocol  Action
  PCI – Credit Card Numbers   Finance_Dept (Access Role)   Outside My Org  Any       Prevent (Identity Captive Portal)

In this rule:

DLP Rule Matching Order

The DLP rule order does not matter. In this rule base, each transmission is checked against each rule.

Because the rule order does not matter, you can change the display of the DLP policy for your convenience.

DLP Rule Matching with Exceptions

If data matches a rule, and the rule has exceptions, the exceptions to a rule are checked. If the data matches any exception, DLP allows the transmission.

For example, consider a rule that captures emails containing more than fifteen employee names in the body of a message. If a user in the HR department sends a list of twenty employees to an outside address (such as their contractor), the email will be allowed without incident logging or any Data Loss Prevention action taken - because the same rule has an exception that allows users in the HR group to send lists of employee names outside your organization.

If the data matches two rules, one whose exception also matches and one without exceptions, the rule without exceptions is enforced: a matching exception only suppresses its own rule, not the others.

DLP Rule Matching with Multiple Matches

If the data matches multiple rules, the most restrictive rule is applied.

For example, if a user sends an email with an attached unencrypted PDF, the email can match two rules. One rule is Detect: detect emails to an external destination that contain PDF files. A second rule is Ask User: delay emails with PDF files that are unencrypted, until the user specifies that it is good to send. This rule will also inform the Marketing and Technical Communications manager that the PDF was released from the company to an external destination.

In this case:

  1. The email is quarantined.
  2. The user gets a notification and has to make a decision relating to what to do.
  3. The data owner gets a notification.
  4. The rule violations (one for Detect and one for Ask User) are logged.
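The matching behaviour of this section (every rule is checked regardless of order, a matching exception allows the transmission with no incident, and the most restrictive action wins), together with the Captive Portal redirect conditions from the Identity Awareness section above, modelled as an added Python example. This is not Check Point code: the three PCI rules mirror the example rules above, while the other rules, the users and the Data Type names are assumptions, and the model assumes the Data Type must match before a redirect is considered.

```python
"""Model of DLP rule matching: all rules checked, exceptions, most restrictive
action, and Identity Captive Portal redirection for an unknown HTTP sender.
Constructed example, not Check Point code."""
from dataclasses import dataclass, field
from typing import Optional

# Most restrictive first, as the page orders them
SEVERITY = {"Prevent": 3, "Ask User": 2, "Inform User": 1, "Detect": 0}


@dataclass(frozen=True)
class AccessRole:
    name: str
    users: frozenset


@dataclass
class Rule:
    name: str
    data_type: str
    source: object                  # an AccessRole, or a network name such as "My Organization"
    destination: str
    action: str
    captive_portal: bool = False    # "Identity Captive Portal" selected on the action
    exceptions: list = field(default_factory=list)   # callables: exception(tx) -> bool


@dataclass
class Transmission:
    data_types: frozenset           # Data Types the scanner found in the content
    source_net: str
    src_user: Optional[str]         # None: the source IP maps to no user in the directory
    destination: str
    protocol: str


def source_matches(rule, tx):
    if isinstance(rule.source, AccessRole):
        return tx.src_user in rule.source.users
    return rule.source == tx.source_net


def redirect_to_portal(rule, tx):
    """Redirect when the sender is unknown, the action has Identity Captive Portal,
    the connection is HTTP/HTTPS, and either the Source column holds an access
    role or (no access role) the rule's Source/Destination match the connection."""
    if tx.src_user is not None or not rule.captive_portal:
        return False
    if tx.protocol not in ("HTTP", "HTTPS"):
        return False
    if isinstance(rule.source, AccessRole):
        return True
    return rule.source == tx.source_net and rule.destination == tx.destination


def evaluate(rules, tx):
    """Return (action, names of the rules that logged a violation)."""
    matched = []
    for rule in rules:                        # order does not matter: every rule is checked
        if rule.data_type not in tx.data_types or rule.destination != tx.destination:
            continue
        if redirect_to_portal(rule, tx):      # identity is needed before the rule can be decided
            return "Redirect to Captive Portal", []
        if not source_matches(rule, tx):
            continue
        if any(exc(tx) for exc in rule.exceptions):
            continue                          # exception matched: allowed, no incident logged
        matched.append(rule)
    if not matched:
        return "Allow", []
    action = max(matched, key=lambda r: SEVERITY[r.action]).action
    return action, [r.name for r in matched]


# constructed policy: the three example rules above plus an exception rule and the PDF pair
FINANCE = AccessRole("Finance_Dept", frozenset({"alice@corp.example"}))
HR = AccessRole("HR", frozenset({"bob@corp.example"}))
OUT = "Outside My Org"
RULES = [
    Rule("Rule 1", "PCI - Credit Card Numbers", FINANCE, OUT, "Prevent"),
    Rule("Rule 2", "PCI - Credit Card Numbers", "My Organization", OUT, "Prevent", captive_portal=True),
    Rule("Rule 3", "PCI - Credit Card Numbers", FINANCE, OUT, "Prevent", captive_portal=True),
    Rule("Employee list", "Employee Names (>15)", "My Organization", OUT, "Prevent",
         exceptions=[lambda t: t.src_user in HR.users]),    # HR may send employee lists out
    Rule("PDF outbound", "PDF file", "My Organization", OUT, "Detect"),
    Rule("Unencrypted PDF", "Unencrypted PDF file", "My Organization", OUT, "Ask User"),
]


def make_tx(data, user, protocol="SMTP"):
    return Transmission(frozenset(data), "My Organization", user, OUT, protocol)


if __name__ == "__main__":
    print(evaluate(RULES, make_tx({"PCI - Credit Card Numbers"}, "alice@corp.example", "HTTP")))
    print(evaluate(RULES, make_tx({"PCI - Credit Card Numbers"}, None, "HTTP")))
    print(evaluate(RULES, make_tx({"PCI - Credit Card Numbers"}, None, "SMTP")))
    print(evaluate(RULES, make_tx({"Employee Names (>15)"}, "bob@corp.example")))
    print(evaluate(RULES, make_tx({"PDF file", "Unencrypted PDF file"}, "carol@corp.example")))
```

The unencrypted PDF email matches both PDF rules, is held under Ask User, and both violations are logged, as the list above describes; the same card-number transmission from an unidentified host is redirected over HTTP but simply matched against Rule 2 over SMTP, where no portal exists.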

Rule Actions

For each DLP rule that you create for a Data Type, you also define what action is to be taken if the rule matches a transmission.

Action

Description

Detect

The transmission is passed. The event is logged and is available for your review and analysis in the Logs & Monitor view. The data and the email itself, or the properties of the transmission if not email, are saved in storage for future reference.

You can choose to notify Data Owners of the event. This is true for all the following actions as well.

Inform User

The transmission is passed, but the incident is logged and the user is notified.

Ask User

The transmission is held until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision itself is logged in the Logs & Monitor Logs view under the User Response category.

Administrators with full permissions or with the View/Release/Discard DLP messages permission can also decide from the Logs & Monitor view whether the transmission should be completed. This is useful when the user is not available to decide whether it should be sent.

Prevent

The data transmission is blocked.

Best Practice - Check Point does not recommend using the Prevent action as a first choice. The action may prove disruptive. To improve the accuracy of rule matches, set rules to Prevent only when you have tested them with the less strict actions over a reasonable amount of time.

Watermark

Tracks outgoing Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) by adding visible watermarks or invisible encrypted text.

  • By default, all rules are created without a watermark action.
  • Watermarks can be created and edited without having to apply them.
  • Once a watermark object is created, it can be reused in multiple rules.

Note - If data matches multiple rules, the rule of the most restrictive action is applied. The order from most restrictive to least is: Prevent, Ask User, Inform User, Detect.

Managing Rules in Detect

Rules are created with the Detect action by default because it is the least disruptive of the action options. When Data Loss Prevention discovers a transmission containing protected data, an incident is logged in the Logs & Monitor Logs view and other logging actions (if any) are taken.

You might want to leave all your rules in Detect at first. Then you can review the logs and decide which rules are needed according to what your organization actually sends. This can save you and your users a lot of time, and lets you tailor your explanations of what they need to know and what to do to their actual traffic.

Setting Rule Tracking

A primary consideration for creating Data Loss Prevention rules is how to audit incidents.

In the rule base of the Data Loss Prevention policy, the Track column offers these options:

Option

Meaning

Email

Sends an email to a configured recipient

Log

Records the incident in the Logs & Monitor view (All the other tracking options also log an incident).

Alert

Opens a pop-up window in the SmartView Monitor.

SNMP Trap

Sends an SNMP alert to the SNMP GUI. This uses the fwd process to run the internal_snmp_trap script, which sends an ID, the trap type, source port, community, and host name.

User Defined (alert)

Sends one of three possible customized alerts. The alerts are defined by the scripts specified in the main Menu > Global Properties > Log and Alert > Alert Commands. The alert process on the Log server runs the scripts.

Store Incident

Determines how the data should be stored and deleted (if at all). The options are:

  • Yes
  • Only as text
  • Don't store (depending on other conditions)
  • Delete

Store Incident

Store Incident tracking options determine how data that matches a DLP rule is stored (or not stored). These options are available:

Store Option

Meaning

Yes

  • Email data is stored as an .eml file
  • FTP data is stored in the .zip format
  • HTTP
    • Text entered onto a web page is saved as HTML and viewed in the default browser when the data is opened through a link in the Log Details window.
    • An uploaded file is stored in the .zip format

Note: For FTP and HTTP, only those elements of the message that violate DLP rules are stored.

Only as Text

  • Textual data extracted from the email (header and body) and the attachment is stored as HTML, but only those sections that triggered the violation.
  • FTP data is stored as HTML.
  • HTTP text entered onto a web page is saved as HTML and viewed in the default browser when the data is opened through a link in the Log Details window.

Note: For FTP and HTTP, only those elements of the message that violate DLP rules are shown in the HTML page which stores the information.

Don't Store

When the rule is matched, the incident is logged and the data deleted so that it cannot be viewed in the Logs & Monitor view.

Note: The deletion of the data can be prevented by other store options. If a scanned message matches a number of store incident options, the option with highest priority has precedence:

  • Delete - Priority 1
  • Yes - Priority 2
  • Only as Text - Priority 3
  • Don't Store - Priority 4

Delete

Logs the incident and immediately deletes the data. Select this option for sensitive data such as credit card numbers.

Note: If the email that contains the sensitive data also has an attachment that must be watermarked, the email is not deleted. The email is saved but you cannot view it with the Logs & Monitor view.

Resolving Store Incident Conflicts

If a scanned message matches a number of different DLP rules, and each rule has a different store option, the option with highest priority has precedence. For example, if an email matches these rules:

  Rule     Store Incident Option   Priority
  Rule_1   Only as text            3
  Rule_2   Yes                     2
  Rule_3   Don't store             4

The store incident option of Rule_2 has the highest priority. The data is stored even though the email also matched a rule (Rule_3) configured not to store the data.

Changing the Priority

The Only as Text store option can be configured to have a higher priority than Yes. To change the priority:

  1. On the gateway, open: $DLPDIR/config/dlp.conf

    Each message protocol has its own section. For example:

      :ftp (
          :enabled (1)
          :maximum_words_to_log (14)
          :maximum_chars_to_words_in_log (490)
          :cleanup_session_files (1)
          :save_incident_quota_percentage (85)
          :allow_append_cmd (0)
          :view_incident_dispute_option (yes)
      )

  2. Search for: view_incident_dispute_option

    The default value is yes.

  3. In each protocol section (SMTP, FTP, HTTP), change the value from yes to text.
  4. Save and close dlp.conf.
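The Store Incident priority rules from the two sections above, as an added Python example that is not Check Point code. It parses a dlp.conf-style fragment (only the `:name (value)` and `:section ( ... )` layout and the view_incident_dispute_option key come from the page; the sample file contents, including an ftp section already switched to text, are constructed), derives the priority order per protocol, and resolves the Rule_1/Rule_2/Rule_3 conflict both with the default setting and after the change.

```python
"""Parser for a dlp.conf-style fragment and a resolver for Store Incident
priority. Constructed example, not Check Point code: the sample file is made up
and the parser covers only the ":key (value)" / ":section (" layout shown on
the page."""
import re

SAMPLE_DLP_CONF = """\
:smtp (
    :enabled (1)
    :view_incident_dispute_option (yes)
)
:ftp (
    :enabled (1)
    :maximum_words_to_log (14)
    :maximum_chars_to_words_in_log (490)
    :view_incident_dispute_option (text)
)
:http (
    :enabled (1)
    :view_incident_dispute_option (yes)
)
"""

OPEN = re.compile(r"^:(\w+)\s*\($")          # ":ftp (" opens a section
LEAF = re.compile(r"^:(\w+)\s*\((.*)\)$")    # ":enabled (1)" is a key/value pair


def parse_conf(text):
    """Parse ":section (" ... ")" blocks and ":key (value)" leaves into nested dicts."""
    root = {}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == ")":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: ')' without an open section")
            stack.pop()
            continue
        if m := OPEN.match(line):
            section = {}
            stack[-1][m.group(1)] = section
            stack.append(section)
            continue
        if m := LEAF.match(line):
            stack[-1][m.group(1)] = m.group(2).strip()
            continue
        raise ValueError(f"line {lineno}: unrecognized syntax {raw!r}")
    if len(stack) != 1:
        raise ValueError("unterminated section at end of file")
    return root


STORE_ORDER = ["Delete", "Yes", "Only as Text", "Don't Store"]   # priority 1..4 per the page


def store_priority(dispute_option):
    """Map each Store Incident option to its priority (1 = highest). With
    view_incident_dispute_option set to text, Only as Text outranks Yes."""
    order = list(STORE_ORDER)
    value = dispute_option.strip().lower()
    if value == "text":
        order[1], order[2] = order[2], order[1]
    elif value != "yes":
        raise ValueError(f"unexpected view_incident_dispute_option: {dispute_option!r}")
    return {name: rank for rank, name in enumerate(order, 1)}


def resolve_store(conf, protocol, matched_options):
    """Store option that wins when one message matches rules with different options."""
    priority = store_priority(conf[protocol]["view_incident_dispute_option"])
    return min(matched_options, key=lambda opt: priority[opt])


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_DLP_CONF)
    conflict = ["Only as Text", "Yes", "Don't Store"]      # Rule_1, Rule_2, Rule_3 above
    print(resolve_store(conf, "smtp", conflict))            # Yes (default priority)
    print(resolve_store(conf, "ftp", conflict))             # Only as Text (text setting)
```

Because Delete stays at priority 1 in both orders, a message that also matches a Delete rule is deleted regardless of the setting; the dlp.conf change only swaps the two storing options.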

Setting a Time Restriction

The Time column in the DLP Rule table holds a time object or group of time objects. The time object is the same time object as used in the Firewall Rule Base.

To create a time object:

  1. Open the Data Loss Prevention tab > Policy page.
  2. Right-click in the Time column of a rule.
  3. From the pop-up menu, select Time.

    A window opens showing a list of existing time objects. You can select an existing time object or create a new one.

    Note - Existing time objects can be reused.

  4. Click New > Time.

    The Time Properties window opens.

  5. On the General page, enter a name for the object.
  6. On the Time page:
    1. In the Time Period section, configure when the time object activates and expires.
    2. In the Restrict to specific hour ranges section, specify up to 3 ranges during which the time object enforces the DLP rule. The hours refer to the local time on the Security Gateway.
    3. Specify the days on which the time object enforces the DLP rule: every day, specified days of the week, a specified month, or all months.
  7. Click OK.

If you have more than one time object, you can merge them into a group. When a condition in one of the time objects in the group is met, the DLP rule is enforced.

To create a time group object:

  1. Open the Data Loss Prevention tab > Policy page.
  2. Right-click in the Time column of a rule.
  3. From the pop-up menu, select Group.

    The Time Group window opens.

  4. Enter a name for the group.
  5. Add or Remove time objects from the group.
  6. Click OK.
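The time object and time group semantics described above, modelled as an added Python example (not Check Point code): an activation/expiry period, at most three hour ranges, a set of days, a group that enforces when any member does, and evaluation in the Security Gateway's local time. The class names, the sample schedule and the gateway's time-zone offset are assumptions.

```python
"""Model of DLP time objects and time groups. Constructed example, not Check
Point code: class names, the sample schedule and the gateway time-zone offset
are assumptions; the semantics follow the page."""
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta, timezone

GATEWAY_TZ = timezone(timedelta(hours=1))   # assumed: gateway local time is UTC+1


def utc(y, m, d, hh, mm):
    """Helper: an aware UTC timestamp, as a log entry or mail header would carry."""
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


@dataclass
class TimeObject:
    name: str
    activate: date                      # Time Period: first day the object is active
    expire: date                        # Time Period: last day the object is active
    hour_ranges: list = field(default_factory=list)   # up to 3 (start, end) time pairs
    days: frozenset = frozenset(range(7))             # weekday numbers, Monday = 0

    def __post_init__(self):
        if len(self.hour_ranges) > 3:
            raise ValueError("a time object takes at most 3 hour ranges")
        for start, end in self.hour_ranges:
            if start > end:
                raise ValueError("an hour range must not wrap past midnight")

    def enforces(self, when: datetime) -> bool:
        local = when.astimezone(GATEWAY_TZ)   # hours are read in gateway local time
        if not (self.activate <= local.date() <= self.expire):
            return False
        if local.weekday() not in self.days:
            return False
        if not self.hour_ranges:               # no ranges: the whole day
            return True
        now = local.time()
        return any(start <= now <= end for start, end in self.hour_ranges)


@dataclass
class TimeGroup:
    name: str
    members: list

    def enforces(self, when: datetime) -> bool:
        return any(m.enforces(when) for m in self.members)   # any member met: enforced


# constructed schedule: enforce a rule only outside office hours and on weekends
WEEKDAYS = frozenset(range(0, 5))
AFTER_HOURS = TimeObject("After_Hours", date(2024, 1, 1), date(2024, 12, 31),
                         [(time(0, 0), time(8, 59)), (time(17, 31), time(23, 59))], WEEKDAYS)
WEEKEND = TimeObject("Weekend", date(2024, 1, 1), date(2024, 12, 31), [], frozenset({5, 6}))
OFF_HOURS = TimeGroup("Off_Hours", [AFTER_HOURS, WEEKEND])

if __name__ == "__main__":
    # 16:45 UTC on a Wednesday is 17:45 at the gateway: already after hours
    print(OFF_HOURS.enforces(utc(2024, 7, 10, 16, 45)))   # True
    print(OFF_HOURS.enforces(utc(2024, 7, 10, 9, 30)))    # False
    print(OFF_HOURS.enforces(utc(2024, 7, 13, 12, 0)))    # True (Saturday)
```

The 16:45 UTC case is the one to watch in practice: because the hour ranges are read in the gateway's local time, a rule can switch on or off at a different wall-clock time from the one the user or a remote log collector sees.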

Supported Archive Types

The DLP blade supports the extraction and scanning of these compressed archive types:

Selective Deployment - Gateways

For any rule in the policy, you can choose that it be deployed on specific Enforcing Gateways.

To deploy a rule on specific Enforcing DLP Gateways:

  1. In SmartConsole, open Data Loss Prevention > Policy.
  2. In the rule you want, click the plus sign in the Install On column.

    Defined DLP Gateways appear in a menu.

  3. Select the Gateways on which you want this rule to be deployed.
  4. Install Policy on the DLP gateway.

Selective Deployment - Protocols

Check Point Data Loss Prevention supports various data transmission protocols.

It is recommended that you enable protocols as needed in your deployment. Start with only SMTP. Observe the logs on detected emails and user responses for handling them. Later, add FTP to the policy. For emails and large uploads, users do not expect instant responses. They can handle incidents in the Portal or UserCheck client for emails and uploads without disturbing their work, especially if your users know what to expect and how to handle the incidents.

HTTP, which includes posts to web sites, comments on media sites, blogging, and web mail, is another matter. Users do expect that when they press Enter, their words are sent and received instantly. If an employee uses HTTP for mission-critical work, having to decide whether a sentence is OK to send or not every instance is going to be extremely disruptive. Therefore, it is recommended that you enable HTTP only after you have run analysis on usage and incidents.

You can also enable inspection for Exchange Agent emails and the HTTPS protocol.

To select protocol deployment for all gateways:

  1. In SmartConsole, open Data Loss Prevention.
  2. Expand Additional Settings and click Protocols.
  3. Clear the checkbox of any of the protocols that you do not want to inspect.

Important - If you clear all of the protocol checkboxes, Data Loss Prevention will have no effect.

To select protocol deployment per gateway:

  1. In SmartConsole, open the Firewall tab.
  2. In the Network Objects list, double-click the gateway.

    The properties window of the gateway opens.

  3. In General Properties > Software Blades > Network Security, make sure Data Loss Prevention is selected.
  4. Open the Data Loss Prevention page.
  5. In the Protocols area, select one of the following:
    • Apply the DLP policy on the default protocols - as selected in the Data Loss Prevention tab, according to the previous procedure.
    • Apply the DLP policy to these protocols only - select the protocols that you want this gateway to check for the Data Loss Prevention policy.