Fine Tuning

In This Section:

Setting Rules to Prevent

Defining Data Types

Adding Data Types to Rules

Creating a Fingerprint Repository

Creating a Whitelist Repository

Whitelist Policy

Defining Email Addresses

Configuring the DLP Watermark

Fine Tuning Source and Destination

Configuring More HTTP Ports

Setting Rules to Prevent

To set a rule to Prevent:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. In the Action column of the rule to change, right-click and select Prevent.
  4. Click Save and then close SmartDashboard.
  5. From R80 SmartConsole, install the policy.

Defining Data Types

The recommended way to define a new Data Type representation is the Data Type Wizard.

To add a new data type:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Data Types.
  3. Click New.

    The Data Type Wizard opens.

  4. Enter a name for the new data type.
  5. Choose an option that defines the type of traffic that will be checked against a rule containing this data type.
  6. Fill in the properties as required in the next step (each step is relevant to the option selected in the previous step).
  7. Click Finish.
  8. Click Save and then close SmartDashboard.
  9. From R80 SmartConsole, install the policy.

Adding Data Types to Rules

Defining Data Type Groups

You can create a Data Type representation that is a group of existing Data Types.

To create a Data Type group:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. Click New > Data Type Group.

    The Group Data Type window opens.

  4. Enter a Name for the group.
  5. In the Group Members section, click Add.
  6. Select the Data Types that are included in this Data Type group.
  7. If necessary, add Data Owners to the group.
  8. Click OK.
  9. Click Save and then close SmartDashboard.
  10. From R80 SmartConsole, install the policy.

Defining Advanced Matching for Keyword Data Types

You can add CPcode script files that apply more advanced match criteria after a keyword, pattern, weighted keyword, or word from a dictionary is matched. This improves accuracy: the broad match finds candidates, and the script discards the ones that do not meet the additional criteria. If the CPcode script file has a corresponding value file (for constant values) or CSV file, add it here as well.

To add advanced matching Data Type CPcode script:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Data Types.
  3. Select a Data Type and click Edit.

    The Data Type window opens.

  4. Click the Advanced Matching node.
  5. In Run these CPcode for each matched keyword to apply additional match criteria, add the CPcode scripts to run on each of the Data Type matches.
    • Add - Click to add CPcode scripts. The default file type is cpc. See the R80 CPcode DLP Reference Guide.
    • View - Click to view a CPcode script in a text editor.
    • Remove - Click to remove CPcode scripts.
  6. Click OK.
  7. Click Save and then close SmartDashboard.
  8. From R80 SmartConsole, install the policy.
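The page describes advanced matching only as SmartDashboard steps; the CPcode scripts themselves are documented in the R80 CPcode DLP Reference Guide. The following added example is not from this guide, is not CPcode, and is not Check Point's implementation. It shows in Python the two-stage logic that such a script adds to a Data Type: a deliberately broad Pattern finds candidates, then a post-match check discards candidates that cannot be genuine. The sample text, the regular expression and the Luhn check are illustration choices; a real Data Type would use whatever pattern and validation fit the data being protected.

```python
import re

# Constructed sample message (not real card data). The first number passes the
# Luhn check, the other two 16-digit strings do not (an order reference and a
# mistyped number), so a pattern alone would over-match.
SAMPLE_TEXT = (
    "Please charge card 4111 1111 1111 1111 for the order. "
    "Reference 1234 5678 9012 3456 and ticket 4242424242424241."
)

# Stage 1: the Pattern data type. 16 digits, optionally separated by spaces or
# dashes. This is intentionally broad, as a keyword or pattern match usually is.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pattern_matches(text: str) -> list:
    """Stage 1 result: every candidate the pattern finds, valid or not."""
    return [m.group(0) for m in CARD_PATTERN.finditer(text)]


def advanced_matches(text: str) -> list:
    """Stage 2: the post-match criterion an advanced-matching script applies.
    Only candidates whose digits satisfy Luhn are reported as matches."""
    return [c for c in pattern_matches(text) if luhn_ok(re.sub(r"[ -]", "", c))]


if __name__ == "__main__":
    print("pattern only:     ", pattern_matches(SAMPLE_TEXT))   # 3 candidates
    print("with post-match:  ", advanced_matches(SAMPLE_TEXT))  # ['4111 1111 1111 1111']
```

Run on the sample text, the pattern alone reports three candidates and the validated list only one. That reduction in false positives is the point of the advanced-matching script: a rule set to Prevent can be trusted once the Data Type behind it no longer fires on reference numbers that merely look like card numbers.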

Defining Post Match CPcode for a Data Type

For all Data Type representations, you can add CPcode scripts that run after a data type is matched.

To add a post match Data Type CPcode script:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Data Types.
  3. Select a Data Type and click Edit.

    The Data Type window opens.

  4. Click the Advanced Matching node.
  5. In Run these CPcode scripts after this Data Type is matched to apply additional match criteria, add the CPcode scripts to run on each of the Data Type matches.
    • Add - Click to add CPcode scripts. The default file type is cpc.
    • View - Click to view a CPcode script in a text editor.
    • Remove - Click to remove CPcode scripts.
  6. Click OK.
  7. Click Save and then close SmartDashboard.
  8. From R80 SmartConsole, install the policy.

Exporting Data Types

You can export to a file the Data Types that you have created or that are built-in. This allows you to share Data Types between DLP Gateways, when each is managed by a different Security Management Server.

To export a Data Type:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Data Types.
  3. Select the Data Type to export.
  4. Click Actions > Export.
  5. Save it as a file with the dlp_dt extension.
  6. Click Save and then close SmartDashboard.

Importing Data Types

You can share Data Types with another Security Management Server or recover a Data Type that was deleted but previously exported. You can also obtain new Data Types from your value-added reseller or from Check Point and use this procedure to add them to your local system. A Data Type can reference CPcode scripts that run on the DLP gateway (see Defining Advanced Matching for Keyword Data Types), so import dlp_dt files only from a source you trust, and review any scripts a Data Type uses before you install the policy.

To import Data Types:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Data Types.
  3. Click Actions > Import.
  4. Select the dlp_dt file holding the Data Type that you want.
  5. Click Save and then close SmartDashboard.
  6. From R80 SmartConsole, install the policy.

Creating a Fingerprint Repository

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Repositories.
  3. Click New > Fingerprint.

    The Data Type wizard opens with Fingerprint selected as the Data Type.

  4. Enter a name for the Data Type.
  5. Click Next.
  6. In the Fingerprint window:
    1. Click the Gateways arrow button to select gateways with the DLP blade enabled.

      By default, the DLP Blades object shows. This object represents all gateways that have the DLP blade enabled. Only gateways selected here scan the repository and enforce the fingerprint data type.

    2. Define a network path to the repository.
    3. If the repository defined in the network path requires a username and password to access it, enter the relevant authentication credentials.
  7. Click Test Connectivity.

    This tests that the DLP gateways defined in the gateways list (step 6a) can access the repository using the (optional) assigned authentication credentials.

  8. Click the Match Similarity arrow.

    This option sets how closely a document examined by the DLP gateway must resemble a document in the repository before it is considered a match. You can require an exact match with a document in the repository, or a partial match based on:

    • A percentage value or
    • Number of matched text segments.
  9. Click Next.

    Select Configure additional Data Type Properties after clicking Finish if you want to configure more properties.

  10. Click Finish.

    The New data type wizard closes. The data type shows in the list of data types and also on the Repositories page.

  11. Click Save and then close SmartDashboard.
  12. From R80 SmartConsole, install the policy.

Creating a Whitelist Repository

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Repositories
  3. Click New > Whitelist Repository.

    The Whitelist Repository window opens.

    Enter a name and informative comments for the repository type.

  4. In the Whitelist Repository section:
    1. Click the Gateways arrow button to select gateways with the DLP blade enabled.

      By default, the DLP Blades object shows. This object represents all gateways that have the DLP blade enabled. Only gateways selected here scan the repository.

    2. Define a Network Path to the repository.
    3. If the repository defined in the network path requires a username and password to access it, enter the related authentication credentials. (Domain/Username).
  5. Click Test Connectivity.

    This tests that DLP gateways defined in the gateways list can access the repository using the (optional) assigned authentication credentials.

  6. To ignore text segments that are in the whitelist and fingerprint repository, click Do not include a text segment in the fingerprint match if the segment is in both the fingerprint and whitelist repositories.
  7. Click OK.

    The Whitelist shows in the list of repositories.

    To manually start a scan of the whitelist repository, click Start in the Scan now area on the summary pane.

  8. Click Save and then close SmartDashboard.
  9. From R80 SmartConsole, install the policy.

Whitelist Policy

There are two ways to create a list of files that will never be matched by the DLP Rule Base: a Whitelist Repository scanned by the DLP gateways (see Creating a Whitelist Repository), or the Whitelist Files list described here, which holds individual files uploaded to the Security Management Server.

To add files to the Whitelist:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Whitelist Policy.
  3. In the Whitelist Files section, click Add.
  4. Browse to the file.
  5. Click Open.

    The file is uploaded to a folder on the Security Management Server.

    Note - For a file not to be included in the DLP match, it must exactly match a file in the whitelist.

  6. Click Save and then close SmartDashboard.
  7. From R80 SmartConsole, install the policy.
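The three preceding sections describe fingerprint matching (exact or partial, by percentage or by number of matched text segments), the option to drop segments that are in both the fingerprint and whitelist repositories, and the exact-match rule for whitelisted files, but only as configuration steps. The following added example is not from this guide and is not Check Point's matching engine; it is a Python model of those three behaviours so that their interaction can be seen on sample data. The documents are constructed, a segment is taken to be one normalised sentence, and the similarity percentage is defined as the share of the repository document's fingerprinted segments that appear in the outgoing document; none of these details are specified on this page.

```python
import hashlib
import re

# Constructed sample documents (not from any real repository).
REPO_DOC = (
    "Project Falcon budget is 4.2 million. The launch date is 3 March. "
    "Confidential, do not distribute. This document is the property of Example Corp."
)
# Corporate boilerplate stored in the whitelist repository.
WHITELIST_DOC = "Confidential, do not distribute. This document is the property of Example Corp."
# Outgoing e-mail body examined by the gateway.
CANDIDATE = (
    "Hi team. The launch date is 3 March. Confidential, do not distribute. "
    "This document is the property of Example Corp. See you then."
)


def segments(text: str) -> list:
    """Split text into segments: one sentence each, case and whitespace normalised.
    (Assumption for this example; the gateway's segmentation is not described here.)"""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [" ".join(p.lower().split()) for p in parts if p.strip()]


def fingerprint(text: str) -> set:
    """A fingerprint is the set of segment hashes; the repository text itself is not kept."""
    return {hashlib.sha256(s.encode("utf-8")).hexdigest() for s in segments(text)}


def exact_match(candidate: str, repo_docs) -> bool:
    """Whole-file match, as the Whitelist Files list requires: the file must be identical."""
    digest = hashlib.sha256(candidate.encode("utf-8")).hexdigest()
    return any(hashlib.sha256(d.encode("utf-8")).hexdigest() == digest for d in repo_docs)


def similarity(candidate: str, repo_doc: str, whitelist_docs=()) -> tuple:
    """Partial match. Returns (percent, matched_segments). Segments that also occur in
    the whitelist repository are removed from the fingerprint before comparison, which
    is what the 'Do not include a text segment ...' option does."""
    whitelisted = set()
    for doc in whitelist_docs:
        whitelisted |= fingerprint(doc)
    repo = fingerprint(repo_doc) - whitelisted
    if not repo:
        return 0.0, 0
    matched = len(repo & fingerprint(candidate))
    return round(100.0 * matched / len(repo), 1), matched


def matches(candidate: str, repo_doc: str, whitelist_docs=(),
            min_percent=None, min_segments=None) -> bool:
    """Apply the Match Similarity setting: a percentage, a segment count, or exact."""
    percent, count = similarity(candidate, repo_doc, whitelist_docs)
    if min_percent is not None:
        return percent >= min_percent
    if min_segments is not None:
        return count >= min_segments
    return exact_match(candidate, [repo_doc])


if __name__ == "__main__":
    print("no whitelist:  ", similarity(CANDIDATE, REPO_DOC))                  # (75.0, 3)
    print("with whitelist:", similarity(CANDIDATE, REPO_DOC, [WHITELIST_DOC]))  # (50.0, 1)
```

Without the whitelist, the outgoing e-mail matches 75% of the repository document because the confidentiality footer counts as two matching segments. With the footer in the whitelist repository, the same e-mail matches 50%, and only the one segment that actually carries project information is counted. This is why the whitelist option matters when tuning a percentage threshold: boilerplate that appears in every document inflates similarity and produces false positives on harmless mail.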

Defining Email Addresses

In DLP administration you may need to define email addresses or domains that are outside of your organization and are not represented by network objects in your Security Management Server (for example, a partner's domain), so that you can use them as a Source or Destination in DLP rules.

To define email addresses and domains for use in rules:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings> Email Addresses.
  3. Click New.

    The Email Addresses window opens.

  4. Enter a Name for this group of email addresses (even if it includes only one address) or domain.
  5. Enter the email address or domain.
  6. Click Add.

    Add the necessary email addresses and domains for this object.

  7. Click OK.
  8. Click Save and then close SmartDashboard.
  9. From R80 SmartConsole, install the policy.

Configuring the DLP Watermark

Watermarking works by introducing custom XML files that contain the watermarking data into the document. Only documents in the Office Open XML formats of Word, Excel, and PowerPoint can be watermarked.

To watermark documents:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Policy.
  3. For the rule whose Data Type you want to watermark, right-click the Action cell and select an Action that lets the transmission through: Ask, Inform User, or Detect. A watermark is added only to a document that is delivered; a Prevent rule blocks the transmission, so there is nothing to watermark.
  4. Right-click the Action cell again and select the Watermark profile.

    DLP has 3 built-in profiles:

    • Classified. Places the word Classified in the center of the page.
    • Invisible only. Contains only hidden text.
    • Restricted. Places the word Restricted at the bottom of the page, and these inserted fields: sender, recipient, and send date.
  5. If there are no existing watermark profiles, click New and create one.

    Note - You can also modify a built-in profile.

  6. Click Save and then close SmartDashboard.
  7. From R80 SmartConsole, install the policy.

To create a new watermark profile:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Watermarks.
  3. Click New.

    The Watermark Profiles window opens.

  4. In the General page, enter the Name for the watermark profile.
  5. Click Advanced.

    The Advanced Settings window opens.

  6. Clear the Use the same configuration for all supported file types option to create different watermarks for Word, Excel, or PowerPoint files.

    Note - A watermark in Excel cannot exceed 255 characters. The 255 character limit includes the visible watermark text and formatting data. If you exceed the 255 character limit, the watermark feature makes a best effort to show as much text as possible.

    The 255 limit is per document.

  7. Set if watermarks are added to:
    • All pages
    • First page only
    • Even pages only
    • Odd pages only

    The actual placement of watermarks depends on:

    • If the document contains Section Breaks on the page.
    • The version of MS Word used to create the document.
  8. Click OK.

Watermark option    Section Break    In Word 2007                     In Word 2010
All pages           Yes              All pages get watermark          All pages get watermark
All pages           No               All pages get watermark          All pages get watermark
First page only     Yes              All pages get watermark          First page only gets watermark
First page only     No               All pages get watermark          First page only gets watermark
Even pages only     Yes              All pages get watermark          All pages get watermark
Even pages only     No               Only even pages get watermark    Only even pages get watermark
Odd pages only      Yes              All pages get watermark          All pages get watermark
Odd pages only      No               Only odd pages get watermark     Only odd pages get watermark

To configure settings on the General Page:

  1. To configure the location of the watermark:
    1. Click the watermark graphic.

      The Select text location on page window opens.

    2. Click the location for the watermark.
  2. To configure the watermark text:
    1. Click the field with the watermark text.

      To create a new watermark, click Add watermark text to another location.

      The text formatting tools are shown.

    2. Click Insert Field, to add a dynamic field to the watermark.
    3. Click the Diagonal button, to show the text on a 45 degree diagonal.

      Note - Watermark rotation is only available for:

      • PowerPoint presentations in MS Office 2007 and 2010
      • Word documents in MS Office 2010

    4. To change the text to 70% transparency, click the Transparency button.
  3. Click OK.

To add a shadow behind Watermark text in Word and PowerPoint:

  1. On the gateway, run: cpstop
  2. On the gateway, open for editing: $DLPDIR/config/dlp.conf.
  3. Search for the attribute: watermark_add_shadow_text(0).
  4. Change the value of the attribute from 0 to 1.
  5. Set percentages for watermark transparency and size, for DOCX and PPTX files.

    Change the watermark_text_opacity_percentage property from its default of 30 (70% transparency) to the new value.

  6. Save and close the file.
  7. Run: cpstart

    Note - Before the changes to dlp.conf take effect, you must run cpstop and cpstart.

To configure settings on the Hidden Text page:

  1. Select Add the following hidden text to the document.
  2. Click Add, and select which fields should be inserted as encrypted hidden text into the document.

    Note - For the purpose of forensic tracking, the hidden text can later be viewed with the DLP watermark viewing tool.

  3. Click OK.

    If Microsoft Office 2007 (or higher) is installed on the same computer as R80 SmartConsole, a preview of the watermark shows on a sample file in the preview pane.

    Note - The preview pane is not available if you create or edit a watermark from the DLP policy rule base. To see a preview, create a watermark from Additional Settings > Advanced > Watermarks > New.

  5. In Additional Settings > Advanced > Watermarks section:
    1. Make sure Apply watermarks on Data Loss Prevention rules is selected.
    2. Set how existing watermarks are handled on documents that pass repeatedly through DLP gateways. Existing watermarks can be kept, or replaced.

    Note - Hidden encrypted text is not removed, only added to by each DLP gateway. Hidden text can later be used for forensic tracking.

To complete the watermark profile:

  1. Click Save and then close SmartDashboard.
  2. From R80 SmartConsole, install the policy.

Fine Tuning Source and Destination

In the Rule Base, you can change the default Source (My Organization) and the default Destination (Outside My Org) to any network object, user, or group that is defined in R80 SmartConsole, and you can fine tune user definitions specifically for DLP.

To create a domain object:

  1. In R80 SmartConsole, click Objects > Object Explorer (Ctrl+E).
  2. Click New > Network Object > More > Domain.

    The New Domain window opens.

  3. In Enter Object Name, enter the domain name, not a URL. A Domain object that is not an FQDN has a name that begins with a dot (for example, .example.com) and matches all hosts in that domain.
  4. Clear FQDN.
  5. Click OK.
  6. Publish the changes.

Isolating the DMZ

To ensure that data transmissions to the DMZ are checked by Data Loss Prevention, define the DMZ as being outside of My Organization.

For example, the PCI DSS Requirement 1.4.1 requires that a DMZ be included in the environment to prevent direct Internet traffic to and from secured internal data access points.

To ensure traffic from My Organization to the DMZ is checked for Data Loss Prevention:

  1. Make sure that the DLP gateway object's topology marks the interfaces that lead to the DMZ, and that the DMZ hosts and networks are defined as network objects.
  2. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  3. From the navigation tree, click My Organization.
  4. In the Networks section, make sure that:
    • Anything behind the internal interfaces of my DLP gateways is selected
    • Anything behind interfaces which are marked as leading to the DMZ is NOT selected
  5. Click Save and then close SmartDashboard.
  6. From R80 SmartConsole, install the policy.

Defining Strictest Security

You may choose to define the strictest environment possible. Using these settings ensures that data transmissions are always checked for Data Loss Prevention, even if the transmission is from and within your secured environment.

Important - You must ensure that legitimate transmissions are not blocked and that Data Owners are not overwhelmed with numerous email notifications. If you do use the settings explained here, set the actions of rules to Detect until you are sure that you have included all legitimate destinations in this strict definition of what is the internal My Organization.

To define a strict My Organization:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the Email Addresses section, remove the defined items.
  4. Configure the VPN settings:
    1. In the VPN section, click All VPN traffic.
    2. Click Exclusions.
    3. In the VPN Communities window, add the communities that are NOT checked by DLP.
    4. Click OK.
  5. Configure the Networks settings:
    1. In the Networks section, click Select specific networks and hosts.
    2. Click Edit.
    3. In the Networks and Hosts window, select the defined Check Point network objects to include in My Organization.
    4. Click OK.
  6. Configure the Users settings:
    1. In the Users section, click These users, user groups and LDAP groups only.
    2. Click Edit.
    3. In the User Groups and Users window, select the defined users, user groups, and LDAP groups that you want to include in My Organization.
    4. Click OK.
  7. Click Save and then close SmartDashboard.
  8. From R80 SmartConsole, install the policy.

Configuring More HTTP Ports

To scan transmissions on HTTP running on any port other than the standard HTTP ports (80, 8080), you must define the non-standard ports as part of the HTTP protocol. HTTP traffic on a port that is not defined this way is not parsed as HTTP and is therefore not inspected by DLP.

To add ports to HTTP:

  1. In R80 SmartConsole, click Objects > Object Explorer (Ctrl+E).
  2. Click New > Service > TCP.

    The New TCP window opens.

  3. Enter the name for the TCP object.
  4. In Protocol, select HTTP.
  5. If necessary, click Customize and enter the port or port range.
  6. Click OK.
  7. Publish the changes and install the policy.