Archive for the ‘Data Loss Prevention’ Category

DLP again

Friday, August 20th, 2010

Well, some thoughts about DLP have been on my mind for some time and I want to write them down.

First, DLP is about unintentional data loss. There are always ways to get data out of a secure area, whether by USB drive, HTTPS upload, CD-R, steganography or whatever else. It’s nearly impossible to prevent data leaks completely.

But that’s not what DLP is aiming for… it’s for the user who accidentally chooses the wrong e-mail address or picks the wrong file for uploading to a website. And for that purpose, it’s totally sufficient.

The underlying engine which does the processing is amazing and you can do all kinds of stuff with the data types. For most of your requirements Check Point brings built-in data types, whether for credit card numbers or social security numbers.

Second: the hard part with DLP is to define a company policy and a list of data that should not leave the company. This is where technical and organizational security meet, and it is the biggest challenge.

Concerning the DLP-1 appliances that I mentioned before, I have some information about the hardware.

The DLP-1 2571 has a dual-core CPU, 4 GB RAM and a 500 GB HDD, so it’s pretty much a UTM-1 3070 series appliance with more memory and a bigger HDD.

The DLP-1 9571 is based on the Power-1 9075 and comes with 2x quad-core CPUs, 8 GB RAM and 2x 1 TB HDD.

Internal Check Point sources say that for now it’s safe to assume that for real-life traffic you have to divide the performance numbers by 4. This will change with the next releases, which improve performance.

If you haven’t noticed, DLP-1 appliances come with the UserDirectory blade to allow easy connectivity to Active Directory domains or LDAP directories.

DLP-1 will also be able to scan HTTPS traffic in the near future (Q1/11) and I’m really looking forward to that feature.

If someone has solid hands-on experience with a DLP implementation, please share it with me: blog@lachmann.org

Tobias Lachmann

Behaviour of Data Loss Prevention

Thursday, August 5th, 2010

Mmmh… the DLP software acts as a proxy between the internal mail server and the external mail server.

It accepts the mail from the internal system and at the same time sends the data out to the external system, except for the last packet that completes the mail. Once the DLP gateway has received the entire mail from the internal server, it is scanned for compliance with the DLP policy, and if the check passes, the last packet is transmitted to the external mail server, finishing mail delivery.

If the check fails, the last packet is withheld and the gateway shuts down the connection to the external mail server. So basically the mail has left the company, but because of the interrupted transfer, the external mail server discards the partial mail that has been delivered so far.

I’m not sure at the moment that I like this behaviour… I’m thinking about better ways to handle this… haven’t finished thinking it through yet… will let you know my thoughts.
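A minimal model of the proxy behaviour described above, as an added example that is not Check Point’s code: the SMTP DATA phase is streamed to a stand-in upstream server at once, and only the end-of-data terminator (CRLF.CRLF) is withheld until a policy check passes; on failure the connection is closed and the upstream drops the partial message. The policy check is a constructed stand-in for the built-in credit card data type (a 16-digit pattern validated with Luhn); the FakeUpstream class is an assumption made for the demonstration.

```python
import re
from typing import Callable

# Constructed policy: block any mail containing a Luhn-valid 16-digit card number.
# Luhn validation keeps random 16-digit runs (order numbers etc.) from being false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")
EOD = b"\r\n.\r\n"  # SMTP end-of-data terminator, the "last packet" the gateway withholds


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def policy_allows(message: str) -> bool:
    for m in CARD_RE.finditer(message):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            return False
    return True


class FakeUpstream:
    """Stand-in external mail server: a message counts as delivered only once EOD arrives."""
    def __init__(self) -> None:
        self.buf = b""
        self.delivered = []
        self.closed = False

    def send(self, chunk: bytes) -> None:
        self.buf += chunk
        if self.buf.endswith(EOD):
            self.delivered.append(self.buf[: -len(EOD)])
            self.buf = b""

    def close(self) -> None:
        self.closed = True
        self.buf = b""          # an interrupted DATA phase is discarded, never delivered


def relay_data(body: bytes, upstream: FakeUpstream, allowed: Callable[[str], bool]) -> str:
    """Stream the body upstream immediately; hold back only EOD until the check is done."""
    upstream.send(body)          # the content has already left the company at this point
    if allowed(body.decode("utf-8", "replace")):
        upstream.send(EOD)       # check passed: complete the transfer
        return "delivered"
    upstream.close()             # check failed: drop the connection, upstream discards the mail
    return "blocked"
```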

Tobias Lachmann

Details on Data Loss Prevention (DLP) blade licensing

Monday, May 10th, 2010

It has taken a long time to get information from Check Point on how to license the DLP blade, but now I have an answer:

For the 500 and 1500 user DLP blades a 2-core container is needed. For the unlimited user DLP blade you need an 8-core container. The size of the blade is determined by the number of users behind the gateway!

So that would mean you need an SG201 container (which includes a gateway for up to 500 users) for the CPSB-DLP-500 blade.

For the CPSB-DLP-1500 blade an SG203U pre-defined system is needed, to allow more than 500 users.

For the CPSB-DLP-U blade an SG801 container is needed.

So the solution for 500 users will cost $3000 for the blade and $6500 for the container, $9500 in total.

The solution for 1500 users will cost $7000 for the blade and $14000 for the container, $21000 in total.

The unlimited solution will cost $12000 for the blade and $18000 for the container, $30000 in total.

This is the pure software side; you will also need hardware, for example an open server for an additional $4000.

If we look at the appliance solution DLP-1 2571, we find that it is limited to 1500 users but costs only $14990.

In case your organization needs DLP protection for up to 500 users, a solution with software running on an open server is about $1500 cheaper. If you need up to 1500 users, you pay $10000 more for an open server solution than for the DLP-1 2571. Lots of money… but still worth thinking about because of the higher performance you will get from an open server.

It’s easier with the DLP-1 9571 that you need for unlimited users, as the appliance costs $49900. The software solution on an open server is only $34000, which is about $16000 cheaper.

What’s the bottom line here? Well, carefully think about your setup before you buy. Think about the performance limitations you may encounter with an appliance. Think about the cost for the 2nd and 3rd year… and then make your decision!

Tobias Lachmann