Data Loss Prevention Administration Guide R75.40
Data Loss Prevention R75.40 Administration Guide

6 October 2014

Classification: [Protected]

© 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND: Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS: Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks. Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of relevant copyrights and third-party licenses.

Important Information

Latest Software
We recommend that you install the most recent software release to stay up-to-date with the latest functional improvements, stability fixes, security enhancements and protection against new and evolving attacks.

Latest Documentation
The latest version of this document is at: (http://supportcontent.checkpoint.com/documentation_download?ID=13946)
To learn more, visit the Check Point Support Center (http://supportcenter.checkpoint.com).
For more about this release, see the home page at the Check Point Support Center (http://supportcontent.checkpoint.com/solutions?id=sk67581).
Revision History

Date               Description
6 October 2014     Updated Installing the Exchange Security Agent (on page 40)
                   Improved layout and formatting
8 September 2013   Removed references to CPMSI_tool
                   Updated Defining Internal VPNs (on page 62)
                   Updated Setting Rule Tracking (on page 65)
9 May 2012         Updated the export CA certificate command syntax ("Exporting a Certificate from the Security Management Server" on page 45)
16 April 2012      First release of this document

Feedback
Check Point is engaged in a continuous effort to improve its documentation. Please help us by sending your comments (mailto:[email protected]?subject=Feedback on Data Loss Prevention R75.40 Administration Guide).

Contents

Important Information
Introduction to Data Loss Prevention
  The Need for Data Loss Prevention
  DLP and Privacy
  The Check Point Solution for DLP
    Data Loss Prevention Terminology
    How It Works
    Integrated DLP Security Gateway Deployment
    Dedicated DLP gateway Deployment
    Alternative Gateway Deployments
    What Happens on Rule Match
  Role of DLP Administrator
    DLP Administrator Permissions
Installation and Configuration
  DLP Supported Platforms
  Installing the DLP gateway
  DLP Software Blade Trial License
  Configuring a DLP Gateway or Security Cluster
    Configuring Integrated Deployments
    Configuring Dedicated Deployments
  DLP-1 Security Cluster Wizard
    Prerequisites
    Configuring a Locally Managed DLP-1 Security Cluster
  Data Loss Prevention Wizard
    DLP Blade Wizard Options
    Completing the Wizard
  Configuring a Dedicated DLP Gateway in Bridge Mode
    Required Routing in Bridge Mode
    Configuring Bridge IP Address
    Required VLAN Trunk Interfaces
  Configuring Active Directory and LDAP for DLP
    Rerunning the Data Loss Prevention Wizard
  Configuring a DLP Gateway for a Web Proxy
    Configuring for a Web Proxy
    Configuring for an Internal Web Proxy
    Configuring Proxy Settings after Management Upgrade
  Mail Relay Required Configuration
    Configuring the Mail Relay
    Configuring a Dedicated DLP gateway and Relay on DMZ
    Recommended Deployment - DLP Gateway with Mail Relay
    Workarounds for a Non-Recommended Mail Relay Deployment
    TLS-Encrypted SMTP Connections
  Configuring Incident Log Handling
  UserCheck Client
    UserCheck Client Overview
    UserCheck Requirements
    Enabling UserCheck Client
    Client and Gateway Communication
    Getting the MSI File
    Distributing and Connecting Clients
    Helping Users
  Configuring the Exchange Security Agent
    SmartDashboard Configuration
    Exchange Server Configuration
  HTTPS Inspection
    How it Operates
    Configuring Outbound HTTPS Inspection
    Configuring Inbound HTTPS Inspection
    The HTTPS Inspection Policy
    Gateways Pane