Today, many firewalls on the market go beyond just filtering traffic between networks. With continuing advancement, they can now combine multiple security appliances into one unit. These devices are known as UTM, or Unified Threat Management, devices. One such company that produces a UTM device is Fortinet, Inc. One of the great features of such an appliance is known as DLP or Data Loss Prevention. DLP is very useful in preventing sensitive data from leaving or gaining access to your network whether intentional or not. DLP inspects traffic that leaves or enters a network and identifies pre-configured controls that will take certain actions depending on the severity. This post will focus on configuring DLP on a FortiGate UTM device to prevent that have a specific keyword in the body, subject or attachment from gaining access to or leaving the network. DLP can be configured to do this on the SMTP, IMAP and POP3 protocols.
Examples of use
After defining certain parameters dependent on customer needs, DLP can stop data such as social security and credit card numbers from leaving the network, as well as prevent certain instant messaging protocols, like AOL Instant Messenger. Parameters can be set to be very granular; for instance, the DLP can be configured to prevent emails that contain certain key words in the body, subject, or attachments with one rule. This option is very useful to insure that no sensitive data is accidentally emailed to a distribution list of people that do not have authorization to view such information. This will not only protect customers but also employees.
Step 1 – Defining DLP Rules
The first step is to configure a DLP rule. Rules are the backbone of the DLP feature. Each rule specifies a type of sensitive data and uses the information to detect any violations. In this case I have created separate rules to define a key word to look for in the body, subject, and attachment of an email. When trying to match key words, you can either use wildcard or regular expression entries.
Step 2 – Compound Rules
Although this is an optional step, DLP compound rules can be configured to essentially combine any of the individual rules into one compound rule. When any number of individual rules is combined into a compound rule, all the rules must be met for the compound rule to be triggered. For example, the first rule detects a key word in the email body and the second detects it in the attachment. When used together in one compound rule, if an email is sent with the keyword in the body or the attachment the compound rule will be triggered and the configured action will be taken. Actions are configured in the DLP sensor.
Step 3 – DLP Sensors
DLP sensors allow you to combine the previously configured rules or compound rules, so that the sensor can be applied to a firewall policy rule.
First, create the sensor name to enable logging for the sensor. Once created, add the individual or compound rules to the sensor and choose to block the traffic, ban the sender or IP address or quarantine the firewall interface it came in on. Specify the severity of the event and choose how to archive it.
Step 4 – Applying DLP Sensor
Once the DLP sensor is configured, go into the firewall rules you wish to apply it to, for instance the WAN to Internal policy, and enable the DLP UTM feature by selecting the sensor and applying it.
Optionally, if you have a reporting appliance such as a FortiAnalyzer or a Syslog server that collects all of the firewall logs for reporting purposes, you can choose to log DLP violations.
With so many regulatory agencies and policies on the market, it is very important to make sure that your network meets all requirements. DLP is a great way to stay ahead and meet these demands while protecting your employees and customers. Data Loss Prevention prevents sensitive data from leaving or entering a network. With proper configuration, companies can greatly reduce accidental sensitive data loss and prevent malicious content from gaining access to their network.
Stay tuned for a follow-up post about how we have utilized DLP to assist highly critical ITAR compliance.