Networking: Data Leak Prevention System (DLP)
A system that will identify, monitor, and protect data through deep content inspection. This will be a must-have system to detect and prevent the unauthorized use and transmission of confidential information.
Track and report HTTP and FTP file uploads as well as outgoing email attachments in order to trace data leakage and unauthorised data transfers.
Add the ability to enable content filtering for outbound SMTP emails; emails would be blocked, or forced to be encrypted, depending on policies set by an administrator. The engine would look for patterns such as SSN, CC #, etc. (just about any pattern; use of PCRE, etc. would work) and either force the email to be encrypted (if there was an S/MIME or PGP key available for the recipient) or returned (optionally with or without a notification being sent to a designated email address or group) to the sender. Email data leakage prevention is becoming more of a hot-button issue lately...
It would be great if the IDS could search network packets for Non-Public Information, like credit cards, social security numbers and things of that nature. No institution allows that type of information to be passed on their network un-encrypted. Having the IDS be able to capture packets like this and block them can prove extremely useful.
Possibility to control (block) upload via web / email.
(HTTP POST method and outgoing email attachments)
This is a security feature to prevent exposure of sensitive information of an organization.
Any update from Astaro/Sophos?
Adrian Baxter commented
In addition to generic blocking that others have mentioned, it would be worth putting in much of the same features as the endpoint protection client to catch violations from devices that don't have endpoint protection installed (mobile devices, for example).
This would also make the product more competitive. I could even see making a more comprehensive package available as an add-on.
Mirza Nasir commented
It is a very important feature and I would highly recommend including this feature in Astaro.
Hello. As said, other competitors have already implemented DLP. It would be nice if Astaro did also, for example controlling file transfers for social networking sites or applications like MSN and Skype.
Palo Alto Networks already implemented this and other application control features.
Scott Klassen commented
I'm all for this, especially since a competing vendor has already implemented this functionality into a UTM.
Simon Powell commented
Hi there - we have a client interested in limiting specific attachment types sent outbound (possibly also to specific hosts but I am praying not...). Is there a development branch working on this at all or am I going to have to start thinking differently?
Gert Hansen commented
Hi all, thanks for your feedback.
DLP is a VERY big area of features and there are many ways to implement it.
Please take 5 minutes and share with us what you are seeking and what you would expect from a DLP system developed by us.
Sudhir Sharma commented
Very Important... Please do it asap !!
Tobias Frank commented
Not only the webmail pages!!!
Look at the hundred and more file hosters on the internet!
This will be a big security feature.
I want to be able to allow users to access 'online' content so they can download information that other third parties have shared, but prevent them from 'uploading' content to the same site. We are getting numerous requests from staff asking for access to sites like Dropbox, etc. and I want users to be able to download shared content but remove the ability for them to upload.
Bob Alfson commented
There's another, similar suggestion: http://feature.astaro.com/forums/17359-astaro-gateway-feature-requests/suggestions/343874-gateway-data-leak-prevention-system?ref=title
William Warren commented
You already can. Leave Astaro in its block-by-default configuration and only allow the sites folks are allowed to go to. Another way is to run your HTTP proxy in AD authentication mode. Set up an HTTP proxy profile for those folks who aren't allowed to upload and restrict them to only sites that provide no upload, and have the other profile be less restrictive for others. Since you can leverage AD you can make a profile for every OU if you wish. They won't be able to upload if you restrict them to sites that don't provide uploads. Otherwise the solution isn't an easy one.
Jerry Wein commented
I have searched all over the internet for this functionality and there are only a limited number of vendors that provide solutions; most are applications that must be installed on a user's machine. For an enterprise solution, it is much better to have this functionality at the gateway.
Sergio Bollini commented
I think 2 features are critical
1- to be able to block mails with attachments sent to generic email providers (gmail, hotmail, etc).
2- scan for regular expressions in email body and attachments.
I think that just having these two will be of enormous help. And also, I guess it should be relatively easy to implement.
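The pattern policy requested at the top of this page (scan for SSN and card patterns, then encrypt if the recipient has a key, otherwise return to sender) combined with the two features listed in the comment above, as an added example that is not Astaro code and not written by any commenter. The provider list, function names and sample messages are assumptions constructed for illustration, and only text parts are scanned.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed policy values for illustration; a real deployment would load these from config.
GENERIC_PROVIDERS = {"gmail.com", "hotmail.com"}
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: discards digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text: str) -> set:
    """Return the kinds of sensitive data ('ssn', 'card') found in text."""
    hits = {"ssn"} if SSN_RE.search(text) else set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("card")
    return hits

def evaluate(msg: EmailMessage, recipient_has_key: bool) -> str:
    """Decide 'deliver', 'encrypt' or 'return' for one single-recipient outbound mail."""
    domain = parseaddr(str(msg["To"]))[1].rsplit("@", 1)[-1].lower()
    # Feature 1: no attachments of any kind to generic mail providers.
    if domain in GENERIC_PROVIDERS and next(msg.iter_attachments(), None) is not None:
        return "return"
    # Feature 2: pattern scan over the body and every text attachment.
    hits = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            hits |= find_sensitive(part.get_content())
    if not hits:
        return "deliver"
    return "encrypt" if recipient_has_key else "return"

def sample(to, body, attachment=None):
    """Build a constructed outbound message, optionally with a CSV attachment."""
    msg = EmailMessage()
    msg["To"] = to
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, subtype="csv", filename="export.csv")
    return msg
```

Binary attachments (PDF, Office files, archives) pass through this sketch unscanned; covering them needs a text-extraction step before `find_sensitive`.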
Christopher Amatulli commented
isadalvi - DLP is not a product, it's a teamed solution between file / print / client / server / network and a few other access points which controls what data can go where. There is no single product on the market (or will ever be) that is a DLP solution. Some products excel in identifying data, some excel in how they control that content... I believe the best way for Astaro to jump into the market is to integrate with a few of those solutions with a lower price point. Just to give an example, the Orchestria product has ICAP and a SOCKET API which Astaro can communicate with to utilize their engine rather than making their own. Once they have the integration established, they now have a strong in to the top 10 financial companies in the US, as well as several of the top manufacturing and insurance companies.
Maybe DLP is a product itself... but if this feature is accomplished in future, it will make Astaro a unique UTM.
Christopher Amatulli commented
While DLP is an excellent market to get into, there are several products that this one could interface with which would add the DLP option. Between McAfee, RSA, CA DLP... all of them have ICAP integration. Just adding that one option would add in the DLP market. And given my dealings with companies like Symantec that already have a Linux DLP appliance, you could crush them in the market by knocking their 3 hardware solutions to a single Astaro VM.
I agree with all of you. There is no single DLP framework or a standard today. But, since ASG does multi-fold inspection of various traffic already, having a DLP feature to enforce corporate policy is a must-have. I also agree that it should sit in its own box, but, technically, DLP should be a joint effort of all data escape channels, which makes it a gateway feature on a firewall like Astaro. Having some control is better than having nothing at all. I am confident that it will make ASG a preventive, deterrent and detective control from a data leakage perspective.
William Warren commented
I'm not sure this should be a gateway feature. This is going to increase the system requirements exponentially. I think this is one thing that needs to stay in its own box.