Data Loss Prevention

  • 1.  Symantec DLP Network Prevent for Mail, Quarantine and Block response rules.

    Posted Nov 07, 2011 09:21 AM

    Hello!

    Need assistance, I don't understand how it's working.

    We implemented the financial pack and there are 2 response rules for mail (Quarantine and Block). We have forward mode for Network Prevent, so we have a local mail server that forwards mail to Network Prevent, and the next hop is our MTA that sends outbound mail.

    We imagined that with "Quarantine SMTP Email", if an incident triggers, the email stops processing further and sits on the previous-hop MTA or on Network Prevent, but we have an incident registered and the message delivered to the recipient with confidential data.

    With the block response rule, all goes fine. If an incident is created, the email doesn't go further, but then we are unable to send this mail to the recipient if it was a false positive.

    So, how do we work with Network Prevent for Mail in situations where we would like to stop a message from processing if a policy-violating trigger fires, and would like to use a smart response rule to mark the incident as a false positive and send the mail further to the next-hop MTA?



  • 2.  RE: Symantec DLP Network Prevent for Mail, Quarantine and Block response rules.

    Posted Nov 08, 2011 02:38 PM

    SMTP Prevent never stores or queues a message.  What you see in that Quarantine Mail response rule is simply a rule that adds an x-header to the email message.  The assumption there is that you would need to have some processing on your downstream MTA to read that email header, recognize the x-header that you specified for quarantining the email, and subsequently direct it to a quarantine area based on the mail routing on the downstream MTA.

    ~Keith



  • 3.  RE: Symantec DLP Network Prevent for Mail, Quarantine and Block response rules.

    Posted Nov 09, 2011 04:27 AM

    What about the response rule Block SMTP Email? Any details on how it works? It sends the mail back to the sender and redirects it to someone.. But what actually goes on on the server side? What does it say to the MTA that tries to send the policy-violating mail?



  • 4.  RE: Symantec DLP Network Prevent for Mail, Quarantine and Block response rules.

    Posted Dec 13, 2011 01:48 PM

    As Keith pointed out, SMTP Prevent is not an MTA; think of it as an MTA proxy.

    The process is the following:

    Sending MTA connects to SMTP Prevent (Prevent)

    SMTP Prevent connects to forwarding MTA

    Prevent receives the email from the sending MTA and immediately sends it to the forwarding MTA

    When the sending MTA signals the email is complete, Prevent processes the email.

    If the email is not blocked, Prevent completes the process with the forwarding MTA.

    If the email is blocked, Prevent aborts the email with the forwarding MTA and fails the email back to the sending MTA.

    Based on the failure code, the sending MTA does predefined actions on the email, including sending the email back to the sender.


    JGT
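    As an added illustration (not code from this thread or from Symantec), here is a toy model of the forward-mode flow JGT describes and of the x-header quarantine Keith describes. The header name, the card-number detector standing in for the policy, the routing on the downstream MTA and the SMTP reply codes are all assumptions; Prevent's real ordering of streaming and header insertion is simplified.

```python
# Toy model of SMTP Prevent in forward mode: pass / quarantine (x-header) / block (fail back).
# Not Symantec's code; header name, detector, routing and reply codes are assumptions.
import re
from dataclasses import dataclass

QUARANTINE_HEADER = "X-DLP-Quarantine"            # assumed; the real rule lets you pick the name
CARD_RE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")  # toy detector in place of a DLP policy


@dataclass
class Result:
    action: str                 # "pass", "quarantine" or "block"
    reply_to_sending_mta: str   # SMTP reply the sending MTA sees at end of DATA
    forwarded: bool             # did the forwarding MTA get a completed message?
    forwarded_message: str = ""


def policy_action(message: str, rule: str) -> str:
    """Return the response-rule action ('quarantine' or 'block') if the toy policy matches, else 'pass'."""
    return rule if CARD_RE.search(message) else "pass"


def prevent_process(message: str, rule: str) -> Result:
    """Model of Prevent at end-of-DATA, after the message was streamed to the forwarding MTA."""
    action = policy_action(message, rule)
    if action == "block":
        # Abort the session with the forwarding MTA; fail the mail back to the sending MTA.
        return Result("block", "550 5.7.1 Message blocked by DLP policy", False)  # assumed code
    if action == "quarantine":
        # Prevent never stores or queues: it only adds the x-header and lets delivery complete.
        message = f"{QUARANTINE_HEADER}: yes\r\n" + message
    return Result(action, "250 2.0.0 OK", True, message)


def downstream_mta_route(message: str) -> str:
    """What the forwarding MTA must do itself (assumed config): route on the x-header."""
    headers = message.split("\r\n\r\n", 1)[0]
    if re.search(rf"(?im)^{QUARANTINE_HEADER}:\s*yes\b", headers):
        return "quarantine-mailbox"
    return "internet"


# Constructed sample messages, not real traffic.
SENSITIVE = ("From: a@example.com\r\nTo: b@example.net\r\nSubject: hi\r\n\r\n"
             "Card 4111 1111 1111 1111\r\n")
HARMLESS = "From: a@example.com\r\nTo: b@example.net\r\nSubject: hi\r\n\r\nhello\r\n"
```

Running `prevent_process(SENSITIVE, "quarantine")` shows the mail still reaching the forwarding MTA, which is why a quarantine only works if that MTA routes on the header, while `"block"` is the only path on which the sending MTA receives a failure.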