Symantec Data Loss Prevention Blue Coat ProxySG Configuration Guide For Symantec Data Loss Prevention Version 9.0 1-1100-0900-2009-03-16


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 9.0

Legal Notice

Copyright © 2009 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 “Commercial Computer Software - Restricted Rights” and DFARS 227.7202, “Rights in Commercial Computer Software or Commercial Computer Software Documentation”, as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014

http://www.symantec.com


This guide covers the following topics:

■ Introduction

■ Request Modification (REQMOD)

■ Response Modification (RESPMOD)

Introduction

Symantec Data Loss Prevention supports integration with Blue Coat ProxySG version 5.2.4.x, expanding the proxies supported for Network Prevent (Web) and adding the capability to prevent HTTPS and FTP traffic that violates configured policies. This capability is achieved by integrating with HTTP proxies through Internet Content Adaptation Protocol (ICAP).

This integration is supported only with forward-proxy mode deployments and only with the request modification (REQMOD) and response modification (RESPMOD) modes of ICAP. Other deployment options are not supported. See the appropriate Installation Guide to install Network Prevent before configuring the Blue Coat ProxySG.

Instructions for correctly configuring Blue Coat ProxySG are provided below.

Figure 1-1 Preferred Deployment


Request Modification (REQMOD)

Create ICAP Service

To create the ICAP request modification service on the ProxySG server:

1 Log in to the Blue Coat ProxySG.

2 Click Management Console.

3 Click External Services on the left navigation menu.

4 Click ICAP.

5 Click New.

6 Fill in a name of choice for the ICAP server.

7 Click Edit and configure the ICAP service:

Figure 1-2 External Services Creation

8 Click the Sense Settings button to test the connection to Network Prevent. The ICAP server tag should display Vontu 9.0 after sensing the settings.

9 Repeat steps 5 – 8 for each Network Prevent server.

10 After all the ICAP services have been configured, click the Apply button in the main UI pane.

11 Click Service-Groups under External Services menu.

12 Click New.

13 Fill in a name of choice for the service group (for example, Vontu).

14 Click Edit to edit the service group just created.

15 When the Service Group Entries screen appears, click New.

16 When the Add Service-Group Entry screen appears, select List ICAP services and select the ICAP services configured in previous steps. Then click OK.

17 Click OK to exit the Edit Service-Group screen.

18 Click Apply on the main UI screen.


Configuration for HTTP Prevent

To configure HTTP prevent on the ProxySG server:

1 Click Policy on the left navigation menu.

2 Click Visual Policy Manager.

3 On the main UI pane, click Launch.

4 When the Blue Coat Visual Policy Manager appears, go to the Policy menu and select Add Web Access Layer. Give it an appropriate name.

5 Select the Action cell and right click the cell.

6 Select Set on the context menu.

7 In the Set Action Object panel, click New.

8 Select Set ICAP Request Service.

9 Give it an appropriate name and select Use ICAP request service.

10 Select the service group created in the previous section.

Figure 1-3 Add ICAP Request Service for HTTP

11 When the Add ICAP Request Service Object screen appears, click the OK button.

12 When the Set Action Object screen appears, select the ICAP service object just created, and click OK.

13 Select the Service cell, and right click it. Select Set on the context menu.

14 Click New in the Set Service Object panel.

15 Select Protocol Methods. Give it an appropriate name.


Figure 1-4 Add Methods Object

16 Select HTTP/HTTPS from the dropdown menu of the Protocol field.

17 Configure it according to the screen above. Select PUT as well if it is desired. This will help reduce the traffic to the ICAP server, so that bandwidth is not spent on requests such as GETs.

18 Click OK.

19 When the Set Service Object screen appears, make sure the protocol methods object just created is selected, and click OK.

Configuration for HTTPS Prevent

To configure HTTPS prevent on the ProxySG server:

1 In the Visual Policy Manager, go to the Policy menu and select Add SSL Intercept Layer. Give it an appropriate name.

2 Select the Action cell and right click it.

3 Select Set.

4 When the Set Action Object screen appears, click New, and select Enable HTTPS Interception.

5 Give it an appropriate name, and configure according to the following screen:


Figure 1-5 SSL Forward Proxy Object for HTTPS

6 Click OK.

7 When the Set Action Object screen appears, select the Enable HTTPS Interception object just created and click OK.

Configuration for FTP Prevent

To configure FTP prevent on the ProxySG server:

1 Go to Policy menu and select Add Web Access Layer. Give it an appropriate name.

2 Select the Action cell and right click it.

3 When the context menu appears, select Set.

4 If you created an ICAP action object by following the instructions in the Configuration for HTTP Prevent section, you can simply select that action object, click OK, and move directly to step 11 of this section. Otherwise, follow steps 5 – 10.

5 In the Set Action Object panel, click New.

6 Select Set ICAP Request Service.

7 Give it an appropriate name and select Use ICAP request service.

8 Select the service group created in the previous section.


Figure 1-6 Add ICAP Request Service for FTP

9 When the Add ICAP Request Service Object screen appears, click OK.

10 When the Set Action Object panel appears, select the ICAP service object just created, and click OK.

11 Select the Service cell, and right click it. Select Set on the context menu.

12 Click New in the Set Service Object screen.

13 Select Client Protocol, and configure the FTP protocol object according to the following screenshot.

Figure 1-7 Add Client Protocol Object for FTP

14 Select FTP from the dropdown menu.

15 Click OK.

16 When the Set Service Object screen appears, make sure that the protocol object just created is selected, then click OK.

Deploy Policy to Proxy Server

After configuring all the protocols, you are ready to deploy the policy to the Blue Coat ProxySG server. Click Install Policy on the Visual Policy Manager to deploy the policy. Exit the Visual Policy Manager after it is done.


Response Modification (RESPMOD)

Create ICAP service for response modification:

To create the ICAP response modification service on the ProxySG server:

1 Log in to the Blue Coat ProxySG.

2 Click Management Console.

3 Click External Services on the left navigation menu.

4 Click ICAP.

5 Click New.

6 Fill in a name of choice for the ICAP service.

7 Click Edit and configure the ICAP service according to the following screen:

Figure 1-8 Add ICAP Service ICAP Response

8 Click the Sense Settings button to test the connection to Network Prevent. The ICAP server tag should display Vontu 9.0 after sensing the settings.

9 Repeat steps 5 – 8 for each Network Prevent server.

10 After all the ICAP services have been configured, click the Apply button in the main UI pane.

11 Click Service-Groups under External Services menu.

12 Click New.

13 Fill in a name of choice for the service group (for example, Vontu).

14 Click Edit to edit the service group just created.

15 When the Service Group Entry screen appears, click New.

16 When the Add Service-Group Entry screen appears, select List ICAP services and select the ICAP services configured in previous steps. Then click OK.

17 Click OK to exit the Edit Service-Group screen.


18 Click Apply on the main UI screen.

Configuration for HTTP prevent

To configure response modification for HTTP prevent on the ProxySG server:

1 Click Policy on the left navigation menu.

2 Click Visual Policy Manager.

3 On the main UI pane, click Launch.

4 When the Blue Coat Visual Policy Manager appears, go to the Policy menu and select Add Web Content Layer. Give it an appropriate name.

5 Select the Action cell and right click the cell.

6 Select Set on the context menu.

7 In the Set Action Object panel, click New.

8 Select Set ICAP Response Service.

9 Give it an appropriate name and select Use ICAP response service.

10 Select the service group created in the previous section.

Figure 1-9 Add ICAP Response Service for HTTP

11 When the Add ICAP Response Service Object screen appears, click the OK button.

12 When the Set Action Object screen appears, select the ICAP service object just created, and click OK.

Note: The following steps specify the types of content that are sent for inspection based on content MIME type and disable proxy cache for those content types. This is important for performance as well as accuracy.

13 Again select the Action cell and right click the cell.

14 Select Set on the context menu.

15 In the Set Action Object panel, click New.

16 Select Combined Action Object.


17 Give it an appropriate name.

18 Select the ICAP Response Service Object created in steps 6 through 12 and press Add.

19 Select Do Not Cache and press Add.

Figure 1-10 Add Combined Action Object

20 Once done creating the Combined Action Object, click the OK button.

21 When the Set Action Object screen appears, select the ICAP service object just created, and click OK.

22 Select the Destination cell and right click the cell.

23 Select Set on the context menu.

24 In the Set Destination Object panel, click New.

25 Select HTTP MIME Types.

26 Check the MIME types that need to be monitored.

Figure 1-11 Add HTTP MIME Types Object

27 Once done selecting the HTTP MIME Types Object, click the OK button.

28 When the Set Destination Object screen appears, select the HTTP MIME Types Object just created, and click OK.

If a wildcard is needed for the MIME types, you have to create a policy file and upload it to the Blue Coat proxy server. The policy file should contain the following:

<ssl-intercept>
    ssl.forward_proxy(https) ssl.forward_proxy.issuer_keyring(default)

<Cache>
    condition=HTTPMIMETypes1 response.icap_service([ICAP service name]) cache(no)

; Definitions
define condition HTTPMIMETypes1
    response.header.Content-Type="text/*"
    response.header.Content-Type="application/pdf"
end

The easiest way to add a wildcard is to configure the policy through Visual Policy Manager and then:

1 Go to the Policy Files menu.

2 Click the View button in the View Policy section.

3 Copy the policy text.

4 In the Install Local File from section, choose Text Editor from the dropdown menu, and click the Install button.

5 When the text editor appears, paste the policy text copied in step 3 into it.

6 Modify the Define Condition section of the policy to reflect the desired MIME types, putting an asterisk where a wildcard is needed.

Configuration for HTTPS prevent

To configure HTTPS prevent on the ProxySG server:

1 In the Visual Policy Manager, go to the Policy menu and select Add SSL Intercept Layer. Give it an appropriate name.

2 Select the Action cell and right click it.

3 Select Set.

4 When the Set Action Object screen appears, click New, and select Enable HTTPS Interception.

5 Give it an appropriate name, and configure according to the following screen:

Figure 1-12 SSL Forward Proxy Object for HTTPS


6 Click OK.

7 When the Set Action Object screen appears, select the Enable HTTPS Interception object just created and click OK.

Deploy policy to proxy server

After configuring all the protocols, you are ready to deploy the policy to the Blue Coat ProxySG server. Click Install Policy on the Visual Policy Manager to deploy the policy. Exit the Visual Policy Manager after it is done.
