DLP Deploy
DLP
10.0
Deployment Guide
Revision A
© 2023 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.
All other trademarks used in this document are the property of their respective owners.
Every effort has been made to ensure the accuracy of this document. However, Forcepoint
makes no warranties with respect to this documentation and disclaims any implied
warranties of merchantability and fitness for a particular purpose. Forcepoint shall not
be liable for any error or for incidental or consequential damages in connection with the
furnishing, performance, or use of this manual or the examples herein. The information in
this documentation is subject to change without notice.
Forcepoint DLP 10.0 | Deployment Guide
Contents
1 Overview (page 5)
Deployment options (page 6)
System requirements for Forcepoint DLP components (page 8)
What is the protector? (page 8)
Chapter 1
Overview
Contents
Forcepoint DLP can protect organizations from information leaks and data loss at the perimeter and inside the
organization, as well as in certain Infrastructure as a Service (IaaS) platforms.
■ Forcepoint Data Discovery can be used to learn the location of sensitive data both on-premises and in supported
cloud-based applications. It can be used to scan data on file servers, email servers, and databases, as well as in
content collaboration applications, such as Microsoft SharePoint and Box.
■ Forcepoint DLP Network can be used to prevent data loss through email and over web channels (HTTP, HTTPS
and FTP). It supports the scanning of content supplied by third-party solutions, such as Citrix FileShare, via the
ICAP protocol.
■ With Forcepoint DLP Endpoint, an endpoint agent can be used to prevent data loss over endpoint channels such
as removable storage devices, mobile devices, browser uploads, and email clients and applications (such as IM
and file share clients). It can also discover and remediate sensitive data stored on laptop and desktop systems. The
endpoint agent lets administrators analyze content within a user’s working environment and block or monitor policy
breaches as defined by the endpoint profiles.
The basic components of Forcepoint DLP solutions are:
■ Management server
The management server hosts both the Forcepoint Security Manager (the graphical interface used to manage
Forcepoint DLP and other Forcepoint security solutions) and core Forcepoint DLP components. It also acts as the
primary Forcepoint DLP server.
Although there is only one management server, additional Forcepoint DLP servers may be deployed for load
balancing.
■ Protector (requires a Forcepoint DLP Network subscription)
The protector intercepts and analyzes traffic on SMTP, HTTP(S), and FTP channels, among others. It also supports
DLP content scanning with third-party proxies and data sharing solutions via ICAP.
■ Agents
A variety of agents extend Forcepoint DLP functionality to work with cloud applications (CASB service) and so on.
■ Endpoint clients
Endpoint client software runs on end user desktop and laptop machines.
Related concepts
What is the protector? on page 8
Deployment options
A basic deployment might have just one management server and an analytics server. To extend enforcement
capabilities, it might add a protector.
The high-level illustration shows a basic deployment ideal for a small- to medium-sized organization with a
single Internet egress point. (The illustration is intended to show the general distribution of components and does
not include network details, such as segmenting, internal firewalls, routing, switching, and so forth.)
■ The analytics server is used for Incident Risk Ranking reports.
■ The protector can protect several channels, including SMTP, HTTP, FTP, and ICAP.
The servers can be configured either to monitor only, or to monitor and protect, sensitive data.
The following illustration is a high-level diagram of a larger Forcepoint DLP deployment:
This shows the extended capabilities of Forcepoint DLP incorporated into a more complex network environment.
It includes an extra Forcepoint DLP server and several additional agents to support larger transaction volumes
and numbers of users. Very large deployments can have multiple Forcepoint DLP servers and protectors.
Related concepts
Most common deployments on page 17
Refer to the following resources for general information on public cloud deployment:
■ Microsoft Azure documentation
■ Amazon AWS documentation
HTTP Monitoring
In monitoring mode, the protector is connected off the network via the SPAN/mirror port of a switch (or via a
network TAP), as shown in the following diagram. This allows the protector to monitor and analyze traffic, but not
block it.
The protector must connect both to the SPAN/mirror port or TAP and to the Forcepoint DLP management server.
Related concepts
Forcepoint DLP protector with ICAP on page 19
Related tasks
Planning a phased approach on page 23
Chapter 2
Planning Forcepoint DLP
Deployment
Contents
Before installing Forcepoint DLP, analyze the existing resources to make a comprehensive security plan, using the
following steps:
■ Determine whether changes to the network directory structure are needed to group documents differently for
security purposes.
In most organizations, user rights have been determined and built into the network directory structure. The
existing configuration may be fine as it is. On the other hand, internal network definitions may need to change to
accommodate current, higher security needs.
Structural guidelines
It is possible to configure the system so that a particular user cannot access specified documents through
the network, but can receive them by email. For example, a manager would not want employees to access
documents in his or her personal folder, but would want to be able to send the documents to them by email. It is
therefore important to perform this analysis with a network administrator, so that changes are implemented in a
smooth, logical fashion.
Typically, network directories are organized functionally, according to the different business units in the company.
Within this structure, functional groups are usually entitled to look at documents within their business unit.
The recommended process is:
■ Take a network map of all the directories, and look at how the network access is organized.
■ Determine what types of classified documents the organization has, and where they are located.
■ Determine whether documents of similar confidentiality are together in similar directories.
■ Organize/group information that is critical to the organization and information whose security is legally
mandated.
For example, financial institutions may start by considering customer data (such as Social Security
numbers or account numbers) and highly confidential business information.
■ Organize/group important proprietary and confidential information with medium or low change-frequency.
■ Arrange all major information assets so that data locations, relationships, and security-value hierarchies
are well understood.
The result of this analysis should be a table identifying the directories in the network that need to be protected,
indicating what types of users should be able to receive those files. This should provide insight into access
issues.
It may be desirable to rearrange some areas of network access, and set the data security accordingly. See below
for recommended procedures.
Modify disk space settings after installation using the Forcepoint Security Manager. Instructions can be found in
the Forcepoint DLP Administrator Help.
On endpoint client
Type: Endpoint client incident storage
Description: The disk space that each endpoint client should allocate for incident storage when the endpoint
host is disconnected from the Management Server.
Default Setting: 100 MB
Max Disk Space: 100 MB
Distributing resources
Forcepoint DLP supports multi-site, distributed deployments. Among other examples:
■ In addition to the management server, there can be one or more supplemental Forcepoint DLP servers to
balance the load.
■ The Web Content Gateway includes its own local policy engine to supplement the policy engine on other
servers.
■ It is possible to have distributed (primary and secondary) fingerprint repositories.
■ The crawlers on the Forcepoint DLP servers can be used for fingerprint and discovery scans, or standalone
instances of the crawler agent can be added to improve performance.
Network architecture and geographical factors of the organization contribute to determining the best way to
distribute Forcepoint DLP resources.
Related concepts
Most common deployments on page 17
Load balancing
Load balancing allows administrators to configure how each Forcepoint DLP module sends its data to specified
policy engines for analysis. This both distributes the load and, more importantly, ensures that the organization’s
email and HTTP performance are never harmed.
For example, designate 1–2 dedicated servers to analyze HTTP traffic (where analysis latency is critical), and use
another set of servers to analyze other channels.
An agent or a protector service can have its traffic analyzed by all listed policy engines, or by specifically selected
policy engines. (Protector traffic can be analyzed only by local or Windows-based policy engines.) Administrators
can specify which policy engine analyzes a specific agent or service of the protector.
Note
Forcepoint recommends that you do not distribute the load to the management server.
Load balancing is configured in the Data Security module of the Security Manager. See the Forcepoint DLP
Administrator Help for instructions.
■ SMTP blocking
■ HTTP blocking via built-in Content Gateway
■ Cloud email inspection
■ Policy enforcement for all channels
■ Destination policy controls
It also includes data monitoring for:
■ Mail
■ Web / FTP
Forcepoint DLP Network also includes support for:
■ User-defined protocols
■ Destination awareness
Steps
1) Enable regulatory compliance, regional, and industry-related predefined policies in order to:
■ Deploy solid, first stage DLP.
■ Get a good picture of what information is being sent out, by whom, to where, and via which methods.
2) If the organization has unique data identification needs that are not covered by a predefined policy, request
custom policies from Forcepoint.
■ Data types requiring a custom policy might be items like coupons or catalog numbers.
■ To request a policy, contact Forcepoint Technical Support. They will escalate the request and engage a
research team. The usual turnaround is approximately 3 weeks. (The research team can typically provide
an estimated time to completion within 3 days of reviewing the request).
Next steps
Phase 2: Monitoring with notifications
In the second stage, enable email notifications to relevant members of the organization when a policy breach is
discovered. The options are:
Forcepoint DLP is an integral piece of the network architecture, and can be combined with existing systems to ensure
seamless web and email protection.
Pre-installation checklist
The figure below shows a common topology in which the protector is installed inline. The checklist refers to the
numbers in this figure.
Before installation:
■ Verify that the required hardware is available. Check the Deployment and Installation Center for the list of
certified hardware.
■ Have valid IP addresses for the Forcepoint DLP server and the protector management port.
■ Make sure the following IP addresses are known prior to installation. They are required in order to complete
the procedure:
■ The complete list of internal networks (IP ranges and subnet masks)
If there is more than one site, the internal networks list should include the networks of all sites:
■ A list of the mail server’s IP addresses (in all sites)
■ The IP addresses of the mail relay, if one exists
■ The IP address of the outbound gateway for the protector (this will typically be the internal leg of the
firewall)
■ The IP address of the inbound gateway for the protector (this will typically be the external leg of the
backbone switch or router)
■ The HELO string the protector will use when identifying itself. This is relevant for the SMTP channel only.
■ If customized notifications will be displayed when content is blocked, these should be prepared
beforehand.
Limitations
■ The solution does not support the FTP GET method for request modification.
■ The solution does not support the HTTP GET method for request modification.
■ The solution can only scan files 12 MB or smaller. The system can generate an error if a file exceeds that size.
■ The described deployment does not include caching (Blue Coat SG does not cache PUTs and POSTs).
Nonetheless, exercise care if a response mode configuration is used.
Deployment
This deployment recommendation describes a forward proxy: a Blue Coat SG appliance connected to a
Forcepoint protector using ICAP. The Blue Coat SG appliance serves as a proxy for all HTTP, HTTPS, and FTP
transactions. It is configured with rules that route data to the Forcepoint ICAP server.
The Forcepoint protector receives all traffic directed to it from the Blue Coat appliance for scanning.
The following diagram outlines the recommended deployment:
■ In monitoring mode, the transactions that are redirected by the Blue Coat SG appliance are analyzed by
Forcepoint DLP, which can then generate incidents for confidential information and send notifications to
administrators and information owners. In this mode, the Forcepoint DLP ICAP server universally responds to
all redirected transactions with Allow.
Network integration
The solution consists of 3 components:
■ Forcepoint DLP protector
■ Forcepoint management server
■ Blue Coat SG appliance
The ICAP integration component resides on the protector, and acts as a relay between the Blue Coat SG
appliances and the management server as shown below:
Deployment
The recommended deployment uses a forward proxy: a Squid web proxy server connected to a Forcepoint
protector using ICAP. Squid serves as a proxy for all HTTP, HTTPS, and FTP transactions. It is configured with
rules that route data to the Forcepoint ICAP server.
The Forcepoint DLP protector receives all traffic directed to it from the Squid server for scanning, and, in
enforcement mode, returns a response indicating whether to block or allow the transaction. In monitoring mode,
the response is always allow.
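The relay described in the Blue Coat and Squid deployment sections above, as an added worked example that is not part of this guide and is not Forcepoint, Blue Coat or Squid code: the proxy wraps a client's HTTP request in an ICAP REQMOD message (RFC 3507), and a toy stand-in for the protector's ICAP component parses it and answers either 204 No Content, the Allow that monitoring mode always returns, or, in enforcement mode, a 200 that carries a replacement HTTP 403 for the proxy to hand back to the client. The ICAP host name, the /reqmod service path, the CONFIDENTIAL-SAMPLE marker standing in for a real policy match, and the 500 status for an oversize body are assumptions; the 12 MB scan limit and the rule that GET requests are not modified come from the Limitations section.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"
MAX_SCAN_BYTES = 12 * 1024 * 1024         # Limitations: only files of 12 MB or smaller are scanned
SENSITIVE_MARKER = b"CONFIDENTIAL-SAMPLE"  # constructed stand-in for a DLP policy match


def build_reqmod(http_head: bytes, body: Optional[bytes],
                 icap_host: str = "protector.example.internal") -> bytes:
    """Proxy side: wrap an HTTP request in an ICAP REQMOD message (RFC 3507).

    Encapsulated gives the byte offset of each section; a body is sent chunked.
    icap_host and the /reqmod service path are assumed placeholders.
    """
    if body:
        encapsulated = f"req-hdr=0, req-body={len(http_head)}"
        payload = http_head + f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF
    else:
        encapsulated = f"req-hdr=0, null-body={len(http_head)}"
        payload = http_head
    icap_head = (f"REQMOD icap://{icap_host}/reqmod ICAP/1.0\r\n"
                 f"Host: {icap_host}\r\n"
                 f"Encapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_head + payload


def split_head(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split an ICAP or HTTP message into start line, lower-cased headers and the remainder."""
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return lines[0].decode(), headers, rest


def dechunk(data: bytes) -> bytes:
    """Reassemble a chunked body, stopping at the zero-length terminating chunk."""
    out, pos = bytearray(), 0
    while True:
        line_end = data.index(CRLF, pos)
        size = int(data[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2


@dataclass
class HttpRequest:
    method: str
    target: str
    headers: Dict[str, str]
    body: bytes


def parse_reqmod(raw: bytes) -> HttpRequest:
    """Protector side: unpack the encapsulated HTTP request from a REQMOD message."""
    start, icap_headers, payload = split_head(raw)
    if not start.startswith("REQMOD "):
        raise ValueError("only REQMOD is handled in this example")
    offsets = dict(part.strip().split("=") for part in icap_headers["encapsulated"].split(","))
    head_len = int(offsets["req-body"] if "req-body" in offsets else offsets["null-body"])
    request_line, http_headers, _ = split_head(payload[:head_len])
    body = dechunk(payload[head_len:]) if "req-body" in offsets else b""
    method, target, _ = request_line.split(" ", 2)
    return HttpRequest(method, target, http_headers, body)


def allow_204() -> bytes:
    """ICAP 204: the proxy forwards the original request unchanged."""
    return b"ICAP/1.0 204 No Content\r\nEncapsulated: null-body=0\r\n\r\n"


def block_response() -> bytes:
    """ICAP 200 carrying a replacement HTTP 403 that the proxy returns to the client."""
    page = b"Transfer blocked by data loss prevention policy.\r\n"
    http_head = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
                 + f"Content-Length: {len(page)}\r\n\r\n".encode())
    chunked = f"{len(page):x}".encode() + CRLF + page + CRLF + b"0" + CRLF + CRLF
    icap_head = f"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body={len(http_head)}\r\n\r\n".encode()
    return icap_head + http_head + chunked


@dataclass
class ProtectorIcapService:
    """Toy stand-in for the protector's ICAP component; mode is "monitoring" or "enforcement"."""
    mode: str = "monitoring"
    max_scan_bytes: int = MAX_SCAN_BYTES
    incidents: list = field(default_factory=list)

    def handle(self, raw_reqmod: bytes) -> bytes:
        req = parse_reqmod(raw_reqmod)
        if len(req.body) > self.max_scan_bytes:
            # The guide says an error can be generated above the size limit; 500 is assumed here.
            return b"ICAP/1.0 500 Server Error\r\nEncapsulated: null-body=0\r\n\r\n"
        if SENSITIVE_MARKER in req.body:              # stand-in for the policy engine verdict
            self.incidents.append((req.method, req.target, len(req.body)))
            # Enforcement blocks, except for GET, whose request modification is unsupported.
            if self.mode == "enforcement" and req.method != "GET":
                return block_response()
        return allow_204()                            # monitoring mode always answers Allow


def demo() -> Dict[str, str]:
    """Run one constructed sensitive POST upload through both modes; returns the ICAP status lines."""
    body = b"quarterly numbers CONFIDENTIAL-SAMPLE"   # constructed upload content
    post_head = (b"POST /upload HTTP/1.1\r\nHost: fileshare.example.com\r\n"
                 + f"Content-Length: {len(body)}\r\n\r\n".encode())
    reqmod = build_reqmod(post_head, body)
    return {mode: ProtectorIcapService(mode=mode).handle(reqmod).split(CRLF)[0].decode()
            for mode in ("monitoring", "enforcement")}


if __name__ == "__main__":
    for mode, status in demo().items():
        print(f"{mode:>12}: {status}")
```

In both modes the incident is recorded; only the ICAP status line differs, which is exactly the distinction the two deployment sections draw between monitoring and enforcement.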
System setup
Refer to the Forcepoint DLP Installation Guide for instructions on installing Forcepoint DLP, and refer to the
relevant Squid documentation for more information on installing the Squid Web proxy.
After connecting the systems, follow instructions to configure network parameters and other properties.
2) Grant the account one of the following roles. This is necessary so that the system can discover messages
and display results.
■ Organization Management
■ View Only Organization Management
The service account should now be able to access Exchange via Outlook Web App (OWA) and move
between the mailboxes intended to be scanned during the discovery. Log onto OWA with this account and try
switching between mailboxes as shown below:
3) Configure Exchange impersonation. Exchange impersonation needs to be enabled for the service account
used for the discovery.
a) Log into the Microsoft Exchange admin center; for example, https://<server name>/IP/ecp/
d) Under Roles, click the plus sign and add a new role named “ApplicationImpersonation” to the Roles
table.
e) Under Members, click the plus sign and add the Service Account you will be using in the Exchange
discovery task, such as Administrator, to the Members table.
b) Select Main > Policy Management > Discovery Policies > Add Network Task > Exchange Task.
c) Complete the wizard as explained in the Forcepoint DLP Administrator Help. On the Exchange Servers
page, enter the credentials you used in steps 1 and 3.
5) Check that Integrated Windows authentication is turned on (it should be on by default). If it is not:
a) In the Exchange admin center, go to servers > virtual directories > EWS (Default Web Site).
As the organization’s network and network security needs grow, Forcepoint DLP can grow with it. The software is
architected for scalability, even for networks with massive traffic and complex topologies.
The sections below address network growth issues such as:
■ Recognizing when the system load demands system expansion.
■ Configuring for single and multi-site deployments.
■ Dealing with the growth of the various information repositories.
Note
Forcepoint recommends that you do not distribute the load to the management server.
This is the most important requirement for determining the number of Forcepoint DLP components needed.
Typically the number of transactions grows as the number of users grows.
In monitoring mode, Forcepoint recommends having 1 protector per 20,000 users. This calculation assumes:
■ The protector is monitoring HTTP and SMTP
■ There are 9 busy hours per day
■ There are approximately 20 million transactions per day with a ratio of 15:1 HTTP:SMTP. (HTTP includes
GETs and POSTs.)
For more users, add an extra Forcepoint DLP server and balance the load between the protector and the extra
server.
In blocking mode, Forcepoint recommends 1 management server, 1 V Series appliance with Forcepoint Email
Security software, and 1 V Series appliance with Content Gateway software. This calculation assumes:
■ There are 9 busy hours per day
■ There are approximately 15 million transactions per day with a ratio of 15:1 HTTP:SMTP. (HTTP includes
GETs and POSTs.)
For more users, add an extra Forcepoint DLP server.
The transaction volume can grow even if the user base does not. If a significant increase in traffic is
anticipated, the system may benefit from adding one or more Forcepoint DLP servers.
■ The number of endpoints grows
With Forcepoint DLP Endpoint, when large numbers of endpoint clients are being deployed, additional
endpoint servers may be required. A general rule of thumb is to add 1 Forcepoint DLP server for every 15,000
endpoint clients.
■ Moving the deployment from monitor to protect
Enforcement requires more resources than monitoring, particularly because load balancing must be enforced
between policy engines and other Forcepoint DLP modules.
When a deployment is moving from monitor to protect, it may benefit from an additional Forcepoint DLP
server. Note that the Forcepoint DLP Web Content Gateway is required to enforce the HTTP channel; the
protector is required to enforce the SMTP channel.
■ Moving from a single-site to multi-site configuration
Forcepoint DLP supports multi-site, distributed deployments. An organization can have a local policy engine
on the protector, for example, and distributed (primary and secondary) fingerprint repositories. There can be a
management server in one location and one or more supplemental Forcepoint DLP servers in other locations.
Administrators have the option to use the crawlers on the Forcepoint DLP servers alone to do fingerprint and
discovery scans, or to install the crawler agent on additional servers to improve performance.
Many scalable options are available.
Organizations with multiple geographical locations need a protector for each site. A deployment with low
latency between two geographically distributed sites might need two protectors and two supplemental
Forcepoint DLP servers.
■ Adding branch offices
Each branch office requires a protector. When a branch office is added or acquired, add a protector.
■ Adding HTTP, SMTP and FTP egress points
If egress points are being added to the network structure, a protector is needed to monitor each egress point.
Each one also needs a Web Content Gateway instance if HTTP protection is required.
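The scaling rules given above (one protector per 20,000 monitored users and per egress point or branch office, about 20 million transactions a day over 9 busy hours at 15:1 HTTP:SMTP, one extra Forcepoint DLP server for every 15,000 endpoint clients, and a Web Content Gateway wherever the HTTP channel is enforced), collected into a small capacity planner. This is an added example built on the guide's figures, not a Forcepoint tool; the two-site input, the linear scaling of transaction volume with user count, and the treatment of each additional 20,000-user block as one supplemental DLP server are this example's assumptions and are marked as such in the code.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Planning figures quoted in the guide (monitoring-mode protector sizing).
USERS_PER_PROTECTOR = 20_000
BASELINE_TRANSACTIONS_PER_DAY = 20_000_000   # at 20,000 users
BUSY_HOURS_PER_DAY = 9
HTTP_TO_SMTP_RATIO = 15                      # 15:1 HTTP:SMTP, HTTP counting GETs and POSTs
ENDPOINTS_PER_DLP_SERVER = 15_000            # rule of thumb for Forcepoint DLP Endpoint


@dataclass
class SiteProfile:
    """One physical site. All values are constructed inputs for the example."""
    name: str
    users: int
    endpoint_clients: int = 0
    egress_points: int = 1          # HTTP/SMTP/FTP egress points, each needing a protector
    http_protection: bool = False   # enforce (not only monitor) the HTTP channel
    transactions_per_day: Optional[int] = None  # override when traffic grows faster than users


@dataclass
class SiteSizing:
    protectors: int
    supplemental_dlp_servers: int
    web_content_gateways: int
    busy_hour_http_per_second: float
    busy_hour_smtp_per_second: float


def busy_hour_rates(users: int, transactions_per_day: Optional[int] = None) -> Tuple[float, float]:
    """Split the daily volume into per-second HTTP and SMTP rates over the busy hours.

    Assumption (not stated in the guide): volume scales linearly with users from the baseline
    unless an explicit transactions_per_day is supplied.
    """
    per_day = transactions_per_day or BASELINE_TRANSACTIONS_PER_DAY * users / USERS_PER_PROTECTOR
    per_second = per_day / (BUSY_HOURS_PER_DAY * 3600)
    http = per_second * HTTP_TO_SMTP_RATIO / (HTTP_TO_SMTP_RATIO + 1)
    return http, per_second - http


def size_site(site: SiteProfile) -> SiteSizing:
    # Every site and every egress point needs its own protector.
    protectors = max(1, site.egress_points)
    # Beyond 20,000 users per protector the guide adds DLP servers rather than protectors;
    # counting each further 20,000-user block as one supplemental server is this example's assumption.
    user_blocks = math.ceil(site.users / USERS_PER_PROTECTOR)
    for_users = max(0, user_blocks - protectors)
    # One extra DLP server for every full 15,000 endpoint clients.
    for_endpoints = site.endpoint_clients // ENDPOINTS_PER_DLP_SERVER
    # A Web Content Gateway instance is required to enforce HTTP at each egress point.
    gateways = site.egress_points if site.http_protection else 0
    http, smtp = busy_hour_rates(site.users, site.transactions_per_day)
    return SiteSizing(protectors, for_users + for_endpoints, gateways, http, smtp)


def size_deployment(sites: List[SiteProfile]) -> Dict[str, int]:
    """Aggregate per-site results; there is always exactly one management server."""
    totals = {"management_servers": 1, "protectors": 0,
              "supplemental_dlp_servers": 0, "web_content_gateways": 0}
    for site in sites:
        s = size_site(site)
        totals["protectors"] += s.protectors
        totals["supplemental_dlp_servers"] += s.supplemental_dlp_servers
        totals["web_content_gateways"] += s.web_content_gateways
    return totals


# Constructed two-site organisation used for the demonstration.
EXAMPLE_SITES = [
    SiteProfile("headquarters", users=50_000, endpoint_clients=30_000,
                egress_points=2, http_protection=True),
    SiteProfile("branch", users=3_000, endpoint_clients=2_000),
]

if __name__ == "__main__":
    for site in EXAMPLE_SITES:
        s = size_site(site)
        print(f"{site.name}: {s.protectors} protector(s), {s.supplemental_dlp_servers} supplemental "
              f"DLP server(s), {s.web_content_gateways} gateway(s); busy hour "
              f"{s.busy_hour_http_per_second:.0f} HTTP/s, {s.busy_hour_smtp_per_second:.0f} SMTP/s")
    print(size_deployment(EXAMPLE_SITES))
```

The per-second figures are the useful output when a significant traffic increase is anticipated without user growth: set transactions_per_day on the site profile and the busy-hour rate changes while the protector count, which follows egress points, does not.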
Related concepts
Most common deployments on page 17
Steps
1) Log on to the Security Manager.
3) Select the policy engine instance, then review its “Analysis status” chart.
Red on the chart indicates a heavy load on the policy engine during the corresponding period.
In monitoring mode, a few red bars may not be an issue. The system will process the incidents during a less
busy period.
In blocking mode, even one hour of red is undesirable. If a red bar appears, perform load balancing, and, if
that does not resolve the issue, add a new Forcepoint DLP server.