Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files, release notes, and the latest version of the applicable user documentation, which are available from the Trend Micro website at: http://www.trendmicro.com/download

Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Copyright 2010 Trend Micro Incorporated. All rights reserved.

Document Part No.: LPEM24476/100607
Release Date: November 2010
U.S. Patent No. 7,516,130
The user documentation for Trend Micro Data Loss Prevention Network Monitor is intended to introduce the main features of the software and the installation instructions for your production environment. You should read through it prior to installing or using the software. Detailed information about how to use specific features within the software is available in the online help file and the online Knowledge Base at Trend Micro's Web site.

Trend Micro is always seeking to improve its documentation. Your feedback is always welcome. Please evaluate this documentation on the following site: http://www.trendmicro.com/download/documentation/rating.asp
Contents

Preface
  Data Loss Prevention Network Monitor Documentation ... viii
  Audience ... ix
  Document Conventions ... ix

Chapter 1: Installing Data Loss Prevention Network Monitor
  System Hardware Requirements ... 1-2
  Installing DLP Network Monitor ... 1-2

Chapter 2: Configuring Data Loss Prevention Network Monitor
  Configuring Network Settings ... 2-2
  Network Monitor CLI Commands ... 2-4

Chapter 3: Network Monitor Deployment Guidance
  DLP Network Monitor Solutions ... 3-2
Trend Micro Data Loss Prevention Network Monitor Installation Guide
Preface

Welcome to the Trend Micro Data Loss Prevention Network Monitor 2.0 Installation Guide. This document contains information about product settings and service levels.

This preface discusses the following topics:
- Data Loss Prevention Network Monitor Documentation on page viii
- Audience on page ix
- Document Conventions on page ix
Data Loss Prevention Network Monitor Documentation

The Data Loss Prevention (DLP) Network Monitor documentation consists of the following:

- Data Loss Prevention Endpoint Online Help: Helps you configure all features through the Data Loss Prevention Endpoint and Network Monitor user interfaces. You can access the online help by opening the Data Loss Prevention Endpoint web console and then clicking Help in the menu bar.
- Data Loss Prevention Endpoint Administrator's Guide: Helps you configure data loss monitoring settings for DLP Network Monitor through the DLP Endpoint web console.
- Data Loss Prevention Network Monitor Installation Guide: Helps you plan for deployment and configure product settings.
- Data Loss Prevention Network Monitor QuickStart Guide: Helps you get up and running with DLP Network Monitor.
- Readme File: Contains late-breaking product information that might not be found in the other documentation. Topics include a description of features, installation tips, known issues, and product release history.

The Administrator's Guide, Installation Guide, and readme are available at: http://www.trendmicro.com/download

TrendEdge

The TrendEdge program works with Trend Micro employees, partners, and other interested parties to provide information on unsupported innovative techniques, tools, and best practices for Trend Micro products. TrendEdge is available at: http://trendedge.trendmicro.com
Audience

Data Loss Prevention documentation is written for IT administrators. This document assumes that the reader has in-depth knowledge of email messaging networks. The documentation does not assume the reader has any knowledge of data loss prevention technology.

Document Conventions

To help you locate and interpret information easily, this document uses the following conventions.

  CONVENTION     DESCRIPTION
  ALL CAPITALS   Acronyms, abbreviations, and names of certain commands and keys on the keyboard
  Bold           Menus and menu commands, command buttons, tabs, options, and ScanMail tasks
  Italics        References to other documentation
  Monospace      Examples, sample command lines, program code, Web URL, file name, and program output
  Note:          Configuration notes
  Tip:           Recommendations
  WARNING!       Reminders on actions or configurations that should be avoided
Chapter 1: Installing Data Loss Prevention Network Monitor

This chapter explains how to install Trend Micro™ Data Loss Prevention Network Monitor. This chapter includes the following topic:
- Installing DLP Network Monitor on page 1-2
System Hardware Requirements

Data Loss Prevention (DLP) Network Monitor appliance hardware specifications:

TABLE 1-1. Hardware Specifications

  COMPONENT          SPECIFICATION
  Appliance          Dell R710 purpose-built 1U rack-mountable appliance
  Operating System   CentOS version 5.3 operating system
  CPU                2 x Intel Quad Core X5550 Xeon CPU, 2.66GHz, 8M Cache, 6.40 GT/s QPI, Turbo
  Memory             8GB Memory (4x2GB), 1066MHz, Dual Ranked RDIMMs for 1 Processor
  Hard Disk          300GB 15K RPM SAS 3.5" Hot Plug Hard Drive
  NIC                Intel PRO 1000PT 1GbE Dual Port NIC, PCIe-4

Installing DLP Network Monitor

The DLP Network Monitor appliance comes with the DLP Network Monitor application pre-installed. If you have to re-install the Network Monitor application, use this installation procedure.

Note: Only new installs are supported. Upgrading an existing DLP Network Monitor installation is not supported.
The DLP Network Monitor appliance installation formats your existing system and installs DLP Network Monitor. It includes both the CentOS operating system and DLP Network Monitor.

WARNING! Any existing data or partitions are removed during the installation process. Back up any existing data on the system (if any) before installing Data Loss Prevention Network Monitor.

To install DLP Network Monitor:

1. Insert the DLP Network Monitor (DLPNM) installation DVD into the DVD drive of the server.

   Tip: The Data Loss Prevention DLPNM-2.0.xxxx-i386-DVD.iso file is on the DVD ROM provided with the R710 appliance.

2. Power on the server. The Trend Micro Data Loss Prevention Network Monitor Installation menu appears.

FIGURE 1-1. DLP Network Monitor Installation Menu
These are the options on the DLP Network Monitor Installation menu:
- Install Trend Micro DLP Network Monitor 2.0 VA: Installs DLP Network Monitor onto the server.
- Run System Recovery: Recovers a DLP Network Monitor system if the administrative passwords cannot be recovered.
- Run System Memory Test: Performs memory diagnostic tests to rule out memory issues.
- Exit Installation: Exits the installation process to boot from the local disk.

3. Click Install Trend Micro DLP Network Monitor 2.0 VA. The license agreement screen appears.

FIGURE 1-2. DLP Network Monitor License Agreement Screen
4. Click Accept to continue. The keyboard language selection screen appears.

FIGURE 1-3. DLP Network Monitor Keyboard Language Screen
5. Select the keyboard language for the system and click Next. The DLP Network Monitor installer scans your hardware to determine if the minimum specifications have been met and displays the results.

FIGURE 1-4. DLP Network Monitor Hardware Results Screen

   Note: If the host hardware contains any components that do not meet the minimum specifications, the installation program highlights the non-conforming components and the installation stops.
6. Click Next. The DLP Network Monitor installer detects and displays all available hard disk drives.

FIGURE 1-5. DLP Network Monitor Hard Drive Screen
7. Click Next. If the hard drive requires partitioning, a warning appears above the list of available hard drives.

8. Click Yes to continue with the partitioning, or cancel the installation. The network settings screen appears.

FIGURE 1-6. DLP Network Monitor Network Settings Screen

9. Type the Interface Settings (IPv4/Netmask) of the DLP Network Monitor management interface.

   Note: Although the Dell R710 has multiple network interface ports, for management purposes you must configure the eth0 interface as the management port to connect to the DLP Server.
   Note: The hostname must be unique so that you can identify DLP Network Monitor when registering it with the DLP management server.

10. Type the General Settings for DLP Network Monitor and click Next:
    - Hostname: type the FQDN hostname for the DLP Network Monitor host.
    - Gateway: type the IP address for the DLP Network Monitor gateway.
    - Primary DNS: type the IP address for the primary domain name server.
    - Secondary DNS: type the IP address for the secondary domain name server.

    The NTP server time and clock settings screen appears.

FIGURE 1-7. DLP Network Monitor Regional Screen
11. Specify the DLP Network Monitor server time and clock settings and click Next. The Account Settings screen appears.

FIGURE 1-8. DLP Network Monitor Password Settings Screen
12. Specify passwords for the root, enable, and admin accounts. DLP Network Monitor uses three different levels of administrator account to secure the system. Each password must be a minimum of eight characters and a maximum of 32 characters.

    Tip: For the best security, create a highly unique password using upper and lower case alphabetic characters, numbers, and special characters.

    - Root Account: Accesses the operating system shell and has all rights to the server. This is the most powerful user on the system.
    - Enable Account: Accesses the command line interface (CLI) privileged mode. This account has all rights to execute any CLI command.
    - Admin Account: Accesses the Data Loss Prevention Network Monitor command line interface (CLI). It has all rights to the Data Loss Prevention Network Monitor application but no access rights to the operating system shell.

13. Click Next. The Summary screen appears.

FIGURE 1-9. DLP Network Monitor Password Settings Screen
14. Confirm that the selected values are correct, and click Next. A warning prompt appears telling you that continuing the installation will destroy all previous information stored on the selected hard disk.

    WARNING! If you have data on the hard disk that you would like to keep, cancel the installation and back up the information before proceeding.

15. Click Continue. A screen appears with the formatting status of the local drive. When formatting completes, the Data Loss Prevention Network Monitor installation begins.

FIGURE 1-10. DLP Network Monitor Installation Status Screen
After the installation is complete, a summary screen appears.

FIGURE 1-11. DLP Network Monitor Installation Success Screen

The installation log is saved in the /root/install.log file for reference.

16. Click Reboot to restart the system. The DVD automatically ejects.
17. Remove the DVD from the drive to prevent reinstallation.

    Note: During installation, you might receive the following messages:

      for crash kernel (0x0 to 0x0) notwithin permissible range
      powernow-k8: bios error -no psb or acpi_pss objects

    Both of these messages are normal. The latter message indicates that the system BIOS is not reporting or presenting any PSB or ACPI objects or hooks to the Linux kernel. Either the CPU or BIOS does not support PSB or ACPI objects or hooks, or they are simply disabled.

18. Use the command line interface (CLI) to register Network Monitor with the DLP management server (configure dglink {DLP Server IP}). Then check the registration using the DLP Endpoint web console. For instructions on how to use the CLI, refer to Network Monitor CLI Commands on page 2-4.
Chapter 2: Configuring Data Loss Prevention Network Monitor

This chapter explains how to configure Trend Micro™ Data Loss Prevention Network Monitor. This chapter includes the following topics:
- Configuring Network Settings on page 2-2
- Network Monitor CLI Commands on page 2-4
Configuring Network Settings

The first time DLP Network Monitor is deployed with your appliance, you log on as admin and configure the IP settings. Use the default password unless you re-installed DLP Network Monitor. If you re-installed DLP Network Monitor, use the credentials that you set up during the installation.

Note: The DLP Network Monitor appliance does not include the DLP management server. Set up the DLP management server before you configure DLP Network Monitor. For more information, see Installing Data Loss Prevention VA (Server Program) in the Data Loss Prevention Endpoint Installation Guide.

To configure DLP Network Monitor network settings:

1. At the CentOS command line prompt, type admin and press Enter.

2. Type the password and press Enter. The Trend Micro Data Loss Prevention Network Monitor screen appears.

FIGURE 2-12. DLP Network Monitor Command Line Interface

3. Type enable and press Enter.
4. Type the Enable account password and press Enter. The CLI enters privileged mode.

5. Configure Network Monitor to work in your environment:
   - configure dglink {DLP management server IP address}: configures the IP address of the DLP management server.
   - configure dns {dns1} [dns2]: configures the primary and secondary domain name servers.
   - configure gateway {gateway}: configures the gateway for the Network Monitor device.
   - configure hostname {hostname}: configures the Network Monitor hostname.

     Note: Type a unique hostname for DLP Network Monitor, since you will register the hostname with the DLP Management Server. The name will display in the DLP web console.

   - configure interface ip {ip} {mask}: configures the interface running IP address.
   - configure interface mode {interface} {mode}: configures the interface running mode.
   - configure interface type {type}: configures the interface running type.
   - configure password {password}: configures the account password.
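The installer and the CLI accept whatever is typed, and a mistyped gateway or a hostname that is not fully qualified only shows up later as a failed registration with the DLP management server. The following Python script is an added example, not Trend Micro code: it checks a set of values against the constraints this guide states (FQDN hostname, IPv4 interface address and netmask, gateway on the management subnet, one or two DNS servers, 8 to 32 character passwords, max_file_size as a byte count) and renders the privileged-mode configure command sequence for review before it is typed in. It does not contact the appliance. The settings class, function names and the RFC 5737 sample addresses are assumptions for the example; the exact byte value of the documented 20MB default is also an assumption.

```python
"""Pre-flight check for DLP Network Monitor CLI settings (added example, not Trend Micro code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

PASSWORD_MIN, PASSWORD_MAX = 8, 32       # stated in the installation step for root/enable/admin
# Guide states the default maximum scan size is 20MB; the byte count is an assumption
# (decimal, matching the guide's "configure max_file_size 30000000" example).
DEFAULT_MAX_FILE_SIZE = 20_000_000

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True for a fully qualified name: two or more valid labels, at most 253 characters."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def password_ok(pw: str) -> bool:
    """Hard rule from the guide: between 8 and 32 characters."""
    return PASSWORD_MIN <= len(pw) <= PASSWORD_MAX


def password_classes(pw: str) -> int:
    """Count character classes present (upper, lower, digit, special); the guide's
    tip recommends all four. This measures, it does not enforce."""
    checks = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in pw) for check in checks)


@dataclass
class NetworkMonitorSettings:          # hypothetical container for the example
    hostname: str
    ip: str
    mask: str
    gateway: str
    dglink: str                        # DLP management server IP address
    dns: List[str]                     # one or two servers, as configure dns accepts
    max_file_size: Optional[int] = None


def validate(s: NetworkMonitorSettings) -> List[str]:
    """Return the problems found; an empty list means the values are consistent."""
    problems: List[str] = []
    if not is_fqdn(s.hostname):
        problems.append(f"hostname {s.hostname!r} is not a fully qualified name")
    iface = None
    try:                               # ipaddress accepts a dotted netmask after the slash
        iface = ipaddress.IPv4Interface(f"{s.ip}/{s.mask}")
    except ValueError as exc:
        problems.append(f"interface ip/mask invalid: {exc}")
    if not 1 <= len(s.dns) <= 2:
        problems.append("configure dns takes one or two servers")
    addresses = {"gateway": s.gateway, "dglink": s.dglink}
    addresses.update({f"dns{i}": d for i, d in enumerate(s.dns, start=1)})
    parsed = {}
    for label, value in addresses.items():
        try:
            parsed[label] = ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"{label} {value!r} is not an IPv4 address")
    if iface is not None and "gateway" in parsed:
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"interface address {iface.ip} is the network or broadcast address")
        if parsed["gateway"] not in net:
            problems.append(f"gateway {parsed['gateway']} is not on the management subnet {net}")
        elif parsed["gateway"] == iface.ip:
            problems.append("gateway equals the interface address")
    if s.max_file_size is not None and s.max_file_size <= 0:
        problems.append("max_file_size must be a positive number of bytes")
    return problems


def warnings(s: NetworkMonitorSettings) -> List[str]:
    """Non-blocking advice taken from the guide's notes."""
    out: List[str] = []
    if s.max_file_size is not None and s.max_file_size > DEFAULT_MAX_FILE_SIZE:
        out.append(f"max_file_size {s.max_file_size} exceeds the 20MB default; "
                   "larger sizes may impact performance")
    return out


def cli_commands(s: NetworkMonitorSettings) -> List[str]:
    """Privileged-mode command sequence in the syntax of the guide's CLI table.
    Passwords are deliberately not rendered; set them interactively with configure password."""
    cmds = [
        f"configure hostname {s.hostname}",
        f"configure interface ip {s.ip} {s.mask}",
        f"configure gateway {s.gateway}",
        f"configure dns {' '.join(s.dns)}",
        f"configure dglink {s.dglink}",
    ]
    if s.max_file_size is not None:
        cmds.append(f"configure max_file_size {s.max_file_size}")
    return cmds


# Constructed sample input using RFC 5737 documentation addresses.
SAMPLE = NetworkMonitorSettings(
    hostname="dlpnm01.example.com", ip="192.0.2.10", mask="255.255.255.0",
    gateway="192.0.2.1", dglink="192.0.2.20", dns=["192.0.2.53", "198.51.100.53"],
    max_file_size=30000000,
)

if __name__ == "__main__":
    found = validate(SAMPLE)
    for p in found:
        print("PROBLEM:", p)
    for w in warnings(SAMPLE):
        print("WARNING:", w)
    if not found:
        print("\n".join(cli_commands(SAMPLE)))
```

The script keeps password handling out of the generated command list on purpose: the guide's default admin password applies until it is replaced with configure password, so that step is best done interactively after the first logon rather than stored in a file alongside the network settings.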
After configuring basic network settings, log on to the DLP Endpoint web console to register the Network Monitor agent with the DLP management server, set up policies, and monitor data loss prevention in network traffic. For more information, refer to the DLP Endpoint 5.5 Administrator's Guide or the DLP Endpoint web console online help. You can continue to use the Network Monitor simple command line interface for basic setup, troubleshooting, and maintenance.

Network Monitor CLI Commands

Access the DLP Network Monitor command line interface (CLI) using one of the following two access methods:
- Data Loss Prevention Network Monitor console (keyboard and monitor connected directly to DLP Network Monitor)
- Remotely, using an SSH v2 connection to the DLP Network Monitor IP address

CLI commands enable you to perform additional configuration tasks and to perform debug and troubleshooting functions.

Note: You must configure system settings, such as network settings, through the DLP Network Monitor command line interface. You cannot configure system settings using Linux commands. If you do, the settings are not saved in the configuration file and DLP Network Monitor will not be able to register with the DLP Management server.
DLP Network Monitor CLI commands are separated into two categories: nonprivileged and privileged commands.

TABLE 2-2. Network Monitor CLI Commands

  MODE            DESCRIPTION                                         HOW TO ACCESS
  Nonprivileged   Basic commands to perform simple tasks, such as     Log on to the Network Monitor CLI as admin.
                  viewing system information.
  Privileged      Full configuration control and advanced             After logging on to the CLI as admin:
                  monitoring and debugging features.                  1. Type enable and press Enter.
                                                                      2. Type the password and press Enter.

The following commands are available with the DLP Network Monitor command line interface.

TABLE 2-1. Command Line Interface Commands

  configure dglink {DLP management server IP address}
      Configures the IP address of the DLP management server.
      Access in privileged mode.

  configure dns {dns1} [dns2]
      Configures the primary and secondary domain name servers.
      Access in privileged mode.

  configure gateway {gateway}
      Configures the gateway for the Network Monitor device.
      Access in privileged mode.

  configure hostname {hostname}
      Configures the Network Monitor hostname.
      Access in privileged mode.
      Note: Type a unique hostname for DLP Network Monitor, since you will register the hostname with the DLP Management Server. The name will display in the DLP web console.

  configure interface ip {ip} {mask}
      Configures the interface running IP address.
      Access in privileged mode.

  configure interface mode {interface} {mode}
      Configures the interface running mode.
      Access in privileged mode.

  configure interface type {type}
      Configures the interface running type.
      Access in privileged mode.

  configure max_file_size {max file size in bytes}
      Configures the default maximum file size that DLP Network Monitor can scan. The default is 20MB.
      Example: configure max_file_size 30000000
      Access in privileged mode.
      Note: Configuring a larger maximum file size may impact performance.

  configure password {password}
      Configures the account password.
      Access in privileged mode.

  enable
      Takes you into privileged mode.

  exit
      Exits DLP Network Monitor.

  help
      Displays CLI commands and syntax.

  history
      Displays the current session's command line history.

  logout
      Logs out of the current CLI session.

  show cpu
      Displays running system CPU statistics.

  show hostname
      Displays the Network Monitor hostname.

  show max_file_size
      Displays the maximum file size in bytes that DLP Network Monitor supports.

  show memory
      Displays running system memory statistics.

  show network
      Displays the network configuration.

  show product
      Displays product information.

  show syslog
      Displays the system log. CTRL^C exits the system log.
Chapter 3: Network Monitor Deployment Guidance

This chapter offers deployment guidance for the Trend Micro™ Data Loss Prevention Network Monitor appliance. This chapter includes the following topic:
- DLP Network Monitor Solutions on page 3-2
DLP Network Monitor Solutions

In its most basic scenario, the Network Monitor solution consists of only one Network Monitor appliance to monitor network activities.

Single port monitoring: The Network Monitor appliance data port is connected to the mirror port of the core switch, which mirrors the port to the firewall.

FIGURE 3-13. Network Monitor Appliance Single-Port Monitoring (diagram: firewall, DLP web console, DLP management server, router, DLP Network Monitor, switches, endpoints)
Dual port monitoring: Network Monitor can monitor different network segments using its two data ports. In this scenario, the Network Monitor data ports are connected to the mirror ports of access or distribution switches.

FIGURE 3-14. Network Monitor Appliance Dual-Port Monitoring (diagram: DLP management server, routers, DLP Network Monitor, endpoints)
Asymmetric route: Network Monitor can be deployed in a high availability network environment where an asymmetric route is possible. In this scenario, both Network Monitor data ports are connected to the mirror ports of the two redundant switches.

FIGURE 3-15. Network Monitor Appliance Asymmetric Route (diagram: DLP management server, routers, DLP Network Monitor, endpoints)