McAfee Data Loss Prevention 9.2.2 Product Guide
13 Managing McAfee DLP systems
Using capture filters

Task
1 Select one of these options:
  • In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Capture Filters.
  • On your McAfee DLP appliance, select System | System Administration | Capture Filters.
2 Click Create Content Filter.
3 Enter a Filter Name and optional Filter Description.
4 Select the devices on which the capture filter is to be deployed.
5 Select a capture filter action.
  For example, you might drop all traffic containing the addresses from the Application or Transport layers, or you might store only the metadata defining the addresses.
6 Open the Source/Destination category.
7 Select IP Address and add a condition.
  For example, you might define all of the IP addresses, all but the defined addresses, or addresses moving in one direction only.
8 Type one or more IP addresses in the value field.
9 Click Save.

Manage data capture with network capture filters

Manage data capture using multiple capture filters that instruct the capture engine to ignore successive levels of traffic, while making an exception for a subset of traffic within a defined flow. You can use port numbers to filter specific types of traffic.

The order in which you deploy capture filters is significant, so planning the process is essential.

For example, if you want McAfee DLP Manager to ignore encrypted data, it could easily be done by eliminating traffic transported through port 443 on McAfee DLP Monitor. But if you have to capture AIM (AOL Instant Messaging) traffic to monitor chat, you must add an exception, because AOL also uses port 443.

You cannot save sessions or data that have already been eliminated, so the filtering sequence is crucial.

Task
1 Select one of these options:
  • In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration | Capture Filters.
  • On your McAfee DLP appliance, select System | System Administration | Capture Filters.
2 Click Create Network Filter.
3 Type a filter name (for example, AOL_Chat) and an optional description.
4 From the Action menu, select Store to capture AOL chat traffic.
5 Open the Protocol category.
6 Select Protocol | is any of and click ?.
7 From the Protocol pop-up menu, select Chat Protocols | AOL_Chat and Apply.
8 Click Save to complete the AOL chat filter.
9 Click Create Network Filter to create another filter.
10 Type a filter name (for example, SSH_traffic) and an optional description.
11 From the Action menu, select Ignore.
12 Open the Protocol category and select Port | source is any of, then type 443 into the value field.
  This stores incoming encrypted data. Traffic through ports and port ranges is bidirectional, so you must define source and destination transmissions separately. You will have to capture both sides of the excluded transmission to capture both sides of the chat within it.
13 Click + to add a parameter.
14 Repeat the process, but select Port | destination is any of and type 443 into the value field.
  This stores outgoing encrypted data.
15 Select the checkbox of the device on which you want the filter deployed.
  To decide later, click None.
16 Click Save.
  A new Ignore filter, which excludes encrypted data from processing by the capture engine, is added to the existing capture filter list.
17 In the Network Filters list, use the Priority icons to reorder the filters.
  When a network capture filter is applied to the network data stream, its position in the list indicates its priority. Because the BASE filter instructs the system to store all data that has not been dropped from the data stream, it must always run last.
  The AOL_Chat Store filter must run first, because the SSH_traffic Ignore filter will eliminate what remains of the port 443 traffic.
18 Let the system run.
  After some time, you can search for AIM chats in the captured data on the Incidents page.

Exempt users from detection

Even network administrators might not be privileged to peruse certain information found in network data streams.

Before you begin
Endpoint features require deployment of McAfee DLP Endpoint and an added evidence server.

This case helps you to ensure absolute security for one or more endpoints that have access to top secret information by protecting them from detection by the capture engine.

Alternatively, use this procedure with a user or group name, or an email address.

Task
1 Select one of these options:
  • In ePolicy Orchestrator, select Menu | Data Loss Prevention | DLP Sys Config | System Administration.
  • On your McAfee DLP appliance, select System | System Administration.
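
The ordering rule from the "Manage data capture with network capture filters" task above, as an added example (not McAfee code and not part of the product guide): a small Python model in which the first matching filter in priority order decides what happens to a session. The first-match rule, the OR between added port parameters, and the sample sessions are assumptions made for the illustration.

```python
from collections import namedtuple
from dataclasses import dataclass

Flow = namedtuple("Flow", "label protocol src_port dst_port")  # protocol = classified session type

@dataclass(frozen=True)
class Filter:
    name: str
    action: str                          # "Store" or "Ignore"
    protocols: frozenset = frozenset()
    src_ports: frozenset = frozenset()
    dst_ports: frozenset = frozenset()

    def matches(self, flow):
        if not (self.protocols or self.src_ports or self.dst_ports):
            return True                  # no conditions: catch-all, like BASE
        # Assumption: added parameters are alternatives (source OR destination).
        return (flow.protocol in self.protocols or flow.src_port in self.src_ports
                or flow.dst_port in self.dst_ports)

def decide(filters, flow):
    """Return (name, action) of the first filter in priority order that matches."""
    for f in filters:
        if f.matches(flow):
            return f.name, f.action
    return None, "Ignore"                # nothing matched, nothing is stored

def stored(filters, flows):
    """Labels of the flows that reach the capture store."""
    return [fl.label for fl in flows if decide(filters, fl)[1] == "Store"]

P443 = frozenset({443})
AOL_CHAT = Filter("AOL_Chat", "Store", protocols=frozenset({"AOL_Chat"}))
SSH_TRAFFIC = Filter("SSH_traffic", "Ignore", src_ports=P443, dst_ports=P443)
SRC_ONLY = Filter("SSH_traffic", "Ignore", src_ports=P443)  # step 14 skipped
BASE = Filter("BASE", "Store")
# Constructed sample sessions, not real traffic.
FLOWS = [
    Flow("aim-client-to-server", "AOL_Chat", 51514, 443),
    Flow("aim-server-to-client", "AOL_Chat", 443, 51514),
    Flow("https-client-to-server", "HTTPS", 51600, 443),
    Flow("https-server-to-client", "HTTPS", 443, 51600),
    Flow("http-browsing", "HTTP", 51700, 80),
]
GOOD_ORDER = [AOL_CHAT, SSH_TRAFFIC, BASE]
BAD_ORDER = [SSH_TRAFFIC, AOL_CHAT, BASE]   # Ignore runs before the exception
ONE_SIDED = [AOL_CHAT, SRC_ONLY, BASE]      # only source port 443 is ignored
for name, order in (("good", GOOD_ORDER), ("bad", BAD_ORDER), ("one-sided", ONE_SIDED)):
    print(f"{name:9} -> {stored(order, FLOWS)}")
```

In the bad ordering both directions of the AIM session are discarded before the Store exception is consulted, and in the one-sided case half of each encrypted session still reaches the capture store.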