1523 - Protecting Email with DLP and Encryption
Hands-On Lab

Description
Email is at once a critical staple of modern business communication and
one of the most popular targets for cybercriminals. In this lab you
perform key configuration steps integrating Symantec Messaging
Gateway with Symantec Data Loss Prevention and Symantec encryption
solutions. You will see first-hand how Symantec provides easy,
centralized management of data loss incidents and email quarantine,
and you will take away a working knowledge of how to protect your
sensitive information using policy-based encryption.

At the end of this lab, you should be able to
 Understand the threat vector that email represents
 Learn how messages containing malicious URLs can be detected and blocked
 Discuss the flexible policy system in Symantec Messaging Gateway
 Understand Policy-Based Encryption and Content Controls
 Define how Symantec Data Loss Prevention and Symantec Messaging Gateway interoperate

Notes
 A brief presentation will introduce this lab session and discuss key concepts.
 The lab will be directed and provide you with step-by-step walkthroughs of key features.
 Feel free to follow the lab using the instructions on the following pages. You can optionally perform this lab at your own pace.
 Be sure to ask your instructor any questions you may have.
 Thank you for coming to our lab session.
Introduction to the Environment
Throughout this laboratory exercise, you will use the Endpoint-7 client workstation. At power
up, the Endpoint-7 workstation will automatically login to the desktop session. Should you need
to login manually, use these credentials:
Username: joe
Password: Symc4now!
Domain: ACME
Your lab steps will involve using the Thunderbird Email Client and web-based administrative
consoles. The following graphic should help you understand how written navigation instructions
translate to your actions.
Your messaging environment is configured to simulate both inbound and outbound messaging
traffic. The internal domain, acme.com, can send messages to two “outside” domains
(anothercompany.com and trustedpartner.net). These domains are not real; they are all hosted
within the virtual infrastructure, which lets you simulate a wide range of messaging
scenarios without any external dependencies.
Figure 1: Message flow
Exercise 1 – Configure a PCI Message Quarantine folder
in the Messaging Gateway
The Symantec Messaging Gateway can withhold messages from delivery in message
quarantines. This is useful when suspect content needs to be retained, reviewed and then
released or rejected. Multiple quarantine folders can be configured, each with its own access and
retention policies. The goal of this exercise is to set up a dedicated quarantine folder in the
Messaging Gateway for messages that contain sensitive credit card data.
1. Start Internet Explorer and open a tab to https://smg.acme.com
2. Login to the SMG Control Center using the credentials
a. Username: admin
b. Password: Symc4now!
3. Navigate to Content > Settings > Content Incident Folders
4. In the Content Incident Folders workspace, click the Add button
5. In the Content Incident folder name textbox, type PCI Quarantine
6. In the Content Incident folder type dropdown, select Hold for Review (Content
Quarantine)
7. In the Expunger settings, check the box Days to store before default action occurs to
enable automatic quarantine purge
8. Click the Save button
Exercise 2 – Configure a DLP response policy in the
Messaging Gateway
In this exercise, you will prepare a special processing rule (or policy) in the Messaging Gateway
to move messages that have been flagged by Symantec Data Loss Prevention into the
quarantine folder that you created in the first exercise. The flag will be an SMTP message header
in the format of “X-DLP-Quarantine: PCI”.
Procedure:
1. Continuing in Control Center, open Content > Policies > Email
2. Check the box next to Symantec Data Loss Prevention – Quarantine
3. Click the Copy button; a policy editor dialog will open
4. Rename the policy to Symantec Data Loss Prevention – PCI Quarantine
5. In the Conditions area, click the Add button to add a new condition
6. The Content Filtering Policy Condition dialog will open
a. Check the box for Text in this specific part of the message
b. In the adjoining dropdown, select Message Header
c. In the Header Name textbox, type X-DLP-Quarantine
d. Check the box for Contains
e. Enter 1 in the textbox adjacent to or more occurrences of
f. Type PCI in the text box
7. Click the Add Condition button
8. In the Actions work area, check the box next to the action Create quarantine incident in
“Quarantine Incidents” folder
9. Click the Edit button just above
A popup dialog for Configure An Action will open
10. In the quarantine incident folder drop down, select PCI Quarantine
11. Click Update Action and the popup dialog will close
A policy consists of conditions, actions and policy groups. Policy groups control the scope
of a policy based on sender or recipient email addresses. Policy groups can be associated
with LDAP groups so that policy applicability can be managed at the directory level. For
a policy to be effective, it must be enabled and assigned to at least one policy group.
12. In the Policy Groups section, check the box next to default
13. Click the Save button at the bottom of the policy editor
Content policies are evaluated in the order they are listed. You may have noticed that the
policy you copied, Symantec Data Loss Prevention – Quarantine, uses less specific criteria
(it matches any message carrying the DLP headers) and is listed first, so it would apply to
every message the PCI Quarantine policy would apply to, and its quarantine action would take
effect first. The new PCI Quarantine policy will therefore not work as intended until you
change the policy ordering.
14. Click-and-drag the new policy to the top of the policy list
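To make the ordering caveat concrete, here is a small Python model of an ordered content-policy list evaluated against the DLP headers that the response rule in Exercise 5 will add. This is example code written for this page, not code from the lab or from any Symantec product; the condition semantics, the rule that the first matching policy's quarantine action is the one that takes effect, the policy-group handling and the sample header values are assumptions of the model.

```python
"""
Added example (not from the lab or from Symantec): a minimal model of how an
ordered list of Messaging Gateway content policies is evaluated against the
DLP headers described in Exercises 2 and 5, to show why policy order matters.
Condition semantics, folder names and the "first matching policy wins" rule
are assumptions of this model, not a description of the SMG engine.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message


@dataclass
class HeaderCondition:
    """'Text in this specific part of the message: Message Header <header>
    Contains <min_count> or more occurrences of <text>' (Exercise 2, step 6)."""
    header: str
    text: str
    min_count: int = 1

    def matches(self, msg: Message) -> bool:
        # A header may appear more than once; count occurrences of the text
        # across every instance, case-insensitively.
        values = msg.get_all(self.header, [])
        hits = sum(v.lower().count(self.text.lower()) for v in values)
        return hits >= self.min_count


@dataclass
class HeaderPresent:
    """Assumed condition of the built-in 'Symantec Data Loss Prevention'
    policies: the message carries the Quarantine Connect header at all."""
    header: str

    def matches(self, msg: Message) -> bool:
        return msg.get(self.header) is not None


@dataclass
class Policy:
    name: str
    conditions: list
    quarantine_folder: str
    enabled: bool = True
    groups: tuple = ("default",)

    def applies(self, msg: Message, group: str) -> bool:
        # A policy only fires when enabled, assigned to the sender's policy
        # group, and every condition matches.
        return (self.enabled and group in self.groups
                and all(c.matches(msg) for c in self.conditions))


def evaluate(policies: list, raw_message: str, group: str = "default"):
    """Return (policy name, folder) for the first matching policy, or None."""
    msg = message_from_string(raw_message)
    for p in policies:
        if p.applies(msg, group):
            return p.name, p.quarantine_folder
    return None


# The two policies from Exercise 2: the copied generic one and the new PCI one.
GENERIC = Policy("Symantec Data Loss Prevention - Quarantine",
                 [HeaderPresent("X-dlp-policyid"), HeaderPresent("X-dlp-uniquemsgid")],
                 "Quarantine Incidents")
PCI = Policy("Symantec Data Loss Prevention - PCI Quarantine",
             [HeaderCondition("X-DLP-Quarantine", "PCI", 1)],
             "PCI Quarantine")

# Constructed sample: a message after the Exercise 5 response rule has added
# its headers (header values are made up for illustration).
FLAGGED = (
    "From: joe@acme.com\r\n"
    "To: larry@anothercompany.com\r\n"
    "Subject: How Much\r\n"
    "X-dlp-policyid: 1\r\n"
    "X-dlp-uniquemsgid: 0000-0001\r\n"
    "X-DLP-Quarantine: PCI\r\n"
    "\r\n"
    "See attached.\r\n"
)
CLEAN = "From: joe@acme.com\r\nTo: larry@anothercompany.com\r\nSubject: Lunch\r\n\r\nNoon?\r\n"


def before_reorder():
    # Generic policy listed first, as it is before step 14: the PCI message
    # lands in the generic folder.
    return evaluate([GENERIC, PCI], FLAGGED)


def after_reorder():
    # PCI policy dragged to the top: the same message lands in PCI Quarantine.
    return evaluate([PCI, GENERIC], FLAGGED)


if __name__ == "__main__":
    print("before reorder:", before_reorder())
    print("after reorder: ", after_reorder())
    print("clean message: ", evaluate([PCI, GENERIC], CLEAN))
```

Running the block shows the same flagged message routed to Quarantine Incidents before the reorder and to PCI Quarantine after it; a message without DLP headers matches nothing, as does any message whose sender is outside the policy's groups.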
Exercise 3 – Enable DLP integration in the Messaging
Gateway
In this exercise, you will configure the Messaging Gateway to deliver all outbound messages to
the Network Prevent for E-mail detection server deployed in the Symantec DLP installation. The
Network Prevent for E-mail service acts as an SMTP message transfer agent (MTA): it receives
email messages, processes them against DLP policies, renders a verdict and delivers each
message to the next MTA.
Procedure:
1. Continuing in the Content workspace of Control Center, open Settings > DLP Connect
2. Check the box Enable DLP for the outbound Scanner host
3. In the Route Outbound Mail to DLP Servers pane, click the Add button
4. A new line in the DLP servers table will be created. Enter the following values:
a. Host or IP Address: 192.168.127.10
b. Port: 10025
c. MX Lookup: Unchecked
d. Preference: 1
5. In the Accept Scanned Mail from DLP Server pane, click the Add button
6. A new line in the DLP servers table will be created; enter 192.168.127.10
7. While still in the Connection Settings pane, click the Enforce Server Access tab
8. Check the box Enable connection with Enforce Server
9. Enter the following settings
a. Registered Enforce administration console host or IP address: enforce.acme.com
b. Username: Administrator
c. Password: Symc4now!
d. Maximum number of incidents for status update: 5000
e. Synchronize with Enforce server every (minutes): 5
10. Click the Save button
Exercise 4 – Review Network Prevent for E-mail Settings
To save time, the DLP email detection server has been preconfigured for you. Review the
configuration settings before proceeding to the next exercise.
Procedure:
1. Start a new tab in Internet Explorer and open the Symantec Data Loss Prevention
Console at https://enforce.acme.com
2. Login to DLP using the username Administrator (password Symc4now!)
a. Note: The username in DLP is case sensitive! Use a capital A when typing
Administrator
3. Within the DLP console, navigate to Systems > Servers > Overview
4. Click the link for the Local Detection Server
The operational details pane for the Local Detection Server will open. In the DLP
architecture, detection servers and endpoint agents can be distributed and scaled throughout
the enterprise. Each performs policy inspection on data according to its context (the
channel). For example, this detection server is an inline SMTP inspector.
5. Click the Configure button
Examine the general settings available in Network Prevent for E-mail. One of the key settings
is the next-hop configuration. Reflect mode is enabled in this configuration. In reflect mode,
Network Prevent accepts the message from the messaging gateway, inspects it and returns it over
a new SMTP connection to the same gateway that sent it (which is why Exercise 3 also listed
192.168.127.10 under Accept Scanned Mail from DLP Server). In forward mode, messages are
inspected by DLP and then passed on to the next, separately defined MTA.
6. Click the Cancel button
7. Click the Server Settings button
In the server settings window, scroll to the bottom and examine the “RequestProcessor”
settings. In particular, take note of RequestProcessor.ServerSocketPort: it is the port on
which Network Prevent for E-mail listens for SMTP from the messaging gateway, and it must match
the port you entered in the DLP Connect settings in the prior exercise. Why 10025 rather
than 25? In this lab the host that runs DLP is also the regular groupware (mail) server, which
already owns port 25.
8. Return to the top of the page and click the Cancel button
Exercise 5 – Create a DLP Response Rule
When a policy in DLP is violated, the administrator-configured response rule determines what
actions are taken. The actions available vary with the channel (context) in which the
violation occurs. For example, on an endpoint a clipboard copy operation may be blocked in real
time. For email messages there are two basic actions: block the message or modify the
message. In this case we will modify the message by adding headers and then let the messaging
gateway act on those headers.
Procedure:
1. Continuing in the DLP Console, navigate to Manage > Policies > Response Rules
2. Click the Add Response Rule button to start the response rule wizard
3. Use the default response rule type, Automated Response, and click the Next button
4. Name the response rule Network: Quarantine Email in PCI Container
5. Click the Add Condition button
6. Use the dropdowns to build the condition
 Protocol or Endpoint Monitor
 is any of
 SMTP
7. In the Actions pane, click the drop down and select Modify SMTP Message
8. Click the Add Action button and the Network Prevent: Modify SMTP Message settings
pane will be added
9. In the Headers section, enter X-DLP-Quarantine in the Header 1 Name textbox
10. In the Headers section, enter PCI in the Header 1 Value textbox
11. Check the box at the bottom labeled Enable Email Quarantine Connect
This last option automatically adds two headers when a policy violation occurs:
 X-dlp-policyid
 X-dlp-uniquemsgid
Within Symantec Messaging Gateway, the built-in rule Symantec Data Loss Prevention is
triggered by the presence of these headers.
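The response rule above is the DLP side of the flow. As an added example (written for this page, not code from the lab or from Symantec DLP), here is a model of what Modify SMTP Message with Email Quarantine Connect does to a message: a Luhn-validated digit run stands in for the Credit Card Data policy's detection (the real product uses richer data identifiers and also decodes attachments), the header names are the ones the lab uses, and the X-dlp-policyid and X-dlp-uniquemsgid value formats, the sample message and the test card numbers are constructed.

```python
"""
Added example (not code from the lab, Symantec DLP or SMG): a simplified
model of the "Modify SMTP Message" response rule from Exercise 5. A toy
detector (a 13-19 digit run that passes the Luhn check) stands in for the
Credit Card Data policy. Header names are the ones the lab uses; the values
of X-dlp-policyid and X-dlp-uniquemsgid are assumed formats, not Symantec's.
"""
import re
import uuid
from email import message_from_string
from email.message import Message
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate PANs in text that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def apply_response_rule(raw: str, policy_id: str = "CreditCardData",
                        quarantine_value: str = "PCI"):
    """Model of 'Network Prevent: Modify SMTP Message' with 'Enable Email
    Quarantine Connect' ticked. On a match, add the custom header from the
    rule plus the two Quarantine Connect headers. Returns (message, matches);
    the message is what would be handed back to the MTA."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    text = ""
    for part in parts:                       # scan every text part, attachments included
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace") + "\n"
    matches = find_card_numbers(text)
    if matches:
        msg["X-DLP-Quarantine"] = quarantine_value   # Header 1 from the rule
        msg["X-dlp-policyid"] = policy_id            # Quarantine Connect (assumed value)
        msg["X-dlp-uniquemsgid"] = str(uuid.uuid4()) # Quarantine Connect (assumed value)
    return msg, matches


def build_sample() -> str:
    """Constructed stand-in for the lab's 'How Much' message: a short body
    plus a CSV attachment of names and publicly known test card numbers."""
    outer = MIMEMultipart()
    outer["From"] = "joe@acme.com"
    outer["To"] = "larry@anothercompany.com"
    outer["Subject"] = "How Much"
    outer.attach(MIMEText("Larry, totals for the customers below.\nOrder ref 1234567890123.\n"))
    csv = ("name,card\n"
           "A. Customer,4111 1111 1111 1111\n"
           "B. Customer,5500-0000-0000-0004\n"
           "C. Customer,4111111111111112\n")   # fails Luhn: a typo, not a PAN
    att = MIMEText(csv, "csv")
    att.add_header("Content-Disposition", "attachment", filename="customers.csv")
    outer.attach(att)
    return outer.as_string()


if __name__ == "__main__":
    flagged, hits = apply_response_rule(build_sample())
    print("matches:", hits)
    for h in ("X-DLP-Quarantine", "X-dlp-policyid", "X-dlp-uniquemsgid"):
        print(h + ":", flagged[h])
```

The 13-digit order reference in the body and the mistyped number in the CSV both match the digit pattern but fail the checksum, so they do not count as matches; that checksum is what keeps the toy detector from flagging every long number, which is the same reason the product's credit-card data identifier applies validators rather than a bare pattern.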
12. Click the Save button located towards the top of the page
Exercise 6 – Modify the Symantec DLP Credit Card
policy
A Credit Card policy has already been configured in DLP. This policy will be violated when
content contains credit card numbers. As configured, the credit card policy applies to all
contexts including email but there are no response rules that trigger actions.
Add the new response rule to an existing DLP policy and test out your changes.
Procedure:
1. Continuing in the DLP Console, navigate to Manage > Policies > Policy List
2. Click the Credit Card Data policy link to enter edit mode
3. Click the Response tab in the policy editor
4. In the Response dropdown box, select the rule Network: Quarantine Email in PCI Container
5. Click the Add Response Rule button
6. Click the Save button at the top of the dialog
Test the DLP flow and configuration
7. Open the Thunderbird Email Client
8. In the Templates folder of Joe’s mailbox, double-click the message titled How Much
This message contains an attachment with Names and Credit Card numbers and represents
a type of message that is a policy violation
9. Click the Send button
10. Wait about 60 seconds for actions to complete
Exercise 7 – Incident Response
At this point, the message has been processed by Symantec DLP and a policy violation has been
detected. The assigned Response Rule has added message headers and passed the email back to
the Symantec Messaging Gateway. The Content policy configured on the messaging gateway has
quarantined the message. Neither the sender nor the recipient is aware of these actions at this
point. What happens next?
 An incident responder can see the violation in the DLP console
 An SMG administrator can see that a message has been quarantined in the Message Audit Log
 With appropriate permissions, it is also possible to see the quarantined message in the SMG Control Center
 In 7 days, if no action occurs, the message will be deleted from the quarantine with no notification (the Expunger setting enabled in Exercise 1)
 All of these behaviors are configurable based on roles, alerting and other system settings
In this exercise, you will act as an incident responder and process the scenario in the DLP
console. However, first take a few moments to research the situation using the SMG Control
Center.
Procedure:
1. Return to the SMG Control Center in Internet Explorer
2. Navigate to Status > SMTP > Message Audit Logs
3. In the filter pane, enter a single period (.) in the Mandatory Filter Value textbox
The period is a regular-expression wildcard that matches any single character, so the filter
returns every message that has a value in the filtered field.
4. Click the Display Filtered button
5. Click on the message to see more details
6. Navigate to Content > QUARANTINE FOLDERS > PCI Quarantine
You will see each of the quarantine messages. If the messages are missing, check the regular
Quarantine Incidents folder… you may have missed the last step of Exercise 2.
7. Proceed as an incident responder and return to the DLP Console, navigate to Incidents >
Network
The incident corresponding to the email you just sent should appear in the incident list.
8. Click on the How Much incident
Take note of some of the incident features that are critical to a responder
a. In the left pane, you will see that the incident was created by a violation of the
Credit Card Data policy with 40 data points matched
b. The high number of data matches has triggered a High rating on the incident.
The severity rules are established in the policy definition
c. Continuing though the incident details, sender, recipient and additional
message details are listed
d. The incident details include the original message
e. In the center column, sample data matches are listed
f. In the right column, the instigator is correlated to organizational data derived
from Active Directory
9. At the top of the incident, click Reject Email button
This action activates a FlexResponse process dialog
10. There are no selections to make, click the OK button
11. Return to Thunderbird Email Client
12. Refresh Joe’s Inbox
Joe should receive an email entitled Email Policy Violation. This notification is configured in
the SMG Content policy.
Trace back the notification settings in the SMG Control Center and then review how
notifications are configured.
13. First navigate to Content > Policies > Email and open the policy Symantec Data Loss
Prevention – PCI Quarantine
Review the set of Reject actions including send email notification. Message notifications are
configurable and localizable.
14. Navigate to Content > Resources > Notifications
15. Click the Email Policy Violation item
Exercise 8 – Policy-Based Encryption
In the previous exercises, we focused on preventing data loss and creating the architectural
relationship between Symantec Messaging Gateway and Symantec DLP. Equally important are
features to protect legitimate emails that may contain sensitive information.
As you may be aware, transmissions between Message Transfer Agents are not necessarily
encrypted. ESMTP supports TLS between MTAs through the STARTTLS extension, in a manner very
similar to the HTTPS connections you use when you require a secure browser session. When this
feature is enabled and enforced, we refer to it as boundary encryption. Boundary encryption
prevents unintended access while messages transit the network between two MTAs, but it is
hop-by-hop: it provides no message privacy or integrity once the message is at rest in the
groupware system, nor on any later hop that does not enforce it.
When message integrity and privacy from sender to recipient are required, message (content)
encryption is employed. Message encryption is typically used in select scenarios rather than
applied universally to every message, so we usually refer to message encryption as
policy-based encryption.
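The difference between STARTTLS merely being enabled and being enforced is the whole of the boundary-encryption guarantee, so here is an added Python model of the decision a sending MTA makes from the peer's EHLO reply. This is example code written for this page, not from the lab or from Symantec Messaging Gateway; the EHLO replies are constructed rather than captured from the lab hosts, and the per-domain policy table is an assumption for illustration.

```python
"""
Added example (not from the lab or Symantec): a model of the "boundary
encryption" decision an MTA makes when ESMTP STARTTLS is enabled versus
enforced. The EHLO replies below are constructed, not captured from the lab
hosts; the domain-to-policy table is an assumption for illustration.
"""
import smtplib

# Constructed server side of the exchange: the multi-line 250 reply each
# next-hop MTA would send in answer to "EHLO smg.acme.com".
EHLO_REPLIES = {
    "trustedpartner.net": [
        "250-mail.trustedpartner.net Hello smg.acme.com",
        "250-SIZE 52428800",
        "250-STARTTLS",
        "250 8BITMIME",
    ],
    "anothercompany.com": [
        "250-mail.anothercompany.com Hello smg.acme.com",
        "250-SIZE 52428800",
        "250 8BITMIME",
    ],
}

# Assumed per-domain policy: "required" = TLS enforced, "opportunistic" = enabled only.
TLS_POLICY = {"trustedpartner.net": "required", "anothercompany.com": "opportunistic"}


def parse_ehlo(lines):
    """Return the set of ESMTP extension keywords in a multi-line 250 reply.
    The first 250 line is the greeting, not an extension."""
    exts = set()
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected reply: " + line)
        exts.add(line[4:].split()[0].upper())
    return exts


def tls_decision(domain, ehlo_lines, policy=TLS_POLICY):
    """'starttls'  - upgrade the session before MAIL FROM
       'plaintext' - deliver unencrypted; only allowed when opportunistic
       'defer'     - TLS is enforced and the peer does not offer it: do not
                     send (this is what stops a STARTTLS-stripping downgrade)"""
    offered = "STARTTLS" in parse_ehlo(ehlo_lines)
    mode = policy.get(domain, "opportunistic")
    if offered:
        return "starttls"
    return "defer" if mode == "required" else "plaintext"


def decide_all():
    """Decision for every constructed peer under the assumed policy table."""
    return {d: tls_decision(d, r) for d, r in EHLO_REPLIES.items()}


def live_check(host, port=25, timeout=10):
    """The same question asked of a real MTA (needs network access):
    smtplib parses the EHLO reply and exposes it through has_extn()."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo("smg.acme.com")
        return s.has_extn("starttls")


if __name__ == "__main__":
    for domain, decision in decide_all().items():
        print(domain, "->", decision)
```

Under an opportunistic policy a peer that does not advertise STARTTLS (or an attacker who strips it from the reply) simply gets the message in the clear; only the enforced policy turns that into a deferral, which is the sense in which the text says boundary encryption must be both enabled and enforced.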
SMG contains built-in support for content encryption using Symantec .Cloud services and also
supports encryption through other gateway services, including Symantec Encryption
Management Server. In this exercise you will create FlexResponse scenarios with DLP that require
message encryption through a gateway service.
Procedure:
1. Using Internet Explorer, open https://keys.acme.com:9000
2. Login with the following credentials
a. Username: admin
b. Password: Symc4now!
3. Navigate to Mail > Mail Policy
4. Open the Outbound policy chain
5. Click on the last rule SWEP based on DLP Policies
Review the criteria for encryption
6. Switch to the SMG Control Center
7. Navigate to Content > Policies > Email
8. Click to open the policy Symantec Data Loss Prevention – Quarantine
9. In the Actions pane, select and delete the actions listed in the Message Review Custom
Actions section
10. In the same section, Message Review Custom Actions, click the Add Custom Action
button
11. A popup dialog will open; choose the action Add a header
12. The dialog will adapt to your selection; enter the following values in the appropriate text
boxes
a. Header: X-Encrypt
b. Value: Yes
13. Click the button Add Custom Action
14. Using the same process, add the following action:
a. Action: Route the message
b. Host: keys.acme.com
c. Port: 25
d. Use MX Lookup: Unchecked
15. Using the same process, add the following action:
a. Action: Send notification
b. Notifications: Encrypted Email Delivery
16. Click the Save button
17. Wait for the save action to complete and then, using the Thunderbird Email Client, send
the message titled Customer Data from Joe’s Templates folder
18. Wait about 30 seconds, switch to the DLP Console and navigate to Manage > Incidents >
Network
19. Open the Customer Data incident and click the Encrypt Email option
20. In the FlexResponse action dialog, click OK
21. Return to the Encryption Management Server console and navigate to Reporting > Logs
You will see that the message has been released from the Symantec Messaging Gateway
and sent to the Encryption Management Server. In this case, the policy option selected uses
the Secure Web Mail feature of Symantec Encryption Management Server.
22. Using the Thunderbird Email Client, refresh Larry’s inbox
23. Open the message titled Symantec Encryption Secure Message
24. Click the link embedded in the message
25. Enter Symc4now! for the new passphrase when prompted
26. Take note of the message delivery options and click the Choose Option button to see
the secure message
Thank You!
YOUR FEEDBACK IS VALUABLE TO US!
Please take a few minutes to fill out the short session survey available on the mobile app—the
survey will be available shortly after the session ends. Watch for and complete the more
extensive post-event survey that will arrive via email a few days after the conference.
To download the app, go to https://vision2014.quickmobile.com or search for Vision 2014 in the
iTunes or Android stores.
Appendix – Lab Configuration and Credentials

Endpoint-7.acme.com
Roles:
 Student Workstation
 IE 10
 Thunderbird Portable (Email)
2 vCPU, 2GB RAM
Eth0 - VNET1 - 192.168.127.10
Eth1 - VNET2 – Dynamic NAT

Enforce.acme.com
Roles:
 acme.com Domain Controller
 MailEnable (Groupware) for acme.com, anothercompany.com, trustedpartner.net
 Symantec DLP 12
 Network Prevent for E-mail
4 vCPU, 6GB RAM
Eth0 - VNET1 - 192.168.127.10
Eth1 - VNET2 – Dynamic NAT

smg.acme.com
Roles:
 Messaging Gateway (MTA) 10.5
2 vCPU, 2GB RAM
Eth0 - VNET1 - 192.168.127.60
Eth1 - VNET2 – 10.10.100.60

keys.acme.com
Roles:
 Encryption Management Server
1 vCPU, 1GB RAM
Eth0 - VNET1 - 192.168.127.20
Eth1 – N/A

Resource             Username             Password    Address
Enforce Console      ACME\Administrator   Symc4now!   Desktop Console
W7/WXP Console       ACME\joe             Symc4now!   Desktop Console
SMG Console          admin                Symc4now!   Desktop Console
SMG Control Center   admin                Symc4now!   https://192.168.127.60
DLP Console          Administrator        Symc4now!   https://192.168.127.10
Encryption Console   admin                Symc4now!   https://192.168.127.20:9000