Skip to content

Data Loss Prevention (DLP)

In the previous sections we looked into how Valtix Gateway can perform FQDN filtering. When traffic is being proxied, another consideration is to enable Data Loss Prevention (DLP). These profiles enable the Valtix Gateway to detect if any sensitive data is egressing and allow you to take action on that traffic.

Some of the use cases are:

  1. There are 10 SSNs (Social Security Numbers) in the outgoing traffic to date. It appears like a data leak -> Requirement to stop this session
  2. 25 Credit Number patterns are in traffic -> Requirement to receive an alert

Configure custom patterns to look for, and in addition to a set of predefined patterns provided by Valtix.

Step 1: Create DLP Profile

  1. Go to Manage -> Profiles -> Network Threats.
  2. Click Create Intrusion Profile
  3. Select Data Loss Prevention
  4. Provide a name (e.g dlp-tutorials)
  5. In the DLP Filter List table, type US Social Security Number in the Patterns text column/field
  6. Set 2 in the Count (sending more than 2 SSNs in the traffic would trigger the action)
  7. Select Drop as the Action
  8. Save the profile

Step 2: Create IPS Profile

DLP Profile requires an IPS Profile to be present as DLP uses the IPS engine.

  1. Go to Manage -> Profiles -> Network Threats.
  2. Click Create Intrusion Profile
  3. Select Network Intrusion
  4. Provide a name (e.g ips-tutorials)
  5. In the Talos Ruleset Version choose the latest rule set
  6. Click "+" on the Balanced policy from the Profile Builder
  7. Save the profile

Step 3: Attach DLP Profile to Policy

  1. Click Manage -> Security Policy -> Rules
  2. Find the Ruleset name that's associated with the Egress Gateway
  3. Click the Ruleset name
  4. From the earlier sections there are two (2) rules in the ruleset:
    1. any-egress-http
    2. any-egress-https
  5. We will be testing the DLP profile with TLS (https) traffic
  6. Click the table row any-egress-https and click Edit
  7. Delete any other profiles not required from the previous tutorials (e.g fqdn-tutorials)
  8. In the editor panel, set the Network Intrusion to ips-tutorials
  9. In the editor panel, set the Data Loss Prevention to dlp-tutorials
  10. CLick Save to save the rule
  11. Click Save to save the ruleset
  12. The rules now show dlp-tutorials and ips-tutorials as a profile in the rules table

Step 4: Traffic Test

  1. SSH to the EC2 instance created in the spoke1-vpc
  2. curl -kv -d "613-63-6333 613-63-6333 613-63-6333" -o /dev/null
  3. Check that you get a 502 Bad Gateway error
  4. Go to Investigate -> Flow Analytics -> Network Threats
  5. You will note logs for the DLP dropped requests with a message: Sensitive Data was Transmitted Across the Network