DLP (Data Loss/Leak Prevention), IDS/IPS Solutions Discussion


(watermelon) #1

Hi all,

Perhaps this isn’t the right place to ask, but I feel like there are many security professionals here that may have some thoughts and answers to this.

Has anybody implemented a DLP solution in their environment? This is generally, from what I understand, a centralized server that manages agents installed on endpoints where the agents will prevent actions such as copying a credit card number to the user’s clipboard, executing some program/command, etc.

I’ve tried to find some open source solution for this but have only come up with myDLP from Comodo and openDLP, but they seem sketchy at first glance. Also, it seems like they haven’t been updated for years.

If you’ve implemented this, what DLP solution do you use? I’m thinking this type of thing is more of an enterprise solution.


(Kevin Honka) #2

They do look really outdated. I haven’t really thought about implementing such a thing because I consider it a fool’s errand that will never end and never be really secure.

We are using freeIPA for our linux servers to manage user access and sudo rules, which are not complete, but good enough to catch the most common mistakes.


(Michael Friedrich) #3

I haven’t done anything for a long time in these regions. Round about ten years ago I was looking into IDS, specifically Snort. I don’t know if that’s still a thing.

https://www.mydlp.com/features/ reads like a huge proxy black hole. If configured the wrong way, many applications would likely suffer. Similar thing with Riverbed which performs deep packet inspection and attempts to rewrite/optimize TLS headers (that breaks Icinga btw, seen that at a customer).

There’s basic things for security and data loss prevention you can already have on your systems. One of them is a clear user and permission management, be it with SSH keys deployed via cfgmgmt tools, or AD/LDAP controlled logins. Some might also combine that with Kerberos/SSO.

I’ve seen it too in the wild that users are tempted to re-use the CA chain from their cfgmgmt tool (Puppet, Salt) for the Icinga chain. Don’t do that. It opens up a trust level between two sensitive tools which makes it easier to attack and breach information.

It may be worthwhile to ask on Twitter and catch the Infosec people.


(watermelon) #4

Thanks for the replies guys, very insightful.

@KevinHonka

that will never end and never be really secure.

I assume by this you mean that there are inevitable loopholes and workarounds that the software wouldn’t be able to detect/prevent and this is why you wouldn’t want to implement this; I agree with you. I guess this type of thing would only need to be implemented if you didn’t trust your users to not do things like copy credit card numbers, but even so, there are flaws (but surely it’s better to have something rather than nothing).

We are using freeIPA

Thanks for the suggestion, I’ll check it out. We use something called PowerBroker Identity Services Open to connect our Linux servers to AD domains.

@dnsmichi

ten years ago I was looking into IDS

It seems like you and Kevin don’t seem to care too much about IDS/IPS. I looked into it (Snort specifically) and found that most of the functionality from Snort could be handled by my firewall already (which might be why you guys wouldn’t implement an IDS/IPS?). Things that I guess I’d like to do is to start filtering inbound and outbound traffic and perform deep packet inspection (which, I would have to be careful of as you mentioned), web proxying, content filtering, etc. Since my firewall and I’m assuming a lot of other firewalls can handle this, why do individual IDS/IPS solutions even exist?

catch the Infosec people

Would you suggest anyone in particular to follow/ask? I don’t use Twitter currently but I guess I should start.

Thanks all!


(Kevin Honka) #5

You are right with your assumptions, that there will always be loopholes and workarounds for such a system, especially in Linux. Think about sudo man man when you only have limited sudo rights.

Regarding FreeIPA, it is really nice, especially because you can create a Trust with your AD and do not have to keep duplicate users around. Also it runs with your default Linux tools like sssd.
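A defender-side check for the sudo loophole mentioned above, as an added example (not from the thread, FreeIPA or sudo itself): it parses plain sudoers-style user rules and flags rules that grant unrestricted sudo, or that grant man without the NOEXEC tag that stops it from spawning other programs. The sample rules and the hypothetical user names are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample rules in sudoers syntax (not taken from any real system).
SAMPLE_SUDOERS = """\
# constructed example rules
Defaults env_reset
alice ALL=(ALL) NOPASSWD: /usr/bin/man
bob   ALL=(root) NOEXEC: /usr/bin/man
carol ALL=(ALL) ALL
dave  ALL=(root) /usr/bin/systemctl restart icinga2
"""

# The thread's own example: man can hand control to a pager, which can run
# other programs. Kept deliberately to that one case.
SHELL_CAPABLE = {"/usr/bin/man"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

@dataclass
class Finding:
    user: str
    command: str
    issue: str

def parse_rules(text: str):
    """Yield (user, tags, command) from each user-spec line of a sudoers file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES) or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        user = lhs.split()[0]
        rhs = re.sub(r"^\s*\([^)]*\)\s*", "", rhs)  # drop the (runas) part
        tags = set()  # sudoers tags persist across later commands on the line
        for spec in rhs.split(","):
            parts = spec.split()
            while parts and parts[0].endswith(":"):
                tags.add(parts.pop(0)[:-1].upper())
            if parts:
                yield user, set(tags), " ".join(parts)

def audit(text: str):
    """Return findings for rules that are too broad or lack NOEXEC on man."""
    findings = []
    for user, tags, cmd in parse_rules(text):
        if cmd == "ALL":
            findings.append(Finding(user, cmd, "unrestricted sudo"))
        elif cmd.split()[0] in SHELL_CAPABLE and "NOEXEC" not in tags:
            findings.append(Finding(user, cmd, "shell-capable command without NOEXEC"))
    return findings
```

Running audit(SAMPLE_SUDOERS) reports alice (man without NOEXEC) and carol (ALL), while bob's NOEXEC rule and dave's narrow systemctl rule pass.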


(Michael Friedrich) #6

The main reason is that I lost track of it since my change of jobs. I used to be an administrator, with a slight touch of development and support later on. Then I moved into consulting at NETWAYS, later becoming a developer with partial support challenges. Administration of systems is not my primary focus, still I know a lot of things from my years of experience with and around monitoring stacks.

On Twitter, I read a lot about infosec and such things, but I cannot really recommend a strategy. https://twitter.com/swiftonsecurity is an account to watch for security related stuff (note: that’s not taylor swift).


(watermelon) #7

Ahh, I see. For me, I feel as if IDS & IPS is the next step for me in network monitoring. Icinga provides a good base for everything and now it’s time to add another layer to my monitoring stack.

Thanks for the suggestions and discussion!


(Kevin Honka) #8

Do you already have something like Graylog running? You could use it to collect logs from all kinds of routers, switches etc. and parse them.


(watermelon) #9

Yup, log aggregation/analysis is another important part of network monitoring and I do use Graylog to do that.

Is there anything else besides that that you use?