Symantec Data Loss Prevention for Mobile connects to your corporate network through Wi-Fi access or through cellular 3G connectivity. Network traffic for Webmail, third-party applications such as Yahoo and Facebook, and corporate email applications including Microsoft Exchange ActiveSync,IBM Lotus Notes Traveller, is sent through the HTTP/S protocol. Corporate email can be sent through Microsoft ActiveSync as either HTTP or HTTPS protocol information. Microsoft ActiveSync receives the information from the corporate proxy server after it has gone through detection; then, sends the message to the corporate Exchange Server. Messages that are sent through applications such as Facebook or Dropbox can be blocked from the message, depending on your policies.
The above graphic illustrates the connections necessary to enable Symantec Data Loss Prevention for Mobile:
Mobile devices must connect to the corporate network through a virtual private network (VPN) to send corporate messages or access the corporate network. The Mobile Prevent solution requires that mobile devices use the VPN On Demand feature to create a constant, protected VPN connection. If you are not connected to the corporate network, Mobile Prevent cannot detect any policy violations.
Your mobile device connects to the VPN server to gain access to your corporate network.
The VPN server assigns an IP address to each mobile device that connects to it. These IP addresses form a VPN subnetwork. The VPN subnetwork lets your mobile devices access the corporate network and the corporate proxy server. You can specify a range of IP addresses that your VPN server can assign to other devices. All of the IP addresses that the VPN server assigns to your mobile devices are within this range. If a range of addresses were not specified for your VPN server, the network could randomly assign IP addresses to your mobile devices. A specific range of IP addresses lets Symantec Data Loss Prevention identify which IP addresses are assigned to mobile devices and which addresses are not connected. Using a range of IP addresses assists in identifying which mobile device generated an incident.
If you deploy Mobile Prevent and Network Prevent together, the IP address identifies Network and Mobile incident types.
On the Mobile Prevent side, VPN On Demand ensures that the VPN connection is not interrupted. Apple mobile devices use VPN On Demand to dynamically create a VPN session. VPN on Demand starts the VPN session when connecting to a specific list of configured domains (for example .com, .net, or .org). Certificate-based authentication is required to configure the VPN On Demand feature. By configuring how VPN On Demand automatically enables VPN on an iOS mobile device, you can ensure that all traffic goes through your corporate network. You need a Web proxy that is deployed in transparent mode to route traffic from the mobile devices in your corporate network to Symantec Data Loss Prevention. The network traffic is routed uses the ICAP service.
You can use a mobile device management (MDM) solution to apply the network and VPN configuration.
VPN configuration can be specified in a configuration profile by your mobile device management (MDM) solution. The MDM solution applies a configuration profile to each mobile device that you want to connect to your corporate network.
Use a mobile device management (MDM) solution to manage and apply a wide variety of configuration settings to multiple mobile devices. You can load user profiles where corporate mail settings, VPN settings, security certificates, and proxy server settings are preconfigured onto the mobile devices. To access the Mobile Prevent for Web Server, you must use an MDM solution to apply the VPN server configuration profile. The VPN server configuration profile sets the conditions for VPN On Demand to route all network traffic through the VPN and into your corporate network. Only network traffic flowing in your corporate network can be monitored for violations.
Implementing Mobile Prevent :
The Mobile Prevent for Web Server integrates with a VPN server, an MDM solution, and a Web proxy server using ICAP. If it detects confidential data in Web content, the proxy will reject requests or remove HTML content as specified in your Mobile Prevent policies.
First, you need to know the high-level steps that are required for implementing Mobile Prevent. You can check the cross-referenced sections for more details. There are two deployment scenarios for Mobile Prevent: the Mobile Prevent as a standalone product, and Mobile Prevent installed in combination with Network Prevent. The following procedure assumes that you are implementing Mobile Prevent as a standalone product. If you want to implement Mobile Prevent and Network Prevent, you must also follow the implementation instructions for Network Prevent.
About deploying Mobile Prevent as a standalone solution :
When you deploy Mobile Prevent as a standalone solution, no other detection server is deployed with the Mobile Prevent for Web Server. The Mobile Prevent for Web Server interacts with the Enforce Server and the corporate proxy server to monitor and prevent incidents on mobile devices. The following diagram describes how the Mobile Prevent solution fits into your corporate infrastructure:
In this deployment, mobile devices connect to the corporate network through your VPN server. The VPN server assigns each mobile device an IP address. This address lets the device access the internal corporate network. After the device is assigned a unique IP address, all HTTP, HTTPS, and FTP traffic is monitored by the Mobile Prevent for Web Server. Each device must be connected to the corporate network through the VPN. If the VPN connection to the corporate network is lost, Mobile Prevent cannot detect any violations.
iPads and iPhones use a native feature called VPN On Demand to create a secure VPN connection automatically without user intervention. VPN On Demand requires certificate-based authentication to create the connection to the VPN Server.
After the VPN connection is established, traffic is sent through the proxy server and analyzed by Mobile Prevent for Web Server. Traffic between the proxy server and the Mobile Prevent for Web Server is done over the ICAP protocol. If no violations are discovered, the traffic is sent to its destination either internally or externally. If violations are discovered, an incident is created and response actions are implemented. Incidents are recorded on the Enforce Server.
When a mobile device sends an email through Microsoft Exchange ActiveSync, the HTTP/HTTPS packets are sent to the ActiveSync server. The packets are then sent to the Exchange Server. Any corporate email should go through Microsoft Exchange ActiveSync. Mobile Prevent does not support the SMTP protocol.
Note: Mobile Prevent does not support response mode (RESPMOD).
Below implementing procedures assume that you already have your VPN and proxy servers running in your environment.
Procedure Step 1 : Add a new Mobile Prevent Server.
Adding a detection server
Add the detection servers that you want to your Symantec Data Loss Prevention system from the System > Servers > Overview screen.
You can add the following types of servers:
Network Monitor Server, which monitors network traffic.
Network Protect Server, which inspects stored data for policy violations (Network Discover).
Network Prevent Server, which prevents SMTP violations.
Network Prevent Server, which prevents ICAP proxy server violations such as FTP, HTTP, and HTTPS.
Mobile Prevent for Web Server, which monitors and prevents HTTPS, HTTPS, and FTP violations over mobile devices.
If your Symantec Data Loss Prevention license includes both Mobile Prevent for Web and Network Prevent for Web Servers you add a single detection server called Network and Mobile Prevent for Web Server.
Endpoint Server, which controls Symantec DLP Agents that monitor endpoint computers.
Classification Server, which analyzes email messages that are sent from a Symantec Enterprise Vault filter, and provides a classification result that Enterprise Vault can use to perform tagging, archival, and deletion as necessary.
Procedure Step 2: Configure your Mobile Prevent Server.
Configuring the Mobile Prevent for Web Server
You can use a number of configuration options for Mobile Prevent for Web Server. For example, you can configure the server to:
Ignore small HTTP/S requests or responses.
Ignore requests to or responses from a particular host or domain (such as the domain of a business subsidiary).
Ignore user search engine queries.
To modify your Mobile Prevent for Web Server configuration
Go to System > Servers > Overview and click the Mobile Prevent for Web Server.
On the Server Detail screen that appears, click Configure.
You can verify or modify settings on the ICAP tab as described in subsequent steps. The tab is divided into several sections: Request Filtering, Response Filtering, and Connection.
Verify or change the Trial Mode setting.
Verify or modify the filter options for requests from HTTP clients (user agents). The options in the Request Filtering section are as follows:
Ignore Requests Smaller Than
Specifies the minimum body size of HTTP requests to inspect. (The default is 4096 bytes.) For example, search-strings typed in to search engines such as Yahoo or Google are usually short. By adjusting this value, you can exclude those searches from inspection.
Ignore Requests without Attachments
Causes the server to inspect only the requests that contain attachments. This option can be useful if you are mainly concerned with requests intended to post sensitive files.
Ignore Requests to Hosts or Domains
Causes the server to ignore requests to the hosts or domains you specify. This option can be useful if you expect a lot of HTTP traffic between the domains of your corporate headquarters and branch offices. You can type one or more host or domain names (for example, www.company.com), each on its own line.
Ignore Requests from User Agents
Causes the server to ignore requests from user agents (HTTP clients) you specify. This option can be useful if your organization uses a program or language (such as Java) that makes frequent HTTP requests. You can type one or more user agent values (for example, java/6.0.29), each on its own line.
Note: The Response Filtering options are not supported for Mobile Prevent.
Verify or modify the filter options for responses from Web servers. The options in the Response Filtering section are as follows:
Ignore Responses Smaller Than
Specifies the minimum size of the body of HTTP responses that are inspected by this server. (Default is 4096 bytes.)
Inspect Content Type
Specifies the MIME content types that Symantec Data Loss Prevention should monitor in responses. By default, this field contains content-type values for Microsoft Office, PDF, and plain text formats. To add others, type one MIME content type per line. For example, type application/wordperfect5.1 to have Symantec Data Loss Prevention analyze WordPerfect 5.1 files.
Note that it is generally more efficient to specify MIME content types at the Web proxy level.
Ignore Responses from Hosts or Domains
Causes the server to ignore responses from the hosts or domains you specify. You can type one or more host or domain names (for example, www.company.com), each on its own line.
Ignore Responses to User Agents
Causes the server to ignore responses to user agents (HTTP clients) you specify. You can type one or more user agent values (for example, java/1.4.2_xx), each on its own line.
Verify or modify settings for the ICAP connection between the HTTP proxy server and the Mobile Prevent for Web Server. The Connection options are as follows:
Specifies the TCP port number over which this server listens for ICAP requests. This number must match the value that is configured on the HTTP proxy that sends ICAP requests to this server. The recommended value is 1344.
Maximum Number of Requests
Specifies the maximum number of simultaneous ICAP request connections from the HTTP proxy or proxies. The default is 25.
Maximum Number of Responses
Specifies the maximum number of simultaneous ICAP response connections from the HTTP proxy or proxies. The default is 25.
Specifies the number of waiting connections allowed. A waiting connection is a user waiting for an HTTP response from the browser. The minimum value is 1. If the HTTP proxy gets too many requests (or responses), the proxy handles them according to your proxy configuration. You can configure the HTTP proxy to block any requests (or responses) greater than this number.
In the Mobile IP Ranges fields, enter the range of IP addresses that your VPN server is configured to assign to mobile devices. The IP addresses are used to identify the incidents that were triggered from mobile devices as Mobile incidents.
The IP addresses you enter into this range do not dynamically affect the VPN Server. This range is only to identify your mobile devices in the administration console. You must enter the exact same range of IP addresses when you configure the VPN Server to assign the addresses.
Click Save to exit the Configure Server screen and then click Done to exit the Server Detail screen.
Procedure Step 3: Configure your VPN Server with the IP address range that you want to assign to the corporate mobile devices for the Mobile Prevent sub-network
Procedure Step 4 : Configure your VPN profile with the MDM application.
You must configure the VPN profile before mobile devices can connect to the corporate network. The VPN profile combines security certificates, the VPN server configuration settings, VPN On Demand settings, and any network configuration settings. Normally, the VPN profile is set and applied through your MDM solution. Along with the VPN profile, you can configure other aspects of your mobile device such as Microsoft Exchange ActiveSync, firewall properties, or LDAP settings.
Procedure Step 5 : Define ICAP services on proxy to route traffic to Mobile Prevent Web Server.
Procedure Step 6 : Create and deploy a policy for Mobile Prevent.
Creating policies for Mobile Prevent
You can create the policies that include most standard response rules. The response rules include Add Note, Limit Incident Data Retention, Log to a Syslog Server, Set Attribute, and Set Status.
You can also incorporate the response rules that are specific to Mobile Prevent Server as follows:
Network Prevent and Mobile Prevent: Block HTTP/HTTPS
Blocks the posts that contain confidential data (as defined in your policies). This includes Web postings, Web-based email messages, and files that are uploaded to Web sites or attached to Web-based email messages.
Certain applications may not provide an adequate response to the Network Prevent and Mobile Prevent: Block HTTP/HTTPS response action. This behavior has been observed with the Yahoo! Mail application when a detection server blocks a file upload. If a user tries to upload an email attachment and the attachment triggers a Network Prevent: Block HTTP/HTTPS response action, Yahoo! Mail does not respond or display an error message to indicate that the file is blocked. Instead, Yahoo! Mail appears to continue uploading the selected file, but the upload never completes. The user must manually cancel the upload at some point by pressing Cancel.
Other applications may also exhibit this behavior, depending on how they handle the block request. In these cases a detection server incident is created and the file upload is blocked even though the application provides no such indication.
Network Prevent and Mobile Prevent: Remove HTTP/HTTPS Content
Removes confidential data from posts that contain confidential data (as defined in your policies). This includes Web-based email messages and files that are uploaded to Web sites. Note that the Remove HTTP/HTTPS Content action works only on requests.
Network Prevent and Mobile Prevent: Block FTP Request
Blocks FTP transfers that contain confidential data (as defined in your policies).
For details on setting up any response rule action, open the online Help.
Go to Manage > Policies > Response Rules and click Add Response Rule.
Even if you do not incorporate response rules into your policy, Mobile Prevent captures incidents as long as your policies contain detection rules. You can set up such policies to monitor Web and FTP activity on your mobile device before implementing the policies that block or remove content.
If you have configured your proxy to forward both HTTP/HTTPS requests and responses, your policies work on both. For example, policies are applied to both an upload to a Web site and a download from a Web site.
To create a test policy for Mobile Prevent
In the Enforce Server administration console, create a response rule that includes one of the actions specific to Mobile Prevent. For example, create a response rule that includes the Network Prevent and Mobile Prevent: Block HTTP/HTTPS action.
Create a policy that incorporates the response rule you configured in the previous step.
For example, create a policy called Test Policy as follows:
Include a Content Matches Keyword detection rule that matches on the keyword "secret."
Include a Network Prevent and Mobile Prevent: Block HTTP/HTTPS response rule.
Associate it with the Default policy group.
Procedure Step 7 : Test the system by generating an incident against your test policy.
Testing Mobile Prevent
You can test Mobile Prevent by sending an email that violates your test policy.
To test your system
Connect your mobile device to the Internet and connect to your corporate VPN.
Open your corporate email client and send an email with an attachment containing confidential data. For example, access your Microsoft Outlook client and send an email with an attachment containing the word secret and paragraphs of other text.
In the Enforce Server administration console, go to Incidents > Mobile and click Incidents - All. Look for the resulting incident. For example, search for an incident entry that includes the appropriate timestamp and policy name.
Click on the relevant incident entry to see the complete incident snapshot.
Procedure Step 8 : If required, troubleshoot the implementation.
See the Symantec Data Loss Prevention System Requirements and Compatibility Guide for more details on configuring Mobile Prevent to work within your organization.