Enabling ICAP Client Support for Connectivity with Network DLP Tool Integrated with Flexible Inline SSL (6.4)

Introduction

Enterprises are required to protect their intellectual property from being exfiltrated from their networks. Additionally, they need to meet regulatory compliance requirements around data protection.

Data Loss Prevention (DLP) is a set of tools and processes that enables enterprises to detect and prevent data breaches and data exfiltration. Network DLP can stop an individual user session that violates policy, preventing data leaks across all network traffic by blocking users when their activity is determined to be risky based on the data content and the event context.

DLP identifies sensitive data by performing pattern matching on the textual data contained within the files that flow through the network. The DLP solution requires that data in motion be scanned and, importantly, that the data be unencrypted at the point of inspection. Since almost 90% of web traffic is transmitted encrypted, that is, over HTTPS using the TLS/SSL protocols, DLP needs to be integrated with an Inline SSL decryption solution that decrypts the files before the DLP inspects the data. The ICAP protocol serves as the communication and policy interface for DLPs: the packets are encapsulated by an ICAP client and passed to an ICAP server, which in this case is the DLP.

The following Gigamon Validated Design (GVD) illustrates deploying Inline SSL for decryption along with the built-in ICAP client solution (both deployed on the same HC Series node), which performs the encapsulation and forwards queries to a DLP ICAP server for content inspection.

Topology Diagram


Figure 1: Inline-SSL Deployment with DLP using DLP 

Design Overview

In the following scenario, an enterprise network consists of:

  • An Intrusion Prevention System (IPS) tool deployed Inline in the network

  • A Data Loss Prevention (DLP) tool deployed to protect the company's sensitive data against threats, comply with data regulations, and minimize risk to the organization's finances and reputation.

Gigamon's Inline SSL solution is deployed in hybrid mode to decrypt both inbound and outbound traffic and forward the decrypted data to the IPS and the DLP, giving them visibility into the encrypted traffic.

The ICAP Client application integrates Inline SSL with the DLP ICAP server by being deployed as an Inline tool. The decrypted traffic from the Inline SSL GS Engine is sent to the ICAP Client GS Engine through the configured nested inline network. The decrypted traffic is then forwarded over the IP interface to the DLP tool acting as an ICAP server for content inspection, without needing any forward proxy or reverse proxy between the HC node and the DLP server.
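As an added example, not Gigamon's code: the ICAP/1.0 (RFC 3507) REQMOD framing an ICAP client produces for a decrypted HTTP upload like the one handed over by Inline SSL above, and how the DLP ICAP server's verdict (204 meaning unmodified/allow, 200 meaning the server replaced the request, typically with a block page) is read back. The host names, the sample upload and the sample replies are constructed placeholders.

```python
import re

# Added example (not Gigamon's code): ICAP REQMOD framing from the client side and
# verdict parsing of the DLP ICAP server's reply. Hosts and data are constructed.

def build_reqmod(icap_host: str, http_headers: bytes, body: bytes) -> bytes:
    """Wrap a decrypted HTTP request (headers ending in CRLF CRLF) in ICAP REQMOD.
    The body is sent chunked, as ICAP requires; Encapsulated gives each part's
    byte offset from the start of the encapsulated section."""
    if body:
        enc = f"req-hdr=0, req-body={len(http_headers)}"
        chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    else:
        enc = f"req-hdr=0, null-body={len(http_headers)}"
        chunked = b""
    icap_hdr = (f"REQMOD icap://{icap_host}/reqmod ICAP/1.0\r\n"
                f"Host: {icap_host}\r\n"
                f"Encapsulated: {enc}\r\n\r\n").encode()
    return icap_hdr + http_headers + chunked

def parse_verdict(raw: bytes) -> dict:
    """Classify the DLP ICAP server's reply: 204 -> unmodified, allow;
    200 -> server replaced the request (typically a block page); other -> error,
    and the client must decide whether to fail open or closed."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"ICAP/1\.0 (\d{3})", lines[0])
    if not m:
        raise ValueError("not an ICAP/1.0 response")
    code = int(m.group(1))
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(b":", 1) for h in lines[1:] if b":" in h)}
    verdict = {204: "allow", 200: "modified"}.get(code, "error")
    return {"status": code, "verdict": verdict, "headers": headers,
            "encapsulated": rest}

# Constructed sample: a decrypted file upload as Inline SSL hands it to the client.
SAMPLE_HTTP = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Length: 22\r\n\r\n")
SAMPLE_BODY = b"SSN: 123-45-6789 test\n"
# Constructed replies a DLP ICAP server might send for that request.
SAMPLE_ALLOW = b'ICAP/1.0 204 No Content\r\nISTag: "dlp-policy-1"\r\n\r\n'
SAMPLE_BLOCK = (b'ICAP/1.0 200 OK\r\nISTag: "dlp-policy-1"\r\n'
                b"Encapsulated: res-hdr=0, res-body=52\r\n\r\n"
                b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n\r\n"
                b"f\r\nBlocked by DLP\n\r\n0\r\n\r\n")
```

A real client must also handle the ICAP Preview and 100 Continue exchange and a server timeout, which decides whether the session fails open or closed.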

  • In this deployment, the ICAP Client application and Inline SSL are deployed on the same HC Series node, but they run on two independent GS engines. This type of deployment is referred to as Inline SSL: Same Node. See Figure 1.

  • When the ICAP Client application and the Inline SSL application are integrated but deployed on different HC nodes, that deployment is referred to as Inline SSL: Different Node.

  • The ICAP Client application can also be deployed independently, that is, without integrating with the Inline SSL application, or receiving traffic for ICAP from a third-party solution; that deployment is referred to as Standalone mode.

  • You must have Nested Inline Network connectivity established between the ICAP source ports and the ICAP Inline tool ports, as shown in the topology diagram, before you start the configuration steps. This applies to all the ICAP deployment types mentioned above.

To learn more about this solution, read complete details on the Gigamon Community:

Enabling_ICAP_Client_Support_for_Connectivity_with_Network_DLP_Tool_Integrated_with_Flexible_Inline_SSL