I worked on a Symantec DLP project and gained some experience with it. This post reviews what I did and how I managed to install it in my home lab environment. It is not a step-by-step installation tutorial, since the Symantec documentation already explains the details well enough; it mostly lists all the related steps at a high level. I did record my screen showing what I did, what kind of issues I ran into, and how I resolved them. All of that is in those YouTube videos for future reference, which should be helpful if you have a similar lab project for Symantec DLP products.
The Symantec Data Loss Prevention suite is designed to meet the needs of large enterprises as well as small and medium-sized enterprises. The product covers a variety of areas, including endpoint data in use, network data in transit, and files and databases at rest. Symantec Data Loss Prevention addresses on-premises, mobile and cloud data and can be deployed on both physical servers (Windows Server, Red Hat Enterprise Linux and others) and cloud infrastructures such as AWS.
1. Download Installation Files from Symantec File Connect
You will need a serial number to download all DLP-related software from the Symantec File Connect web site: https://symantec.flexnetoperations.com/control/symc/registeranonymouslicensetoken
After you log in, you can choose the product and version you want to install.
Symantec DLP 15.5 File Connect Download Page
2. Decide DLP Installation Tiers
Symantec DLP Architecture Overview
2.1 Single-Tier
To implement the single-tier installation, you install the database, the Enforce Server, and a detection server all on the same computer. Typically, this installation is implemented for testing purposes.
2.2 Two-Tier
To implement the two-tier installation, you install the Oracle database and the Enforce Server on the same computer. You then install detection servers on separate computers. Typically, this installation is implemented when an organization, or the group responsible for data loss prevention, does not have a separate database administration team.
2.3 Three-Tier
To implement the three-tier installation, you install the Oracle database, the Enforce Server, and a detection server on separate computers. Symantec recommends implementing the three-tier installation architecture as it enables your database administration team to control the database.
In my lab, I chose two-tier for my testing, since it distributes computer resources across different machines and also makes installation easier than three-tier.
3. Install Oracle DB
3.1 Install Oracle 12c SE2.
3.2 Create the Symantec Data Loss Prevention database.
3.3 Create the database listener.
3.4 Configure the local net service name.
3.5 Create the Symantec Data Loss Prevention database user.
4. Install Enforce Server
4.1 Installing the Java Runtime Environment on the Enforce Server
4.2 Installing an Enforce Server
4.3 Verifying an Enforce Server installation
4.4 Installing a new license file (note: the license does not restrict you to the numbers you bought)
4.5 Importing a solution pack
5. Install Detection Servers
5.1 Installing the Java Runtime Environment on a detection server
5.2 Installing a detection server: Network Monitor, Network Discover, Network Prevent for Email, Network Prevent for Web, and the Endpoint Prevent and Endpoint Discover detection servers
5.3 Verifying a detection server installation
5.4 Registering a detection server
6. Install Endpoint DLP Agent
6.1 Downloading Endpoint DLP Agent
How Endpoint DLP works
6.3 Run the DLP Agent installer batch file
6.4 Confirm that the agent is running
7. Configure Policy and Response Rule
8. Discovery
How Storage DLP works
Command line to start and stop both DLP agent services:
sc start edpa && sc start wdp
sc stop edpa && sc stop wdp
Troubleshooting:
The EDPA and WDP services fail to start.
Manual attempts to start the services result in an access denied error.
| Network.NetworkConnector | Message : Failed to Query BFE service status.
| Network.NetworkConnector | Message : Failed to start BFE service, network connector will not start.
Solution: (https://support.symantec.com/us/en/article.tech246669.html)
The "Base Filtering Engine" (BFE) service must be running for the DLP agent to function. Without it, neither the EDPA nor the WDP service can start.
For a new install of the Endpoint Agent, the Install.log may not indicate any problems because BFE status is not checked during the installation.
After a successful installation, both the EDPA and WDP services default to the "Automatic" start mode and are running. Without BFE, both services default to the "Manual" start mode. The "Manual" start mode prevents the DLP network drivers from working. In addition, manual attempts to start the services fail with a permissions violation.
Set the Startup type for the "Base Filtering Engine" service to "Automatic" and start it.
Go to Control Panel > System and Security > Administrative Tools > Computer Management > Services. Double-click the service. On the General tab, change the startup type to Automatic.
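The same dependency check can be scripted so the agent is never started by hand with BFE stopped. The script below is an added example written for this post, not Symantec's code and not from the post's own material; it uses the service names quoted in the post (BFE, edpa, wdp), assumes an elevated PowerShell session on the endpoint, and the 30-second wait timeout is an arbitrary choice.

```powershell
# Added example (not from the original post): verify the Base Filtering Engine
# dependency, then start the Symantec DLP agent services in the post's order
# (edpa, then wdp). Service names come from the post; the timeout is assumed.

$Bfe    = 'BFE'            # "Base Filtering Engine" service name
$Agents = @('edpa', 'wdp') # DLP agent services, started in this order

function Get-RequiredService {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { throw "Service '$Name' is not installed on this host." }
    return $svc
}

# 1. BFE must be running and set to Automatic. Without it EDPA/WDP fall back
#    to Manual and a manual start fails with an access denied error.
$bfe = Get-RequiredService $Bfe
if ($bfe.StartType -ne 'Automatic') {
    Write-Host "BFE startup type is $($bfe.StartType); setting it to Automatic."
    Set-Service -Name $Bfe -StartupType Automatic
}
if ($bfe.Status -ne 'Running') {
    Write-Host "BFE is $($bfe.Status); starting it."
    Start-Service -Name $Bfe
    $bfe.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# 2. Start the agent services. A Manual start type on a fresh install is the
#    symptom described in the troubleshooting section, so restore the default.
foreach ($name in $Agents) {
    $svc = Get-RequiredService $name
    if ($svc.StartType -eq 'Manual') {
        Write-Host "$name startup type is Manual; setting it to Automatic."
        Set-Service -Name $name -StartupType Automatic
    }
    if ($svc.Status -ne 'Running') {
        Start-Service -Name $name
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
}

# 3. Report the final state of all three services so the check is auditable.
Get-Service -Name ($Agents + $Bfe) | Select-Object Name, Status, StartType
```

Run it once after installing the agent; if BFE is missing or cannot be started, the script stops before touching the agent services, which keeps the "access denied" symptom from masking the real cause.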
References:
- Symantec™ Data Loss Prevention Installation Guide for Windows
- Symantec™ Data Loss Prevention Oracle 12c Standard Edition 2 Release 2 Installation and Upgrade Guide
- Data Loss Prevention 12.5: Administration – Training Videos by Kyle Barnard
Appendices:
Symantec ATP (EDR) Appliance 8880 Rear View
Hello Netsec! Your job was incredible.
I have a question: if I want to move the database to another machine,
is it possible to do?
On the new machine, do I have to install Oracle Database and DLP, or only Oracle Database?
Awesome