You could also look at something like the Ironport, which includes some very basic DLP capabilities.
Broadly speaking, DLP is not a quick project. It could easily take a year to properly scope, evaluate, plan, test, and deploy. On Fri, Jan 27, 2012 at 11:01 AM, Kurt Buff <[email protected]> wrote: > For an email gateway to protect your Exchange infrastructure > (including antispam and antivirus), and which can be put in the DMZ, > there's an open source project called Maia Mailguard. Commercial > alternatives include Barracuda's offerings. > > On Fri, Jan 27, 2012 at 07:32, [email protected] <[email protected]> wrote: > > I am figuring on putting somekind of smtp/owa forwarding device in the > dmz. Leave Exchange 2003 or even 2010 out of the DMZ but off my core > tellering (SQL server) LAN as well just to apease them. > > > > VPN is currently Cisco anyconnect. I am going to add some kind of multi > factor and ACL to the firewall for those that do get access. As well the > software or agent that verifies windows updates and virusscan patching > prior to authentication. > > > > Looking at DLP now. Currently all I do is look at outgoing emails. So > anything more will be better. > > > > > > > > -----Original Message----- > > From: Kurt Buff [mailto:[email protected]] > > Posted At: Friday, January 27, 2012 10:04 AM > > Posted To: [email protected] > > Conversation: DLP, SIEM, Network Access Control, VPN multi factor > authentication, Moving Exchange into a DMZ > > Subject: Re: DLP, SIEM, Network Access Control, VPN multi factor > authentication, Moving Exchange into a DMZ > > > > DLP is way more than just restricting access to removable devices. > > http://code.google.com/p/opendlp/ > > > > VPN access restrictions such as you mentioned are a good thing. There > are open source two factor auth solutions. > > > > Exchange doesn't go in a DMZ > > > > On Fri, Jan 27, 2012 at 06:46, [email protected] <[email protected]> > wrote: > >> > >> > >> Ok, so we have had a NCUA IT audit and some of the recommendations are > >> as > >> follows: > >> > >> > >> > >> Data Loss Prevention (DLP) > >> > >> The Credit Union should have the the ability to use USB storage > >> devices, DVD, and CD drives turned off unless required. With some for > >> of alerting if a user is trying to use those devices without permission. > >> > >> > >> > >> Security Information and Event Management (SIEM) system > >> > >> The Credit Union should have a SIEM system in place to consolidate > >> logs from all devices and applications, encrypt those logs, have real > >> time alerting, and compliance reporting. > >> > >> > >> > >> VPN access > >> > >> The Credit Union should have Network Access Controls such as scanning > >> the connecting machine for correct configuration prior to allowing > >> access to the network, some kind of multi factor token or device, and > >> a more detailed access list on the VPN client area of the firewall. > >> > >> > >> > >> DMZ > >> > >> The Credit Union should move the Microsoft Exchange server into a DMZ > >> of the firewall or industry best practice for proxing email traffic > >> into and out of the DMZ to protect the Credit Union's internal network > >> if a breach occurs on the email system. > >> > >> > >> > >> With all of this being said, can you get me some vendor information > >> about about each of these areas. It can be freeware, it can be > >> appliances, it can be anything that is easily managable. > >> > >> And Management is looking for a quick turn around on this so > >> whitepapers and recommendations first. > >> > >> > >> > >> This is what I sent my software vendors. Did I ask the right questions? > >> > >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ > >> <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > >> > >> --- > >> To manage subscriptions click here: > >> http://lyris.sunbelt-software.com/read/my_forums/ > >> or send an email to [email protected] > >> with the body: unsubscribe ntsysadmin > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ < > http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to [email protected] > > with the body: unsubscribe ntsysadmin > > > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > > > --- > > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > > or send an email to [email protected] > > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to [email protected] > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
