|
Fortunately, this can be a pretty straightforward operation, though potentially time consuming. For starters, gather diagrams of the portions of the network that you are intending to protect. These diagrams should include all relevant routers, switches and servers, as well as their IP addresses and netmasks. Ideally the security team already has access to this information, or this project will take a lot longer. These diagrams are important so the company and the vendor have the necessary documentation in order to find the optimal place to install the DLP servers.
In addition to the network documentation, network access is necessary. The exact nature of the access will depend on how the company is deploying the DLP sensor. For a passive/monitoring-only deployment, you will need access to either a span port or network tap on the appropriate VLAN(s). This will enable the DLP sensor to monitor traffic without interfering with the traffic's flow across the network.
Alternately, for an active deployment, you will need a slightly different architecture. In this case, the network will actually be routing traffic through the DLP sensor. As such, work with the vendor and the networking team to find an agreeable routing protocol. In most cases, static routes will suffice.
Preparing the documentation and planning the network architecture ahead of time will not only speed up the deployment but also make it, ultimately, a more successful one.
For more information:
|
