Comparison of the Endpoint Prevent (Agent) Web monitoring vs Network Prevent for Web monitoring.

book

Article ID: 170410

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention Network Prevent for Web

Issue/Introduction

Before rolling out Data Loss Prevention (DLP) one might be required to make a comparison of the two types of monitoring when planning their required architecture.

Resolution

   Endpoint Prevent (Agent) Network Prevent for Web
KEY FEATURES Endpoint Prevent monitors and blocks confidential data from being transferred, sent, copied, or printed by desktop or laptop users.
• Monitors high risk protocols: email (SMTP/TLS), Web
(HTTP/HTTPS), IM, and FTP.
• Monitors nonstandard and proprietary protocols including BitTorrent and FastTrack®.
• Scales to hundreds of thousands of global network users.
Network Prevent for Web provides comprehensive protection for managed and unmanaged endpoints, including mobile devices that access the Web through your Corporate network.
• Corporate web protection for smart phones and tablets running Google Android, Apple iOS, BlackBerry, Windows Mobile.
• Cloud and social media protection for Salesforce.com™, Facebook®, Twitter®, YouTube™, and LinkedIn®.
• Hosted web and security services support for Symantec.cloud, Google Apps™, and Microsoft® Online Services.
• Exclusive enhanced web blocking seamlessly strips sensitive data from web posts.
• Broad integration support for existing enterprise web proxies and gateways.
MONITORS PROTOCOLS HTTP, HTTPS, FTP. HTTP, HTTPS, FTP.
HOW HTTPS traffic is monitored by in the web browser (IE/Firefox/Chrome/Safari) whereas FTP and HTTP traffic is monitored at network layer.
From version 14.6 the following browsers are configured to be monitored automatically once you enable the channel:
■ IE (HTTPS) on Windows endpoints
■ Firefox (HTTPS) on Windows and Mac endpoints
■ Chrome (HTTPS) on Windows and Mac endpoints
■ Safari (HTTPS) on Mac endpoints
Policies are sent from the Endpoint Prevent server (EPS) to Agent.
Traffic is sent from a Web Proxy to the Network Prevent for Web server using Internet Content Adaptation Protocol (ICAP) for in-line active Web request management. If it detects confidential data in Web content, it causes the proxy to reject requests or remove HTML content as specified in your policies.
Symantec Data Loss Prevention supports both the request modification (REQMOD) and response modification (RESPMOD) modes of ICAP. If you want to monitor requests as well as responses, use one Network Prevent for Web Server to monitor requests. Use a second Network Prevent for Web Server to monitor responses.
Policies are sent from the Enforce to the Network Prevent for Web detection server. 
WHEN Can monitor network traffic while on or off the corporate network.
When the endpoint agent is off the enterprise network (without VPN/remote access), the DLP agent will store violations locally in a secure repository that's encrypted and inaccessible to the user. The DLP agent will then connect with the management server next time it's accessible, receiving policy updates and sends incidents back.
Limited to the corporate network traffic.
USER NOTIFICATION Yes, a response rule notification UI pop up can be generated on the user machine by the agent to notify the user for Agent based detections but not for server based Two-Tier detections. Yes, a notification can be configured and send back to the proxy however it depends on the website configuration whether the notification can be displayed in the browser page which was blocked. This is a configurable option but Symantec has no control over the website technology so it is not guaranteed to work all the time.
REQUIREMENTS Agent must be installed and configured on a system meeting the minimum system requirements. Network Prevent for Web detection server must be installed on a server meeting the minimum system requirements.
A proxy must be configured and maintained by the customer to send traffic using ICAP to the server.
IMPACTS Monitoring DIM requires the local system's resources CPU and Memory. Despite constant processor and memory improvements, our endpoint agent is always in a delicate balance between maintenance tools and a user's productivity applications. The types of policies and number of compound exceptions can be resource intensive. Reduces losses on the Enterprise network from both managed and unmanaged systems, and servers and workstations.
POLICY CONSIDERATIONS Certain policy rules and exceptions require Two-Tier detection which must be done on the Endpoint Prevent server therefore this increases the time to completing of a detection as the Agent must send the data to the Endpoint Prevent Server for evaluation.
In all current versions the Endpoint agent cannot perform Exact Data Matching (EDM) due to the size of the EDM indexes therefore this must be performed on the Endpoint Prevent server which is called a Two-Tier detection. However this is being road mapped by Product Management as a longer term goal to achieve on the agent.
Other Two-Tier detection not supported on the agent are Content Matches Document Signature Form, Sender/User based on a Directory Form, Recipient based on a Directory Server Group, Recipient based on a Directory Form, Recipient based on a Directory Server Group. These are noted in KB: TECH220967 - What Rule Conditions Will Cause Two Tier Detection
All policies can be evaluated on the Network Prevent for Web server as it has more processing power and memory than an Endpoint Agent.