We are wondering how the Cisco Ironport S160 web filter can aid us in data loss prevention. One of the concerns is employee access to third-party e-mail services (Gmail, Yahoo, Hotmail, etc.). Now for the most part we have these web-based e-mail services blocked. However, there are some groups that need access, such as supervisors, executives, HR, etc. The concern is that when these users are out there using their web-based e-mail, there is nothing to stop them from leaking sensitive information. For in-house e-mail, we can control that via an Ironport C160 email security appliance.
Is it possible to have web e-mail opened up for certain people, but have the S160 do deep packet inspection on the web-based e-mail's form posts, and determine whether or not to allow that HTTP POST action to occur, or return a block message? I think it sounds like a long shot, but I know with today's technology some DPI is possible.
Let me know if this is a far-fetched idea or option, or if this is something we can easily configure on our current Ironport S160 web security appliance.
The built-in Ironport Data Security Filters, which can be enabled under GUI > Security Services > Ironport Data Security Filters, with policies then configured under GUI > Web Security Manager > Data Transfer Policy - Ironport Data Security, can be used for content blocking based on File Size, File Types, Custom Mime, and File name for traffic that uses HTTP, HTTPS and FTP.
For deeper and more specialized DLP, you will need to use External DLP Servers that can communicate with the WSA using the ICAP protocol. Define them under GUI > Network > External DLP Servers, and configure the policy in GUI > Web Security Manager > Data transfer Policy - External Data Loss Prevention.
More information is available in your GUI > Top right side > Support and Help > On Line Help > Search for DLP.
I suggest contacting a Cisco SE for further guidance on design and recommendations, especially for External DLP.
I hope this information helps you.
DLP is currently an "off box" facility... You can point your WSA at an external DLP solution that can take an ICAP feed. (RSA, Symantec, McAfee, and I'm sure a host of others have solutions...)
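To make the ICAP hand-off mentioned in the replies above concrete, here is an added sketch (not part of the thread, and not Cisco or vendor code) of an RFC 3507 REQMOD exchange: the proxy wraps a webmail POST, and the DLP side scans the form body and answers 204 (allow) or 200 with a block page. The host names, the sample POST and the detection pattern are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed rule (assumption): a classification marker or an SSN-shaped number.
SENSITIVE = re.compile(rb"CONFIDENTIAL|\b\d{3}-\d{2}-\d{4}\b")
# Constructed sample: headers of a webmail "send" form POST.
HDRS = (b"POST /mail/send HTTP/1.1\r\nHost: webmail.example.com\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n")

def build_reqmod(http_headers: bytes, body: bytes) -> bytes:
    """Proxy side: wrap an HTTP POST in an ICAP REQMOD request (RFC 3507)."""
    chunked = b"%x\r\n%s\r\n0\r\n\r\n" % (len(body), body)
    icap = (b"REQMOD icap://dlp.example.internal/reqmod ICAP/1.0\r\n"
            b"Host: dlp.example.internal\r\nAllow: 204\r\n"
            b"Encapsulated: req-hdr=0, req-body=%d\r\n\r\n") % len(http_headers)
    return icap + http_headers + chunked

def parse_reqmod(msg: bytes):
    """DLP side: split the message into (HTTP request headers, de-chunked body)."""
    icap_head, _, encapsulated = msg.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^Encapsulated:.*?req-body=(\d+)", icap_head)
    if not icap_head.startswith(b"REQMOD ") or m is None:
        raise ValueError("not a REQMOD request carrying a body")
    offset = int(m.group(1))  # byte offset of the body inside the encapsulated part
    http_headers, rest, body = encapsulated[:offset], encapsulated[offset:], b""
    while True:
        size_line, _, rest = rest.partition(b"\r\n")
        size = int(size_line.split(b";")[0], 16)  # raises ValueError if truncated
        if size == 0:
            return http_headers, body
        body, rest = body + rest[:size], rest[size + 2:]

def dlp_verdict(msg: bytes) -> bytes:
    """204 lets the POST through unmodified; 200 substitutes a block page."""
    _, body = parse_reqmod(msg)
    # Decode form encoding first so %2D or '+' cannot hide a match.
    text = unquote_to_bytes(body.replace(b"+", b" "))
    if not SENSITIVE.search(text):
        return b"ICAP/1.0 204 No Content\r\n\r\n"
    page = b"Upload blocked by data loss prevention policy.\n"
    http = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n") % len(page)
    head = b"ICAP/1.0 200 OK\r\nEncapsulated: res-hdr=0, res-body=%d\r\n\r\n" % len(http)
    return head + http + b"%x\r\n%s\r\n0\r\n\r\n" % (len(page), page)

if __name__ == "__main__":
    for form in (b"to=a%40example.org&body=Lunch+at+noon",
                 b"to=a%40example.org&body=CONFIDENTIAL+payroll+123%2D45%2D6789"):
        print(dlp_verdict(build_reqmod(HDRS, form)).split(b"\r\n")[0].decode())
```

For HTTPS webmail, the proxy only has a form body to hand to the DLP server if it decrypts the session first.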
We have a vendor coming in to do a demo of DLP. It's a little bit of everything: PC client, appliance that the Ironport web filter can talk to, IDS, etc.