roipaz, Cisco Employee

This integration connects Secure Access to your existing DLP solution so that events can be managed and remediated centrally.

What problem is this integration solving?
This integration addresses the need for customers who have deployed an on-premises Data Loss Prevention (DLP) server to gain visibility into web traffic managed by Cisco Secure Access. By integrating with Cisco Secure Access, the on-premises DLP solution can now monitor and detect data violations within the web channel, enhancing overall data security and compliance.

How do we integrate Secure Access with On-Premises DLP Servers?
Integration is done via a standard protocol called ICAP, which is typically used by network devices to offload tasks to specialized systems for content filtering, virus scanning, and data loss prevention. In our case, we use Secure ICAP to pass HTTP/S traffic that violates our DLP policy to your on-premises DLP server for additional DLP analysis and centralized event management.

How can you secure this communication channel?
First, we use Secure ICAP, which protects the communication channel by encrypting the traffic with TLS. Using the on-premises DLP server's certificate that the admin uploads via our dashboard, Secure Access authenticates the server before passing any traffic to it, so a man-in-the-middle cannot intercept or eavesdrop on the channel. Second, you can configure your inbound firewall to allow only traffic from Secure Access to the on-premises DLP server, which keeps the server's listening ICAP port from being exposed to anyone else.

Which IPs do customers need to whitelist in their firewall?

  • 50.18.191.74
  • 54.153.85.86
  • 54.90.48.200
  • 3.234.7.118

How can I integrate my on-premises DLP server?
You need to take two steps. First, you need to onboard your on-premises DLP server, and then you need to configure your Realtime DLP rules to forward traffic to that server. Configuration is done on a per-rule basis.

To onboard the server in the Secure Access dashboard, go to Admin > Authentication > ICAP.

After onboarding the on-premises DLP server via the ICAP section of the authentication management panel, you can enable traffic forwarding within each Realtime DLP rule through the rule section titled ICAP.

Which information is sent over ICAP to the On-Premises DLP server?
Secure Access sends the entire HTTP/S message, headers and body included. We also add custom headers that carry the user identity, the user's group memberships, and the client IP associated with the request: X-Authenticated-User, X-Authenticated-Groups, and X-Client-IP respectively.
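To show what the on-premises side receives, here is an added example (not Cisco's or any DLP vendor's code) that re-checks the peer address against the four Secure Access IPs listed above and parses an ICAP message carrying the three custom headers, using the RFC 3507 framing (Encapsulated offsets and a chunked body). It assumes Secure Access uses REQMOD; the ICAP URI, hostnames, user, groups and body are constructed sample values.

```python
import ipaddress

# Egress IPs listed in the article; the ICAP listener re-checks them beside the firewall rule.
SECURE_ACCESS_IPS = {"50.18.191.74", "54.153.85.86", "54.90.48.200", "3.234.7.118"}
# Custom headers Secure Access adds for user, group and client-IP attribution.
IDENTITY_HEADERS = ("x-authenticated-user", "x-authenticated-groups", "x-client-ip")

def is_allowed_peer(peer_ip: str) -> bool:
    """True only when the TCP peer is one of the published Secure Access addresses."""
    try:
        return str(ipaddress.ip_address(peer_ip)) in SECURE_ACCESS_IPS
    except ValueError:  # a malformed address is never allowed
        return False

def _headers(block: bytes):
    """Return (start line, lower-cased header dict) for an ICAP or HTTP header block."""
    start, *rest = block.decode("ascii").split("\r\n")
    pairs = (line.partition(":") for line in rest if line)
    return start, {name.strip().lower(): value.strip() for name, _, value in pairs}

def _dechunk(data: bytes) -> bytes:
    """Decode the chunked body that follows req-hdr in a REQMOD message."""
    out, pos = b"", 0
    while True:
        eol = data.index(b"\r\n", pos)
        size = int(data[pos:eol].split(b";")[0], 16)  # chunk size; extensions ignored
        if size == 0:
            return out
        out += data[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip chunk data and its trailing CRLF

def parse_reqmod(raw: bytes) -> dict:
    """Split a REQMOD message (RFC 3507 framing) into identity, HTTP request line and body."""
    icap_block, _, encapsulated = raw.partition(b"\r\n\r\n")
    start, icap_hdrs = _headers(icap_block)
    if not start.startswith("REQMOD "):
        raise ValueError("only REQMOD is handled here")
    # Encapsulated gives byte offsets into the encapsulated section, e.g. "req-hdr=0, req-body=76".
    offsets = dict(item.strip().split("=") for item in icap_hdrs["encapsulated"].split(","))
    hdr_start, body_start = int(offsets["req-hdr"]), int(offsets.get("req-body", offsets.get("null-body", 0)))
    request_line, _ = _headers(encapsulated[hdr_start:body_start])
    body = _dechunk(encapsulated[body_start:]) if "req-body" in offsets else b""
    return {"identity": {h: icap_hdrs.get(h) for h in IDENTITY_HEADERS},
            "request_line": request_line, "body": body}

# Constructed sample (not a capture): the message a blocked upload would produce.
HTTP_REQ = b"POST /upload HTTP/1.1\r\nHost: files.example.com\r\nContent-Type: text/plain\r\n\r\n"
SAMPLE = (b"REQMOD icap://dlp.example.internal/reqmod ICAP/1.0\r\nHost: dlp.example.internal\r\n"
          b"X-Authenticated-User: alice@example.com\r\nX-Authenticated-Groups: finance,all-staff\r\n"
          b"X-Client-IP: 10.20.30.40\r\nEncapsulated: req-hdr=0, req-body=%d\r\n\r\n" % len(HTTP_REQ)
          + HTTP_REQ + b"f\r\nssn=123-45-6789\r\n0\r\n\r\n")
```

The identity dict is what the DLP server should attach to its event so the violation is attributed to the user rather than to the Secure Access egress address.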

Does it send both monitored and blocked Realtime DLP violation events?
Yes, both monitored and blocked violation events are sent over the Secure ICAP API.

How do I get the ICAP server enabled in the on-premises DLP?
Consult your DLP solution's documentation and/or support to learn how to enable its embedded ICAP server. If the solution supports only plain ICAP and not Secure ICAP, you need to deploy a TLS termination component in front of your on-premises DLP server, for example Stunnel, a widely used open-source TLS proxy.

Where can I find more information?
Refer to the Secure Access documentation, in particular the Manage Secure ICAP guide.