Using external authentication servers

McAfee DLP appliances can work with registered LDAP servers and McAfee Logon Collector to retrieve user information and logon data. The data helps identify the users responsible for data loss incidents by name, group, department, city, or country.

McAfee DLP appliances can:

  • Get information from Active Directory servers and OpenLDAP directory servers that are registered with McAfee ePO.
  • Communicate with registered LDAP servers over SSL.
  • Synchronize with LDAP servers daily at the configured time.
  • Act on email and web protection rules that apply to specific users and groups.
  • Act on network communication protection rules that apply to specific users and groups (McAfee DLP Monitor).
  • Connect to Global Catalog ports instead of standard LDAP ports to retrieve user and group information when querying Active Directory.
  • Include user information in incidents so that you can see all incidents generated by a user, regardless of the McAfee DLP product that detected them.

McAfee Logon Collector records Windows user logon events and communicates the information to McAfee DLP appliances. McAfee DLP appliances can map an IP address to a Windows user name if no other authentication information is available.

What happens if the LDAP server is unavailable?

McAfee DLP appliances cache LDAP information. The cache updates every 24 hours, so temporary unavailability of the LDAP server does not affect the availability of McAfee DLP appliance services. If the cache update fails, McAfee DLP appliances use the previous cache. If no previous cache is available, the appliance performs an LDAP lookup to get the information.

When McAfee DLP Prevent needs LDAP group information to evaluate rules for a request or message, and LDAP is not configured or the server is unavailable:

  • For SMTP traffic — A temporary failure code (451) is returned so the message is queued on the sending server and retried.
  • For ICAP traffic — An ICAP status 500 code is returned that indicates the server encountered an error and was unable to analyze the request. You can configure your web gateway to fail open or closed when it receives an error from the McAfee DLP Prevent server.

For McAfee DLP Monitor, if McAfee Logon Collector or the LDAP information is unavailable, rules that refer to user and group information cannot be matched and incidents are not created. Your traffic flow is unaffected.

OpenLDAP and Active Directory servers

  • OpenLDAP and Active Directory produce different user schemas. Active Directory has a constrained set of parameters, but OpenLDAP is customizable.
  • OpenLDAP and Active Directory servers identify users by using different means of identification. Active Directory uses sAMAccountName, and OpenLDAP uses UID. LDAP queries for sAMAccountName are handled by using the UID property on OpenLDAP systems.
  • OpenLDAP and Active Directory servers also identify user classes by using different user attributes. Instead of the User object class, OpenLDAP uses inetOrgPerson, which does not support country or memberOf attributes.

Additional web protection authentication

When applying web protection rules, McAfee DLP Prevent can get user information from:

  • The X-Authenticated-User ICAP request header sent from the web gateway.
  • McAfee Logon Collector.

If a user name is supplied in the X-Authenticated-User ICAP header, it is used in preference to data from McAfee Logon Collector.

Tip: Using the X-Authenticated-User header is the recommended authentication method because it indicates that the web gateway has positively authenticated the end user. To set it up, you must perform some additional configuration on the web gateway. For more information, see your web gateway product documentation.

If the X-Authenticated-User header is not available, you can configure McAfee Logon Collector to provide additional authentication. McAfee Logon Collector is another McAfee product that monitors Windows logon events and maps an IP address to a Security Identifier (SID). To use McAfee Logon Collector, you must have at least one LDAP server configured, because the McAfee DLP appliance can query it to convert a SID to a user name.

When applying email or web protection rules, McAfee DLP Prevent evaluates group information from the user information. It ignores any X-Authenticated-Groups header value from the web gateway.

To select rules based on users and groups for McAfee DLP Monitor, you must configure McAfee Logon Collector.

Important: To obtain user or group information, you must have at least one LDAP server configured. The McAfee DLP appliance queries LDAP servers to get required attributes. For example, for McAfee Logon Collector, the McAfee DLP appliance uses the LDAP server to convert the SID to a user DN.

Supported authentication schemes

The McAfee DLP Prevent appliance supports the WINNT, NTLM, and LDAP authentication schemes to process the X-Authenticated-User header from the web gateway.

The McAfee DLP Prevent appliance expects the X-Authenticated-User header to be in one of these formats for Active Directory:

  • NTLM — NTLM://<NetBIOS_name/sAMAccountName>
  • WINNT — WINNT://<NetBIOS_name/sAMAccountName>

Note: NTLM with OpenLDAP is not supported.

With LDAP, McAfee DLP Prevent expects the X-Authenticated-User header to be in the format LDAP://<LDAP_servername/distinguished-name> for Active Directory and OpenLDAP.

Note: McAfee DLP Prevent uses the distinguishedName LDAP attribute to retrieve user details for web protection rules. Verify that your LDAP server exposes this attribute to ensure that the LDAP authentication scheme works correctly.
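The header formats above, parsed with the validation a practitioner would want before trusting the value, together with the documented precedence of the header over McAfee Logon Collector data. This is an added Python example, not McAfee code; the function names, the `directory` parameter and the case-insensitive scheme match are assumptions.

```python
# Added example (not McAfee code): parse the X-Authenticated-User header formats
# that McAfee DLP Prevent accepts and apply its precedence over Logon Collector data.
from dataclasses import dataclass
from typing import Optional, Tuple

SUPPORTED_SCHEMES = {"NTLM", "WINNT", "LDAP"}
AD_ONLY_SCHEMES = {"NTLM", "WINNT"}  # NTLM/WINNT with OpenLDAP is not supported

@dataclass(frozen=True)
class AuthenticatedUser:
    scheme: str            # NTLM, WINNT or LDAP
    realm: str             # NetBIOS name (NTLM/WINNT) or LDAP server name (LDAP)
    identity: str          # sAMAccountName (NTLM/WINNT) or distinguished name (LDAP)
    lookup_attribute: str  # directory attribute the appliance would match on

def parse_x_authenticated_user(header: Optional[str],
                               directory: str = "active_directory") -> Optional[AuthenticatedUser]:
    """Parse the header, or return None when it is absent or not usable.
    directory is "active_directory" or "openldap" (assumed parameter); the scheme
    is matched case-insensitively (assumption; the page shows it in upper case)."""
    if not header:
        return None                                # absent: fall back to Logon Collector
    scheme, sep, rest = header.strip().partition("://")
    scheme = scheme.upper()
    if not sep or scheme not in SUPPORTED_SCHEMES:
        return None                                # e.g. "Basic jsmith" or an unknown scheme
    if scheme in AD_ONLY_SCHEMES and directory != "active_directory":
        return None
    realm, sep, identity = rest.partition("/")     # first "/" separates realm from identity
    if not sep or not realm or not identity:
        return None
    if scheme == "LDAP":
        if "=" not in identity:                    # a DN always carries attribute=value pairs
            return None
        attribute = "distinguishedName"
    else:
        if "/" in identity:                        # sAMAccountName cannot contain "/"
            return None
        attribute = "sAMAccountName"
    return AuthenticatedUser(scheme, realm, identity, attribute)

def resolve_user(header: Optional[str], logon_collector_user: Optional[str],
                 directory: str = "active_directory") -> Optional[Tuple[str, str]]:
    """A usable header wins; otherwise use the Logon Collector IP-to-user mapping."""
    parsed = parse_x_authenticated_user(header, directory)
    if parsed is not None:
        return ("X-Authenticated-User", parsed.identity)
    if logon_collector_user:
        return ("McAfee Logon Collector", logon_collector_user)
    return None
```

The sample values in the test inputs (domain CORP, server ldap.example.test, user jsmith) are constructed for illustration.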

Use case

You want to configure a web protection rule that blocks uploads of PCI data for all users in a department apart from one.

  1. Register with McAfee ePO the Active Directory server that contains the user account of the employee that you suspect.
  2. Set up McAfee Logon Collector.
  3. Create a web protection rule that looks for web requests from users in the group GROUPNAME matching a classification.
  4. Create an exception for user USERNAME.
  5. Set the reaction to Block.
  6. Monitor the DLP Incident Manager for incidents sent by the user that contain the component name.