
SESA 300-720 Notes


thegreek1


These are my own notes based on the official Cisco course

 


1.2 - Cisco Email Security Appliance Overview:

 - Talos scans and tracks threats on the internet as well as in mail.
 
SMTP Conversation & ESA Pipeline (1.5 and 1.6)

MTA = email gateway or software agent sending mail from one to another; ESA is an MTA
Groupware Servers = accept, forward, deliver, and store messages on behalf of the users (MS Exchange/POST)
SMTP Server = receives connection requests
SMTP Client = initiates connections to the server
Mail User Agent = software client applications such as Outlook
MX record = located on the DNS; how emails are routed, points to the servers receiving emails
A record = host record, DNS entry specifying the IP address of the MTA
 
1) MTA does a DNS lookup to find the domain (MX record), followed by the A record request
2) MTA receives the email and sends it out to the destination MTA server
   - perform a 3-way handshake (SYN, SYN-ACK, ACK) at layer 4
   - at layer 7 you have 2 envelopes
    a) envelope - introduces the 2 MTAs to each other, and introduces the sender hostname and the from and to email addresses
   - the header and body are basically the actual email but separate items
    b) headers  - data gives you the source email, destination email, subject, and date
                - you could also add x-headers to further identify the email, such as searching for anything with antivirus
    c) bodies   - has the email content, followed by a dot on its own line
   - codes 2xx = go on, 3xx = pending/temp problem, 5xx = permanent error/give up
   - code 220 means service is ready
   - code 221 means service closing
   - code 250 means everything has worked and email was delivered
   
EMAIL PIPELINE: Literal

  SMTP SERVER              WORK QUEUE                       SMTP CLIENT
  Host Access Table        LDAP RCPT Accept (WQ)            Encryption
  Received Headers         Masquerading (Table/LDAP)        Virtual Gateways
  Default Domain           LDAP Routing                     Delivery Limits
  Domain Map               Message Filters                  Received: Header
  Recipient Access Table   (per-policy scanning)            Domain-Based Limits
  Alias Table                Anti-spam/Anti-virus           Domain-Based Routing
  LDAP RCPT Accept           Adv. Malware (AMP)             Global Unsubscribe
  SMTP Call-Ahead            Graymail, Safe Unsubscribe     S/MIME Encryption
  DKIM/SPF Verify            Content Filtering              DKIM Signing
  DMARC Verify               Outbreak Filtering             Bounce Profiles
  S/MIME Verify            DLP Filtering (outbound)         Message Delivery
 
 ACCEPT MAIL => SMTP => PROCESS MAIL => Quarantine => SMTP Delivery => DELIVER MAIL
 
1.7 Installation Scenarios:

 Overview:
 - Behind the FW (listeners are SMTP daemons)
    1) one-listener configuration
    2) two-listener configuration (inbound and outbound interfaces)
 - Multiple ESAs via clustering
 - redundancy with NICs
 - incoming email: accept for local domains
 - outbound email: routed by the internal server to the ESA and then to the internet
 - only one working interface is required!!
 
 Internet <=> FW <=> ESA <=> GROUPWARE SRVS <=> Client; best practice is to place the ESA in the DMZ
 
 - use OOB mgmt: the mgmt port would handle config & reporting and Data1 would handle the mail flow.
 - SMTP delivery has separate queues for each domain instead of listing all email in one queue
 - configurable via OOB, SSH, or in the web GUI to run the wizard (192.168.42.42/24 for mgmt or data1 port)
 - Cisco Content Security Management Appliance (SMA), external off-box to centralize spam, message, and reporting tracking.
 - centralized configuration is done via clustering.
 - can have 2 separate listeners on 2 logical IPv4 or IPv6 addresses on separate physical interfaces.
   segregates incoming and outgoing traffic. you will need to have 1 port facing inbound to the MTA and 1 port facing outbound (internet)
 - must configure an OOB/Management interface for configuration (Data1)
 - all inbound connections pass through the work queue (filters/spam/etc.) and then onwards to direct queues for each domain
 
 
 -------------------------------------
 
 2.2 Administration of ESA
 
 - Monitor. That is where you go to monitor the device, get your reports, track messages,
   and also, as an administrator, look at your quarantines.
 - Security Services. That is where you go to enable the big features. So let's say antivirus: you would go under Security Services, under Antivirus,
   and from there you would enable Sophos and/or McAfee.
 - Mail Policies menu is where you go to fine-tune those features that you enabled under Security Services.
   For example, after you enable antivirus, you come back to the policy menu and specify either McAfee or Sophos
 - Network menu: set up the interfaces, routing, and DNS (CLI etherconfig) ** L2 and L3 are separate **
    a) we have layer 2 - the actual interface/physical port
    b) we have layer 3 - the IP interface (IPv4/IPv6 address)
    c) we have layer 4 - the listener, to configure the ESA to send email (SMTP); associates interfaces to SMTP (e.g. inside will be
       private and for outbound emails) and inbound email will listen on port 25 on a public interface
    d) we have 3 types of interfaces: data1, data2, management.
 - System Administration: use the trace tool, logging, upgrades, backups, etc.
   a) start / stop processes
   b) users means your admins for the ESA; 6 levels of roles, or you can customize
   c) system setup / wizard
   d) license and software upgrades. updates come directly from Cisco or get them from an SCCP server
   e) use plain passwords/phrases for the backup files, as in the case of an RMA device it will not understand the salted hash
 
 
 -------------------------------------
 
 2.4 Administrating the Cisco ESA appliance (managing and monitoring via CLI)
 
 - use the CLI to monitor the email pipeline, tail/grep messages as well as system resources. ** tophosts shows a list of 20 recipients
  in the outbound queue **
 - suspend receiving email with suspendlistener, good for troubleshooting ** this is a manual command and won't enable itself after reboot **
 - etherconfig:
    a) pairing - joining multiple ethernet ports, almost like a failover, with the VLAN connecting to the primary interface.
    b) vlan - connects to more subnets than physical interfaces
    c) loopback - great for stuff behind a load balancer
    d) media - port settings
    e) mtu - MTU interface adjustments
    f) multicast - accept/reject ARP replies with multicast addresses
 - in order for changes to take effect, you must commit the changes you submitted (save changes to the cfg)
 - to revert changes, you must click on Commit Changes and on the next window you revert the changes

 -------------------------------------
 
 2.4 Administrating the Cisco ESA appliance Using Email Security Monitor
 
 - create reports in CSV or XML format and monitor all the domains you host.
 - track messages => check when or where to find out if the email was received and sent out
   (to find out why the client is refusing the connection); you could get more granular, and in advanced options you could drill down
   even further (e.g. anti-virus)
 - can be done locally or centrally on the SMA; ESAs send all the metadata to the SMA
 - log subscriptions (mail log is the most important) as you could get inbound, message queue, and outbound logs
 - can be forwarded to a SIEM, using FTP/SCP push to a remote server
 - mail log is a great place to start your troubleshooting by using the tail or the grep command. you see the IP and reverse DNS on the IP,
  view if it is a good/bad actor, accept the TCP session
 - connection ID refers to the conversation and message ID is the message itself; then the message is looked at in the work queue,
  after which the ICID 143 connection to the SMTP server is closed

----------------------------------------

 3.2 Controlling Sender and Recipient Domains - Public and Private Listeners
 
 - Listeners on port 25 (SMTP daemon/server) are part of the network configuration and are referenced by the port
   data1, data2. Basically naming the interface such as inside/private vs outside/public etc.
 - all L3 interfaces are referred to as the IP interface; this binds the IP to a physical interface. all L2 are physical interfaces, all L4 are listeners
 - basically used for granularity on your security policies
  a) public:  receives emails typically from the internet. exceptions are when you have 1 physical interface which acts as both
  b) private: receives emails from the internal email servers
 - alias tables are used for redirecting messages to one or more recipients.
 - virtual gateways ensure reverse DNS lookups will always match the sender's IP address

----------------------------------------

 3.4 Controlling Sender and Recipient Domains - (HAT) Host Access Table Part I: Sender Groups
  - basically controlling who can send you email, in the sender reputation section at layer 4
  - each listener has its own HAT table
    a) public:  block, accept, throttle (would relay in a 1-listener scenario)
    b) private: relay traffic (points to internal email server (Postgre, Exchange, etc.))
       by default the only restriction is ANTIVIRUS, but others can be enabled.
  - the HAT includes sender reputation, connection throttling, SPF/DKIM/DMARC, and DNS verification
  - happens at the start of the incoming TCP session (Mail Policies menu); during the TCP 3-way handshake the traffic
    will be assigned to a sender group
  - 2 parts of the HAT table: sender groups, which associate senders in a group, and mail flow policies (parameters) applied to the groups
  - matches the IP address of the MTA to a sender group
  - relaylist, whitelist, and blacklist are lists of domain names and IP addresses which are manually added to each list
  - blacklist can have both domain and IP addresses listed in them. they also include suspect lists based on their reputation score
    from Talos.
  - from -10 to -3 we reject, -3 to -1 we accept and add limitations, -1 to +10 we generally accept. and this is done during the 3-way handshake
  - with emails coming in that are suspect, the ESA checks the actual domain to see if it is one of our own managed domains.
  - sender verification features: recipient's address and connection hosts.
 
----------------------------------------

 3.4 Controlling Sender and Recipient Domains - (HAT) Host Access Table Part II: Mail Flow Policies
 
  - after the email gets into the sender group, mail will be tossed into the email pipeline for actioning
  - IP/email server consults with Talos to determine the mail flow policy and assign it connection controls
  - Mail Policies => Mail Flow Policies
  - part I deals with associating the senders into a group, part II will assign the mail flow policies
  - direction of email: accept = incoming, relay = outgoing
  - 2 listeners: incoming and outbound listener (relays emails from the Exchange box)

   SBRS score   HAT (PUBLIC)                  HAT (PRIVATE)                  MAIL FLOW POLICY (inbound)
                sender group   policy         this group   use this policy   throttled  antispam  antivirus
                                              RELAYLIST    RELAYED           no         no        yes
                WHITELIST      TRUSTED        ALL          BLOCKED           no         no        yes
   -10 to -3    BLACKLIST      BLOCKED (Talos; cannot delete default entries but can edit them)
   -3 to -1     SUSPECTLIST    THROTTLED                                     yes        yes       yes
   -1 to +10    UNKNOWNLIST    ACCEPTED                                      no         yes       yes
                ALL            ACCEPTED                                      no         yes       yes

 - if you have 1 relaylist in the HAT (sender group) it usually means that you have 1 listener
 - HAT is processed from top to bottom
 - nothing should fall in the "all" group; the exception is when a new mail server goes live, Talos assigns them a No Score,
   typically you would put them in the suspect list.
 - if a sender has a bad reputation and you have their emails blocked, you need to adjust the HAT and add the IP/domain name to the whitelist;
   if you have 2 listeners you will need to add IP/domain names to the relaylist including all internal email servers.

 3.5 Controlling Sender and Recipient Domains - Recipient Access Table Overview
 
 - previously we were always talking about receiving emails; now we are checking the TCP handshake and it checks the sender group or relay server
   to see where the email is coming from.
 - The Recipient Access Table is about delivering, to decide if we should talk to the sender's email.
 - the envelope is sent to the recipient and it checks to see if the email should be sent to the end users
 - GUI: Mail Policies > Recipient Access Table, or CLI listenerconfig
 - you need to update the RAT with the domain name and all internal email servers/domains that are allowed.
 - afterwards, you need to SMTP route the email; the route table is configured as domain_name/route (Network > SMTP Routes)
 - priority is how to send the email to the servers, in round-robin mode (same priority), and a DR site can have a higher priority
 - destination controls to use rate limiting; this is the preferred way to pass emails to older MTA servers
 - need to configure a RAT on the public-facing listener to accept the emails and have an SMTP route to the destination email server
   ONLY FOR THE PUBLIC LISTENER.
 - for outbound emails we will be using the HAT on the public and private listeners. the HAT isn't needed and it will just relay the traffic
   THIS WILL ONLY BE ON THE PRIVATE LISTENER.


 4.2 CONTROLLING SPAM WITH TALOS SENDERBASE AND ANTI-SPAM
 
 TALOS SenderBase: (spammer list)
  - control spam at the beginning with SenderBase reputation scores between minus 10 and plus 10
  - we are actually controlling who can connect, i.e. establish a TCP port 25 connection on our listener.
  - Talos also looks at the message for malware or viruses
  - also integrates spam complaints received by the SpamCop server and other DNS-based block lists.
  - keeps a list of IP addresses of the senders; they also ask the customers for telemetry, which sends
    the metadata of the sender, timestamp, location, virus name.
  - minus 10 to minus 3 considered spammers > do not accept their connection by default  | block/blacklist
  - minus 3 to minus 1 considered suspect > accept by default but adds throttling  | suspect list
  - minus 1 to plus 10 is considered unknown > doesn't mean the email is clean; filtered by AV and dynamic spam  |
  - whitelist is where you put a list of trusted senders; it will not do any dynamic spam but AV is always active.
  - lookup to the Talos DB starts with the first TCP SYN packet requesting the score.
  - you can adjust the SenderBase reputation score within the HAT
  - by default with no score the ESA will accept the email; this will fall under ALL, only using AV / AS (antispam)
  - edit the suspectlist within the HAT and check off SBRS scores of none.
  - SBRS strategies
    a) conservative: block messages with lower than -7 and -2, default is -2 to +6
    b) moderate: lower than -4 and 0, default is 0 and +6
    c) aggressive: -1 and 0, default is 0 and +4
 
 4.3 CONTROLLING SPAM WITH TALOS SENDERBASE and Anti-Spam - Anti-Spam
  - what happens when you are the first victim of the spammer, where the spammer's IP has not been documented
  - the Anti-Spam is assigned to the work queue inside CASE (content adaptive security engine), which is actually one engine;
    this will do 3 checks on the CASE blade: checks for a, graymail, and outbreak filter
  - CASE is a dynamic spam filter.
  - 2 places to control the spam: 1) SenderBase rep score (HAT) 2)
  - The anti-spam here is dynamic spam analysis trying to read the message. It's also referred to as IPAS. Sometimes, depending on the documentation you're reading,
    they might talk about IPAS, which stands for IronPort Anti-Spam. So it's a dynamic analysis trying to deduce if that email is spam or not.
  - If the email has not been flagged to skip spam, let's say the email arrives and it's throttled, then the email will be
    checked by my message filter
  - So when we're dealing with anti-spam, when you go under Security Services, there are two things you can turn on. There is the IPAS that I mentioned earlier, anti-spam filtering.
    And there's also an additional feature, which is Cisco Intelligent Multi-Scan filtering.
  - must turn on spam under Security Services, and enable IronPort Anti-Spam.
  - tweak the mail flow policies to add the IronPort spam list, by defining the anti-spam policies (positive/suspect spam is set to drop)
    and be dynamically discovered.
  - do not change the threshold, to avoid skewing the results.
 
 4.4 CONTROLLING SPAM WITH TALOS SENDERBASE and Anti-Spam - Graymail
  - graymail is in the work queue after CASE, AV, AS, and it is part of CASE (one engine)
  - comes from a legitimate sender with an unsubscribe link in the body of the message. (detection is free, unsubscribe is a paid service)
    when the message is marketing, social network, and/or bulk email... it will be delivered.
  - need to enable the policy and fine-tune the graymail settings
  - how to make the unsubscribe safe: it must be turned on in the graymail settings (paid service) and prepend the email subject line
  - when unsubscribe is enabled, it will have the unsubscribe button from the original email and the Cisco button; the unsubscribe is checked against
    a good or final list and the ESA will take care of the removal of the subscription
  - if the unsubscribe email is malicious, then the link is removed
 
 4.4 CONTROLLING SPAM WITH TALOS SENDERBASE and Anti-Spam - Protecting Against Malicious or Undesirable URLs
 - CASE also checks for malicious content and the URLs within that content via the outbreak filters for in/outbound emails
 - outbreak filters are further down on the work queue list; this is based on URL category lists
 - for unknown clickable links that bypass the outbreak filtering categories, and content filters based on business needs (e.g. hacking)
 - this is applied to the incoming mail policies
 - URL filtering evaluates: http, https, www, domain, or IP address.
 - you could also use a WSA (proxy server) which gets updates from Talos for reputation scores. this will also prevent users from going to
   valid servers that have been infected/compromised.
 - actions on the message as a whole - drop/quarantine
 - modify URLs: in the message with text and disable the URL
 
 4.5 CONTROLLING SPAM WITH TALOS SENDERBASE and Anti-Spam - File Reputation Filtering and File Analysis
 - AMP overview (Advanced Malware Protection), which is after AV and AS and queries the cloud to check the file against other attachments
 - The file reputation service is in the cloud. The file analysis service has options for either public or private cloud (on-premises).
 - AMP is offered in a cloud or internal server, which is a sandbox environment. the file will be turned into a SHA-256 hash
 - 2 parts of AMP:
   a) file reputation: the file is checked against the cloud for a reputation score. answers are clean, malware infected, and unknown.
      unknown is then run against the ClamAV engine, which is part of your ESA, and run against the file to check for malware if the results are unknown.
      the ClamAV will check for known malware markers.
   b) file analysis: CALCULATES THE FILE SHA-256 HASH. PX Threat Grid
      if it still remains unknown it is passed to the cloud sandboxing environment and run against
      multiple scanners. a score is returned afterwards and the email is placed into quarantine until the check is done;
      this will be done automatically.
 - RETROSPECTIVE VERDICT
 - when a previously good file is found to be malware then the reputation score is updated and it sends an administrative alert
 - file upload criteria: the file meets the upload criteria if attachment size <= 100 MB and supported file types.
      attachment contains dynamic content (macros in Excel)
 - is the queue full? is Threat pxGrid reachable? is the file uploaded already, and the attachment goes into quarantine? a score is returned back to the
   ESA.
 - once we receive the score back from Threat Grid it is the verdict and the file is rescanned
 
 4.6 CONTROLLING SPAM WITH TALOS SENDERBASE and Anti-Spam - Configuring AMP
 - it is applied on a per-policy basis using Cisco Threat Grid (Email Security Manager)
 - takes action against all the unknown files and uses quarantine space while they are processed
 - verdicts are either clean or malware and the local ESA rescans the file
 - 1st check for the license, and which Threat Grid, either locally or in the cloud, and file size
 - file reputation filtering configuration is enabled in the Security Services menu.
   specify the file types to be sent to the sandbox (PDF, Open XML, OLE, EXE, and others).
 - configure the score time, for which the score is kept in the cache
 - apply the actions based on unscannable emails; prefer to drop and quarantine the file
 - RETROSPECTIVE VERDICT: ESA queries the AMP cloud every 15 min; admin can get email from ESA on AMP disposition changes
   System Administration > Alerts > alert recipients, add recipient, under AMP, set level to info

 4.7 CONTROLLING SPAM WITH TALOS SENDERBASE and Anti-Spam - Bounce Verification:
 - it is some protection from overwhelming the ESA with bounced email errors.
 - this is within the SMTP client and it is tied to connection throttling.
 - ESA adds a watermark (tag) to the msg, and if we get a bounce message, we look for it when we get it back.
   ESA inserts the tag and creates a hash that is inserted after the name and before the @domain.name
   outbound mail: <cr> From: [email protected], then the bounce message    Bounce Message: RCPT: [email protected]
 - it is a flood protection mechanism and helps prevent a threat actor from launching a DoS attack (bounce attack);
   one form of the attack is a hacker using a spoofed email header.
 - need a valid tag on the outbound message, and if a message comes back the watermark/tag is either valid (delivered) or invalid (dropped)
   
 inside the envelope after the xxx code from the source MTA hosts
        MAIL FROM: <[email protected]>    WATERMARKS
        250 sender <[email protected]>     WATERMARKS
        RCPT TO: <[email protected]>
 HEADERS will include:
 - From: Joe Dude <[email protected]>
   To: Sam Snakeskin <[email protected]>
   Subject: overslept again!
   data ........
 BODY OF THE MESSAGE
  - message
    . (ends email message)
    250 ok.
    
4.8 LAB Advanced Malware in Attachments
 - via the GUI: check the feature keys installed => System Administration => Feature Keys
   go to Mail Policies => Incoming Mail Policies, select the feature and then enable
 - via CLI: SHOWLICENSE
 - Always enable any Dormant / Not Available
 - step 1:
    Description: Mail Policies > Incoming Content Filters and click Add Filter.
    Conditions: configure the filter Conditions and Actions: add file types (e.g. MS Office and OLE file types)
    Action: strip attachment by macro
 - step 2:
    enable content filters customized settings inside of Mail Policies => Incoming Mail Policies
 - step 3:
    - validate that the device is processing the messages using tail mail_logs
    - send a test email
    - review Monitor => Macro Detection and show details
    
    
 5.0: USING ANTI-VIRUS AND OUTBREAK FILTERS - AV Scanning Overview
 - either Sophos or McAfee, done after anti-spam, and puts a temporary hold on the message while placing it in quarantine.
 - These are focused rules published on what is in quarantine
   a) McAfee supports encryption and polymorphism, detects particular types of viruses and unwanted software, does not support heuristics
   b) Sophos: uses classifiers (where to look) and a virus DB, pattern matching, heuristics, emulation detection methods.
   c) both can repair (disinfect the infected file)
 - ESA supports multiple scanning engines and dual scanning
 - IPAS scans it first and looks for any dynamic content, and this is done on the first TCP SYN packet.
   any new messages that are not in the database will also pass these markers
 - can be applied per incoming mail policy
 - scan settings include:
   - scan, scan and repair, drop attachment, and/or add a header
   - results include: could not scan (encrypted, unscannable, and unable to repair)
   - actions: drop, deliver, deliver with attachment, and quarantine.
 - default unscannable timeout is 60 sec to force an update (Sophos)
 *** SOPHOS SENDS DB TO TALOS AND THEN FROM TALOS TO THE ESA ***
 *** ALWAYS TRY TO SCAN AND REPAIR RATHER THAN DELIVER ***
 - Quarantine messages can be used and an email is sent to the admin
 
 
 5.6: USING ANTI-VIRUS AND OUTBREAK FILTERS - OUTBREAK FILTERS
 - last step in the email pipeline work queue; rules are published by Cisco SIO, where they monitor global traffic patterns
    to determine if the message is a threat or not.
 - VIRAL threats are never published until a filter is ready to deploy.
 - used when nothing gets caught by all other scanners or for a new MTA IP address
 - often used for Cisco zero-hour and malware protection; Talos notifies the ESA and asks you to quarantine the message
 - it uses 4 categories *** UPDATES EVERY 5 MINUTES ***
    a) virus
    b) phishing
    c) malware distribution
    d) non-viral threats
 - tactics to protect the users
    a) delay
    b) redirect
    c) modify
 - rules to detect outbreaks
   a) adaptive rule: based on past outbreaks; they are not updated as often as outbreak rules
      - mismatches, spaces in filename, multiple extensions, suspect headers, and SenderBase virus score
   b) outbreak rule: updated more often
      - based on attachment file type, file keywords, file size, encrypted files, URLs and Sophos AV engines.
      - working with updated filters: the msg does not match a signature, the appliance releases rule-v1 to raise the threat level;
        rule-v2 matches all files over 36 KB and quarantines them; rule-v3 says that for files between 50-55 KB with "price" in the filename
        the ESA will quarantine the msg; Sophos and McAfee release matching virus patterns; with rule-v4 the file will be redirected to be
        rescanned.
 - threat levels are none, low, low/medium, medium, high, and extreme

5.7 USING ANTI-VIRUS AND OUTBREAK FILTERS - HOW THE OUTBREAK FILTERS FEATURE WORKS
 - under the mail policies, you can specify the length of time in quarantine; default is 24 hrs/1 day,
   and it gets released after 24 hrs.
 - outbreak filters will always take note if messages are bypassed by AV and AS
 - by default AV is enabled and CASE (one of its 3 blades) is recommending the default times.
 - CASE kicks in with what is called here Enable Message Modification, but actually what it is is threat outbreak.
   it will look at the content of the body of the email (URL)
 - to check outbreak filters go to Security Services -> Outbreak Filters and look at what updates you got. always note that a level 3 and file extension
 - quarantine retention length is based on viral outbreaks and non-viral updates
 - updates are automatic via outbreak filters reports, overview and rule listing, quarantine under the Monitor menu.
 

6.2 Using Mail Policies - Cisco Email Security Manager Overview

 - this is part of the per-policy scanning within the bottom half of the work queue:
   CASE, AV, file reputation, file analysis, grayware, content, outbreak, AMP, graymail, and DLP
 - monitors incoming and outgoing mail policies and content filters,
   via the GUI or policyconfig on the CLI, and they are defined based on email addresses, email domains (send and receive), or LDAP queries
 - each department can have its own unique email policies
 - can be a sender or recipient; policies are run from top to bottom, and from left to right in order. note per-recipient msg: messages
   will splinter if the msg needs separate policies.
 - outgoing and incoming email will have different actions applied
   a) incoming applies to match an ACCEPT connection behaviour in the HAT
      Mail Policies => Incoming Mail Policies and match the user group.
   outgoing mail policies need a RELAY within the HAT OR SMTP AUTH
 - TCP-REFUSE IS BASED ON GEOGRAPHICAL LOCATION (COUNTRIES) and is for inbound mail
 - RECIPIENT MATCHES RCPT TO:
   SENDER MATCHES MAIL FROM, FROM, REPLY-TO:
 
6.6 Using Mail Policies - Matching Users to a Mail Policy

 - traffic will be filtered by the policies and each group will have a different policy profile.
 - user matching: will need to list all the users in the sales department, or use AD to manage the lists.
   this will be done by the policy matching based on the envelope's RCPT TO: (user)
   this could be on the sender's envelope MAIL FROM, header From, header Reply-To:
   based on defined LDAP groups, in/outbound mail policies, default mail policies, groups of users, and content security
 - define the senders as full email, partial email, full or partial domain, or LDAP query
 - MUST HAVE ONE SENDER AND RECIPIENT FOR THE MAIL POLICIES
 - RECIPIENT WILL MATCH ON THE
 - The envelope MAIL FROM will always take precedence
   e.g. gmail / yahoo going to the CEO/VIPs will have different rules
   the finance group will have their own list as well and it will query AD or LDAP
 - order is important, e.g. julie sends an email to sam but the message is dropped by the zip filter or whatever is in the
   rules (AS, AV, content filters)
 - message splintering: when an email goes to 2 different users that are in different groups/policies (e.g. one CFO and another finance)
 - ESA will copy/clone the email and each copy will go to the different users.
 - to see if any messages were splintered, look inside the message tracking system; you will see that message XX was split creating
 
 
7.2 USING CONTENT FILTERS - CONTENT FILTERS OVERVIEW

 - Content filters customize handling of messages beyond the standard routine handling by the other content security
   features such as anti-virus scanning or DLP - applied on the incoming/outbound messages before anything else.
   This is done pre-splintering. you could also filter based on message body or attachments.
 - 2-step process: 1) incoming 2) incoming. you need to create it and apply it to the policies.
 - ESA has a separate primary list of content filters and determines the order the appliance will execute
 - must be done on a per-policy basis, and you must create the filter and then apply it to each policy.
   The 3 terminal or final actions (drop, bounce, deliver)
 - Content filters have the following components
     - Conditions: that determine when the appliance uses a content filter to scan a message (optional) - IF (body of the message)
     - Actions: that the appliance takes on a message (required) - THEN
     - Action variables: that the appliance can add to a message when modifying it (optional)
 - 1 action must be defined for each content filter and only 1 final action may be defined, listed last on the filter
 EXAMPLE CONTENT FILTERING - NAME OF POLICY
         CONDITIONS  - Message body/Attachments rule = body-contains "ssn", 1 (at least 1x) OR CONFIDENTIAL etc.
         Actions     - ADD disclaimer text
                     - notify < copy to email addresses/groups >
                     - quarantine < set message in penalty box > <<<< THIS IS THE FINAL ACTION
 - Well, the first notable difference that comes to mind for me is that the message filter, as you will see in a later recording, is done by the CLI only, where the content filter
   we usually do in the GUI. It could be done at the CLI, but usually we do it in the GUI.
 - msg arrives on the receiver, and the email is checked for reputation, the IP addresses, then moved into the work queue


7.6 Using Content Filters - Text Resources Overview.
  Content Dictionary:
    - define 100 content dictionaries (dictionaryconfig)
    - group of words or entries to work with the body scanning features.
    - scan messages, message headers, and message attachments
    - for profanity words contained in the list: drop, archive, or quarantine the message
    - for image analysis it may show as enabled but you must edit settings and accept the disclaimer
  Dictionary Content:
    - built-in dictionaries: profanity, proprietary_content, sexual_content. The entries contain alphanumeric chars, email addresses, and domain names
    - import or create a dictionary that must include:
      the weight value in your own proprietary content
      reference dictionary in content filter
      includes attached file, embedded zip, word/text file
    - For each term, you specify a "weight," so that certain terms can trigger filter conditions more easily.
      "scores" the message by multiplying the number of term instances by the weight of the term
    - Smart identifiers are algorithms that search for patterns in data that correspond to common numeric patterns, SSN, OR BANK ROUTING #s/MINE
  Importing and Exporting Dictionaries as Text Files
    - Include config.dtd, profanity.txt, proprietary_content.txt, and/or sexual_content.txt
    - create your own and import as a new dictionary (** does not keep match whole words or Case-sensitive settings)
    - can import, delete, and export text resources with the txt or html file extension
  Message Disclaimer Stamping
    - add stamp on all outgoing email messages such as promo items, copyright, and disclaimer
    - predefined notification templates as well as encryption notification
  Testing:
 - the trace function can provide quick feedback; use dictionary-match(), quarantine() to test filters


8.1 Using Message Filters - Overview
 - this is only done via the CLI, and the order of the queue is extremely important.
 - message filters are at the beginning while content filtering is at the end
 - powerful combinations of features available for policy enforcement: a content scanning engine, message filters, attachment filters,
   and content dictionaries.
 - this is done before the email security manager and provides a flexible way to customize the behavior of the ESA; it scans all incoming msgs
   using regex
 - a filter contains a rule and an action, and the syntax is LABEL, RULES, ACTION
 - FOLLOWING AREAS OF A MESSAGE FILTER:
    - components: special rules to describe how to handle the msgs they receive,
    - based on attachment, content, info about the network, envelope/message body/headers
    - filter actions: drop, bounce, archived, bcc, or altered
    - using AND, OR, and NOT; expressions may also be grouped using parentheses
    - Processing Filters:
    - processing of the message filters scans them in order
    - actions taken on message filter order (inactive, invalid, superseded), prior processing with altered content, the MIME structure, threshold score and structured query
 - Message filter rules:
    - collection of messages that filters act upon
 - Message filter actions:
    - if the rule evaluates to true then the final actions (delivering, dropping, and bouncing a message)
    - non-final actions - stripping or inserting headers
    - the message then continues to be further processed.
 - Attachment scanning message filters:
    - allows you to strip attachments and filter on file type, fingerprint or content
    - scan image attachments to measure skin color, body size, curvature to determine any inappropriate content

Example Syntax                                                          Purpose
expedite:                                                               Filter name
if (recv-listener == 'InboundMail' or recv-int == 'notmain')            Rule specification
{ alt-src-host('outbound1'); skip-filters(); }                          Action specification
else { alt-src-host('outbound2'); }                                     Optional alternative action specification
    
 You Can Omit Any Alternative Actions:

Example Syntax                                                                    Purpose
expedite2:                                                                        Filter name
if ((not (recv-listener == 'InboundMail')) and (not (recv-int == 'notmain')))   Rule specification
{ alt-src-host('outbound2'); skip-filters(); }                                  Action specification
 
 8.7 Using Message Filters - Attachment Scanning
 - uses the content scanner to strip attachments inconsistent with your policies, and retain the ability to deliver the original email
 - You can filter attachments based on their specific file type, fingerprint, or based on the content of the attachment.
   embedded files: .exe, .dll, .bmp, .tiff, .pcx, .gif, .jpeg, .png, and Photoshop images.
 - Image scanning allows you to scan the following types of attached files: BMP, JPG, TIF, PNG, GIF, TGA, and PCX. score 0 = clean; verdicts are clean, suspect, or
   inappropriate
 - Cisco recommends you do not drop or bounce messages with inappropriate or suspect verdicts. Instead, send copies of
   violations to a quarantine for later review and better understanding of trend analysis.
 
 9.1 Preventing Data Loss - Overview & Scanning PROCESS
 - last item on the list assuming it has been enabled, and it is applied to outbound
   mail policies. outbound filter ONLY!!
 - DLP is supported on all supported C-Series and X-Series appliances except appliances
   using D-Mode licenses.
 - enforces compliance with government regulations and proprietary/intellectual property rules.
 - tries to prevent employees from emailing out sensitive information.
 - matched content logging needs to be enabled to track down the violation.
 - to start the DLP process you will need the following steps
   a) enable the service (Security => Data Loss Prevention)
   b) prepare the text resources such as notifications to HR (Mail Policies => Text
      Resources). This applies to words, phrases, predefined
      patterns such as SSN, or a regular expression that you identified as sensitive
      content in an applicable DLP policy, to minimize false positive matches. For example,
      a number matching a credit card number pattern is only a violation if it is accompanied by an
      expiration date, credit card company name or a person's name and address.
   c) define the action (Mail Policies => Data Loss Prevention => DLP policy customizations);
      this is based on the severity
   d) define what constitutes a DLP violation and how to react (Mail Policies =>
      DLP policy manager). This includes encrypting messages.
   e) apply the policy to the outbound mail policies filter and configure storage
      of sensitive messages.
 - scans the message header, body, and attachments.
 - multiple severity levels and actions defined on what the ESA will do.
 - Risk Factor      Rating        Remediation
    0 - 9           ignore        no violation
   10 - 34          low           inherit medium
   35 - 59          medium        inherit high
   60 - 89          high          inherit critical
   90 - 100         critical      quarantine (delivery is the default setting and
                                  must be changed to your org std)
 - Classifiers can use one or more detection rules, including matching words or phrases, a regular expression
   to define a search pattern for a message or attachment, or a dictionary of related words and phrases.
   Cisco DLP comes with dictionaries that are created by RSA, but you can create your own.
 - specify values used to determine a score
    a) proximity: how close the rule matches, e.g. an SSN at the top of the email and a name and
       address in the signature at the bottom are not related.
    b) minimum total score: if it doesn't meet the minimum, there is nothing to consider.
    c) weight: classifier scores are based on multiplying the # of violations of the rule by its weight
    d) maximum score: many matches will default to the max value.
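As an added example (not from the course or the ESA), a toy Python model of the scoring described in 7.6 (term instances multiplied by weight) together with the 9.1 risk factor table and its inherited actions; the dictionary terms, weights and configured actions are constructed values:

```python
"""Toy model of ESA content-dictionary scoring and DLP severity ratings.
Added example, not Cisco code; term weights and configured actions are constructed."""
import re

# Constructed content dictionary: term -> weight.
SAMPLE_DICTIONARY = {"confidential": 2, "ssn": 5, "merger": 3}

# Risk factor ranges and ratings as listed in the notes: (low, high, rating).
SEVERITY_TABLE = [(0, 9, "ignore"), (10, 34, "low"), (35, 59, "medium"),
                  (60, 89, "high"), (90, 100, "critical")]
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def dictionary_score(text, dictionary, match_whole_words=True, case_sensitive=False):
    """Score = sum over terms of (instances of the term) x (weight of the term).
    Returns (score, {term: instance count}) so a filter can report what matched."""
    flags = 0 if case_sensitive else re.IGNORECASE
    score, hits = 0, {}
    for term, weight in dictionary.items():
        pattern = re.escape(term)
        if match_whole_words:
            pattern = r"\b" + pattern + r"\b"
        count = len(re.findall(pattern, text, flags))
        if count:
            hits[term] = count
            score += count * weight
    return score, hits


def classifier_score(rule_matches, weight, max_score=100, min_total_score=10):
    """DLP classifier score: matches x weight, capped at the maximum score
    ("many matches default to the max"); below the minimum total score nothing
    is considered, so the score is reported as 0."""
    raw = min(rule_matches * weight, max_score)
    return raw if raw >= min_total_score else 0


def severity_for(risk_factor):
    """Map a 0-100 risk factor to the rating from the table."""
    rf = max(0, min(100, int(risk_factor)))
    for low, high, rating in SEVERITY_TABLE:
        if low <= rf <= high:
            return rating
    raise AssertionError("unreachable: table covers 0-100")


def effective_action(rating, configured_actions, default="deliver"):
    """A rating with no action of its own inherits the next higher rating's action
    (low -> medium -> high -> critical); 'ignore' is no violation; with nothing
    configured the default is delivery, which the notes warn must be changed."""
    if rating == "ignore":
        return "no violation"
    for higher in SEVERITY_ORDER[SEVERITY_ORDER.index(rating):]:
        if configured_actions.get(higher):
            return configured_actions[higher]
    return default


if __name__ == "__main__":
    msg = "The SSN is confidential. CONFIDENTIAL: merger docs attached."  # constructed
    score, hits = dictionary_score(msg, SAMPLE_DICTIONARY)
    print(score, hits)  # 12 {'confidential': 2, 'ssn': 1, 'merger': 1}
    rating = severity_for(classifier_score(rule_matches=3, weight=30))
    print(rating, effective_action(rating, {"critical": "quarantine"}))  # critical quarantine
```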

9.4 Preventing Data Loss - Policies for Data Loss Prevention
  - includes:
     a) the conditions - whether or not the msg contains sensitive data; this will
        include the text resource files
     b) actions - what is to be done with these violations
        Primary actions: deliver, drop, and quarantine
        secondary actions: send copy to policy quarantine, encrypt msg, alter subject
        header, disclaimer text, send msg to alternate destinations,
        send DLP violation notification to sender;
        not mutually exclusive: can be combined with different DLP policies
  - you have a list of predetermined policy templates:
    a) regulatory compliance: personal info, CC, and all non-public records.
    b) acceptable use: restrict info sent to competitors
    c) privacy protection: financial records, tax records,
    d) intellectual property protection:
    e) company confidential: corp accounting information, mergers,
    f) custom policy: define your own specs.
  - you have the option to use the wizard to define your policies.
  - content matching classifiers define what content cannot exit the network;
    upon detection of a policy violation an action will be taken
  - classifiers use lists of words or phrases, regular expressions, dictionary words,
    entities (CC #s, ABA routing #s), lists of attachment file types,
  - if no policies exist then the DLP protection wizard default setting is deliver
    regardless of severity
  - in policy customization you must specify a major or minor action
  - DLP deployment offers the option to log the content that violates your DLP policies
  - updates to the predefined policies are done automatically, and you could also initiate it;
    you must enable the feature in the DLP settings!!
  - To display sensitive DLP data in message tracking, select Security Services
    > Data Loss Prevention. Click Edit Settings. Select the Enable Matched Content
    Logging check box. Submit and commit your changes.
  - You cannot enable automatic DLP updates for appliances in clustered deployments.
  - DLP updates are always performed at the machine level
 
10.1 - .4 Using LDAP - Overview and LDAP Queries.
 - the ESA is used as an LDAP client and can use either LDAP or LDAPS. it also does not cache results
 - often used with group memberships, and it dynamically assigns a policy based on the
   membership/group
 - AD integration advantages: lowers message volumes, ease of mgmt, and security
 - When integrating LDAP directories, an LDAP directory server is consulted to accept recipients,
   route messages, and/or masquerade headers.
 - Understanding LDAP Queries:
   a) acceptance - how msg is handled
   b) routing (alias) - send to user/MTA; if no cert is defined, the local one is used
   c) cert authentication - validates client cert between mail client and ESA
   d) masquerading - manipulate envelope senders for outbound mail (eg remove lotus notes).
       this feature is virtual domains, which allows you to host multiple domains from a single site.
       Another typical implementation is hiding your network infrastructure by stripping the subdomains from strings in email headers.
   e) group queries - perform actions based on group memberships / message filters
   f) domain-based queries - query different domains and accept or reject.
   g) chain queries - create a server profile for each query. perform the queries in sequence and run until LDAP returns a positive result,
      using attributes maillocaladdress and mail to store user email addresses.
      enabled on the private or public listener.
   h) SMTP Auth - authenticate clients connected to the SMTP srv. good for home/travel
      A token specifies the user (user login) and token a specifies the user's email address
      SMTP will not strip it from the address; that is the task of AsyncOS
      Steps to validate recipients using an external SMTP server are:
      i) Determine how the appliance connects to the SMTP server and interprets the server's responses.
      ii) Configure a public listener to use the SMTP server to validate recipients
      iii) Update your LDAP Routing query to determine the SMTP server to use when routing mail to a different host (optional).
      iv) Configure the appliance to bypass call-ahead validation for certain recipients (optional).
   i) external auth - remote users logging into the AD.
      i) create a query for a user account
      ii) create a query for a membership account
      iii) set up external auth to use LDAP
   j) spam quarantine end user auth - validates users
   k) spam quarantine alias consolidation - end users don't receive quarantine notices for every alias
 - steps to configure AsyncOS for acceptance, routing, aliasing, and masquerading:
    a) configure LDAP srv profiles and where to query information along with port numbers
    b) enable LDAP srv profile - has to be enabled on a listener, whether public or private
 - authenticating end users of spam quarantine
 - testing LDAP:
    - ensure you use the correct ports (3268/389); AD uses 3268, LDAPS uses 636
    - ensure LDAP accept, masquerading or routing is enabled in the work queue
    - if LDAP accept is not enabled but other queries are used in filters, set the filters to
      false
    - failover features are available based on error codes (unavailable or busy)
      and go to the next server in sequential order
    - load balancing - distributes connections to multiple LDAP servers up to the max
      number of retries

 10.8 Using LDAP - Directory Harvest Attack Prevention
 - a malicious sender tries to validate email addresses within the company
 - can leverage LDAP acceptance validation queries as a prevention inside the
   SMTP conversation within the work queue
 - you first configure an LDAP server profile, and enable LDAP Accept.
   Once you have enabled LDAP acceptance queries, configure the listener to use
   the accept query, and to bounce mail for non-matching recipients:
 - in the mail flow policy associated with the listener, configure the following DHA
   prevention settings:
    a) max invalid recipients per hour. default for a public listener is 25.
    b) drop connection within SMTP: drop connections after the threshold is met
    c) max recipients per hour code. default is a 550 error message
    d) max recipients per hour text - too many invalid recipients
 - enter domains only inside the RAT tables; this prevents the sender from knowing
   if the recipient is valid during the SMTP conversation.
   need to configure the mail flow policy to define the # of invalid recipient addresses
   allowed per sender IP address within a given time frame.
 - Rate limiting on how many invalid emails per hour are sent.
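An added example, not Cisco code, that models the four DHA prevention settings above as a per-sender-IP counter: the accepted domains (RAT), the valid-recipient set standing in for the LDAP Accept query, the limits and the reply texts are all constructed values.

```python
"""Simplified model of the ESA's directory harvest attack (DHA) prevention
settings from these notes. Added example, not Cisco code: the accepted
domains (RAT), the valid-recipient set (stand-in for an LDAP Accept query),
the limits and the reply texts are constructed values."""
from collections import defaultdict, deque


class DHAPrevention:
    """Counts invalid recipients per sender IP over a sliding window."""

    def __init__(self, rat_domains, valid_recipients, max_invalid_per_hour=25,
                 reject_code=550, reject_text="Too many invalid recipients",
                 drop_connection=True, window_seconds=3600):
        self.rat_domains = {d.lower() for d in rat_domains}
        self.valid_recipients = {r.lower() for r in valid_recipients}
        self.max_invalid = max_invalid_per_hour      # mail flow policy setting a)
        self.drop_connection = drop_connection       # setting b)
        self.reject_code = reject_code               # setting c), default 550
        self.reject_text = reject_text               # setting d)
        self.window = window_seconds
        self._invalid = defaultdict(deque)           # ip -> timestamps of invalid RCPTs

    def invalid_count(self, ip, now):
        """Number of invalid recipients seen from ip within the window ending at now."""
        queue = self._invalid[ip]
        while queue and now - queue[0] >= self.window:
            queue.popleft()
        return len(queue)

    def rcpt_to(self, ip, recipient, now):
        """Decide the reply to one RCPT TO. Returns (smtp_code, text, drop_connection)."""
        recipient = recipient.lower()
        if self.invalid_count(ip, now) >= self.max_invalid:
            # Threshold reached: reject (550 by default) and optionally drop the connection.
            return self.reject_code, self.reject_text, self.drop_connection
        domain = recipient.rpartition("@")[2]
        if domain not in self.rat_domains:
            # The RAT holds domains only, so a foreign domain is refused without
            # revealing anything about individual users (constructed reply text).
            return 550, "Recipient domain not accepted", False
        if recipient not in self.valid_recipients:
            # LDAP Accept says the user does not exist: count it toward the limit but
            # accept and bounce later, so the SMTP reply does not confirm invalidity.
            self._invalid[ip].append(now)
            return 250, "Accepted (will bounce: unknown recipient)", False
        return 250, "Accepted", False


if __name__ == "__main__":
    # Constructed conversation: one sender IP guessing addresses at example.com.
    dha = DHAPrevention(["example.com"], ["alice@example.com"], max_invalid_per_hour=3)
    for t, rcpt in enumerate(["alice@example.com", "guess1@example.com",
                              "guess2@example.com", "guess3@example.com", "alice@example.com"]):
        print(t, rcpt, dha.rcpt_to("203.0.113.5", rcpt, t))
```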

10.9 Using LDAP - Spam Quarantine Alias Consolidation Queries
 - recipients do not receive quarantine notices for each alias
 - end user will only get the spam for their primary email box.
 - if you have multiple LDAP servers, you must ensure all have the same info.
 - You can use SMTP call-ahead recipient validation to reduce processing on
   messages for invalid recipients. this allows the msg to be dropped before extra
   processing in the ESA.
 - if the message for a given recipient is rejected by the RAT, then the SMTP
   call-ahead recipient validation will not occur.
 - SMTP call-ahead server profile settings are:
  i) delivery host: specify the host for delivering email. if you use SMTP routes
     or LDAP queries then the ESA will choose between them.
  ii) create a static list assuming that the data doesn't change often on the LDAP server
    
11.1 SMTP Session Authentication
 - SMTP Auth is a mechanism for authenticating clients connected to an SMTP server
   remotely. you will also need to configure the RELAYED policy on the public listeners
 - MUAs can issue an authentication request (challenge/response) when attempting to send a piece of mail.
   The appliance negotiates the Simple Authentication and Security Layer (SASL) mechanism with
   the MUA before getting the passphrase.
   The MUA decides on the method (LOGIN, PLAIN, MD5, SHA, SSHA, and CRYPT SASL mechanisms are supported).
   can support certificates
 - SMTP authentication allows the appliance to make a secure connection to a relay server
 - use an LDAP directory, or a different SMTP server (SMTP Auth forwarding and SMTP Auth outgoing).
 - credentials are authenticated against:
  i) LDAP directory, or a different SMTP server
 - Auth queries:
  i) passphrase (passphrase field in LDAP)
  - login:
    LDAP bind: ESA logs into LDAP using the user's credentials
 - remote user authentication steps include (relay email)
    1) LDAP query - checked against LDAP (username/password).
    2) SMTP auth profile - server to send the request to
    3) listener - SMTP authentication profile for the remote user relaying email.
    4) mail flow policy - triggers SMTP auth or TLS (which user is authenticating).
 - HAT delayed rejection: When HAT delayed rejection is configured, connections that
   would get dropped based on the HAT Sender Group and Mail Flow Policy configuration
   can still authenticate successfully and get the RELAY mail flow policy granted.
 - can configure the appliance to hand off to another SMTP auth conversation with an SMTP server
 - The authenticating server is not the server that transfers mail; rather, it only
   responds to SMTP authentication requests
 *** SMTP authentication profile is dynamic as you configure options. ****
 *** must add the users from home; need to add static IP addresses of home users ***
 - SMTP Authentication Via Second SMTP Server (SMTP Auth with Forwarding)
 - You can configure the appliance to verify the username and passphrase that have been
   provided through another SMTP authenticated conversation with a different SMTP server.
 - it only responds to SMTP authentication requests
 - Select a default encryption method from the drop-down menu. You can select
   from SHA, Salted SHA, Crypt, Plain, or MD5.
 - Cisco ESA supports the use of client certificates to authenticate SMTP
   sessions between the Cisco ESA and users' mail clients.
   option to fall back to SMTP auth if a cert isn't available

 Outgoing SMTP authentication
  - the relay needs a user and passphrase using PLAIN and LOGIN. also need to have
    the SMTP routes configured.

11.3 SMTP Session Authentication  - Using Client Certificates
 - If the certificate is valid, the Cisco ESA allows an SMTP connection
   from the mail application over TLS. if no cert then use LDAP as a backup
 - Cisco ESA to request a certificate that the CAC (common access card) and
   ActivClient middleware application will provide to the appliance.
 - To authenticate a user with a client certificate, follow these steps:
  1) Define a certificate query for your LDAP server.
  2) Create a certificate-based SMTP authentication profile.
  3) Configure a listener to use the certificate SMTP authentication profile.
  4) Modify the RELAYED mail flow policy to require TLS, a client certificate, and SMTP authentication.
 - To authenticate a user with an SMTP authenticate LDAP query, follow these steps:
  1) Define an SMTP authentication query for your server that uses an allowance query string and
     Bind for the authentication method.
  2) Create an LDAP-based SMTP authentication profile.
  3) Configure a listener to use the LDAP SMTP authentication profile.
  4) Modify the RELAYED mail flow policy to require TLS and SMTP authentication.
 - To authenticate a user with a client certificate or an LDAP SMTP authentication query, follow these steps:
  1) Define an SMTP authentication query for your server that uses an allowance query string and Bind for the authentication method.
  2) Define a certificate-based query for your LDAP server.
  3) Create a certificate-based SMTP authentication profile.
  4) Create an LDAP SMTP authentication profile.
  5) Configure a listener to use the certificate SMTP authentication profile.
  6) Modify the RELAYED mail flow policy to use the following settings: TLS
     Preferred, SMTP authentication required, and Require TLS for SMTP authentication.

12.2 Email Authentication - Email Authentication Overview
   *** AsyncOS does not support SPF for incoming relays and CPU loads ***
 - DomainKeys (original) and DKIM (latest) authentication: the sender signs the email with
   a PKI key within the header of the email (From or Sender) and publishes a TXT record with an
   IP address. this is usually on outgoing relay policies
 - can also validate by the IP address or watermark on the email
 - SIDF looks at the header From
 - SPF looks at the envelope From field, while SIDF
 - steps defining the workflow.
   1) Administrator (domain owner) publishes a public key into the DNS name space.
   2) Administrator loads a private key in the outbound MTA.
   3) Email submitted by an authorized user of that domain is digitally signed with the respective private key.
      The signature is inserted in the email as a DomainKey or DKIM signature header and the email is transmitted.
   4) Receiving MTA extracts the DomainKeys or DKIM signature from the header and the claimed sending domain
      (via the Sender: or From: header) from the email. The public key is retrieved from the claimed signing domain
      which is extracted from DomainKeys or DKIM signature header fields.
   5) The public key is used to determine whether the DomainKeys or DKIM signature was generated with the appropriate private key.
 - SPF publishes a TXT record in the DNS server; SPF then checks the envelope From field
   while SIDF uses the From field in the header. actions for failed validations = dropped,
   added in the mail flow policy and using the throttled policy
 - To support the SIDF framework, you need to publish both "v=spf1" and "spf2.0" records.
   example.com. TXT "v=spf1 +mx a:colo.example.com/28 -all"
   smtp-out.example.com TXT "v=spf1 a -all"
   example.com. TXT "spf2.0/mfrom,pra +mx a:colo.example.com/28 -all"
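An added example (not Cisco code) that evaluates the two v=spf1 records above offline against a constructed stand-in for DNS (FAKE_DNS; the MX and A data are made up). It checks the envelope MAIL FROM domain, as the notes say SPF does, and supports a, mx, ip4, include and all with the four qualifiers; the spf2.0 SIDF record is not evaluated.

```python
"""Offline SPF check against the records in the notes. Added example, not
Cisco code: FAKE_DNS stands in for real DNS, with the notes' TXT records plus
constructed MX/A data. Only the v=spf1 (MAIL FROM) record is evaluated."""
import ipaddress

FAKE_DNS = {
    ("example.com", "TXT"): ['v=spf1 +mx a:colo.example.com/28 -all'],
    ("smtp-out.example.com", "TXT"): ['v=spf1 a -all'],
    ("example.com", "MX"): ["mail1.example.com", "mail2.example.com"],  # constructed
    ("mail1.example.com", "A"): ["192.0.2.10"],                          # constructed
    ("mail2.example.com", "A"): ["192.0.2.11"],                          # constructed
    ("colo.example.com", "A"): ["198.51.100.16"],                        # constructed
    ("smtp-out.example.com", "A"): ["192.0.2.25"],                       # constructed
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=FAKE_DNS):
    return dns.get((name.lower().rstrip("."), rtype), [])


def spf_record(domain, dns=FAKE_DNS):
    records = [r for r in lookup(domain, "TXT", dns) if r.lower().startswith("v=spf1")]
    return records[0] if records else None


def ip_in_any(ip, addresses, cidr):
    """True if ip lies in any address/cidr network (e.g. 198.51.100.16/28)."""
    return any(ip in ipaddress.ip_network(f"{a}/{cidr}", strict=False) for a in addresses)


def check_spf(client_ip, mail_from_domain, dns=FAKE_DNS, depth=0):
    """Evaluate the envelope MAIL FROM domain's SPF record for client_ip.
    Returns none/pass/fail/softfail/neutral/permerror like a real checker."""
    if depth > 10:                       # include: loop protection
        return "permerror"
    record = spf_record(mail_from_domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, spec = term.partition(":")
        cidr = "32"
        if "/" in name:                  # e.g. "a/24"
            name, cidr = name.split("/", 1)
        target = mail_from_domain
        if spec:                         # e.g. "a:colo.example.com/28"
            target, _, spec_cidr = spec.partition("/")
            cidr = spec_cidr or cidr
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(spec, strict=False)
        elif name == "include":
            matched = check_spf(client_ip, target, dns, depth + 1) == "pass"
        elif name == "a":
            matched = ip_in_any(ip, lookup(target, "A", dns), cidr)
        elif name == "mx":
            matched = any(ip_in_any(ip, lookup(mx, "A", dns), cidr)
                          for mx in lookup(target, "MX", dns))
        else:
            return "permerror"           # mechanism this toy does not implement
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # no term matched and no "all" present


if __name__ == "__main__":
    for ip, domain in [("192.0.2.10", "example.com"), ("198.51.100.20", "example.com"),
                       ("198.51.100.40", "example.com"), ("192.0.2.25", "smtp-out.example.com")]:
        print(ip, domain, check_spf(ip, domain))
```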
   
12.4 Email Authentication - Configuring DomainKeys and DKIM Signing
 - can create your own DNS TXT record
 - DomainKeys and DKIM signing is enabled on mail flow policies for outbound mail.
 - On the bounce profile associated with the public listener where you will send signed outbound messages, go to Hard Bounce and Delay Warning
   Messages. Enable the Use Domain Key Signing for Bounce and Delay Messages option.
   the bounced messages setting is used by both DomainKeys and DKIM
 - DomainKeys verifies the DNS domain and message integrity;
   DKIM detects email spoofing by checking the authorized domain
   as well as the digital signature.
 - DomainKeys & DKIM consist of signing and verification
 - not an encrypted message; only hashing the header with the public/private key
 - DKIM verification checks by AsyncOS:
   check                                            failed output
   i) valid tags/values within the signature field  permfail
   ii) public key downloaded and TXT record checked permfail, or tempfail if no response from DNS
   iii) hash values                                 permfail
   POSSIBLE OPTIONS ON THE FAILED OUTPUT:
   part 1 - actions include: delivered, bounced, dropped, or quarantined
   part 2 - content filter conditions include pass, neutral, temperror, permerror, hardfail or none
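An added example, not AsyncOS code, that models the three verification checks listed above in Python: it parses the DKIM-Signature tags (check i), fetches the selector record through a caller-supplied lookup whose failure to answer gives tempfail (check ii), and recomputes the bh= body hash with "simple" canonicalisation (check iii). The key record and message are constructed; the b= signature itself needs an RSA library and is not verified here.

```python
"""The three DKIM verification checks from the notes, modelled in Python.
Added example, not AsyncOS code. The b= signature is deliberately not verified."""
import base64
import hashlib
import re

REQUIRED_TAGS = ("v", "a", "b", "bh", "d", "s", "h")
KNOWN_ALGORITHMS = ("rsa-sha256", "rsa-sha1", "ed25519-sha256")


def parse_dkim_signature(header_value):
    """Turn 'v=1; a=rsa-sha256; ...' into a dict; whitespace inside values is folding."""
    tags = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        key, value = part.split("=", 1)
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_tags(tags):
    """Check i): valid tags/values in the signature field, otherwise permfail."""
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        return "permfail", f"missing tags {missing}"
    if tags["v"] != "1":
        return "permfail", "unsupported version"
    if tags["a"] not in KNOWN_ALGORITHMS:
        return "permfail", "unknown algorithm"
    if "from" not in [h.strip().lower() for h in tags["h"].split(":")]:
        return "permfail", "From header not covered by signature"
    return "pass", "tags ok"


def canonical_body_simple(body):
    """'simple' body canonicalisation: CRLF line ends, trailing empty lines removed,
    and the body always ends with exactly one CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body, algorithm="rsa-sha256"):
    """Base64 hash of the canonicalised body, as carried in the bh= tag."""
    digest = hashlib.sha1 if algorithm.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canonical_body_simple(body).encode()).digest()).decode()


def check_body_hash(tags, body):
    """Check iii): the recomputed body hash must equal bh=, otherwise permfail."""
    if body_hash(body, tags["a"]) == tags["bh"]:
        return "pass", "body hash ok"
    return "permfail", "body hash mismatch"


def dkim_verdict(header_value, body, dns_txt_lookup):
    """Run the checks in the notes' order. dns_txt_lookup(name) returns the
    selector TXT record or None; if it raises, DNS did not respond (tempfail)."""
    try:
        tags = parse_dkim_signature(header_value)
    except ValueError as exc:
        return "permfail", str(exc)
    result = check_tags(tags)
    if result[0] != "pass":
        return result
    try:
        key_record = dns_txt_lookup(f"{tags['s']}._domainkey.{tags['d']}")  # check ii)
    except Exception:
        return "tempfail", "no response from DNS"
    if not key_record or "p=" not in key_record:
        return "permfail", "public key record missing"
    return check_body_hash(tags, body)


if __name__ == "__main__":
    body = "Quarterly numbers attached.\n\n\n"                      # constructed message body
    header = (f"v=1; a=rsa-sha256; d=example.com; s=sel1; h=from:to:subject; "
              f"bh={body_hash(body)}; b=c2lnbmF0dXJl")                # constructed signature header
    keys = {"sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=MIIBIjANBg"}  # constructed key stub
    print(dkim_verdict(header, body, keys.get))                      # ('pass', 'body hash ok')
    print(dkim_verdict(header, body + "tampered\n", keys.get))       # ('permfail', 'body hash mismatch')
```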

12.6 Email Authentication - DMARC Verification
 - created to reduce potential email abuse, and is the standard policy to receive
   authentication results for both SPF & DKIM. it must pass at least one.
 - A DMARC verification profile is a list of parameters, e.g. create a stringent profile
   that rejects all non-compliant messages from a domain, or a less stringent one.
 - AsyncOS fetches the DMARC record for the sender's domain from the DNS.
 - If no record is found, AsyncOS skips the DMARC verification and continues processing.
   If the DNS lookup fails, AsyncOS takes action based on the specified DMARC verification profile.
 - If sending of aggregate reports is enabled, AsyncOS gathers DMARC verification data and includes it
   in the daily report sent to the domain owners.
 - If the aggregate report size exceeds 10 MB or the size specified in the RUA tag
   of the DMARC record, AsyncOS sends delivery error reports to the domain owners.
 - The Cisco ESA allows you to:
  i) Verify incoming emails using DMARC.
 ii) Define profiles to override (accept, quarantine, or reject) domain owners' policies.
iii) Send feedback reports to domain owners, which help to strengthen their auth deployments.
 iv) Send delivery error reports to the domain owners if the DMARC aggregate report size exceeds 10 MB or the size specified in the RUA tag of the DMARC record.
 - DMARC aggregate feedback report includes metadata, published DMARC policy, policy
   disposition like IP address, domain identifiers, results and auth summary
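An added example, not AsyncOS code, of the disposition logic the notes describe: parse the published DMARC record, require at least one aligned SPF or DKIM pass, fall through to the owner's policy otherwise, and let a verification profile override that policy (including the DNS-failure case). The organisational-domain helper is a toy; real checkers use the Public Suffix List.

```python
"""DMARC disposition as the notes describe it. Added example, not AsyncOS code."""


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a dict, or None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Toy organisational domain: the last two labels (assumption, not the PSL)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organisational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


DISPOSITIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   record, profile=None):
    """Return (dmarc_result, disposition).

    from_domain: domain of the header From.
    spf_domain:  envelope MAIL FROM domain the SPF result was computed for.
    dkim_domain: d= of the verified DKIM signature.
    record:      parsed DMARC record, None when DNS has no record, or the
                 string "temperror" when the DNS lookup itself failed.
    profile:     optional verification profile {owner_policy_or_temperror: override}."""
    if record is None:
        return "none", "deliver"               # no record: skip DMARC, continue processing
    if record == "temperror":                  # lookup failed: the profile decides
        return "temperror", (profile or {}).get("temperror", "deliver")
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, record.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, record.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"               # at least one aligned pass is enough
    policy = record["p"].lower()
    if from_domain.lower() != org_domain(from_domain) and "sp" in record:
        policy = record["sp"].lower()          # sub-domain policy, when published
    disposition = DISPOSITIONS.get(policy, "deliver")
    if profile and policy in profile:
        disposition = profile[policy]          # stringent or lenient override from the profile
    return "fail", disposition


if __name__ == "__main__":
    rec = parse_dmarc_record("v=DMARC1; p=reject; aspf=s; rua=mailto:dmarc@example.com")  # constructed
    print(dmarc_evaluate("example.com", "pass", "bounce.example.com", "fail", "", rec))   # ('fail', 'reject')
    print(dmarc_evaluate("example.com", "fail", "", "pass", "mail.example.com", rec))     # ('pass', 'deliver')
```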
 
12.7 Email Authentication - Forged Email Detection
*** do not configure advanced matching and smart id, weight for the terms ***
 - spoofing email headers to fake the From sender to exploit end users
 - create a dictionary file with all high value targets, turn on FED, then apply it
   to the mail policies.
 - other actions include prepending a msg for end users and logging with a special logging msg.
 - by using the condition/rule and action against the spoofed emails
 - FED results
   1) top forged email matches - top 10 users matching the rule
      based on the header's From field
   2) forged email matches - displays all incoming emails that were matched against the rule
   
13.2 Email Encryption - Overview of Cisco Email Encryption (Cisco Registered Envelope Service or CRES)
 - supported for both inbound and outbound email by specifying the characteristics of the encrypted messages
   to the key server
 - key server can be: 1) CRES or 2) a Cisco encryption appliance (local server)
 - you create content filters, message filters, and DLP policies to determine which messages to encrypt.
    a) outgoing msg meets a content filter to encrypt the msg, then at the end the encrypted msg is delivered.
    b) after encrypting the msg, the encryption key is stored on the key server within the profile
    c) if any temp conditions prevent sending the email, the msgs are re-queued.
 - TLS encryption is between the ESA and MTA; it is the channel that will be encrypted
 - with S/MIME all messages will be encrypted using private encryption
 - When a recipient opens an encrypted message in a browser, a password may be required to authenticate the
   recipient's identity. The key server returns the encryption key associated with the message.
 - message size to encrypt: the Cisco recommended message size is 10 MB. The maximum message size the appliance
   will encrypt is 25 MB. also set the email address of the encryption account administrator, and configure a proxy server.
 - key server settings specify the key server and its connection info
 - Envelope settings - specific details of the envelope and encryption algorithm.
 - msg settings - whether or not to enable secure forwarding and secure reply all
 - notification settings - txt/html notifications upon failures
 - Cisco ESA can securely relay a message over a TLS connection instead of encrypting it, if a TLS connection is
   available
 - based on the TLS setting in the destination controls (Required, Preferred, or None) and the action defined
   in the encryption content filter. need to specify what to do if the TLS connection is down
 - TLS SUPPORTED OPTIONS INCLUDE:
    DST TLS                TLS CONN GOOD                  TLS CONN BAD
    A) NONE             -> ENCRYPT Envelope AND SEND   -> ENCRYPT Envelope AND SEND
    B) TLS PREFERRED    -> Send over TLS               -> ENCRYPT Envelope AND SEND
    C) TLS REQUIRED     -> Send over TLS               -> retry/bounce msg
 - allows you to add encryption settings to a message by inserting an SMTP header into a message using either a
   content filter or a message filter.
 - allowed to use X.509 certs or a self-signed cert. AsyncOS supports the STARTTLS extension to SMTP
   described in RFC 3207
 - AsyncOS supports separate TLS certificates for public and private listeners, HTTPS management access on an
   interface, the LDAP interface, and all outgoing TLS connections.
 - CRES and S/MIME do this on a per-message basis
 - You can create a custom list of trusted certificate authorities and import it onto the
   appliance. The file must be in the privacy-enhanced mail (PEM) format
   
13.7 Email Encryption - Working with Certificates
  - done on the outbound emails using digital certs and encrypts the entire msg
  - message filters, content filters, or DLP request it, and it allows you to send multiple msgs using the same
    TLS session. this is done on a per-MTA basis
  - you need a public listener, a digital cert, and a mail flow policy
  - for outbound TLS, we need to configure destination controls and specify the specific domains and opt for
    TLS (default setting)
  - outbound content filters can also encrypt the messages, specifically if TLS fails (backup strategy).
  - can be done via the CLI or GUI

13.11 Email Encryption - S/MIME Security Services
 - Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standards-based method for sending and
   receiving secure, verified email messages.
 - all users must have their own certs to sign; for outbound it will sign, encrypt, or sign and encrypt, and in reverse order
   inbound messages need to be verified, decrypted, or decrypted and verified
 - usually done on the S/MIME security services at the gateway between business partners. this is a full
   encrypted email tunnel, S/MIME per email on low bandwidth sessions, or between the ESA and MTA
 
14.2 Using System Quarantines and Delivery Methods - Describing Quarantines
 - Quarantines are special queues or repositories used to hold and process messages. Messages in quarantines can be
   delivered or deleted, based on how you configure the quarantine.
 - The following Work Queue features can send messages to quarantines.
   there is the spam quarantine, and everything that is not spam goes to the non-spam quarantines (shared between multiple features):
   virus, AMP, policy, and outbreak
   SPAM QUARANTINE:
    1) Spam filters         - holds till review
    2) Message filters      - policy based by msg/content filters and DLP actions,
                            - holds msg based on action; has been deleted.
    3) Anti-virus           - holds msg by AV engine
    4) Outbreak filters     - holds msg flagged as spam or malware
    5) Content filters      - holds msg by the filter the admin creates
    6) File analysis (AMP)  - held until the verdict comes back (on the device)
 - can be stored locally or externally (SMA) and configured in 2 locations:
    1) IP address, so we can look at what is in quarantine by one of the users, and grants access for the
       users to see the quarantine, but only on the private interface and NOT public.
    2) spam, configured by admin: when the msg will stay in quarantine, be deleted or released.
      this is done under the monitor menu, with either safelist/blocklists
 - In the Spam Quarantine section, configure settings for access to the spam quarantine. By default,
   HTTP uses port 82 and HTTPS uses port 83; user roles include operator, read-only operator, HD user, guest,
   and custom user roles and privileges
 - you also need to enable spam scanning inside a mail policy

14.5 Using System Quarantines and Delivery Methods - Using Safelists and Blocklists to Control Email Delivery Based on Sender
 - Safelists specify senders and domains that are never treated as spam. Blocklists specify senders and domains that are always treated as spam.
 - you can allow end users to manage the safelist/blocklist for their own accounts
 *** graymail from safelisted senders is not scanned by the graymail engine ***
 - safelist messages will bypass IPAS; if the sender is in the blocklist there can be an action to drop or put into quarantine.
   the blocklisted message will be flagged in case there are further actions by the scanners
 - Senders can be added to safelists and blocklists using the following formats: user@domain.com, server.domain.com,
   domain.com, [10.1.1.0], [ipv6:2001:DB8:1::1], user@[1.2.3.4], or user@[ipv6:2001:db8::1]
   you cannot block a range of .domain.com subdomains, but only the specific emails
 - Safelist/blocklist information is not included in the main XML configuration; you must use the backup wizard
 - When an email is blocked due to safelist/blocklist settings, the action is logged in the ISQ_log files or the anti-spam log files.
   X-SLBL-Result-Safelist or X-SLBL-Result-Blocklist header
 - can use LDAP or IMAP/POP authentication for the end user.
 - Notifications can be sent to each Envelope Recipient that has quarantined email, including mailing lists and other aliases,
   or if you use LDAP authentication, you can choose not to send notifications to mailing list aliases.
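Added example, not code from the course or from Cisco: a small Python matcher for the safelist/blocklist entry formats listed above (user@domain, host, domain, bracketed IPv4/IPv6 literals, user@[ip]), following the note that a host/domain entry covers only that exact name, not a range of subdomains. The sample entries are constructed, and the helper that names the X-SLBL-Result-* header assumes the safelist is consulted before the blocklist.

```python
import ipaddress

# Constructed sample safelist using the entry formats from the notes (not real data)
SAFELIST = [
    "user@domain.com",
    "server.domain.com",
    "domain.com",
    "[10.1.1.0]",
    "[ipv6:2001:DB8:1::1]",
    "user@[1.2.3.4]",
    "user@[ipv6:2001:db8::1]",
]


def _norm_ip(literal):
    """Turn '[10.1.1.0]' or '[ipv6:2001:DB8:1::1]' into a canonical address string."""
    inner = literal[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    return str(ipaddress.ip_address(inner))  # raises ValueError on a bad literal


def parse_entry(entry):
    """Classify an entry or sender into (kind, localpart, host).
    kind is 'ip' for bracketed address literals, 'name' for host/domain names;
    localpart is None when the entry covers every user at that host."""
    local, _, host = entry.strip().rpartition("@")
    local = local.lower() or None
    if host.startswith("[") and host.endswith("]"):
        return ("ip", local, _norm_ip(host))
    return ("name", local, host.lower())


def sender_matches(sender, entries):
    """True if the envelope sender (user@host or user@[ip]) hits one of the entries.
    Host/domain entries must equal the sender's host exactly: as the notes say,
    a whole range of .domain.com subdomains cannot be covered by one entry."""
    kind, s_local, s_host = parse_entry(sender)
    for entry in entries:
        e_kind, e_local, e_host = parse_entry(entry)
        if e_kind == kind and e_host == s_host and e_local in (None, s_local):
            return True
    return False


def slbl_header(sender, safelist, blocklist):
    """Name of the header a hit would stamp (X-SLBL-Result-*), or None.
    Assumption for this example: the safelist is consulted before the blocklist."""
    if sender_matches(sender, safelist):
        return "X-SLBL-Result-Safelist"
    if sender_matches(sender, blocklist):
        return "X-SLBL-Result-Blocklist"
    return None
```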
   
 14.7 Using System Quarantines and Delivery Methods - Managing Messages in the Spam Quarantine

 ** ICID stands for injection connection identifier, assigned when the SMTP conversation starts **
 - spam quarantine: managing the disk space and optimizing disk usage is done at the machine level and
   not on the cluster.
 - click the subject to view the message, body, and headers; auto deletion after the retention time expires.
 - you could also use message tracking to review spam, but you need to have some bits of information, e.g. Netflix
 - can view messages with attachments, HTML messages, or encoded messages.
 - an LDAP query can be used to query AD for the end users.
 - tail the mail logs via the CLI to see messages
 - If you disable the spam quarantine:
   1) If messages are present in the spam quarantine when it is disabled, you can opt to delete all the messages.
   2) Any mail policies set to quarantine spam or suspected spam will instead be set to deliver the message. You may need to adjust mail policies.
   3) To completely disable an external spam quarantine, disable it on both the Cisco ESA and the Cisco SMA.
      - disabling external spam does not delete the quarantine or its messages/data.

14.8 Using System Quarantines and Delivery Methods - Policy, Virus, and Outbreak Quarantines  
 - Examples of how non-spam quarantines can be used in your organization
    1) Policy enforcement: Let Human Resources personnel or the Legal department review messages that may
       contain offensive, confidential, or otherwise disallowed information.
    2) Virus quarantine: Store messages that are marked as infected, encrypted, or not scannable by the
       anti-virus scanning engine to prevent the spread of viruses to your users.
    3) Outbreak prevention: Hold messages that are flagged by the Outbreak Filters as possibly being part
       of a viral outbreak or small-scale malware attack until an anti-virus or anti-spam update is released.
    4) File analysis quarantine: Store messages that have attachments that may contain malware, and that
       have been sent for analysis, until a verdict is reached.
 - If Outbreak Filters and Centralized Quarantines are both enabled:
    1) All disk space on the Cisco ESA that would have been allocated to local policy, virus, and outbreak
       quarantines, is used instead to hold copies of messages in the outbreak quarantine, to scan those
       messages each time outbreak rules are updated.
    2) The disk space on the Cisco ESA for messages in the Outbreak quarantine from a particular managed
    
14.9 Using System Quarantines and Delivery Methods - Managing Policy, Virus, and Outbreak Quarantines    
 - Messages are automatically removed from the quarantine under the following circumstances:
    1) Normal expiration: The configured retention time is met for a message in the quarantine. You specify
       a) retention time for messages in each quarantine.
       b) upon changing the retention time, only new messages will be processed
    2) Early expiration: Messages are forced from quarantines before the configured retention time is reached.
 - If the size limit is reached, the oldest messages, regardless of quarantine, are processed and the default action
 - configure all quarantines to be exempt, and the disk space reaches capacity,
 - There are two primary default actions ** MSG CAN BE RESCANNED **
    1) Delete: The message is deleted.
    2) Release: The message is released for delivery and subject to additional scans and updating of the header
 - Deleting Policy Quarantines
    a) Before you delete a policy quarantine, see if it is associated with any active filters or message
       actions.
    b) You can delete a policy quarantine even if it is assigned to a filter or message action.
    c) If you delete a quarantine that is not empty, the default action defined in the quarantine will be
       applied to all messages, even if you have selected the option not to delete messages if the disk is
       full.
    d) After you delete the quarantine associated with a filter or message action, any messages with
       the result quarantined by that filter or message action will be sent to the unclassified quarantine.
    e) You should customize the default settings of the unclassified quarantine before you delete quarantines.
    f) You cannot delete the unclassified quarantine.    
 - policy quarantines use system memory in addition to hard-drive space, and more time (20k msg recommended)
 - You can centralize quarantines from multiple Cisco ESA on a Cisco Content SMA.
 
14.11 Using System Quarantines and Delivery Methods - Delivery Methods
 - delivery of mail is dependent on the SMTP client (leaving the ESA), and this is the final delivery step
 - The Virtual Gateway technology enables users to separate the appliance into multiple
   Virtual Gateway addresses. This is under the IP interface and done to protect your domain from reputation score degradation:
   add secondary IP addresses to the interfaces.
 - Destination controls are good for older SMTP systems and done per domain/IP address
 - Domain-based limits, often used in a multidomain system.
    a) Concurrent connections: The number of simultaneous connections to remote hosts that the appliance will
       attempt to open.
    b) Maximum messages per connection: The number of messages your appliance will send to a destination
       domain before the appliance initiates a new connection.
    c) Recipients: The number of recipients the appliance will send to a given remote host in a given time
       period.
    d) Limits: How to apply the limits you have specified on a per-destination and per MGA hostname basis.
 - Global Unsubscribe: makes sure specific recipients, domains or IP addresses never receive mail from the appliance;
   max limit of 10k addresses.
 - Bounce limits control how the ESA generates outgoing bounces based on incoming mail,
   i.e. how AsyncOS handles hard or soft conversational bounces for each listener
 - bounce verification: verifies inbound bounce msgs based on the tag added to outgoing mail, per interface
 
15.2 Centralized Management Using Clusters - Overview of Centralized Management Using Clusters
 *** do not exceed more than 20 devices inside the same cluster ***
 *** disable 2FA before joining a cluster ***
 - allows you to manage and configure multiple appliances at the same time, reducing administration time
   and ensuring a consistent configuration across your network
 - this is a mesh architecture and all devices need to connect to each other peer-to-peer
 - load-balance the cluster by using the same MX values on each ESA
 - all devices are constantly communicating every 1m with a heartbeat to see who's around
 - A cluster is defined as a set of machines that share configuration information; it can have multiple
   groups (2 here), and each machine belongs to one group.
   a) cluster level: this is where most configuration takes place, such as content filters, HAT, RAT, SMTPROUTES
   b) group: the distribution level where you could configure things like NTP, DNS, TIMEZONE
   c) machine: the local/access level where you have the individual machine. INTERFACES AND HOSTNAMES
   *** ip addresses are all done at the machine level ***
   *** changes made at the machine level take precedence over group, and group overrides cluster level ***
 - joining or leaving a cluster can ONLY be done on the CLI. A machine joining the cluster only keeps
   its hostname, IP address, local routing tables, local spam queue, and policy queue configuration
    a) validate the SSH host key of the machine
    b) know the IP address in the cluster (port 22 or 2222)
    c) know the admin passphrase
 - when you remove the device from the cluster it does not lose its configuration. the config will be
   flattened and the machine comes back as a standalone.
 - managing clusters:
    a) clustermode command to switch modes (copy settings, or move them, which resets the source level)
    b) experiment with new configurations (machine level only)
    c) must have the same AsyncOS version
    d) an ESA needs to disconnect from the cluster to upgrade
    e) all CLI commands are cluster-aware. communicates via port 22 (SSH) and 2222 (CCS)
 - with the cluster you can experiment with new configuration settings and test them before applying
   them on the cluster level.
 - The most common example of an interdependent setting involves a select field on a page that pulls data
   from a different cluster section. For example, the following features can be configured in different modes:
   LDAP, dictionaries, bounce or SMTP auth profiles.

15.8 Centralized Management Using Clusters - Best practices:
 - If only one machine in the cluster needs a different setting, copy that cluster setting to the machine level for
   that machine. Do not move that setting.
 - To have that machine re-inherit the cluster setting, manage the CM settings and delete the machine setting. You will
   only know if a machine is overriding the cluster setting when you see this display:
 - When to copy: when you want the cluster to have a setting, and a group or machine to also have no settings
   or to have different settings.
 - When to move: when you want the cluster to have no setting at all, and for the group or machine to have
   the settings.
 - To avoid overburdening your SMA's resources, you can access the spam or policy quarantines by logging into
   the respective appliances.
 - Changing the SMTPROUTES on this independent copy of the table will not affect other groups, machines inheriting the cluster settings,
   or machines where the setting is defined at the individual machine level.
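Added example, not AsyncOS code: a toy Python model of the cluster/group/machine precedence from 15.2 and the copy-vs-move best practices above. The group names, machine names and the SMTPROUTES value are constructed; it shows that a copied setting is an independent table (other machines keep inheriting from the cluster), that deleting the machine setting re-inherits, and that a move leaves the cluster with no setting at all.

```python
from copy import deepcopy

class ClusterConfig:
    """Toy model (added example, not AsyncOS code) of the three configuration
    levels from the notes: machine overrides group, group overrides cluster."""

    def __init__(self, groups):
        # groups: {group_name: [machine_name, ...]}; every machine sits in one group
        self.store = {"cluster": {"cluster": {}}, "group": {}, "machine": {}}
        self.group_of = {m: g for g, machines in groups.items() for m in machines}

    def set(self, level, name, key, value):
        # deepcopy so a copied setting is an independent table, as the notes state
        self.store[level].setdefault(name, {})[key] = deepcopy(value)

    def delete(self, level, name, key):
        """Deleting the machine/group setting makes it re-inherit from above."""
        self.store[level].get(name, {}).pop(key, None)

    def effective(self, machine, key):
        """Resolve the value a machine actually uses and the level it came from."""
        scopes = (("machine", machine), ("group", self.group_of[machine]), ("cluster", "cluster"))
        for level, name in scopes:
            if key in self.store[level].get(name, {}):
                return self.store[level][name][key], level
        return None, None

    def copy_setting(self, key, to_level, to_name):
        """Copy: the cluster keeps the setting and the target gets its own copy."""
        self.set(to_level, to_name, key, self.store["cluster"]["cluster"][key])

    def move_setting(self, key, to_level, to_name):
        """Move: the target gets the setting and the cluster no longer has it,
        so machines that were inheriting it fall back to 'no setting'."""
        self.copy_setting(key, to_level, to_name)
        self.delete("cluster", "cluster", key)


def demo():
    """Walk through the best-practice scenario from the notes; returns the resolved levels."""
    cfg = ClusterConfig({"dc1": ["esa1", "esa2"], "dc2": ["esa3"]})
    cfg.set("cluster", "cluster", "smtproutes", {"example.com": "mx1.example.com"})  # constructed value
    cfg.copy_setting("smtproutes", "machine", "esa1")        # only esa1 needs to differ
    cfg.store["machine"]["esa1"]["smtproutes"]["example.com"] = "mx2.example.com"
    levels = {m: cfg.effective(m, "smtproutes")[1] for m in ("esa1", "esa2", "esa3")}
    cfg.delete("machine", "esa1", "smtproutes")              # esa1 re-inherits the cluster setting
    after_delete = cfg.effective("esa1", "smtproutes")[1]
    cfg.move_setting("smtproutes", "group", "dc2")           # now only group dc2 has the table
    return levels, after_delete, cfg.effective("esa1", "smtproutes"), cfg.effective("esa3", "smtproutes")[1]
```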
   
16.2 Testing and Troubleshooting  -  Debugging Mail Flow Using Test Messages: Trace
** CLI **
 - Isolating the problem:
    a) networking problems: not getting the emails (status or status detail)
    b) listener problems: this is the server side. you have the port name, IP interface, and the listener.
       L2, L3, L4. Traffic is arriving on port 25; telnet to port 25 to test
    c) work queue problems: AV, AMP, quarantine queues. listenerconfig checks the allowed hosts.
    d) delivery problems: SMTP CLIENT
 - use the following commands to diagnose issues
  a) status  - check if the listener is suspended, counters were reset
  b) mailconfig - config settings on the appliance (IP address), a human-readable file from the appliance
  c) netstat - state of the NIC or routing table; look at sockets, listen queues, and packet traffic
     information
  d) packetcapture - capturing the packets to review in Wireshark
  e) nslookup - test DNS: PTR, A record, HELO match, mail server accepting delayed bounced msgs (SMTP HELO)
  f) tophosts - the top 20 domains by recipients, internal or external (more so external), to find
     domain-specific issues
  g) hoststatus - for a domain found in the top 20 list, run it with the domain.name
 - the trace command (CLI or GUI): debug the flow of messages through the system by emulating sending a test message.
 - prints a summary of features that would have been "triggered" or affected by the current configuration
   of the system (including uncommitted changes).
 - tlsverify - can we complete the TCP handshake and establish a TLS connection.
 - rate - to review performance issues; all stats are in real time.
 
 16.3 Testing and Troubleshooting - Using the Listener to Test the Appliance
 - Two types of black hole listeners are:
    a) queueing - saves the msg to the queue but then deletes it. this is a good performance test
    b) non-queueing - accepts the msg and deletes it without saving; this is to test the connection from your msg
       generation system to the appliance.
 - A queueing version tests that same path and the appliance's ability to enqueue messages and prepare
   them for delivery via SMTP.
 - check the mail log for any messages; ensure that logging has been enabled, there is a log rollover,
   and you could tweak the output due to the size and name. can retrieve the mail logs via FTP or via the
   web GUI
 - system status - to check various resources
 - Check firewall permissions. The appliance may need all the following ports to be opened to function properly:
   ports 20, 21, 22, 23, 25, 53, 80, 123, 443, and 628.
 
