Email Security with Cisco IronPort
- By Chris Porter
- Published Apr 23, 2012 by Cisco Press.
Book
- Sorry, this book is no longer in print.
- Copyright 2012
- Dimensions: 7-3/8" x 9-1/8"
- Pages: 576
- Edition: 1st
- Book
- ISBN-10: 1-58714-292-9
- ISBN-13: 978-1-58714-292-5
Email Security with Cisco IronPort thoroughly illuminates the security and performance challenges associated with today’s messaging environments and shows you how to systematically anticipate and respond to them using Cisco’s IronPort Email Security Appliance (ESA). Going far beyond any IronPort user guide, leading Cisco expert Chris Porter shows you how to use IronPort to construct a robust, secure, high-performance email architecture that can resist future attacks.
Email Security with Cisco IronPortpresents specific, proven architecture recommendations for deploying IronPort ESAs in diverse environments to optimize reliability and automatically handle failure. The author offers specific recipes for solving a wide range of messaging security problems, and he demonstrates how to use both basic and advanced features-–including several hidden and undocumented commands.
The author addresses issues ranging from directory integration to performance monitoring and optimization, and he offers powerful insights into often-ignored email security issues, such as preventing “bounce blowback.” Throughout, he illustrates his solutions with detailed examples demonstrating how to control ESA configuration through each available interface.
Chris Porter,Technical Solutions Architect at Cisco, focuses on the technical aspects of Cisco IronPort customer engagements. He has more than 12 years of experience in applications, computing, and security in finance, government, Fortune® 1000, entertainment, and higher education markets.
·Understand how the Cisco IronPort ESA addresses the key challenges of email security
·Select the best network deployment model for your environment, and walk through successful installation and configuration
·Configure and optimize Cisco IronPort ESA’s powerful security, message, and content filtering
·Understand the email pipeline so you can take full advantage of it–and troubleshoot problems if they occur
·Efficiently control Cisco IronPort ESA through its Web User Interface (WUI) and command-line interface (CLI)
·Implement reporting, monitoring, logging, and file management
·Integrate Cisco IronPort ESA and your mail policies with LDAP directories such as Microsoft Active Directory
·Automate and simplify email security administration
·Deploy multiple Cisco IronPort ESAs and advanced network configurations
·Prepare for emerging shifts in enterprise email usage and new security challenges
This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.
Online Sample Chapter
Cisco IronPort ESA Web User Interface
Table of Contents
Introduction xxiii
Chapter 1 Introduction to Email Security 1
Overview of Cisco IronPort Email Security Appliance (ESA) 1
AsyncOS 3
Security Management Appliances (SMA) 3
History of AsyncOS Versions 4
Software Features 5
Email Security Landscape 6
Email Spam 6
Viruses and Malware 7
Protecting Intellectual Property and Preventing Data Loss 8
Other Email Security Threats 9
Simple Mail Transfer Protocol (SMTP) 9
SMTP Commands 14
ESMTP Service Extensions 15
SMTP Message Headers and Body 16
Envelope Sender and Recipients 17
Transmitting Binary Data 18
MIME Types 20
Character Sets 21
Domain Name Service (DNS) and DNS MX Records in IPv4 and IPv6 22
Message Transfer Agents (MTA) 23
Abuse of SMTP 24
Relaying Mail and Open Relays 24
Bounces, Bounce Storms, and Misdirected Bounces 25
Directory Harvest Attacks 26
Summary 27
Chapter 2 ESA Product Basics 29
Hardware Overview 29
2U Enterprise Models 30
1U Enterprise Models 31
Selecting a Model 31
Basic Setup via the WUI System Setup Wizard 31
Connecting to the ESA for the First Time 31
Running the System Setup Wizard 32
Reconnecting to the WUI 38
LDAP Wizard and Next Steps 39
Examining the Basic Configuration 41
Next Steps 41
Setup Summary 42
Networking Deployment Models 43
Interfaces, Routing, and Virtual Gateways 43
Single Versus Multinetwork Deployment 47
Routing on Multinetwork Deployments 48
DNS Concerns 49
Firewall Rules 50
Securing Network Interfaces 51
Security Filtering Features 52
SenderBase and Reputation Filters 53
IronPort Anti-Spam 54
Antivirus Features 55
Summary 58
Chapter 3 ESA Email Pipeline 59
ESA Pipeline 59
Listeners 61
Host Access Table (HAT) and Reputation Filters 63
Rate Limiting with Mail Flow Policies 65
DNS and Envelope Checks 67
Sender Authentication 67
Recipient Access Table and LDAP Accept 67
Recipient and Sender Manipulation 70
Default Domain, Domain Map, and Aliases 70
Masquerading 71
LDAP Operations 72
LDAP Accept 72
LDAP Routing and Masquerading 73
Groups 73
Work Queue and Filtering Engines 73
Work Queue Overview 74
Incoming and Outgoing Mail Policies 74
Message Filters 75
Anti-Spam Engine 75
Antivirus Engines 76
Content Filtering 77
Virus Outbreak Filters 78
DLP and Encryption 78
Delivery of Messages 79
Selecting the Delivery Interface (Virtual Gateways) 80
Destination Controls 81
Global Unsubscribe 81
SMTP Routes 82
Selecting Bounce Profiles 83
Handling Delivery Errors with Bounce Profiles 84
Final Disposition 85
Summary 85
Chapter 4 ESA Web User Interface 87
Overview 87
Connecting to the WUI 87
WUI Tour 88
Monitor Menu 88
Overview 89
Incoming Mail 89
Outgoing Destinations 90
Outgoing Senders 90
Delivery Status 90
Internal Users 90
DLP Incidents 91
Content Filters 91
Outbreak Filters 91
Virus Types 92
TLS Connections 92
System Capacity 92
System Status 92
Scheduled Reports 93
Archived Reports 93
Quarantines 93
Message Tracking 94
Mail Policies Menu 94
Incoming Mail Policies 95
Incoming Content Filters 95
Outgoing Mail Policies 96
Outgoing Content Filters 96
Host Access Table (HAT) Overview 96
Mail Flow Policies 97
Exception Table 97
Recipient Access Table (RAT) 97
Destination Controls 97
Bounce Verification 98
DLP Policy Manager 98
Domain Profiles 99
Signing Keys 99
Text Resources 99
Dictionaries 99
Security Services Menu 100
Anti-Spam 100
Antivirus 101
RSA Email DLP 101
IronPort Email Encryption 101
IronPort Image Analysis 101
Outbreak Filters 102
SenderBase 102
Reporting 103
Message Tracking 103
External Spam Quarantine 103
Service Updates 103
Network Menu 104
IP Interfaces 105
Listeners 105
SMTP Routes 105
DNS 106
Routing 106
SMTP Call-Ahead 106
Bounce Profiles 106
SMTP Authentication 107
Incoming Relays 107
Certificates 107
System Administration Menu 108
Trace Tool 108
Alerts 109
LDAP 109
Log Subscriptions 109
Return Addresses 110
Users 110
User Roles 111
Network Access 111
Time Zone and Time Settings 111
Configuration File 112
Feature Keys and Feature Key Settings 112
Shutdown/Suspend 112
System Upgrade 113
System Setup Wizard 113
Next Steps 114
Options Menu 114
Active Sessions 115
Change Password 115
Log Out 115
Help and Support Menu 115
Online Help 116
Support Portal 116
New in This Release 116
Open a Support Case 117
Remote Access 117
Packet Capture 118
WUI with Centralized Management 118
Selecting Cluster Mode 119
Modify CM Options in the WUI 121
Modifying Cluster Settings 121
Other WUI Features 122
Variable WUI Appearance 122
Committing Changes 123
Summary 123
Chapter 5 Command-Line Interface 125
Overview of the ESA Command-Line Interface 125
Using SSH or Telnet to Access the CLI 125
PuTTY on Microsoft Windows 127
Simple CLI Examples 129
Getting Help 132
Committing Configuration Changes 133
Keeping the ESA CLI Secure 134
SSH Options on the ESA 135
Creating and Using SSH Keys for Authentication 136
Login Banners 140
Restricting Access to SSH 140
ESA Setup Using the CLI 141
Basics of Setup 142
Next Setup Steps 142
Commands in Depth 146
Troubleshooting Example 146
Status and Performance Commands 146
Command Listing by Functional Area 156
Mail Delivery Troubleshooting 156
Network Troubleshooting 156
Controlling Services 157
Performance and Statistics 158
Logging and Log Searches 159
Queue Management and Viewing 160
Configuration File Management 161
AsyncOS Version Management 162
Configuration Testing Commands 163
Support Related Commands 163
General Administration Commands 165
Miscellaneous Commands 166
Configuration Listing by Functional Area 167
Network Setup 167
Listeners 168
Mail Routing and Delivery 175
Policy and Filtering 176
Managing Users and Alerts 177
Configuring Global Engine and Services Options 177
CLI-Only Tables 179
Configuration for External Communication 179
Miscellaneous 180
Batch Commands 181
Hidden/Undocumented Commands 183
Summary 186
Chapter 6 Additional Management Services 187
The Need for Additional Protocol Support 187
Simple Network Management Protocol (SNMP) 188
Enabling SNMP 188
SNMP Security 189
Enterprise MIBs 189
Other MIBs 190
Monitoring Recommendations 191
Working with the ESA Filesystem 193
ESA Logging 196
ESA Subsystem Logs 196
Administrative and Auditing Logs 197
Email Activity Logs 198
Debugging Logs 199
Archive Logs 201
Creating a Log Subscription 202
Logging Recommendations 202
Transferring Logs for Permanent Storage 203
HTTP to the ESA 204
FTP to the ESA 204
FTP to a Remote Server 204
SCP to a Remote Server 205
Syslog Transfer 205
Understanding IronPort Text Mail Logs 206
Message Events 206
Lifecycle of a Message in the Log 207
Tracing Message History 209
Parsing Message Events 211
A Practical Example of Log Parsing 212
Using Custom Log Entries 215
Summary 217
Chapter 7 Directories and Policies 219
Directory Integration 219
The Need for Directory Integration 220
Security Concerns 220
Brief LDAP Overview 221
LDAP Setup on ESA 223
Advanced Profile Settings 225
Basic Query Types 226
Recipient Validation with LDAP 227
Recipient Routing with LDAP 229
Sender Masquerading 230
Group Queries 231
Authentication Queries 233
AD Specifics 233
Testing LDAP Queries 234
Advanced LDAP Queries 234
Troubleshooting LDAP 239
Incoming and Outgoing Mail Policies 241
Group-Based Policies 241
Group Matches in Filters 241
Other LDAP Techniques 242
Using Group Queries for Routing 242
Per-Recipient Routing with AD and Exchange 244
Using Group Queries for Recipient and Sender Validation 244
Summary 245
Chapter 8 Security Filtering 247
Overview 247
The Criminal Ecosystem 248
Reputation Filters and SenderBase Reputation Scores 248
Enabling Reputation Filters 249
Reputation Scores 250
Connection Actions 250
HAT Policy Recommendations 250
IronPort Anti-Spam (IPAS) 251
Enabling IPAS 252
IPAS Verdicts 253
IPAS Actions 254
Content Filters and IPAS 255
Recommended Anti-Spam Settings 257
Spam Thresholds 257
Actions for the Bold 258
Actions for the Middle-of-the-Road 258
Actions for the Conservative 258
Outgoing Anti-Spam Scanning 259
Sophos and McAfee Antivirus (AV) 259
Enabling AV 260
AV Verdicts 262
AV Actions 263
AV Notifications 263
Content Filters and AV 264
IronPort Outbreak Filters (OF) 266
Enabling OF 267
OF Verdicts 267
OF Actions 268
Message Modification 269
Content Filters and OF 270
Recommended AV Settings 270
Incoming AV Recommendations 271
Outgoing AV Recommendations 272
Using Content Filters for Security 273
Attachment Conditions and Actions 273
Filtering Bad Senders 276
Filtering Subject or Body 277
Summary 278
Chapter 9 Automating Tasks 279
Administering ESA from Outside Servers 279
CLI Automation Examples 280
SSH Clients 281
Expect 281
Perl 283
CLI Automation from Microsoft Windows Servers 285
WUI Automation Examples 287
Polling Data from the ESA 287
Retrieving XML Data Pages 287
Using XML Export for Monitoring 290
Pushing Data to the ESA and Making Configuration Changes 292
Changing Configuration Settings Using the CLI 293
Committing Changes Using the CLI 295
Changing Configuration Settings Using the WUI 296
Committing Changes Using the WUI 298
Retrieving Reporting Data from the WUI 298
Data Export URLs 299
Other Data Export Topics 302
Example Script 305
Summary 308
Chapter 10 Configuration Files 309
ESA and the XML Configuration Format 309
Configuration File Structure 310
Importing and Exporting Configuration Files 313
Exporting 314
Importing 315
Editing Configuration Files 316
Duplicating a Configuration 317
Partial Configuration Files 318
Automating Configuration File Backup 320
Configuration Backup via CLI 320
Configuration Backup via WUI 321
Configuration Files in Centralized Management Clusters 323
Summary 325
Chapter 11 Message and Content Filters 327
Filtering Email Messages with Custom Rules 327
Message Filters Versus Content Filters 328
Processing Order 331
Enabling Filters 332
Combinatorial Logic 332
Scope of Message Filters 333
Handling Multirecipient Messages 334
Availability of Conditions and Actions 334
Filter Conditions 334
Conditions That Test Message Data 335
Operating on Message Metadata 336
Attachment Conditions 337
System State Conditions 339
Miscellaneous Filter Conditions 340
Filter Actions 340
Changing Message Data 340
Altering Message Body 341
Affecting Message Delivery 343
Altering Message Processing 344
Miscellaneous Filter Actions 344
Action Variables 345
Regular Expressions in Filters 347
Dictionaries 350
Notification Templates 351
Smart Identifiers 352
Using Smart Identifiers 353
Smart Identifier Best Practices 354
Content Filter and Mail Policy Interaction 354
Filter Performance Considerations 359
Improving Filter Performance 360
Filter Recipes 362
Dropping Messages 362
Basic Message Attribute Filters 363
Body and Attachment Scanning 364
Complex Combinatorial Logic with Content Filters 366
Routing Messages Using Filters 367
Integration with External SMTP Systems 368
Cul-de-Sac Architecture 369
Inline Architecture 371
Delivering to Multiple External Hosts 371
Interacting with Security Filters 373
Reinjection of Messages 375
Summary 376
Chapter 12 Advanced Networking 377
ESA with Multiple IP Interfaces 377
Multihomed Deployments 378
Virtual Gateways 380
Adding New Interfaces and Groups 381
Using Virtual Gateways for Email Delivery 382
Virtual Gateways and Listeners 385
Multiple Listeners 386
Separating Incoming and Outgoing Mail 386
Multiple Outgoing Mail Listeners 386
Separate Public MX from Submission 387
ESA and Virtual LANs 388
Other Advanced Configurations 390
Static Routing 390
Transport Layer Security 392
Using and Enforcing TLS When Delivering Email 393
Using and Enforcing TLS When Receiving Email 396
Certificate Validation 397
Managing Certificates 398
Adding Certificates to the ESA 399
TLS Cipher and Security Options 402
Split DNS 405
Load Balancers and Direct Server Return (DSR) 408
Summary 411
Chapter 13 Multiple Device Deployments 413
General Deployment Guidelines 413
Email Availability with Multiple ESAs 415
Load-Balancing Strategies 415
SMTP MX Records 415
Domains Without MX Records 416
Incoming and Outgoing Mail with MX Records 417
Single Location with Equal MX Priorities 417
Multiple Locations with Equal MX Priorities 417
Unequal MX Priorities 418
Disaster Recovery (DR) Sites 419
Third-Party DR Services 419
Limitations of MX Records 420
Dedicated Load Balancers 422
Load Balancers for Inbound Mail 422
Load Balancers for Outgoing Mail 423
Multitier Architectures 424
Two-Tiered Architectures 425
Three-Tiered Architectures 426
Functional Grouping 427
Large Message Handling 429
Architectures with Mixed MTA Products 431
Integration with External Systems 431
External Email Encryption 432
External Data Loss Prevention (DLP) Servers 433
Email Archiving Servers 435
Archiving Inline or Cul-de-Sac 435
Archiving Through BCC 436
Other Archiving Ideas 437
Introducing, Replacing, or Upgrading ESA in Production 439
Adding the First ESA to the Environment 439
Replacing an ESA for Upgrade 440
Management of Multiple Appliances 443
Centralized Management Overview 443
Creating a CM Cluster 444
Joining an Existing CM Cluster 444
Creating and Managing CM Groups 446
Using CM in the WUI 450
Using CM in the CLI 453
Centralized Management Limitations and Recommendations 457
Size of CM Clusters 457
Configuration Files in Clusters 457
Upgrading Clustered Machines 457
Summary 459
Chapter 14 Recommended Configuration 461
Best Practices 461
Redundancy and Capacity 461
Securing the Appliance 462
Security Filtering 464
HAT Policy Settings 464
Whitelisting and Blacklisting 466
Spam Quarantining 468
Deciding to Quarantine or Not 468
End-User Quarantine Access 469
Administrative-Only Quarantine Access 469
Automated Notifications 470
Being a Good Sender 471
Being Rate Limited 471
Outbound Sending Practices 472
Handling Bounces 473
Variable Envelope Return Path 474
DNS and Sender Authentication 475
Dealing with Blacklisting 475
Compromised Internal Sources 477
Bounce Verification 479
Recommendations for Specific Environments 482
Small and Medium Organizations 483
Large or Complex Organizations 483
Service Providers 484
Higher Education 485
Email “Front End” to Complex Internal Organizations 486
Summary 487
Chapter 15 Advanced Topics 489
Recent Developments 489
Authentication Standards 490
Path-Authentication Standards: SPF and SIDF 491
Determining the Identity of the Sender 493
Deploying SPF 494
SPF Challenges 495
Using SPF and SIDF Verification on ESA 496
Message Authentication: DKIM 498
Enabling DKIM Signing on ESA 498
The DKIM-Signature Header 499
DKIM Selectors and DNS 499
Other DKIM Signing Options 500
DKIM Signing Performance 501
DKIM Verification on ESA 501
DKIM Challenges 502
DKIM and SPF Recommendations 503
Regulatory Compliance 504
General Concepts 504
Personally Identifiable Information (PII) 504
Payment Card Data 505
Personal Financial Information 505
Mitigation 506
Data Loss Prevention (DLP) 506
Enabling Data Loss Prevention Policies 506
Adding a DLP Policy 507
Taking Action on Matching Messages 507
Classifiers and Entities 509
Custom Classifiers 509
Customizing Policies 512
Customizing Content Matching on Predefined Policies 512
Customizing User and Attachment Rules 513
Integration with Content Filters 514
Summary 515
TOC, 3/23/2012, 9781587142925
Other Things You Might Like
- Securing Enterprise Networks with Cisco Meraki
- Book $55.99
- In Zero Trust We Trust
- eBook (Watermarked) $34.39