BRKSEC-2325 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
http://www.tagesanzeiger.ch/sonntagszeitung/dny/hacker-erpressen-hoteliers/story/12093156
A note about Best Practices
Throughout the material we will present options for tuning your environment.
These are meant to be general guidelines, and as each environment is unique, it is recommended that settings be set in monitor mode first.
After a determined time, perform analysis and tuning of rules and settings to achieve the desired result.
Nicole Wajer
Consulting Systems Engineer, EMEAR (North)
@vlinder_nl
Joined Cisco Dec 2007
Now Content Security & IPv6
For Your Reference
There are (many...) slides in your print-outs that will not be presented. They are there For Your Reference.
Agenda
Per-Policy Scanning
LDAP RCPT Accept
Advanced Malware (AMP)
Global Unsubscribe
HAT, Blacklist/WhiteList
Host Access Table (HAT) Structure
HATs are associated per listener, which is defined as being Public or Private. Once a listener is defined, it cannot be used for outbound-facing mail traffic. No restrictions for domains.
The structure of the HAT is defined by the listener type; once created, a default configuration is loaded.
Mail Flow Policies (MFP) are also created based on the listener type, thus an MFP such as Relayed would not be created until a Private Listener is defined, or created manually.
SMTP server processing order for a listener: Host Access Table (HAT), Domain Map, Recipient Access Table (RAT), Alias Table, LDAP RCPT Accept, SMTP Call-Ahead, DKIM / SPF Verification, DMARC Verification, S/MIME Verification.
Host Access Table Structure
IPs and Hosts are evaluated in the HAT Top Down, First Match
SenderGroups are containers that define the policy based on match
Inclusion into a SenderGroup is defined by Reputation Score, DNS, or explicit match
SenderGroup Options
SenderBase scores can be attached to the SenderGroups; ensure that the neutral and no-score ranges are addressed.
Within the settings you define the Name and the Mail Flow Policy.
Nomenclature is important as it will be displayed in logs and reports.
SBRS scores can be assigned to the group:
Thu Jun 9 13:40:34 2016 Info: New SMTP ICID 8 interface Management (10.10.10.90) address 94.46.249.12
Thu Jun 9 13:40:34 2016 Info: ICID 8 ACCEPT SG SUSPECTLIST match sbrs[-3.0:-1.0] SBRS -2.1
Thu Jun 9 13:40:34 2016 Info: Start MID 410 ICID 8
Note that SBRS uses multiple sources including honeypots and DNSBLs
Understanding Email Reputation
IP Reputation Score: the scale runs from -10 through 0 to +10.
HAT Host Access Table
Systems are added to the various Sender Groups manually, by adding the sender's IP address, host name, or partial host name, or they fall into a particular Sender Group because of their reputation score.
How to Configure Block/White List just 1 Sender?
How to Configure Block/White List - 2
How to Configure Block/White List - 3
Block/Whitelist FULL Domain/IP = HAT
DNS / Relay Considerations
Reputation: DNS and caching
DNS is the most critical external service for the ESA
By default there are 4 DNS lookups per request: Reverse DNS, 2 SBRS lookups, and a number of requests per connection by default.
With SPF, DKIM and DMARC: 3 or more DNS TXT record lookups.
At least 7 possible DNS lookups per connection (excluding any caching).
Now factor in outbound destination DNS resolution, LDAP, internal hosts, etc.
Use more resolvers in high-connection environments.
So what if I use the Cisco Umbrella DNS Resolvers?
ESA Relay host Not First Hop
If you allow another MTA to sit at your network's perimeter and handle all external connections, then the Email Security Appliance will not be able to determine the sender's IP address.
The solution is to configure your appliance to work with incoming relays. You specify the names and IP addresses of all of the internal MX/MTAs connecting to the Cisco appliance, as well as the header used to store the originating IP address.
Relay Host Configure
Network -> Incoming Relays
Receive header for Relay List
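An added example (written for this page, not Cisco's code) of the incoming-relay logic just described: given the configured relay list and either a custom header stamped by the relay or the Received: headers, find the IP address the reputation check should apply to. The sample message, the relay network 192.0.2.0/24 and the header name X-Connecting-IP are constructed.

```python
import ipaddress
import re
from email import message_from_string

# Received: from host (name [198.51.100.7]) by ... -> grab the first bracketed IP
RECEIVED_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def _is_relay(ip, relays):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in relays)


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def originating_ip(raw_message, connecting_ip, relays, custom_header=None):
    """Return the address that reputation (HAT/SBRS) should be evaluated against.

    Headers are only trusted when the connecting MTA is itself a configured relay;
    any other host could insert arbitrary headers, so its connecting IP is used."""
    if not _is_relay(connecting_ip, relays):
        return connecting_ip
    msg = message_from_string(raw_message)
    if custom_header:                      # relay stamps the client IP into a custom header
        value = (msg.get(custom_header) or "").strip()
        return value if _valid_ip(value) else connecting_ip
    # Each hop prepends its own Received: header, so the newest is first. Walk down
    # past every hop that is a known relay; the first other IP is the origin.
    for received in msg.get_all("Received", []):
        m = RECEIVED_IP.search(received)
        if not m or not _valid_ip(m.group(1)):
            continue
        if not _is_relay(m.group(1), relays):
            return m.group(1)
    return connecting_ip                   # every hop was internal (internally generated mail)


# Constructed sample: external MTA -> relay2 (192.0.2.20) -> relay1 (192.0.2.10) -> ESA
SAMPLE_MESSAGE = """Received: from relay2.corp.example (relay2.corp.example [192.0.2.20])
    by relay1.corp.example with ESMTP id 4Xyz; Thu, 9 Jun 2016 13:40:34 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
    by relay2.corp.example with ESMTP id 7Abc; Thu, 9 Jun 2016 13:40:33 +0000
X-Connecting-IP: 198.51.100.7
From: someone@sender.example
To: user@corp.example
Subject: test

body
"""
INTERNAL_RELAYS = ["192.0.2.0/24"]
```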
Anti-Spam (IPAS)
Types of Spam
Antispam
Mail Policies -> Incoming Mail Policies
Spam Options
Positively-identified spam is email that is known spam.
Suspected spam is email that has characteristics of spam, but has not been confirmed as spam yet.
Emails identified as positively-identified spam and suspected spam can be delivered, dropped, sent to the spam quarantine, or bounced, with an additional option to send to an alternate host.
Cisco IronPort Anti-Spam (IPAS)
Tuning levels: Conservative (unchanged), Moderate, Aggressive
Graymail (Detection)
Graymail
Marketing Message Detection is off by default.
Recommendation for each incoming mail policy: mark the message subject line with the text [MARKETING] and deliver it to the end user, if company policy permits.
Marketing messages make up a large percentage of the complaints regarding missed spam. Tagging them allows email administrators to do what they feel is best for their organisation: drop, quarantine, or deliver marketing messages. Alternatively, the email administrator could create a rule to place such messages in the user's Outlook Junk Mail folder, or simply allow the end users to create their own rules for handling those messages.
Spam vs Graymail - 1
Spam is email that the recipient did not opt to receive (unsolicited) and that generally has embedded links, pictures and other documents that may be disguised to look legitimate, but are actually malicious in nature. Spam emails are intended to fool the recipient and cause harm to the end user's environment. For more information on spam, please refer to the CAN-SPAM Act of 2003.
Spam vs Graymail - 2
In short: Graymail is email that the recipient opted to receive, but doesn't really want in their inbox. A good example is when you go shopping and provide your email address to receive coupons/discounts and other notifications from that vendor. These emails are known as graymail: you opted to receive them, but after a while you grow tired of how many annoying emails the vendor sends, and so they end up being reported as spam, which they aren't at all.
Graymail Tuning Checklist
Advanced Malware Protection
Why Advanced Malware Protection?
AMP on ESA with Threat Grid Public Cloud: Detailed Flow Chart
[Flow chart; the stages recoverable from it are listed below]
Mail pipeline: Reputation Filtering -> Anti-Spam -> Anti-Virus -> AMP -> Content Filters -> Outbreak Filters -> Queue Mail for Delivery
AMP stage: mail attachments are sent to AMP -> calculate SHA256 -> reputation check against the AMP Cloud (file known?) -> disposition
  Disposition = malware: Drop or Deliver Mail
  Disposition = good: continue
  Disposition = unknown: SPERO check -> Pre-Classification check -> Upload Action = 1 -> send file (upload to Threat Grid) -> Quarantine & Track
Threat Grid: query TG; while the analysis is running the message stays in quarantine; when the analysis is completed with Threat Score >= 95, Threat Grid pokes the file into the AMP Cloud; if the quarantine timer expires, Drop or Deliver Mail
Poke File in AMP Cloud = the Threat Grid cloud marks the SHA256 of the file with disposition = malicious, almost instantaneously
AMP on ESA Pre-Classification
Before an unknown file is submitted there is a pre-classification engine that selects only files with active or suspicious content.
Pre-classification signatures are byte-code rules that detect suspicious indicators such as:
Embedded macros, EXEs, Flash
PDF within PDF, corrupt headers, invalid XREF, etc.
Advanced Malware Protection (AMP)
Advanced Malware Protection is integrated on the ESA.
It provides File Reputation, File Sandboxing, and File Retrospection.
Combined with native URL filtering, the ESA provides full malware and phishing detection.
AMP on ESA with Threat Grid Public Cloud
Considerations
If the file was submitted to the Threat Grid cloud and got a Threat Score >= 95, then the Threat Grid cloud will update the file disposition in the AMP cloud for this SHA256 instantaneously.
The ESA does not act on a Threat Score from the Threat Grid cloud directly.
The ESA only waits for the analysis to finish and then sends the file through AV and AMP again.
Malware will then be convicted by AMP due to the adjusted disposition.
Thus the ESA relies heavily on Threat Grid poking file dispositions into the AMP cloud.
Tell me more about AMP&TG
BRKSEC-2890
Web Reputation Filters
and URL Filtering
URL Filtering
Security Services -> URL Filtering
By default, URL Filtering applies to all URLs, but you have the possibility to whitelist certain URLs. This can be useful for internal domains and URLs, which of course will not have a reputation score or a URL category.
URL Rewriting
Outbreak Filters have the option to rewrite a URL. The URL then no longer points directly to the destination but is redirected over the Cisco Cloud Web Security proxy.
Outbreak Filter URL Rewrite
URL Rewriting - continued
It is recommended to rewrite only URLs that are not signed.
If a URL is digitally signed, rewriting it would make the signature no longer valid.
If the user clicks on the URL, they will be redirected to the Cloud Web Security proxy:
URL with Content Filter - Condition
URL filtering happens in two places (CASE & Outbreak Filters), but URLs can also be pro-actively scanned by a Content Filter.
URL with Content Filter - Action
Malicious URL - Outbreak Filters in action
Outbreak Filters can still stop malicious URLs; no rewrite needed.
Turn on URL scores in Message Tracking
By default there is no URL score in Message Tracking.
This must be turned ON on the CLI:
<hostname-esa> outbreakconfig
URL Filtering Checklist
Enable URL Filtering on the ESA
Enable Web Interaction Tracking (if permitted by policy)
Enable URL visibility in Message Tracking for certain admin users (if permitted by policy)
Enable Threat Outbreak Filtering and message modification (warn your users!)
Whitelist your partner URLs; use the scores to create filters for others
Combine the reputation rules and leverage language detection as part of the logic
Use the policies to define the level of aggression for rule sets
Spoofing (FED)
Forged Email Detection (New for 10.0)
Forged Email Filters
In this example, we took the From header and stripped it from the message if the match was 70 or above.
Combined with a warning disclaimer, this would expose the bad sender while warning the end user.
The idea here is that for names that are low-threshold matches, you can use the strip-header action to expose the envelope sender; if it is legitimate, it won't disrupt mail flow.
If all else fails, warn the user of a potential issue by using a disclaimer text on top of the message.
Info: MID 2089 Forged Email Detection on the From: header with score of 100, against the dictionary entry Han Solo
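An added example (written for this page, not Cisco's FED implementation) of the recipe on this slide: score the From: display name against a dictionary of protected names and, at a score of 70 or above, replace the From header with the envelope sender and put a disclaimer on top of the body. The ESA's scoring algorithm is not public, so the score here is a stand-in built on difflib; the dictionary entries, addresses and disclaimer text are constructed, and the log line copies the format quoted above.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed dictionary; a real deployment holds the display names of people
# likely to be impersonated (executives, finance, HR).
FED_DICTIONARY = ["Han Solo", "Leia Organa"]
THRESHOLD = 70          # the slide strips the From header at a score of 70 or above
DISCLAIMER = ("WARNING: the sender's display name resembles a name on the company's "
              "protected list. Verify through another channel before acting on it.")


def _norm(name):
    """Lower-case, drop punctuation, squeeze whitespace (hypothetical normalisation)."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", name.lower()).split())


def fed_score(display_name, entry):
    """0-100 similarity, stand-in for the ESA's own score: the better of a direct
    character comparison and a token-sorted one, so "Solo, Han" still hits "Han Solo"."""
    a, b = _norm(display_name), _norm(entry)
    direct = SequenceMatcher(None, a, b).ratio()
    by_tokens = SequenceMatcher(None, " ".join(sorted(a.split())),
                                " ".join(sorted(b.split()))).ratio()
    return round(100 * max(direct, by_tokens))


def check_forged(from_header, envelope_sender, body, mid,
                 dictionary=FED_DICTIONARY, threshold=THRESHOLD):
    """Score the From: display name against every dictionary entry; at or above the
    threshold, expose the envelope sender as From: and prepend the disclaimer."""
    display, _addr = parseaddr(from_header)
    result = {"action": "deliver", "score": 0, "entry": None,
              "from": from_header, "body": body, "log": None}
    if not display:
        return result                          # bare address, no display name to compare
    entry, score = max(((e, fed_score(display, e)) for e in dictionary),
                       key=lambda pair: pair[1])
    result["score"], result["entry"] = score, entry
    result["log"] = (f"Info: MID {mid} Forged Email Detection on the From: header "
                     f"with score of {score}, against the dictionary entry {entry}")
    if score >= threshold:
        result["action"] = "strip-from+disclaimer"
        result["from"] = envelope_sender       # strip the forged header, show the real sender
        result["body"] = DISCLAIMER + "\n\n" + body
    return result
```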
Spoofing Checklist
Know who your allowed external spoofs are by tracking them via filters and policies
Build the list as the exception, trap all others
With 10.0, use the Forged Email Detection feature to look for matches on the display name; if too close to call, drop the From header
Send a copy of suspected spoofs to a quarantine for review and then tune your rules to start blocking messages
Make a plan to enable SPF, DKIM and DMARC
What about SPF/DKIM & DMARC?
BRKSEC-3540
Attachment Control and Defense
Overview
Macro Enabled Attachment Handling
While macros enable extended functionality in documents, spreadsheets, and more, they are of concern to customers since they can be an infection vector.
This feature gives customers the ability to identify macros in PDF, Office, and OLE file types, and several options for handling them, including:
Strip Attachment with Macro
Quarantine message
Drop message
Change Recipient
Send Copy (BCC)
And more
Macro Detection
New Content Filter Detection
The Content Filter Condition sets the file types to be scanned for macros and can include:
Adobe PDF
Microsoft Office files
OLE file types
This Condition is available for both inbound and outbound Content Filters.
Strip Attachment with action
Macro Detection
Using Message Filters
Tips and Tricks
The use of Telemetry
Why is Telemetry important
Telemetry: what does it send to Talos?
When enabled, the Context Adaptive Scanning Engine (CASE) is used to collect and report the data (regardless of whether or not Cisco anti-spam scanning is enabled).
The data is summarized information on message attributes and information on how different types of messages were handled by Cisco appliances. We do not collect the full body of the message.
http://www.cisco.com/c/en/us/support/docs/security/web-security-appliance/200440-Web-Sender-Base-Network-Participation-W.html#anc5
Telemetry
"fullsenderbaseconfig"
Downloading log files using your browser
Use your browser to get the log files
The New Protocol
IPv6
In Summary
The days of set it and forget it are long gone: continuous monitoring and tuning are required to keep up with today's threats.
Understand what your organization's security posture is and apply it to your appliances.
Keep your appliances updated: we are constantly introducing new features that require upgrades / updates.
Check out our Chalk Talks on YouTube and the Guides on Cisco.com to help with tuning and setting up new features on Cisco Email Security.
Enable SenderBase Participation; it is especially useful for targeted attacks.
BRKSEC-2131 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 94
Summary of Recommendations
Security Services
  IronPort Anti-Spam: Always scan 1MB and Never scan 2MB
  Web Security SDS / URL Filtering
CLI Level Changes
  websecurityadvancedconfig > disable_dns=1, max_urls_to_scan=20, num_handles=5, default_ttl=600
Summary of Recommendations
Host Access Table
  Additional SenderGroups:
    SKIP_SBRS: place higher for sources that skip reputation
    SPOOF_ALLOW: part of the Spoofing Filter
    PARTNER: for TLS Forced connections
  In SUSPECTLIST: include SBRS score None; optionally, include failed PTR checks
  Aggressive HAT Sample:
    BLACKLIST [-10 to -2] POLICY: BLOCKED
    SUSPECTLIST [-2 to -1] POLICY: HEAVYTHROTTLE
    GRAYLIST [-1 to 2 and NONE] POLICY: LIGHTTHROTTLE
    ACCEPTLIST [2 to 10] POLICY: ACCEPTED
Mail Flow Policy (default), Security Settings
  Set TLS to Preferred
  Enable SPF
  Enable DKIM
  Enable DMARC and Send Aggregate Feedback Reports
Incoming Mail Policies
  Anti-Spam thresholds: Positive = 90, Suspect = 39
  Anti-Virus: Don't repair; Disable Archive Message
  AMP: Add "AMP" to Subject Prepend for Unscannable; Disable Archive Message
  Graymail: Scanning enabled for each Verdict, Prepend Subject and Deliver; Add x-header for Bulk email: header = X-BulkMail, value = True
  Outbreak Filters: Enable message modification; Rewrite URL for unsigned messages; Change Subject prepend to: [Possible $threat_category Fraud]
Outgoing Mail Policies
  Anti-Virus:
    Virus Infected: Prepend Subject: Outbound Malware Detected: $Subject
    Notification to Others: Order form admin contact
    Unscannable: don't Prepend the Subject
    Uncheck "Include an X-header with the AV scanning results in Message"
Summary of Recommendations
Content Filters
  Inappropriate Content Filter: Conditions: Profanity OR Sexual dictionary match; send a copy to the Inappropriate quarantine.
  URL Malicious Reputation Content Filter: Send a copy of URL Malicious (-10 to -6) to quarantine.
  URL Category Content Filter with these categories selected: Adult, Pornography, Child Abuse, Gambling. Send a copy to the Inappropriate quarantine.
Policy Quarantines
  Pre-create the following quarantines:
    Inappropriate Inbound
    Inappropriate Outbound
    URL Malicious Inbound
    URL Malicious Outbound
    Suspect Spoof
    Malware
Cisco Spark
Ask Questions, Get Answers, Continue the Experience
The Spark Room will be open for 2 weeks after Cisco Live
Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session.
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations.
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
Demos in the World of Solutions Security Area
Meet the Engineer 1:1 meetings
Meet Nicole Wajer
Tweet @vlinder_nl #CLEUR
Thank You