Email Security with Cisco IronPort

About the Book

Email Security with Cisco IronPort thoroughly illuminates the security and performance challenges associated with today’s messaging environments and shows you how to systematically anticipate and respond to them using Cisco’s IronPort Email Security Appliance (ESA). Going far beyond any IronPort user guide, leading Cisco expert Chris Porter shows you how to use IronPort to construct a robust, secure, high-performance email architecture that can resist future attacks.

Email Security with Cisco IronPort presents specific, proven architecture recommendations for deploying IronPort ESAs in diverse environments to optimize reliability and automatically handle failure. The author offers specific recipes for solving a wide range of messaging security problems, and he demonstrates how to use both basic and advanced features, including several hidden and undocumented commands.

The author addresses issues ranging from directory integration to performance monitoring and optimization, and he offers powerful insights into often-ignored email security issues, such as preventing “bounce blowback.” Throughout, he illustrates his solutions with detailed examples demonstrating how to control ESA configuration through each available interface.

Chris Porter, Technical Solutions Architect at Cisco, focuses on the technical aspects of Cisco IronPort customer engagements. He has more than 12 years of experience in applications, computing, and security in finance, government, Fortune® 1000, entertainment, and higher education markets.
  • Understand how the Cisco IronPort ESA addresses the key challenges of email security
  • Select the best network deployment model for your environment, and walk through successful installation and configuration
  • Configure and optimize Cisco IronPort ESA’s powerful security, message, and content filtering
  • Understand the email pipeline so you can take full advantage of it and troubleshoot problems if they occur
  • Efficiently control Cisco IronPort ESA through its Web User Interface (WUI) and command-line interface (CLI)
  • Implement reporting, monitoring, logging, and file management
  • Integrate Cisco IronPort ESA and your mail policies with LDAP directories such as Microsoft Active Directory
  • Automate and simplify email security administration
  • Deploy multiple Cisco IronPort ESAs and advanced network configurations
  • Prepare for emerging shifts in enterprise email usage and new security challenges

This security book is part of the Cisco Press® Networking Technology Series. Security titles from Cisco Press help networking professionals secure critical data and resources, prevent and mitigate network attacks, and build end-to-end self-defending networks.

Table of Contents:
Introduction

Chapter 1: Introduction to Email Security
    Overview of Cisco IronPort Email Security Appliance (ESA)
        AsyncOS
        Security Management Appliances (SMA)
    History of AsyncOS Versions
        Software Features
    Email Security Landscape
        Email Spam
        Viruses and Malware
        Protecting Intellectual Property and Preventing Data Loss
        Other Email Security Threats
    Simple Mail Transfer Protocol (SMTP)
        SMTP Commands
        ESMTP Service Extensions
        SMTP Message Headers and Body
        Envelope Sender and Recipients
        Transmitting Binary Data
        MIME Types
        Character Sets
        Domain Name Service (DNS) and DNS MX Records in IPv4 and IPv6
        Message Transfer Agents (MTA)
        Abuse of SMTP
        Relaying Mail and Open Relays
        Bounces, Bounce Storms, and Misdirected Bounces
        Directory Harvest Attacks
    Summary

Chapter 2: ESA Product Basics
    Hardware Overview
        2U Enterprise Models
        1U Enterprise Models
        Selecting a Model
    Basic Setup via the WUI System Setup Wizard
        Connecting to the ESA for the First Time
        Running the System Setup Wizard
        Reconnecting to the WUI
        LDAP Wizard and Next Steps
        Examining the Basic Configuration
        Next Steps
        Setup Summary
    Networking Deployment Models
        Interfaces, Routing, and Virtual Gateways
        Single Versus Multinetwork Deployment
        Routing on Multinetwork Deployments
        DNS Concerns
        Firewall Rules
        Securing Network Interfaces
    Security Filtering Features
        SenderBase and Reputation Filters
        IronPort Anti-Spam
        Antivirus Features
    Summary

Chapter 3: ESA Email Pipeline
    ESA Pipeline
        Listeners
        Host Access Table (HAT) and Reputation Filters
        Rate Limiting with Mail Flow Policies
        DNS and Envelope Checks
        Sender Authentication
        Recipient Access Table and LDAP Accept
    Recipient and Sender Manipulation
        Default Domain, Domain Map, and Aliases
        Masquerading
    LDAP Operations
        LDAP Accept
        LDAP Routing and Masquerading
        Groups
    Work Queue and Filtering Engines
        Work Queue Overview
        Incoming and Outgoing Mail Policies
        Message Filters
        Anti-Spam Engine
        Antivirus Engines
        Content Filtering
        Virus Outbreak Filters
        DLP and Encryption
    Delivery of Messages
        Selecting the Delivery Interface (Virtual Gateways)
        Destination Controls
        Global Unsubscribe
        SMTP Routes
        Selecting Bounce Profiles
        Handling Delivery Errors with Bounce Profiles
        Final Disposition
    Summary

Chapter 4: ESA Web User Interface
    Overview
    Connecting to the WUI
    WUI Tour
        Monitor Menu
        Overview
        Incoming Mail
        Outgoing Destinations
        Outgoing Senders
        Delivery Status
        Internal Users
        DLP Incidents
        Content Filters
        Outbreak Filters
        Virus Types
        TLS Connections
        System Capacity
        System Status
        Scheduled Reports
        Archived Reports
        Quarantines
        Message Tracking
        Mail Policies Menu
        Incoming Mail Policies
        Incoming Content Filters
        Outgoing Mail Policies
        Outgoing Content Filters
        Host Access Table (HAT) Overview
        Mail Flow Policies
        Exception Table
        Recipient Access Table (RAT)
        Destination Controls
        Bounce Verification
        DLP Policy Manager
        Domain Profiles
        Signing Keys
        Text Resources
        Dictionaries
        Security Services Menu
        Anti-Spam
        Antivirus
        RSA Email DLP
        IronPort Email Encryption
        IronPort Image Analysis
        Outbreak Filters
        SenderBase
        Reporting
        Message Tracking
        External Spam Quarantine
        Service Updates
        Network Menu
        IP Interfaces
        Listeners
        SMTP Routes
        DNS
        Routing
        SMTP Call-Ahead
        Bounce Profiles
        SMTP Authentication
        Incoming Relays
        Certificates
        System Administration Menu
        Trace Tool
        Alerts
        LDAP
        Log Subscriptions
        Return Addresses
        Users
        User Roles
        Network Access
        Time Zone and Time Settings
        Configuration File
        Feature Keys and Feature Key Settings
        Shutdown/Suspend
        System Upgrade
        System Setup Wizard
        Next Steps
        Options Menu
        Active Sessions
        Change Password
        Log Out
        Help and Support Menu
        Online Help
        Support Portal
        New in This Release
        Open a Support Case
        Remote Access
        Packet Capture
    WUI with Centralized Management
        Selecting Cluster Mode
        Modify CM Options in the WUI
        Modifying Cluster Settings
    Other WUI Features
        Variable WUI Appearance
        Committing Changes
    Summary

Chapter 5: Command-Line Interface
    Overview of the ESA Command-Line Interface
    Using SSH or Telnet to Access the CLI
        PuTTY on Microsoft Windows
        Simple CLI Examples
    Getting Help
        Committing Configuration Changes
    Keeping the ESA CLI Secure
        SSH Options on the ESA
        Creating and Using SSH Keys for Authentication
        Login Banners
        Restricting Access to SSH
    ESA Setup Using the CLI
        Basics of Setup
        Next Setup Steps
    Commands in Depth
        Troubleshooting Example
        Status and Performance Commands
        Command Listing by Functional Area
        Mail Delivery Troubleshooting
        Network Troubleshooting
        Controlling Services
        Performance and Statistics
        Logging and Log Searches
        Queue Management and Viewing
        Configuration File Management
        AsyncOS Version Management
        Configuration Testing Commands
        Support Related Commands
        General Administration Commands
        Miscellaneous Commands
        Configuration Listing by Functional Area
        Network Setup
        Listeners
        Mail Routing and Delivery
        Policy and Filtering
        Managing Users and Alerts
        Configuring Global Engine and Services Options
        CLI-Only Tables
        Configuration for External Communication
        Miscellaneous
        Batch Commands
        Hidden/Undocumented Commands
    Summary

Chapter 6: Additional Management Services
    The Need for Additional Protocol Support
    Simple Network Management Protocol (SNMP)
        Enabling SNMP
        SNMP Security
        Enterprise MIBs
        Other MIBs
        Monitoring Recommendations
    Working with the ESA Filesystem
    ESA Logging
        ESA Subsystem Logs
        Administrative and Auditing Logs
        Email Activity Logs
        Debugging Logs
        Archive Logs
        Creating a Log Subscription
        Logging Recommendations
        Transferring Logs for Permanent Storage
        HTTP to the ESA
        FTP to the ESA
        FTP to a Remote Server
        SCP to a Remote Server
        Syslog Transfer
    Understanding IronPort Text Mail Logs
        Message Events
        Lifecycle of a Message in the Log
        Tracing Message History
        Parsing Message Events
        A Practical Example of Log Parsing
        Using Custom Log Entries
    Summary

Chapter 7: Directories and Policies
    Directory Integration
        The Need for Directory Integration
        Security Concerns
    Brief LDAP Overview
    LDAP Setup on ESA
        Advanced Profile Settings
        Basic Query Types
        Recipient Validation with LDAP
        Recipient Routing with LDAP
        Sender Masquerading
        Group Queries
        Authentication Queries
        AD Specifics
        Testing LDAP Queries
        Advanced LDAP Queries
        Troubleshooting LDAP
    Incoming and Outgoing Mail Policies
        Group-Based Policies
        Group Matches in Filters
    Other LDAP Techniques
        Using Group Queries for Routing
        Per-Recipient Routing with AD and Exchange
        Using Group Queries for Recipient and Sender Validation
    Summary

Chapter 8: Security Filtering
    Overview
    The Criminal Ecosystem
    Reputation Filters and SenderBase Reputation Scores
        Enabling Reputation Filters
        Reputation Scores
        Connection Actions
        HAT Policy Recommendations
    IronPort Anti-Spam (IPAS)
        Enabling IPAS
        IPAS Verdicts
        IPAS Actions
        Content Filters and IPAS
    Recommended Anti-Spam Settings
        Spam Thresholds
        Actions for the Bold
        Actions for the Middle-of-the-Road
        Actions for the Conservative
        Outgoing Anti-Spam Scanning
    Sophos and McAfee Antivirus (AV)
        Enabling AV
        AV Verdicts
        AV Actions
        AV Notifications
        Content Filters and AV
    IronPort Outbreak Filters (OF)
        Enabling OF
        OF Verdicts
        OF Actions
        Message Modification
        Content Filters and OF
    Recommended AV Settings
        Incoming AV Recommendations
        Outgoing AV Recommendations
    Using Content Filters for Security
        Attachment Conditions and Actions
        Filtering Bad Senders
        Filtering Subject or Body
    Summary

Chapter 9: Automating Tasks
    Administering ESA from Outside Servers
    CLI Automation Examples
        SSH Clients
        Expect
        Perl
        CLI Automation from Microsoft Windows Servers
    WUI Automation Examples
    Polling Data from the ESA
        Retrieving XML Data Pages
        Using XML Export for Monitoring
    Pushing Data to the ESA and Making Configuration Changes
        Changing Configuration Settings Using the CLI
        Committing Changes Using the CLI
        Changing Configuration Settings Using the WUI
        Committing Changes Using the WUI
    Retrieving Reporting Data from the WUI
        Data Export URLs
        Other Data Export Topics
        Example Script
    Summary

Chapter 10: Configuration Files
    ESA and the XML Configuration Format
    Configuration File Structure
    Importing and Exporting Configuration Files
        Exporting
        Importing
    Editing Configuration Files
        Duplicating a Configuration
        Partial Configuration Files
    Automating Configuration File Backup
    Configuration Backup via CLI
    Configuration Backup via WUI
    Configuration Files in Centralized Management Clusters
    Summary

Chapter 11: Message and Content Filters
    Filtering Email Messages with Custom Rules
        Message Filters Versus Content Filters
        Processing Order
        Enabling Filters
        Combinatorial Logic
        Scope of Message Filters
        Handling Multirecipient Messages
        Availability of Conditions and Actions
    Filter Conditions
        Conditions That Test Message Data
        Operating on Message Metadata
        Attachment Conditions
        System State Conditions
        Miscellaneous Filter Conditions
    Filter Actions
        Changing Message Data
        Altering Message Body
        Affecting Message Delivery
        Altering Message Processing
        Miscellaneous Filter Actions
    Action Variables
    Regular Expressions in Filters
    Dictionaries
    Notification Templates
    Smart Identifiers
        Using Smart Identifiers
        Smart Identifier Best Practices
    Content Filter and Mail Policy Interaction
    Filter Performance Considerations
        Improving Filter Performance
    Filter Recipes
        Dropping Messages
        Basic Message Attribute Filters
        Body and Attachment Scanning
        Complex Combinatorial Logic with Content Filters
        Routing Messages Using Filters
        Integration with External SMTP Systems
        Cul-de-Sac Architecture
        Inline Architecture
        Delivering to Multiple External Hosts
        Interacting with Security Filters
        Reinjection of Messages
    Summary

Chapter 12: Advanced Networking
    ESA with Multiple IP Interfaces
        Multihomed Deployments
        Virtual Gateways
        Adding New Interfaces and Groups
        Using Virtual Gateways for Email Delivery
        Virtual Gateways and Listeners
    Multiple Listeners
        Separating Incoming and Outgoing Mail
        Multiple Outgoing Mail Listeners
        Separate Public MX from Submission
    ESA and Virtual LANs
    Other Advanced Configurations
        Static Routing
        Transport Layer Security
        Using and Enforcing TLS When Delivering Email
        Using and Enforcing TLS When Receiving Email
        Certificate Validation
        Managing Certificates
        Adding Certificates to the ESA
        TLS Cipher and Security Options
        Split DNS
        Load Balancers and Direct Server Return (DSR)
    Summary

Chapter 13: Multiple Device Deployments
    General Deployment Guidelines
    Email Availability with Multiple ESAs
    Load-Balancing Strategies
        SMTP MX Records
        Domains Without MX Records
        Incoming and Outgoing Mail with MX Records
        Single Location with Equal MX Priorities
        Multiple Locations with Equal MX Priorities
        Unequal MX Priorities
        Disaster Recovery (DR) Sites
        Third-Party DR Services
        Limitations of MX Records
        Dedicated Load Balancers
        Load Balancers for Inbound Mail
        Load Balancers for Outgoing Mail
    Multitier Architectures
        Two-Tiered Architectures
        Three-Tiered Architectures
        Functional Grouping
        Large Message Handling
    Architectures with Mixed MTA Products
        Integration with External Systems
        External Email Encryption
        External Data Loss Prevention (DLP) Servers
        Email Archiving Servers
        Archiving Inline or Cul-de-Sac
        Archiving Through BCC
        Other Archiving Ideas
    Introducing, Replacing, or Upgrading ESA in Production
        Adding the First ESA to the Environment
        Replacing an ESA for Upgrade
    Management of Multiple Appliances
        Centralized Management Overview
        Creating a CM Cluster
        Joining an Existing CM Cluster
        Creating and Managing CM Groups
        Using CM in the WUI
        Using CM in the CLI
        Centralized Management Limitations and Recommendations
        Size of CM Clusters
        Configuration Files in Clusters
        Upgrading Clustered Machines
    Summary

Chapter 14: Recommended Configuration
    Best Practices
        Redundancy and Capacity
        Securing the Appliance
    Security Filtering
        HAT Policy Settings
        Whitelisting and Blacklisting
        Spam Quarantining
        Deciding to Quarantine or Not
        End-User Quarantine Access
        Administrative-Only Quarantine Access
        Automated Notifications
    Being a Good Sender
        Being Rate Limited
        Outbound Sending Practices
        Handling Bounces
        Variable Envelope Return Path
        DNS and Sender Authentication
        Dealing with Blacklisting
        Compromised Internal Sources
    Bounce Verification
    Recommendations for Specific Environments
        Small and Medium Organizations
        Large or Complex Organizations
        Service Providers
        Higher Education
        Email “Front End” to Complex Internal Organizations
    Summary

Chapter 15: Advanced Topics
    Recent Developments
    Authentication Standards
        Path-Authentication Standards: SPF and SIDF
        Determining the Identity of the Sender
        Deploying SPF
        SPF Challenges
        Using SPF and SIDF Verification on ESA
        Message Authentication: DKIM
        Enabling DKIM Signing on ESA
        The DKIM-Signature Header
        DKIM Selectors and DNS
        Other DKIM Signing Options
        DKIM Signing Performance
        DKIM Verification on ESA
        DKIM Challenges
        DKIM and SPF Recommendations
    Regulatory Compliance
        General Concepts
        Personally Identifiable Information (PII)
        Payment Card Data
        Personal Financial Information
        Mitigation
    Data Loss Prevention (DLP)
        Enabling Data Loss Prevention Policies
        Adding a DLP Policy
        Taking Action on Matching Messages
        Classifiers and Entities
        Custom Classifiers
        Customizing Policies
        Customizing Content Matching on Predefined Policies
        Customizing User and Attachment Rules
        Integration with Content Filters
    Summary

About the Author:
Chris Porter was one of the first field systems engineers hired by IronPort Systems in 2003, around the time of the launch of the ESA C-series product. He has served as systems engineer, SE manager, and now technical solutions architect at Cisco, which acquired IronPort in June 2007.

Chris has been involved in planning, deploying, and configuring Email Security Appliances (ESA) at hundreds of organizations, with a chief role in both pre-sales engagements and post-sales support. His experience has made him a trusted voice in ESA product design decisions.

Chris holds bachelor’s and master’s degrees in Computer Science from Stevens Institute of Technology in Hoboken, NJ, and a CCNA certification. Chris is currently a technical solutions architect at Cisco, specializing in content security and the IronPort email and web-security products and services.


Product Details
  • ISBN-13: 9781587142925
  • Publisher: Pearson Education (US)
  • Publisher Imprint: Cisco Press
  • Height: 231 mm
  • No. of Pages: 576
  • Weight: 934 g
  • ISBN-10: 1587142929
  • Publication Date: 03 May 2012
  • Binding: Paperback
  • Language: English
  • Spine Width: 29 mm
  • Width: 187 mm

