ESA Partner Training 2016 V2

Email Security :: Appliance,
Cloud, Virtual
Manish Behal
Security Solutions Architect
mbehal@cisco.com
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Presented by: Manish Behal - CCIE#22198
•  ~20 years industry experience

•  15 years in Networking and Security
•  Many roles: 1st line Support, engineer, consultant to Architect
•  Big and small networks

•  I’ve broken it too!!
At the end of the session, the participants should be able to:
•  Describe the Security Threats posed by a customer’s Email
system
•  List and Describe Cisco’s Email Security Solutions
•  Suggest a Security Solution that Fits your Customer’s needs
•  Demonstrate a PoC
•  Use best practices during an appliance install so that customer
satisfaction is assured
•  Threat Landscape - Why it’s important
•  Introduction to Email Security
•  Email Form Factors - Picking the right box
•  Email Architecture - Getting it working
•  Mail Flow Pipeline & Processing
•  Inbound Features
•  Outbound Features
•  LDAP
•  Centralized Reporting & Message Tracking
•  PoC
•  What’s New in 9.x
Introduction to Email Security
Customers can be curious about Cisco’s acquisition of
IronPort, LLC. IronPort was known for innovation.
What has Cisco done to carry the torch for email security?
First, let’s look at IronPort’s innovations that made is a market

leader from the start
IronPort Engineering
Dedicated to Development and Innovation
IronPort Virus IronPort

Outbreak Filter™ Bounce
Verification™
IronPort
SenderBase™
IronPort
AsyncOS™
Now let’s look at what Cisco
IronPorthas
Web accomplished
Reputation IronPort DVS™
IronPort
Reputation Engine
Filters™
IronPort Email
Security Appliances Domain Keys Cisco Acquires
Integrated IronPort Systems,
LLC
2001 2002 2003 2004 2005 2006 2007
Cisco Engineering
Dedicated to Continuing Development and Innovation
Cloud Email Data Center Launched in Sourcefire AMP integration

EU
Cloud Email Services RSA Enterprise Manager

Intelligent MultiScan for
Launched Integration
Antispam
Unwanted Marketing
IronPort Spoof Message Detection SAML Support for
Checker Encryption
URL
Global IPS Reputation Outbreak Filters
Classification
WBRS
Control
AMP
FIPS and Common Criteria IPv6 Support Integration
Deep Integration of RSA DLP
Engine Support
2014
2008 2009 2010 2011 2012
•  Cisco continuously develops new features that
solves complex mail management issues
•  9.x is a prime example, cutting edge features

are being introduced
•  ‘Intra Business’ Unit integration in constantly

happening: ISE (WSA), AMP, ThreadGrid etc
•  Traffic flow and installation connectivity will
depend on the customer’s security policy needs
•  Engaging with the right people early on can

ensure the solution does what it should and
demonstrates it’s capabilities to the full
•  Poor architecture and policy configuration can

result in little value add - Get it right early on by
keeping it simple where possible
•  SMTP - Simple Mail Transfer Protocol
•  MTA - Message Transfer Agent.
•  ESA - Email Security Appliance (a.k.a C-Series)
•  CASE - Context Adaptive Scanning Engine
•  SMA - Security Management Appliance (a.k.a M-Series)
•  TLS - Transport Layer Security, a.k.a. Gateway-to-Gateway Encryption
•  CES - Cisco Email Services – a.k.a. “hosted services”
•  IPAS - IronPort Anti-Spam
•  HAT - Host Access Table
•  RAT - Recipient Access Table
•  SBNP - SenderBase Network Participation
•  SBRS - SenderBase Reputation Score
Email Terms and Flow
You send an email to a customer… how does it get there?
Q. Is it instant? Yes or no?
Q. If yes, how? If no, why not?
MTA Relay
sends it to
DNS the server
Type and
send email
Groupware
Server
Groupware LDAP Processes it
Server
Processes it
•  Groupware? SMTP?
•  Relay? LDAP? Customer
MTA Relay •  MTA? DNS? receives it
Relay if sends it to
external the customer Where does all of this live?
On-Premises Cloud Hybrid Managed Virtual
Award-Winning Dedicated Best of Both Fully Managed Fully Virtualized
Technology SaaS Instances Worlds on Premises
Vmware ESXi
Same Award Winning Technology
Email Security Appliance
Form Factors
Model Hard Disks RAID CPU / RAM NIC Fiber
Level Option
C680 6 x 300Gb 10 2X6 (2 hexa cores) 32GB 4 Yes
C380 2 x 600Gb 10 1X6 (1 hexa core) 16GB 4
C170 2 x 250Gb 1 (Software) 1X2 (1 dual core) 4GB 2
•  The x70 and x60 series appliances are no longer sold, but are currently supported.
•  x90 planned for Q3/4 2015
•  Due to resource constraints, the older x60 series appliances will not be supported on 9.0. AsyncOS
versions through 8.x will be the last versions supported
•  Always check the Datasheets on cisco.com for latest information
http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-729751.html?cachemode=refresh
Model Physical HW Disk (GB) RAM (GB) Cores
Equivalent
C000V C170 200 4 1
C100V C170 200 6 2
C300V C380 500 8 4
C600V C680 500 8 8
•  The C000v is recommended for evaluation use only as it is only a single core appliance
•  Virtual Machines have many possibilities, even if customer WANTS hardware
Why migrate?
•  Lower operational cost vs. on- premises

•  Guaranteed scalability / capacity assurance
•  Service Level Agreements
-  99.999% uptime
-  99% inbound spam catch rate
-  1/1 million FP rate
-  100% known virus catch rate
-  99.999% CRES uptime
•  Hybrid model: Best of both worlds

-  Cloud for inbound, on-premises for outbound
Data Centers
1
Email SaaS
Inbound Hygiene:
Removes spam
and viruses
Outbound Control:
Cisco Email Security Services Apply DLP and 3
Providing industry-leading email encryption policies
security in the cloud
§  99.999% Uptime
§  99+% Spam catch rate
Pass Clean Email 2
§  <1 in 1M false positives
§  100% known virus catch rate
Key Service Attributes

§  Co-managed access
§  Capacity assurance
Customer
Data Centers
1
Hybrid SaaS
Inbound Hygiene:
Removes spam
and viruses
Cisco Email Security Services

Combining industry-leading email
security inbound in the cloud with
outbound control in the customer’s
network
§  Scan and control content before Pass Clean Email 2
it exits the network
§  Encryption happens before the
message hits the customer’s
network border
Key Service Attributes

Outbound Control:
§  Greater control for customers 3
Apply DLP and
who need or desire it encryption policies Customer
•  Threat Landscape
•  Introduction to Email Security
•  Email Form Factors
•  Email Architecture
•  LDAP
Email Architecture
Email is simple. We want to be the:
§  First Hop In

§  Last Hop Out
There are many ways to install the Email Security

Appliance
Traffic flow and installation connectivity will

depend on the customer’s security policy needs.
The ESA fits in nicely into almost any network topology, with minimal re-
design - mail solution customer side does not matter, Exchange, Domino,
anything!
Single ISP Topology Dual ISP Topology
•  Work closely with the security and network
domains to work out how to get this into the
network so the solution demonstrates its
value
Lets take a look at how you can install this

into an existing network………
§  Easy to configure
§  Security Nightmare: No protection for
inside network or outside interfaces
Internet
§  The ESA is hardened;
§  but this is a DO NOT DO scenario
Outside interface
Inside interface
Mail Server
§  Easy to configure
§  No protection for the outside interface
Internet §  The ESA is hardened, however, generally is a
DO NOT DO scenario
Outside interface
Inside
interface
Mail Server
§  Both interfaces are protected by the firewall
Internet
§ Traffic can be buffered during an interface failure
or NIC pairing can be applied
§  Can filter and control traffic to/from the internet
Outside
interface and to/from the internal network
Inside §  Offers protection of all resources

interface
§  Firewall represents a possible single point of
failure or bottleneck
Mail Server
§  System protected by firewall
§  Simplifies firewall configuration for passing traffic
§  Single interface represents a “possible” traffic bottleneck
Internet
§  Preferred and THE most common method of installation
for customers
Mail Server
§  System is well protected
§  Traffic can be buffered during an interface failure
Internet §  Configure redundant firewalls for maximum uptime
and to reduce single points of failure
Outside
interface
Inside
interface
Mail Server
§  Meets the most stringent customer connectivity
needs
§  Requires a larger appliance with 3 interfaces
Internet
§  Can be done in multi-firewall DMZ or with a single
interface installation
§  Use the route command on CLI to configure traffic
Outside
interface
flows for the 3rd interface
Inside
interface
Management
Network Link
Mail Server
•  MX records are easiest and most common way to do redundancy
•  Relies on the robust nature of communications on the internet
•  If one server cannot be contacted, fail over to the next on the list
company.com MX preference = 10, mail exchanger = west.mail.company.com

company.com MX preference = 10, mail exchanger = east.mail.company.com
Internet
west.mail.company.com east.mail.company.com
West Coast
Mail Server East Coast
Mail Server
Resiliency and HA can be offered in multiple ways to
accommodate the business needs:
Internet
•  Use larger appliances with RAID Arrays and redundant PUS’s

•  Use NIC teaming to help protect against network failures
•  Use multiple appliances and MX records
•  Appliances can be load balanced with VIPs on a L4-7 switch or
L4-7 Switch
upstream load balancer
Mail Server
•  Manage a group of ESAs by making changes to one
•  No additional hardware or software required
•  Configuration changes on one machine pushed to the other
•  Can cluster up to 20 machines
•  Centralized reports, message tracking and quarantining on M-Series
Internet
Cluster
West Coast East Coast

Mail Server Mail Server
•  Within a cluster, configuration information is divided into 3 groupings
or levels .
•  The top level describes cluster settings; the middle level describes
group settings; and the lowest level describes machine-specific
settings.
•  Cluster level settings are ‘enterprise wide’, good practice to configure
company wide parameters here
•  Settings that have been specifically configured at lower levels will
override settings configured at higher levels
•  Create and Join cluster from CLI only using clusterconfig
command, changes can be made at GUI later
•  Machine joining a cluster will inherit settings except machine specific
parameters like IP
•  A cluster does not allow the connected machines to have different
versions of AsyncOS.
•  Log files are still local – think SMA!
•  Removing a machine from a cluster ‘flattens’ the config, it becomes

an autonomous unit
Mail Flow Pipeline & Processing
Anti-Spam Compliance
•  SenderBase Reputation Filtering •  Content Filters
•  Cisco Anti-Spam (IPAS) •  RSA DLP (Digital Guardian NOW)
•  Intelligent Multi-Scan •  Weighted Content Dictionaries
•  Envelope Encryption
•  TLS
Inbound Security Cisco Email Outbound Control

Security
Solution
Anti-Virus/Phish Control &
Monitoring
•  Outbreak Filters (OF)
•  McAfee Anti-Virus •  Secure Message Delivery
•  Sophos Anti-Virus •  Transport Layer Security
•  AMP – Anti-Malware •  Outbound client infection
monitoring and control
•  Administrative alerts
•  Outbound reporting
Processing Incoming Mail (Work Queue)
Bad or Good Message Rules: Spam, Not-Spam,
senders? Drop, Bounce, Good BUT Signature AMP Filter on New
Archive, Marketing, Potential based AV Engine Specific Viruses
-10 to -3 ALL Quarantine Spam, types of with no
dropped! content Signatures
REPUTATION MESSAGE
FILTERS ANTI-SPAM ANTI-VIRUS
FILTERS (IPAS, ISQ, AMP CONTENT OUTBREAK
(Shopos AND or
IMAS) FILTERS FILTERS
McAfee)
ASYNCOS EMAIL PLATFORM
TALOS SANDBOX
Filtering of External Threats
REPUTATION
FILTERS MESSAGE
OFF FILTERS ANTI-SPAM
ANTI-VIRUS
OFF CONTENT OUTBREAK
FILTERS RSA*
FILTERS
DLP
OFF
Enforcing Corporate Compliance
LDAP Recipient Acceptance
Encryption
Host Access Table (HAT) (Work Queue time)
Masquerading or Virtual Gateways

Received Header LDAP Masquerading
Delivery Limits
Default Domain LDAP Routing
Received: Header
Domain Map Message Filters
per-user safelist / blocklist
Domain-based Limits
Recipient Access Table (RAT) Anti-Spam
Domain-based Routing
Per-Policy Scanning
Anti-Virus
Alias Tables
Global Unsubscribe
AMP
Content Filters DKIM Signing
Process Mail
SMTP Call-Ahead
Outbreak Filters
Work Queue Bounce Profiles
DKIM Verification RSA DLP Engine
(outbound)
SPF/SIDF Verification
Work Queue SMTP client
SMTP Server SMTP Process Quarantine SMTP
Receive Mail Delivery
Deliver Mail
Accept Mail
Inbound Email
Cisco® Talos
SenderBase Reputation Filtering Drop
Antispam Drop/Quarantine
Antivirus Drop/Quarantine
Advanced Malware Protection (AMP) Drop/Quarantine
Rewrite
Graymail Detection
Quarantine/Rewrite
Outbreak Filters
Real-Time URL Analysis
Deliver Quarantine Rewrite URLs Drop

•  Reputation Security delivers a numeric score about an object,
which allows a security device to take a policy-based action.
•  Reputation is built on three things:
1.  Our own assessment (e.g., using SensorBase data)
2.  Assessment by trusted 3rd parties
3.  Sophisticated models that produce a score in real-time
SensorBase The
?
IP Address Reputation
23.24.19.29 -3
-10 -5 0 +5 +10
Black List Suspect Unknown
Talos Threat Intelligence
I00I III0I III00II 0II00II I0I000 0110 00 100I II0I III00II 0II00II I0I000 0II0 00
Threat Research
10I000 0II0 00 0III000 II1010011 101 1100001 110
Intelligence
II II0000I II0 101000 0II0 00 0III000 III0I00II
Response
110000III000III0
[Talos]
I00I II0I III0011 0110011 101000 0110 00 I00I II0I III00II 0II00II 101000 0110 00 1100001110001III0
Advanced Industry Disclosures

WWW
Outreach Activities
100 TBEndpoints
Email Web per Day
Networks IPS Devices
Intelligence 3.6PB Monthly Dynamic Analysis

1.6M sensors though CWS
Threat Centric Detection Content
150 million+
SEU/SRU
endpoints
35% Sandbox
email world wide VDB
FireAMP™, 3+
million Security Intelligence
13B web req Email & Web Reputation
AEGIS™ & SPARK
Open Source
Communities
180,000+ Files per
Day
1B SBRS Queries
Cisco Security Intelligence Operations
Three Defense Pillars
SensorBase Threat Operations Dynamic Updates

Center
Comprehensive Threat Researchers and Real-Time Updates and
Intelligence Automated Analysis Best Practices
Leading the Competition © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 50
SensorBase
Depth and Breadth of Coverage
Threat Intelligence Benefits
§  Over 1.6M global devices §  360 degree dynamic threat
visibility
§  Historical library of 40,000 threats
§  Understanding of vulnerabilities
§  35% of global email traffic seen
and exploit technologies
per day
§  Visibility into highest threat
§  13B+ Worldwide web requests
vehicles
seen per day
§  Latest attack trends and
§  200+ parameters tracked
techniques
§  Multi-vector visibility
Over 1,000 servers process over 500GB of threat data per day
Dynamic Updates
Automated Defense
Updates Cisco Security Benefits
Intelligence
§  Automated updates Operations §  Reduces exposure window
delivered to Cisco security
§  Minimizes security
devices every 3–5 minutes
management overhead
§  8M+ Rules per day
§  Reputation updates for
real-time protection
See the latest
threat outbreaks
and where they
are in the world
Enter your
customer’s IP
address to look
up their
reputation in
SenderBase.
Excellent way to show off the power of the solution and how it can help
your customers
REPUTATION MESSAGE
FILTERS AMP CONTENT OUTBREAK
FILTERS FILTERS
Before During After
Scope
Discover Detect Contain
Enforce Block Remediate
Harden Defend
Cisco
Anti-
Intelligent multiscan (IMS) spam
Engine
Cisco
Anti- Anti-
What spam
Engine B
spam
Engine
Anti-
spam
Engine
SBRS Who When (Future)
Cisco
Powered by Anti-Spam
Cisco® SIO Mail Policies
§  Normal mail is
spam filtered Where How
§  Suspicious emails
Incoming mail are rate limited and
good, bad, and spam filtered
unknown email
Whitelist is spam filtered
Known bad email is §  URL reputation and context

blocked before used in scoring
entering the network §  > 99% catch rate
§  < 1 in 1 million false positives
HOW?
• Message leaves trace of
spamware tool WHO?
•  IP address recently
WHAT?
started sending email
•  All text inside an image •  Message originated from
•  Random dots appear dial-up IP address
within the message •  Sending IP address
•  Nearly identical color located in regions known
scheme in 100,000s for attack.
spamtrap msgs
WHERE?
WWW.FASTMONEY.COM
Verdict
Positive Spam >90

Suspect Spam >50
Clean Message < = 49
Defense-In-Depth Anti Spam
IronPort
Anti-
Spam
Engine
Delivered
Anti- IronPort
Spam Anti- Results
Engine Spam
Incoming Engine
good, bad, B
and
unknown
email Anti-
Spam
Engine Dropped
(Future)
Intelligent Multi-Scan
1
2
Configure Anti-Spam
Settings here Default: Admin can view Quarantine, must enable
Quarantine Notification to allow users to view.
EDITOR'S CORNER
Securing The Web Anticipation
Gateway In The World Of

Big changes are happening at
Websense, and as a loyal subscriber
Web 2.0
to our newsletter,
WebsenseConnect, I want to share
Does Web 2.0 have legitimate business applications? If so, how can business the news with you first. Think you
take advantage of its unique capabilities? In this Q&A, Gene Hodges, CEO of know Websense? If you've been a
Websense, shares his insights on the risks, rewards, and future of Web 2.0 and Websense (or SurfControl) customer
the secure Web gateway. for years, be prepared for a big
MOREsurprise—we are way more than
BUSINESS FOCUS APPLICATION FOCUS
Web security.
Business Blogs, Vapid Web 2.0 Ready for MORE
or Vital? Prime Time? QUICK LINKS
PRODUCT TIP OF THE MONTH
With 40,000 new blogs cropping up Web 2.0 makes many promises, but
CUSTOMER TRAINING
every day, it begs the question—is there managers are stumped about how to use EVENTS
a business benefit to blogging? And with it to drive growth and profits. With SUPPORT
the blogosphere already inconceivably companies like Google, IBM, and Adobe WEBSENSE NEWS
immense, how can one company stand creating software for commercial use ofSUCCESS STORY
out? Learn how enterprises such as Furniture Seller
Web 2.0, businesses are poised to make
General Motors have made their mark, the leap. Learn more about the new Tables Threats
and how you can too, in this applications and how your business can
Furniture retailer WS Badcock
BusinessWeek story about social media get up to speed in this ChannelWeb Corporation is taking aggressive
and business. review. measures against emerging Internet
MORE MORE
threats. Awarethat current attacks
LATEST NEWS
are focused on secretly stealing
OLYMPIANS CONNECT WI TH FANS THROUGH BLOGS
information rather than the highly
visible and public "bring down the
ACQUISITION HELPS READY INTERNET SECURI TY SOFTWARE FIRM FOR WEB 2.0 network" attacks, the company
selected Websense Email Security
THE 2008 SUMMER OLYMPICS: THE MOST DIGITAL OF ALL because of its ability to stop spam
and viruses and prevent confidential
information from leaving the
MANAGING ACCESS TO FACEBOOK: A GOOD IDEA?
organization through email.
Privacy Policy
At Buy.com, your privacy
is a top priority. Please
read our privacy policy
details.
…
X All information collected
from you will be shared
with Buy.com and its
affiliate companies.
§  Not Spam, because of tacit opt-in and working opt-out
§  Full Overview Reporting
§  Config in IPAS settings
Monitor > Incoming Mail
Mail Policies > Incoming Mail Policies > Anti-
Spam

End-user clicks on the
Graymail Detection rewritten un-subscription link
in the banner
Click-time check of the

rewritten link
Marketing If found safe > redirect to

palladium
Palladium service executes

Social Media Rewrites
Unsubscribe
un-subscription on behalf of
the end-user
Bulk
Cisco® Talos
Rewrite
Email Contains URL
Send to Cloud
§  BLOCKEDwww.playb
oy.comBLOCKED
Defang/Block §  BLOCKEDwww.proxy
.orgBLOCKED
“This URL is blocked by

Replace
policy”
URL Reputation and

Categorization
REPUTATION MESSAGE
FILTERS FILTERS
Antispam Engines Antivirus Engines
Cisco
Anti-Spam
Choice of Antivirus Engines

§  Sophos
§  McAfee
§  Or both Sophos and McAfee
Mail Policies > Incoming Mail Policies > AV link in Mail Policy
Click to edit policy
Enable AV for Mail Policy
Action when virus

found: “Scan, or
Scan and Repair”
Attachments Dropped,
Rest delivered
For Encrypted
and
Unscannable,
you can’t be sure
the message is
clean
Advanced settings
provide custom
headers for mail
agents to sort on,
or redirect a
message
REPUTATION MESSAGE
FILTERS FILTERS
Cisco AMP delivers integrated…
Additional Point-in-time
Retrospective Security
Protection
File Reputation & Sandboxing Continuous Analysis
Cisco zero-hour malware protection
Advanced Malware Protection
Reputation
SourceFire update
AMP File File
integration Reputatio Sandboxing
Unknown files are
n uploaded for
Known File sandboxing
Reputation
Advanced Malware Protection Outbreak Filters
Cloud Powered Telemetry Based Zero-

Zero-Hour Malware Hour Virus and
Detection Malware Detection
AMP On-Prem Sandboxing
AMP with ThreatGrid Solution Architecture
Heartbeat
Retrospective
Cisco (Talos, AMP)
ESA Cloud
AMP Client
File Reputation
Query
AMP
Connector Local Cache
PDF AMP verdict

HTML
Email Parallel Query is prioritized
– Clean
SWF Pre-Classification
Malicious
JPG
Disposition
Sandbox Connector Query
Qualified File,
Upload for
Sandboxing
Local AV
PDF Scanners
Cisco On Prem
Sandboxing
§  Quarantine to store potential malware under investigation in sandbox
§  System quarantine with standard functions
-  Release, Delete, Send Copy, and Delay scheduled exit
§  Autorelease and rescan the message when file analysis is complete
REPUTATION MESSAGE
FILTERS FILTERS
Content Filters
•  Executed after the Policy Engine
•  Executed after security engines
•  Nice, easy to use GUI
•  Limited scope of conditions/actions
•  Either “AND” or “OR” logical operators between all conditions
•  Separate set of filters for Incoming and Outgoing mail
Message Filters
•  Executed before the Policy Engine
•  Applies to the entire mail flow
•  More flexible in both capabilities and scripting capabilities; Python
Actions You Can Take Things You Can Look for
Quarantine message (or a copy) Message Body or Attachments
Send copy to (bcc) Message Body
Notify someone Message Size
Strip attachments by type Attachment Content
Redirect message Attachment File Info
Insert or Strip a header Attachment Protected
Add footer Subject Header
Skip Outbreak Filter processing Other Header
AND Envelope Sender
Bounce message, or Envelope Recipient
Drop message, or Receiving Listener
Deliver message Remote IP
Encrypt and Deliver Reputation Score
DKIM Authentication
1 Identify the content that needs a custom action
Build the filter with ‘Conditions & Actions’. Order the filter appropriately
2
in the list.
3 Choose a Mail Policy to apply this Filter to
4 Test the filter with the Trace tool
5 Commit the changes Globally
1
•  Business Needs determine ‘sensitive’ content
•  Content can be tracked on key words
Exchange.cisco.com
172.20.0.10
Content Internet
Filter
If the body contains

"Confidential"
Then
Quarantine
Policy
Quarantine
Human Resources
78
2
Note: Policies are

bi-directional
2
Conditions:
Message Body
-- Subject Header
-- Other Header
Attachment
Attachment File Type
(fingerprint)
Attachment Name
Attachment MIME Type
Envelope Sender
Envelope Recipient
Text comparisons:
Contains
Does not contain
Equals
Does not equal
Begins with
Does not begin with
Ends with
Does not end with
… plus a whole lot of
Multiple conditions can be combined - Exists
Attachment matching
either AND or OR choices… and more!
3
Outgoing Mail Policies > Content Filters >
4
82 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 82
REPUTATION MESSAGE
FILTERS FILTERS
Before During After
Scope
Discover Detect Contain
Enforce Block Remediate
Harden Defend
Cisco® Talos
Website is clean
Link is clicked
Cisco Security
The requested web page

Website is blocked has been blocked
http://www.threatlink.com
Cisco Email and Web Security protects your
organization’s network from malicious software.
Malware is designed to look like a legitimate email
or website which accesses your computer, hides
itself in your system, and damages files.
Dynamic, real-time
inspection via HTTP
After
Before During
Scope
Discover Detect
Contain
Enforce Block
Remediate
Harden Defend
List of users
Add malicious
Rewritten accessing
URLs to
URL Report rewritten
blacklist
URLs
URL Rewritten The top

Based on
malicious Stop 0-Day
Email ID
URLs
Based on
Users Dynamic
LDAP
clicked Intelligence
group
Date/time,
rewrite Based on
Users Click Educate users
Rewritten URL reason, IP Address
URL action
(Work Queue time)
Masquerading or
LDAP Masquerading
LDAP Routing
SenderBase Network
Message Filters
Anti-Spam
Per-Policy Scanning
Anti-Virus
Content Filters
VirusVirus
Outbreak Filter
Outbreak Filters
“I normally see Outbreak Filters Work Queue
10 .pif files per hour” apply SenderBase

threat level
Got “I see 90% increase 1 Low
information to
it in .pif files” 2 Low / Med
incoming mail
3 Med
Watch out 4 High

for .pif
files” 5 Extreme
Threat =
3
Calculate change
in threat level
SenderBase data collection allows statistical
analysis to spot virus outbreak trends - on average
13 hours before the signature is released!
Outbreak Filter
V3R
: Zu
R
RIle
Puu(le Quarantine
le
.V
E1VV:E42Q
X )::,5IuZ
D
0a< IE
P
rsa(iz
#n
.E
1tin
e 1
<X57e
E5)r,Z,ne>Iale
P
3ma
(6.esK
E=eB
X
*spE ) e*
ric
SOPHOS IronPort
McAfee Virus Outbreak
Anti-Virus Filters
Anti-Virus
r n # 117
Patte
Message passes through Anti-Virus because it did not match a signature.
IronPort releases RULE-V1 raising threat level for all ZIP files containing .EXE parts. Message
hits Outbreak Filters and is quarantined.
IronPort releases RULE-V2, matching only ZIP files with .EXE parts that are larger than 36KB.
Any message quarantined by RULE-V1 but not by RULE-V2 is released and delivered.
IronPort releases RULE-V3, matching ZIP files with .EXE parts that are between 50 & 55KB
with “price” in the filename match. Any message quarantined by RULE-V2 but not by RULE-V3
is released and delivered.
Sophos & McAfee release patterns matching virus. IronPort releases RULE-V4, directing all
files to be released (and rescanned) after rule updates are loaded.
Mail Policies > Incoming Mail Policies > Outbreak Filter hyperlink in Policy
Click link to edit policy – you can

Remember there is a separate Mail Exempt extension for files critical to your
Policy for Outgoing Mail business.
Enable Message Modification
•  LDAP
Outbound Features
REPUTATION
FILTERS MESSAGE
OFF FILTERS ANTI-SPAM
ANTI-VIRUS
OFF CONTENT OUTBREAK
FILTERS RSA
FILTERS
DLP
OFF
Enforcing Corporate Compliance
Outbound
Content Filters DLP Remediation Encryption
Automatic
Encryption / Decryption
Easy Setup 100+ Policies Severity-based Easy for

Robust Conditions Industry-leading Remediation Sender + Recipient
and Actions Accuracy Business Class
Email
Part of a comprehensive DLP solution with RSA – Accurate, Easy, Extensible
Email Security Data Loss Prevention
Policies
Incidents
•  Email Uptime •  Risk Policy

Definition
•  Threat Prevention
•  Incident
•  Policy Enforcement
Management
•  Compliance
Integrating the ESA into an Enterprise-wide DLP Deployment
In the RSA Enterprise

DLP solution, the ESA
replaces:
Cisco Email Security
Appliance •  SMTP Interceptor
•  Encryption Server
•  SMTP Smart Host
Enterprise Manager
integration brings:
•  Additional Policies
•  Fingerprinting
•  Policy Management
•  Remediation
•  Investigation, and more
DLP Assessment
Wizard streamlines the
setup but not all filter
options shown
Security Services > RSA Email DLP to enable
Mail Policies > DLP Manager > Add DLP Policy
Choose a
Template
Category
Add a Template
from the Category
list
•  The default is to monitor only – the Deliver action
You may Choose Action for Each Severity:

•  Deliver •  Critical
•  Quarantine •  High
•  Drop •  Medium
•  Encrypt •  Low
(if encryption is configured)
Add custom header,
modify subject, or add
disclaimer
Copy admins or
supervisors
Notify sender or
recipient with custom
message
Commit Changes
Results of Sample Payment Card Industry (PCI) Violation:
Visa 4999999999999996
track DLP Policies with “tail mail_logs”.
Wed Dec 16 20:04:29 2009 Info: MID 174 interim AV verdict using Sophos CLEAN
Wed Dec 16 20:04:29 2009 Info: MID 174 antivirus negative
Wed Dec 16 20:04:30 2009 Info: MID 174 DLP violation
Wed Dec 16 20:04:30 2009 Info: MID 174 queued for delivery
Wed Dec 16 20:04:30 2009 Info: MID 174 enqueued for PXE encryption
Wed Dec 16 20:04:33 2009 Info: Start MID 175 ICID 0
Wed Dec 16 20:04:33 2009 Info: MID 175 was generated based on MID 174 by PXE encryption filter 'DLP'
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 From: <alan@exchange.alpha.com>
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 RID 0 To: <adam@outside.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 ready 156437 bytes from <alan@exchange.alpha.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 queued for delivery
Cisco Registered Envelope Service turnkey email encryption
ü  The only cloud-based encryption key server flexible enough to meet the
evolving secure-communications requirements of businesses today
Integrated
ü  Hosted key service
Encryption key is MTA to MTA
ü  Uses federated identity stored in the cloud TLS enforced
gateway
security with
ü  Push technology with advanced end
intuitive policy
to end
management
encryption to
ü  We make encryption easy meet evolving
for end users – a key
customer
adoption barrier
requirements
ü  Supports SAML for
federated identity
ü  Technology independent
– use your inbox or mail
server of choice
PUBLIC RECIPIENT
SUE
TO:SUE
Internet
TO: SUE and BOB TLS C
ONNE
CTION
TLS
CON
NEC
TION
BOB
PARTNER RECIPIENT
TO: BOB
Destination-Sensitive Email Encryption

Ø Use TLS if available
Ø Otherwise, encrypt using PXE Secure Envelope
§  Enable in Message and Content Filters, and DLP

Policies
Mobile Encryption on Smartphones – Send & Open Secure Email
For iPhone and Android
CRES
(Cisco Registered
Envelope Service)
Encrypting the email

F4pQT5xYLj30TUDR3f
Qrr79uMXCGt83ph9AS
KJDL5k6rlLTOIU46MW
OS2cFXU8vPsGG6sYR
Username
Password
Executive Accountant
Forward/Reply Email Control
Cloud
Read Email Receipt
Email
Read Receipt
CRES
(Cisco Registered
Envelope Service)
Username
Password
Email Recall & Expiration
CRES
(Cisco Registered
Envelope Service)
Expire Key
Username
Password
Six steps:
1.  Enable Email Encryption
2.  Configure Encryption Profile (multiple profiles may be configured)
3.  Provision with Cisco Registered Envelope Service
4.  Define policy via Content Filter(s)
5.  Reference the Content Filter in a Mail Policy
6.  Test using the trace and sample outbound emails
Encryption
Profile Provision
CRES
1. Enable Email Encryption
•  Key Server Type
Hosted Key Service: Use Cisco Registered
Envelope Service *, a managed service by
Cisco/IronPort
IronPort Encryption Appliance (IEA): use a
key server managed by customer and
running locally on an IEA
* New branding: product reflects previous IronPort branding of

IronPort Hosted Key Service
Security Services > IronPort Email Encryption > Add Encryption Profile
§  Message Security

§  Control if Recipient can
cache credentials in
browser
§  Or Remove the need for
Recipients to register
§  Read Receipts

§  If enabled, sender gets
read receipt when message
is opened
§  Guaranteed -can’t be
blocked by recipient
§  Encryption Algorithm

§  ARC4: industry standard, secure algorithm. Appropriate
for most applications.
§  AES: ultra-secure, used mainly by governments and
banks. Results in slower envelope opening for recipients.
§  Message Settings
Enable Secure
Reply All and Forward
buttons for recipients
§  Notification Settings

§  (Optional) Define custom notifications using
Text Resources.
§  Mail Policies > Text Resources > Add Text
Resource
§  Select them here, using drop downs.
•  Must Commit before you can provision!
Security Services > IronPort Email Encryption
•  Registers the appliance with the Cisco Registered Envelope Service

Authenticates the appliance and associates with an existing account
Allows keys to be registered when messages sent
•  Must happen before encrypted messages can be sent
•  Does not apply to local key server (on IronPort Encryption Appliance)
Message Policies > Outgoing Content Filters > Add Content Filter > Add Condition
The "\" is an escape for regex Meta characters

Remember to put a
"\" in front of Meta characters in the GUI
"\\" in front of Meta characters in the CLI
Meta characters include: ^ $ * \ . ? | + [ and ]
Message Policies > Outgoing Content Filters > Add Content Filter>Add Action
Drill down reporting and detailed Message Tracking
Drill Down Reporting Detailed Message Tracking
Drill down reporting and detailed Message Tracking
Reporting is done in a drill-down fashion. This eliminates the

need for having many dozens of reports. Reporting covers:
•  Inbound and outbound emails
•  Policy and threat blocked emails – content, spam, virus,
invalid recipients, and more
Reports can be:

•  Run for specific time ranges
•  Scheduled to be run off hours
•  Delivered automatically to recipients – even if they have no
credentials on the system
Quarantines are places to hold emails that violate policies: Anti-Spam, Anti-Virus, email
policy, and that contain outbreaks
•  Spam Quarantine, Outbreak, Policy, and Virus quarantines are enabled by default
•  Can create other quarantines as needed or desired to fit company policy
The system has finite space for quarantines on box. For more Spam Quarantine space, use
an M-series appliance. Policy quarantines are not yet able to be centralized on the M Series
•  LDAP
LDAP
Lightweight Directory Access Protocol
Based on the X.500 standard
Significantly simpler
More readily adapted to meet custom needs
Unlike X.500, LDAP supports TCP/IP, which is necessary for Internet
access
The core LDAP specifications are defined in RFCs
LDAP can:
Provide data to clients
Search data with filters
Access specific information from an object
Be customized: each implementation is usually different
•  A hierarchical object-oriented database
A repository of information
Provide a single point of data management
LDAP directories are heavily optimized for read performance
•  LDAP is not a relational database

•  Standardized access protocol
Access the LDAP directory from nearly all platforms
Applications don’t need to know details of back-end
directory implementation
Free client access Formal Implementations
•  Microsoft Exchange™
•  Best used for information:
•  Microsoft Active Directory™
That must be available from many locations •  Lotus Notes™ (Domino)
To which updates are infrequent •  OSS (OpenLDAP, tinyldap, etc.)
Ø Whitepages/contact information •  Sun (Part of SunOne™)
Ø Email routing information •  Netscape (NDS™)
Ø Config information for distributed software •  Novell (Part of eDirectory™)
Ø Public certs and keys
Ø Photos
1. Verify the receiving domain in LDAP Directory
the RAT
2. Search LDAP directory from
the base DN for the recipient
email address
3. Return an accept or reject to Query: (mail= {abuse@alpha.com})
sending domain.
Query: (mail= {a})

Returned 1 Result
RAT Action
alpha.com Accept LDAP Exchange
exchange.alpha.com Accept Server Server
All Others Reject
LDAP_Svr1.accept
Rcpt to: sam@alpha.com
IncomingMail Listener
abuse@exchange.alpha.com
C-Series Appliance
Rcpt to: abuse@alpha.com
System Administration > LDAP
Supports
•  Active
Directory
•  Lotus
Notes
•  Open
LDAP
•  SunOne
•  Others
System Administration > LDAP
Test Query: Will initiate a query to the

LDAP server with the query string,
provides search results. No impact on
production mail.
•  Problem: A University mail admin wants to prevent hackers from
discovering the valid usernames
Spiders use dictionary attacks or common user names to work out which
recipients are conversationally rejected or bounced, then hackers sell the list
of good addresses that Pass LDAP Accept validation
•  Solution: (Mail Policiesà Mail Flow Policiesà Default Policy

Parameters)
Set Max Invalid Recipients/hr to 5
SMTP Call-Ahead is used to verify legitimate recipient addresses in
hosted customers domains without accessing their LDAP directory. Call
ahead to the SMTP server with a RCP TO command to test before
sending the mail
Hosted
Customer 1 Hosted
Email Service
Internet Mail
Domains
Hosted
Customer 2
Network -> SMTP Call-Ahead
Centralized Reporting &
Message Tracking
Localized reporting and Tracking are useful features but:
•  Reports are not consolidated to represent the whole enterprise
that uses multiple ESAs
•  Distributed C-Series appliances can cause difficulty in
determining a single message disposition
Incoming Mail ESA 1 Outgoing Mail
Internet Mail Server

ESA 2
Which Appliance?
Mail Admin
•  Reports are Consolidated to view the Mail aggregated across the
whole enterprise
•  Individual messages can be tracked regardless of the path taken
through the enterprise.
M-Series
ESA 1
Incoming Mail Outgoing Mail
Internet Mail Server

ESA 2
Mail Admin
C370s
END-USER ISQ 1
Quarantine
Suspect Spam
END-USER ISQ 2
End User
Notification
Access link
M1070
Cisco Content Security Management Appliances for Email and Web Security
•  M-Series Appliances centralizes reporting, AS quarantines, and

Message Tracking Consolidated Reports
ü  Single view

across the
organization
ü  Real Time insight
Multiple data points

into email traffic
Email Volumes
and security Spam Counters
threats Policy Violations
Virus Reports
ü  Single location for Outgoing Email Data
Message Message Tracking
Tracking System Health View
ü  Actionable drill

down reports
Flexible deployment options with software bundles and a la carte options
Flexible Deployment
Appliances Cloud
CLOUD HYBRID MANAGED
right size to fit your needs select number of mailboxes, expand as you grow
X1070 C670 C370 C170 500-999 to 100,000+
1, 3, 5 yr – starting at 100 mailboxes monthly, quarterly, annual – starting at 500 mailboxes
Software Subscription Bundles

INBOUND OUTBOUND
Antivirus/Anti-spam Outbreak Filter DLP Encryption
PREMIUM = INBOUND + OUTBOUND
A La Carte Software
Cloudmark Anti-Spam, Image Analyzer, McAfee Anti-Virus, Intelligent Multi-Scan
Service and Support

Procedure:
•  Determine the number of Seats
•  Determine which features will be enabled
•  Contact your Cisco Sales Rep to determine needed
hardware.
POC
•  What are the customer’s experiences with their email security solution
today?
•  What are the customer’s concerns? These may include the following:
•  -- Poor efficacy
•  -- Poor performance
•  -- Pricing (OpEx or CapEx)
•  -- Efficiency and ease of use
•  -- Data loss, outbound control, blacklists
•  -- Phishing
•  How do these issues relate to the customer’s overall security? When
does the current solution expire?
•  • What are the outsourced deployment methodologies?
•  -- Hosted email security
•  -- Hybrid hosted email security
•  -- Managed services
•  • What are the on-premises deployment methodologies?
•  -- Cisco ESA installation
•  -- Cisco ESAV installation
•  • How will the proof of concept be deployed?
•  -- In a test Lab
•  -- In production
•  »» Behind the existing solution (not ideal).
•  »» See “Determining Sender IP Address In Deployments with Incoming

Relays”
•  in the Email User Guide.
•  »» In front of existing solution (Ideal).
•  »» Partial mail exchange allocation
•  »» Monitoring or blocking (monitoring will involve marking all malware

and forwarding it inbound)
•  •
•
•  How will the proof of concept be evaluated?
-- List the criteria for success and, if possible, provide the relative
weightings.
-- Most items should be quantitative with either a Pass/Fail grade or a

rating.
-- Criteria should be separated into categories (for example, End User

Experience, Administrative Ease, Effectiveness, Reporting) and by
importance
-- Example: One criterion of success would be to catch 99 percent of

all production spam during the PoC with less than 1 in 1 million false
positives.
What’s New in 9.x
Performance Monitoring /
Enhancements
Graymail and Safe Unsubscribe
Web Interaction Tracking
AMP / Local ‘Sandboxing’ with

ThreatGrid
Encryption
Product Update and Roadmap

Enhancements
Performance Monitoring - System Health Check
On demand System Health of the

appliance
System Administration >

System Health
Click Edit Settings to
change thresholds
Alternatively, click
Run Health Check.
Performance Monitoring - System Health Check
When run, the system analyzes historical data (up to 3 months) to determine the
health of the appliance.
Reports back on key system indicators:
-  ResCon mode
-  Delay in mail processing
-  High CPU usage
-  High memory usage
-  High memory page swapping
•  System tuning, reconfiguration or additional resources may be required.

•  Useful in capacity planning scenarios, such as new campaigns, acquisitions
etcetera
Performance Monitoring - Upgrade Guidance
•  When you click Upgrade
Options the system will
prompt you about a System
Health Check
•  If you are confident in the

health of your systems this
can be skipped
•  If there isn’t enough

historical data (30 days) to
check the system you will
be asked if you wish to
proceed with the upgrade
Performance Monitoring - Upgrade Guidance
•  If issues are found the

system will clearly list
out what it thinks the
problem areas are
•  TAC can assist with

guidance on upgrading
or reviewing your
configuration, but if
more capacity is the
answer then additional
ESA’s may be needed
Performance Monitoring - ‘ResCon’ Mode
•  A new report under Monitor > System Capacity >
System Load page counts times in which the system
has entered Resource Conservation mode.
•  Consider adding additional capacity or restructuring mail
flows if excessive resource conservation activity is seen
Enhancements
Graymail and Safe
Unsubscribe
Graymail - What is it?
Graymail is email you opted in to receive, but don't really want
anymore - we all get it.
Graymail - The Solution
The Graymail solution will provide:
•  Protection against malicious threats masquerading as
unsubscribe links
•  A uniform interface for all subscription management to end-
users
•  Better visibility to the email administrators and end-users
into such emails
For Cisco the benefit will be:

•  Reduced ‘false spam’ submissions by end users
•  Reduced load on TAC and perceived increase in our spam
efficacy
Graymail - Architecture & Mail Flow
A new engine has been added to identify Graymail. This

engine will also extract unsubscribe links from the message
and pass a verdict to IPAS for improved spam efficacy
Graymail Actions occur after AMP as CASE/IPAS will have

the final answer on whether a message is actually Graymail
However, Graymail Scanning occurs earlier in the pipeline:
Graymail - Sub-Categories - Identifying Graymail
Marketing
•  Email campaigns sent through professional routing platforms
•  These market players generally follow the rules of use for
email advertising: unsubscribe links, list cleaning/verification,
etcetera
Bulk
•  Any advertising email sent that follows the advertising rules
of use and not sent through a professional routing platform.
Here the heuristic rules used are predictive and generic
Social Networking:
•  Social Networking emails: Facebook, LinkedIn, etcetera
Graymail - Configuration, Policy Settings
Graymail can be configured as part of the default policy or with

different parameters under different incoming mail policies.
Graymail - Configuration
All the typical policy

settings are available
for messages
identified as
Marketing, Social
Network, or Bulk
For monitoring
purposes, enable
Graymail detection
with no actions.
Graymail - End User Experience
Graymail - End User Experience Workflow
Link is checked to
User clicks on the ensure it’s safe Service executes
rewritten and then un-subscription on
un-subscription redirected to behalf of the end-
link in the banner unsubscribing user
Service.
Graymail - End User Experience
Graymail - Reporting
Separate entries show the

number of Marketing,
Social Media, and Bulk
messages caught /
identified
Messages with an added

Unsubscribe Banner are
also identified on their own
line
Graymail - Reporting
Separate report
elements show the
Top Senders by
Graymail by sending
domain and the Top
Senders by Category
Category Names can

be clicked to sort by
that column
Graymail - Message Tracking
Message Tracking has been enhanced with a new Message

Event added to search specifically for Graymail events
Improvements
Graymail
Web Interaction Tracking - Brief Overview
Web Interaction Tracking (Click Tracking) allows

administrators to track the end users who click on URLs
that have been rewritten by the ESA
The on-box reports show:

•  Top users who clicked on malicious URLs
•  The top malicious URLs clicked by end users
•  Date/time, rewrite reason, and action taken on the
URLs
Web Interaction Tracking - Limitations
•  Tracking URLs re-written by Outbreak Filters is partially

supported on 9.5.x release
Ø  Action taken on the URLs would be unknown
•  Customer visible logs for URL click data are not available
•  Report modules are refreshed every 30 minutes - non
configurable
Web Interaction Tracking - Configuration: URL Filtering
•  Enable service under Security Services > URL Filtering

•  Click the box for Enable URL Click Tracking, Submit, then Commit.
Web Interaction Tracking - Configuration: Outbreak Filters
•  Ensure IPAS or IMS is enabled under Security Services

•  Next, enable Click Tracking under Security Services > Outbreak
Filters
•  Click the box for Enable URL Click Tracking, Submit, then
Commit.
•  Enable URL Rewrite action for Outbreak Positive

messages on the appropriate Incoming Mail Policy
Web Interaction Tracking - Reporting
Web Interaction Tracking - Message Tracking
Message Tracking has been enhanced to search for URL Click
Tracking events and specific URLs
Improvements
Graymail
AMP / Local ‘Sandboxing’ with

ThreatGrid
AMP - Architecture and Mail Flow
In the 9.5.x release AMP is positioned between Anti-Virus Scanning

and Graymail Detection
Same features of AMP as before:
•  File Reputation, File Analysis, Retrospection
•  But now: Leveraging benefits of ThreatGrid sandbox by replacing

SourceFire sandbox
AMP - ThreatGrid Configuration
•  Configured under Services > File Reputation and Analysis

•  File Analysis Server (ThreatGrid) URL is updated from the cloud
•  ESA first platform in Content Security portfolio to integrate this
AMP with ThreatGrid Solution Architecture
Heartbeat
retrospectiv Cisco
e Talos, AMP
File Reputation Cloud
ESA AMP
Query
Client
AMP Local
Cache
connecto
r
Emai
l Pre- Parallel
Classification Query
Sandbox connector Dispositi

on Query
Qualified
File, upload
Local AV for
Sandboxin
Scanners g
Cisco On
Prem
Sandboxing
AMP - Decision Flow - ThreatGrid
Local Sandboxing - Configuration
•  Local Sandboxing when cloud is not an option, for legal or

contractual reasons
•  Configured under Security Services > File Reputation and
Analysis in the Advanced Settings for File Analysis section select
‘Private Cloud’
AMP - File Analysis Report Page
Three different
disposition
values:
•  Clean
•  Malicious
•  Unknown
File Analysis Details Report Page
Malicious SHA
Improvements
Tracking threats and end user

actions
Graymail
Local ‘Sandboxing’ with

ThreatGrid
Encryption
Encryption - TLS 1.2
Configure the GUI HTTPS for TLS v1 for TLS v1/v1.2 support
Don’t turn off SSLv3 on Inbound SMTP on publicly facing MX - Be strict on your
outbound but permissive on inbound to support legacy implementations
What is worse? Using a legacy protocol on inbound email or having incoming
messages being delivered in the clear
Encryption - Zix Partnership
•  Goal of partnership: a
replacement product for IEA
(IronPort Encryption Appliance)
•  Improve standing in Gartner

MQ
- Lack of on-premises
encryption cited as reason for
decline in 2014
• Prevent ESA business from

being captured by competitors
with on-premises encryption
http://blog.zixcorp.com/2015/03/cisco-partners-with-zix-for-email-encryption/
offers
Encryption - Timeline
Calendar Year
2015 2016 2017 2018 2019
Zix Encryption
Appliance
Existing IEA
customer only
Cisco Zix Gateway 2.0+
Cisco Zix Gateway 1.0+

New on-premises
encryption
customer
Encryption - Zix Encryption Appliance Hardware
Hardware
CCS-ZEA200-K9 Zix EA Corporate Edition
CCS-ZEA400-K9 Zix EA Enterprise Edition
CCS-ZEAV-K9 Zix EA Virtual Appliance*
ZEA 200 Specs ZEA 400 Specs

Intel Zeon E3-1220 Intel Zeon E5-2630
8GB RAM 16GB RAM
2x1TB SATA III 7200 64MB 2x1TB SATA III 7200 64MB
2.5 in 2.5 in
RAID Card SAS 2.0 RAID Card SAS 2.0
Support included (no Support included (no
Smartnet) Smartnet)
* Virtual Appliance is $0 and used for tracking purposes
Encryption - Zix Encryption Appliance Software Licenses
Software
L-ZEA-K9-LIC=
§  User tiers L-ZEA-1Y-S1
§  100-100,000+ users L-ZEA-1Y-S2
L-ZEA-1Y-S3
§  One license for all L-ZEA-1Y-S4
functionality L-ZEA-1Y-S5
§  Up to a 24 month term L-ZEA-1Y-S6
L-ZEA-1Y-S7
§  Activation services L-ZEA-1Y-S8
through Zix L-ZEA-1Y-S9
L-ZEA-1Y-S10
L-ZEA-1Y-S11
L-ZEA-1Y-S12
Encryption - ZixPhase 0
Partnership for Phase 1
On-premises Phase 2
Encryption
Date May 2015 October 2015 April 2016
Zix version of IEA* Cisco Zix Gateway Cisco Zix Gateway

Product
1.0 2.0
Zix is building a First version of the
Second version of
new version of the Zix Gateway in a the Zix Gateway
IEA on their own custom build just for
which will include
hardware which Cisco. migration tools to
they will support. migrate off IEA and
Designed to work support for
Customers will be with ESA. Includes Websafe.
Description purchasing new PXE encryption.
software No IEA migration
subscription tools. No Websafe
licenses and support.
hardware. Only 1
and 3 year SKUs
available for
purchase.
*Not for new customers
Encryption - Zix Features Relative to CRES
Feature Cisco Registered Zix Gateway with Cisco

Envelope Service Technology
Public Key Infrastructure þ
PostX Envelope Push þ þ

Encryption
Secure Webmail Pull þ
Encryption
S/MIME þ
S/MIME Gateway þ
Open PGP þ
Statement Delivery þ
Secure File Transfer
Mobile Support þ þ
Improvements
Tracking threats and end user

actions
Graymail
Local ‘Sandboxing’ with

ThreatGrid
Encryption
Product Update and Roadmap

Product Update - Cloud Email Security 9.1 Update
•  Qualification imminent of 9.1 on C80x platforms

ü  9.1 Evals can begin as soon as it’s qualified
ü  You MUST ask for 9.1 to be provisioned on the order form
•  Post qualification is the migration of C801 >> C802 platform

ü  This will take approximately 7 weeks
•  AsyncOS for Email 9.1 mass upgrades for customers will happen after
migration is complete
Product Update - Cloud Email Roadmap Priorities
•  Centralized LDAP meta directory – LDAP cache in Cloud

•  SAML authentication for administration
•  Improved CES architecture to expand footprint, lower costs and
Infrastructure extend down to 100 users
•  Expand DC’s in Canada, Singapore and Germany
•  All new features to be either first introduced in cloud or at same time as
on premise
•  SW Billing integration (related to SMART licensing) support utility
Order billing & pay-as-you-grow
Processing •  Automated order processing and auto-provisioning
•  Alternate DLP solution (RSA EoL)

•  Graymail management
Security •  URL Click-Tracking for re-written URLs
Features •  Real-time analysis of policy re-written URLs
•  Spam submission portal
Product Update - Email Security Roadmap Priorities
Drive SaaS Growth While Maintaining on-Prem Leadership
CLOUD PREMISES
•  Centralized LDAP meta directory – LDAP cache in

Cloud
•  SAML authentication for administration •  x90 HW Support
New •  Improved CES architecture to expand footprint,
•  Critical Customer
Focus lower costs and extend down to 100 users
•  Expand DC’s in Canada, Singapore and Germany Requests
•  SW Billing integration (related to SMART licensing) •  Maintenance
– support utility billing & pay-as-you-grow
•  Automated order processing and auto-provisioning
•  RSA DLP replacement •  Efficacy Enhancements (AS & OF)

•  URL Click-Tracking for re-written
Common URLs •  SMART Licensing
(MTA •  Real-time analysis of policy re- •  IOC Feeds for FireSIGHT
Platform) written URLs
•  Threat Efficacy: Exchange of AMP
•  Spam submission portal & OF verdicts
Version 10.0 - Feature List
Feature Description
URL Logging in Message Include URLs that violate Reputation and URL Categorization Content Filters in Message
Tracking Tracking
Message Language Detection Use the language of the email message to determine which configured Content Filter action is
applied
Message Digest Modification Suppress the message subject in spam notification messages.
Mailbox Auto Remediation w/ Uses API calls and AMP Retrospection to take action on emails with attachments in an Office 365
O365 user’s inbox that were later determined to be malicious.
Improved AMP Reporting Give customers improved visibility into threats identified by the AMP engine
SAML Authentication Leverage corporate credentials via SAML for SMA End User Spam Quarantine access
Updateable ClamAV Use the updater service and separate ClamAV engine updates from AsyncOS updates.
Spam Submission Tracking Let’s customers track submission and the usability of messages sent to Cisco
Portal
Additional resources for information:
•  Support Forums
https://supportforums.cisco.com/community/5756/email-security
•  Customer Knowledgebase
https://supportforums.cisco.com/blog/12176911/updated-access-customer-knowledge-
base
•  Partner Collateral and Tools

https://www.ciscopartnermarketing.com/Orgs/Initiative.aspx?id=2145
The more work you do ahead of time,
the easier the evaluation will be.
•  Identify the customer network and email solution topology
•  Set expectations appropriately – control the scope of the

evaluation
•  Show features and functionality needed to close the deal
•  Contact your Cisco rep for 1st time evals or complexities
When using the ESA with a 3rd party email gateway solution, the ESA should be on
the outside of that solution to show the power of SBRS
Beware of missed spam – Use Marketing Message Detection and/or IMS
If ESA is in the middle we’ll show better anti-spam efficacy – Catch what they miss, but
won’t show much blocked by reputation
Internet Internet
Cisco Ironport ESA Email Gateway
3rd Party Email Gateway Cisco Ironport ESA
Mail Server
Mail Server
Putting the appliances in parallel with an additional MX record will allow for the
best testing.
Great for inbound testing. For outbound it may only allow for one Smarthost. May need
to direct all outbound through the IP appliance.
This is the typical way to test and allows for use of both systems with an easy way to
migrate off the old solution.
Internet
Cisco Ironport ESA Email Gateway
Mail Server
Mail Server
•  Configure the ESA to pass through all email, discuss with customer benefits of dropping via
SBRS or accepting all connections.
•  Insert X-headers showing SBRS
•  Insert X-headers showing Mail Flow Policy
•  Positive spam
•  Suspect spam
•  Marketing Messages
•  Set all Incoming Policy rules to Deliver
•  Have customer write rules in existing gateway to record emails missed by existing solution.
•  Examine Overview Reports
Internet
Cisco ESA
add_SBRS_Policy: if (sendergroup != "RELAYLIST") {
insert-header("X-Ironport-SBRS", "$REPUTATION");
insert-header("X-Ironport-Group-Policy", "$GROUP-$POLICY"); Existing Email Gateway
}
Mail Server
Thank you.

ESA Partner Training 2016 V2

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ESA Partner Training 2016 V2

Uploaded by

Copyright:

Available Formats

Email Security :: Appliance,

• ~20 years industry experience

• Big and small networks

• Suggest a Security Solution that Fits your Customer’s needs

First, let’s look at IronPort’s innovations that made is a market

IronPort Virus IronPort

2001 2002 2003 2004 2005 2006 2007

Cloud Email Data Center Launched in Sourcefire AMP integration

Cloud Email Services RSA Enterprise Manager

• 9.x is a prime example, cutting edge features

• ‘Intra Business’ Unit integration in constantly

• Engaging with the right people early on can

• Poor architecture and policy configuration can

• MTA - Message Transfer Agent.

• ESA - Email Security Appliance (a.k.a C-Series)

• CASE - Context Adaptive Scanning Engine

• SMA - Security Management Appliance (a.k.a M-Series)

• TLS - Transport Layer Security, a.k.a. Gateway-to-Gateway Encryption

• CES - Cisco Email Services – a.k.a. “hosted services”

• IPAS - IronPort Anti-Spam

• HAT - Host Access Table

• RAT - Recipient Access Table

• SBNP - SenderBase Network Participation

• SBRS - SenderBase Reputation Score

Same Award Winning Technology

C380 2 x 600Gb 10 1X6 (1 hexa core) 16GB 4

C170 2 x 250Gb 1 (Software) 1X2 (1 dual core) 4GB 2

• x90 planned for Q3/4 2015

• Always check the Datasheets on cisco.com for latest information

C000V C170 200 4 1

C100V C170 200 6 2

C300V C380 500 8 4

C600V C680 500 8 8

• Lower operational cost vs. on- premises

• Hybrid model: Best of both worlds

Key Service Attributes

Cisco Email Security Services

Key Service Attributes

§ First Hop In

There are many ways to install the Email Security

Traffic flow and installation connectivity will

Single ISP Topology Dual ISP Topology

Lets take a look at how you can install this

Inside § Offers protection of all resources

company.com MX preference = 10, mail exchanger = west.mail.company.com

• Use larger appliances with RAID Arrays and redundant PUS’s

• No additional hardware or software required

• Configuration changes on one machine pushed to the other

• Can cluster up to 20 machines

• Centralized reports, message tracking and quarantining on M-Series

West Coast East Coast

• Removing a machine from a cluster ‘flattens’ the config, it becomes

Inbound Security Cisco Email Outbound Control

ASYNCOS EMAIL PLATFORM

Filtering of External Threats

ASYNCOS EMAIL PLATFORM

Enforcing Corporate Compliance

Masquerading or Virtual Gateways

Advanced Malware Protection (AMP) Drop/Quarantine

Real-Time URL Analysis

Deliver Quarantine Rewrite URLs Drop

Black List Suspect Unknown

Advanced Industry Disclosures

Intelligence 3.6PB Monthly Dynamic Analysis

•  ~20 years industry experience

•  Big and small networks

•  Suggest a Security Solution that Fits your Customer’s needs

•  9.x is a prime example, cutting edge features

•  ‘Intra Business’ Unit integration in constantly

•  Engaging with the right people early on can

•  Poor architecture and policy configuration can

•  MTA - Message Transfer Agent.

•  ESA - Email Security Appliance (a.k.a C-Series)

•  CASE - Context Adaptive Scanning Engine

•  SMA - Security Management Appliance (a.k.a M-Series)

•  TLS - Transport Layer Security, a.k.a. Gateway-to-Gateway Encryption

•  CES - Cisco Email Services – a.k.a. “hosted services”

•  IPAS - IronPort Anti-Spam

•  HAT - Host Access Table

•  RAT - Recipient Access Table

•  SBNP - SenderBase Network Participation

•  SBRS - SenderBase Reputation Score

•  x90 planned for Q3/4 2015

•  Always check the Datasheets on cisco.com for latest information

•  Lower operational cost vs. on- premises

•  Hybrid model: Best of both worlds

§  First Hop In

Inside §  Offers protection of all resources

•  Use larger appliances with RAID Arrays and redundant PUS’s

•  No additional hardware or software required

•  Configuration changes on one machine pushed to the other

•  Can cluster up to 20 machines

•  Centralized reports, message tracking and quarantining on M-Series

•  Removing a machine from a cluster ‘flattens’ the config, it becomes

Known bad email is §  URL reputation and context

§  Not Spam, because of tacit opt-in and working opt-out

•  Business Needs determine ‘sensitive’ content

•  Content can be tracked on key words

•  Email Uptime •  Risk Policy

•  SMTP Smart Host

•  Investigation, and more

§  Enable in Message and Content Filters, and DLP

§  Message Security

§  Read Receipts

§  Encryption Algorithm

§  Notification Settings

•  Registers the appliance with the Cisco Registered Envelope Service

•  Must happen before encrypted messages can be sent