Manish Behal
Security Solutions Architect
mbehal@cisco.com
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Presented by: Manish Behal - CCIE#22198
At the end of the session, the participants should be able to:
• Describe the security threats posed by a customer's email system
• List and describe Cisco's email security solutions
• Demonstrate a PoC
• Use best practices during an appliance install so that customer satisfaction is assured
• Threat Landscape - Why it’s important
• Introduction to Email Security
• Email Form Factors - Picking the right box
• Email Architecture - Getting it working
• Mail Flow Pipeline & Processing
• Inbound Features
• Outbound Features
• LDAP
• Centralized Reporting & Message Tracking
• PoC
• What’s New in 9.x
Introduction to Email Security
Customers can be curious about Cisco's acquisition of IronPort, LLC. IronPort was known for innovation. What has Cisco done to carry the torch for email security?
IronPort Engineering
Dedicated to Development and Innovation
Cisco Engineering
Dedicated to Continuing Development and Innovation
[Timeline figure, 2008 to 2014. Items shown: Unwanted Marketing Message Detection, IronPort Spoof Checker, SAML Support for Encryption, URL Classification, Global IPS Reputation, Outbreak Filters, WBRS, Control, AMP Integration, FIPS and Common Criteria, IPv6 Support, Deep Integration of RSA DLP Engine Support]
• Cisco continuously develops new features that solve complex mail management issues
• Traffic flow and installation connectivity will depend on the customer's security policy needs
• SMTP - Simple Mail Transfer Protocol
Email Terms and Flow
You send an email to a customer… how does it get there?
Q. Is it instant? Yes or no?
Q. If yes, how? If no, why not?
[Figure: the path of a message. Type and send email → Groupware Server processes it → LDAP → MTA Relay sends it to the server (DNS lookup; relay if external) → MTA Relay sends it to the customer → Groupware Server processes it → Customer receives it]
• Groupware? SMTP?
• Relay? LDAP?
• MTA? DNS?
Where does all of this live?
Form factors: On-Premises (award-winning technology), Cloud (dedicated SaaS instances), Hybrid (best of both worlds), Managed (fully managed on premises), Virtual (fully virtualized on VMware ESXi)
Email Security Appliance
Form Factors
Model   Hard Disks    RAID Level   CPU / RAM                      NIC   Fiber Option
C680    6 x 300 GB    10           2 x 6 (2 hexa cores), 32 GB    4     Yes
• The x70 and x60 series appliances are no longer sold, but are currently supported.
• Due to resource constraints, the older x60 series appliances will not be supported on 9.0. AsyncOS versions through 8.x will be the last versions supported.
http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-729751.html?cachemode=refresh
Model   Physical HW Equivalent   Disk (GB)   RAM (GB)   Cores
• The C000v is recommended for evaluation use only as it is only a single core appliance
• Virtual Machines have many possibilities, even if customer WANTS hardware
Why migrate?
Email SaaS
Cisco Email Security Services: providing industry-leading email security in the cloud
[Figure: (1) Data Centers, Inbound Hygiene: removes spam and viruses; (2) Pass Clean Email; (3) Outbound Control: apply DLP and encryption policies]
• 99.999% uptime
• 99+% spam catch rate
• <1 in 1M false positives
• 100% known virus catch rate
Hybrid SaaS
[Figure: (1) Data Centers, Inbound Hygiene: removes spam and viruses]
• Threat Landscape
• Introduction to Email Security
• Email Form Factors
• Email Architecture
• Mail Flow Pipeline & Processing
• Inbound Features
• Outbound Features
• LDAP
• Centralized Reporting & Message Tracking
• What’s New in 9.x
Email Architecture
Email is simple. We want to be the:
The ESA fits nicely into almost any network topology with minimal redesign; the customer's mail solution does not matter: Exchange, Domino, anything!
• Work closely with the security and network domains to work out how to get this into the network so the solution demonstrates its value
[Figure: Internet, ESA outside interface, ESA inside interface, Mail Server]
• Easy to configure
• Security nightmare: no protection for the inside network or the outside interfaces
• The ESA is hardened, but this is a DO NOT DO scenario
[Figure: Internet, ESA outside interface, ESA inside interface, Mail Server]
• Easy to configure
• No protection for the outside interface
• The ESA is hardened; however, this is generally a DO NOT DO scenario
[Figure: Internet, firewall, ESA outside interface, Mail Server]
• Both interfaces are protected by the firewall
• Traffic can be buffered during an interface failure, or NIC pairing can be applied
• Can filter and control traffic to/from the internet and to/from the internal network
[Figure: single-interface installation: Internet, firewall, ESA, Mail Server]
• System protected by firewall
• Simplifies firewall configuration for passing traffic
• Single interface represents a "possible" traffic bottleneck
• Preferred and THE most common method of installation for customers
[Figure: Internet, redundant firewalls, ESA outside interface, ESA inside interface, Mail Server]
• System is well protected
• Traffic can be buffered during an interface failure
• Configure redundant firewalls for maximum uptime and to reduce single points of failure
[Figure: Internet, ESA outside interface, ESA inside interface, management network link, Mail Server]
• Meets the most stringent customer connectivity needs
• Requires a larger appliance with 3 interfaces
• Can be done in a multi-firewall DMZ or with a single interface installation
• Use the route command on the CLI to configure traffic flows for the 3rd interface
• MX records are the easiest and most common way to do redundancy
• Relies on the robust nature of communications on the internet
• If one server cannot be contacted, fail over to the next on the list
[Figure: Internet → west.mail.company.com (West Coast Mail Server) and east.mail.company.com (East Coast Mail Server)]
Resiliency and HA can be offered in multiple ways to accommodate the business needs:
[Figure: Internet, Mail Server]
• Manage a group of ESAs by making changes to one
[Figure: Internet, Cluster]
• Within a cluster, configuration information is divided into 3 groupings or levels.
• The top level describes cluster settings; the middle level describes group settings; and the lowest level describes machine-specific settings.
• Cluster level settings are 'enterprise wide'; it is good practice to configure company-wide parameters here.
• Settings that have been specifically configured at lower levels override settings configured at higher levels.
• Create and join a cluster from the CLI only, using the clusterconfig command; changes can be made in the GUI later
• A machine joining a cluster inherits settings except machine-specific parameters like IP
• A cluster does not allow the connected machines to have different versions of AsyncOS.
• Log files are still local – think SMA!
Mail Flow Pipeline & Processing
Anti-Spam:
• SenderBase Reputation Filtering
• Cisco Anti-Spam (IPAS)
• Intelligent Multi-Scan
Compliance:
• Content Filters
• RSA DLP (Digital Guardian NOW)
• Weighted Content Dictionaries
• Envelope Encryption
• TLS
Processing Incoming Mail (Work Queue)
[Figure: the pipeline stages and what each decides]
• Reputation Filters (Talos): bad or good senders? -10 to -3: ALL dropped!
• Message Filters: message rules: Drop, Bounce, Archive, Quarantine
• Anti-Spam (IPAS, ISQ or IMAS): Spam, Not-Spam, Marketing, Potential Spam
• Anti-Virus (Sophos and/or McAfee): good, BUT a signature-based AV engine
• AMP (sandbox)
• Content Filters: filter on specific types of content
• Outbreak Filters: new viruses with no signatures
[Figure: outbound pipeline: Reputation Filters, Message Filters, Anti-Spam, Anti-Virus, Content Filters, Outbreak Filters, RSA DLP*; three of the stages are marked OFF]
[Figure: where each feature runs in the pipeline]
SMTP Server (Receive Mail / Accept Mail): Host Access Table (HAT); LDAP Recipient Acceptance; SMTP Call-Ahead
Work Queue (Process Mail): LDAP Recipient Acceptance (work queue time); Alias Tables; Per-Policy Scanning: Anti-Virus, AMP, Content Filters, Outbreak Filters; DKIM Verification; SPF/SIDF Verification; Encryption; Global Unsubscribe; DKIM Signing; RSA DLP Engine (outbound); Bounce Profiles; Quarantine
SMTP Client (Deliver Mail)
Inbound Email
[Figure: Cisco® Talos feeds the inbound pipeline]
• SenderBase Reputation Filtering: Drop
• Antispam: Drop/Quarantine
• Antivirus: Drop/Quarantine
• Graymail Detection: Rewrite
• Outbreak Filters: Quarantine/Rewrite
SensorBase IP address reputation example: 23.24.19.29 scores -3 on the scale from -10 to +10.
Talos Threat Intelligence
• Threat Research
• Intelligence
• Response
Cisco Security Intelligence Operations
Three Defense Pillars
Leading the Competition © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 50
SensorBase
Depth and Breadth of Coverage:
• Over 1.6M global devices
• Historical library of 40,000 threats
• 35% of global email traffic seen per day
• 13B+ worldwide web requests seen per day
• 200+ parameters tracked
Threat Intelligence Benefits:
• 360 degree dynamic threat visibility
• Understanding of vulnerabilities and exploit technologies
• Visibility into highest threat vehicles
• Latest attack trends and techniques
• Multi-vector visibility
Over 1,000 servers process over 500GB of threat data per day
Dynamic Updates
Automated Defense Updates (Cisco Security Intelligence Operations):
• Automated updates delivered to Cisco security devices every 3–5 minutes
• 8M+ rules per day
• Reputation updates for real-time protection
Benefits:
• Reduces exposure window
• Minimizes security management overhead
See the latest threat outbreaks and where they are in the world.
Enter your customer's IP address to look up their reputation in SenderBase.
Excellent way to show off the power of the solution and how it can help your customers.
Processing Incoming Mail (Work Queue): Reputation Filters → Message Filters → Anti-Spam → Anti-Virus → AMP → Content Filters → Outbreak Filters
Before: Discover, Enforce, Harden | During: Detect, Block, Defend | After: Scope, Contain, Remediate
[Figure: Intelligent Multiscan (IMS): incoming mail (good, bad, and unknown email) is scanned by several anti-spam engines (Anti-spam Engine B, ...) and then by the Cisco Anti-Spam Engine, powered by Cisco® SIO]
Mail Policies: What, Where, How
• Normal mail is spam filtered
• Suspicious emails are rate limited and spam filtered
[Figure: signals that lead to a spam verdict, grouped as HOW? WHO? WHAT? WHERE?]
• Message leaves trace of spamware tool
• IP address recently started sending email
• All text inside an image
• Message originated from a dial-up IP address
• Random dots appear within the message
• Sending IP address located in regions known for attack
• Nearly identical color scheme in 100,000s of spamtrap messages
• WWW.FASTMONEY.COM
→ Verdict
Defense-In-Depth Anti Spam
[Figure: Intelligent Multi-Scan: incoming good, bad, and unknown email → Anti-Spam Engine A, Anti-Spam Engine B, Anti-Spam Engine (Future) → IronPort Anti-Spam Engine → Results: Delivered or Dropped]
[Screenshots 1 and 2: configure Anti-Spam settings here]
Default: Admin can view Quarantine; must enable Quarantine Notification to allow users to view.
[Figure: sample screenshots of a Websense "Securing the Web" newsletter and a Buy.com privacy policy notice ("All information collected from you will be shared with Buy.com and its affiliate companies")]
• Full Overview Reporting: Monitor > Incoming Mail
• Config in IPAS settings: Mail Policies > Incoming Mail Policies > Anti-Spam
Graymail Detection
[Figure: a Bulk message receives a banner; the end-user clicks on the rewritten un-subscription link in the banner]
[Figure: Email contains URL → sent to the cloud (Cisco® Talos) → Rewrite, or Defang/Block, e.g. BLOCKEDwww.playboy.comBLOCKED, BLOCKEDwww.proxy.orgBLOCKED]
Processing Incoming Mail (Work Queue): Reputation Filters → Message Filters → Anti-Spam → Anti-Virus → AMP → Content Filters → Outbreak Filters
[Figure: Antispam Engines (Cisco Anti-Spam) and Antivirus Engines]
Mail Policies > Incoming Mail Policies > AV link in Mail Policy
For Encrypted and Unscannable, you can't be sure the message is clean.
Advanced settings provide custom headers for mail agents to sort on, or redirect a message.
Processing Incoming Mail (Work Queue): Reputation Filters → Message Filters → Anti-Spam → Anti-Virus → AMP → Content Filters → Outbreak Filters
Cisco AMP delivers integrated… point-in-time protection, retrospective security, and additional protection.
Cisco zero-hour malware protection: Advanced Malware Protection
[Figure: SourceFire AMP integration: File Reputation (known file reputation, with reputation updates) and File Sandboxing (unknown files are uploaded for sandboxing)]
AMP On-Prem Sandboxing
AMP with ThreatGrid Solution Architecture
[Figure: the ESA AMP Client sends a File Reputation Query through the AMP Connector (Local Cache) to the Cisco Cloud (Talos, AMP), which returns the disposition plus heartbeat and retrospective updates; the Sandbox Connector uploads qualified files to Cisco On-Prem Sandboxing (Local AV, PDF scanners) and queries their disposition]
§ Quarantine to store potential malware under investigation in sandbox
§ System quarantine with standard functions
- Release, Delete, Send Copy, and Delay scheduled exit
§ Autorelease and rescan the message when file analysis is complete
Processing Incoming Mail (Work Queue): Reputation Filters → Message Filters → Anti-Spam → Anti-Virus → AMP → Content Filters → Outbreak Filters
Content Filters
• Executed after the Policy Engine
• Executed after security engines
• Nice, easy to use GUI
• Limited scope of conditions/actions
• Either “AND” or “OR” logical operators between all conditions
• Separate set of filters for Incoming and Outgoing mail
Message Filters
• Executed before the Policy Engine
• Applies to the entire mail flow
• More flexible in capabilities and in scripting (Python)
Actions You Can Take:
• Quarantine message (or a copy)
• Send copy to (bcc)
• Notify someone
• Strip attachments by type
• Redirect message
• Insert or strip a header
• Add footer
• Skip Outbreak Filter processing
AND
• Bounce message, or
• Drop message, or
• Deliver message
• Encrypt and Deliver
Things You Can Look for:
• Message Body or Attachments
• Message Body
• Message Size
• Attachment Content
• Attachment File Info
• Attachment Protected
• Subject Header
• Other Header
• Envelope Sender
• Envelope Recipient
• Receiving Listener
• Remote IP
• Reputation Score
• DKIM Authentication
1. Identify the content that needs a custom action
2. Build the filter with 'Conditions & Actions'. Order the filter appropriately in the list.
[Figure, step 1: mail from Exchange.cisco.com (172.20.0.10) toward the Internet passes a Content Filter; Human Resources content is sent to the Policy Quarantine]
2. Conditions:
• Message Body
• Subject Header
• Other Header
• Attachment
• Attachment File Type (fingerprint)
• Attachment Name
• Attachment MIME Type
• Envelope Sender
• Envelope Recipient
Text comparisons: Contains, Does not contain, Equals, Does not equal, Begins with, Does not begin with, Ends with, Does not end with, Exists, Attachment matching … plus a whole lot of choices… and more!
Multiple conditions can be combined with either AND or OR.
Processing Incoming Mail (Work Queue): Reputation Filters → Message Filters → Anti-Spam → Anti-Virus → AMP → Content Filters → Outbreak Filters
Before: Discover, Enforce, Harden | During: Detect, Block, Defend | After: Scope, Contain, Remediate
[Figure: Cisco® Talos checks a link at click time: link is clicked → dynamic, real-time inspection via HTTP → website is clean. Sample page shown: Cisco Security, http://www.threatlink.com: "Cisco Email and Web Security protects your organization's network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files."]
Before: Discover, Enforce, Harden | During: Detect, Block, Defend | After: Scope, Contain, Remediate
[Figure: Rewritten URL Report: list of users accessing rewritten URLs; add malicious URLs to the blacklist]
[Figure: pipeline: Masquerading or LDAP Masquerading, LDAP Routing, SenderBase Network, Message Filters, Anti-Spam, Per-Policy Scanning, Anti-Virus, Content Filters, Virus Outbreak Filter]
Outbreak Filters: calculate the change in threat level (Threat = 3)
SenderBase data collection allows statistical analysis to spot virus outbreak trends - on average 13 hours before the signature is released!
Outbreak Filter
[Figure: Outbreak Filter quarantine timeline, comparing IronPort Virus Outbreak Filters with Sophos and McAfee Anti-Virus (pattern #117)]
1. IronPort releases RULE-V1, raising the threat level for all ZIP files containing .EXE parts. The message hits Outbreak Filters and is quarantined.
2. IronPort releases RULE-V2, matching only ZIP files with .EXE parts that are larger than 36KB. Any message quarantined by RULE-V1 but not by RULE-V2 is released and delivered.
3. IronPort releases RULE-V3, matching ZIP files with .EXE parts that are between 50 & 55KB with "price" in the filename. Any message quarantined by RULE-V2 but not by RULE-V3 is released and delivered.
4. Sophos & McAfee release patterns matching the virus. IronPort releases RULE-V4, directing all files to be released (and rescanned) after rule updates are loaded.
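The RULE-V1 to RULE-V4 progression above, replayed as an added Python example (not from the slides and not the ESA's implementation): each rule version is a predicate over the .EXE parts of a ZIP attachment, a new rule re-evaluates the quarantine and releases what it no longer matches, and the sample messages and MIDs are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed message model: the member files of a ZIP attachment, since the
# rules on the slide look at ".EXE parts" inside ZIP files.
@dataclass
class Part:
    name: str
    size_kb: int

@dataclass
class Msg:
    mid: int
    zip_parts: list = field(default_factory=list)   # members of the ZIP attachment
    arrives_during: int = 0                          # index of the rule current on arrival

def exe_parts(msg: Msg) -> list:
    return [p for p in msg.zip_parts if p.name.lower().endswith(".exe")]

# The four rule versions, transcribed from the slide's RULE-V1 .. RULE-V4 text.
def rule_v1(msg):   # any ZIP file containing .EXE parts
    return bool(exe_parts(msg))

def rule_v2(msg):   # only ZIPs whose .EXE parts are larger than 36KB
    return any(p.size_kb > 36 for p in exe_parts(msg))

def rule_v3(msg):   # .EXE parts between 50 and 55KB with "price" in the filename
    return any(50 <= p.size_kb <= 55 and "price" in p.name.lower()
               for p in exe_parts(msg))

def rule_v4(msg):   # AV patterns are out: release everything for rescan
    return False

RULES = [("RULE-V1", rule_v1), ("RULE-V2", rule_v2),
         ("RULE-V3", rule_v3), ("RULE-V4", rule_v4)]

def run_outbreak_timeline(messages: list, rules=RULES) -> dict:
    """Replay the rule updates. Each new rule is first re-applied to the
    quarantine (held messages it no longer matches are released for delivery)
    and then governs what arrives while it is current. Returns, per rule name,
    the MIDs held, released, and delivered straight through."""
    timeline, quarantine = {}, []
    for step, (name, rule) in enumerate(rules):
        released = [m.mid for m in quarantine if not rule(m)]
        quarantine = [m for m in quarantine if rule(m)]
        delivered = []
        for m in messages:
            if m.arrives_during == step:
                (quarantine if rule(m) else delivered).append(m)
        timeline[name] = {"held": [m.mid for m in quarantine],
                          "released": released,
                          "delivered_on_arrival": [m.mid for m in delivered]}
    return timeline

# Constructed sample traffic (the MIDs are made up).
SAMPLE = [
    Msg(101, [Part("price.exe", 52)]),                   # matches V1, V2 and V3
    Msg(102, [Part("readme.exe", 20)]),                  # matches V1 only
    Msg(103, [Part("invoice.exe", 40)]),                 # matches V1 and V2, not V3
    Msg(104, [Part("notes.txt", 5)]),                    # no .EXE part: never held
    Msg(105, [Part("tool.exe", 30)], arrives_during=1),  # arrives under V2: too small
]

def example_timeline() -> dict:
    return run_outbreak_timeline(SAMPLE)
```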
Mail Policies > Incoming Mail Policies > Outbreak Filter hyperlink in Policy
• Threat Landscape
• Email Form Factors
• Email Architecture
• Mail Flow Pipeline & Processing
• Inbound Features
• Outbound Features
• LDAP
• Centralized Reporting & Message Tracking
• What’s New in 9.x
Outbound Features
[Figure: outbound pipeline: Reputation Filters, Message Filters, Anti-Spam, Anti-Virus, Content Filters, Outbreak Filters, RSA DLP; three of the stages are marked OFF]
Outbound: Automatic Encryption / Decryption
Part of a comprehensive DLP solution with RSA – Accurate, Easy, Extensible
Policies
Incidents
Integrating the ESA into an Enterprise-wide DLP Deployment
• Encryption Server
• Enterprise Manager integration brings: Additional Policies, Fingerprinting, Policy Management, Remediation
DLP Assessment Wizard streamlines the setup, but not all filter options are shown
Security Services > RSA Email DLP to enable
Choose a Template Category
Add a Template from the Category list
• The default is to monitor only – the Deliver action
• Add custom header, modify subject, or add disclaimer
• Copy admins or supervisors
• Notify sender or recipient with a custom message
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 99
Commit Changes
Results of Sample Payment Card Industry (PCI) Violation:
Visa 4999999999999996
Wed Dec 16 20:04:29 2009 Info: MID 174 interim AV verdict using Sophos CLEAN
Wed Dec 16 20:04:30 2009 Info: MID 174 queued for delivery
Wed Dec 16 20:04:30 2009 Info: MID 174 enqueued for PXE encryption
Wed Dec 16 20:04:33 2009 Info: MID 175 was generated based on MID 174 by PXE encryption filter 'DLP'
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 From: <alan@exchange.alpha.com>
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 RID 0 To: <adam@outside.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 ready 156437 bytes from <alan@exchange.alpha.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 queued for delivery
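An added example, not from the slides, that parses mail_logs lines of the form shown above and reconstructs the lineage from MID 174 to the PXE-encrypted MID 175, the check an analyst or auditor runs to confirm that a DLP violation actually left the gateway encrypted. The log excerpt is the one above; the regular expressions are this example's own assumptions about the line format.

```python
import re
from collections import defaultdict

# The mail_logs lines from the slide (MID 174 triggers the DLP policy and
# MID 175 is the PXE-encrypted message generated from it).
SAMPLE_LOG = """\
Wed Dec 16 20:04:29 2009 Info: MID 174 interim AV verdict using Sophos CLEAN
Wed Dec 16 20:04:30 2009 Info: MID 174 queued for delivery
Wed Dec 16 20:04:30 2009 Info: MID 174 enqueued for PXE encryption
Wed Dec 16 20:04:33 2009 Info: MID 175 was generated based on MID 174 by PXE encryption filter 'DLP'
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 From: <alan@exchange.alpha.com>
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 RID 0 To: <adam@outside.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 ready 156437 bytes from <alan@exchange.alpha.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 queued for delivery
"""

# Assumed line shape: "<day> <mon> <dd> <hh:mm:ss> <yyyy> <Level>: MID <n> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): "
    r"MID (?P<mid>\d+) (?P<msg>.*)$")
GENERATED_RE = re.compile(r"was generated based on MID (\d+) by (.+?) filter '([^']*)'")
VERDICT_RE = re.compile(r"AV verdict using (\w+) (\w+)")
FROM_RE = re.compile(r"\bFrom: <([^>]*)>")
TO_RE = re.compile(r"\bTo: <([^>]*)>")
SIZE_RE = re.compile(r"\bready (\d+) bytes\b")

def parse_mail_log(text: str):
    """Group MID events in order and record which MID was generated from which
    (the PXE encryption filter creates a new MID for the encrypted envelope)."""
    events, parent = defaultdict(list), {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # lines without a MID are not message events
        mid = int(m["mid"])
        events[mid].append((m["ts"], m["msg"]))
        g = GENERATED_RE.search(m["msg"])
        if g:
            parent[mid] = {"from_mid": int(g.group(1)), "by": g.group(2), "filter": g.group(3)}
    return events, parent

def trace_message(text: str, mid: int) -> dict:
    """Follow a MID back to its origin and summarise what the gateway did:
    AV verdicts, the filter that caused encryption, envelope addresses, size."""
    events, parent = parse_mail_log(text)
    chain = [mid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]]["from_mid"])
    summary = {"chain": chain, "av_verdicts": [], "encrypted_by": None,
               "mail_from": None, "rcpt_to": [], "size_bytes": None, "queued": []}
    for m in reversed(chain):               # origin first
        if m in parent:
            summary["encrypted_by"] = (parent[m]["by"], parent[m]["filter"])
        for _ts, msg in events.get(m, []):
            if (v := VERDICT_RE.search(msg)):
                summary["av_verdicts"].append((m, v.group(1), v.group(2)))
            if (f := FROM_RE.search(msg)):
                summary["mail_from"] = f.group(1)
            if (t := TO_RE.search(msg)):
                summary["rcpt_to"].append(t.group(1))
            if (s := SIZE_RE.search(msg)):
                summary["size_bytes"] = int(s.group(1))
            if msg == "queued for delivery":
                summary["queued"].append(m)
    return summary

def dlp_encryptions(text: str) -> list:
    """Every (generated MID, source MID, filter) where a filter named 'DLP'
    produced an encrypted message: the events worth a compliance report."""
    _events, parent = parse_mail_log(text)
    return [(mid, p["from_mid"], p["filter"]) for mid, p in parent.items()
            if p["filter"] == "DLP"]
```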
Cisco Registered Envelope Service turnkey email encryption
• The only cloud-based encryption key server flexible enough to meet the evolving secure-communications requirements of businesses today
• Hosted key service: the encryption key is stored in the cloud
• Uses federated identity
• Push technology with advanced end-to-end encryption
• We make encryption easy for end users – a key customer adoption barrier
• Supports SAML for federated identity
• Technology independent – use your inbox or mail server of choice
[Figure: integrated gateway security with intuitive policy management to meet evolving customer requirements; MTA to MTA TLS enforced]
[Figure: a message TO: SUE and BOB is sent out over the Internet. Sue, a public recipient, opens it through CRES (Cisco Registered Envelope Service) with username and password; Bob, a partner recipient, receives it over a TLS connection. Roles shown: Executive, Accountant]
Forward/Reply Email Control
[Figure: Cloud; roles shown: Executive, Accountant]
Read Email Receipt
[Figure: email read receipt returned via CRES (Cisco Registered Envelope Service), username and password login; roles shown: Executive, Accountant]
Email Recall & Expiration
[Figure: CRES (Cisco Registered Envelope Service) expires the key; username and password login; roles shown: Executive, Accountant]
Six steps:
1. Enable Email Encryption
2. Configure Encryption Profile (multiple profiles may be configured)
3. Provision with Cisco Registered Envelope Service
4. Define policy via Content Filter(s)
5. Reference the Content Filter in a Mail Policy
6. Test using the trace and sample outbound emails
1. Enable Email Encryption
• Key Server Type
  Hosted Key Service: use Cisco Registered Envelope Service*, a managed service by Cisco/IronPort
  IronPort Encryption Appliance (IEA): use a key server managed by the customer and running locally on an IEA
Security Services > IronPort Email Encryption > Add Encryption Profile
• Message Settings: enable Secure Reply All and Forward buttons for recipients
• Must Commit before you can provision!
Security Services > IronPort Email Encryption
• Does not apply to local key server (on IronPort Encryption Appliance)
Message Policies > Outgoing Content Filters > Add Content Filter > Add Condition
Message Policies > Outgoing Content Filters > Add Content Filter > Add Action
Drill down reporting and detailed Message Tracking
Quarantines are places to hold emails that violate policies: Anti-Spam, Anti-Virus, email policy, and emails that contain outbreaks
• Spam, Outbreak, Policy, and Virus quarantines are enabled by default
• Other quarantines can be created as needed or desired to fit company policy
The system has finite space for quarantines on box. For more Spam Quarantine space, use an M-series appliance. Policy quarantines cannot yet be centralized on the M Series.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 120
LDAP
Lightweight Directory Access Protocol
• Based on the X.500 standard, but significantly simpler and more readily adapted to meet custom needs
• Unlike X.500, LDAP supports TCP/IP, which is necessary for Internet access
• The core LDAP specifications are defined in RFCs
LDAP can:
• Provide data to clients
• Search data with filters
• Access specific information from an object
• Be customized: each implementation is usually different
• A hierarchical object-oriented database
• A repository of information
• Provides a single point of data management
• LDAP directories are heavily optimized for read performance
1. Verify the receiving domain in the RAT
2. Search the LDAP directory from the base DN for the recipient email address
3. Return an accept or reject to the sending domain
Query (LDAP_Svr1.accept): (mail={abuse@alpha.com})
RAT:
  alpha.com: Accept
  exchange.alpha.com: Accept
  All Others: Reject
Diagram: the IncomingMail Listener on the C-Series appliance receives "Rcpt to: sam@alpha.com" and "Rcpt to: abuse@alpha.com", queries the LDAP server, and the Exchange server holds the mailbox abuse@exchange.alpha.com.
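As an added example (not the appliance's code), the three steps above as one validation routine: the RAT check first, then an LDAP Accept query built from a filter template. The in-memory directory, the extra RAT rows and the `{a}` token standing for the recipient address are assumptions of this example; the recipient value is escaped per RFC 4515 before it is placed in the filter, so a crafted address cannot change the query's meaning.

```python
"""Recipient validation as on the slide: RAT domain check, then an LDAP Accept query.
The directory below is a constructed in-memory stand-in for the LDAP server, and the
query template uses {a} for the full recipient address (a convention assumed here)."""
import re

# Constructed Recipient Access Table, evaluated top-down; "ALL" is the catch-all row.
RAT = [("alpha.com", "Accept"), ("exchange.alpha.com", "Accept"), ("ALL", "Reject")]

# Constructed directory objects with their 'mail' attribute values.
DIRECTORY = [
    {"dn": "cn=Sam,ou=users,dc=alpha,dc=com", "mail": ["sam@alpha.com"]},
    {"dn": "cn=Abuse,ou=users,dc=alpha,dc=com",
     "mail": ["abuse@alpha.com", "abuse@exchange.alpha.com"]},
]

ACCEPT_QUERY = "(mail={a})"  # the slide shows this with the address already filled in

def rat_lookup(domain: str) -> str:
    """First matching RAT row wins; unknown domains fall through to the catch-all."""
    for entry, action in RAT:
        if entry == "ALL" or entry.lower() == domain.lower():
            return action
    return "Reject"

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the recipient string must not alter the filter structure."""
    specials = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_filter(template: str, address: str) -> str:
    return template.replace("{a}", escape_filter_value(address))

def directory_search(filt: str) -> list:
    """Tiny evaluator for the single equality filter this page uses: (attr=value)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, raw = m.groups()
    # Undo RFC 4515 escapes so the comparison is against the literal attribute value.
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [o for o in DIRECTORY
            if wanted.lower() in [v.lower() for v in o.get(attr, [])]]

def validate_recipient(address: str) -> tuple:
    """Return (decision, reason) as the listener would for one RCPT TO."""
    if address.count("@") != 1:
        return ("Reject", "malformed address")
    domain = address.split("@")[1]
    if rat_lookup(domain) != "Accept":
        return ("Reject", "RAT: domain not accepted")
    filt = build_filter(ACCEPT_QUERY, address)
    if directory_search(filt):
        return ("Accept", "LDAP: " + filt)
    return ("Reject", "LDAP: no match for " + filt)
```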
System Administration > LDAP
Supports: Active Directory, Lotus Notes, OpenLDAP, SunOne, and others
SMTP Call-Ahead is used to verify legitimate recipient addresses in hosted customers' domains without accessing their LDAP directory. The appliance calls ahead to the customer's SMTP server with a RCPT TO command to test the recipient before sending the mail.
Diagram: the Hosted Email Service sits between the Internet mail domains and Hosted Customer 1 / Hosted Customer 2.
Network -> SMTP Call-Ahead
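The call-ahead exchange described above, as an added example that is not the appliance's code: a client runs EHLO, MAIL FROM and RCPT TO against a constructed in-memory SMTP server and maps the reply code to a decision. The server name, recipient lists and reply texts are all constructed; the point it shows is that a 4xx reply means "unknown", not "reject".

```python
"""SMTP Call-Ahead: probe RCPT TO on the downstream server without sending a message.
The server class is a constructed stand-in so the exchange can run offline."""

class ScriptedSmtpServer:
    """Constructed stand-in for the hosted customer's SMTP server."""
    def __init__(self, valid, tempfail=()):
        self.valid, self.tempfail = set(valid), set(tempfail)
        self.transactions = []           # every command line seen, for inspection

    def send(self, line: str) -> str:
        self.transactions.append(line)
        verb, _, arg = line.partition(" ")
        if verb == "EHLO":
            return "250-mail.example.test\r\n250 PIPELINING\r\n"   # multi-line reply
        if verb == "MAIL":
            return "250 OK\r\n"
        if verb == "RCPT":
            addr = arg[len("TO:<"):-1].lower()
            if addr in self.tempfail:
                return "450 4.7.1 Greylisted, try again later\r\n"
            return "250 OK\r\n" if addr in self.valid else "550 5.1.1 User unknown\r\n"
        if verb == "RSET":
            return "250 OK\r\n"
        if verb == "QUIT":
            return "221 Bye\r\n"
        return "500 Unrecognized command\r\n"

def reply_code(reply: str) -> int:
    """Take the status code from the last line of a possibly multi-line reply."""
    last = [l for l in reply.split("\r\n") if l][-1]
    return int(last[:3])

def call_ahead(server, recipient: str, helo_name="esa.example.test") -> str:
    """Return 'accept', 'reject' or 'unknown' for one recipient; no DATA is ever sent."""
    if reply_code(server.send(f"EHLO {helo_name}")) != 250:
        return "unknown"
    if reply_code(server.send("MAIL FROM:<>")) != 250:   # null sender for the probe
        return "unknown"
    code = reply_code(server.send(f"RCPT TO:<{recipient}>"))
    server.send("RSET")   # abandon the probe transaction
    server.send("QUIT")
    if code == 250:
        return "accept"
    if 500 <= code < 600:
        return "reject"
    return "unknown"      # 4xx: the server is not saying the user does not exist
```

Only a 5xx reply to RCPT TO justifies rejecting the recipient; a temporary failure should leave the decision to the listener's fallback rather than bounce legitimate mail.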
Centralized Reporting & Message Tracking
Localized reporting and tracking are useful features, but:
• Reports are not consolidated to represent the whole enterprise when it uses multiple ESAs
• Distributed C-Series appliances can make it difficult to determine a single message's disposition
Diagram: the mail admin asking "Which appliance?"
• Reports are consolidated to view mail aggregated across the whole enterprise
• Individual messages can be tracked regardless of the path taken through the enterprise
Diagram: the M-Series collects incoming and outgoing mail data from ESA 1 for the mail admin.
Diagram: centralized end-user spam quarantine. C370s forward suspect spam to the quarantine on the M1070 (END-USER ISQ 1, END-USER ISQ 2); end users receive a notification with an access link.
Cisco Content Security Management Appliances for Email and Web Security
Flexible deployment options with software bundles and a la carte options
Flexible Deployment: Appliances, Cloud (Cloud, Hybrid, Managed); right-size to fit your needs, select the number of mailboxes, expand as you grow
A La Carte Software: Cloudmark Anti-Spam, Image Analyzer, McAfee Anti-Virus, Intelligent Multi-Scan
POC
• What are the customer's experiences with their email security solution today?
• What are the customer's concerns? These may include the following:
  -- Poor efficacy
  -- Poor performance
  -- Phishing
• How do these issues relate to the customer's overall security? When does the current solution expire?
• What are the outsourced deployment methodologies?
  -- Managed services
• How will the proof of concept be deployed?
  -- In a test lab
  -- In production
• How will the proof of concept be evaluated?
  -- List the criteria for success and, if possible, provide the relative weightings.
What’s New in 9.x
Performance Monitoring / Enhancements
Encryption
Performance Monitoring - System Health Check
Alternatively, click Run Health Check.
Performance Monitoring - System Health Check
When run, the system analyzes historical data (up to 3 months) to determine the
health of the appliance.
- ResCon mode
- Delay in mail processing
- High CPU usage
- High memory usage
- High memory page swapping
Performance Monitoring - Upgrade Guidance
• When you click Upgrade Options, the system will prompt you about a System Health Check
Performance Monitoring - ‘ResCon’ Mode
• A new report under Monitor > System Capacity > System Load counts the times the system has entered Resource Conservation mode.
• Consider adding capacity or restructuring mail flows if excessive resource conservation activity is seen.
Graymail - What is it?
Graymail is email you opted in to receive but don't really want anymore - we all get it.
Graymail - The Solution
The Graymail solution will provide:
• Protection against malicious threats masquerading as unsubscribe links
• A uniform interface for all subscription management for end users
• Better visibility into such emails for email administrators and end users
Graymail - Architecture & Mail Flow
Graymail - Sub-Categories - Identifying Graymail
Marketing
• Email campaigns sent through professional routing platforms
• These market players generally follow the rules of use for email advertising: unsubscribe links, list cleaning/verification, etcetera
Bulk
• Any advertising email that follows the advertising rules of use but is not sent through a professional routing platform. Here the heuristic rules used are predictive and generic
Social Networking
• Social networking emails: Facebook, LinkedIn, etcetera
Graymail - Configuration, Policy Settings
Graymail - Configuration
For monitoring purposes, enable Graymail detection with no actions.
Graymail - End User Experience
Graymail - End User Experience Workflow
1. The user clicks on the rewritten un-subscription link in the banner.
2. The link is checked to ensure it's safe and then redirected to the unsubscribing service.
3. The service executes the un-subscription on behalf of the end user.
Graymail - Reporting
Separate report elements show the Top Senders by Graymail by sending domain and the Top Senders by Category.
Graymail - Message Tracking
Web Interaction Tracking - Brief Overview
Web Interaction Tracking - Limitations
• Customer-visible logs for URL click data are not available
• Report modules are refreshed every 30 minutes; this interval is not configurable
Web Interaction Tracking - Configuration: URL Filtering
Web Interaction Tracking - Configuration: Outbreak Filters
• Check the box for Enable URL Click Tracking, then Submit and Commit.
Web Interaction Tracking - Reporting
Web Interaction Tracking - Message Tracking
Message Tracking has been enhanced to search for URL Click Tracking events and specific URLs.
AMP - Architecture and Mail Flow
AMP - ThreatGrid Configuration
AMP with ThreatGrid Solution Architecture
Diagram: on the ESA, email pre-classification feeds the AMP client (AMP connector with a local cache), which sends parallel File Reputation queries to the Cisco Talos / AMP File Reputation Cloud; the cloud returns heartbeat and retrospective updates.
AMP - Decision Flow - ThreatGrid
Local Sandboxing - Configuration
AMP - File Analysis Report Page
Three different disposition values:
• Clean
• Malicious
• Unknown
File Analysis Details Report Page
Malicious SHA
Encryption - TLS 1.2
Configure the GUI HTTPS service for TLS v1 to get TLS v1/v1.2 support.
Don't turn off SSLv3 on inbound SMTP on a publicly facing MX: be strict on your outbound but permissive on inbound to support legacy implementations.
What is worse? Using a legacy protocol on inbound email, or having incoming messages delivered in the clear?
Encryption - Zix Partnership
• Goal of partnership: a replacement product for IEA (IronPort Encryption Appliance)
• Zix Encryption Appliance (Cisco Zix Gateway 2.0+): existing IEA customers only
Encryption - Zix Encryption Appliance Hardware
CCS-ZEA200-K9: Zix EA Corporate Edition
CCS-ZEA400-K9: Zix EA Enterprise Edition
CCS-ZEAV-K9: Zix EA Virtual Appliance*
Encryption - Zix Encryption Appliance Software Licenses
§ User tiers
§ One license for all functionality
§ Activation services through Zix
Software SKUs: L-ZEA-K9-LIC=, L-ZEA-1Y-S1, L-ZEA-1Y-S3, L-ZEA-1Y-S4, L-ZEA-1Y-S5, L-ZEA-1Y-S7, L-ZEA-1Y-S8, L-ZEA-1Y-S9, L-ZEA-1Y-S10, L-ZEA-1Y-S11, L-ZEA-1Y-S12
Encryption - Zix Partnership for On-premises Encryption: Roadmap
Phase 0: May 2015
Phase 1: October 2015
Phase 2: April 2016
Features shown on the roadmap: S/MIME Gateway, Open PGP, Statement Delivery, Mobile Support (two phases)
• AsyncOS for Email 9.1 mass upgrades for customers will happen after
migration is complete
Product Update - Cloud Email Roadmap Priorities
Product Update - Email Security Roadmap Priorities
Drive SaaS Growth While Maintaining on-Prem Leadership
Diagram: Cloud and Premises roadmap columns
Version 10.0 - Feature List
• URL Logging in Message Tracking: include URLs that violate Reputation and URL Categorization Content Filters in Message Tracking
• Message Language Detection: use the language of the email message to determine which configured Content Filter action is applied
• Message Digest Modification: suppress the message subject in spam notification messages
• Mailbox Auto Remediation w/ O365: uses API calls and AMP Retrospection to take action on emails with attachments in an Office 365 user's inbox that were later determined to be malicious
• Improved AMP Reporting: give customers improved visibility into threats identified by the AMP engine
• SAML Authentication: leverage corporate credentials via SAML for SMA End User Spam Quarantine access
• Updateable ClamAV: use the updater service and separate ClamAV engine updates from AsyncOS updates
• Spam Submission Tracking Portal: lets customers track submissions and the usability of messages sent to Cisco
Additional resources for information:
• Support Forums: https://supportforums.cisco.com/community/5756/email-security
• Customer Knowledgebase: https://supportforums.cisco.com/blog/12176911/updated-access-customer-knowledge-base
The more work you do ahead of time,
the easier the evaluation will be.
• Identify the customer network and email solution topology
When using the ESA with a 3rd-party email gateway solution, the ESA should be on the outside of that solution to show the power of SBRS.
Beware of missed spam: use Marketing Message Detection and/or IMS.
If the ESA is in the middle we'll show better anti-spam efficacy (catching what they miss), but won't show much blocked by reputation.
Diagrams: the two placements, ESA on the outside versus ESA in the middle, each between the Internet and the Mail Server.
Putting the appliances in parallel with an additional MX record will allow for the best testing.
This is great for inbound testing. For outbound it may only allow for one smarthost, so you may need to direct all outbound mail through the IronPort appliance.
This is the typical way to test; it allows use of both systems and gives an easy way to migrate off the old solution.
Diagram: the Internet delivers to the existing solution and the ESA in parallel, each in front of the Mail Server.
• Configure the ESA to pass through all email; discuss with the customer the benefits of dropping via SBRS versus accepting all connections.
• Insert X-headers showing SBRS
• Insert X-headers showing Mail Flow Policy
• Positive spam
• Suspect spam
• Marketing Messages
• Set all Incoming Policy rules to Deliver
• Have the customer write rules in the existing gateway to record emails missed by the existing solution.
• Examine Overview Reports
Message filter that stamps the headers:
    add_SBRS_Policy: if (sendergroup != "RELAYLIST") {
        insert-header("X-Ironport-SBRS", "$REPUTATION");
        insert-header("X-Ironport-Group-Policy", "$GROUP-$POLICY");
    }
Diagram: Internet > Cisco ESA > Existing Email Gateway > Mail Server
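Because the PoC above delivers everything and only stamps X-Ironport-SBRS and X-Ironport-Group-Policy, the effect of a reputation policy has to be worked out afterwards from the headers. The following is an added example, not part of the deck: it parses constructed sample headers and counts what a given SBRS threshold would have blocked per sender group. The sample scores, sender-group and policy names are constructed for the example.

```python
"""Pass-through PoC analysis: from stamped X-Ironport-* headers, count the messages a
reputation threshold would have blocked, per sender group, without touching the ESA."""
from collections import Counter
from email import message_from_string

# Constructed sample of message headers as the existing gateway might have recorded them.
SAMPLE_MESSAGES = [
    "X-Ironport-SBRS: -9.5\nX-Ironport-Group-Policy: BLACKLIST-$BLOCKED\nSubject: cheap meds\n\nbody",
    "X-Ironport-SBRS: -3.2\nX-Ironport-Group-Policy: SUSPECTLIST-$THROTTLED\nSubject: invoice\n\nbody",
    "X-Ironport-SBRS: 2.1\nX-Ironport-Group-Policy: UNKNOWNLIST-$ACCEPTED\nSubject: hello\n\nbody",
    "X-Ironport-SBRS: 7.8\nX-Ironport-Group-Policy: WHITELIST-$TRUSTED\nSubject: report\n\nbody",
    "X-Ironport-SBRS: None\nX-Ironport-Group-Policy: UNKNOWNLIST-$ACCEPTED\nSubject: no score\n\nbody",
]

def parse_sbrs(raw: str):
    """Return (score or None, sender group); a non-numeric score means no SBRS was available."""
    msg = message_from_string(raw)
    score_txt = msg.get("X-Ironport-SBRS", "").strip()
    # The filter writes "$GROUP-$POLICY", so the sender group is the part before the dash.
    group = msg.get("X-Ironport-Group-Policy", "").split("-")[0] or "UNKNOWN"
    try:
        return float(score_txt), group
    except ValueError:
        return None, group

def would_have_blocked(messages, threshold: float) -> dict:
    """Count messages whose SBRS is at or below the threshold, broken down by sender group.
    Unscored messages are reported separately: a score threshold cannot act on them."""
    blocked, unscored, total = Counter(), 0, 0
    for raw in messages:
        score, group = parse_sbrs(raw)
        total += 1
        if score is None:
            unscored += 1
        elif score <= threshold:
            blocked[group] += 1
    return {"total": total, "blocked": dict(blocked),
            "blocked_total": sum(blocked.values()), "unscored": unscored}

if __name__ == "__main__":
    for threshold in (-3.0, -5.0):
        print(threshold, would_have_blocked(SAMPLE_MESSAGES, threshold))
```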
Thank you.