Cisco IronPort E-mail Security Appliance Best Practices : Part 1 (2022)


  • Post author: Mikail
  • Post date: June 1, 2014

I’ve cheekily phrased this blog article as a best practice guide to setting up/configuring your Cisco IronPort email security appliance. However, I must make clear that what follows is what I deem to be best practices/configuration. Every environment is unique, so please make sure you understand what you are doing before attempting to implement any of my suggestions. So, let’s get started! The suggestions below are in no particular order.

Quarantines

  1. It is a good idea to create separate quarantines for the different kinds of items you expect to land there. For example, quarantines are easier to manage if there is one for ‘bad’ attachments, one for URL filtering, and so on.

Incoming Content Filters

  1. Have a content filter to block actively exploited threats. For example, I have a content filter called quarantine_active_exploits that blocks .rtf attachments (because of the recent Microsoft RTF 0-day that can execute code just by viewing an attachment in Outlook) and bounces a message back to the sender to inform them that their message has not been delivered, why, and what they can do to get it through. Obviously, once the exploit is patched, the content filter will be modified to reflect that.
  2. A content filter to block executables, or to allow ONLY certain extensions, is definitely a must for an email security appliance. Either have a content filter that blocks a list of ‘dangerous’ extensions (don’t bounce any of these messages) or one that only allows a list of ‘safe’ extensions. The latter is obviously more secure but will probably cost you more management overhead/annoyance in the long run 😉
  3. A content filter to quarantine messages that fail SPF will help reduce the number of spam/phishing messages coming through your environment. SPF is basically a DNS record that states which hosts are allowed to send on behalf of a domain. So, for example, only 100.100.100.100 is allowed to send from example.org. If your IronPort sees a message from example.org with the IP 200.200.200.200, it will be quarantined, as the owners of example.org have declared that nothing other than 100.100.100.100 is to be classed as legitimate. SPF is slowly becoming more and more popular; I recommend you set up SPF for your domain too if you can.
  4. Add a content filter for URL filtering. Choose categories appropriate to your environment, but the obvious ones are pornography, illegal downloads, proxy avoidance, etc.
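As an added illustration of the SPF check that the failed-SPF filter above relies on (example code written for this page, not from the original post or from Cisco), here is a minimal evaluator using the post’s own example.org numbers. It supports only the ip4, ip6 and all mechanisms, and DNS TXT lookups are replaced by a constructed table so it runs offline:

```python
"""Minimal SPF evaluation for the 'quarantine failed SPF' content filter above.
Added example, not code from the original post or from Cisco. Only the ip4, ip6
and all mechanisms are handled (no include/a/mx/redirect/macros), and DNS TXT
lookups are replaced by a constructed table so the block runs offline."""
import ipaddress

# Constructed stand-in for DNS TXT records (no network access).
FAKE_TXT = {
    "example.org": "v=spf1 ip4:100.100.100.100 -all",     # the post's example
    "softfail.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "nospf.example": "",                                   # publishes no SPF
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip, txt=FAKE_TXT):
    """Return the SPF result for client_ip sending with MAIL FROM domain 'domain'."""
    record = txt.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"                # domain publishes no policy
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"              # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":            # catch-all; its qualifier decides the result
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"   # malformed record: do not guess
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"           # mechanism this toy checker does not resolve
    return "neutral"                 # record ended without matching anything


def content_filter_action(spf_result):
    """Mirror the post's filter: only a hard SPF fail is quarantined. Whether a
    softfail (~all) should be treated the same way is an environment decision."""
    return "quarantine" if spf_result == "fail" else "deliver"
```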

Outgoing Content Filters

  1. A lot of people filter attachment types inbound but forget to do the same for outbound messages. If an internal machine is compromised and starts sending out malware to your customers, you’d probably want IT to be notified so they can identify and fix the issue ASAP.
  2. Encrypt e-mails. Create a policy to encrypt e-mails that contain the word confidential in the subject line, or messages with the header sensitivity=company-confidential (this header is set by Outlook when you mark a message as confidential in the message composition options).
  3. I’ll go into this in more detail later on (in the encryption section), but it is a good idea to create content filters that encrypt messages containing certain keywords in the message body or even in attachments.

E-mail Encryption

  1. Edit your encryption profile so that the encryption algorithm is AES-256.
  2. Customise the encryption HTML template and make it a bit more personalised: company logo, policies, who to e-mail if the recipient has trouble opening the encrypted attachment, etc.
  3. Personally, I would recommend unchecking the box for Use Decryption Applet. The user experience is a lot better when the recipient doesn’t need to install Java or accept security warnings and other annoying pop-up messages just to open the secure message. I notice no performance or functionality loss when I disable this checkbox: the secure attachment still opens in the browser, without the hassle.
  4. Select the radio button for Use the Cisco Registered Envelope Service URL with HTTPS.
  5. This one is very important, and I suggest you take some time doing it properly. Talk to all departments in your company and make a list of attachments or e-mail types that contain sensitive information that you/your company does not want to send out unencrypted. Ideally you will have some example sensitive attachments so you can create unique regular expressions in content filters to encrypt messages that match the sensitive keywords. For example, let’s assume the finance team sends an attachment every month to an outsourced company with all employee salary and bonus details. I would ask the finance team for a copy of this attachment with all the actual numbers and figures blanked out. I would then look for keywords in the document or document name that would not normally be used in other documents. So let’s say this particular attachment has the keyword employee salary details in it. I would then create a regex in a content filter to match this particular keyword and encrypt all messages containing it. Your mileage and environment may vary, but it is usually a good idea to do something like this.
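The following policy evaluator is an added example written for this page (not the post’s or Cisco’s code; the ESA’s own filter syntax and actions are not reproduced). It combines three rules from the lists above: the dangerous-extension blocklist versus safe-extension allowlist from the incoming filters, the confidential subject / sensitivity header trigger from the outgoing filters, and the keyword regex for sensitive documents described in the item just above. Extension lists, patterns and messages are all constructed.

```python
"""Toy evaluation of the attachment, confidentiality and keyword content filters
described on this page. Added example; the ESA's real filter syntax is not used."""
import re
from email.message import EmailMessage

# Constructed policy data (illustrative, not a recommended production list).
DANGEROUS_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "rtf"}
SAFE_EXTENSIONS = {"pdf", "docx", "xlsx", "txt", "png", "jpg"}
SENSITIVE_PATTERNS = [re.compile(r"employee\s+salary\s+details", re.I)]


def build_message(subject, body, attachments=(), sensitivity=None):
    """Construct a sample message; str attachments become text/plain, bytes binary."""
    msg = EmailMessage()
    msg["From"] = "finance@example.org"
    msg["To"] = "payroll@partner.example"
    msg["Subject"] = subject
    if sensitivity:
        msg["Sensitivity"] = sensitivity   # header Outlook sets for 'confidential'
    msg.set_content(body)
    for name, data in attachments:
        if isinstance(data, bytes):
            msg.add_attachment(data, maintype="application",
                               subtype="octet-stream", filename=name)
        else:
            msg.add_attachment(data, filename=name)
    return msg


def attachment_extensions(msg):
    """Every extension segment of each attachment name, so 'invoice.pdf.exe'
    yields {'pdf', 'exe'}; a name with no extension at all is recorded as ''."""
    found = set()
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        segments = [s for s in name.split(".")[1:] if s]
        found.update(segments or [""])
    return found


def attachment_verdict(msg, mode="blocklist"):
    """'blocklist' quarantines listed types; 'allowlist' quarantines anything else
    (including extensionless names). Quarantine rather than bounce: bouncing to a
    forged sender only produces backscatter."""
    exts = attachment_extensions(msg)
    if mode == "blocklist":
        return "quarantine" if exts & DANGEROUS_EXTENSIONS else "pass"
    if mode == "allowlist":
        return "quarantine" if exts - SAFE_EXTENSIONS else "pass"
    raise ValueError("mode must be 'blocklist' or 'allowlist'")


def needs_encryption(msg):
    """Encrypt when the subject mentions confidential, the Outlook sensitivity
    header is set, or a sensitive keyword appears in the body or a text attachment."""
    if "confidential" in msg.get("Subject", "").lower():
        return True
    if msg.get("Sensitivity", "").strip().lower() == "company-confidential":
        return True
    texts = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        texts.append(body.get_content())
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "text":
            texts.append(part.get_content())
    return any(p.search(t) for t in texts for p in SENSITIVE_PATTERNS)


def evaluate(msg, mode="blocklist"):
    """Attachment filter first, then the encryption rule; return the final action."""
    verdict = attachment_verdict(msg, mode)
    if verdict != "pass":
        return verdict
    return "encrypt" if needs_encryption(msg) else "deliver"


# Constructed sample messages.
CLEAN = build_message("Monthly report", "Attached as usual.", [("report.pdf", b"%PDF-1.4")])
DOUBLE_EXT = build_message("Invoice", "See attached.", [("invoice.pdf.exe", b"MZ")])
MARKED = build_message("Q2 numbers", "Numbers attached.", sensitivity="Company-Confidential")
KEYWORD = build_message("Payroll file", "Please process.",
                        [("salaries.txt", "Employee Salary Details for May\n")])
```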

Host Access Table (HAT)

  1. Unless you absolutely have to and have no other choice, never put anything in the whitelist/trusted policies, especially if it’s a large subnet of IPs or a whole domain, as this could leave you wide open to attacks. If you do need to whitelist some IPs or domains, do NOT disable spam/virus checking; otherwise, you’re just asking for trouble.
  2. Edit the default mail flow policy so that:
    • Max. Concurrent Connections From a Single IP is not more than 2. Your environment may, for whatever reason, require more than that for external users, but it has never been an issue for me. Normal, well-behaved e-mail clients should not open more than 1.
    • Directory Harvest Attack Prevention is enabled and set to something low. I have mine set to 5. This will stop automated bots from attempting to guess and store a list of valid e-mail addresses.
    • TLS under Encryption and Authentication is set to Preferred.
    • SPF/SIDF Verification is enabled.
    • DMARC Verification is enabled.
    • Envelope Sender DNS Verification is enabled. This hasn’t caused issues for me, and it shouldn’t for you, assuming sender domains and DNS are properly configured, but that can be a dangerous assumption to make.
  3. Edit your sender group settings to enable the following conditions: Connecting host PTR record does not exist in DNS; Connecting host reverse DNS lookup (PTR) does not match the forward DNS lookup (A).
  4. I haven’t done this yet, but I do think it is something I will implement soon: adding DNS lists, also known as DNS blacklists (DNSBL) or real-time blackhole lists (RBL). In your sender group settings, there is a field for DNS lists. Add well-known, popular sources such as Spamhaus and SpamCop. These blacklists, along with the Cisco SenderBase network, will make your ESA an almost unstoppable force against the evil of spam/malicious e-mail.
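To show what the two reverse-DNS sender-group conditions and a DNS list lookup actually test, here is an added example written for this page (not the post’s or Cisco’s code). DNS is a constructed in-memory table, the DNSBL zone name dnsbl.example stands in for real lists such as Spamhaus or SpamCop, and the group names are the ESA’s default sender groups:

```python
"""Sender-group checks from the HAT section: forward-confirmed reverse DNS and
DNS blocklist lookups. Added example, not the post's or Cisco's code; DNS is a
constructed in-memory table so the block runs offline."""
import ipaddress

# Constructed DNS data: PTR records, A records and a DNSBL zone.
PTR = {
    "198.51.100.10": ["mail.goodsender.example"],
    "203.0.113.66": ["mx.spoofed.example"],   # PTR name does not resolve back
    # 192.0.2.77 deliberately has no PTR record at all
}
A = {
    "mail.goodsender.example": ["198.51.100.10"],
    "mx.spoofed.example": ["203.0.113.5"],
}
DNSBL_ZONES = ["dnsbl.example"]               # stand-in for Spamhaus/SpamCop zones
DNSBL = {"66.113.0.203.dnsbl.example": "127.0.0.2"}   # a listing answers in 127/8


def dnsbl_query_name(ip, zone):
    """DNSBLs are queried by reversing the octets and appending the zone name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def fcrdns(ip, ptr=PTR, a=A):
    """Return 'no_ptr', 'ptr_mismatch' or 'ok', matching the two sender-group
    conditions: PTR missing, or PTR name not resolving forward to the IP."""
    names = ptr.get(ip, [])
    if not names:
        return "no_ptr"
    for name in names:
        if ip in a.get(name, []):
            return "ok"          # at least one PTR name confirms the connecting IP
    return "ptr_mismatch"


def dnsbl_hits(ip, zones=DNSBL_ZONES, dnsbl=DNSBL):
    """Zones that list the IP. Only answers inside 127.0.0.0/8 count; anything
    else is treated as 'not listed' so a broken zone cannot blacklist everyone."""
    listed = ipaddress.ip_network("127.0.0.0/8")
    hits = []
    for zone in zones:
        answer = dnsbl.get(dnsbl_query_name(ip, zone))
        if answer and ipaddress.ip_address(answer) in listed:
            hits.append(zone)
    return hits


def sender_group(ip):
    """Pick the default ESA sender group a HAT with these conditions would use."""
    if dnsbl_hits(ip):
        return "BLACKLIST"
    if fcrdns(ip) != "ok":
        return "SUSPECTLIST"     # throttled policy; mail is still scanned
    return "UNKNOWNLIST"         # default policy for everything else
```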

Destination Controls

  1. Change TLS Support to Preferred.

I hope this has been useful to you! If I have missed anything obvious from the list above, or if you have any comments, please share them below. I plan on creating a part 2 to cover some things I have missed, such as DLP, bounce profiles, LDAP queries, and more, so stay tuned!

Edit December 2014: Part two has been released!


Nice one. More ironport ftw!

And where is the promised continuation?

It’s coming soon, promise!


In our environment we operate a blacklist approach so never came across this issue but interesting nonetheless.
I would have thought the IronPort would drop the message or remove the attachment at the very least.
Might do some testing with this to confirm the behaviour in the latest version of AsyncOS.

Are there any repercussions for changing TLS from Off to Preferred?

Hello Khaim,
As far as my knowledge and experience on the matter goes, there is no disadvantage to turning TLS on in preferred mode. The only thing you may notice is the additional CPU overhead (to create the encrypted connection), but I would only expect this to be noticeable if your IronPort goes through a high rate of mail per second – you can always check the system status graphs before and after the changes to see if you notice anything abnormal.

This post goes through the changes in more detail regarding TLS on the IronPort so I would recommend you read the post @ https://supportforums.cisco.com/discussion/12191921/configuring-tls-ironport-esa
