Be up against the UTM Dedicated Content Security solutions from Cisco

Be up against the UTM: Dedicated Content Security solutions from Cisco
Istvan Segyik, Systems Engineer, CCIE Security #47531, Cisco Global Virtual Engineering (GVE)

Topics
- E-mail threats
- A few things to do for safer e-mail with no $$ investment
- Cisco E-mail Security Appliance (ESA)
- Web threats
- Cisco Web Security Appliance (WSA)

E-mail security

E-mail Threats
- SPAM: unsolicited e-mail, usually advertising. Causes employee productivity issues; may cause denial-of-service issues in the e-mail infrastructure; can be used to spread malware.
- SCAM: unsolicited e-mail with a forged sender address. Usually used for advertising; many times spreads malware; many times used for a phishing attack (phishing SCAM). The victim is not only the recipient but also the legal owner of the sender address (domain).
- Malware in e-mail (doesn't have to be SPAM or SCAM).
- Confidential data leakage.
- Targeted attack (DoS, privilege escalation, data theft).

Phishing SCAM
Starts with a forged e-mail:
- The sender identity has been forged;
- The content resembles a company's brand (typically banks or governmental organizations).
Forging senders:
- Simply changing sender addresses and using open SMTP relay servers that don't check source addresses;
- Compromising the e-mail servers of the real owner of the sending domain.
The goal of the attack is to get the addressee to visit a portal (e.g. a forged banking portal) and hand over login credentials or credit card data. The legal owner of the sender address usually suffers a serious loss of reputation and so becomes a secondary victim.

SCAM example: the e-mail

SCAM example: the alleged sender
Memfus Wong Surveyors Limited (mwsl.com.hk), a property agency in Hong Kong

SCAM Example: the apparent issue

SCAM Example: the real bad thing

SCAM example: who are the victims?
In this example:
- The person who lost their credit card details;
- The property agency in Hong Kong whose e-mail system was compromised;
- The clothing company whose web site was compromised.
Worldwide:
- Manufacturing: 8%
- Other industry: 8%
- Design and development agencies: 8%
- Utility (e.g. energy): 19%
- Financial industry: 27%

What can we do?
- Educate users.
- Apply the industry's best practices to secure our e-mail infrastructure: SPF, DKIM, DMARC; upgrading and patching systems; IPS/IDS systems.
- Use advanced e-mail security solutions such as the Cisco E-mail Security Appliance (ESA).

SPF, DKIM, DMARC

DKIM, SPF, DMARC in general
With these techniques configured on both sender and receiver sides, sender forging can be prevented: the recipient server can verify the sending server's identity and authority.
[Diagram: Trusted_Partner.com signs its outgoing mail; the recipient server verifies it against Trusted_Partner.com's DNS record and accepts it as verified; mail from an imposter claiming to be Trusted_Partner.com is dropped or quarantined.]

Sender Policy Framework (SPF), RFC 7208
- The sender makes it possible for the recipient to verify whether a certain SMTP server is authorized to send e-mail for a domain or not.
- The recipient server can verify the HELO and MAIL FROM addresses.
- The sender can instruct the recipient how to interpret a violation and how to react to it.
Example (cisco.com):
"v=spf1 ip4:173.37.147.224/27 ip4:173.37.142.64/26 ip4:173.38.212.128/27 ip4:173.38.203.0/24 ip4:64.100.0.0/14 ip4:72.163.7.160/27 ip4:72.163.197.0/24 ip4:144.254.0.0/16 ip4:66.187.208.0/20 ip4:173.37.86.0/24 ip4:64.104.206.0/24 ip4:64.104.15.96/27 ip4:64.102.19.192/26 ip4:144.254.15.96/27 ip4:173.36.137.128/26 ip4:173.36.130.0/24 mx:res.cisco.com mx:sco.cisco.com ~all"

Question: what does it mean?
sub-domain.domain.com. IN TXT "v=spf1 -all"

SPF shortcomings
- Doesn't protect against intra-domain forgery.
- Doesn't inspect the inner header.
- Doesn't check the integrity of the e-mail.
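To make the record syntax concrete, here is an added example (not code from the deck or from Cisco): a minimal SPF evaluator for the mechanisms the two records above use, ip4:, mx: and all, with the +, -, ~ and ? qualifiers. DNS is replaced by a constructed record table and MX table so it runs offline; the domain names and addresses are assumed.

```javascript
// Constructed sample records: a trimmed version of the cisco.com-style record
// and the "this host sends no mail" record from the quiz slide.
const SPF_RECORDS = {
  "example.com": "v=spf1 ip4:173.37.147.224/27 ip4:64.100.0.0/14 mx:res.example.com ~all",
  "sub-domain.example.com": "v=spf1 -all",
};
// Constructed stand-in for resolving mx: hosts to their addresses.
const MX_HOSTS = { "res.example.com": ["198.51.100.25"] };

const QUALIFIERS = { "+": "pass", "-": "fail", "~": "softfail", "?": "neutral" };

function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside cidr ("a.b.c.d/n" or a bare address meaning /32).
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Evaluate the connecting IP against the SPF record of the HELO / MAIL FROM
// domain. Terms are tried left to right; the first match decides the result.
function checkSpf(domain, ip) {
  const record = SPF_RECORDS[domain];
  if (!record || !record.toLowerCase().startsWith("v=spf1")) return "none";
  for (const term of record.split(/\s+/).slice(1)) {
    let qualifier = "+";
    let mechanism = term;
    if ("+-~?".includes(term[0])) {
      qualifier = term[0];
      mechanism = term.slice(1);
    }
    const [name, arg] = mechanism.split(":");
    let matched = false;
    if (name === "all") matched = true;
    else if (name === "ip4") matched = inCidr(ip, arg);
    else if (name === "mx") matched = (MX_HOSTS[arg] || []).some(a => inCidr(ip, a));
    else continue; // a:, include:, exists: etc. are not implemented here
    if (matched) return QUALIFIERS[qualifier];
  }
  return "neutral"; // nothing matched and no "all" term: the RFC 7208 default
}
```

The "v=spf1 -all" record yields "fail" for every sending host, which is what a domain that never sends mail wants published.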

DomainKeys Identified Mail (DKIM), RFC 5585, RFC 6376, RFC 5863, RFC 5617 (ADSP)
- The sending SMTP host creates a SHA-1 or SHA-256 hash of the message and signs the hash with a private key.
- The public key is stored in a DNS record.
DNS record example:
c3po._domainkey.altn.com text = "v=DKIM1; k=rsa; p=migfma0gcsqgsib3dqebaquaa4gnadcbiqkbgqcjvrk3kpx17dwax uya/66/qgzu/r/7325hxqhg8poaqmn3jzpagh9gdaocdzxbtnbqkknojmkkczr41xb4h3u5reinbbq8g rfynp3n6s2kz2lwwwpssavdgtotcuxqt+pwesda7c0z5v2axgg76ygyh8b504gv+yhaxurqxnbzqwida QAB"

DKIM shortcomings
- Requires significant processing power. It can be optimized, but that reduces security: header and content simplification; use of SHA-1 instead of SHA-256.
- If an e-mail was not signed, verification is simply skipped.
- Author Domain Signing Practices (ADSP) could mitigate the problem above, but it is rarely implemented, because: it can handle DKIM only; it doesn't provide a feedback channel to the sending party.
ADSP record example: _adsp._domainkey.example.com IN TXT "dkim=unknown" (possible values: unknown, all, discardable)

Domain-based Message Authentication, Reporting & Conformance (DMARC)
The DMARC protocol:
- Unifies the instructions for SPF and DKIM verification at the recipient side;
- Lets the sender signal to the recipient what to do with SPF and DKIM errors; the sender can request one of the following actions: none, reject, quarantine;
- Provides feedback channels: a report for every single error message or aggregate error reports.
Not surprisingly, it uses a DNS record. It is more complicated than ADSP, but there are on-line tools that help you, e.g. https://dmarcian.com/dmarc-inspector/
DNS record example:
v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@bounces.amazon.com; ruf=mailto:dmarc-reports@bounces.amazon.com

DMARC visualized
[Diagram: Trusted_Partner.com publishes p=reject in DNS and signs its mail; the Cisco ESA verifies the signature, drops or quarantines mail from an imposter claiming to be Trusted_Partner.com, and sends a report back to the domain owner.]
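The receiver-side logic the two DMARC slides describe, as an added example that is not code from the deck or from Cisco: parse the DNS record, then combine it with the SPF and DKIM results already computed for the message. The "organizational domain" used for relaxed alignment is simplified here to the last two labels (a real verifier uses the Public Suffix List), and all domains and addresses are assumed.

```javascript
// Parse "v=DMARC1; p=...; pct=...; rua=...; ruf=..." into its tags.
function parseDmarc(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  if ((tags.v || "").toUpperCase() !== "DMARC1") throw new Error("not a DMARC record");
  return {
    policy: tags.p || "none",                 // p=none | quarantine | reject
    subdomainPolicy: tags.sp || tags.p || "none",
    pct: tags.pct === undefined ? 100 : Number(tags.pct),
    adkim: tags.adkim || "r",                 // r = relaxed, s = strict alignment
    aspf: tags.aspf || "r",
    rua: tags.rua,                            // aggregate report address
    ruf: tags.ruf,                            // per-message failure report address
  };
}

// Simplified organizational domain: last two labels only (assumption).
function orgDomain(d) {
  return d.toLowerCase().split(".").slice(-2).join(".");
}

// An SPF or DKIM pass only counts when its domain aligns with the header From.
function aligned(authDomain, fromDomain, mode) {
  if (!authDomain) return false;
  const a = authDomain.toLowerCase();
  const f = fromDomain.toLowerCase();
  return mode === "s" ? a === f : orgDomain(a) === orgDomain(f);
}

// recordDomain: the domain whose DMARC record is being applied.
// auth: { spf, spfDomain, dkim, dkimDomain } from the SPF and DKIM checks.
// roll: 0-99, standing in for the random draw a receiver makes for pct=.
function evaluateDmarc(recordDomain, record, fromDomain, auth, roll = 0) {
  const p = parseDmarc(record);
  const spfPass = auth.spf === "pass" && aligned(auth.spfDomain, fromDomain, p.aspf);
  const dkimPass = auth.dkim === "pass" && aligned(auth.dkimDomain, fromDomain, p.adkim);
  if (spfPass || dkimPass) return { result: "pass", action: "none" };
  let action = fromDomain.toLowerCase() === recordDomain.toLowerCase()
    ? p.policy : p.subdomainPolicy;
  // pct= applies the policy to a fraction of failing mail; the rest gets the
  // next weaker action, which lets a domain roll out reject gradually.
  if (roll >= p.pct) action = action === "reject" ? "quarantine" : "none";
  return { result: "fail", action, reportTo: p.rua };
}

// Constructed record in the shape shown on the slide.
const SAMPLE_DMARC =
  "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com";
```

An imposter whose SPF and DKIM both pass for its own domain still fails, because neither result aligns with the forged From domain; that alignment check is what DMARC adds over SPF and DKIM alone.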

Cisco E-mail Security Appliance - ESA

Cisco IronPort E-mail Security Appliance (ESA), www.cisco.com/go/esa
Virtual (on Cisco UCS hardware + VMware) and hardware appliance.
Main features:
- E-mail traffic normalization;
- SPF, DKIM and DMARC verification, DKIM signing;
- Sender reputation filtering;
- Anti-SPAM;
- Anti-malware engines (Sophos, McAfee, FireAMP);
- Integrated RSA DLP engine;
- Outbreak Filter (automatically enforced Cisco Talos rules);
- Real-time URL analysis;
- Local or off-box (Management Appliance) e-mail quarantine;
- E-mail encryption (Cisco Secure Envelope Services or S/MIME).
Can be managed over its embedded GUI or through a Content Security Management Appliance.

Simplified incoming mail verification flow (diagram; each stage and the action it can take):
1. Normalization, SPF/DKIM/DMARC and recipient identity checks: drop or quarantine
2. SenderBase reputation filtering: drop
3. Anti-Spam: drop or quarantine
4. Anti-Virus: drop or quarantine (Cisco Talos feeds these engines)
5. Advanced Malware Protection (AMP): drop or quarantine
6. Outbreak Filters: quarantine or re-write
7. Real-time URL analysis (CWS): deliver, quarantine, re-write URLs or drop

Cisco SenderBase reputation filtering
Big-big data:
- More than 1.6 million sensors;
- Covers approximately 35% of the world's e-mail traffic;
- Inspects over 13 billion web requests per day;
- More than 200 web and e-mail parameters are analysed for hosts and domains.
The result is a reputation score between -10 and +10 for SMTP servers and web sites, which is used as a condition in rules. It is inspected for incoming mail only. The reputation score in SenderBase cannot be modified manually: the owner of the domain or host must comply! Public website for SenderBase: www.senderbase.org

Anti-SPAM
- ESA has two Anti-SPAM engines. You may run both using Intelligent Multi-Scan.
- It can be applied on both outgoing and incoming e-mails.
- ESA may put suspected SPAM messages into quarantine, drop them or just mark them.
- There is an approximate 99% catch rate.
- The categories into which an e-mail may fall: not SPAM; unwanted marketing e-mail from a legitimate source; suspected SPAM; positively identified SPAM.
- The system gives an integrated feedback channel to Cisco in case of false positive or false negative classification events.

Anti-virus on ESA
- There are two traditional A/V engines on ESA: Sophos and McAfee. One or both can be run at the same time on the same message.
- Both engines can do traditional pattern matching and heuristic analysis.
- Infected messages can be disinfected or quarantined.
- Messages with attachments that cannot be inspected can be quarantined or tagged.
- Can be used on both incoming and outgoing e-mails.

FireAMP on ESA
- Called File Reputation and File Analysis engine in ESA.
- Can be used to inspect incoming messages only.
- Requires continuous access to the Sourcefire cloud.
- At the moment it uses cloud sandboxing (Threat Grid in the AMP cloud). Integrated sandboxing is on the roadmap.
- Comprehensive reporting and audit functionality.
- File tracking with alerting and reporting on false negatives (initially missed malware).

FireAMP on ESA: mail flow pipeline (diagram)
- Messages enter the AMP stage from Anti-Virus and continue to the Content Filters.
- The AMP client keeps a local cache and sends a file reputation query to the AMP cloud: the SHA-256 checksum, plus a SPERO fingerprint for WinPE files.
- The cloud returns a verdict; if the file is unknown, it is uploaded for VRT sandboxing.
- File reputation updates flow back from the cloud to the client.

Outbreak Filter
- Automated intervention point for Cisco Talos.
- Can be used on both incoming and outgoing e-mails.
- Virus, malware and phishing SCAM protection.
- Ways of intervention: may quarantine or drop harmful messages; suspected messages can be held back until an anti-virus system declares them clean; modification of the message, e.g. tagging the URL, deleting or rewriting the URL, redirecting to the Cisco Cloud Web Security (CWS) proxy.
- End users cannot write custom rules for the Outbreak Filter engine.
- The default poll time is 5 minutes.

Real-time URL analysis in ESA
- The embedded URLs in an e-mail can be analysed automatically. This may be used for both incoming and outgoing e-mails.
- The category and the web reputation score of the URL (host) can be verified.
- Beyond message drop and quarantine, the following actions can be taken: tag the URL (so it is not parsed as a valid URL); replace the URL (can even redirect to the Cisco Cloud Web Security (CWS) proxy); overwrite the URL with any text.
Note: many such phishing URLs point to new web sites with a currently neutral (0) reputation. See our previous example! So this function does not remove the need for sufficient web security measures.

Real-time URL analysis in ESA (diagram): an e-mail containing a URL is checked against Cisco Talos URL categorization, and the URL is then either rewritten (sent to the cloud proxy), tagged (e.g. BLOCKEDwww.playboy.comBLOCKED, BLOCKEDwww.proxy.orgBLOCKED) or replaced with text such as "This URL is blocked by policy".

Inspection of outgoing e-mails
- The previously mentioned bi-directional inspection functions are: normalization; anti-SPAM; legacy anti-virus; Outbreak Filter; URL analysis.
- One not yet mentioned bi-directional function: decryption with S/MIME.
- In addition to the above: RSA DLP engine; e-mail encryption using either Cisco Registered Envelope Service (CRES) or S/MIME; DKIM signing.

Cisco Registered Envelope Service (CRES)
[Diagram: sender, Cisco Email Security Appliance, encrypted message and its key, sender controls, recipient.]
- Automated key management on a local server or in the cloud.
- The e-mail content is never processed in the cloud; it is encrypted on the ESA.
- Policy-driven encryption; can be transparent at the sender side.
- Alternative solution #1: TLS-encrypted SMTP between servers. Supported on ESA.
- Alternative solution #2: S/MIME. End-to-end, or encryption done on the ESA.
FAQ: https://res.cisco.com/websafe/help?topic=faq

S/MIME on ESA (NEW in version 9.0)
- Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standards-based method for integrity checking (signing) and encryption. RFCs: 3369, 3370, 3850, 3851, 5750 and 5751.
- The ESA can (at gateway level, with common key material): sign, encrypt, or sign and encrypt messages using S/MIME; verify, decrypt, or decrypt and verify messages using S/MIME.
- May work together with CRES.
- ESA can generate self-signed certificates or use imported certificates for signing and decryption.

S/MIME on ESA (NEW in version 9.0)
- Encryption requires the ESA to have the public key of the recipient: it can be added manually, or the ESA can try to harvest it.
- Public key harvesting: ESA can automatically collect the public keys from incoming e-mails; the maximum storage size for that purpose is 512 Mbytes per appliance; the oldest keys are deleted when the storage space fills up; the HAT (Host Access Table) can be fine-tuned to allow or disallow harvesting for certain e-mail categories.
- Outgoing S/MIME signing and encryption can be controlled in policy.
- S/MIME challenges: requires a PKI; some webmail systems have difficulties handling it.

Some deployment considerations
- ESA should be connected into the DMZ.
- Logically, ESA must be in front of the groupware/e-mail server.
- Redundancy and load-balancing can be achieved via: multiple MX records in the DNS zone; a load-balancer.
- Please ask Cisco or a certified Cisco partner to size the ESA deployment!

Dedicated E-mail security vs. UTM/NGFW
Dedicated e-mail security solutions offer:
- More controls;
- Defense in depth (e.g. multiple anti-virus/malware engines);
- More processing power for features like DKIM, S/MIME, etc.;
- Better reporting on e-mail related data.
Think about ACI: it is easy to separate application traffic.

Web security

Common Web Threats
- #1: Malware.
- Visiting phishing sites.
- Productivity issues: employees spending time visiting non-productive web sites.
- Bandwidth issues: employees downloading large files (bad files, or good files of big size at a bad time).

Malware
Web malware related attack vectors: browser exploit; browser plugin exploit; downloaded file hiding malware; harmful web applications; etc.
The attack vector is increasingly sophisticated:
- The web site that hosts the harmful code is many times accessed via multiple redirections and hidden links;
- The initially run code downloads and/or creates other files; it can be the fourth, fifth, etc. level that implements the real harmful activity;
- SSL/TLS encrypted channels can be used.
Web surfing is the hardest attack surface to protect today.

Cisco IronPort Web Security Appliance (WSA), www.cisco.com/go/wsa
Virtual (Cisco UCS + VMware or KVM) or hardware appliance formats.
Features:
- HTTP(S), FTP(S) proxy, caching and TCP optimization;
- TLS decryption and re-encryption (MITM);
- Dynamic URL category and reputation filtering;
- Content filtering (file type);
- Simple in-box DLP engine, ICAP interface for external engines;
- Web Application Visibility and Control (AVC) engine;
- Anti-malware engines (Sophos, McAfee, Webroot and FireAMP);
- Botnet Activity Filtering (L4TM) inspection over the whole TCP/UDP port range;
- User authentication, quota control, user-based reporting.
Can be managed over its embedded GUI and CLI, or centrally through a Content Security Management Appliance.

WSA TLS Proxy
SSL/TLS encryption blinds the content analysis engines; URL filtering can still work. How? WSA supports Man-In-The-Middle (MITM) style SSL/TLS decryption and re-encryption. It can be transparent to the end user:
- The proxy (e.g. WSA) receives the request;
- The proxy opens a new encrypted session towards the web server;
- The proxy generates and signs a new certificate which is very similar to the original certificate of the server;
- If the proxy's certificate comes from a trusted CA, the client browser won't raise any alert.
For effective use of this function, a signing certificate issued by a CA the clients trust must be installed on the WSA.

WSA TLS Proxy: certificates
An example of a decrypted session. The banking site in the example is 100% safe and is used by the author daily.

Latest additions to WSA
FireAMP anti-malware (file reputation and analysis):
- May block file download;
- Has extensive file tracking and reporting;
- Retrospective analysis and alerting;
- Approximately 6-16% extra load.
Cisco Identity Services Engine (ISE) pxGrid API integration:
- An additional transparent user authentication method (in addition to the CDA method for AD);
- Maps the username and the Security Group Tag (SGT) to the source IP address;
- The SGT is used in the Web Access Policy as a condition;
- Can identify non-AD users and non-user endpoints;
- At the moment unidirectional, but automated remediation initiated by the WSA over ISE is on the roadmap.
Time and volume quotas.

Some WSA deployment considerations
- WSA fully inspects HTTP(S) and FTP(S) only. The rest of the traffic can be inspected by the Botnet Traffic Filter function over separate in-line or promiscuous ports only.
- The (selective) traffic redirection can be done in the following ways: explicit proxy settings in the OS or in the browser (manual or PAC file); transparent (to the end user) redirection: WCCP, Policy Based Routing (PBR), Destination NAT (breaks the SSL/TLS proxy).
- Normally WSA uses its proxy IP address as the source IP for sending traffic out to the Internet. This can be changed to preserve the original source IP address.

Some WSA deployment considerations
- The L4TM (Botnet Traffic Filter) works on separate interfaces (in-line or promiscuous).
- The load-balancing and redundancy options are: WCCP; multiple proxies configured in the PAC file; a load-balancer.
Web Cache Communication Protocol (WCCP):
- Content routing protocol developed by Cisco;
- Redirects traffic AND provides fail-open, redundancy, load-balancing and signalling;
- There are Layer 2 and Layer 3 (GRE) redirection methods;
- Redirection is supported on Cisco switches, IOS routers, ASA firewalls and 3rd party devices;
- Read more: http://en.wikipedia.org/wiki/web_cache_communication_protocol
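The "multiple proxies configured in the PAC file" option above, as an added example that is not from the deck or from Cisco: a proxy auto-config script that sends Internet traffic to two WSA proxies with fail-over and keeps intranet traffic direct. The proxy host names and the 10.0.0.0/8 internal range are assumed; the PAC helpers isPlainHostName and isInNet are supplied by the browser, and minimal stand-ins are defined at the bottom so the file can also be exercised under Node.

```javascript
// Primary WSA first; the browser moves to the next entry when one is unreachable.
var WSA_PROXIES = "PROXY wsa1.example.com:3128; PROXY wsa2.example.com:3128";

function FindProxyForURL(url, host) {
  // Unqualified intranet names such as http://wiki/ never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";
  // Internal address space: nothing for the WSA to filter there.
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  // Internet traffic: first WSA, then the second. The trailing DIRECT fails
  // open when both are down; remove it to fail closed if policy requires the proxy.
  return WSA_PROXIES + "; DIRECT";
}

// --- Stand-ins for the PAC runtime, only defined when no browser supplies them ---
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (h) {
    return h.indexOf(".") === -1;
  };
  // Unlike the browser version, this stand-in does not resolve DNS names:
  // only dotted-quad hosts can match a network.
  globalThis.isInNet = function (h, net, mask) {
    if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return false;
    var toInt = function (ip) {
      var p = ip.split(".");
      return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
    };
    return (toInt(h) & toInt(mask)) === (toInt(net) & toInt(mask));
  };
}
```

Because a PAC file is evaluated by the client, a user who can edit browser settings can bypass it; the WCCP or PBR options above are the ones that enforce redirection in the network.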

Dedicated Web proxy vs. UTM/NGFW
Pros:
- Does caching as well, ideal for low-bandwidth connections;
- The deployment requires no or minimal change in the existing firewall system;
- Has enough processing power for defense-in-depth kinds of processing (e.g. multiple anti-virus/malware engines).
Cons:
- There are no IPS functions;
- Fully inspects HTTP(S) and FTP(S) only;
- Separate device to manage.

Dedicated Web proxy customer scenario
The customer:
- Multinational pathological microscope and x-ray developer;
- Low-bandwidth Internet uplink (20 Mbps for 300 employees);
- Existing corporate-standard 3rd party firewall with IPS license;
- The existing firewall's web security features didn't satisfy the needs, but it has PBR functionality.
Requirements:
- #1: Malware filtering, even in SSL/TLS encrypted traffic;
- Authenticated user access, primarily for reporting;
- URL filtering to increase productivity and decrease the load on the Internet uplink;
- Caching would be a nice-to-have feature.
They bought the WSA on a Cisco appliance after evaluating it on VMware.

THANK YOU!