C I S C O E M A I L S E C U R I T Y A P P L I A N C E

Similar documents
Using Security to Protect Against Phishing, Spam, and Targeted Attacks: Combining Features for Higher Education

Barracuda Spam Firewall

Configuring Trend Micro Content Security

Webmail Friends & Exceptions Guide

BrightVisions Spam Filter User Guide

IBM Express Managed Security Services for Security. Anti-Spam Administrator s Guide. Version 5.32

WatchGuard QMS End User Guide

the barricademx end user interface documentation for barricademx users

SESA Securing with Cisco Security Appliance Parts 1 and 2

IT Services page 1 of 10 Spam Filtering. Overview

Filtering Admin Guide. Guide to Administrative Functions of Spam and Virus Filtering Service

Apps4Rent Hosted Exchange Spam Management Interface Guide.

- Spam Spam Firewall How Does the Spam Firewall Work? Getting Started username Create New Password

Using the Barracuda Spam Blocker

Navigating Through SpamTitan

M+ Guardian Firewall. 1. Introduction

Spam Manager User Guide. Boundary Defense for Anti-Spam End User Guide

Icebox - Sendio SPAM Filter

K12 Spam Management Blocked s from parents

Cisco Cloud Security Interoperability with Microsoft Office 365

Trustwave SEG Cloud Customer Guide

About this documentation

How to make sure you receive all s from the University of Edinburgh

How to Use Red Condor Spam Filtering

The Institute of Education Spam filter service allows you to take control of your spam filtering.

Migration Manual (For Outlook Express 6)

Using McAfee Quarantine Manager

Migration Project Plan for Cisco Cloud Security

ESET NOD32 Antivirus 4 for Linux Desktop. Quick Start Guide

Barracuda Security Service User Guide

How To Integrate Hosted Security With Office 365 And Microsoft Mail Flow Security With Microsoft Security (Hes)

Icebox - Sendio SPAM Filter

MySpam filtering service Protection against spam, viruses and phishing attacks

GFI Product Manual. Administration and Configuration Manual

- Spam Filtering

Using Barracuda Spam Firewall

Roaring Penguin User Guide

Using the Barracuda Spam Firewall to Filter Your s

CanIt-PRO End-User s Guide Roaring Penguin Software Inc. 9 September 2005

Overview. Accessing the User Interface. Logging In. Resetting your Password

Cloud Services. Anti-Spam. Admin Guide

PureMessage for Microsoft Exchange Help. Product version: 4.0

Quarantine Central for end users: FAQs

SonicWALL Security Quick Start Guide. Version 4.6

eprism Security Appliance 6.0 Intercept Anti-Spam Quick Start Guide

Migration Manual (For Outlook 2010)

Comprehensive Anti-Spam Service

MX LOGIC SPAM FILTERING

KUMC Spam Firewall: Barracuda Instructions

Forefront Online Protection for Exchange (FOPE) User documentation

How To Use The Mail Control Console On A Pc Or Macbook (For A Macbook)

K7 Mail Security FOR MICROSOFT EXCHANGE SERVERS. v.109

Best Practice Settings

Security Intelligence Blacklisting

Policy Based Encryption Gateway. Administration Guide

To help you spot potential junk mail, spam and phishing s you can read through the guide located on the IT Services website.

Using the Barracuda to Filter Your s

Cisco EXAM Implementing Cisco Threat Control Solutions (SITCS) Buy Full Product.

Administration Guide Revision A. SaaS Protection

EnterGroup offers multiple spam fighting technologies so that you can pick and choose one or more that are right for you.

PureMessage for Microsoft Exchange 2013 startup guide. Product version: 4.0

Government of Canada Managed Security Service (GCMSS) Annex A-5: Statement of Work - Antispam

Cloud Services. Cloud Control Panel. Admin Guide

FastNetSecurity SpamGuard Spam Filter How-To

Administration User Guide


ITS Spam Filtering Service Quick Guide 2: Using the Quarantine

LOGGING IN. Please take a moment to add this page to the favorites in your preferred Web Browser. (

Using the University s Spam and Virus Filtering Service

Blue Coat Security First Steps Solution for Deploying an Explicit Proxy

Deploying Layered Security. What is Layered Security?

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

MailFoundry Users Manual. MailFoundry User Manual Revision: MF Copyright 2005, Solinus Inc. All Rights Reserved

Barracuda Spam Firewall

Green House Data Spam Firewall Administrator Guide

eprism Security Appliance 6.0 Release Notes What's New in 6.0

HOSTED EXCHANGE ADVANCED SECURITY. Hosted Exchange Advanced Security Feb 2013

Microsoft Security Essentials Installation and Configuration Guide

D3 TECHNOLOGIES SPAM FILTER

PORTLANDDIOCESE.ORG - How to Connect Table of Contents

Security Deployment Guide

Quick Start Policy Patrol Mail Security 10

Barracuda Spam Control System

Admin Guide Boundary Defense for Anti-Virus & Anti-Spam

Mailwall Remote Features Tour Datasheet

Using Webmail. Technical Manual: User Guide. Document Updated: 1/07. The Webmail Window. Displaying and Hiding the Full Header.

Avira Managed Security AMES FAQ.

Title: Spam Filter Active / Spam Filter Active : CAB Page 1 of 5

SpamPanel Level Manual Version 1 Last update: March 21, 2014 SpamPanel

Frequently Asked Questions for New Electric Mail Administrators 1 Domain Setup/Administration

Quick Start Guide for End Users

Setting up Microsoft Outlook to reject unsolicited (UCE or Spam )

Managing Spam in & More Introduction Spam Detector Block Sender Filters

Barracuda Spam Firewall User 's Guide 6.x

BARRACUDA SPAM FIREWALL FAQ

Anti-Spam Configuration in Outlook 2003 INDEX. Webmail settings Page 2. Client settings Page 6. Creation date Version 1.2

Transcription:

C I S C O E M A I L S E C U R I T Y A P P L I A N C E U R L F I L T E R I N G September 2015 Version 1.3 Tobias Mayer Consulting Systems Engineer The most current version of this document can be found here: https://cisco.com/go/emailsecurity-customer

Contents CISCO EMAIL SECURITY APPLIANCE 1 URL FILTERING 1 PURPOSE OF THIS DOCUMENT 3 OVERVIEW OF STEPS 3 STEP 1: ACTIVATING URL FILTERING 3 STEP 2: USING URL FILTERING AND MODIFICATION IN OUTBREAK FILTER 4 STEP 3: USING URL FILTERING AND MODIFICATION IN MESSAGE & CONTENT FILTERS 6 STEP 4: WHITELISTING URLS 10 STEP 5: RECOMMENDED FILTERS 12 STEP 6: REPORTING 15 2

P U R P O S E OF T H I S D O C U M E N T The Integration of URL Filtering on the Email Security Appliance (ESA) is expanding the capabilities of email security beyond traditional Anti Spam technology. This Document will show how to activate the feature and where in the ESA it is used. O V E R V I E W OF S T E P S This document will provide the steps necessary for you to implement some Best Practices for URL Filtering on the ESA. We will first show how and where in the email pipeline the URL Filtering feature is activated and give some practical examples how to use it and how to combine it with existing filtering criteria. S T E P 1: A C T I V A T I N G URL F I L T E R I N G URL Filtering is a feature that comes with the license of Web Security Essentials and is technically included as a function in the Outbreak Filter. If you do not have a license for Web Security Essentials (with Outbreak Filter), you will not be able to use this feature! To activate you need to go to Security Services -> URL Filtering first. If you have successfully activated the feature, it will show Connected in the connection status. This means that the appliance could connect to the Talos Cloud and get the latest Updates on URL categories and URL reputation. By default, the URL Filtering goes across all URL, but you have the possibility to whitelist certain URL. This can be useful for internal domains and URL, that will of course not have a reputation score or a URL Category. 3

S T E P 2: U S I N G URL F I L T E R I N G A N D M O D I F I C A T I ON IN O U T B R E A K F I L T E R The first place to use URL Filtering will be the Outbreak Filter. Go to your mail policies and click on the Outbreak Filter Tab in the policies: Click on the the Enable Message Modification button. Outbreak Filter will now scan URL within Emails. Outbreak Filter will only scan emails that are considered a Threat. The Threat level is set to 3 and above by default, see screenshot The two sections on Include Headers is recommended to be activated. This allows later to track certain messages and determine how Outbreak Filter was treating them. The next important setting is the URL rewriting. Outbreak Filter has the option to rewrite a URL. This means, that the URL is no longer pointing directly to the destination but will now be redirected over the Cisco Cloud Web Security Proxy. A rewritten URL is looking like this in the email client: It is recommended to rewrite only URLs that are not signed. If a URL is digitally signed, the rewriting would make the signature no longer valid. 4

What happens if the user clicks on the URL? If the user clicks on the URL he will be redirected to the Cloud Web Security Proxy: The URL is sandboxed and scanned for any malicious content. If the URL is malicious, the request is blocked: 5

S T E P 3: U S I N G URL F I L T E R I N G A N D M O D I F I C A T I O N IN M E S S A G E & C O N T E N T F I L T E R S URL Filtering can also be used in the various filters on the ESA. A simple and effective way to use them is shown in this example: If a URL has a Web Reputation lower than -6, quarantine the email and log a message Create a incoming content filter and define the condition : Next step, define the action. You have a full range of actions. You can drop the message, put it in quarantine or take action on the link directly. In this example we want to log a message and also put the email in quarantine. Our action in the filter looks like this: Now the filter is ready for use and can be applied to a mail policy. 6

The same result can be achieved through a message filter, the syntax would look like this: Enforce_Web_Reputation: If url-reputation(-10,-6) { log-entry('malicious URL'); quarantine ("Policy"); } From the CLI, go to filters and choose NEW. Then, copy or type in the filter above and end the input with a single. Note: In the URL Reputation Condition there is a Section called Suspect URL. Due to a recent change in our Talos Backend Cloud, the Suspect Range is no longer from -5.9 to 5.9 as shown here. Instead, use a custom range from -5.9 to -3.1 to mark suspect URLs 7

The filters can also work based on URL Categories. For example, you can block emails with unwanted Categories. In this example we select a few Categories in our Content Filter and make the URL no longer clickable. Define a Condition : And then define an Action : 8

In this Example we define an Action of Defang. Defang means, the HTML part of the URL is destroyed but still visible. It will look like this in the message: The User can see the URL but can no longer click on them. 9

S T E P 4: W H I T E L I S T I N G U R L S There are two ways of whitelisting URLs that you do not want to be scanned. You can whitelist them globally or use dedicated whitelist per content filter. The place to globally whitelist URLs is in Security Services -> URL Filtering. Go to Mail Policies -> URL Lists and create first a URL List. Enter the desired URLs to be whitelisted. The following formats are allowed: Hostnames such as "example.com", "10.1.1.1" or "2001:db8:85a3:8d3:1319:8a2e:370:7348" Hostnames with wildcard '*' such as "example.com/*" or "example.com/path/*" "10.1.1.1/*" or "10.1.1.1/path/*" "2001:db8:85a3:8d3:1319:8a2e:370:7348/*" or "2001:db8:85a3:8d3:1319:8a2e:370:7348/path/*" Partial hostnames with wildcard '*', such as "*.example.com" "*.example.com/*" "*.example.com/path/*" 10

Apply the global URL list in the URL SECURITY SERVICE, in this example we called the URL list internalurls The second place to whitelist is within the Condition Component in the Content Filter Rule. Lets take an example and look into the condition of such a rule: This is a condition filtering on malicious url. If you want to make sure that some URLs are never filtered you can apply a URL whitelist within this condition by selecting it in the drop down menu. This function applies to the conditions URL Category and URL Reputation. 11

S T E P 5 : R E C O M M E N D E D F I L T E R S There are some filters that are recommended to use, here are some interesting definitions: Quarantine Emails with Bad URLs - If url reputation is malicious, Quarantine the email and log a message in the mail_logs It is a good best Practice that you create a separate quarantine for different messag types. To do so, go to Monitoring -> Policy, Virus and Outbreak Quarantines and add a new Quarantine. Here, we call it Bad URL Quarantine : In our Rule, we reference the newly created Quarantine. 12

Note: If you are very cautious to now block any mail, you can send a copy of the email to the quarantine while delivering the original email to the sender. This is done by selecting the Duplicate message button in the quarantine action: Quarantine Emails with unwanted Categories - If url category is XYZ, put message in Quarantine and log a message in the mail_logs Modify Subject Header and Log, if message has No Web Reputation Score, no URL Category and Sender has no Email Reputation Score, modify the Subject and defang the URL. 13

14

S T E P 6 : R E P O R T I N G After the URL Filtering is enabled and filters are defined, there are several reports that you can access. First place is the dedicated report in the URL filters under Monitoring -> URL Filter Here you can see which categories of URLs are inside of your received messages: Further statistics tell you about the amount of malicious URLs: In the far left column, you have a link that leads to the Message Tracking of the messages that are listed here. Another statistic tells you about the Top URLs that were contained in detected Spam messages: 15

Beside the dedicate URL filtering report, you have of course also reports on message and content filters: Note: A good best practice to start with, is to define the filters and put as an Action only the Log Entry. Messages will not be blocked but still you will get the reports. This can be useful to determine what categories you have in the emails, what reputation they have, if they contain malicious URLs, etc. And at the same time, do not impact your traffic flow. 16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information