
Email Security :: Appliance, Cloud, Virtual
Manish Behal
Security Solutions Architect
mbehal@cisco.com

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1
Presented by: Manish Behal - CCIE#22198

•  ~20 years industry experience
•  15 years in networking and security
•  Many roles: 1st-line support, engineer, consultant to architect
•  Big and small networks
•  I’ve broken it too!!

At the end of the session, the participants should be able to:
•  Describe the security threats posed by a customer’s email system
•  List and describe Cisco’s email security solutions
•  Suggest a security solution that fits your customer’s needs
•  Demonstrate a PoC
•  Use best practices during an appliance install so that customer satisfaction is assured

•  Threat Landscape - Why it’s important
•  Introduction to Email Security
•  Email Form Factors - Picking the right box
•  Email Architecture - Getting it working
•  Mail Flow Pipeline & Processing
•  Inbound Features
•  Outbound Features
•  LDAP
•  Centralized Reporting & Message Tracking
•  PoC
•  What’s New in 9.x

Introduction to Email Security
Customers can be curious about Cisco’s acquisition of IronPort, LLC. IronPort was known for innovation.

What has Cisco done to carry the torch for email security?

First, let’s look at IronPort’s innovations that made it a market leader from the start.

IronPort Engineering
Dedicated to Development and Innovation

[Timeline, 2001 to 2007: IronPort AsyncOS; IronPort SenderBase; IronPort Reputation Filters; IronPort Email Security Appliances; IronPort Virus Outbreak Filters; IronPort Bounce Verification; IronPort Web Reputation; IronPort DVS Engine; Domain Keys integrated; Cisco acquires IronPort Systems, LLC (2007)]

Now let’s look at what Cisco has accomplished

Cisco Engineering
Dedicated to Continuing Development and Innovation

[Timeline, 2008 to 2014: Cloud Email Services launched; Intelligent MultiScan for Antispam; IronPort Spoof Checker; Global IPS Reputation (WBRS); FIPS and Common Criteria; Cloud Email Data Center launched in the EU; RSA Enterprise Manager integration; Unwanted Marketing Message Detection; URL classification and control; IPv6 support; deep integration of the RSA DLP engine; SAML support for encryption; Outbreak Filters; Sourcefire AMP integration (2014)]

•  Cisco continuously develops new features that solve complex mail management issues
•  9.x is a prime example: cutting-edge features are being introduced
•  Integration across Cisco business units is constantly happening: ISE (WSA), AMP, ThreatGrid, etc.

•  Traffic flow and installation connectivity will depend on the customer’s security policy needs
•  Engaging with the right people early on can ensure the solution does what it should and demonstrates its capabilities to the full
•  Poor architecture and policy configuration can result in little value add. Get it right early on by keeping it simple where possible

•  SMTP - Simple Mail Transfer Protocol
•  MTA - Message Transfer Agent
•  ESA - Email Security Appliance (a.k.a. C-Series)
•  CASE - Context Adaptive Scanning Engine
•  SMA - Security Management Appliance (a.k.a. M-Series)
•  TLS - Transport Layer Security, a.k.a. gateway-to-gateway encryption (it protects a message only on the hop between two MTAs, not end to end)
•  CES - Cisco Email Services, a.k.a. “hosted services”
•  IPAS - IronPort Anti-Spam
•  HAT - Host Access Table
•  RAT - Recipient Access Table
•  SBNP - SenderBase Network Participation
•  SBRS - SenderBase Reputation Score

Email Terms and Flow
You send an email to a customer… how does it get there?
Q. Is it instant? Yes or no?
Q. If yes, how? If no, why not?

[Diagram: you type and send the email; your groupware server processes it (LDAP); your MTA relay looks up DNS and sends it to the customer’s server, relaying externally if needed; the customer’s MTA relay sends it to their groupware server, which processes it; the customer receives it]

•  Groupware? SMTP?
•  Relay? LDAP?
•  MTA? DNS?
Where does all of this live?
[Deployment options, all running the same award-winning technology]
On-Premises: award-winning technology
Cloud: dedicated SaaS instances
Hybrid: best of both worlds
Managed: fully managed on premises
Virtual: fully virtualized on VMware ESXi
Email Security Appliance
Form Factors

Model | Hard Disks | RAID Level | CPU / RAM | NIC | Fiber Option
C680 | 6 x 300 GB | 10 | 2 x 6 (2 hexa-core) / 32 GB | 4 | Yes
C380 | 2 x 600 GB | 10 | 1 x 6 (1 hexa-core) / 16 GB | 4 | -
C170 | 2 x 250 GB | 1 (software) | 1 x 2 (1 dual-core) / 4 GB | 2 | -

•  The x70 and x60 series appliances are no longer sold, but are currently supported.
•  x90 planned for Q3/4 2015
•  Due to resource constraints, the older x60 series appliances will not be supported on AsyncOS 9.0; 8.x is the last release supported on them
•  Always check the datasheets on cisco.com for the latest information

http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/data-sheet-c78-729751.html?cachemode=refresh

Model | Physical HW Equivalent | Disk (GB) | RAM (GB) | Cores
C000V | C170 | 200 | 4 | 1
C100V | C170 | 200 | 6 | 2
C300V | C380 | 500 | 8 | 4
C600V | C680 | 500 | 8 | 8

•  The C000V is recommended for evaluation use only, as it is a single-core appliance
•  Virtual machines have many possibilities, even if the customer WANTS hardware

Why migrate?

•  Lower operational cost vs. on-premises
•  Guaranteed scalability / capacity assurance
•  Service Level Agreements
-  99.999% uptime
-  99% inbound spam catch rate
-  1 in 1 million false-positive rate
-  100% known-virus catch rate
-  99.999% CRES uptime
•  Hybrid model: best of both worlds
-  Cloud for inbound, on-premises for outbound

Email SaaS
Cisco Email Security Services: providing industry-leading email security in the cloud
[Diagram: (1) inbound hygiene in Cisco data centers removes spam and viruses; (2) clean email is passed to the customer; (3) outbound control applies DLP and encryption policies]
§  99.999% uptime
§  99+% spam catch rate
§  <1 in 1M false positives
§  100% known-virus catch rate

Key Service Attributes
§  Co-managed access
§  Capacity assurance
Hybrid SaaS
Cisco Email Security Services: combining industry-leading email security inbound in the cloud with outbound control in the customer’s network
[Diagram: (1) inbound hygiene in Cisco data centers removes spam and viruses; (2) clean email is passed to the customer; (3) outbound control on the customer’s premises applies DLP and encryption policies]
§  Scan and control content before it exits the network
§  Encryption happens before the message hits the customer’s network border

Key Service Attributes
§  Greater control for customers who need or desire it
•  Threat Landscape
•  Introduction to Email Security
•  Email Form Factors
•  Email Architecture
•  Mail Flow Pipeline & Processing
•  Inbound Features
•  Outbound Features
•  LDAP
•  Centralized Reporting & Message Tracking
•  What’s New in 9.x

Email Architecture
Email is simple. We want to be the:
§  First Hop In
§  Last Hop Out

There are many ways to install the Email Security Appliance.
Traffic flow and installation connectivity will depend on the customer’s security policy needs.

The ESA fits into almost any network topology with minimal redesign. The mail solution on the customer side does not matter: Exchange, Domino, anything!

[Diagrams: Single ISP Topology; Dual ISP Topology]
•  Work closely with the security and network domains to work out how to get this into the network so the solution demonstrates its value

Let’s take a look at how you can install this into an existing network…

[Diagram: ESA directly between the Internet (outside interface) and the mail server (inside interface), with no firewall]
§  Easy to configure
§  Security nightmare: no protection for the inside network or the outside interface
§  The ESA is hardened, but this is a DO NOT DO scenario
[Diagram: ESA with its outside interface on the Internet and its inside interface toward the mail server]
§  Easy to configure
§  No protection for the outside interface
§  The ESA is hardened; however, this is generally a DO NOT DO scenario
[Diagram: a firewall between the Internet and the ESA outside interface, and between the ESA inside interface and the mail server]
§  Both interfaces are protected by the firewall
§  Traffic can be buffered during an interface failure, or NIC pairing can be applied
§  Can filter and control traffic to/from the Internet and to/from the internal network
§  Offers protection of all resources
§  Firewall represents a possible single point of failure or bottleneck
[Diagram: ESA on a single interface behind the firewall, alongside the mail server]
§  System protected by firewall
§  Simplifies firewall configuration for passing traffic
§  Single interface represents a “possible” traffic bottleneck
§  Preferred and THE most common method of installation for customers
[Diagram: ESA between two firewalls; outside interface behind the Internet-facing firewall, inside interface behind the internal firewall in front of the mail server]
§  System is well protected
§  Traffic can be buffered during an interface failure
§  Configure redundant firewalls for maximum uptime and to reduce single points of failure
[Diagram: ESA with three interfaces: outside, inside and a dedicated management network link; mail server on the inside]
§  Meets the most stringent customer connectivity needs
§  Requires a larger appliance with 3 interfaces
§  Can be done in a multi-firewall DMZ or with a single-interface installation
§  Use the routeconfig command on the CLI to configure traffic flows for the 3rd interface
•  MX records are the easiest and most common way to do redundancy
•  Relies on the robust nature of communications on the Internet
•  If one server cannot be contacted, the sending MTA fails over to the next on the list
•  With equal preference values, as below, senders load-share across both hosts and fall over to the other one when one is unreachable; give a backup a higher preference value (for example 20) if it should only be used when the primary is down

company.com MX preference = 10, mail exchanger = west.mail.company.com
company.com MX preference = 10, mail exchanger = east.mail.company.com

[Diagram: the Internet delivering to west.mail.company.com (West Coast mail server) and east.mail.company.com (East Coast mail server)]
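The failover behaviour described above, as an added example that is not part of the original slides or of any Cisco software: it orders MX hosts the way an SMTP client is required to (ascending preference value, random order among equal values) and walks the list until one exchanger accepts the connection. The MX records are the slide's own; the outage function and the host names with preference 20 in the usage note are constructed for the example.

```python
import random
from collections import defaultdict

# Constructed MX record set matching the slide: both exchangers share
# preference 10, so senders load-share across them and fall over to the
# other one when it is unreachable.
MX_RECORDS = [
    (10, "west.mail.company.com"),
    (10, "east.mail.company.com"),
]

def order_mx(records, rng=random):
    """Order MX hosts as RFC 5321 section 5.1 tells an SMTP client to:
    ascending preference value, hosts with equal preference in random order."""
    by_pref = defaultdict(list)
    for pref, host in records:
        by_pref[pref].append(host)
    ordered = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)            # equal preference: no fixed primary
        ordered.extend(hosts)
    return ordered

def deliver(records, try_connect, rng=random):
    """Walk the MX list in order; return (host, attempts) for the first
    exchanger that accepts the connection, or (None, attempts) if all fail."""
    attempts = []
    for host in order_mx(records, rng):
        attempts.append(host)
        if try_connect(host):
            return host, attempts
    return None, attempts

# Constructed outage: the West Coast exchanger refuses connections.
def west_is_down(host):
    return host != "west.mail.company.com"

if __name__ == "__main__":
    print(deliver(MX_RECORDS, west_is_down))
```

Because both records carry preference 10, roughly half of all senders will try east first even when west is healthy; a strict primary/backup layout needs distinct preference values, which order_mx honours by sorting before shuffling.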

Resiliency and HA can be offered in multiple ways to accommodate the business needs:

•  Use larger appliances with RAID arrays and redundant PSUs
•  Use NIC teaming to help protect against network failures
•  Use multiple appliances and MX records
•  Appliances can be load balanced with VIPs on an L4-7 switch or upstream load balancer

[Diagram: Internet > L4-7 switch > appliances > mail server]
•  Manage a group of ESAs by making changes to one
•  No additional hardware or software required
•  Configuration changes on one machine are pushed to the others
•  Can cluster up to 20 machines
•  Centralized reports, message tracking and quarantining on the M-Series

[Diagram: a cluster of ESAs spanning the West Coast and East Coast mail servers]
•  Within a cluster, configuration information is divided into 3 groupings or levels.
•  The top level describes cluster settings; the middle level describes group settings; and the lowest level describes machine-specific settings.
•  Cluster-level settings are ‘enterprise wide’; it is good practice to configure company-wide parameters here
•  Settings that have been specifically configured at lower levels override settings configured at higher levels

•  Create and join a cluster from the CLI only, using the clusterconfig command; changes can be made in the GUI later
•  A machine joining a cluster inherits the cluster settings except machine-specific parameters like IP addresses
•  A cluster does not allow the connected machines to run different versions of AsyncOS
•  Log files are still local - think SMA!
•  Removing a machine from a cluster ‘flattens’ the config; it becomes an autonomous unit
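The three-level override rule and the join/flatten behaviour described in the last two slides, as an added example; this is illustrative code, not AsyncOS or clusterconfig, and the cluster layout, hostnames and addresses in it are constructed.

```python
from copy import deepcopy

def fresh_cluster():
    """Constructed three-level cluster config: cluster-wide settings, two
    site groups, and per-machine values. Hostnames and addresses are made up."""
    return {
        "cluster": {
            "dns_servers": ["10.0.0.53"],
            "ntp_server": "ntp.company.com",
            "smtp_banner": "ESA ready",
        },
        "groups": {
            "west": {"members": ["esa-west-1"], "settings": {"dns_servers": ["10.1.0.53"]}},
            "east": {"members": ["esa-east-1"], "settings": {}},
        },
        "machines": {
            # IP addresses live only at machine level; they are never inherited.
            "esa-west-1": {"ip": "10.1.0.25"},
            "esa-east-1": {"ip": "10.2.0.25", "ntp_server": "ntp-east.company.com"},
        },
    }

def group_of(machine, cluster):
    for name, group in cluster["groups"].items():
        if machine in group["members"]:
            return name
    return None

def effective_config(machine, cluster):
    """Resolve one machine's settings: cluster < group < machine, the most
    specific level winning for any key set at more than one level."""
    cfg = deepcopy(cluster["cluster"])
    group = group_of(machine, cluster)
    if group is not None:
        cfg.update(deepcopy(cluster["groups"][group]["settings"]))
    cfg.update(deepcopy(cluster["machines"][machine]))
    return cfg

def join_cluster(machine, ip, group, cluster):
    """A joining machine brings only its machine-specific values (here the IP)
    and inherits everything else from the group and cluster levels."""
    cluster["machines"][machine] = {"ip": ip}
    cluster["groups"][group]["members"].append(machine)
    return effective_config(machine, cluster)

def leave_cluster(machine, cluster):
    """Removing a machine flattens its resolved settings into a standalone
    config and drops it from the cluster's group and machine lists."""
    flat = effective_config(machine, cluster)
    group = group_of(machine, cluster)
    if group is not None:
        cluster["groups"][group]["members"].remove(machine)
    del cluster["machines"][machine]
    return flat
```

The west group overrides the cluster DNS servers for every west machine, while esa-east-1 overrides only its own NTP server; a machine that leaves keeps exactly the values it was resolving a moment earlier, which is what "flattening" means in practice.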

Mail Flow Pipeline & Processing

Inbound Security
Anti-Spam:
•  SenderBase Reputation Filtering
•  Cisco Anti-Spam (IPAS)
•  Intelligent Multi-Scan
Anti-Virus/Phish:
•  Outbreak Filters (OF)
•  McAfee Anti-Virus
•  Sophos Anti-Virus
•  AMP - Anti-Malware

Outbound Control
Compliance:
•  Content Filters
•  RSA DLP (Digital Guardian NOW)
•  Weighted Content Dictionaries
•  Envelope Encryption
•  TLS
Control & Monitoring:
•  Secure Message Delivery
•  Transport Layer Security
•  Outbound client infection monitoring and control
•  Administrative alerts
•  Outbound reporting
Processing Incoming Mail (Work Queue)

[Diagram: the AsyncOS email platform, backed by Talos and the sandbox, runs each incoming message through the following stages (filtering of external threats)]
•  Reputation Filters: bad or good senders? Senders scoring -10 to -3 are ALL dropped
•  Message Filters: rules such as drop, bounce, archive, quarantine
•  Anti-Spam (IPAS, ISQ, IMS): spam, not-spam, marketing, potential spam
•  Anti-Virus (Sophos and/or McAfee): good, BUT a signature-based AV engine
•  AMP: file reputation and sandboxing
•  Content Filters: filter on specific types of content
•  Outbreak Filters: new viruses with no signatures
[Diagram: outgoing mail through the same AsyncOS email platform (enforcing corporate compliance): Reputation Filters OFF, Message Filters, Anti-Spam OFF, Anti-Virus, Content Filters, Outbreak Filters OFF, RSA* DLP]
[Email pipeline diagram]

SMTP Server (Receive Mail / Accept Mail):
•  Host Access Table (HAT)
•  Received Header
•  Default Domain
•  Domain Map
•  Recipient Access Table (RAT)
•  Alias Tables
•  LDAP Recipient Acceptance
•  SMTP Call-Ahead
•  DKIM Verification
•  SPF/SIDF Verification

Work Queue (Process Mail):
•  LDAP Recipient Acceptance (work queue time)
•  Masquerading or LDAP Masquerading
•  LDAP Routing
•  Message Filters
•  Per-user safelist / blocklist
•  Per-policy scanning: Anti-Spam, Anti-Virus, AMP, Content Filters, Outbreak Filters
•  RSA DLP Engine (outbound)
•  Quarantine

SMTP Client (Deliver Mail):
•  Encryption
•  Virtual Gateways
•  Delivery Limits
•  Received: Header
•  Domain-based Limits
•  Domain-based Routing
•  Global Unsubscribe
•  DKIM Signing
•  Bounce Profiles
Inbound Email
[Flow, fed by Cisco® Talos intelligence]
•  SenderBase Reputation Filtering: drop
•  Antispam: drop/quarantine
•  Antivirus: drop/quarantine
•  Advanced Malware Protection (AMP): drop/quarantine
•  Graymail Detection: rewrite
•  Outbreak Filters: quarantine/rewrite
•  Real-Time URL Analysis: deliver, quarantine, rewrite URLs or drop
•  Reputation security delivers a numeric score about an object, which allows a security device to take a policy-based action.
•  Reputation is built on three things:
1.  Our own assessment (e.g., using SensorBase data)
2.  Assessment by trusted 3rd parties
3.  Sophisticated models that produce a score in real time

[Diagram: SensorBase answers “what is the reputation of IP address 23.24.19.29?” with a score of -3, on a scale from -10 (Black List) through Suspect and Unknown to +10]
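How a score becomes a policy action on the ESA: the Host Access Table lists sender groups in order, each with IP/CIDR entries or SBRS ranges, and the first group that matches the connecting host selects the mail flow policy. The code below is an added example, not Cisco's implementation. The group names, policies and score boundaries are the AsyncOS default public-listener HAT as I recall it and should be verified against the appliance; the RELAYLIST address is constructed.

```python
import ipaddress

# Sender groups in HAT order; the first group with a matching entry wins.
# Entries are literal IPs/CIDR blocks, ("sbrs", low, high) score ranges
# (inclusive), or "ALL". Names, policies and boundaries are the AsyncOS
# defaults as I recall them (assumption: verify under Mail Policies > HAT
# Overview); the RELAYLIST address is constructed for this example.
SENDER_GROUPS = [
    ("RELAYLIST",   "RELAYED",   ["172.20.0.10"]),           # internal groupware server
    ("WHITELIST",   "TRUSTED",   [("sbrs", 6.0, 10.0)]),
    ("BLACKLIST",   "BLOCKED",   [("sbrs", -10.0, -3.0)]),   # the "-10 to -3: all dropped" band
    ("SUSPECTLIST", "THROTTLED", [("sbrs", -3.0, -1.0)]),    # rate limited, then spam filtered
    ("UNKNOWNLIST", "ACCEPTED",  [("sbrs", -1.0, 10.0)]),    # accepted, then spam filtered
    ("ALL",         "ACCEPTED",  ["ALL"]),                    # catch-all, including unscored senders
]

def _entry_matches(entry, ip, sbrs):
    if entry == "ALL":
        return True
    if isinstance(entry, tuple):
        _, low, high = entry
        return sbrs is not None and low <= sbrs <= high
    return ip in ipaddress.ip_network(entry, strict=False)

def classify_sender(ip_str, sbrs, groups=SENDER_GROUPS):
    """Return (sender group, mail flow policy) for a connecting IP and its
    SenderBase Reputation Score (None when SenderBase has no score for it)."""
    ip = ipaddress.ip_address(ip_str)
    for name, policy, entries in groups:
        if any(_entry_matches(e, ip, sbrs) for e in entries):
            return name, policy
    raise LookupError("no sender group matched; a HAT should end with ALL")

def hat_report(connections, groups=SENDER_GROUPS):
    """Summarise a batch of (ip, sbrs) connections by mail flow policy."""
    summary = {}
    for ip_str, sbrs in connections:
        _, policy = classify_sender(ip_str, sbrs, groups)
        summary[policy] = summary.get(policy, 0) + 1
    return summary
```

Two details worth checking on a real HAT: the -3.0 boundary belongs to whichever of BLACKLIST and SUSPECTLIST is listed first, and an explicit address entry placed above the score-based groups (the internal relay here) wins even if SenderBase scores it badly, which is exactly why RELAYLIST must only contain hosts you control.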

Talos Threat Intelligence
[Diagram: Talos = threat research, intelligence and response. Inputs: email, web, networks, IPS devices, endpoints. Outputs: advanced industry disclosures, outreach activities, open-source communities, threat-centric detection content (SEU/SRU, VDB, Sandbox, AEGIS™ & SPARK), security intelligence (email & web reputation), dynamic analysis]
•  100 TB of intelligence per day
•  3.6 PB monthly dynamic analysis
•  1.6M sensors through CWS
•  150 million+ endpoints
•  35% of email worldwide
•  FireAMP™, 3+ million
•  13B web requests
•  180,000+ files per day
•  1B SBRS queries
Cisco Security Intelligence Operations
Three Defense Pillars
•  SensorBase: comprehensive threat intelligence
•  Threat Operations Center: threat researchers and automated analysis
•  Dynamic Updates: real-time updates and best practices
Leading the Competition © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 50
SensorBase
Depth and Breadth of Coverage:
§  Over 1.6M global devices
§  Historical library of 40,000 threats
§  35% of global email traffic seen per day
§  13B+ worldwide web requests seen per day
§  200+ parameters tracked
§  Multi-vector visibility
Threat Intelligence Benefits:
§  360-degree dynamic threat visibility
§  Understanding of vulnerabilities and exploit technologies
§  Visibility into highest threat vehicles
§  Latest attack trends and techniques

Over 1,000 servers process over 500GB of threat data per day
Dynamic Updates
Automated Defense Updates (Cisco Security Intelligence Operations):
§  Automated updates delivered to Cisco security devices every 3–5 minutes
§  8M+ rules per day
§  Reputation updates for real-time protection
Benefits:
§  Reduces exposure window
§  Minimizes security management overhead
[Screenshot: the SenderBase web portal] See the latest threat outbreaks and where they are in the world. Enter your customer’s IP address to look up their reputation in SenderBase.

Excellent way to show off the power of the solution and how it can help your customers
Processing Incoming Mail (Work Queue): Anti-Spam
[Before / During / After: scope, enforce, harden; detect, block, defend; contain, remediate]

Intelligent Multiscan (IMS): the Cisco Anti-Spam engine plus a third-party anti-spam engine (engine B), with more engines to come in future.

Spam scoring looks at What, Who, Where and How (and, in future, When); SBRS supplies the Who.

Cisco Anti-Spam, powered by Cisco® SIO
Mail Policies:
§  Normal mail is spam filtered
§  Suspicious emails are rate limited and spam filtered
§  Whitelist is spam filtered
§  Known bad email is blocked before entering the network
§  URL reputation and context used in scoring
§  > 99% catch rate
§  < 1 in 1 million false positives
HOW? The message leaves a trace of the spamware tool.
WHO? The IP address recently started sending email; the message originated from a dial-up IP address; the sending IP address is located in regions known for attacks.
WHAT? All text is inside an image; random dots appear within the message; a nearly identical color scheme appears in 100,000s of spamtrap messages.
WHERE? WWW.FASTMONEY.COM

Verdict (CASE score)
Positive Spam: 90 and above (the default positive threshold)
Suspect Spam: 50 to 89 (the default suspect threshold is 50)
Clean Message: 49 or below
Defense-In-Depth Anti Spam
[Diagram: Intelligent Multi-Scan. Incoming good, bad and unknown email is scanned by a third-party anti-spam engine (engine B, with further engines in future) and then by the IronPort Anti-Spam engine; the results are combined and the message is delivered or dropped]
[Screenshot: (1) configure Anti-Spam settings here; (2) spam quarantine settings]
Default: Admin can view the Quarantine; you must enable Quarantine Notification to allow users to view it.
[Screenshots of two legitimate bulk mailings: a Websense “WebsenseConnect” newsletter (Editor’s Corner, Business Focus, Application Focus, Success Story, Latest News, Quick Links) and a Buy.com privacy-policy notice stating that all information collected will be shared with Buy.com and its affiliate companies]

§  Not Spam, because of tacit opt-in and working opt-out
§  Full overview reporting: Monitor > Incoming Mail
§  Config in IPAS settings: Mail Policies > Incoming Mail Policies > Anti-Spam
Graymail Detection
Categories: Marketing, Social Media, Bulk
[Flow of the safe-unsubscribe feature]
•  Graymail detection rewrites the unsubscribe link in the banner
•  The end user clicks on the rewritten unsubscription link in the banner
•  Click-time check of the rewritten link
•  If found safe, redirect to Palladium
•  The Palladium service executes the unsubscription on behalf of the end user
[Diagram: Cisco® Talos URL reputation and categorization; an email containing a URL gets one of three actions]
•  Rewrite: send to cloud (click-time scanning)
•  Defang/Block: e.g. BLOCKEDwww.playboy.comBLOCKED, BLOCKEDwww.proxy.orgBLOCKED
•  Replace: “This URL is blocked by policy”
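The three URL actions above, applied to a message body, as an added example that is not Cisco's code: URLs are extracted, each is looked up in a verdict table that stands in for the Talos reputation and category service, and the URL is rewritten to a click-time proxy, defanged in the BLOCKED…BLOCKED style the slide shows, or replaced with the policy text. The verdict table, scores, thresholds and the proxy host secure-web.example.invalid are all constructed for the example.

```python
import re
from urllib.parse import quote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed stand-in for the Talos URL reputation/category lookup: real
# verdicts come from the cloud service. Hosts, categories and scores are
# assumptions made for this example.
URL_VERDICTS = {
    "www.playboy.com":    ("adult", -2.0),
    "www.proxy.org":      ("proxy-avoidance", -4.0),
    "www.threatlink.com": ("malware", -9.5),
    "www.cisco.com":      ("business", 8.0),
}

# Hypothetical click-time scanning front end; the real rewrite target is
# Cisco's cloud web security proxy.
PROXY = "https://secure-web.example.invalid/?url="

def host_of(url):
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()

def verdict(url):
    return URL_VERDICTS.get(host_of(url), ("unknown", 0.0))

def url_action(url, blocked_categories=("adult", "proxy-avoidance"), malicious_at_or_below=-6.0):
    """Map one URL to the slide's three actions: replace (known malicious),
    defang (category blocked by policy), rewrite (everything else goes to the cloud)."""
    category, score = verdict(url)
    if score <= malicious_at_or_below:
        return "replace"
    if category in blocked_categories:
        return "defang"
    return "rewrite"

def rewrite_body(body):
    """Apply the per-URL action to every URL in a plain-text message body."""
    def substitute(match):
        url = match.group(0)
        action = url_action(url)
        if action == "replace":
            return "This URL is blocked by policy"
        if action == "defang":
            bare = re.sub(r"^https?://", "", url, flags=re.I)
            return "BLOCKED" + bare + "BLOCKED"          # no longer clickable
        return PROXY + quote(url, safe="")              # click-time check
    return URL_RE.sub(substitute, body)
```

Unknown hosts are rewritten rather than passed through, which is the point of click-time analysis: a URL that is clean at delivery time can be reclassified before the user follows it. The regex is deliberately simple and handles plain-text bodies only; HTML bodies need the href attribute rewritten as well.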

Processing Incoming Mail (Work Queue): Anti-Virus
Antispam Engines: Cisco Anti-Spam
Antivirus Engines: choice of
§  Sophos
§  McAfee
§  Or both Sophos and McAfee
Mail Policies > Incoming Mail Policies > AV link in Mail Policy
[Screenshot: click to edit policy]
Mail Policies > Incoming Mail Policies > AV link in Mail Policy
[Screenshot] Enable AV for the mail policy. Action when a virus is found: “Scan” or “Scan and Repair”; infected attachments are dropped and the rest of the message is delivered.
Mail Policies > Incoming Mail Policies > AV link in Mail Policy
[Screenshot] For Encrypted and Unscannable attachments you can’t be sure the message is clean, so give them their own action (for example quarantine, or tag and notify) rather than delivering them as if they were clean.
Advanced settings provide custom headers for mail agents to sort on, or redirect a message.
Processing Incoming Mail (Work Queue): AMP
Cisco AMP delivers integrated…
•  Point-in-time protection: file reputation & sandboxing
•  Additional retrospective security: continuous analysis
Cisco zero-hour malware protection
Advanced Malware Protection (Sourcefire AMP integration):
•  File reputation: known-file reputation lookup, with reputation updates
•  File sandboxing: unknown files are uploaded for sandboxing
•  Cloud-powered zero-hour malware detection
Outbreak Filters: telemetry-based zero-hour virus and malware detection
AMP On-Prem Sandboxing
AMP with ThreatGrid Solution Architecture
[Diagram] On the ESA, the AMP client extracts attachments (PDF, HTML, SWF, JPG, …) and pre-classifies them. The AMP connector queries the Cisco cloud (Talos, AMP) for the file reputation, backed by a local cache and a heartbeat; retrospective verdicts come back the same way. A parallel, prioritized query returns the disposition: clean or malicious. A qualified file with no verdict is uploaded through the sandbox connector to the on-premises Cisco sandbox (ThreatGrid) for analysis, alongside the local AV scanners.
§  Quarantine to store potential malware under investigation in sandbox
§  System quarantine with standard functions
-  Release, Delete, Send Copy, and Delay scheduled exit

§  Autorelease and rescan the message when file analysis is complete

Processing Incoming Mail (Work Queue): Content Filters
Content Filters
•  Executed after the Policy Engine
•  Executed after the security engines
•  Nice, easy-to-use GUI
•  Limited scope of conditions/actions
•  A single “AND” or “OR” logical operator between all conditions
•  Separate sets of filters for Incoming and Outgoing mail

Message Filters
•  Executed before the Policy Engine
•  Apply to the entire mail flow
•  More flexible in both conditions and actions; written in the AsyncOS message-filter rule syntax from the CLI (filters command) rather than in the GUI
Actions You Can Take:
•  Quarantine message (or a copy)
•  Send copy to (bcc)
•  Notify someone
•  Strip attachments by type
•  Redirect message
•  Insert or strip a header
•  Add footer
•  Skip Outbreak Filter processing
AND one final action:
•  Bounce message, or
•  Drop message, or
•  Deliver message, or
•  Encrypt and Deliver

Things You Can Look For:
•  Message body or attachments
•  Message body
•  Message size
•  Attachment content
•  Attachment file info
•  Attachment protected
•  Subject header
•  Other header
•  Envelope sender
•  Envelope recipient
•  Receiving listener
•  Remote IP
•  Reputation score
•  DKIM authentication

1  Identify the content that needs a custom action
2  Build the filter with ‘Conditions & Actions’. Order the filter appropriately in the list.
3  Choose a mail policy to apply this filter to
4  Test the filter with the Trace tool
5  Commit the changes globally

Step 1
•  Business needs determine ‘sensitive’ content
•  Content can be tracked on key words

[Diagram: Exchange.cisco.com (172.20.0.10) sends mail through the ESA toward the Internet; a content filter on the outgoing mail policy reads: if the body contains "Confidential" then quarantine to the Policy quarantine (Human Resources)]
Step 2
[Screenshot: the content filter editor] Note: policies are bi-directional
Step 2
Conditions:
•  Message Body
-- Subject Header
-- Other Header
•  Attachment
•  Attachment File Type (fingerprint)
•  Attachment Name
•  Attachment MIME Type
•  Envelope Sender
•  Envelope Recipient
… plus a whole lot of attachment matching choices… and more!

Text comparisons: Contains, Does not contain, Equals, Does not equal, Begins with, Does not begin with, Ends with, Does not end with, Exists

Multiple conditions can be combined with either AND or OR.
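A working model of the content filter described in steps 1 and 2, as an added example that is neither AsyncOS code nor its filter syntax: conditions are small predicates joined by one AND or one OR, and the filter set shows why the "Attachment File Type (fingerprint)" condition matters, since an executable renamed to .txt defeats a name-based check but not a magic-number check. The message class, the magic-number table, the filter set and the sample messages are all constructed for the example; the "Confidential" quarantine rule is the slide's, extended here with a sender condition to show the AND semantics.

```python
# Magic-number table for the types a content filter commonly gates on.
# Constructed and deliberately short: it covers a few well-known signatures only.
MAGIC = [
    (b"MZ", "executable"),         # Windows PE / DOS executable
    (b"\x7fELF", "executable"),    # ELF executable
    (b"PK\x03\x04", "zip"),        # ZIP container (also docx, xlsx, jar)
    (b"%PDF", "pdf"),
]

def fingerprint(data):
    """Classify an attachment by its leading bytes, ignoring its filename."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

class Message:
    def __init__(self, sender, recipients, body, attachments):
        self.sender = sender
        self.recipients = recipients
        self.body = body
        self.attachments = attachments   # list of (filename, raw bytes)

# Conditions are callables Message -> bool, mirroring the slide's list.
def body_contains(text):
    return lambda m: text.lower() in m.body.lower()

def attachment_name_ends_with(suffix):
    return lambda m: any(name.lower().endswith(suffix) for name, _ in m.attachments)

def attachment_fingerprint_is(kind):
    return lambda m: any(fingerprint(data) == kind for _, data in m.attachments)

def envelope_sender_ends_with(domain):
    return lambda m: m.sender.lower().endswith(domain)

def content_filter(name, conditions, action, mode="AND"):
    """One content filter: all conditions joined by a single AND or OR
    (the limitation noted above), yielding an action when it matches."""
    def evaluate(msg):
        results = [condition(msg) for condition in conditions]
        matched = all(results) if mode == "AND" else any(results)
        return action if matched else None
    return name, evaluate

# Constructed outgoing-policy filter set. Actions are labels that a real
# filter would map to quarantine / drop / strip attachment.
FILTERS = [
    content_filter("confidential_to_outside",
                   [body_contains("Confidential"), envelope_sender_ends_with("@cisco.com")],
                   "quarantine:Policy"),
    content_filter("exe_by_fingerprint", [attachment_fingerprint_is("executable")], "drop"),
    content_filter("exe_by_name", [attachment_name_ends_with(".exe")], "strip-attachment"),
]

def apply_filters(msg, filters=FILTERS):
    """Evaluate filters in list order and return every (name, action) that fired."""
    hits = []
    for name, evaluate in filters:
        action = evaluate(msg)
        if action:
            hits.append((name, action))
    return hits
```

The renamed executable in the test fires only the fingerprint filter; on a real appliance the order of the filter list decides which of several matching actions takes effect, which is why step 2 says to order the filter appropriately.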

Step 3
Outgoing Mail Policies > Content Filters > [screenshot]
Step 4
[Screenshot: the Trace tool]
Processing Incoming Mail (Work Queue): Outbreak Filters
[Before / During / After: scope, enforce, harden; detect, block, defend; contain, remediate]

[Diagram: click-time protection via Cisco® Talos] When a rewritten link is clicked, the request is inspected dynamically, in real time, over HTTP by Cisco Security. If the website is clean, the user is passed through. If the website is blocked, the user sees: “The requested web page has been blocked. http://www.threatlink.com. Cisco Email and Web Security protects your organization’s network from malicious software. Malware is designed to look like a legitimate email or website which accesses your computer, hides itself in your system, and damages files.”
[Before / During / After: scope, enforce, harden; detect, block, defend; contain, remediate]

Rewritten URL reporting:
•  The top malicious URLs rewritten, based on email ID
•  Users who clicked rewritten URLs, based on LDAP group
•  List of users accessing rewritten URLs: date/time, rewrite reason, IP address, URL action
•  Add malicious URLs to the blacklist
Outcomes: stop 0-day with dynamic intelligence; educate users
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 85
Work Queue (in order):
•  LDAP Recipient Acceptance (Work Queue time)
•  Masquerading or LDAP Masquerading
•  LDAP Routing
•  Message Filters
•  Anti-Spam (per-policy scanning)
•  Anti-Virus (per-policy scanning)
•  Content Filters (per-policy scanning)
•  Virus Outbreak Filters (per-policy scanning)

Outbreak Filters apply SenderBase threat-level information to incoming mail:
1 Low, 2 Low / Med, 3 Med, 4 High, 5 Extreme

SenderBase Network, illustrated: "I normally see 10 .pif files per hour" ... "I see a 90% increase in .pif files" -> calculate the change in threat level -> "Watch out for .pif files" (Threat = 3) -> the appliance gets it and applies the new level.

SenderBase data collection allows statistical analysis to spot virus outbreak trends - on average 13 hours before the signature is released!
Outbreak Filter Quarantine (Sophos Anti-Virus, McAfee Anti-Virus, IronPort Virus Outbreak Filters; AV pattern #117 is the signature that eventually arrives)

Message passes through Anti-Virus because it did not match a signature.

IronPort releases RULE-V1, raising the threat level for all ZIP files containing .EXE parts. The message hits Outbreak Filters and is quarantined.

IronPort releases RULE-V2, matching only ZIP files with .EXE parts that are larger than 36KB. Any message quarantined by RULE-V1 but not by RULE-V2 is released and delivered.

IronPort releases RULE-V3, matching ZIP files with .EXE parts that are between 50 & 55KB with "price" in the filename. Any message quarantined by RULE-V2 but not by RULE-V3 is released and delivered.

Sophos & McAfee release patterns matching the virus. IronPort releases RULE-V4, directing all files to be released (and rescanned) after the rule updates are loaded.
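To make the rule progression above concrete, here is an added example (not IronPort or Cisco code) that builds a few constructed ZIP attachments in memory, implements RULE-V1 through RULE-V3 as the slide states them, and reports which quarantined messages each refinement releases. The MIDs, file names and sizes are constructed for the demo.

```python
"""Outbreak Filter rule progression over ZIP attachments.

Added example, not Cisco/IronPort code. It builds constructed ZIP
attachments in memory and evaluates the RULE-V1..V3 rules from the slide
against them, then shows which messages a refined rule releases.
"""
import io
import zipfile


def exe_parts(zip_bytes):
    """Return (name, uncompressed size) for each .exe member of a ZIP."""
    parts = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.lower().endswith(".exe"):
                parts.append((info.filename, info.file_size))
    return parts


# The three rule versions from the slide, most specific last. Each returns
# True when the attachment should be held in the Outbreak quarantine.
def rule_v1(zip_bytes):
    """Any ZIP containing an .EXE part."""
    return bool(exe_parts(zip_bytes))


def rule_v2(zip_bytes):
    """ZIP with an .EXE part larger than 36 KB."""
    return any(size > 36 * 1024 for _, size in exe_parts(zip_bytes))


def rule_v3(zip_bytes):
    """ZIP with an .EXE part between 50 and 55 KB whose name contains 'price'."""
    return any(50 * 1024 <= size <= 55 * 1024 and "price" in name.lower()
               for name, size in exe_parts(zip_bytes))


RULES = {"RULE-V1": rule_v1, "RULE-V2": rule_v2, "RULE-V3": rule_v3}


def make_zip(members):
    """Build a constructed ZIP from {name: size_in_bytes} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, size in members.items():
            zf.writestr(name, b"\x00" * size)
    return buf.getvalue()


def quarantine_transition(messages, old_rule, new_rule):
    """Messages held by old_rule but not matched by new_rule are released."""
    held, released = [], []
    for mid, payload in messages.items():
        if RULES[old_rule](payload):
            (held if RULES[new_rule](payload) else released).append(mid)
    return sorted(held), sorted(released)


# Constructed sample messages (MID -> attachment bytes).
SAMPLE_MESSAGES = {
    "MID 201": make_zip({"setup.exe": 10 * 1024}),       # small EXE
    "MID 202": make_zip({"report.exe": 40 * 1024}),      # >36 KB, no 'price'
    "MID 203": make_zip({"price_list.exe": 52 * 1024}),  # 52 KB, 'price'
    "MID 204": make_zip({"readme.txt": 2 * 1024}),       # no EXE at all
}

if __name__ == "__main__":
    for old, new in (("RULE-V1", "RULE-V2"), ("RULE-V2", "RULE-V3")):
        held, released = quarantine_transition(SAMPLE_MESSAGES, old, new)
        print(f"{old} -> {new}: still held {held}, released {released}")
```

Each refinement only narrows the previous rule, so a message released at one step is never re-quarantined by a later, more specific rule; RULE-V4 is the final release once the AV patterns exist.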
Mail Policies > Incoming Mail Policies > Outbreak Filter hyperlink in Policy

Click the link to edit the policy. You can:
•  Exempt extensions for files critical to your business
•  Enable Message Modification
Remember there is a separate Mail Policy for Outgoing Mail.
•  Threat Landscape
•  Email Form Factors
•  Email Architecture
•  Mail Flow Pipeline & Processing
•  Inbound Features
•  Outbound Features
•  LDAP
•  Centralized Reporting & Message Tracking
•  What’s New in 9.x

Outbound Features

Outbound pipeline on the AsyncOS Email Platform, in order: Reputation Filters (OFF) > Message Filters > Anti-Spam (OFF) > Anti-Virus > Content Filters > Outbreak Filters (OFF) > RSA DLP

Enforcing Corporate Compliance
Outbound
•  Content Filters: easy setup; robust conditions and actions
•  DLP: 100+ policies; industry-leading accuracy
•  Remediation: severity-based
•  Encryption: easy for sender and recipient; automatic encryption / decryption; business-class email
Part of a comprehensive DLP solution with RSA – Accurate, Easy, Extensible

Email Security (ESA): Email Uptime, Threat Prevention, Policy Enforcement, Compliance
Data Loss Prevention (RSA): Risk Policy Definition, Incident Management
The two sides are linked by Policies and Incidents.
Integrating the ESA into an Enterprise-wide DLP Deployment

In the RSA Enterprise DLP solution, the Cisco Email Security Appliance replaces:
•  SMTP Interceptor
•  Encryption Server
•  SMTP Smart Host

Enterprise Manager integration brings:
•  Additional Policies
•  Fingerprinting
•  Policy Management
•  Remediation
•  Investigation, and more
The DLP Assessment Wizard streamlines the setup, but not all filter options are shown in it.
Security Services > RSA Email DLP to enable

Mail Policies > DLP Manager > Add DLP Policy
Choose a Template Category, then add a Template from the Category list.
•  The default is to monitor only (the Deliver action)

You may choose an action for each severity (Critical, High, Medium, Low):
•  Deliver
•  Quarantine
•  Drop
•  Encrypt (if encryption is configured)
Additional actions: add a custom header, modify the subject, or add a disclaimer; copy admins or supervisors; notify the sender or recipient with a custom message.
Commit Changes
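The severity-to-action mapping above is easier to reason about with a concrete detector behind it. The following is an added example, not RSA's or Cisco's DLP engine: it finds card-number candidates in a message body, validates them with the Luhn check so that order numbers and phone numbers do not count, derives a severity from the count, and maps it to one of the four actions. The severity thresholds and the per-severity actions are illustrative choices for the demo, and the message body is constructed around the deck's sample Visa number.

```python
"""Constructed DLP check for PCI data with severity-based actions.

Added example, not Cisco/RSA DLP code. Thresholds and actions are
illustrative; the message body is constructed for the demo.
"""
import re

# 13-19 digit candidates, allowing the common space/dash separators.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# The action an administrator might pick per severity in the DLP policy
# (assumed mapping for the example).
ACTION_BY_SEVERITY = {
    "Low": "Deliver",      # monitor only, which is also the default
    "Medium": "Encrypt",
    "High": "Quarantine",
    "Critical": "Drop",
}


def luhn_ok(digits):
    """Luhn mod-10 check; weeds out order numbers and phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return (luhn_valid, candidates): distinct valid PANs and all digit runs."""
    valid, candidates = [], []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        candidates.append(digits)
        if luhn_ok(digits) and digits not in valid:
            valid.append(digits)
    return valid, candidates


def severity(valid_count, candidate_count):
    """Illustrative thresholds: count of Luhn-valid PANs drives severity."""
    if valid_count >= 10:
        return "Critical"
    if valid_count >= 2:
        return "High"
    if valid_count == 1:
        return "Medium"
    if candidate_count:
        return "Low"        # digit runs that fail Luhn: log and deliver
    return None


def dlp_verdict(body):
    """(severity, action, valid_pans) for a message body."""
    valid, candidates = find_pans(body)
    sev = severity(len(valid), len(candidates))
    return sev, ACTION_BY_SEVERITY.get(sev, "Deliver"), valid


# Constructed message body using the deck's sample Visa number.
SAMPLE_BODY = """Hi Adam,
Please charge the Visa 4999999999999996 for the outstanding invoice.
Order reference 1234 5678 9012 3456 7 is not a card number.
Call me on 555-0100-2000-3000 if anything fails.
"""

if __name__ == "__main__":
    sev, action, pans = dlp_verdict(SAMPLE_BODY)
    print(f"severity={sev} action={action} pans={pans}")
```

With the sample body only the Visa number survives the Luhn check, so the verdict is Medium and the message is routed to encryption, which is exactly the DLP-to-PXE hand-off visible in the mail_logs excerpt that follows.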
Results of a Sample Payment Card Industry (PCI) Violation: Visa 4999999999999996

Track DLP policies with "tail mail_logs":

Wed Dec 16 20:04:29 2009 Info: MID 174 interim AV verdict using Sophos CLEAN
Wed Dec 16 20:04:29 2009 Info: MID 174 antivirus negative
Wed Dec 16 20:04:30 2009 Info: MID 174 DLP violation
Wed Dec 16 20:04:30 2009 Info: MID 174 queued for delivery
Wed Dec 16 20:04:30 2009 Info: MID 174 enqueued for PXE encryption
Wed Dec 16 20:04:33 2009 Info: Start MID 175 ICID 0
Wed Dec 16 20:04:33 2009 Info: MID 175 was generated based on MID 174 by PXE encryption filter 'DLP'
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 From: <alan@exchange.alpha.com>
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 RID 0 To: <adam@outside.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 ready 156437 bytes from <alan@exchange.alpha.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 queued for delivery

Note that the encrypted copy gets a new MID (175) that points back at the original (174); when tracking a DLP incident you have to follow both.
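The slide's log excerpt is worth parsing rather than reading by eye, because the encrypted copy is a different MID from the message that tripped DLP. Here is an added example (not an AsyncOS tool) that takes exactly the lines shown above, groups events by MID, follows the "was generated based on MID" link back to the original, and confirms end to end that a DLP violation produced an encrypted copy that was queued for delivery.

```python
"""Follow a message through mail_logs by MID, including the new MID the
PXE encryption filter generates. Added example, not an AsyncOS tool; the
log lines are the ones shown on the slide.
"""
import re
from collections import defaultdict

MAIL_LOGS = """\
Wed Dec 16 20:04:29 2009 Info: MID 174 interim AV verdict using Sophos CLEAN
Wed Dec 16 20:04:29 2009 Info: MID 174 antivirus negative
Wed Dec 16 20:04:30 2009 Info: MID 174 DLP violation
Wed Dec 16 20:04:30 2009 Info: MID 174 queued for delivery
Wed Dec 16 20:04:30 2009 Info: MID 174 enqueued for PXE encryption
Wed Dec 16 20:04:33 2009 Info: Start MID 175 ICID 0
Wed Dec 16 20:04:33 2009 Info: MID 175 was generated based on MID 174 by PXE encryption filter 'DLP'
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 From: <alan@exchange.alpha.com>
Wed Dec 16 20:04:33 2009 Info: MID 175 ICID 0 RID 0 To: <adam@outside.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 ready 156437 bytes from <alan@exchange.alpha.com>
Wed Dec 16 20:04:34 2009 Info: MID 175 queued for delivery
"""

LINE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) (?P<level>\w+): (?P<msg>.*)$")
MID = re.compile(r"\bMID (\d+)\b")
GENERATED = re.compile(r"MID (\d+) was generated based on MID (\d+) by (.+)$")


def parse(log_text):
    """Return {mid: [event, ...]} and {child_mid: (parent_mid, reason)}."""
    events = defaultdict(list)
    parents = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        mids = MID.findall(msg)
        if not mids:
            continue
        events[int(mids[0])].append(msg)   # first MID on the line owns the event
        g = GENERATED.search(msg)
        if g:
            parents[int(g.group(1))] = (int(g.group(2)), g.group(3))
    return events, parents


def lineage(mid, parents):
    """Walk child -> parent until the original MID is reached."""
    chain = [mid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]][0])
    return chain


def dlp_encrypted_deliveries(log_text):
    """(original, encrypted_copy) pairs where the original hit a DLP
    violation and the PXE-generated copy was queued for delivery."""
    events, parents = parse(log_text)
    hits = []
    for child, (parent, reason) in parents.items():
        if "PXE encryption" not in reason:
            continue
        dlp = any(e.endswith("DLP violation") for e in events[parent])
        queued = any(e.endswith("queued for delivery") for e in events[child])
        if dlp and queued:
            hits.append((parent, child))
    return sorted(hits)


if __name__ == "__main__":
    ev, par = parse(MAIL_LOGS)
    print("lineage of MID 175:", lineage(175, par))
    print("DLP -> PXE deliveries:", dlp_encrypted_deliveries(MAIL_LOGS))
```

The same parent map also answers the reverse question during an incident: given the original MID from a DLP report, which derived MIDs actually left the appliance.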
Cisco Registered Envelope Service (CRES): turnkey email encryption

ü  The only cloud-based encryption key server flexible enough to meet the evolving secure-communications requirements of businesses today
ü  Hosted key service: the encryption key is stored in the cloud
ü  Uses federated identity; supports SAML for federated identity
ü  Push technology with intuitive policy management
ü  We make encryption easy for end users – a key customer adoption barrier
ü  Technology independent – use your inbox or mail server of choice

Integrated gateway security with advanced end-to-end encryption to meet evolving customer requirements; MTA-to-MTA TLS is enforced.
Destination-Sensitive Email Encryption

Example: one message TO: SUE and BOB. Bob, a partner recipient, is reachable over a TLS connection, so his copy is delivered MTA-to-MTA over TLS. Sue, a public recipient with no TLS available, receives a PXE Secure Envelope instead.
Ø  Use TLS if available
Ø  Otherwise, encrypt using a PXE Secure Envelope
§  Enable in Message and Content Filters, and DLP Policies
CRES (Cisco Registered Envelope Service) envelope features:
•  Mobile Encryption on Smartphones – send and open secure email on iPhone and Android; the recipient authenticates to CRES with a username and password to open the envelope
•  Forward/Reply Email Control (enforced in the cloud)
•  Read Email Receipt
•  Email Recall & Expiration – the sender expires the key in CRES
Six steps:
1.  Enable Email Encryption
2.  Configure Encryption Profile (multiple profiles may be configured)
3.  Provision with Cisco Registered Envelope Service
4.  Define policy via Content Filter(s)
5.  Reference the Content Filter in a Mail Policy
6.  Test using the trace and sample outbound emails
1. Enable Email Encryption

•  Key Server Type
-- Hosted Key Service: use Cisco Registered Envelope Service*, a managed service by Cisco/IronPort
-- IronPort Encryption Appliance (IEA): use a key server managed by the customer and running locally on an IEA

* New branding: the product reflects the previous IronPort branding of IronPort Hosted Key Service
Security Services > IronPort Email Encryption > Add Encryption Profile

§  Message Security
-- Control whether the recipient can cache credentials in the browser
-- Or remove the need for recipients to register

§  Read Receipts
-- If enabled, the sender gets a read receipt when the message is opened
-- Guaranteed: can't be blocked by the recipient

§  Encryption Algorithm
-- ARC4: historically presented as the industry-standard choice for most applications. RC4 is now considered broken (RFC 7465 prohibits it in TLS), so choose AES for new profiles.
-- AES: ultra-secure, used mainly by governments and banks. Results in slower envelope opening for recipients.
§  Message Settings
-- Enable Secure Reply All and Secure Forward buttons for recipients

§  Notification Settings
-- (Optional) Define custom notifications using Text Resources: Mail Policies > Text Resources > Add Text Resource
-- Select them here, using the drop-downs

•  You must Commit before you can provision!
Security Services > IronPort Email Encryption

•  Provisioning registers the appliance with the Cisco Registered Envelope Service
-- Authenticates the appliance and associates it with an existing account
-- Allows keys to be registered when messages are sent
•  Must happen before encrypted messages can be sent
•  Does not apply to a local key server (on an IronPort Encryption Appliance)
Mail Policies > Outgoing Content Filters > Add Content Filter > Add Condition

The "\" is an escape for regex metacharacters. Remember to put:
-- "\" in front of metacharacters in the GUI
-- "\\" in front of metacharacters in the CLI (the CLI consumes one level of escaping)

Metacharacters include: ^ $ * \ . ? | + [ ] ( ) { }

Without the escape, "." matches any character and "[ ... ]" becomes a character class, so an unescaped literal both misses the phrase you meant and matches phrases you did not.
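An added example (not from the deck) that shows the escaping rule in practice: it turns a literal phrase into the pattern to paste into the GUI and into the CLI, then checks what the raw and the escaped pattern actually match against constructed subject lines. The assumption, taken from the slide, is that the CLI strips one level of backslashes before the pattern reaches the regex engine.

```python
"""Escaping regex metacharacters for ESA content-filter conditions.

Added example, not from the deck. It turns a literal phrase into the
pattern you would paste into the GUI and into the CLI, and shows that the
raw (unescaped) literal both misses the real match and hits a near-miss.
"""
import re

# Characters the deck lists as regex metacharacters, plus the grouping
# and repetition characters that need the same treatment.
META = set(r'^$*\.?|+[](){}')

LITERAL = "[CONFIDENTIAL] v1.0"


def gui_pattern(literal):
    """Pattern for the web GUI: one backslash before each metacharacter."""
    return "".join("\\" + ch if ch in META else ch for ch in literal)


def cli_pattern(literal):
    """Pattern for the CLI: assumed to consume one level of escaping, so
    each backslash from the GUI form is doubled."""
    return gui_pattern(literal).replace("\\", "\\\\")


def matches(pattern, subject):
    """What the appliance tests once the escapes have been consumed."""
    return re.search(pattern, subject) is not None


# Constructed subject lines for the demo.
SUBJECTS = [
    "Plan [CONFIDENTIAL] v1.0 draft",   # the phrase we meant: escaped matches
    "Send N v1x0 today",               # raw pattern matches this by accident
    "Plan CONFIDENTIAL v1.0 draft",    # no brackets: raw matches, escaped does not
]

if __name__ == "__main__":
    gui = gui_pattern(LITERAL)
    print("GUI :", gui)
    print("CLI :", cli_pattern(LITERAL))
    for s in SUBJECTS:
        print(f"{s!r}: raw={matches(LITERAL, s)} escaped={matches(gui, s)}")
```

The raw literal treats "[CONFIDENTIAL]" as a one-character class and "." as a wildcard, which is why it misses the first subject and matches the other two; the escaped form behaves as the literal string you intended.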
Mail Policies > Outgoing Content Filters > Add Content Filter > Add Action
Drill-down reporting and detailed Message Tracking

Reporting is done in a drill-down fashion. This eliminates the need for having many dozens of reports. Reporting covers:
•  Inbound and outbound emails
•  Policy- and threat-blocked emails – content, spam, virus, invalid recipients, and more

Reports can be:
•  Run for specific time ranges
•  Scheduled to run off hours
•  Delivered automatically to recipients – even if they have no credentials on the system
Quarantines are places to hold emails that violate policies: Anti-Spam, Anti-Virus, email policy, and those that contain outbreaks.
•  Spam, Outbreak, Policy, and Virus quarantines are enabled by default
•  Other quarantines can be created as needed to fit company policy

The appliance has finite space for quarantines on box. For more Spam Quarantine space, use an M-Series appliance. Policy quarantines are not yet able to be centralized on the M-Series.
•  Threat Landscape
•  Email Form Factors
•  Email Architecture
•  Mail Flow Pipeline & Processing
•  Inbound Features
•  Outbound Features
•  LDAP
•  Centralized Reporting & Message Tracking
•  What’s New in 9.x

LDAP
Lightweight Directory Access Protocol
•  Based on the X.500 standard, but significantly simpler and more readily adapted to meet custom needs
•  Unlike X.500, LDAP runs over TCP/IP, which is necessary for Internet access
•  The core LDAP specifications are defined in RFCs (LDAPv3 is the RFC 4510 series)

LDAP can:
•  Provide data to clients
•  Search data with filters
•  Access specific information from an object
•  Be customized: each implementation is usually different
•  A hierarchical, object-oriented database
-- A repository of information
-- Provides a single point of data management
-- LDAP directories are heavily optimized for read performance
•  LDAP is not a relational database
•  Standardized access protocol
-- Access the LDAP directory from nearly all platforms
-- Applications don't need to know details of the back-end directory implementation
-- Free client access
•  Best used for information that must be available from many locations and to which updates are infrequent:
Ø  Whitepages / contact information
Ø  Email routing information
Ø  Config information for distributed software
Ø  Public certs and keys
Ø  Photos

Formal implementations: Microsoft Exchange, Microsoft Active Directory, Lotus Notes (Domino), OSS (OpenLDAP, tinyldap, etc.), Sun (part of SunOne), Netscape (NDS), Novell (part of eDirectory)
LDAP Recipient Acceptance
1. Verify the receiving domain in the RAT (Recipient Access Table).
   RAT: alpha.com Accept; exchange.alpha.com Accept; All Others Reject
2. Search the LDAP directory from the base DN for the recipient email address.
   Query template: (mail={a}). For "Rcpt to: abuse@alpha.com" the query sent is (mail=abuse@alpha.com); returned 1 result.
3. Return an accept or reject to the sending domain.

Figure: the IncomingMail listener on the C-Series appliance receives "Rcpt to: sam@alpha.com" and "Rcpt to: abuse@alpha.com", runs the LDAP_Svr1.accept query against the LDAP server, and delivers accepted mail to the Exchange server (e.g. abuse@exchange.alpha.com).
System Administration > LDAP

Supported directories: Active Directory, Lotus Notes, OpenLDAP, SunOne, and others.

Test Query: initiates a query to the LDAP server with the query string and shows the search results. No impact on production mail.
•  Problem: a university mail admin wants to prevent attackers from discovering the valid usernames.
Spiders use dictionary attacks or common user names to work out which recipients are conversationally rejected or bounced; the attackers then sell the list of good addresses that pass LDAP Accept validation (a directory harvest attack).

•  Solution: Mail Policies > Mail Flow Policies > Default Policy Parameters
Set Max Invalid Recipients/hr to 5. This is Directory Harvest Attack Prevention (DHAP): the count is kept per sending host per hour, so a legitimate sender that occasionally mistypes an address is unaffected, while a host that guesses names trips the limit after five misses.
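To show how LDAP Accept and the invalid-recipient limit work together, here is an added example (not AsyncOS code). The directory is an in-memory stand-in for the LDAP server, the query template "(mail={a})" is the one from the LDAP accept slide, the RAT is the one from that figure, and the limit is the DHAP value recommended above. The SMTP reply wording is illustrative; what matters is that RAT rejections happen before any LDAP lookup and that only LDAP misses count toward the harvest limit.

```python
"""LDAP Recipient Acceptance with Directory Harvest Attack Prevention.

Added example, not AsyncOS code. The directory is a constructed in-memory
stand-in for the LDAP server; SMTP reply texts are illustrative.
"""
from collections import defaultdict

# Recipient Access Table from the slide.
RAT = {"alpha.com": "Accept", "exchange.alpha.com": "Accept"}

# Constructed directory: what the LDAP server would return for (mail=...).
DIRECTORY = {
    "abuse@alpha.com": "cn=abuse,ou=users,dc=alpha,dc=com",
    "sam@alpha.com": "cn=sam,ou=users,dc=alpha,dc=com",
}

QUERY_TEMPLATE = "(mail={a})"
MAX_INVALID_PER_HOUR = 5          # the DHAP setting from the mail flow policy


def ldap_accept_query(address):
    """Substitute the recipient into the accept query, as the appliance does."""
    return QUERY_TEMPLATE.replace("{a}", address)


def ldap_search(query):
    """Stand-in for the directory search; returns matching DNs."""
    addr = query[len("(mail="):-1]
    return [DIRECTORY[addr]] if addr in DIRECTORY else []


class Listener:
    """Tracks invalid RCPT TO attempts per sending host per hour."""

    def __init__(self, limit=MAX_INVALID_PER_HOUR):
        self.limit = limit
        self.invalid = defaultdict(int)   # (host, hour) -> misses so far

    def rcpt_to(self, src_host, address, hour):
        domain = address.rsplit("@", 1)[-1].lower()
        if RAT.get(domain, "Reject") != "Accept":
            return "550 Relaying denied"              # RAT check, before LDAP
        key = (src_host, hour)
        if self.invalid[key] >= self.limit:
            return "452 Too many invalid recipients"  # DHAP: stop the harvest
        if ldap_search(ldap_accept_query(address)):
            return "250 Recipient OK"
        self.invalid[key] += 1                        # only LDAP misses count
        return "550 No such user"


def simulate_harvest(listener, src_host, hour, guesses):
    """Replay a dictionary of guessed local parts; return the replies."""
    return [listener.rcpt_to(src_host, f"{name}@alpha.com", hour) for name in guesses]


if __name__ == "__main__":
    lst = Listener()
    print(lst.rcpt_to("203.0.113.5", "abuse@alpha.com", 20))
    print(lst.rcpt_to("203.0.113.5", "abuse@other.com", 20))
    guesses = ["bob", "alice", "sam", "carol", "dave", "eve", "frank", "grace"]
    for name, reply in zip(guesses, simulate_harvest(lst, "203.0.113.5", 20, guesses)):
        print(f"RCPT TO:<{name}@alpha.com> -> {reply}")
```

After five misses from the same host in the same hour, every further guess gets the same answer whether or not the name exists, which is what removes the information the harvester was after.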
SMTP Call-Ahead is used to verify legitimate recipient addresses in hosted customers' domains without accessing their LDAP directory. The ESA calls ahead to the customer's SMTP server with a RCPT TO command to test the address before accepting the mail.

Figure: Internet mail domains -> hosted email service (ESA) -> hosted customer 1 / hosted customer 2 mail servers.

Network > SMTP Call-Ahead
Centralized Reporting & Message Tracking

Localized reporting and tracking are useful features, but:
•  Reports are not consolidated to represent the whole enterprise when it uses multiple ESAs
•  Distributed C-Series appliances can make it difficult to determine a single message's disposition

Figure: incoming and outgoing mail between the Internet and the mail server flows through ESA 1 or ESA 2; the mail admin has to ask "which appliance?" to find a message.
•  Reports are consolidated to view mail aggregated across the whole enterprise
•  Individual messages can be tracked regardless of the path taken through the enterprise

Figure: ESA 1 and ESA 2 report to the M-Series; the mail admin queries the M-Series instead of each appliance.
Centralized End-User Spam Quarantine
Figure: two C370s (End-User ISQ 1 and End-User ISQ 2) send suspect spam to the quarantine on an M1070; the end user receives a notification with an access link.
Cisco Content Security Management Appliances for Email and Web Security

•  M-Series appliances centralize reporting, anti-spam quarantines, and Message Tracking
ü  Consolidated reports: a single view across the organization
ü  Real-time insight into email traffic and security threats
ü  Single location for Message Tracking
ü  Actionable drill-down reports

Multiple data points: email volumes, spam counters, policy violations, virus reports, outgoing email data, message tracking, system health view
Flexible deployment options with software bundles and a la carte options

Flexible Deployment
•  Appliances (right-size to fit your needs): X1070, C670, C370, C170; 1, 3, 5 yr terms, starting at 100 mailboxes
•  Cloud (CLOUD, HYBRID, MANAGED): select the number of mailboxes and expand as you grow, 500-999 to 100,000+; monthly, quarterly, annual terms, starting at 500 mailboxes

Software Subscription Bundles
•  INBOUND: Anti-Virus / Anti-Spam, Outbreak Filter
•  OUTBOUND: DLP, Encryption
•  PREMIUM = INBOUND + OUTBOUND

A La Carte Software: Cloudmark Anti-Spam, Image Analyzer, McAfee Anti-Virus, Intelligent Multi-Scan

Service and Support
Procedure:
•  Determine the number of Seats
•  Determine which features will be enabled
•  Contact your Cisco Sales Rep to determine needed
hardware.

•  Threat Landscape
•  Email Form Factors
•  Email Architecture
•  Mail Flow Pipeline & Processing
•  Inbound Features
•  Outbound Features
•  Centralized Reporting & Message Tracking
•  What’s New in 9.x

POC
•  What are the customer's experiences with their email security solution today?
•  What are the customer's concerns? These may include the following:
-- Poor efficacy
-- Poor performance
-- Pricing (OpEx or CapEx)
-- Efficiency and ease of use
-- Data loss, outbound control, blacklists
-- Phishing
•  How do these issues relate to the customer's overall security? When does the current solution expire?
•  What are the outsourced deployment methodologies?
-- Hosted email security
-- Hybrid hosted email security
-- Managed services
•  What are the on-premises deployment methodologies?
-- Cisco ESA installation
-- Cisco ESAV installation
•  How will the proof of concept be deployed?
-- In a test lab
-- In production
»» Behind the existing solution (not ideal). See "Determining Sender IP Address In Deployments with Incoming Relays" in the Email User Guide.
»» In front of the existing solution (ideal).
»» Partial mail exchange allocation
»» Monitoring or blocking (monitoring will involve marking all malware and forwarding it inbound)

•  How will the proof of concept be evaluated?
-- List the criteria for success and, if possible, provide the relative weightings.
-- Most items should be quantitative with either a Pass/Fail grade or a rating.
-- Criteria should be separated into categories (for example, End User Experience, Administrative Ease, Effectiveness, Reporting) and by importance.
-- Example: one criterion of success would be to catch 99 percent of all production spam during the PoC with less than 1 in 1 million false positives.
What's New in 9.x
•  Performance Monitoring / Enhancements
•  Graymail and Safe Unsubscribe
•  Web Interaction Tracking
•  AMP / Local 'Sandboxing' with ThreatGrid
•  Encryption
•  Product Update and Roadmap

Performance Monitoring / Enhancements
Performance Monitoring - System Health Check

On-demand system health of the appliance: System Administration > System Health. Click Edit Settings to change the thresholds, or click Run Health Check.
Performance Monitoring - System Health Check
When run, the system analyzes historical data (up to 3 months) to determine the health of the appliance.

Reports back on key system indicators:
-  ResCon (resource conservation) mode
-  Delay in mail processing
-  High CPU usage
-  High memory usage
-  High memory page swapping

•  System tuning, reconfiguration, or additional resources may be required.
•  Useful in capacity-planning scenarios, such as new campaigns, acquisitions, etcetera.
Performance Monitoring - Upgrade Guidance
•  When you click Upgrade Options, the system will prompt you to run a System Health Check
•  If you are confident in the health of your systems this can be skipped
•  If there isn't enough historical data (30 days) to check the system, you will be asked whether you wish to proceed with the upgrade
Performance Monitoring - Upgrade Guidance
•  If issues are found, the system will clearly list what it thinks the problem areas are
•  TAC can assist with guidance on upgrading or reviewing your configuration, but if more capacity is the answer then additional ESAs may be needed
Performance Monitoring - ‘ResCon’ Mode
•  A new report under Monitor > System Capacity >
System Load page counts times in which the system
has entered Resource Conservation mode.
•  Consider adding additional capacity or restructuring mail
flows if excessive resource conservation activity is seen

Graymail and Safe Unsubscribe
Graymail - What is it?
Graymail is email you opted in to receive, but don't really want
anymore - we all get it.

Graymail - The Solution
The Graymail solution will provide:
•  Protection against malicious threats masquerading as
unsubscribe links
•  A uniform interface for all subscription management to end-
users
•  Better visibility to the email administrators and end-users
into such emails

For Cisco the benefit will be:


•  Reduced ‘false spam’ submissions by end users
•  Reduced load on TAC and perceived increase in our spam
efficacy

Graymail - Architecture & Mail Flow

A new engine has been added to identify Graymail. This engine also extracts unsubscribe links from the message and passes a verdict to IPAS for improved spam efficacy.

Graymail actions occur after AMP, because CASE/IPAS has the final answer on whether a message is actually Graymail. However, Graymail scanning occurs earlier in the pipeline:
Graymail - Sub-Categories - Identifying Graymail

Marketing
•  Email campaigns sent through professional routing platforms
•  These market players generally follow the rules of use for
email advertising: unsubscribe links, list cleaning/verification,
etcetera
Bulk
•  Any advertising email sent that follows the advertising rules
of use and not sent through a professional routing platform.
Here the heuristic rules used are predictive and generic
Social Networking:
•  Social Networking emails: Facebook, LinkedIn, etcetera

Graymail - Configuration, Policy Settings

Graymail can be configured as part of the default policy or with different parameters under different incoming mail policies.

Graymail - Configuration
All the typical policy settings are available for messages identified as Marketing, Social Network, or Bulk.
For monitoring purposes, enable Graymail detection with no actions.
Graymail - End User Experience Workflow
1.  The user clicks on the rewritten un-subscription link in the banner.
2.  The link is checked to ensure it's safe, and the user is then redirected to the unsubscribing service.
3.  The service executes the un-subscription on behalf of the end-user.
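The step "the link is checked to ensure it's safe" is where a practitioner wants to see the logic. The following is an added example, not Cisco's graymail engine: it parses a constructed marketing message, collects unsubscribe candidates from the List-Unsubscribe header (RFC 2369) and from body links whose text says "unsubscribe", and treats an http(s) link as usable only when its host belongs to the sender's domain. Everything else is flagged for review. The message, the sender domain and the tracker host are constructed for the demo; the safety rule itself is an assumption about one reasonable policy, not a description of what the appliance does.

```python
"""Safe-unsubscribe style check for a graymail message.

Added example, not Cisco's graymail engine. The message is constructed;
the same-organization rule is one reasonable policy, not the appliance's.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SAMPLE_MESSAGE = """\
From: "Acme Deals" <deals@mail.acme-example.com>
To: alan@alpha.com
Subject: This week's offers
List-Unsubscribe: <mailto:unsub@mail.acme-example.com>, <https://mail.acme-example.com/u?id=42>
Content-Type: text/html; charset=utf-8

<html><body>
<p>Great offers!</p>
<p><a href="https://mail.acme-example.com/u?id=42">Unsubscribe</a></p>
<p><a href="http://tracker.example.net/unsubscribe?u=alan">Click here to unsubscribe</a></p>
</body></html>
"""

HREF = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LIST_UNSUB = re.compile(r"<([^>]+)>")


def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()


def unsubscribe_candidates(msg):
    """URLs from List-Unsubscribe plus body links whose text says unsubscribe."""
    urls = LIST_UNSUB.findall(msg.get("List-Unsubscribe", ""))
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    for href, text in HREF.findall(body):
        if "unsubscribe" in re.sub(r"<[^>]+>", "", text).lower() and href not in urls:
            urls.append(href)
    return urls


def same_org(host, domain):
    """Host is the sender domain, a subdomain of it, or its parent domain."""
    return host == domain or host.endswith("." + domain) or domain.endswith("." + host)


def classify_unsubscribe(msg):
    """Map each candidate to 'safe', 'mailto' or 'review'."""
    domain = sender_domain(msg)
    verdicts = {}
    for url in unsubscribe_candidates(msg):
        parts = urlsplit(url)
        if parts.scheme == "mailto":
            verdicts[url] = "mailto"            # handled by sending mail, not a click
        elif parts.scheme in ("http", "https") and same_org(parts.hostname or "", domain):
            verdicts[url] = "safe"
        else:
            verdicts[url] = "review"            # third-party host: do not follow blindly
    return verdicts


if __name__ == "__main__":
    for url, verdict in classify_unsubscribe(message_from_string(SAMPLE_MESSAGE)).items():
        print(f"{verdict:7} {url}")
```

The third-party "click here to unsubscribe" link is the one a phishing campaign would plant, and it is the one that ends up in the review bucket rather than being followed on the user's behalf.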
Graymail - Reporting
•  Separate entries show the number of Marketing, Social Media, and Bulk messages caught / identified
•  Messages with an added Unsubscribe Banner are also identified on their own line
•  Separate report elements show the Top Senders by Graymail by sending domain and the Top Senders by Category
•  Category names can be clicked to sort by that column

Graymail - Message Tracking
Message Tracking has been enhanced with a new Message Event added to search specifically for Graymail events.
Web Interaction Tracking
Web Interaction Tracking - Brief Overview

Web Interaction Tracking (Click Tracking) allows administrators to track the end users who click on URLs that have been rewritten by the ESA.

The on-box reports show:
•  Top users who clicked on malicious URLs
•  The top malicious URLs clicked by end users
•  Date/time, rewrite reason, and action taken on the URLs
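An added example (not an ESA report) of the three report views above computed from click records. The deck notes that customer-visible logs for URL click data are not available, so the record format below is constructed for the demo and is not the appliance's; the users, URLs and rewrite reasons are constructed too.

```python
"""Web Interaction Tracking style report from click records.

Added example, not an ESA report. The click records are a constructed
format for the demo, not an appliance log.
"""
from collections import Counter

# Constructed click records: when a user followed a rewritten URL, why the
# URL was rewritten, and the action taken on the click.
CLICKS = [
    "2015-06-01T09:12:03Z user=alan@alpha.com url=http://www.threatlink.com/login reason=Outbreak action=blocked",
    "2015-06-01T09:15:44Z user=sam@alpha.com url=http://www.threatlink.com/login reason=Outbreak action=blocked",
    "2015-06-01T10:02:10Z user=alan@alpha.com url=https://news.example.net/story reason=Content_Filter action=allowed",
    "2015-06-01T11:40:51Z user=alan@alpha.com url=http://bad.example.org/x reason=URL_Reputation action=blocked",
    "2015-06-01T12:00:00Z user=eve@alpha.com url=http://bad.example.org/x reason=URL_Reputation action=unknown",
]

# Rewrite reasons that mean the destination was judged malicious; a
# Content_Filter rewrite is policy, not a threat verdict.
MALICIOUS_REASONS = {"Outbreak", "URL_Reputation"}


def parse_click(record):
    """'ts k=v k=v ...' -> dict; URLs carry no spaces in this format."""
    ts, rest = record.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split(" "))
    fields["ts"] = ts
    return fields


def report(records, top=3):
    """Top users who clicked malicious URLs, top malicious URLs, and the
    per-click detail (date/time, user, rewrite reason, action)."""
    clicks = [parse_click(r) for r in records]
    malicious = [c for c in clicks if c["reason"] in MALICIOUS_REASONS]
    return {
        "top_users": Counter(c["user"] for c in malicious).most_common(top),
        "top_urls": Counter(c["url"] for c in malicious).most_common(top),
        "detail": [(c["ts"], c["user"], c["reason"], c["action"]) for c in clicks],
    }


def users_to_educate(records):
    """Users who clicked a malicious URL whose action was not 'blocked':
    these are the clicks where the endpoint may actually have reached the site."""
    clicks = [parse_click(r) for r in records]
    return sorted({c["user"] for c in clicks
                   if c["reason"] in MALICIOUS_REASONS and c["action"] != "blocked"})


if __name__ == "__main__":
    r = report(CLICKS)
    print("top users :", r["top_users"])
    print("top URLs  :", r["top_urls"])
    for row in r["detail"]:
        print("  ", *row)
    print("follow up with:", users_to_educate(CLICKS))
```

The "unknown" action is the case the limitations slide warns about for Outbreak Filter rewrites on 9.5.x: a click you know happened but whose outcome you cannot confirm, so it belongs on the follow-up list rather than being assumed blocked.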
Web Interaction Tracking - Limitations
•  Tracking URLs rewritten by Outbreak Filters is only partially supported in the 9.5.x release
Ø  The action taken on the URLs would be unknown
•  Customer-visible logs for URL click data are not available
•  Report modules are refreshed every 30 minutes (not configurable)
Web Interaction Tracking - Configuration: URL Filtering
•  Enable the service under Security Services > URL Filtering
•  Click the box for Enable URL Click Tracking, Submit, then Commit.

Web Interaction Tracking - Configuration: Outbreak Filters
•  Ensure IPAS or IMS is enabled under Security Services
•  Next, enable Click Tracking under Security Services > Outbreak Filters: click the box for Enable URL Click Tracking, Submit, then Commit.
•  Enable the URL Rewrite action for Outbreak Positive messages on the appropriate Incoming Mail Policy
Web Interaction Tracking - Reporting (screenshots of the report pages)

Web Interaction Tracking - Message Tracking
Message Tracking has been enhanced to search for URL Click Tracking events and specific URLs.
AMP / Local 'Sandboxing' with ThreatGrid
AMP - Architecture and Mail Flow

In the 9.5.x release AMP is positioned between Anti-Virus scanning and Graymail detection.

Same features of AMP as before:
•  File Reputation, File Analysis, Retrospection
•  But now: leveraging the ThreatGrid sandbox, which replaces the SourceFire sandbox

AMP - ThreatGrid Configuration
•  Configured under Security Services > File Reputation and Analysis
•  The File Analysis Server (ThreatGrid) URL is updated from the cloud
•  ESA is the first platform in the Content Security portfolio to integrate this
AMP with ThreatGrid Solution Architecture

•  Email enters the ESA and goes through pre-classification, with the local AV scanners running in parallel
•  AMP client / AMP connector: a disposition query for each file's hash goes to the Cisco Talos AMP File Reputation Cloud, answered from the local cache when possible; the cloud link also carries the heartbeat and retrospective verdicts
•  Sandbox connector: qualified files are uploaded for sandboxing, either to the Cisco cloud or to on-prem sandboxing

AMP - Decision Flow - ThreatGrid (diagram)
Local Sandboxing - Configuration
•  Local sandboxing is for when the cloud is not an option, for legal or contractual reasons
•  Configured under Security Services > File Reputation and Analysis: in the Advanced Settings for File Analysis section, select 'Private Cloud'
AMP - File Analysis Report Page
Three different disposition values:
•  Clean
•  Malicious
•  Unknown

File Analysis Details Report Page: shows the malicious SHA (the SHA-256 of the file)
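The architecture and the three disposition values above fit together in a small amount of logic, shown here as an added example (not Cisco AMP code): hash each attachment, answer from a local cache before asking the reputation cloud, treat Unknown files of a qualifying type as candidates for sandbox upload, and accept a retrospective verdict later. The reputation table, the qualifying MIME types, the attachments and the per-disposition actions are all constructed for the demo; in particular, what to do with an Unknown file while analysis is pending is a policy choice on the real appliance.

```python
"""AMP-style attachment handling: hash, cached reputation lookup, sandbox
pre-classification and retrospective verdicts. Added example, not Cisco
AMP code; reputation data and file-type policy are constructed.
"""
import hashlib

# Constructed stand-in for the File Reputation cloud: SHA-256 -> disposition.
CLOUD_REPUTATION = {
    hashlib.sha256(b"MZ\x90\x00known-bad-sample").hexdigest(): "Malicious",
    hashlib.sha256(b"%PDF-1.4 quarterly report").hexdigest(): "Clean",
}

# File types the policy allows to be uploaded for analysis (assumed list).
SANDBOX_QUALIFIED = {"application/x-msdownload", "application/pdf",
                     "application/msword", "application/zip"}

# Per-disposition action; 'Unknown' handling is policy-configurable on the appliance.
ACTIONS = {"Malicious": "drop", "Clean": "deliver", "Unknown": "deliver-and-analyze"}


class AmpClient:
    def __init__(self, cloud, cache=None):
        self.cloud = cloud
        self.cache = dict(cache or {})
        self.cloud_queries = 0
        self.sandbox_uploads = []

    def disposition(self, sha256):
        """Local cache first, then the cloud. Unknown is not cached, so the
        next sighting asks again and can pick up a newer verdict."""
        if sha256 in self.cache:
            return self.cache[sha256]
        self.cloud_queries += 1
        verdict = self.cloud.get(sha256, "Unknown")
        if verdict != "Unknown":
            self.cache[sha256] = verdict
        return verdict

    def handle_attachment(self, data, mime_type):
        """Return (sha256, disposition, action) and queue sandbox uploads."""
        sha = hashlib.sha256(data).hexdigest()
        verdict = self.disposition(sha)
        if verdict == "Unknown" and mime_type in SANDBOX_QUALIFIED:
            self.sandbox_uploads.append(sha)      # pre-classification passed
        return sha, verdict, ACTIONS[verdict]

    def retrospective(self, sha256, verdict):
        """A later cloud verdict for a file previously seen as Unknown."""
        self.cache[sha256] = verdict
        return ACTIONS[verdict]


# Constructed attachments: (bytes, declared MIME type).
ATTACHMENTS = [
    (b"MZ\x90\x00known-bad-sample", "application/x-msdownload"),
    (b"%PDF-1.4 quarterly report", "application/pdf"),
    (b"MZ\x90\x00never-seen-before", "application/x-msdownload"),
    (b"plain text notes", "text/plain"),
]


def run(client, attachments):
    return [client.handle_attachment(data, mt) for data, mt in attachments]


if __name__ == "__main__":
    c = AmpClient(CLOUD_REPUTATION)
    for sha, verdict, action in run(c, ATTACHMENTS):
        print(sha[:12], verdict, action)
    print("cloud queries:", c.cloud_queries, "sandbox uploads:", len(c.sandbox_uploads))
```

The retrospective path is the reason the report page keeps the SHA: when the sandbox later returns Malicious for a file that was delivered as Unknown, the hash is what lets you find every message that carried it.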
Performance Monitoring / Improvements

Tracking threats and end user actions

Graymail

Local ‘Sandboxing’ with ThreatGrid

Encryption
Encryption - TLS 1.2
For the management GUI (HTTPS), select TLS v1 in the SSL configuration; in this release that setting gives TLS v1.0 through v1.2 support.

Don’t turn off SSLv3 on inbound SMTP on a publicly facing MX. Be strict on your outbound, where you can choose your peers, but permissive on inbound to support legacy implementations: SMTP TLS is opportunistic, and a sending MTA whose handshake fails will normally fall back to delivering the message in the clear.
What is worse, a legacy protocol on inbound email, or incoming messages being delivered in the clear?
Caveat: SSLv3 has since been formally deprecated (RFC 7568), so treat this as a trade-off to re-check rather than a fixed rule; measure which versions your real senders negotiate before deciding where to set the floor.
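The inbound/outbound trade-off above is best decided from data: which protocol versions does a given MTA actually accept over STARTTLS? The script below is an added example, not part of the ESA or AsyncOS, written with Python's standard `smtplib` and `ssl` modules. It pins the client to one protocol version per connection and records whether the server negotiated it. The host name `mx.example.invalid` is a placeholder for your own MX; the probe needs network access, while the helper functions can be exercised offline.

```python
"""Probe which TLS protocol versions an SMTP server's STARTTLS accepts, so
the 'legacy protocol vs cleartext' decision on the slide rests on what your
senders and receivers really negotiate. Added example, not ESA code."""
import smtplib
import socket
import ssl
from typing import Dict

# Oldest first. SSLv3 is listed only so a probe can *detect* it being offered;
# modern OpenSSL builds usually cannot attempt it, which shows up as "unsupported".
VERSIONS = ["SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]


def pinned_context(version: str) -> ssl.SSLContext:
    """Client context that will negotiate exactly one protocol version.
    Certificate checks are off because the question is 'which version does
    the MTA speak', not 'is its certificate valid'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ver = getattr(ssl.TLSVersion, version)
    ctx.minimum_version = ver
    ctx.maximum_version = ver
    return ctx


def advertises_starttls(ehlo_response: bytes) -> bool:
    """True if the EHLO reply lists the STARTTLS extension (RFC 3207)."""
    return any(line.strip().upper() == "STARTTLS"
               for line in ehlo_response.decode("ascii", "replace").splitlines())


def probe(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Connect once per protocol version and record the outcome:
    'negotiated' (server accepted it), 'rejected' (handshake refused),
    'unsupported' (local OpenSSL cannot even try it), 'no STARTTLS'."""
    results: Dict[str, str] = {}
    for version in VERSIONS:
        try:
            ctx = pinned_context(version)
        except (ValueError, ssl.SSLError):
            results[version] = "unsupported"
            continue
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                _code, ehlo = smtp.ehlo()
                if not advertises_starttls(ehlo):
                    results[version] = "no STARTTLS"
                    break                       # nothing more to learn from this host
                smtp.starttls(context=ctx)
                results[version] = "negotiated"
        except (ssl.SSLError, smtplib.SMTPException, socket.error):
            results[version] = "rejected"
    return results


def worst_offered(results: Dict[str, str]) -> str:
    """Oldest protocol version the server negotiated, or '' if none did."""
    for version in VERSIONS:
        if results.get(version) == "negotiated":
            return version
    return ""


if __name__ == "__main__":
    # Placeholder host; point this at your own public MX (or a sender you care about).
    outcome = probe("mx.example.invalid")
    for ver, result in outcome.items():
        print(f"{ver:8s} {result}")
    print("oldest version negotiated:", worst_offered(outcome) or "none")
```

Run it against your own MX before and after changing the inbound SSL settings, and against your largest senders' MTAs: if none of them need anything below TLS 1.0, the permissive inbound setting is costing you nothing, and if some do, you now know who to talk to.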
Encryption - Zix Partnership

•  Goal of partnership: a replacement product for IEA (IronPort Encryption Appliance)
•  Improve standing in the Gartner MQ
   - Lack of on-premises encryption cited as reason for decline in 2014
•  Prevent ESA business from being captured by competitors with on-premises encryption offers

http://blog.zixcorp.com/2015/03/cisco-partners-with-zix-for-email-encryption/
Encryption - Timeline
Calendar years 2015 through 2019

•  Existing IEA customers only: Zix Encryption Appliance, followed by Cisco Zix Gateway 2.0+
•  New on-premises encryption customers: Cisco Zix Gateway 1.0+
Encryption - Zix Encryption Appliance Hardware

Hardware SKUs
•  CCS-ZEA200-K9  Zix EA Corporate Edition
•  CCS-ZEA400-K9  Zix EA Enterprise Edition
•  CCS-ZEAV-K9    Zix EA Virtual Appliance*

ZEA 200 specs: Intel Xeon E3-1220, 8GB RAM, 2x1TB SATA III 7200 rpm 64MB cache 2.5 in drives, SAS 2.0 RAID card, support included (no Smartnet)
ZEA 400 specs: Intel Xeon E5-2630, 16GB RAM, 2x1TB SATA III 7200 rpm 64MB cache 2.5 in drives, SAS 2.0 RAID card, support included (no Smartnet)

* The Virtual Appliance SKU is $0 and used for tracking purposes
Encryption - Zix Encryption Appliance Software Licenses
Software
•  L-ZEA-K9-LIC=
•  User tiers: 100-100,000+ users, as L-ZEA-1Y-S1 through L-ZEA-1Y-S12 (twelve tiers)
•  One license for all functionality
•  Up to a 24 month term
•  Activation services through Zix
Encryption - Zix Partnership for On-premises Encryption

Phase 0 (May 2015) - Zix version of IEA*
Zix is building a new version of the IEA on their own hardware which they will support. Customers will be purchasing new software subscription licenses and hardware. Only 1 and 3 year SKUs available for purchase.

Phase 1 (October 2015) - Cisco Zix Gateway 1.0
First version of the Zix Gateway in a custom build just for Cisco. Designed to work with ESA. Includes PXE encryption. No IEA migration tools. No Websafe support.

Phase 2 (April 2016) - Cisco Zix Gateway 2.0
Second version of the Zix Gateway which will include migration tools to migrate off IEA and support for Websafe.

*Not for new customers
Encryption - Zix Features Relative to CRES

Feature comparison between the Cisco Registered Envelope Service (CRES) and the Zix Gateway with Cisco Technology:
•  Supported by both: PostX Envelope Push Encryption, Mobile Support
•  Supported by one of the two products: Public Key Infrastructure, Secure Webmail Pull Encryption, S/MIME, S/MIME Gateway, Open PGP, Statement Delivery
•  Supported by neither: Secure File Transfer
Performance Monitoring / Improvements

Tracking threats and end user actions

Graymail

Local ‘Sandboxing’ with ThreatGrid

Encryption

Product Update and Roadmap
Product Update - Cloud Email Security 9.1 Update

•  Qualification imminent of 9.1 on C80x platforms
   ✓  9.1 evals can begin as soon as it’s qualified
   ✓  You MUST ask for 9.1 to be provisioned on the order form
•  Post qualification is the migration of the C801 >> C802 platform
   ✓  This will take approximately 7 weeks
•  AsyncOS for Email 9.1 mass upgrades for customers will happen after migration is complete
Product Update - Cloud Email Roadmap Priorities

Infrastructure
•  Centralized LDAP meta directory – LDAP cache in Cloud
•  SAML authentication for administration
•  Improved CES architecture to expand footprint, lower costs and extend down to 100 users
•  Expand DCs in Canada, Singapore and Germany
•  All new features to be either first introduced in cloud or at the same time as on premise

Order Processing
•  SW billing integration (related to SMART licensing) – support utility billing & pay-as-you-grow
•  Automated order processing and auto-provisioning

Security Features
•  Alternate DLP solution (RSA EoL)
•  Graymail management
•  URL click-tracking for re-written URLs
•  Real-time analysis of policy re-written URLs
•  Spam submission portal
Product Update - Email Security Roadmap Priorities
Drive SaaS Growth While Maintaining on-Prem Leadership

CLOUD
New Focus
•  Centralized LDAP meta directory – LDAP cache in Cloud
•  SAML authentication for administration
•  Improved CES architecture to expand footprint, lower costs and extend down to 100 users
•  Expand DCs in Canada, Singapore and Germany
•  SW billing integration (related to SMART licensing) – support utility billing & pay-as-you-grow
•  Automated order processing and auto-provisioning
Common (MTA Platform)
•  RSA DLP replacement
•  URL click-tracking for re-written URLs
•  Real-time analysis of policy re-written URLs
•  Spam submission portal

PREMISES
New Focus
•  x90 HW support
•  Critical customer requests
•  Maintenance
Common (MTA Platform)
•  Efficacy enhancements (AS & OF)
•  SMART Licensing
•  IOC feeds for FireSIGHT
•  Threat efficacy: exchange of AMP & OF verdicts
Version 10.0 - Feature List

•  URL Logging in Message Tracking: include URLs that violate Reputation and URL Categorization content filters in Message Tracking
•  Message Language Detection: use the language of the email message to determine which configured content filter action is applied
•  Message Digest Modification: suppress the message subject in spam notification messages
•  Mailbox Auto Remediation with O365: uses API calls and AMP Retrospection to take action on emails with attachments in an Office 365 user’s inbox that were later determined to be malicious
•  Improved AMP Reporting: give customers improved visibility into threats identified by the AMP engine
•  SAML Authentication: leverage corporate credentials via SAML for SMA End User Spam Quarantine access
•  Updateable ClamAV: use the updater service and separate ClamAV engine updates from AsyncOS updates
•  Spam Submission Tracking Portal: lets customers track submissions and the usability of messages sent to Cisco
Additional resources for information:
•  Support Forums
https://supportforums.cisco.com/community/5756/email-security

•  Customer Knowledgebase
https://supportforums.cisco.com/blog/12176911/updated-access-customer-knowledge-base

•  Partner Collateral and Tools
https://www.ciscopartnermarketing.com/Orgs/Initiative.aspx?id=2145
The more work you do ahead of time, the easier the evaluation will be.
•  Identify the customer network and email solution topology
•  Set expectations appropriately – control the scope of the evaluation
•  Show features and functionality needed to close the deal
•  Contact your Cisco rep for 1st time evals or complexities
When using the ESA with a 3rd-party email gateway solution, the ESA should be on the outside of that solution (closest to the Internet) to show the power of SBRS: reputation is keyed on the connecting IP, so the ESA must see the original sender, not the other gateway.
Beware of missed spam – use Marketing Message Detection and/or IMS.
If the ESA is in the middle we’ll show better anti-spam efficacy – catch what they miss – but won’t show much blocked by reputation, because every connection arrives from the 3rd-party gateway’s address.

[Diagram, two topologies. Left: Internet -> Cisco IronPort ESA -> 3rd Party Email Gateway -> Mail Server. Right: Internet -> Email Gateway -> Cisco IronPort ESA -> Mail Server.]
Putting the appliances in parallel with an additional MX record will allow for the best testing.
Great for inbound testing. For outbound, the mail server may only allow one smarthost, so you may need to direct all outbound through the IronPort appliance.
This is the typical way to test and allows for use of both systems with an easy way to migrate off the old solution.

[Diagram: Internet -> Cisco IronPort ESA and Email Gateway in parallel, each with its own MX record -> Mail Server.]
•  Configure the ESA to pass through all email; discuss with the customer the benefits of dropping via SBRS versus accepting all connections.
•  Insert X-headers showing SBRS
•  Insert X-headers showing Mail Flow Policy
•  Positive spam, Suspect spam, Marketing Messages: set all Incoming Mail Policy actions to Deliver, so verdicts are recorded rather than enforced
•  Have the customer write rules in the existing gateway to record emails missed by the existing solution.
•  Examine Overview Reports

[Diagram: Internet -> Cisco ESA -> Existing Email Gateway -> Mail Server.]

Message filter that stamps the SBRS score and the sender group / mail flow policy on every message not received from the RELAYLIST sender group:

    add_SBRS_Policy: if (sendergroup != "RELAYLIST") {
        insert-header("X-Ironport-SBRS", "$REPUTATION");
        insert-header("X-Ironport-Group-Policy", "$GROUP-$POLICY");
    }
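Once the filter above has stamped a few days of mail, the evaluation question is concrete: what would a reputation block at a given SBRS score have rejected, and how much of that did the incumbent gateway miss? The script below is an added example, not ESA/AsyncOS code and not a Cisco tool. It parses the two headers the filter inserts; the other two header names are assumptions, `X-Ironport-Spam-Verdict` standing for whatever verdict header you configure on the ESA's anti-spam actions and `X-Incumbent-Spam-Flag` for whatever tag the existing gateway adds. The sample messages and the default sender group / policy names are constructed for the example, and the -3.0 block threshold is simply the value chosen here.

```python
"""Score the pass-through PoC from the X-headers the message filter stamps:
bucket delivered mail by SBRS, show what an SBRS block threshold would have
rejected, and count ESA spam verdicts the incumbent gateway did not flag.
Added example; header names other than the filter's two are assumptions."""
from collections import Counter
from dataclasses import dataclass
from email import message_from_string
from typing import Dict, Iterable, Optional

SBRS_HEADER = "X-Ironport-SBRS"                 # inserted by the filter on the slide
POLICY_HEADER = "X-Ironport-Group-Policy"       # inserted by the filter on the slide
VERDICT_HEADER = "X-Ironport-Spam-Verdict"      # assumed custom header: positive/suspect/marketing
INCUMBENT_HEADER = "X-Incumbent-Spam-Flag"      # assumed tag set by the existing gateway


@dataclass
class Sample:
    sbrs: Optional[float]        # None when the sender had no score
    group_policy: str
    verdict: str                 # '' when the ESA gave no spam verdict
    incumbent_flagged: bool


def parse_sample(raw: str) -> Sample:
    """Pull the four headers out of one RFC 822 message."""
    msg = message_from_string(raw)
    try:
        sbrs = float((msg.get(SBRS_HEADER) or "").strip())
    except ValueError:
        sbrs = None                               # e.g. the literal string "None"
    return Sample(
        sbrs=sbrs,
        group_policy=(msg.get(POLICY_HEADER) or "").strip(),
        verdict=(msg.get(VERDICT_HEADER) or "").strip().lower(),
        incumbent_flagged=(msg.get(INCUMBENT_HEADER) or "").strip().upper() == "YES",
    )


def sbrs_bucket(score: Optional[float]) -> str:
    """Coarse buckets over the -10..+10 SBRS range."""
    if score is None:
        return "unscored"
    if score < -3.0:
        return "-10 .. -3"
    if score < 0.0:
        return "-3 .. 0"
    if score < 3.0:
        return "0 .. 3"
    return "3 .. 10"


def poc_report(samples: Iterable[Sample], block_below: float = -3.0) -> Dict[str, object]:
    """Summarise what a reputation block at `block_below` would have done and
    how much spam the incumbent missed that the ESA verdict caught."""
    samples = list(samples)
    would_block = [s for s in samples if s.sbrs is not None and s.sbrs < block_below]
    esa_spam = [s for s in samples if s.verdict in ("positive", "suspect")]
    missed = [s for s in esa_spam if not s.incumbent_flagged]
    # Blocked by reputation with no spam verdict from either side: review these by hand.
    unverdicted_blocks = [s for s in would_block if s.verdict == "" and not s.incumbent_flagged]
    return {
        "total": len(samples),
        "by_sbrs_bucket": dict(Counter(sbrs_bucket(s.sbrs) for s in samples)),
        "would_block_by_reputation": len(would_block),
        "blocked_that_incumbent_also_flagged": sum(s.incumbent_flagged for s in would_block),
        "blocked_with_no_spam_verdict_anywhere": len(unverdicted_blocks),
        "esa_spam_verdicts": len(esa_spam),
        "esa_spam_missed_by_incumbent": len(missed),
        "policies_seen": dict(Counter(s.group_policy for s in samples)),
    }


# Constructed sample headers, shaped as the filter on the slide would stamp them.
SAMPLE_MESSAGES = [
    f"{SBRS_HEADER}: -7.2\n{POLICY_HEADER}: SUSPECTLIST-THROTTLED\n{VERDICT_HEADER}: positive\n{INCUMBENT_HEADER}: YES\nSubject: cheap meds\n\nbody",
    f"{SBRS_HEADER}: -4.5\n{POLICY_HEADER}: SUSPECTLIST-THROTTLED\n{VERDICT_HEADER}: positive\n{INCUMBENT_HEADER}: NO\nSubject: your account\n\nbody",
    f"{SBRS_HEADER}: -3.4\n{POLICY_HEADER}: SUSPECTLIST-THROTTLED\nSubject: newsletter\n\nbody",
    f"{SBRS_HEADER}: 1.8\n{POLICY_HEADER}: UNKNOWNLIST-ACCEPTED\n{VERDICT_HEADER}: suspect\n{INCUMBENT_HEADER}: NO\nSubject: invoice attached\n\nbody",
    f"{SBRS_HEADER}: 6.3\n{POLICY_HEADER}: WHITELIST-TRUSTED\nSubject: Q3 numbers\n\nbody",
    f"{SBRS_HEADER}: None\n{POLICY_HEADER}: UNKNOWNLIST-ACCEPTED\n{VERDICT_HEADER}: marketing\nSubject: 20% off\n\nbody",
]


def demo_report() -> Dict[str, object]:
    return poc_report(parse_sample(m) for m in SAMPLE_MESSAGES)


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

The line to watch in the customer conversation is `blocked_with_no_spam_verdict_anywhere`: those are the messages a reputation cutoff would have rejected that nobody called spam, so they are either the false positives that argue for a gentler threshold or, after inspection, the senders the incumbent was quietly letting through.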
Thank you.