
Describing the Cisco Email Security Appliance

1 Cisco Email Security Appliance Overview


MTA - Mail Transfer Agent (the email server on the internet) tries to send email to our ESA.

The MTA starts the connection with a TCP handshake followed by an SMTP conversation.

When an MTA wants to send email to our organization, the ESA immediately (in real time) consults TALOS to check the sender's reputation. A bad actor:
drop the connection. A so-so reputation: we accept the connection, but we put more checks on it.

Let's assume the IP address of the sender is unknown, i.e. we query TALOS and it does not know about this IP address.

Then the email is checked by dynamic anti-spam: the ESA looks at the content of the email and classifies it as definite spam, probable spam,
or not spam.

The next check is anti-virus (Sophos or McAfee): if the attachment is virus infected it is dropped, otherwise the email continues.

Then the email is checked by Advanced Malware Protection (AMP): the ESA calculates the SHA-256 fingerprint of the attachment, queries the
AMP cloud and receives a reputation score (clean, infected, unknown).

For unknown attachments the ESA can be configured to upload a copy of the email to the sandbox for inspection while the original copy goes to
quarantine until we get our answer: if infected we drop it, if clean it is on its way.

The next step is to analyze the email with outbreak filters. Outbreak filters kick in when TALOS is suspicious about an email, e.g. a new IP
address suddenly starts sending hundreds of thousands of emails. What TALOS does is notify all the ESAs around the world in real time
("if you get an email with subject SHARK, just put it in quarantine; we are investigating it").

Email Filtering:

Upon receiving an email the ESA decides: who is sending me email? Is it someone reputable or not? If not reputable, it will not even accept the SMTP
conversation.
If the sender has a so-so or good reputation, we accept the email and the job of your ESA is to decide whether the email and its attachment are good,
bad or gray ("unknown email").
If the sender is unknown, the ESA applies more throttling to it.
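The inbound checks described above (sender reputation, anti-spam, anti-virus, AMP hash lookup, sandbox quarantine, outbreak filter) can be followed in a small model. The code below is an added example written for these notes, not Cisco's code: the reputation table, AV signature, AMP hash table, outbreak keyword and the spam-word heuristic are all constructed stand-ins for the real TALOS, Sophos/McAfee and AMP cloud services, and the Message class and process() function are hypothetical names.

```python
"""Toy model of the ESA inbound pipeline. All tables below are constructed
stand-ins for the TALOS, anti-virus and AMP cloud lookups an ESA really makes."""
import hashlib
from dataclasses import dataclass

# Constructed sender-reputation table (stands in for the TALOS query).
REPUTATION = {
    "198.51.100.7": "bad",
    "203.0.113.9": "so-so",
    "192.0.2.10": "good",
}

# Constructed anti-virus signature (stands in for the Sophos/McAfee engine).
AV_SIGNATURES = [b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"]

# Constructed AMP reputation table keyed by the SHA-256 fingerprint of the attachment.
AMP_REPUTATION = {
    hashlib.sha256(b"quarterly-report").hexdigest(): "clean",
    hashlib.sha256(b"dropper-payload").hexdigest(): "infected",
}

# Constructed outbreak rule: a subject TALOS has told every ESA to quarantine.
OUTBREAK_SUBJECTS = {"shark"}


@dataclass
class Message:
    sender_ip: str
    subject: str
    body: str
    attachment: bytes = b""


def sender_reputation(ip):
    """Reputation verdict for the connecting MTA: bad / so-so / good / unknown."""
    return REPUTATION.get(ip, "unknown")


def antispam_verdict(msg):
    """Crude content heuristic standing in for the dynamic anti-spam engine."""
    hits = sum(w in msg.body.lower() for w in ("free", "winner", "click now"))
    if hits >= 3:
        return "definite spam"
    if hits == 2:
        return "probable spam"
    return "not spam"


def antivirus_infected(attachment):
    return any(sig in attachment for sig in AV_SIGNATURES)


def amp_reputation(attachment):
    """Fingerprint the attachment and look the hash up, as AMP does."""
    return AMP_REPUTATION.get(hashlib.sha256(attachment).hexdigest(), "unknown")


def process(msg):
    """Run one message through the pipeline; return (final action, list of stages)."""
    trace = []
    rep = sender_reputation(msg.sender_ip)
    trace.append(f"reputation={rep}")
    if rep == "bad":
        return "connection dropped", trace      # no SMTP conversation at all
    if rep in ("so-so", "unknown"):
        trace.append("throttled")               # accepted, but with more checks
    spam = antispam_verdict(msg)
    trace.append(f"antispam={spam}")
    if spam == "definite spam":
        return "dropped (spam)", trace
    if msg.attachment:
        if antivirus_infected(msg.attachment):
            trace.append("antivirus=infected")
            return "dropped (virus)", trace
        trace.append("antivirus=clean")
        amp = amp_reputation(msg.attachment)
        trace.append(f"amp={amp}")
        if amp == "infected":
            return "dropped (AMP)", trace
        if amp == "unknown":
            # original held in quarantine while a copy goes to the sandbox
            return "quarantined (sandbox pending)", trace
    if msg.subject.lower() in OUTBREAK_SUBJECTS:
        trace.append("outbreak=match")
        return "quarantined (outbreak filter)", trace
    return "delivered", trace


if __name__ == "__main__":
    for m in (Message("198.51.100.7", "hi", "x"),
              Message("203.0.113.9", "doc", "see attached", b"not-seen-before")):
        print(process(m))
```

The order of the checks mirrors the notes: reputation is decided before any content is looked at, the hash lookup happens only after anti-virus has passed, and an unknown AMP verdict parks the message rather than delivering it.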

2 SMTP Conversation and ESA Pipeline


Other things we see in the header are x-headers (extended headers).

Every time the ESA matches a rule on an email you can have your Cisco ESA add an entry (e.g. "email was processed by AV").
The advantage of adding the x-header is that you can search emails based on it.
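To show what stamping and searching on an x-header looks like, here is an added example (not the ESA's own code and not Cisco's header names): it uses Python's standard email library to add a hypothetical X-ESA-Stage header to a constructed RFC 5322 message at each stage and then finds messages in a mailbox that carry a given stamp.

```python
"""Add an x-header per processing stage and search a mailbox on it.
X-ESA-Stage is a hypothetical header name; the sample message is constructed."""
from email import policy
from email.parser import Parser

STAMP_HEADER = "X-ESA-Stage"   # hypothetical name chosen for this example

# Constructed minimal message as it would arrive over SMTP.
SAMPLE = (
    "From: sender@example.net\r\n"
    "To: user@example.com\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body text\r\n"
)


def stamp(raw, stage):
    """Parse a raw message, append one stamp header, return the new raw text.
    Assignment on an EmailMessage adds another instance, so earlier stamps survive."""
    msg = Parser(policy=policy.default).parsestr(raw)
    msg[STAMP_HEADER] = stage
    return msg.as_string()


def stages(raw):
    """All stamps on a message, in the order they were added."""
    msg = Parser(policy=policy.default).parsestr(raw)
    return [str(v) for v in msg.get_all(STAMP_HEADER, [])]


def search(mailbox, stage):
    """Indexes of messages in the mailbox that carry the given stamp."""
    return [i for i, raw in enumerate(mailbox) if stage in stages(raw)]


if __name__ == "__main__":
    processed = stamp(stamp(SAMPLE, "AV=clean"), "AMP=clean")
    print(stages(processed))
    print(search([SAMPLE, processed], "AMP=clean"))
```

Because each stage adds its own header instance instead of overwriting the previous one, a later search on a mailbox can answer "which messages passed anti-virus but were never fingerprinted by AMP?" simply by comparing the header lists.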

The email pipeline is all the hoops your email goes through before being delivered to your Exchange server.
The ESA listens on port 25, so it is acting as an SMTP server.

Another way of presenting the email pipeline.


3 ESA installation scenario and Initial configuration

The ESA will be behind a firewall.

Best practice is to locate your ESA in your DMZ.

One queue per domain.
