Cisco Email Security

Appliance (ESA)
Mohamed Maklad
Cybersecurity Services Consultant
CCIE Security # 55128
Agenda
• Email Concepts
• Email Flow
• Cisco ESA Business Needs
• ESA Technology Overview
• Cisco ESA Deployment Modes
• Cisco ESA Hardware Overview
• Cisco ESA Configuration Steps
• Cisco ESA HAT table
• Cisco ESA RAT table
• Cisco ESA Licensing

5
Email Concepts
SMTP (Simple Mail Transfer Protocol):
is a widely used TCP protocol for email sending. The
SMTP protocol is mainly used by the clients to send
emails to the servers or for the email communications
between servers.

POP3 (Post Office Protocol)

is a user-friendly method of accessing mailboxes.
Version 3 is the most widely used version of this
standard. POP3 transfers emails from the server to
the client.
IMAP (Internet Message Access Protocol)
is a protocol for receiving emails from a server. It keeps the email
on the server after being delivered. Also, it doesn't download the
entire email until the recipient opens it.
Email Concepts
Mail User Agent (MUA):
A Mail User Agent (MUA) is an email client application. An MUA allows a user to read and
compose email messages. Many MUAs are capable of retrieving messages via the POP3 or
IMAP protocols, setting up mailboxes to store messages, and sending outbound messages to
an MTA. Microsoft Outlook and Apple mail are examples of MUAs.

Mail Transport Agent (MTA):

Mail Transport Agent is an intermediate hop that processes emails, also know as mail relay.

Mail Delivery Agent (MDA)

MDA is a component in the MTA which handles a message for delivery to the point where
it can be read by an email client application
Email Concepts (Continue)
Mail eXchanger Record (MX record)
MX record is used to specify the mail server responsible for accepting email messages on
behalf of a domain name. It is a resource record in the Domain Name System (DNS). It is
possible to configure several MX records, typically pointing to an array of mail servers for
redundancy.
Email Concepts (Continue)
Mail eXchanger Record (MX record)

When an e-mail message is sent through the Internet, the sending mail transfer agent (MTA)
queries the Domain Name System for the MX records of each recipient’s domain name. This query
returns a list of hostnames of mail exchange servers accepting incoming mail for that domain and
their preferences. The sending agent then attempts to establish an SMTP connection, trying the
host with the lowest "Priority" value first.
Email Flow
Mail Security Gateway Business Needs
• Most successful cyberattacks start with a phishing link in an email or with a
compromised attachment. The traditional, single-layer defense approach is no longer
enough.
• The Email Security Gateway serves as the entry point for emails coming from outside
the organization, shielding the email infrastructure and users from unsolicited emails
using multilayer protection. Custom policies, such as those against unsafe
attachments, are applied to protect users. Policies to ensure message integrity are
also easily enforced
Cisco ESA Technology Overview

• The ESA protects the email infrastructure

and the employees who use email at work.

• ESA integrates into the existing email

infrastructures easily with a high degree of
flexibility.

• It does this by acting as a Mail Transfer

Agent (MTA), or mail relay, along the email
delivery chain..
Cisco ESA Technology Overview (Continue)
Filtering Spam

There are two ways to filter spam using Cisco ESA:

✓ Reputation-based filtering.

✓ Context-based filtering.
Cisco ESA Technology Overview (Continue)
Reputation-Based Filtering
Reputation filters provide the first layer of defense by looking at the source IP address of the
email server and comparing this to the reputation data downloaded from Cisco SenderBase.

SenderBase is the world’s largest repository for security data including spam sources, botnets,
and other malicious hosts. When hosts on the Internet engage in malicious activity, SenderBase
lowers the reputation of that host.
Devices that use reputation filtering, like Cisco Email Security Appliance (ESA), receive updates
from SenderBase several times a day. When ESA receives an email, it compares the source IP to
the SenderBase database. If the reputation of the sender is:

• Positive, the email gets forwarded on to the next layer of defense.

• Negative, the email is discarded.
• In between, the email is considered suspicious, is quarantined, and must wait for inspection
before being delivered.
Cisco ESA Technology Overview (Continue)
Context-Based Filtering

Context-based anti-spam inspection in ESA inspects the entire mail message, including
attachments, looking for details like sender identity, message contents, embedded
URLs, and email formatting. Using these algorithms, the ESA can identify spam
messages without blocking legitimate email.
Cisco ESA Technology Overview (Continue)
Fighting Viruses and Malware

Cisco Email Security Appliance uses a multilayer approach to fight viruses

and malware:

➢ The first layer is the Virus Outbreak Filters which are downloaded from SenderBase by
the appliance. They contain a list of known bad mail servers. These filters are
generated by watching global email traffic patterns and looking for anomalies
associated with an outbreak. When an email is received from a server on this list, it is
kept in quarantine until the anti-virus signatures are updated to counter the current
threat.

➢ The ESA second layer of defense involves using AV signatures to scan quarantined
emails to ensure that they do not carry viruses into the network.
Cisco ESA Deployment Modes
Cisco ESA can be deployed:

• With a single physical interface to

filter email to and from the agency’s
mail servers.

• Using a two-interface configuration,

one for email transfers to and from the
Internet and the other for email
transfers to and from the internal
servers.
Cisco ESA Hardware Overview

Cisco ESA C190, C390, C690

Cisco ESA Configuration Steps

Before you begin the ESA deployment, you need to prepare the following :

❑ Configure the required Firewall access rules and static NAT

❑ Configure the DNS and MX Record with the required preferences

❑ Complete the initial configuration of the box

❑ Configure the system updates and feature keys

❑ Set the Host Access table (HAT) and Receipt Access Table (RAT) policies

❑ Enabling the security services on the box

Cisco ESA Host Access Table (HAT)
For every configured listener, you must define a set of rules that control incoming
connections from remote hosts. For example, you can define remote hosts and whether
they can connect to the listener. AsyncOS allows you to define which hosts are allowed
to connect to the listener using the Host Access Table (HAT).
Cisco ESA Recipient Access Table (RAT)

AsyncOS uses a Recipient Access Table (RAT) for each public listener to manage
accept and reject actions for recipient addresses. Recipient addresses include these:
• Domains
• Email addresses
• Groups of email addresses
Cisco ESA Licensing
Thank you