
Page 2: Email Security Deployment Guide - Cisco · • Sales partners who sell new technology or who create implementation documentation • Trainers who need material for classroom instruction

Email Security Deployment Guide

February 2012 Series


Preface

Who Should Read This Guide

This Cisco® Smart Business Architecture (SBA) guide is for people who fill a variety of roles:

• Systems engineers who need standard procedures for implementing solutions

• Project managers who create statements of work for Cisco SBA implementations

• Sales partners who sell new technology or who create implementation documentation

• Trainers who need material for classroom instruction or on-the-job training

In general, you can also use Cisco SBA guides to improve consistency among engineers and deployments, as well as to improve scoping and costing of deployment jobs.

Release Series

Cisco strives to update and enhance SBA guides on a regular basis. As we develop a new series of SBA guides, we test them together, as a complete system. To ensure the mutual compatibility of designs in Cisco SBA guides, you should use guides that belong to the same series.

All Cisco SBA guides include the series name on the cover and at the bottom left of each page. We name the series for the month and year that we release them, as follows:

month year Series

For example, the series of guides that we released in August 2011 are the “August 2011 Series”.

You can find the most recent series of SBA guides at the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

How to Read Commands

Many Cisco SBA guides provide specific details about how to configure Cisco network devices that run Cisco IOS, Cisco NX-OS, or other operating systems that you configure at a command-line interface (CLI). This section describes the conventions used to specify commands that you must enter.

Commands to enter at a CLI appear as follows:

configure terminal

Commands that specify a value for a variable appear as follows:

ntp server 10.10.48.17

Commands with variables that you must define appear as follows:

class-map [highest class name]

Commands shown in an interactive example, such as a script or when the command prompt is included, appear as follows:

Router# enable

Long commands that line wrap are underlined. Enter them as one command:

wrr-queue random-detect max-threshold 1 100 100 100 100 100 100 100 100

Noteworthy parts of system output or device configuration files appear highlighted, as follows:

interface Vlan64 ip address 10.5.204.5 255.255.255.0

Comments and Questions

If you would like to comment on a guide or ask questions, please use the forum at the bottom of one of the following sites:

Customer access: http://www.cisco.com/go/sba

Partner access: http://www.cisco.com/go/sbachannel

An RSS feed is available if you would like to be notified when new comments are posted.


Table of Contents

What’s In This SBA Guide . . . 1
  About SBA . . . 1
  About This Guide . . . 1

Introduction . . . 2
  Business Overview . . . 2
  Technology Overview . . . 2

Deployment Details . . . 4
  Preparing for Cisco ESA Deployment . . . 4
  Configuring the Internet Edge Firewall Email DMZ . . . 5
  Completing the Basic Cisco ESA Deployment . . . 13
  Enabling Mail Policies . . . 18
  Maintaining Cisco ESA . . . 19

Appendix A: Product List . . . 20


ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, “DESIGNS”) IN THIS MANUAL ARE PRESENTED “AS IS,” WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.


What’s In This SBA Guide

About SBA

Cisco SBA helps you design and quickly deploy a full-service business network. A Cisco SBA deployment is prescriptive, out-of-the-box, scalable, and flexible.

Cisco SBA incorporates LAN, WAN, wireless, security, data center, application optimization, and unified communication technologies—tested together as a complete system. This component-level approach simplifies system integration of multiple technologies, allowing you to select solutions that solve your organization’s problems—without worrying about the technical complexity.

For more information, see the How to Get Started with Cisco SBA document:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Borderless_Networks/Smart_Business_Architecture/SBA_Getting_Started.pdf

About This Guide

This additional deployment guide includes the following sections:

• Business Overview—The challenge that your organization faces. Business decision makers can use this section to understand the relevance of the solution to their organizations’ operations.

• Technology Overview—How Cisco solves the challenge. Technical decision makers can use this section to understand how the solution works.

• Deployment Details—Step-by-step instructions for implementing the solution. Systems engineers can use this section to get the solution up and running quickly and reliably.

This guide presumes that you have read the prerequisites guides, as shown on the Route to Success below.


Route to Success

To ensure your success when implementing the designs in this guide, you should read any guides that this guide depends upon, shown to the left of this guide on the route above. Any guides that depend upon this guide are shown to the right of this guide.

For customer access to all SBA guides: http://www.cisco.com/go/sba

For partner access: http://www.cisco.com/go/sbachannel

Route to Success (figure): Foundation Design Overview > Foundation Deployment Guide > Email Security Deployment Guide (You are Here). The Foundation Design Overview and the Foundation Deployment Guide are the prerequisite guides.


Introduction

Business Overview

Due to a business need for functional and reliable email, an email security solution becomes a requirement. This solution must handle the common threats without introducing new issues like blocking legitimate emails.

The two major threats to your organization’s email system are:

• Floods of unsolicited and unwanted email, called spam, that waste employee time through sheer volume and use valuable resources like bandwidth and storage.

• Malicious email that comes in two basic forms: embedded attacks, which include viruses and malware that perform actions on the end device when clicked, and phishing attacks, which try to mislead employees into releasing sensitive information like credit card numbers, social security numbers, or intellectual property. Phishing attacks might direct employees to inadvertently browse malicious websites that distribute additional malware to computer endpoints.

Email will become unusable if spam (unsolicited and unwanted email) is not filtered properly. The sheer volume of spam messages can crowd out legitimate mail. A side effect of some anti-spam solutions is false positives, or email that is incorrectly identified as spam. When this occurs, the organization must expend resources to sift through the junk email looking for legitimate messages or reduce the level of filtering, which allows more messages to go to users, making the user responsible for determining whether emails are spam.

Technology Overview

Cisco IronPort Email Security Appliance (ESA) protects the email infrastructure and the employees who use email at work. The appliance integrates into existing email infrastructures easily with a high degree of flexibility. It does this by acting as a mail transfer agent (MTA), or mail relay, along the email delivery chain.

This guide describes an appliance deployment with a single physical interface that filters email to and from the organization’s mail servers.

A normal email exchange, when an organization is using an MTA, might look like the email message flow depicted in Figure 1.

Figure 1 - Email Message Flow

A Cisco ESA appliance uses a variety of mechanisms for spam and antivirus filtering.


Filtering Spam

There are two ways to filter spam: reputation-based filtering and context-based filtering.

One technique used to combat spam and phishing attacks is reputation-based filtering checks. If a server is a known spam sender, then it is more likely that email coming from that server is spam compared to a host that does not have a reputation for distributing spam. Similar processes can be applied to emails carrying viruses and other threats.

The goal of the solution is to filter out positively identified spam and quarantine or discard emails sent from untrusted or potentially hostile locations. Anti-virus (AV) scanning is applied to emails and attachments from all servers to remove known malware.

Reputation filters provide the first layer of defense by looking at the source IP address of the email server and comparing this to the reputation data downloaded from Cisco SenderBase. SenderBase is the world’s largest repository for security data, including spam sources, botnets, and other malicious hosts. When hosts on the Internet engage in malicious activity, SenderBase lowers the reputation of that host. Devices that use reputation filtering, like Cisco ESA, receive updates from SenderBase several times a day. When the Cisco ESA appliance receives an email, it compares the source IP to the SenderBase database (see Figure 2). If the reputation of the sender is:

• Positive, the email gets forwarded on to the next layer of defense.

• Negative, the email is discarded.

• In between, the email is considered suspicious, is quarantined, and must wait for inspection before being delivered.

Context-based anti-spam filters in the appliance inspect the entire mail message, including attachments, looking for details such as sender identity, message contents, embedded URLs, and email formatting. Using these algorithms, the appliance can identify spam messages without blocking legitimate email.

Figure 2 - Email Filtering Overview

Fighting Viruses and Malware

Cisco ESA uses a multilayer approach to fight viruses and malware.

The first layer is the virus outbreak filters, which the appliance downloads from SenderBase. They contain a list of known bad mail servers. These filters are generated by watching global email traffic patterns and looking for anomalies associated with an outbreak. When an email is received from a server on this list, it is kept in quarantine until the anti-virus signatures are updated to counter the current threat.

The Cisco ESA appliance’s second layer of defense involves using AV signatures to scan quarantined emails, to ensure that they do not carry viruses into the network.


Deployment Details

This section describes how you deploy Cisco ESA in Cisco SBA. Here, you configure Cisco ESA for basic network access and build and apply an anti-spam and anti-virus policy. You modify the Domain Name System (DNS) to support the appliance, update the appliance software, and install the feature keys for the appliance.

You make some slight policy changes, but a detailed policy configuration discussion, troubleshooting, and ongoing monitoring are beyond the scope of this document. You should direct your questions about policy migration and advanced policy creation for the Cisco ESA appliance to your trusted Cisco IronPort partner or reseller or your Cisco account team.

The Cisco ESA deployment is designed to be as easy as possible. It is deployed into your existing mail delivery chain as a mail transfer agent. The Cisco ESA appliance is the destination of the organization’s email; as such, the public mail transfer (MX) records (the DNS record that defines where to send mail) must eventually point to the appliance’s public IP address.

In this deployment guide, the appliance is physically deployed on the DMZ of the Internet Edge firewall using a single interface for simplicity (see Figure 3). This interface handles all incoming and outgoing email and carries management traffic. The port on the appliance is the M1 management interface.

Figure 3 - Deployment Overview

It is important that the appliance be accessible via the public Internet and that the appliance is the “first hop” in your email infrastructure. Several of the appliance’s processes use the sender’s IP address, and that address is one of the primary identifiers SenderBase uses to determine the sender’s reputation. If another device receives mail before forwarding it to the Cisco ESA appliance, the appliance will not be able to determine the sender’s IP address and filtering cannot be applied properly.

Preparing for Cisco ESA Deployment

Process

1. Configure the DMZ switch

Before you begin Cisco ESA deployment, you need to configure the DNS.

The Cisco ESA appliance’s hostname is the name carried in the DNS’s MX record, and it indicates that the appliance is the primary MTA. The DNS A (IP address) record corresponds to the IP address that Cisco Adaptive Security Appliance (ASA) is statically translating to the appliance’s address in the DMZ.

Procedure 1 Configure the DMZ switch

The Cisco ESA appliance is connected to an access port associated with a DMZ VLAN that is dedicated for DMZ email services.

Step 1: Add the email DMZ VLAN to the DMZ switch’s VLAN database.

vlan 1165
 name mail-dmz

Step 2: Add the VLAN to the trunks that connect to the Cisco ASA appliances’ DMZ ports.

interface range GigabitEthernet1/0/24,GigabitEthernet2/0/24
 switchport trunk allowed vlan add 1165


Step 3: Configure the DMZ switch port where the Cisco ESA will be connected as an access port.

interface GigabitEthernet1/0/13
 description Email Security Appliance access port
 switchport mode access
 switchport access vlan 1165

Configuring the Internet Edge Firewall Email DMZ

Process

1. Configure the email DMZ interface

2. Add DMZ NAT rule to Cisco ASA

3. Add DMZ Firewall Rules to ASA

An additional step is required to allow Internet connectivity for the appliance. The DMZ network uses private network (RFC 1918) addressing that is not Internet-routable, so the Cisco ASA must translate the Cisco ESA address to an outside public address. For this configuration, you create a static translation of Cisco ESA’s DMZ address to a public IP address that can be routed on the Internet.

Table 1 - Email Security Appliance IP Address Translation Information

DMZ Address of Cisco ESA    Outside Address of ESA
192.168.65.50               172.16.30.20

While you apply the address translation configuration described in this portion of the document, Cisco ASA applies its default access rule set that permits traffic from higher-security interfaces to lower-security interfaces. Review your expected traffic carefully; if you cannot allow some or all traffic that is allowed by the default rules, you should shut down the various device interfaces until you have completely configured your firewall rule set.

Procedure 1 Configure the email DMZ interface

First, you add an additional VLAN to the DMZ trunk port, GigabitEthernet 0/1, to provide connectivity for Cisco ESA in the email DMZ.

Step 1: In ASDM, browse to Configuration > Device Setup > Interfaces, click Add, and choose Interface.


Step 2: In the Add Interface window, enter the following configuration details:

• Hardware Port—GigabitEthernet0/1

• VLAN ID—1165

• Subinterface ID—1165

• Interface Name—Email-DMZ

• Security Level—50

• Dedicate This Interface to Management Only—unchecked

• Enable Interface—checked

• Description—EmailDMZ

• IP Address—192.168.65.1

• Subnet Mask—255.255.255.0

Step 3: Click OK. You return to Configuration > Device Setup > Interfaces.

Step 4: Click Apply.

Step 5: Navigate to Configuration > Device Management > High Availability > Failover, and then select the Interfaces tab.

Step 6: Find the Email-DMZ interface, select its Monitored check box, and then click Apply.

The preceding steps apply this configuration.

interface GigabitEthernet0/1.1165
 vlan 1165
 no shutdown
 description Email DMZ
 nameif Email-DMZ
 security-level 50
 ip address 192.168.65.1 255.255.255.0
!
monitor-interface Email-DMZ


Procedure 2 Add DMZ NAT rule to Cisco ASA

To expose Cisco ESA to the Internet, Cisco ASA must carry a NAT rule that translates the Cisco ESA appliance’s private addresses used in the email DMZ to the routable address on Cisco ASA’s outside interface.

Step 1: In ASDM, browse to Configuration > Firewall > NAT Rules, click Add, and select Add “Network Object” NAT Rule.

Step 2: In the Add Network Object window, enter the following configuration details:

• Name—ESA-Private

• Type—Host

• IP Address—192.168.65.50

• Description—ESAPrivateAddress

Step 3: Next to NAT, click the drop-down to reveal the NAT configuration settings.

• Ensure that Add Automatic Address Translation Rules is checked.

• In the Type list, choose Static.

• Click the ellipses (…) next to Translated Address.

Step 4: In the Browse Translated Addr window, click Add, and select Network Object.

Step 5: In the Add Network Object window, enter the following configuration details, then click OK:

• Name—ESA-Public

• Type—Host

• IP Address—172.16.30.20

• Description—ESAPublicAddress


Step 6: Click OK. You return to the Browse Translated Address window.

Step 7: Select the host that you just defined.

Step 8: Click OK. You return to the initial Add Network Object window.

Step 9: Review the configuration.

Step 10: Click OK. You return to Configuration > Firewall > NAT Rules.


Step 11: Verify your configuration, and then click Apply.

The preceding steps result in this configuration:

object network ESA-Private
 host 192.168.65.50
 description ESA Private Address
object network ESA-Public
 host 172.16.30.20
 description ESA Public Address
object network ESA-Private
 nat static ESA-Public

Procedure 3 Add DMZ Firewall Rules to ASA

The NAT rule configured above translates the DMZ addresses to Internet-routable addresses, but access rules are still needed to expose DMZ services such as web and FTP. Five rules are needed to allow the ESA sufficient connectivity to perform its function:

1. The Cisco ESA must be able to resolve network hostnames on the organization’s DNS server.

2. The Cisco ESA must be able to retrieve time from the network’s Network Time Protocol (NTP) server.

3. The Cisco ESA must be able to reach the organization’s internal mail server to forward email messages with Simple Mail Transfer Protocol (SMTP).

4. Other organizations’ email servers on the Internet must be able to reach the Cisco ESA to send mail bound for the organization’s domain names.

5. The Cisco ESA must be able to connect to the Cisco servers for software updates and reputation information using HTTP and HTTPS.

Step 1: In ASDM, browse to Configuration > Firewall > Objects > Network Objects/Groups. Click Add, and then choose Network Object.

Step 2: Add a Network Object named Inside-DNS of type host, with an IP address of 10.10.48.10. Add an appropriate description for this network object as well. Click OK.


Step 3: Repeat steps 1 and 2 two more times to configure the following network objects:

• NTP-Server with an IP address of 10.10.48.17

• Inside-Mail with an IP address of 10.10.48.60.

Step 4: In ASDM, browse to Configuration > Firewall > Access Rules. Click Add, and then choose Add Access Rule…

First, you add a rule to allow the appliance to resolve hostnames on the LAN’s DNS server.

Tech Tip: ASDM displays all default and configured IPv4 and IPv6 rules. You can simplify the view by selecting the “IPv4 Only” radio button at the bottom of the panel.

Step 5: In the Add Access Rule window, in the Interface list, choose Any.

Step 6: Next to Action, choose Permit.

Step 7: In the Source field, enter the name of the ESA-Private object that you created in the NAT configuration procedure above.

Tech Tip: If you begin typing an object name, ASDM offers a list of object names that begin with the characters you have entered. You can typically type the first few letters of the object name, then select the appropriate item from the list. You also have the option of clicking the ellipses and picking object names from the list.

Step 8: In the Destination box, enter the name of the Inside-DNS host that you created above, in step 2.

Step 9: In the Service box, enter domain, and select UDP domain (53) from the options presented.

Tech Tip: ASDM offers suggestions of services that match the first few letters of service names that you type in the Services field. If you have trouble finding the service you’re looking for, you can click the ellipsis and pick your service from the list.

Step 10: Click OK. You return to Configuration > Firewall > Access Rules.


Step 11: In the Configuration > Firewall > Access Rules window, click Add, and then select Add Access Rule.

Next, you add a rule to allow the appliance to synchronize to the LAN’s time server.

Step 12: In the Add Access Rule window, in the Interface list, choose Any.

Step 13: Next to Action, choose Permit.

Step 14: In the Source field, enter the name of the ESA-Private object that you created in the NAT configuration procedure above.

Step 15: In the Destination field, enter the name of the NTP-Server host that you created above, in step 3.

Step 16: In the Service box, enter ntp, and select UDP ntp (123) from the options presented. Note that on Cisco ASA the service named time is UDP port 37 (the legacy Time protocol), not NTP; a rule built with time would not allow the appliance to synchronize its clock.

Step 17: Click OK. You return to Configuration > Firewall > Access Rules.

Step 18: In the Configuration > Firewall > Access Rules window, click Add, and then select Add Access Rule.

Next, you add a rule that allows the appliance to forward SMTP traffic to the internal mail server.

Step 19: In the Add Access Rule window, in the Interface list, choose Any.

Step 20: Next to Action, choose Permit.

Step 21: In the Source field, enter the name of the ESA-Private object that you created in the NAT configuration procedure above.

Step 22: In the Destination field, enter the name of the Inside-Mail host that you created above, in step 3.

Step 23: In the Service box, enter smtp, and select TCP smtp (25) from the options presented.

Step 24: Click OK. You return to Configuration > Firewall > Access Rules.


Step 25: In the Configuration > Firewall > Access Rules window, click Add, and then select Add Access Rule.

Next, you add a rule to allow Internet mail servers to send SMTP mail to the appliance.

Step 26: In the Add Access Rule window, in the Interface list, choose Any.

Step 27: Next to Action, choose Permit.

Step 28: In the Source field, choose or type any.

Step 29: In the Destination field, enter the name of the ESA-Private object that you created in the NAT configuration procedure above.

Step 30: In the Service field, enter smtp, and select TCP smtp (25) from the options presented.

Step 31: Click OK. You return to Configuration > Firewall > Access Rules.

Step 32: In the Configuration > Firewall > Access Rules window, click Add, and then select Add Access Rule.

Next, you add a rule to allow the appliance to reach Cisco updates and reputation databases.

Step 33: In the Add Access Rule window, in the Interface list, choose Any.

Step 34: Next to Action, choose Permit.

Step 35: In the Source field, enter the name of the ESA-Private object that you created in the NAT configuration procedure above.

Step 36: In the Destination field, choose or type any.

Step 37: In the Service box, enter http, and select TCP http (80) from the options presented. Type a comma, enter https, and select TCP https (443) from the options presented.

Step 38: Click OK. You return to Configuration > Firewall > Access Rules.


Step 39: Verify that the access rules are configured in the correct order, and then click Apply. The configuration changes are sent to the appliance.

The preceding steps apply this configuration:

object network Inside-DNS
 host 10.10.48.10
 description Private DNS Server
object network Inside-Mail
 host 10.10.48.60
 description Private Mail Server
object network NTP-Server
 host 10.10.48.17
 description Private NTP Server
object-group service DM_INLINE_TCP_2 tcp
 port-object eq http
 port-object eq https
access-list global_access line 7 extended permit udp object ESA-Private object Inside-DNS eq domain
access-list global_access line 8 extended permit udp object ESA-Private object NTP-Server eq ntp
access-list global_access line 9 extended permit tcp object ESA-Private object Inside-Mail eq smtp
access-list global_access line 10 extended permit tcp any object ESA-Private eq smtp
access-list global_access line 11 extended permit tcp object ESA-Private any object-group DM_INLINE_TCP_2

Note: the NTP rule must use the ASA service name ntp (udp/123). A rule that reads eq time permits only udp/37, the legacy Time protocol, and leaves NTP blocked.
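The following script is an added example, not part of the Cisco guide: it parses a constructed copy of the ASA object and access-list lines above and checks that the five flows Procedure 3 requires are actually permitted. The rule set deliberately carries the ASA service name time for the NTP rule, which on ASA means udp/37, so the audit reports the NTP flow as missing; the flow labels and function names are hypothetical.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed copy of the object and access-list lines this guide produces.
# The NTP rule uses the ASA service name "time" (udp/37) on purpose, so that
# the audit below can show why that does not satisfy the NTP requirement.
ASA_CONFIG = """
object network ESA-Private
 host 192.168.65.50
object network Inside-DNS
 host 10.10.48.10
object network Inside-Mail
 host 10.10.48.60
object network NTP-Server
 host 10.10.48.17
object-group service DM_INLINE_TCP_2 tcp
 port-object eq http
 port-object eq https
access-list global_access line 7 extended permit udp object ESA-Private object Inside-DNS eq domain
access-list global_access line 8 extended permit udp object ESA-Private object NTP-Server eq time
access-list global_access line 9 extended permit tcp object ESA-Private object Inside-Mail eq smtp
access-list global_access line 10 extended permit tcp any object ESA-Private eq smtp
access-list global_access line 11 extended permit tcp object ESA-Private any object-group DM_INLINE_TCP_2
"""

# ASA well-known service names used in this guide. "time" is the legacy Time
# protocol on udp/37; NTP is "ntp" on udp/123.
PORT_NAMES = {"domain": 53, "time": 37, "ntp": 123, "smtp": 25,
              "http": 80, "www": 80, "https": 443}

Flow = Tuple[str, str, str, Optional[int]]  # (proto, src, dst, port; None = any port)

# The five connectivity requirements from Procedure 3 (hypothetical labels).
REQUIRED_FLOWS: Dict[str, Flow] = {
    "DNS resolution via Inside-DNS": ("udp", "ESA-Private", "Inside-DNS", 53),
    "NTP synchronization via NTP-Server": ("udp", "ESA-Private", "NTP-Server", 123),
    "SMTP relay to Inside-Mail": ("tcp", "ESA-Private", "Inside-Mail", 25),
    "inbound SMTP from the Internet": ("tcp", "any", "ESA-Private", 25),
    "HTTP to Cisco update servers": ("tcp", "ESA-Private", "any", 80),
    "HTTPS to Cisco update servers": ("tcp", "ESA-Private", "any", 443),
}


def port_number(token: str) -> int:
    """Translate an ASA port token (service name or number) into a port number."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _endpoint(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one ACE endpoint (object NAME | host IP | any) starting at tokens[i]."""
    if tokens[i] in ("object", "host"):
        return tokens[i + 1], i + 2
    if tokens[i] == "any":
        return "any", i + 1
    raise ValueError(f"unsupported endpoint syntax: {' '.join(tokens[i:])}")


def parse_config(text: str) -> Set[Flow]:
    """Expand 'extended permit' ACEs (and referenced service groups) into flows."""
    groups: Dict[str, List[int]] = {}
    current: Optional[str] = None
    flows: Set[Flow] = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"object-group service (\S+) (tcp|udp|tcp-udp)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = re.match(r"port-object eq (\S+)$", line)
        if m and current is not None:
            groups[current].append(port_number(m.group(1)))
            continue
        current = None  # any other line ends the service-group body
        m = re.match(r"access-list \S+ (?:line \d+ )?extended permit (tcp|udp) (.+)$", line)
        if not m:
            continue
        proto, tokens = m.group(1), m.group(2).split()
        src, i = _endpoint(tokens, 0)
        dst, i = _endpoint(tokens, i)
        rest = tokens[i:]
        if not rest:
            ports: List[Optional[int]] = [None]  # no port qualifier: any port
        elif rest[0] == "eq":
            ports = [port_number(rest[1])]
        elif rest[0] == "object-group":
            ports = list(groups[rest[1]])
        else:
            raise ValueError(f"unsupported port syntax: {' '.join(rest)}")
        for port in ports:
            flows.add((proto, src, dst, port))
    return flows


def _permitted(flows: Set[Flow], wanted: Flow) -> bool:
    """True if some ACE covers the wanted flow ('any' endpoints and port None are wildcards)."""
    proto, src, dst, port = wanted
    return any(fp == proto and fs in (src, "any") and fd in (dst, "any")
               and fport in (port, None) for fp, fs, fd, fport in flows)


def audit(text: str) -> List[str]:
    """Return the labels of required ESA flows that the rule set does not permit."""
    flows = parse_config(text)
    return [name for name, flow in REQUIRED_FLOWS.items() if not _permitted(flows, flow)]


if __name__ == "__main__":
    for missing in audit(ASA_CONFIG):
        print("missing:", missing)
```

Changing eq time to eq ntp in the NTP rule makes the audit return an empty list.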

Completing the Basic Cisco ESA Deployment

Process

1. Complete Basic ESA Setup

2. Complete the GUI-Based System Setup

3. Configure Updates and Feature Keys

You use the console port to complete the basic configuration for network connectivity in the DMZ.

Procedure 1 Complete Basic ESA Setup

After physically installing and connecting the appliance to the network, the next step is basic setup.

Step 1: Connect the Cisco ESA management port to the DMZ switch port that you configured earlier, in Step 3 of Procedure 1, “Configure the DMZ switch.”

Step 2: Via the console port, log on to the device’s command-line interface (CLI).

Tech Tip: The default username and password are admin/ironport.


Step 3: Issue the interfaceconfig command, and then follow the CLI dialogue as shown.

ironport.example.com> interfaceconfig
Currently configured interfaces:
1. Management (192.168.42.42/24 on Data 1: ironport.example.com)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]> edit
Enter the number of the interface you wish to edit.
[]> 1
IP interface name (Ex: “InternalNet”):
[Management]> DMZ_Interface
IP Address (Ex: 192.168.1.2):
[192.168.42.42]> 192.168.65.60
Ethernet interface:
1. Data 1
2. Data 2
[1]> 1
Netmask (Ex: “255.255.255.0” or “0xffffff00”):
[255.255.255.0]> 255.255.255.0
Hostname:
[ironport.example.com]> email1.cisco.local
Do you want to enable FTP on this interface? [N]> n
Do you want to enable Telnet on this interface? [Y]> n
Do you want to enable SSH on this interface? [Y]> y
Which port do you want to use for SSH? [22]> 22
Do you want to enable Cluster Communication Service on this interface? [N]> n
Do you want to enable HTTP on this interface? [Y]> y
Which port do you want to use for HTTP? [80]> 80
Do you want to enable HTTPS on this interface? [Y]> y
Which port do you want to use for HTTPS? [443]> 443
Do you want to enable Spam Quarantine HTTP on this interface? [N]> y
Which port do you want to use for Spam Quarantine HTTP? [82]> 82
Do you want to enable Spam Quarantine HTTPS on this interface? [N]> y
Which port do you want to use for Spam Quarantine HTTPS? [83]> 83
The “Demo” certificate is currently configured. You may use “Demo”, but this will not be secure. To assure privacy, run “certconfig” first.
Both HTTP and HTTPS are enabled for this interface, should HTTP requests redirect to the secure service? [Y]> y
Both Spam Quarantine HTTP and Spam Quarantine HTTPS are enabled for this interface, should Spam Quarantine HTTP requests redirect to the secure service? [Y]> y
Do you want DMZ_Interface as the default interface for your Spam Quarantine? [N]> y
Do you want to use a custom base URL in your Spam Quarantine email notifications? [N]> n
The interface you edited might be the one you are currently logged into. Are you sure you want to change it? [Y]> y
Currently configured interfaces:
1. DMZ_Interface (192.168.65.60/24 on Data 1: email1.cisco.local)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
[]>

Tech Tip: You must press Enter to return to the main prompt.


Step 4: Issue the sethostname command and define the appliance’s hostname.

ironport.example.com> sethostname
[ironport.example.com]> ?
A hostname is a string that must match the following rules:
- A label is a set of characters, numbers and dashes.
- The first and last character of a label must be a letter or a number.
- The hostname must have at least 2 labels separated by a period.
- The last label cannot be all numbers.
[ironport.example.com]> email1.cisco.local
email1.cisco.local>

Step 5: Issue the setgateway command and define the appliance’s default gateway (the Email-DMZ interface on the firewall).

ironport.example.com> setgateway
Warning: setting an incorrect default gateway may cause the current connection to be interrupted when the changes are committed.
Enter new default gateway:
[]> 192.168.65.1

Step 6: Issue the commit command and provide a summary of your configuration activity.

ironport.example.com> commit
Please enter some comments describing your changes:
[]> initial setup
Changes committed: Tue Jun 21 16:40:11 2011 GMT
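A check worth running once the commit is in: confirm from another host in the DMZ that the management interface exposes exactly the services you answered "y" to, and nothing else. The script below is an added example, not code from the Cisco guide or from AsyncOS. It parses the interfaceconfig answers as the CLI prints them, validates a hostname against the rules the sethostname help text lists, and TCP-connects to the expected ports. The appliance address is the one set in the dialogue above; the probing host, the firewall allowing it to reach the appliance, and the well-known ports used for FTP and Telnet are assumptions (the Cluster Communication Service port is not on the page and is left unknown).

```python
"""Added example, not from the Cisco guide or AsyncOS: derive the services the
DMZ management interface should expose from the answers given to
interfaceconfig, validate a hostname the way sethostname describes, and
optionally probe the appliance from another DMZ host to confirm that only
those ports answer. Probe host and reachability are assumptions."""
import re
import socket

# Constructed input: the interfaceconfig answers from Procedure 1, one prompt
# per line as the CLI prints them.
INTERFACECONFIG_ANSWERS = """\
Do you want to enable FTP on this interface? [N]> n
Do you want to enable Telnet on this interface? [Y]> n
Do you want to enable SSH on this interface? [Y]> y
Which port do you want to use for SSH? [22]> 22
Do you want to enable Cluster Communication Service on this interface? [N]> n
Do you want to enable HTTP on this interface? [Y]> y
Which port do you want to use for HTTP? [80]> 80
Do you want to enable HTTPS on this interface? [Y]> y
Which port do you want to use for HTTPS? [443]> 443
Do you want to enable Spam Quarantine HTTP on this interface? [N]> y
Which port do you want to use for Spam Quarantine HTTP? [82]> 82
Do you want to enable Spam Quarantine HTTPS on this interface? [N]> y
Which port do you want to use for Spam Quarantine HTTPS? [83]> 83
"""

# Services the dialogue switches on or off without asking for a port. FTP and
# Telnet use their IANA well-known ports (assumption that the appliance does
# too); the Cluster Communication Service port is not on the page, so a
# service without an entry here and without a port prompt stays None.
WELL_KNOWN = {"FTP": 21, "Telnet": 23}

ENABLE_RE = re.compile(r"enable (.+?) on this interface\? \[[YN]\]> *([yYnN])")
PORT_RE = re.compile(r"use for (.+?)\? \[\d+\]> *(\d+)")


def expected_exposure(transcript):
    """Return {service: port} for every service answered 'y'; port is None
    when neither the dialogue nor WELL_KNOWN supplies one."""
    enabled = {}
    for m in ENABLE_RE.finditer(transcript):
        service, answer = m.group(1), m.group(2).lower()
        if answer == "y":
            enabled[service] = WELL_KNOWN.get(service)
    for m in PORT_RE.finditer(transcript):
        service, port = m.group(1), int(m.group(2))
        if service in enabled:
            enabled[service] = port
    return enabled


def must_be_closed(transcript):
    """Services answered 'n' whose port is known, so the probe can confirm
    they are really off (Telnet and FTP in the transcript above)."""
    return {m.group(1): WELL_KNOWN[m.group(1)]
            for m in ENABLE_RE.finditer(transcript)
            if m.group(2).lower() == "n" and m.group(1) in WELL_KNOWN}


LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def valid_hostname(name):
    """The rules sethostname prints: labels of letters, digits and dashes that
    start and end with a letter or digit, at least two labels, and a last
    label that is not all digits."""
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def probe(host, ports, timeout=3.0):
    """TCP-connect to each port; True means something accepted the connection.
    Ports recorded as None are skipped."""
    state = {}
    for service, port in ports.items():
        if port is None:
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout):
                state[service] = True
        except OSError:
            state[service] = False
    return state


if __name__ == "__main__":
    appliance = "192.168.65.60"  # address set in the interfaceconfig dialogue
    want_open = expected_exposure(INTERFACECONFIG_ANSWERS)
    want_closed = must_be_closed(INTERFACECONFIG_ANSWERS)
    for service, is_open in probe(appliance, {**want_open, **want_closed}).items():
        verdict = "ok" if is_open == (service in want_open) else "MISMATCH"
        print(f"{service:24s} open={is_open!s:5s} {verdict}")
```

A MISMATCH on Telnet or FTP means the interface edit did not take effect (or you are probing a different interface); a MISMATCH on 443 usually means the firewall rule for the DMZ host is missing rather than a problem on the appliance.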

Procedure 2 Complete the GUI-Based System Setup

You finish configuring the appliance by using the built-in web GUI device management tool.

Step 1: After initial configuration is complete, connect to the appliance by using a browser to access the device management application GUI at the address you assigned to DMZ_Interface (https://192.168.65.60/).

Step 2: Run the System Setup Wizard.


Step 3: Read the license agreement and accept it, and then click the Begin Setup button.

Answer the system configuration questions. This defines the basic settings such as time settings, default hostname, and the default password. Click Next.

Tech Tip: The last two questions determine whether the appliance will participate in the SenderBase network by allowing Cisco ESA to send anonymized reputation details about email traffic back to Cisco to improve SenderBase and the product in general.

Step 4: Select the network integration settings for your deployment, and then click Next.

These settings allow you to define your DNS server (or tell the appliance to use the Internet’s root DNS servers). This page is also where you set up the network interface(s) used for mail processing.


Step 5: On the Message Security page, click Next.

For your message security settings (which determine whether anti-spam and anti-virus filtering are enabled and which engine is used for each function), this example uses the default options of participating in SenderBase and enabling anti-spam and the Sophos anti-virus engine.

Tech Tip: If your environment requires proxies for HTTP or HTTPS communications, define them in the Services Updates portion of the Web interface. Select Security Services > Services Updates, and then click Edit Update Settings. At the bottom of this page, enter the proxy settings for HTTP and HTTPS, and then click Submit.

Step 6: Review your configuration, and if necessary, modify the configuration that you have defined. If the configuration is correct, click Accept, and the appliance activates the configuration on your Cisco ESA appliance.

Step 7: When the Active Directory wizard appears, click Cancel. In this example, you do not configure an Active Directory server.


Procedure 3 Configure Updates and Feature Keys

Before you start using your appliance, it is important to look at two other areas: feature keys and system upgrades.

Step 1: In the web configuration tool, browse to System Administration > Feature Keys.

This is where the license keys for the different features on the box are displayed.

Step 2: Check whether your appliance has any licenses that are not currently enabled. Click the Check for New Keys button. This enables the appliance to connect to Cisco.com and determine if all purchased licenses are installed and enabled.

Next, you upgrade the system software on the appliance.

Step 3: Select System Administration > System Upgrade. The current software version appears.

Step 4: Click Available Updates. This determines if updates are available.

Step 5: If newer versions are available, you may select and install them now. Although it is not necessary to load all updates in order, it is possible that the latest update will require interim updates before it can be loaded. If interim updates are required, the appliance's web manager interface provides guidance on the necessary upgrade path.

Tech Tip: At this writing, it is not possible to downgrade software versions without exchanging hardware, so be certain that you want to upgrade before proceeding.

Enabling Mail Policies

1. Set Up Bounce Verification

2. Review Incoming Mail Policies

Process

Now that system setup is complete, you are ready to enable security services.

Procedure 1 Set Up Bounce Verification

Bounce verification tags the envelope sender of outgoing messages so that when a bounce (a delivery status notification with a null sender) comes back to the appliance, it can verify that the message being bounced was actually sent by the appliance. Bounces that lack a valid tag are forged; spammers and attackers use such fake bounces (backscatter) to deliver spam and phishing content through a mail gateway that would otherwise reject them.

Step 1: Navigate to Mail Policies > Bounce Verification, and then click New Key.

Step 2: Enter a text string for the appliance to use as the bounce verification key, and then click Commit to apply the changes. The appliance derives the address tags from this key, so treat it as a secret: use a long random string rather than a guessable word.

Step 3: Navigate to Mail Policies > Destination Controls, and in the first table, click Default.

Step 4: Change Perform address tagging to Yes.

Step 5: Click Submit to commit changes.
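To make the mechanism concrete, the following added example (not Cisco's code, and not the exact tag layout or algorithm AsyncOS uses, which the guide does not give) implements the same idea in the public BATV "prvs=" form: the envelope sender is rewritten to carry a key id, an expiry day and a truncated HMAC; an inbound message with a null sender is accepted only if its recipient address carries a tag that verifies under the key, after which the tag is stripped so the bounce reaches the original sender. The key, the seven-day lifetime and the addresses are constructed for the example.

```python
"""Added example, not Cisco's code: a BATV-style bounce-address tag showing
conceptually what the appliance's bounce verification does. It uses the
public BATV 'prvs=' layout with an HMAC-SHA256 truncated to six hex digits;
the key stands in for the secret entered under Mail Policies > Bounce
Verification (assumption), and the lifetime is an arbitrary choice."""
import hashlib
import hmac
from datetime import date

TAG_LIFETIME_DAYS = 7  # how long a bounce to a tagged sender is honoured


def _mac(key, key_id, expiry_day, address):
    """Truncated HMAC over the key id, expiry day and the untagged address."""
    msg = f"{key_id}{expiry_day:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(address, key, key_id=0, today=None):
    """Rewrite the envelope sender user@domain to prvs=KDDDHHHHHH=user@domain:
    K is a single-digit key id (allows key rotation), DDD the expiry day
    (ordinal day mod 1000) and HHHHHH the truncated MAC."""
    today = today or date.today()
    expiry_day = (today.toordinal() + TAG_LIFETIME_DAYS) % 1000
    local, domain = address.rsplit("@", 1)
    mac = _mac(key, key_id, expiry_day, address)
    return f"prvs={key_id}{expiry_day:03d}{mac}={local}@{domain}"


def verify_bounce(rcpt, key, today=None):
    """Check the RCPT TO of an inbound bounce. Returns (ok, original_address);
    ok is False when the tag is missing, malformed, forged or expired."""
    today = today or date.today()
    if not rcpt.startswith("prvs="):
        return False, None
    tagpart, _, original = rcpt[5:].partition("=")
    if len(tagpart) != 10 or not tagpart[:4].isdigit() or "@" not in original:
        return False, None
    key_id, expiry_day, mac = int(tagpart[0]), int(tagpart[1:4]), tagpart[4:]
    if not hmac.compare_digest(mac, _mac(key, key_id, expiry_day, original)):
        return False, None
    # Days left until expiry, modulo the 1000-day wrap; a tag that has
    # expired shows up as a large value and is refused.
    remaining = (expiry_day - today.toordinal()) % 1000
    if remaining > TAG_LIFETIME_DAYS:
        return False, None
    return True, original


def handle_inbound(mail_from, rcpt_to, key, today=None):
    """Policy for one inbound envelope: a bounce (null MAIL FROM) is accepted
    only if RCPT TO carries a valid tag, which is stripped so the bounce
    reaches the original sender; ordinary mail is accepted, untagged if a
    valid tag happens to be present (a reply to a tagged address)."""
    ok, original = verify_bounce(rcpt_to, key, today)
    if mail_from in ("", "<>"):
        return ("ACCEPT", original) if ok else ("REJECT", None)
    return ("ACCEPT", original if ok else rcpt_to)


if __name__ == "__main__":
    key = b"constructed-example-key"  # stands in for the Bounce Verification key
    tagged = tag_sender("user@cisco.local", key)
    print("outgoing MAIL FROM:", tagged)
    print("genuine bounce    :", handle_inbound("", tagged, key))
    print("forged bounce     :", handle_inbound("", "user@cisco.local", key))
```

Two properties matter operationally and both are visible in the code: the tag only protects the envelope (a bounce is verified by the address it is sent to, not by anything in the body), and the tag expires, so a key change or a long outage makes legitimate late bounces fail verification. That is why the appliance asks you to Commit the key before enabling tagging, and why rotating the key is something to do deliberately rather than casually.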


Procedure 2 Review Incoming Mail Policies

The last stage in appliance setup is reviewing the incoming mail policies.

Step 1: Navigate to MailPolicies>IncomingMailPolicies.

Currently there is one default mail policy. Its anti-spam setting sends positively identified spam to the Spam Quarantine. You will change this to apply a Drop action instead. Note that dropped messages cannot be recovered, whereas quarantined messages can be reviewed and released; keep the quarantine action if your organization needs a way to recover false positives.

Step 2: Under the Anti-Spam column header, select the policy definition.

Step 3: Change the Positively-Identified Spam Settings from Spam Quarantine to Drop.

Step 4: Click Submit to commit the changes.

Maintaining Cisco ESA

With your system fully deployed, you are ready to monitor and maintain the appliance.

To help you monitor the appliance's behavior, there are a variety of reports available under the Monitor menu. These reports make it possible to track activity and statistics for spam, virus types, incoming mail domains, outbound destinations, system capacity, and system status.

To determine why the appliance applied specific actions to a given email, you can run the Trace tool under System Administration.

By defining a search using details of a given email in question, you can test a specific email to determine how the appliance handled the message and why. This is especially useful if some of the more advanced features of the appliance are used (like DLP).


Appendix A: Product List

The following products and software versions have been validated for Cisco SBA:

Functional Area   Product                                        Part Numbers    Software Version
Internet Edge     Cisco IronPort C160 Email Security Appliance   C160-BUN-R-NA   7.1.5-017


Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Americas Headquarters
Cisco Systems, Inc.
San Jose, CA

Asia Pacific Headquarters
Cisco Systems (USA) Pte. Ltd.
Singapore

Europe Headquarters
Cisco Systems International BV
Amsterdam, The Netherlands

SMART BUSINESS ARCHITECTURE

B-0000509-1 1/12