- Email security appliance (ESA)
- Cloud ESA (CES)
- Hybrid
- SMTP
- Host access table (HAT)
- Recipient address table (RAT)
- Pipeline
- Antispam
- SenderBase Reputation Service (SBRS)
- Graymail
- AV
- AMP
- Outbreak filter
- DLP
- Encryption
- TLS
- S/MIME
- Sender policy framework (SPF)
- Domain keys identified mail (DKIM)
- Domain-based message authentication reporting and conformance (DMARC)
- Logging
- AsyncOS CLI
Email security appliance (ESA)
- can use AMP to scan attachments
- actions:
  - drop email
  - drop malicious attachment
  - add warning to subject
  - rewrite malicious URL
  - deliver
  - quarantine
  - bounce to sender
  - drop
- email gateway, MTA ≡ mail transfer agent ≡ mail relay (address in DNS MX)
- AsyncOS ≡ FreeBSD without shell + fibers + custom filesystem
- filtering
  - reputation-based: score from SenderBase
  - context-based: on content
  - if file is received from malicious mail server – quarantine unless AV has necessary signatures
- AV engines: Sophos, McAfee
  - updates from Talos every 3-5 minutes
- high-availability: 2xESA + 2xMX records (lower priority number has more priority)
  - config sync within cluster group
- message tracking: stores info about message flow
- message splintering:
  - creates copies within ESA with different message IDs
  - if inbound email has several recipients that fall under different policies
- ports
  - SSH, no Telnet
Cloud ESA (CES)
- features: antispam, AV, DLP, graymail detection, safe unsubscribing, outbreak filter, URL filter, web tracking, remediation for O365
Hybrid
- CES: inbound inspection
- ESA: outbound inspection, encryption, DLP
SMTP
- null sender address ≡ no bounce notification required
- sender verification
  - inbound connection from IP
  - FQDN = PTR(IP)
  - IP* = A(FQDN)
  - IP =? IP* – equal ≡ verified
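The verification steps above as an added Python example (not Cisco's own code); the DNS data is constructed and embedded so it runs offline:

```python
# Added example (not Cisco's code): forward-confirmed reverse DNS check as
# in the sender-verification notes above. DNS answers come from constructed
# in-memory tables so the example runs offline; swap in real resolver calls
# (e.g. socket/dnspython) to use it against live DNS.

# constructed zone data: PTR records keyed by IP, A records keyed by FQDN
PTR = {
    "203.0.113.10": "mx1.example.net",
    "203.0.113.11": "mx2.example.net",    # forward lookup will not return this IP
    "203.0.113.12": "ghost.example.net",  # PTR name has no A record at all
    "198.51.100.7": "mail.example.org",
}
A = {
    "mx1.example.net": ["203.0.113.10"],
    "mx2.example.net": ["203.0.113.99"],
    "mail.example.org": ["198.51.100.7", "198.51.100.8"],
}

def ptr_lookup(ip):
    return PTR.get(ip)

def a_lookup(fqdn):
    return A.get(fqdn, [])

def verify_sender(ip):
    """Return (verdict, fqdn) following the steps in the notes:
    FQDN = PTR(IP); IP* = A(FQDN); verified only if IP is among IP*.
    Verdicts: 'verified', 'no-ptr', 'no-a', 'mismatch'."""
    fqdn = ptr_lookup(ip)
    if fqdn is None:
        return "no-ptr", None
    forward = a_lookup(fqdn)
    if not forward:
        return "no-a", fqdn
    if ip in forward:            # a host with several A records still passes
        return "verified", fqdn
    return "mismatch", fqdn

if __name__ == "__main__":
    for ip in PTR:
        print(ip, verify_sender(ip))
```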
Host access table (HAT)
- for public and private listeners (SMTP daemon)
- ingress reputation-based verification of sender domain
- bypasses spam filter for known good domains
- group assignment: match-any condition, sequence – order of group definitions
- sender groups (logical OR)
  - relaylist
  - whitelist
  - blacklist
    - block
    - incoming email
    - SBRS from -10 to -3
  - suspectlist
    - rate limit
    - incoming email
    - SBRS from -3 to -1
  - unknownlist
    - antispam, AV, SBRS
    - incoming mail
    - SBRS from -1 to 10
  - all
    - private listener – drop
    - public listener – forward
- actions
  - accept
  - reject: accept TCP + reply with SMTP 4xx/5xx
  - TCP refuse: drop TCP
  - relay: accept + bypass RAT
  - continue: skip
Recipient address table (RAT)
- after HAT before pipeline and LDAP
- public listener only
- actions
- top-down match, default policy = reject
- LDAP integration allows dropping emails for non-existent users
Pipeline
- phases
  - receipt
  - work queue
  - delivery
- ingress
  - reputation filter
  - message filter
    - CLI only
    - based on metadata
    - before applying policies and message splintering
  - antispam
  - AV
  - AMP
  - graymail
    - valid in the past, likely spam at the moment (e.g. newsfeed)
    - safe unsubscribe
  - content filter
  - outbreak filter
- egress
  - message filter
  - AV
  - graymail
  - content filter
  - DLP
- changing a policy has no effect on messages already in the pipeline
Antispam
- context adaptive scanning engine (CASE)
- IronPort criteria:
  - sender reputation
  - message content
  - message structure
  - reputation of URLs in message
- MultiScan: uses several engines
- score
  - range: 1-100
  - 1-50 = not spam
  - 50-90 = suspected spam
  - 90-100 = spam
  - 100 = definitely spam
SenderBase Reputation Service (SBRS)
- between -10 and +10
- external threat feeds (ETF): receive STIX via TAXII
- public listener only
Graymail
- detects phishing
- safe unsubscribe with cloud-based Unsubscribe Service (verifies URL)
  - inserts banner
  - passes original URL as parameter
  - formats email to highlight URLs
- requires antispam
- categories
  - marketing email
  - social network
  - bulk email: does not fall under other 2 categories
AV
- engines: McAfee → Sophos
- signature updates every 5 mins
- actions
  - scan for viruses only
  - scan and repair viruses
  - drop attachments
- X-IronPort-AV header
- malicious classes
  - repaired message
  - encrypted: PGP, S/MIME
  - unscannable
  - virus infected
- reaction
  - drop
  - deliver as attachment
  - deliver
  - quarantine – unique, ESA only
- optional reaction
  - archive
  - modify subject
  - add custom header
  - send notification when delivered
  - modify recipient
  - send to another host
AMP
- TCP 32137 by default
- incoming policy only
Outbreak filter
- protection from large-scale attacks with new viruses, web pages, phishing
- real-time updates, once per 5 minutes
- actions
  - delay ≡ quarantine
  - redirect to splash
  - modify message body (threat alert banner)
- outbreak rules
  - file extension
  - file name
  - file size
  - encrypted or not
  - URL
- adaptive rules: AV required
  - mismatch between file extension and content
  - whitespace in name
  - several extensions in name (.doc.exe)
  - SenderBase score
- threat level: 0-5 (5 = risky)
- match if all rules are hit
- if quarantine overflows, messages that would time out first are deleted first
DLP
- score: 0-100 (100 = risky)
  - proximity: how close to pattern
  - minimum total score: protection from false positives
  - weight: increases with every rule hit
  - maximum score: protection from many matches
- egress only (not within organisation, not ingress)
- logarithmic scale
- uses RSA dictionary
Encryption
- Cisco email encryption
  - stores keys on key server (can be Cisco Registered Envelope Service (CRES))
  - symmetric encryption
- TLS
- S/MIME
TLS
- SMTP over STARTTLS
- TCP 465
- modes
  - none: default
  - preferred
  - preferred-verify: checks sender TLS certificate
  - required
  - required-verify
  - required-verify hosted domains
S/MIME
- asymmetric encryption
- PXE = PostX Envelope
Sender policy framework (SPF)
- RFC 4408
- uses DNS TXT records: authorized mail gateway for sender domain (IP addresses)
Domain keys identified mail (DKIM)
- RFC 5585
- DNS TXT contains public key
- outgoing email is signed
- “d=” ≡ domain, “s=” ≡ selector ⇒ key in selector._domainkey.domain
  - s=mail
  - d=yandex.ru
  - key is in mail._domainkey.yandex.ru
Domain-based message authentication reporting and conformance (DMARC)
- policy
  - none: monitor
  - quarantine: move to spam
  - reject: drop
  - “p=” tag
- alignment
  - match between domains of mailfrom (real host) and header from (reply sender)
  - types
    - relaxed: host = mail.yandex.ru, header from = yandex.ru → pass
    - strict: host = mail.yandex.ru, header from = yandex.ru → fail
  - mailfrom ≠ header from on autoreply (header from – user-friendly name, mailfrom – system-generated)
  - adkim tag: DKIM alignment
  - aspf tag: SPF alignment
- subdomain
  - by default uses parent policy
  - “sp=” overrides parent policy
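DKIM key location and the DMARC alignment and subdomain-policy rules above, as an added Python example (not Cisco's code); it assumes the organizational domain is the last two labels, which real verifiers replace with the Public Suffix List:

```python
# Added example, not Cisco's code: DKIM key location and DMARC identifier
# alignment as summarised in the notes above. Assumption: the organizational
# domain is the last two labels (real verifiers use the Public Suffix List).

def dkim_record_name(d, s):
    """TXT record a verifier fetches for a signature with d= and s= tags."""
    return f"{s}._domainkey.{d}"

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])          # assumption: no PSL handling

def aligned(auth_domain, header_from, mode):
    """mode 'r' = relaxed (org domains match), 's' = strict (exact match)."""
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    if mode == "s":
        return a == h
    if mode == "r":
        return org_domain(a) == org_domain(h)
    raise ValueError("alignment mode must be 'r' or 's'")

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags

def effective_policy(tags, header_from):
    """p= applies to the domain itself; sp= overrides it for subdomains."""
    h = header_from.lower().rstrip(".")
    if org_domain(h) != h and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")

def dmarc_verdict(tags, header_from, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """'pass' if SPF or DKIM passed AND that identifier aligns with header From;
    otherwise the policy the receiver should apply (none/quarantine/reject)."""
    spf_ok = spf_pass and aligned(spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, header_from, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else effective_policy(tags, header_from)

if __name__ == "__main__":
    print(dkim_record_name("yandex.ru", "mail"))   # mail._domainkey.yandex.ru
    rec = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; aspf=s")
    print(dmarc_verdict(rec, "yandex.ru", "mail.yandex.ru", True, "mail.yandex.ru", False))
```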
Logging
- types:
  - text mail
  - authC
  - delivery: binary format
  - bounce
  - FTP server
  - HTTP
  - LDAP debug
  - antispam
  - graymail
  - AV
  - reporting
  - configuration history
  - updater
- retrieval:
  - manual
  - FTP
  - SCP
  - Syslog: RFC 3164
AsyncOS CLI
; does not reset settings in contrast to GUI
# systemsetup
; apply settings
# commit
; L1/L2
# etherconfig
; L3
# interfaceconfig
; static routes except 0.0.0.0/0
# routeconfig
; localhosts hidden
# dnsconfig [localhosts]
; reset cache
# dnsflush
; logs
# tail
; tcpdump
# packetcapture
; test sending email
# mailconfig
; large volume senders
# topin
; ≈ ASA packettracer
# trace
; reboot engine instead of whole appliance, hidden
# diagnostic [kick]
; message filters
# filters
# arp
# ndp
# status [detail]
# hoststatus
# ntpconfig
# setgateway
# nslookup
# dig @<DNS_IP> <DOMAIN>