Cisco Email Security: Deployment and Troubleshooting
C97-728331-00 © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 1
Agenda
• Email Security Deployment
  • Devices
  • Deployment Methods
  • Virtual Requirements
  • Advanced Topics
• Troubleshooting
  • Basics
  • Virtual Machines
  • Tailing Logs
  • Message Flows
  • Engines
Devices Covered
Traffic Flow Considerations
Ports and Protocols
Typically Used Between the ESA and the Internet
The complete list can be found in the ESA Configuration Guide, Appendix C
Ports and Protocols
Typically Used Between the ESA and the Internal Network
The complete list can be found in the ESA Configuration Guide, Appendix C
Support Tunnels
Beware of Firewall Issues
The complete list can be found in the ESA Configuration Guide, Appendix C
ESA Installation Types
There are multiple ways to configure the ESA on a network. Each has its pros and cons.
(Diagram: Internet, Outside, Inside, Mail Server)
• Security Nightmare
• No protection for the inside network or outside interfaces
ESA Installation
Parallel to the Firewall
(Diagram: Internet, Outside, Mail Server)
• Easy to Configure
• Security Nightmare
• No protection for the inside network or outside interfaces
DO NOT scenario
ESA Installation
Protected Private Interface
(Diagram: Internet, Outside, Mail Server)
• Easy to Configure
• Still a Security Nightmare
• No protection for the outside interface
DO NOT scenario
ESA Installation
Protected Public Interface
(Diagram: Internet, Outside, Inside, Mail Server)
• Public interface protected by firewall
• Can filter inbound and outbound email related traffic
• No inside interface filtering
• Works well in smaller accounts
ESA Installation
Single Interface
(Diagram: Internet, Mail Server)
• System protected by firewall
• Simplifies firewall configuration for passing email related traffic
• No specific routes required on the ESA. Minimizes network troubleshooting
• Single interface represents a possible single point of failure or bottleneck
• Preferred and THE most common
ESA Installation
Dual DMZ Interfaces
(Diagram: Internet, Outside, Inside)
• Inside and outside interfaces protected by firewall
• Can fully filter and control inbound and outbound email related traffic
ESA Installation
Large DMZ with Dual Firewalls
(Diagram: Internet, Outside, Mail Server)
• System is well protected
• Allows for maximum control and isolation of traffic flowing in the DMZ
ESA Installation
Separate Management Network
(Diagram: Internet, Outside, Inside)
• Meets the most stringent customer connectivity needs
• Requires a larger appliance with 3 interfaces
ESA Installation
High Availability
ESA Redundancy
MX Records
(Diagram: Internet feeding two MX hosts, west.mail.company.com and east.mail.company.com)
ESA Redundancy
Clustering Appliances
Virtual Architecture
Virtual Architecture
Hardware Specifications
• If you build your systems to meet or exceed this configuration you will have
similar performance to our performance metrics
• Your Cisco or partner account teams can help you with sizing your solution
Virtual Architecture
Separate Management Network, Consolidated Data Center
(Diagram: Internet, Outside, a UCS host running the ESAv and the Mail Server VM, Virtual Management Network securely separated)
• Less rack space needed
• Lower power requirements
• Lower cooling costs
Virtual Architecture
Redundant Data Centers
(Diagram: Internet, UCS1 and UCS 2 each running an ESAv and a Mail Server, Virtual Management Network)
• Migrate machines in event of a failure
• Easily add additional VMs for extra mail handling capacity
Advanced Topics
Outbreak Filters
Outbreak Filters
Enabling Globally
Outbreak Filters
Enabling Per Incoming Mail Policy
Configuring Outbreak Filters
• Enable Message Modification and URL Rewriting; both MUST be set for the targeted threat components to be active
• The Threat Level default is 3. Lowering it to 2 or 1 makes it more aggressive in identifying threats
• False positives are OK with this feature: messages not caught by IPAS rule updates before the quarantine timer expires are delivered to the end user with the appropriate mark-ups and changes
Advanced Topics
URL Reputation and Filtering
Included in the Outbreak Filters policy and introduced in AsyncOS 8.5.x; Outbreak Filters and IPAS use web reputation components to target more spam
• Enable URL filtering globally to enable it in IPAS and Outbreak Filters automatically.
• A whitelist can be created to bypass scanning for specific domains at a global level
Configuring URL Category Filtering
URL Category Condition
Configuring URL Category Action
Actions to Take on URLs
Filtering URLs by Reputation
Actions to Take on Reputation
Advanced Topics
DKIM – DomainKeys Identified Mail
Advanced Topics
SPF – Sender Policy Framework
Shortcomings
SPF and DKIM
DMARC
Domain-Based Message Authentication, Reporting & Conformance
Configuring DMARC
• Enable DKIM and SPF Verification in each Mail Flow Policy; there is no need to create the Content Filters
• Global settings, such as bypassing verification for emails with specific headers, must be configured.
• The additional contact information mailbox should not be a real user. These addresses are being harvested by spammers.
Sending Messages
Using DKIM, SPF, and DMARC
Use Caution
When Creating Your SPF Record
Do not use -all unless you know ALL of the email senders sending on your behalf.
• Amazon.com uses -all. When is the last time you saw spoofed email on that domain?
• Allow third parties to relay through a set of ESAs from specific IP addresses. Cisco IT does this.
You are limited to 10 recursions when doing SPF record queries
• Do not use hostnames. Use IP addresses and save FQDNs for includes
Keep your record <512 bytes in size
• You’re using DNS queries. When you pass 512 bytes it’s a TCP connection instead of UDP, and many networks filter TCP 53
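To make the three cautions above checkable before a record is published, here is an added example (not from the slides or from Cisco): a small Python lint that counts the lookup-costing SPF terms against the limit of 10, checks the 512-byte size, flags hostname arguments where an IP literal would do, and points out a hard-fail -all. The record strings are constructed for the demonstration and include: targets are not resolved.

```python
import re

# Terms that each cost a DNS lookup toward the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
MAX_UDP_BYTES = 512  # beyond this, classic DNS falls back from UDP to TCP port 53


def spf_lookup_count(record: str) -> int:
    """Count lookup-costing terms in one record (include: targets are not resolved)."""
    count = 0
    for term in record.split()[1:]:
        m = re.match(r"^[+\-~?]?([a-z]+)(?=[:=/]|$)", term.lower())
        if m and m.group(1) in LOOKUP_TERMS:
            count += 1
    return count


def lint_spf(record: str) -> list:
    """Return warnings for a single SPF TXT record string, following the slide's cautions."""
    warnings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        warnings.append("record must start with v=spf1")
    lookups = spf_lookup_count(record)
    if lookups > MAX_LOOKUPS:
        warnings.append(f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}")
    size = len(record.encode())
    if size > MAX_UDP_BYTES:
        warnings.append(f"record is {size} bytes; over {MAX_UDP_BYTES} forces TCP 53")
    for term in terms[1:]:
        # a:host / mx:host spend a lookup on a hostname; prefer ip4:/ip6: literals
        if re.match(r"^[+\-~?]?(a|mx):", term.lower()):
            warnings.append(f"{term} names a host; use ip4:/ip6: and keep FQDNs for include:")
    if terms and terms[-1].lower() == "-all":
        warnings.append("-all hard-fails every unlisted sender; confirm all third parties are covered")
    return warnings


# Constructed sample records (documentation domains, not real senders).
TIGHT_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net mx -all"
LOOKUP_HEAVY_RECORD = "v=spf1 a:mail.example.com " + " ".join(
    f"include:spf{i}.example.org" for i in range(10)) + " ~all"

if __name__ == "__main__":
    for rec in (TIGHT_RECORD, LOOKUP_HEAVY_RECORD):
        print(rec)
        for w in lint_spf(rec):
            print("  -", w)
```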
Additional Resources
For DKIM, SPF, and DMARC
Troubleshooting
Licensing
Licensing
“Malformed License” Error
Cloning Virtual Machines
Mixed Clusters
Virtual and Hardware Appliances
Testing Communications
The Basics
Testing Communications
LDAP
Tailing Logs
Using mail_logs
From the CLI, use tail mail_logs to watch what is happening when you send test messages through the ESA.
This command will display the tail of any log you choose. Use the tail command by itself and the system will list the 27 logs available.
Searching Logs
Using findevent
From the CLI, use findevent to search logs for specific messages
Searching Logs
Using grep
From the CLI, use grep to search logs for specific messages.
If you don’t know the log name, use grep without any parameters to use it interactively.
Troubleshooting Mail Delivery
RAT Entries and SMTP Routes
If your mail_logs show problems delivering mail to the correct location, ensure you have an SMTP Route for each RAT entry.
The RAT entries signify “I accept incoming email for these domains” and the SMTP Route tells the ESA where to deliver that mail.
Troubleshooting Message Flows
TLS Messages
Use the tlsverify CLI command to verify against a domain and ensure TLS is working properly.
Troubleshooting Message Flows
What’s in Queue?
Use the showrecipients CLI command to see what is currently in queue, or the Delivery Status report on the UI to see if messages are still in the queue.
Troubleshooting Message Flows
Anti-Spam Scanning
Look in Message Tracking for:
• Sender Group
• Per-recipient policy
• CASE verdicts
• Outbreak Filters verdict
Are any of the items missing?
Troubleshooting Message Flows
Sender Groups
Sender Groups are important in tracking down sources of spam, as they can be set to bypass anti-spam scanning.
An example of this is the TRUSTED Mail Flow Policy used by the WHITELIST Sender Group.
Marketing Message Detection
When Spam is Not Spam
A large number of end-user spam complaints come from aggressive email marketers who use opt-out messaging techniques. Their messages conform to CAN-SPAM and other legal requirements.
Marketing Message Detection is off by default. Turn it on to address these messages.
Options are Deliver, Drop, Spam Quarantine, or Bounce.
Is IPAS Updating Properly?
The Anti-Spam engine in the ESA regularly communicates and checks for updates to the engines, databases, and rules. This can be checked under Security Services > IronPort Anti-Spam.
Click Update Now, or use the CLI command antispamupdate ironport force.
You can run the tail updater_logs CLI command to watch for errors in updating.
Is Anti-Virus Updating Properly?
Similar to Anti-Spam, the Anti-Virus engine in the ESA regularly communicates and checks for updates to the engines, databases, and rules. This can be checked under Security Services > Sophos or Security Services > McAfee.
Click Update Now, or use the CLI command antivirusupdate force.
You can run the tail updater_logs CLI command to watch for errors in updating.
One Last Item
Submitting Missed Spam
Resources
White Papers:
Catch More Spam: Fine-Tune Your Email Security Appliance
http://www.cisco.com/c/en/us/products/collateral/security/email-security-appliance/white-paper-c11-732910.html
Software:
Email Security Plug-in for Outlook (7.3.x) and Lotus Notes (7.1.x)
http://software.cisco.com/download/release.html?mdfid=283137618&flowid=4948&softwareid=283090992
Questions?