Spam Filtering

Spam is both an annoyance to users and an aggravation to email administrators who must deal with the extra space the spam takes up on the servers. Spam filters are designed to prevent spam from being delivered to mailboxes. The issue with spam filters is that often legitimate email is marked as spam. Finding the right setting can be challenging. Users should be advised that no filter is perfect and that they should regularly check quarantined email for legitimate emails.

Reputation-based filtering relies on the identification of email servers that have become known for sending spam. When a system can do this, it must rely on some service for developing these “reputations.” As you will see later, an example is the Cisco SenderBase. This is the system the Cisco Email Security Appliance (ESA) uses. This repository manages reputation “scores” for servers based on any malicious activity in which the server is reported to have been involved.

Context-Based Filtering

Context-based filtering filters the message and attachments for sender identities, message content, embedded URLs, and email formatting. These systems use algorithms to examine these items to identify spam.

Anti-malware Filtering

Email can also introduce malware into the environment through both malicious attachments and deceptive links in emails. While user training is the best approach to preventing email-based malware, we know that it doesn’t always work. Even security professionals have inadvertently clicked malicious links and attachments by mistake. To augment training, the examination of all email for malware and the filtering of such malicious mail should be parts of providing secure email.

DLP

Data leakage occurs when sensitive data is disclosed to unauthorized personnel either intentionally or inadvertently. Data loss prevention (DLP) software attempts to prevent data leakage. It does this by maintaining awareness of actions that can and cannot be taken with respect to a document. For example, it might allow printing of a document but only at the company office. It might also disallow sending the document through email. DLP software uses ingress and egress filters to identify sensitive data that is leaving the organization and can prevent such leakage. Another scenario might be the release of product plans that should be available only to the sales group. The policy you could set for that document is as follows:

• It cannot be emailed to anyone other than sales group members.
• It cannot be printed.
• It cannot be copied.

There are two locations at which DLP can be implemented.

Network DLP Installed at network egress points near the perimeter, network DLP analyzes network traffic.

Endpoint DLP Endpoint DLP runs on end-user workstations or servers in the organization.

You can use both precise and imprecise methods to determine what is sensitive.

Precise methods These methods involve content registration and trigger almost zero false-positive incidents.

Imprecise methods These can include keywords, lexicons, regular expressions, extended regular expressions, metadata tags, Bayesian analysis, and statistical analysis.

The value of a DLP system resides in the level of precision with which it can locate and prevent the leakage of sensitive data.

Blacklisting

Blacklisting identifies bad senders. Whitelisting occurs when a list of acceptable e-mail addresses, Internet addresses, websites, applications, or other identifiers are configured as good senders or as allowed. Graylisting is somewhere in between the two when an entity cannot be identified as a whitelist or blacklist item. In the case of graylisting, the new entity must pass through a series of tests to determine whether it will be whitelisted or blacklisted. Whitelisting, blacklisting, and graylisting are commonly used with spam filtering tools.

Email Encryption

Email traffic, like any other traffic type, can be captured in its raw form with a protocol analyzer. If the email is clear text, it can be read. For this reason, encryption should be used for all emails of a sensitive nature. While this can be done using the digital certificate of the intended recipient, this is typically possible only if the recipient is part of your organization and your company has a public key infrastructure (PKI). Many email products include native support for digital signing and encryption of messages using digital certificates.

While it is possible to use email encryption programs like Pretty Good Privacy (PGP), it is confusing for many users to use these products correctly without training. Another option is to use an encryption appliance or service that automates the encryption of email. Regardless of the specific approach, encryption of messages is the only mitigation for information disclosure from captured packets.

Cisco Email Security Appliance

The Cisco Email Security Appliance can address each of these concerns. The features that address email issues in the ESA are covered in this section. At the end of the section is a discussion of the message flow when using ESA.

Advanced Malware Protection

Advanced Malware Protection (AMP) is the malware component in ESA that uses a combination of several technologies to protect you from email-based malware.

File Reputation A fingerprint of every file that traverses the Cisco email security gateway is sent to AMP’s cloud-based intelligence network for a reputation verdict. Based on these results, you can block malicious files identified as having a bad reputation.

File Retrospection Sometimes files enter the network and are later identified as being a threat. This allows for the identification and removal of these files later. If malicious behavior is spotted later, AMP sends a retrospective alert so that you can contain and remediate the malware. This process is depicted in Figure 17.1 .

File Sandboxing This provides the ability to analyze files that traverse the gateway. Then in the safe sandboxed environment, AMP can obtain details about the threat level of the malware and communicate that information to the Cisco Talos intelligence network to update the AMP cloud data for all.

ESA Message Flow

ESA performs its job by acting as a message transfer agent (MTA) in the email system. Another name for this function is email relay. Figure 17.2 shows a normal inbound message flow.

Figure 17.3 shows a normal outbound message flow.

Putting the Pieces Together

The various components that ESA brings to bear in its role as an email security utility work together in an integrated fashion, as shown in Figure 17.4 , which is how ESA operates against incoming email.

Regarding email that is leaving the organization, the operations of these components are depicted in Figure 17.5 .

Understanding Web Proxies

Proxy servers can be appliances, or they can be installed on a server operating system. These servers act like a proxy firewall in that they create the web connection between systems on their behalf, but they can typically allow and disallow traffic on a more granular basis. For example, a proxy server may allow the sales group to go to certain websites while not allowing the data entry group access to those same sites. The functionality extends beyond HTTP to other traffic type, such as FTP traffic.

Proxy servers can provide an additional beneficial function called web caching. When a proxy server is configured to provide web caching, it saves a copy of all web pages that have been delivered to internal computers in a web cache. If any user requests the same page later, the proxy server has a local copy and need not spend the time and effort to retrieve it from the Internet. This greatly improves web performance for frequently requested pages.

From a deployment perspective, web proxies can be implemented in two ways.

Cisco Web Security Appliance

The Cisco Web Security Appliance (WSA) is a web proxy that integrates with other network components to monitor and control outbound requests for web content. Traffic can be directed to the WSA explicitly on the end host or by using Web Cache Control Protocol on an inline device like the perimeter router. The features it provides are covered in this section and will be followed by a description of traffic flow when using a WSA.

Cisco Identity Services Engine (ISE)

Finally, if the organization is implementing a BYOD policy, it can streamline this with self-service onboarding and management. While many of these features are beyond the scope of this book, we are going to discuss how it can handle the settings in this section.

Antivirus/Anti-malware

The Cisco ISE posture service interrogates a device requesting access for information regarding the presence of and proper configuration of antivirus and/or anti-malware software. It also checks for the presence of the latest available updates. Only when the machine is fully compliant is it allowed full access to the network.

Personal Firewall

While the Cisco ISE posture service verifies the presence of and proper configuration of antivirus and/or anti-malware software, it doesn’t stop there. It can also verify the function and settings of the personal firewall. It can compare this with a baseline for compliance in the same way it verifies the antivirus and/or anti-malware software.

Hardware/Software Encryption of Local Data

Finally, sensitive data located in endpoints should be secured with either hardware or software encryption. Cisco ISE can be used to implement a mobile management solution that can require encryption of the storage in both easily stolen mobile devices and other devices that may contain sensitive information.

HIPS

While not a function that can be controlled through ISE or TrustSec, a host-based IPS (HIPS) monitors traffic on a single system. Its primary responsibility is to protect the system on which it is installed. An HIPS typically works closely with anti-malware products and host firewall products. They generally monitor the interaction of sites and applications with the operating system and stop any malicious activity or, in some cases, ask the user to approve changes that the application or site would like to make to the system.

These systems can use several methods of detecting intrusions. The two main methods are as follows:

• Signature based: Analyzes traffic and compares patterns, called signatures, that reside within the IDS database. This requires constant updating of the signature database.
• Anomaly based: Analyzes traffic and compares it to normal traffic to determine whether the traffic is a threat. This means any traffic out of the ordinary will set off an alert.