Chapter 10

Content Security

This chapter covers the following topics:

Content Security Fundamentals

Cisco Web Security Appliance (WSA)

Cisco Email Security Appliance (ESA)

Cisco Content Security Management Appliance (SMA)

The following SCOR 350-701 exam objectives are covered in this chapter:

  • Domain 4.0 Content Security

    • 4.1 Implement traffic redirection and capture methods

    • 4.2 Describe web proxy identity and authentication, including transparent user identification

    • 4.3 Compare the components, capabilities, and benefits of local and cloud-based email and web solutions (ESA, CES, WSA)

    • 4.4 Configure and verify web and email security deployment methods to protect on-premises and remote users (inbound and outbound controls and policy management)

    • 4.5 Configure and verify email security features such as SPAM filtering, antimalware filtering, DLP, blacklisting, and email encryption

    • 4.6 Configure and verify secure Internet gateway and web security features such as blacklisting, URL filtering, malware scanning, URL categorization, web application filtering, and TLS decryption

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt about your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 10-1 lists the major headings in this chapter and their corresponding “Do I Know This Already?” quiz questions. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes and Q&A Sections.”

Table 10-1 “Do I Know This Already?” Section-to-Question Mapping

Foundation Topics Section                          Questions
Content Security Fundamentals                      1
Cisco Web Security Appliance (WSA)                 2–5
Cisco Email Security Appliance (ESA)               5–8
Cisco Content Security Management Appliance (SMA)  9–10

Caution

The goal of self-assessment is to gauge your mastery of the topics in this chapter. If you do not know the answer to a question or are only partially sure of the answer, you should mark that question as wrong for purposes of the self-assessment. Giving yourself credit for an answer you incorrectly guess skews your self-assessment results and might provide you with a false sense of security.

1. Which of the following statements is not true about AsyncOS?

  1. AsyncOS is the underlying operating system for Cisco WSA.

  2. AsyncOS is the underlying operating system for Cisco ESA.

  3. AsyncOS is the underlying operating system for Cisco SMA.

  4. AsyncOS provides a user UNIX shell, and administrators can configure the system using a web admin portal (or a web-based GUI).

2. Which of the following is the Cisco WSA engine that analyzes and categorizes unknown URLs and blocks websites that fall below a defined security policy or threshold? The same engine analyzes more than 200 different factors related to web traffic and the network to determine the level of risk associated with a site.

  1. AVC engine

  2. Web reputation engine

  3. CASB engine

  4. File reputation engine

3. In which type of Cisco WSA deployment mode is the client configured to use the web proxy?

  1. Transparent mode

  2. Explicit forward mode

  3. WCCP mode

  4. None of these answers is correct.

4. Which of the following statements is not true?

  1. Because the client knows there is a proxy and sends all traffic to the proxy in explicit forward mode, the client does not perform a DNS lookup of the domain before requesting the URL. The Cisco WSA is responsible for DNS resolution, as well.

  2. When you configure the Cisco WSA in explicit mode, you do not need to configure any other network infrastructure devices to redirect client requests to the Cisco WSA. However, you must configure each client to send traffic to the Cisco WSA.

  3. In transparent mode, you can also configure the client’s proxy settings using DHCP or DNS, using proxy auto-configuration (PAC) files, or with Microsoft Group Policy Objects (GPOs).

  4. You can advertise and configure clients with PAC settings by using the Web Proxy Auto-Discovery (WPAD) protocol. WPAD uses the auto-detect proxy settings found in every modern web browser.

5. You are hired to deploy a web security solution using Cisco WSA. Your boss asks for you to select the best deployment option where web clients do not require an agent or a special configuration in the web browser or operating system. Which of the following is the best approach to accomplish this task?

  1. Enabling WCCP in your infrastructure to redirect web traffic to the Cisco WSA, requiring a review of routing configurations and firewall policies

  2. Configuring the Cisco WSA in transparent mode using hardware load balancers and PAC files

  3. Configuring policy-based routing along with hardware load balancers in explicit web traffic mode

  4. Configuring the Cisco WSA in explicit mode using PAC files and policy-based routing in Cisco routers

6. Which of the following is the entity responsible for forwarding emails from a sender to the recipient, which most people refer to as the “mail server”?

  1. Mail transfer agent (MTA)

  2. Mail delivery agent (MDA)

  3. Mail submission agent (MSA)

  4. Mail user agent (MUA)

7. The Cisco ESA acts as a mail transfer agent. The Cisco ESA is the destination of which public records?

  1. AA

  2. MX

  3. C-NAME

  4. All of these answers are correct.

8. Which of the following is used by the Cisco ESA to handle incoming SMTP connection requests? These entities demarcate the email processing service configured on a Cisco ESA interface.

  1. WCCP redirects

  2. MX records

  3. SMTP MSAs

  4. Listeners

9. Which of the following provides a means for gateway-based cryptographic signing of outgoing messages? This technology allows you to embed verification data in an email header and for email recipients to verify the integrity of the email messages, and it uses DNS TXT records to publish public keys.

  1. SPF

  2. DKIM

  3. SenderBase

  4. Cisco SMA

10. You are hired to deploy an email and web security solution that can be managed from a centralized location. In addition, this solution must allow you to integrate with third-party solutions to monitor outgoing emails to make sure that no sensitive information is being transferred out of your company. Which of the following is the best approach to accomplish this task?

  1. Deploy Cisco FMC to manage and monitor Cisco ESA, Cisco WSA, and Cisco FTD with DLP services.

  2. Deploy Cisco SMA to manage and monitor Cisco ESA and Cisco WSA, and make sure that the Cisco ESA DLP email policies are enabled in the Outgoing Mail Policies table.

  3. Deploy Cisco SMA to manage and monitor Cisco ESA and Cisco WSA, and make sure that the Cisco FMC DLP email policies are enabled in the Outgoing Mail Policies table.

  4. Deploy Cisco FMC to manage and monitor Cisco ESA and Cisco WSA, and make sure that the Cisco ESA DLP email policies are enabled in the Outgoing Mail Policies table.

Foundation Topics

Content Security Fundamentals

Cyber actors (attackers) use email and the web as the two top threat vectors to carry out many of their attacks. Why? It is because email and web protocols are the most popular protocols used by individuals and organizations. In Chapter 1, “Cybersecurity Fundamentals,” you learned the many different social engineering attacks that can be carried over email (phishing, spear phishing, whaling, and so on). You also learned how attackers can fool users to follow malicious links, impersonate websites, and attack different web-based applications.

Cisco acquired a company called Ironport that created what we know today as the Cisco Web Security Appliance (WSA) and the Cisco Email Security Appliance (ESA) to address this problem. The Cisco WSA and Cisco ESA are solutions designed to provide strong protection, complete control, and operational visibility into threats to an organization. The Cisco WSA and Cisco ESA have been integrated with other Cisco solutions such as AMP, and they also can digest threat intelligence from Cisco Talos.

The Cisco WSA and Cisco ESA can be managed by the Cisco Content Security Management Appliance (SMA). The Cisco SMA provides a solution for centralizing the management and reporting functions of multiple Cisco ESA and Cisco WSA devices. When you deploy the Cisco SMA, it provides simplification of administration and planning, and it improves compliance monitoring. Another benefit of the Cisco SMA is that it allows administrators to enable consistent policy enforcement and enhances threat protection.

The underlying operating system of the Cisco ESA, Cisco WSA, and Cisco SMA is the Async Operating System (AsyncOS). You will learn more about AsyncOS in the following section.

Cisco Async Operating System (AsyncOS)

AsyncOS powers the Cisco WSA, Cisco ESA, and Cisco SMA, and it is based on a FreeBSD kernel. However, Cisco enhanced AsyncOS to address some of the limitations of traditional Linux and UNIX operating systems. One focus was scalability, in order to support thousands of connections per minute. Cisco WSA, Cisco ESA, and Cisco SMA running AsyncOS take advantage of a high-performance file system and optimized asynchronous communication of email and web transactions (thus the name AsyncOS). AsyncOS does not have a user UNIX shell. Administrators can configure the system using a web admin portal (or a web-based GUI) or a fully scriptable command-line interface (CLI).

Cisco WSA

Under the hood, the Cisco Web Security Appliance (WSA) includes a web proxy, a threat analytics engine, antimalware engine, policy management, and reporting in a single physical or virtual appliance. The main use of the Cisco WSA is to protect users from accessing malicious websites and being infected by malware.

Organizations can also configure the Cisco WSA to give users access to the sites they need to do their work and deny other sites, including gaming sites, social media, and so forth.

The following are the different Cisco WSA feature engines:

  • Web Reputation engine: Analyzes and categorizes unknown URLs and blocks websites that fall below a defined security policy or threshold. The Web Reputation engine analyzes more than 200 different factors related to web traffic and the network to determine the level of risk associated with a site. The Cisco WSA Web Reputation engine is very different in comparison to legacy URL blacklisting and whitelisting capabilities of traditional web proxies. The Cisco WSA engine analyzes a large data set and produces a granular reputation score of –10 to +10. This reputation score allows security professionals to make a better risk assessment.

  • Web filtering: Syndicates traditional URL filtering with real-time dynamic content analysis. This, in turn, allows for granular acceptable use policy (AUP) creation and warns the user on certain quota and bandwidth conditions.

  • Application Visibility and Control (AVC): Enables the Cisco WSA to inspect and/or block applications that are not allowed by the organization’s security policy. You can allow users to use social media sites like Twitter and Facebook and then block micro-applications within those social media sites (like Facebook games).

  • Cloud access security: The Cisco WSA can detect and stop hidden threats in cloud apps by leveraging built-in AVC along with integrations with cloud access security brokers (CASBs) such as Cisco Cloudlock.

  • Antivirus scanning: The Cisco WSA supports different antivirus programs such as McAfee, Sophos, and Webroot.

  • File reputation: Based on Cisco Talos threat intelligence, which is updated every three to five minutes.

  • Data-loss prevention (DLP): The Cisco WSA can redirect all outbound traffic to a third-party DLP system, allowing deep content inspection for regulatory compliance and data exfiltration protection. This allows you to inspect web content by title, metadata, and size, and even to prevent users from storing files to cloud services, such as Box, Dropbox, iCloud, and Google Drive.

  • File sandboxing: The Cisco WSA has been integrated with the Cisco AMP and Cisco Threat Grid sandboxing capabilities. This allows for putting an unknown file in a sandbox to inspect its behavior. Cisco AMP and Threat Grid use machine learning to analyze the file and determine the threat level. You will learn more about Cisco AMP and Threat Grid in Chapter 11, “Endpoint Protection and Detection.”

  • File retrospection: The Cisco WSA examines files that are downloaded and continues to cross-examine files over an extended period of time. The file disposition can be Unknown, Clean, Malware, and so on. A changed file disposition is referred to as a retrospective disposition.

  • Cognitive threat analytics: The Cisco WSA supports anomaly detection of HTTP and HTTPS traffic. The state and results of the cognitive threat analytics metrics are fine-tuned based on new threat information discovered by the system and Cisco Talos. This allows the Cisco WSA to discover confirmed threats in an environment even when HTTPS traffic inspection has been disabled.

The Cisco WSA Proxy

The Cisco WSA virtual and physical appliances are typically placed either on the inside of the Internet edge firewall or in a demilitarized zone (DMZ). The reason you deploy the Cisco WSA behind the firewall or in a DMZ is to be able to centralize proxying and to reduce the number of Cisco WSA appliances.

Note

The Cisco WSA can be deployed as a physical appliance or as a virtual machine running on VMware’s ESX, KVM, or Microsoft’s Hyper-V. A proxy sits between HTTP clients (web browsers or APIs [in the case of machine-to-machine communication]) and HTTP servers. This specifically means that the WSA as a web proxy has two sets of TCP sockets per client request: one connection from the client to the WSA and another connection from the WSA to the web server.

Cisco WSA physical and virtual appliances have one or more of the following interface types:

  • M1: Typically used for management. The M1 interface can be used for data traffic (otherwise known as a one-armed interface configuration).

  • P1/P2: These are typically the interfaces used for web proxy traffic (that is, data interfaces). If you enable the P1 and P2 interfaces, each interface must be connected to different subnets. You can also combine M1 and P1. If doing so, M1 can be configured to proxy requests and P1 is used to send traffic to the Internet. If you use multiple interfaces for proxying, you need to configure static routes to direct the traffic to the correct interface.

  • T1/T2: Typically used for Layer 4 traffic monitoring to listen to all TCP ports. When you enable the T1/T2 ports, they are not configured with an IP address because they are promiscuous monitoring ports. T1 can be configured alone for duplex communication, or T1 and T2 can be configured together in simplex mode. For instance, T1 can be configured to receive all outgoing traffic to the Internet, and the T2 interface can be configured to receive all incoming traffic from the Internet.

You can deploy the Cisco WSA in two different modes:

  • Explicit forward mode

  • Transparent mode

Cisco WSA in Explicit Forward Mode

In explicit forward mode, the client is configured to explicitly use the proxy, consequently sending all web traffic to the proxy, as demonstrated in Figure 10-1.

Figure 10-1 Cisco WSA in Explicit Forward Mode

Tip

Because the client knows there is a proxy and sends all traffic to the proxy in explicit forward mode, the client does not perform a DNS lookup of the domain before requesting the URL. The Cisco WSA is responsible for DNS resolution, as well.

When you configure the Cisco WSA in explicit mode, you do not need to configure any other network infrastructure devices to redirect client requests to the Cisco WSA. However, you must configure each client to send traffic to the Cisco WSA. In large environments, this could be problematic. However, you can also configure the client’s proxy settings using DHCP or DNS, using proxy auto-configuration (PAC) files, or with Microsoft Group Policy Objects (GPOs). You can also lock browser proxy settings with solutions like Microsoft GPOs.

Tip

You can advertise and configure clients with PAC settings by using the Web Proxy Auto-Discovery (WPAD) protocol. WPAD uses the auto-detect proxy settings found in every modern web browser. Proxy server configurations can be provisioned to clients through DHCP option 252 with the URL as a string in the option (for example, https://secretcorp.org/wpad.dat) or with DNS by creating an A host record for wpad.secretcorp.org.
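The following PAC file is an added example (not from the book) of what a WPAD-served wpad.dat for the explicit forward mode described above could contain. The proxy names wsa1.secretcorp.org and wsa2.secretcorp.org and port 3128 are assumptions; the browser's PAC runtime normally supplies the helper functions, which are re-implemented here only so the file can also be exercised offline.

```javascript
// Added example (not from the book): a proxy auto-configuration (PAC) file for
// explicit forward mode. The browser (or WPAD, which fetches it as wpad.dat)
// calls FindProxyForURL(url, host) for every request. The WSA host names and
// port 3128 are assumptions for illustration.

// A browser's PAC runtime supplies isPlainHostName, dnsDomainIs and isInNet.
// They are re-implemented here only so that the file also runs under node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isInNet(ipaddr, pattern, maskstr) {
  // IPv4 only, and only for dotted-quad literals: the real helper resolves a
  // host name first, which makes the client perform the DNS lookup that
  // explicit mode is supposed to leave to the WSA (and stalls the browser
  // whenever DNS is slow).
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipaddr)) return false;
  const toInt = (s) =>
    s.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
  const mask = toInt(maskstr);
  return (toInt(ipaddr) & mask) === (toInt(pattern) & mask);
}

// Primary and secondary WSA. There is deliberately no trailing "; DIRECT":
// a fail-open fallback would let browsers bypass the proxy, and every policy
// it enforces, whenever both appliances are unreachable.
const WSA_PROXIES = "PROXY wsa1.secretcorp.org:3128; PROXY wsa2.secretcorp.org:3128";

function FindProxyForURL(url, host) {
  // Unqualified names and the corporate domain are reached directly.
  if (isPlainHostName(host) || dnsDomainIs(host, ".secretcorp.org")) {
    return "DIRECT";
  }
  // IP literals inside RFC 1918 space stay internal as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else, including every Internet destination, goes to the WSA.
  return WSA_PROXIES;
}
```

Serve the file as wpad.dat with the MIME type application/x-ns-proxy-autoconfig from the URL advertised via DHCP option 252 or the wpad host record.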

Figure 10-2 shows the proxy configuration of a macOS device.

Figure 10-2 Proxy Configuration in a Mac OS X Device

The Cisco WSA also supports SOCKS proxy configurations. When it is configured as a SOCKS proxy, the client exchanges SOCKS protocol messages to negotiate a proxy connection. When a connection is established, the client communicates with the Cisco WSA by using the SOCKS protocol.

Note

You need to configure a SOCKS policy in order to use the Cisco WSA SOCKS proxy. The SOCKS protocol (and consequently the Cisco WSA) only supports direct forward connections. The Cisco WSA does not forward traffic to any upstream proxies when configured as a SOCKS proxy. In addition, the Cisco WSA SOCKS proxy does not support scanning services, which are used by AVC, DLP, and malware detection. The Cisco WSA SOCKS proxy is not able to decrypt SSL traffic because it tunnels traffic from the client to the server.

Cisco WSA in Transparent Mode

When the Cisco WSA is in transparent mode, clients do not know there is a proxy deployed. Network infrastructure devices are configured to forward traffic to the Cisco WSA. In transparent mode deployments, network infrastructure devices redirect web traffic to the proxy. Web traffic redirection can be done using policy-based routing (PBR)—available on many routers—or using Cisco’s Web Cache Communication Protocol (WCCP) on Cisco ASA, Cisco routers, or switches.

Figure 10-3 shows a Cisco WSA in transparent mode.

Figure 10-3 Cisco WSA in Transparent Mode

Tip

WCCP is a Cisco-developed content-routing protocol that provides a mechanism to redirect traffic flows in real time. It has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms.

The following are the steps illustrated in Figure 10-3.

Step 1. The client initiates a connection to h4cker.org.

Step 2. The Cisco ASA redirects the request to the Cisco WSA using WCCP.

Step 3. The Cisco WSA verifies the request and replies to the client if the web request violates a policy or the security engine flags it.

Step 4. The Cisco WSA initiates a new connection to h4cker.org.

Step 5. The h4cker.org web server replies to the Cisco WSA. The Cisco WSA checks for malicious or inappropriate content and blocks it, if needed.

Step 6. If the content is acceptable, the Cisco WSA forwards the content to the client.

Tip

In Figure 10-3, the client is unaware its traffic is being sent to a proxy (Cisco WSA) and, as a result, the client uses DNS to resolve the domain name in the URL and sends the web request destined for the web server (not the proxy). When you configure the Cisco WSA in transparent mode, you need to identify a network choke point with a redirection device (in this example, a Cisco ASA) to redirect traffic to the proxy.

When transparent mode is configured, you are able to force all traffic to the proxy if desired (without end-user interaction). Load balancing is inherent without the use of hardware load balancers or PAC files. Many organizations deploy transparent mode Cisco WSAs in phases by using access control lists (ACLs) with policy-based routing or WCCP.

Note

When you enable WCCP in your infrastructure, it requires review of routing configurations, firewall policies, and so on. For instance, when you configure WCCP in the Cisco ASA, the Cisco WSA and clients need to be within the same security zone.

Configuring WCCP in a Cisco ASA to Redirect Web Traffic to a Cisco WSA

The following are the steps to configure WCCP in the Cisco ASA:

Step 1. Create an access control list (ACL) to define (match) the HTTP and HTTPS traffic from the 10.1.1.0/24 and 10.1.2.0/24 subnets, as shown in Example 10-1.

Example 10-1 Matching the HTTP and HTTPS Traffic

access-list HTTP-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list HTTP-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any eq www
access-list HTTPS-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list HTTPS-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any eq https

Step 2. You can also inspect FTP traffic in the Cisco WSA. In order to do so, create an ACL to match FTP traffic, as demonstrated in Example 10-2.

Example 10-2 Matching FTP Traffic

access-list FTP-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq ftp
access-list FTP-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any range 11000 11006
access-list FTP-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any eq ftp
access-list FTP-TRAFFIC permit tcp 10.1.2.0 255.255.255.0 any range 11000 11006

Step 3. Create another ACL to include the IP address of the Cisco WSA (10.1.2.3) and create the WCCP redirect lists, as demonstrated in Example 10-3. You can configure WCCP redirection of HTTP traffic (TCP port 80 traffic) and also non-HTTP TCP traffic, as well as UDP packets. For instance, you can redirect packets used for proxy-web cache handling, File Transfer Protocol (FTP) caching, FTP proxy handling, audio and video applications, and so on. To achieve this task, you can configure multiple WCCP service groups. Service information is specified in the WCCP configuration commands using dynamic service identification numbers (such as “10” or “20”, as shown in Example 10-4) or predefined service keywords (such as “web-cache”). The networking device uses that information to validate that service group members are all providing or using the same service.

Example 10-3 Creating an ACL to Define Where to Send the Traffic and Creating the WCCP Redirect Lists

access-list WSA extended permit ip host 10.1.2.3 any
wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
wccp 10 redirect-list FTP-TRAFFIC group-list WSA
wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA

Step 4. Finally, configure the WCCP redirection of traffic on the source interface (the inside interface in this example).

Example 10-4 Configuring Redirection of Traffic on Source Interface

wccp interface inside web-cache redirect in
wccp interface inside 10 redirect in
wccp interface inside 20 redirect in

You can also configure WCCP on a Cisco Firepower Threat Defense (FTD) device by using the Cisco Firepower Management Console (FMC) FlexConfig policies. A FlexConfig policy is a container of an ordered list of FlexConfig objects. Each object includes a series of Apache Velocity scripting language commands, Cisco ASA software configuration commands, and variables that you define. The contents of each FlexConfig object are essentially a program that generates a sequence of the Cisco ASA commands that will then be deployed to the assigned devices. This command sequence then configures the related feature on the Cisco FTD device.

The Cisco FTD devices use Cisco ASA configuration commands to implement some features, but not all features. There is no unique set of Cisco FTD configuration commands. Instead, the point of FlexConfig is to allow you to configure features that are not yet directly supported through the Cisco FMC policies and settings. Figure 10-4 shows the use of FlexConfig to configure WCCP on a Cisco FTD device via the Cisco FMC.

Figure 10-4 Configuring WCCP on a Cisco FTD via FMC’s FlexConfig

Note

Cisco strongly recommends using FlexConfig policies only if you are an advanced user with a strong Cisco ASA background and at your own risk. Enabling features through FlexConfig policies may cause unintended results with other configured features.

Configuring WCCP on a Cisco Switch

Let’s take a look on how to configure WCCP on a Cisco switch to redirect traffic to the Cisco WSA. Refer to the topology shown in Figure 10-5.

Figure 10-5 Configuring WCCP on a Cisco Switch to Send Traffic to a Cisco WSA

The following are the steps to configure WCCP on a Cisco switch to send traffic to the Cisco WSA.

Step 1. Configure an access control list (ACL) to match the web traffic, as demonstrated in Example 10-5.

Example 10-5 Matching HTTP and HTTPS Traffic

ip access-list extended WEB-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.2.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
 permit tcp 10.1.2.0 0.0.0.255 any eq 443

Step 2. You can also redirect FTP traffic to the Cisco WSA. In Example 10-6, an ACL called FTP-TRAFFIC is configured to redirect FTP traffic via WCCP. This ACL, along with the one configured in Example 10-5, will be associated to the WCCP configuration at a later step.

Example 10-6 Matching FTP Traffic

ip access-list extended FTP-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
 permit tcp 10.1.1.0 0.0.0.255 any range 11000 11006
 permit tcp 10.1.2.0 0.0.0.255 any eq ftp
 permit tcp 10.1.2.0 0.0.0.255 any range 11000 11006

Step 3. Configure another ACL to define where to send the traffic (that is, the Cisco WSA’s IP address), as shown in Example 10-7.

Example 10-7 Defining Where to Send the HTTP, HTTPS, and FTP Traffic

ip access-list standard WSA
 permit 10.1.3.3

Step 4. Create the WCCP lists, as demonstrated in Example 10-8.

Example 10-8 Creating the WCCP Lists

ip wccp web-cache redirect-list WEB-TRAFFIC group-list WSA
ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
ip wccp 20 redirect-list WEB-TRAFFIC group-list WSA

Step 5. Configure the WCCP redirection of traffic on the source interface, as shown in Example 10-9.

Example 10-9 Configuring the WCCP Redirection of Traffic on the Source Interface

interface vlan88
 ip wccp web-cache redirect in
 ip wccp 10 redirect in
 ip wccp 20 redirect in
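A WCCP deployment fails quietly when a redirect-list or group-list names an ACL that does not exist, or when an interface applies a service that was never defined: the appliance stays reachable and web traffic simply is not redirected. The following checker is an added example (not from the book or from Cisco) that parses the ASA-style commands of Examples 10-1 through 10-4 and the switch-style commands of Examples 10-5 through 10-9 and reports such mismatches; both configuration samples inside it are constructed, and the mistakes in the switch sample are planted on purpose.

```javascript
// Added example (not from the book or from Cisco): consistency check for the
// WCCP redirection configurations built in Examples 10-1 through 10-9. It reads
// ASA-style ("wccp ...") and IOS-style ("ip wccp ...") commands and reports
// references that silently leave traffic unredirected. Run with: node wccp_check.js

// Constructed sample based on Examples 10-5 to 10-9, with two mistakes planted
// on purpose: web-cache references HTTP-TRAFFIC although the ACL is named
// WEB-TRAFFIC, and the interface applies service 30 instead of 20.
const SAMPLE_IOS_CONFIG = `
ip access-list extended WEB-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq www
 permit tcp 10.1.1.0 0.0.0.255 any eq 443
ip access-list extended FTP-TRAFFIC
 permit tcp 10.1.1.0 0.0.0.255 any eq ftp
ip access-list standard WSA
 permit 10.1.3.3
ip wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
ip wccp 10 redirect-list FTP-TRAFFIC group-list WSA
ip wccp 20 redirect-list WEB-TRAFFIC group-list WSA
interface vlan88
 ip wccp web-cache redirect in
 ip wccp 10 redirect in
 ip wccp 30 redirect in
`;

// Constructed sample based on Examples 10-1, 10-3 and 10-4 (consistent).
const SAMPLE_ASA_CONFIG = `
access-list HTTP-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq www
access-list HTTPS-TRAFFIC permit tcp 10.1.1.0 255.255.255.0 any eq https
access-list WSA extended permit ip host 10.1.2.3 any
wccp web-cache redirect-list HTTP-TRAFFIC group-list WSA
wccp 20 redirect-list HTTPS-TRAFFIC group-list WSA
wccp interface inside web-cache redirect in
wccp interface inside 20 redirect in
`;

const RE_IFACE     = /^interface (\S+)/;                            // IOS interface block
const RE_ACL_IOS   = /^ip access-list (?:standard|extended) (\S+)/; // IOS named ACL
const RE_ACL       = /^access-list (\S+) /;                         // ASA named / IOS numbered ACL
const RE_ASA_APPLY = /^wccp interface (\S+) (\S+) redirect/;        // ASA: apply service to interface
const RE_IOS_APPLY = /^ip wccp (\S+) redirect (?:in|out)\b/;        // IOS: inside an interface block
const RE_SERVICE   = /^(?:ip )?wccp (\S+)(.*)$/;                    // service definition (both)

function parseWccpConfig(text) {
  const acls = new Set();
  const services = new Map();   // service id -> { redirectList, groupList }
  const applied = [];           // { iface, service }
  let currentIface = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("!")) continue;
    let m;
    if ((m = RE_IFACE.exec(line))) { currentIface = m[1]; continue; }
    if (!/^\s/.test(raw)) currentIface = null;   // an unindented line ends the block
    if ((m = RE_ACL_IOS.exec(line)) || (m = RE_ACL.exec(line))) {
      acls.add(m[1]);
    } else if ((m = RE_ASA_APPLY.exec(line))) {
      applied.push({ iface: m[1], service: m[2] });
    } else if ((m = RE_IOS_APPLY.exec(line))) {
      applied.push({ iface: currentIface || "(global)", service: m[1] });
    } else if ((m = RE_SERVICE.exec(line)) && m[1] !== "version") {
      const rl = /redirect-list (\S+)/.exec(m[2]);
      const gl = /group-list (\S+)/.exec(m[2]);
      services.set(m[1], { redirectList: rl && rl[1], groupList: gl && gl[1] });
    }
  }
  return { acls, services, applied };
}

function checkWccpConfig(text) {
  const { acls, services, applied } = parseWccpConfig(text);
  const findings = [];
  for (const [id, svc] of services) {
    for (const [kind, name] of [["redirect-list", svc.redirectList],
                                ["group-list", svc.groupList]]) {
      if (name && !acls.has(name)) {
        findings.push(`service ${id}: ${kind} ${name} is not a defined ACL`);
      }
    }
    if (!applied.some((a) => a.service === id)) {
      findings.push(`service ${id}: defined but not applied to any interface`);
    }
  }
  for (const a of applied) {
    if (!services.has(a.service)) {
      findings.push(`interface ${a.iface}: WCCP service ${a.service} is not defined`);
    }
  }
  return findings;
}

for (const f of checkWccpConfig(SAMPLE_IOS_CONFIG)) console.log("IOS:", f);
for (const f of checkWccpConfig(SAMPLE_ASA_CONFIG)) console.log("ASA:", f);
```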

Configuring the Cisco WSA to Accept WCCP Redirection

Figure 10-6 shows how to configure WCCP on the Cisco WSA.

Figure 10-6 Configuring WCCP on the Cisco WSA

Navigate to Network > Transparent Redirection and click Edit Device. Select WCCP v2 Router from the drop-down and click Submit. Click Add Service to add a new WCCP redirection service, and the screen shown in Figure 10-6 is displayed.

Note

The WCCP configuration can be customized to use different service IDs for different traffic. Each service ID needs a separate entry on the Cisco WSA.

Traffic Redirection with Policy-Based Routing

You can also configure PBR on a Cisco router to redirect web traffic to the Cisco WSA.

Note

Configuring PBR can affect the router’s performance if enabled in software (without hardware acceleration). You should review the respective router documentation to determine any impact.

When you configure the Cisco WSA in transparent mode using a “Layer 4 switch,” no additional configuration is needed on the Cisco WSA. You just navigate to Network > Transparent Redirection and select Layer 4 Switch. In this case, the redirection is controlled by the Layer 4 switch (or router). Why Layer 4? Because redirection is being done based on Layer 4 ports.

In Example 10-10, a PBR policy is configured in a Cisco router that matches traffic from two source subnets (10.1.1.0/24 and 10.1.2.0/24). The web traffic is received on interface VLAN 88. The traffic is sent to the Cisco WSA configured with IP address 10.1.2.3.

Example 10-10 PBR Configuration in a Cisco Router

access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 80
access-list 101 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 101 permit tcp 10.1.2.0 0.0.0.255 any eq 443
!
route-map WebRedirect permit 10
  match ip address 101
  set ip next-hop 10.1.3.3
interface vlan88
  ip policy route-map WebRedirect

Cisco WSA Security Services

The Cisco WSA uses security components to protect end users from a range of malware threats. You can configure antimalware and web reputation settings for each policy group. When you configure Access Policies, you can also have AsyncOS for Web choose a combination of antimalware scanning and web reputation scoring to use when determining what content to block.

Figure 10-7 shows the Security Services options in the Cisco WSA.

Figure 10-7 Security Services Options in the Cisco WSA

Note

The CCNP Security 300-725 SWSA exam, “Securing the Web with Cisco Web Security Appliance (SWSA),” and the CCIE lab cover configuration and troubleshooting of the Cisco WSA.

Deploying Web Proxy IP Spoofing

When the Cisco WSA (as a web proxy) forwards a request, by default it changes the request source IP address to match its own address. However, you can change this behavior by enabling web proxy IP spoofing so that requests appear to come from the client rather than from the Cisco WSA.

IP spoofing is supported in transparent and explicitly forwarded proxy configurations. When the Cisco WSA is deployed in transparent mode, you can enable IP spoofing either for only transparently redirected connections or for all connections (transparently redirected and explicitly forwarded).

When you configure explicit proxy with IP spoofing, you must ensure that HTTP reply packets are routed back to the Cisco WSA.

Note

When you configure IP spoofing and the Cisco WSA is connected to a WCCP router, two WCCP services must be configured (one based on source ports and one based on destination ports) in order to track the underlying HTTP transactions.

Configuring Policies in the Cisco WSA

The Cisco WSA identifies and controls web requests using different policies. When a client initiates a web request to a web server, the Cisco WSA inspects the transaction and determines to which policy it belongs. The defined policy actions are applied to the request.

Tip

The Cisco WSA evaluates policies from the top down (similar to router and firewall ACLs). A best practice is to place the most accessed or used policies at the top to increase performance.

One of the policy types you can enable in the Cisco WSA is called identification policies. Identification policies are configured to identify the users behind the web requests, instead of just reporting based on the IP address of the system or device making the web request. You can configure the Cisco WSA to interact with Lightweight Directory Access Protocol (LDAP) or Active Directory (AD) authentication servers.

Note

LDAP supports only basic authentication, whereas AD supports NTLM, Kerberos, and basic authentication.

Traditionally, users are identified by username and password, and their credentials are then validated with an authentication server. Subsequently, policies are applied based on the username. However, the WSA can be configured to authenticate users without prompting the end user for credentials (transparent identification). When you enable transparent identification, the user is authenticated using the authentication “state” obtained from another trusted source. Consequently, the Cisco WSA assumes that the user has already been authenticated by that trusted source and applies the configured policies. Transparent authentication is considered a single sign-on (SSO) environment, and the users are not aware that a proxy has been deployed. This is also useful when client devices are not capable of displaying an authentication prompt (such as a printer or an IP phone).

The Cisco WSA provides different options for the AD or LDAP realm (authentication). The following are the available schemes when using AD authentication (AD realm):

  • Basic authentication: Done via a web browser. Basic authentication is not transparent.

  • NTLMSSP: This is a type of transparent authentication. The web browser must be compatible and provide support for NTLMSSP. NTLMSSP uses AD domain credentials for login and is typically used in Windows AD environments (although it can also work with Mac, with additional configuration on the client side).

  • Kerberos: Primarily used with Windows clients, Kerberos is considered the more secure option.

The Cisco WSA supports different authentication schemes for a wide range of client support. The Authentication Surrogates options enable you to configure how web transactions will be associated with a user after the user has been successfully authenticated. The following options are provided by the Cisco WSA:

  • IP Address: The user’s identity is used until the surrogate times out.

  • Persistent Cookie: The user’s identity is used until the surrogate times out.

  • Session Cookie: The user’s identity is used until the browser is closed or the session times out.

There are also access policies. Access policies configured in the Cisco WSA map the identification profiles and users. They also map time-based restrictions, to make sure that the necessary controls align with your business policies.

You can add a new policy by navigating to Web Security Manager > Access Policies > Add Policy. There you can assign a unique name for the policy and map the identification profile settings and optionally additional advanced settings. After submitting the new policy, you can do additional customization to adjust how the access policy behaves compared to the global policy settings.

Tip

You can use protocols and user agents to control policy access to protocols and configure blocking for specific client applications (including social media or instant messaging clients). You can also configure the Cisco WSA to tunnel HTTP CONNECT requests on specific ports.

You can also customize URL filtering using different policies to specify how a transaction based on the URL category of a particular HTTP or HTTPS request is handled by the Cisco WSA. When you configure URL filtering, you can also define custom URL categories. Once the custom URL category is created, you can specify whether to block, redirect, allow, monitor, warn, or apply quota-based or time-based filters for websites in the custom categories.


The following are some additional settings and customizations you can configure in the Cisco WSA:

  • Earlier in this chapter you learned about the AVC engine. You can use the AVC engine to enforce acceptable-use policy components to block or allow applications by application type and by individual applications. In addition, you can control different application behaviors (for example, file transfers).

  • You can also configure the Cisco WSA web proxy to block file downloads based on file characteristics, including the file size, file type, and MIME type.

  • You can also define an access policy to apply antimalware and URL reputation.

  • By default, the Cisco WSA only redirects and decodes port 80 HTTP traffic. However, you can configure the Cisco WSA to decrypt and evaluate SSL traffic. You can do this by navigating to Security Services > HTTPS Proxy. Furthermore, a root certificate used to sign the server certificates that the proxy presents to clients must be created or uploaded to the Cisco WSA. You can create a certificate on the Cisco WSA and then install it as a trusted root on all clients that will be connecting through the Cisco WSA. You can also use the HTTPS proxy to change the decryption options, invalid certificate handling, and Online Certificate Status Protocol (OCSP) options. Then you add a decryption policy or edit the global policy once the HTTPS proxy is configured.

  • You can also create an outbound malware policy on the Cisco WSA to block malware uploads.

  • The Cisco WSA supports DLP servers. To integrate the Cisco WSA with an external DLP server, you need to configure a data security policy to manage data uploads to the web. Then enable external DLP policies to redirect outbound traffic to external servers for scanning. You can define an external DLP by navigating to Network > External DLP Servers and configuring the server by selecting the communication protocol (Internet Content Adaptation Protocol [ICAP] or Secure ICAP) and setting the service address, service URL, and load-balancing method. ICAP is a lightweight HTTP-like protocol that is used to forward web requests to external DLP servers or content scanners.
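The following is an added example, not Cisco WSA code or text from this book, showing what the ICAP exchange between a web proxy and an external DLP server looks like at the byte level: an outbound HTTP request is wrapped in an ICAP REQMOD message (RFC 3507), and the scanner’s status code is turned into an allow/block verdict. The scanner hostname, service URL, and the sample HTTP request are constructed placeholders.

```python
"""Build an ICAP REQMOD request for an external DLP scanner and interpret
the scanner's reply. Added example, not Cisco WSA code. The service URL,
host names, and sample request below are constructed placeholders."""

CRLF = b"\r\n"


def build_reqmod(service_url: str, http_request_line: str,
                 http_headers: dict, body: bytes) -> bytes:
    """Encapsulate an outbound HTTP request in an ICAP REQMOD message.

    The Encapsulated header gives the scanner the byte offset of each
    embedded section; a body, when present, is sent HTTP-chunked.
    """
    # The client's HTTP request headers, exactly as they would go upstream.
    req_hdr = (http_request_line + "\r\n").encode()
    for name, value in http_headers.items():
        req_hdr += f"{name}: {value}\r\n".encode()
    req_hdr += CRLF

    if body:
        encap = f"req-hdr=0, req-body={len(req_hdr)}"
        chunked = f"{len(body):x}\r\n".encode() + body + CRLF + b"0\r\n\r\n"
    else:
        encap = f"req-hdr=0, null-body={len(req_hdr)}"
        chunked = b""

    # ICAP requires a Host header naming the ICAP server (from the service URL).
    host = service_url.split("//", 1)[1].split("/", 1)[0]
    icap_hdr = (
        f"REQMOD {service_url} ICAP/1.0\r\n"
        f"Host: {host}\r\n"
        f"Encapsulated: {encap}\r\n"
        "\r\n"
    ).encode()
    return icap_hdr + req_hdr + chunked


def parse_icap_status(response: bytes) -> tuple:
    """Return (status_code, verdict) from an ICAP response.

    204 means the scanner left the request unmodified (let it through);
    200 carries a modified request or a replacement response, which a DLP
    server uses to block the upload (for example, with a block page).
    """
    status_line = response.split(CRLF, 1)[0].decode()
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("ICAP/"):
        raise ValueError(f"not an ICAP response: {status_line!r}")
    code = int(parts[1])
    verdict = {204: "allow-unmodified", 200: "modified-or-blocked"}.get(code, "error")
    return code, verdict


if __name__ == "__main__":
    # Constructed sample: a form upload carrying something that looks like an SSN.
    msg = build_reqmod("icap://dlp.example.net/reqmod", "POST /upload HTTP/1.1",
                       {"Host": "files.example.net", "Content-Length": "15"},
                       b"ssn=123-45-6789")
    print(msg.decode())
    print(parse_icap_status(b"ICAP/1.0 204 No Content\r\n\r\n"))
```

The proxy sends the wrapped request and waits for the scanner’s verdict before forwarding anything upstream, which is why the page describes ICAP as “HTTP-like”: the encapsulated sections are ordinary HTTP, and the ICAP layer only adds the method, the offsets, and the status code.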

Cisco WSA Reports

The Cisco WSA provides detailed reporting of all the web transactions, malware threats, URL categories, and many other web proxy transactions.

Figure 10-8 shows the Web Sites report (dashboard), which includes statistics about the top domains requested, top domains blocked, and several other statistics.


Figure 10-8 The Cisco WSA Web Sites report

Figure 10-9 shows the Users report (dashboard), including the transactions blocked for the top users and the top users based on bandwidth usage.


Figure 10-9 The Cisco WSA Users Report

The Cisco WSA can also provide reports about the top malware threats (files) monitored or blocked, as well as the trend of malware threat files detected, as shown in Figure 10-10. The report illustrated in Figure 10-10 also includes the top malware threat files by file type and the malware files by category.


Figure 10-10 The Cisco WSA Malware Threats Report

Figure 10-11 shows the URL categories report displaying the top URL categories (total transactions) and the total URL blocked and warned transactions sorted by category.


Figure 10-11 The Cisco WSA URL Categories Report

Cisco ESA

In Chapter 9, “Securing the Cloud,” you learned that the Cisco ESA can be deployed as a physical appliance, virtual appliance, or as a cloud service. In this section you will learn the details about the Cisco ESA acting as the email gateway to an organization, controlling the transfer of all email connections, accepting messages, and relaying messages to the appropriate email servers. As you probably already know, email transactions on the Internet use SMTP. The Cisco ESA can handle all SMTP connections for an organization acting as the SMTP gateway.


Reviewing a Few Email Concepts

You may already be familiar with email protocols and concepts. However, as a refresher, the following are some of the most important email concepts that you must be familiar with to understand how the Cisco ESA works:

  • Mail transfer agent (MTA): Most people refer to the MTA as the “mail server” (the entity responsible for transferring emails from a sender to the recipient).

  • Mail delivery agent (MDA): A component of an MTA responsible for the final delivery of an email message to a person’s inbox (mailbox).

  • Mail user agent (MUA): An email client or email reader installed on the user’s system (or mobile device).

  • Mail submission agent (MSA): A component of an MTA that accepts new mail messages from an MUA (using SMTP).

  • Internet Message Access Protocol (IMAP): An email client communication protocol that allows users to keep messages on the server. An IMAP-enabled MUA displays messages directly from the server. However, you can also download messages using IMAP for archiving purposes.

  • Post Office Protocol (POP): An application-layer protocol used by an email client to retrieve (download) email from a remote server.

A “mail server” goes by many names: an MTA, a mail router, a mail transport agent, or a mail exchanger (MX). DNS MX records are used to route mail traffic on the Internet. An MX record is a type of DNS resource record that specifies a mail server responsible for accepting email messages on behalf of a recipient’s domain; a preference value prioritizes delivery when multiple mail servers are available (the server with the lowest preference value is tried first). The set of MX records of a domain name specifies how email should be routed with SMTP. Example 10-11 shows the output of the Linux dig command displaying the DNS resolution of the domain h4cker.org. The highlighted lines are the MX records for the domain.

Example 10-11 An Example of DNS MX Records

$ dig h4cker.org MX
; <<>> DiG 9.10.6 <<>> h4cker.org MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;h4cker.org.             IN       MX

;; ANSWER SECTION:
h4cker.org.      3600    IN       MX    5 gmr-smtp-in.l.google.com.
h4cker.org.      3600    IN       MX    10 alt1.gmr-smtp-in.l.google.com.
h4cker.org.      3600    IN       MX    20 alt2.gmr-smtp-in.l.google.com.
h4cker.org.      3600    IN       MX    30 alt3.gmr-smtp-in.l.google.com.
h4cker.org.      3600    IN       MX    40 alt4.gmr-smtp-in.l.google.com.

;; Query time: 291 msec
;; SERVER: 192.168.88.1#53(192.168.88.1)
;; MSG SIZE  rcvd: 163
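The following is an added example, not part of the book or of any Cisco product, that parses the answer section of dig output such as Example 10-11 into MX records, orders them the way a sending MTA would try them (lowest preference first), and checks that the expected gateway is the first hop. The domain and host names in the embedded sample are constructed and mirror the shape of Example 10-11 rather than reproducing it.

```python
"""Parse MX records out of dig output and derive the SMTP delivery order.
Added example, not from the book or from Cisco. The sample output below is
constructed; the names are placeholders."""
import re

# Constructed excerpt of a dig answer section (same layout as Example 10-11).
DIG_OUTPUT = """\
;; ANSWER SECTION:
example.org.      3600    IN       MX    20 alt2.mx.example.net.
example.org.      3600    IN       MX    5 mx.example.net.
example.org.      3600    IN       MX    10 alt1.mx.example.net.

;; Query time: 291 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
"""

# owner  ttl  IN  MX  preference  exchange-host
MX_LINE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+MX\s+(?P<pref>\d+)\s+(?P<host>\S+)\s*$"
)


def parse_mx(dig_text):
    """Return [(preference, host, ttl), ...] sorted by preference.

    Only lines between ';; ANSWER SECTION:' and the next ';;' section
    header are considered; comments and blank lines are skipped.
    """
    records = []
    in_answer = False
    for raw in dig_text.splitlines():
        line = raw.rstrip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer and line.startswith(";;"):
            break  # reached the next section (Query time, SERVER, ...)
        if not in_answer or not line or line.startswith(";"):
            continue
        m = MX_LINE.match(line)
        if m:
            records.append((int(m["pref"]), m["host"].rstrip(".").lower(), int(m["ttl"])))
    return sorted(records)


def delivery_order(dig_text):
    """Hosts in the order a sending MTA tries them (lowest preference first)."""
    return [host for _, host, _ in parse_mx(dig_text)]


def first_hop_is(dig_text, expected_host):
    """True when the lowest-preference MX is the expected gateway (e.g. the ESA)."""
    order = delivery_order(dig_text)
    return bool(order) and order[0] == expected_host.rstrip(".").lower()


if __name__ == "__main__":
    for pref, host, ttl in parse_mx(DIG_OUTPUT):
        print(f"{pref:>3}  {host}  (ttl {ttl})")
    print("first hop is mx.example.net:", first_hop_is(DIG_OUTPUT, "mx.example.net."))
```

The same check applies to the deployment in the next section: when the Cisco ESA is meant to be the first hop for a domain, the lowest-preference MX for that domain must resolve to it.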

Cisco ESA Deployment

The Cisco ESA can be deployed in different ways. Similar to the Cisco WSA, the Cisco ESA can be deployed with a single physical interface to filter email to and from your mail servers or in a two-interface configuration. When you configure the Cisco ESA with two interfaces, one interface is used for email transfers to and from the Internet and the other interface is used for email transfers to and from the internal servers.

Cisco ESA deployments are fairly straightforward. The Cisco ESA acts as a mail transfer agent. The Cisco ESA is the destination of the public MX records. In other words, the MX records of the underlying domain should point to the Cisco ESA’s public IP address. The Cisco ESA needs to be accessible through the public Internet and should be the first hop in the organization’s email infrastructure. Let’s take a look at the topology in Figure 10-12.


Figure 10-12 An Example of a Cisco ESA Deployment

The following are the steps illustrated in Figure 10-12:

  1. The email sender attempts to send an email to [email protected]. The email client sends the email to the “sending email server.”

  2. The sending mail server looks up the secretcorp.org MX record and receives the hostname of the Cisco ESA (mail.secretcorp.org). The sending email server also queries the DNS server for the IP address of mail.secretcorp.org.

  3. The sending mail server opens an SMTP connection with the Cisco ESA.

  4. The Cisco ESA inspects the email transaction and sends the mail to the internal mail server, if it conforms to the configured security policies and it is determined that the email is not malicious or spam.

  5. The email recipient’s client retrieves the email from the internal mail server by using IMAP or POP.


Cisco ESA Listeners

The Cisco ESA uses listeners to handle incoming SMTP connection requests. A listener defines the email-processing service configured on a Cisco ESA interface.

Cisco ESA listeners apply to email entering the appliance from either the Internet (public listeners) or internal systems (private listeners), as demonstrated in Figure 10-13.


Figure 10-13 Cisco ESA Listeners

SenderBase


The Cisco ESA and Cisco WSA are products that evolved from a company that Cisco acquired called IronPort. IronPort’s SenderBase (now Cisco SenderBase) is a reputation service that enables you to control the messages that come through the Cisco ESA email gateway based on the senders’ trustworthiness (reputation). When the Cisco ESA receives messages from known or highly reputable senders, it delivers them directly to the end user without any content scanning. However, when the Cisco ESA receives email messages from unknown or less reputable senders, it performs antispam and antivirus scanning. The Cisco ESA uses a reputation score that ranges from –10 to +10.

Tip

Cisco partnered with antivirus companies such as McAfee and Sophos to provide network antivirus scanning capabilities on the Cisco ESA.

The Cisco ESA has the concept of outbreak filters. Outbreak filters are enabled by default and provide a dynamic quarantine (also called a DELAY quarantine). The Cisco ESA can continue to hold suspicious messages in this quarantine or release them back through antivirus and Advanced Malware Protection (AMP) for additional scans.

Tip

These outbreak filters offer a significant catch rate for outbreaks over traditional solutions, since they provide the “human” element after signature, heuristics, and hash-based scanning. It has been proven that outbreak filters deliver more than nine hours of lead time over antivirus engines for zero-day outbreaks.


The Recipient Access Table (RAT)

The recipient access table (RAT), not to be confused with remote-access Trojan (also RAT), is a Cisco ESA term that defines which recipients are accepted by a public listener.

Tip

At a minimum, RAT stipulates the listener address and whether to accept or reject it. For instance, a Cisco ESA might accept mail from secretcorp.com or secretcorp.org.


Cisco ESA Data Loss Prevention

The Cisco ESA has a DLP feature that allows you to secure your sensitive, proprietary information and intellectual property, preventing this data from leaving your network (maliciously or unintentionally).

Tip

You can specify the types of data your users are not allowed to send via email by creating DLP policies to scan outgoing messages.

The Cisco ESA’s mail policy is a set of rules that specify the types of suspect, sensitive, or malicious content you might not want entering or leaving your network, such as the following:

  • Marketing messages

  • Spam

  • Graymail

  • Malware

  • Phishing, spear phishing, whaling, and other targeted email-based attacks

  • Confidential data

  • Personally identifiable information (PII)


SMTP Authentication and Encryption

Sender Policy Framework (SPF) enables recipients to verify the sender’s IP addresses by looking up DNS records that list authorized mail gateways for a particular domain. SPF is an industry standard defined in RFC 4408. SPF uses DNS TXT resource records. The Cisco ESA supports SPF to verify HELO/EHLO and MAIL FROM identity (FQDN). When you enable SPF, the Cisco ESA adds headers in the message, allowing you to obtain additional intelligence on the email sender. One challenge is that the effectiveness of SPF implementations is based on participation. Also, you need to invest time to make sure SPF records are up to date. Many organizations implement SPF because some of the most prevalent email providers nowadays do not accept mail without SPF records.

Tip

Some organizations go to the extent of not allowing any emails that do not have an SPF record. Doing so will block more spam emails; however, some legitimate mail might also be dropped if the sending entity hasn’t configured SPF correctly.
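The following is an added example, not Cisco ESA code or text from this book, that walks through what an SPF check actually does on the receiving side: fetch the domain’s v=spf1 TXT record, walk its mechanisms, and return pass, fail, softfail, neutral, or none for the connecting IP address. DNS is replaced by a constructed in-memory table so it runs offline; the domains, addresses, and records are placeholders. It implements the ip4, ip6, include, and all mechanisms only (no a, mx, ptr, or exists), which is enough to show both the include chain and the “no SPF record at all” case the tip above describes.

```python
"""Minimal SPF evaluator (ip4/ip6/include/all mechanisms only).
Added example, not Cisco ESA code. DNS is simulated by DNS_TXT; every
domain, address, and record in it is constructed."""
import ipaddress

# Constructed stand-in for DNS TXT lookups.
DNS_TXT = {
    "secretcorp.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF record, or None when it publishes none."""
    txt = DNS_TXT.get(domain.lower())
    if txt and txt.lower().startswith("v=spf1"):
        return txt
    return None


def check_spf(sender_ip, domain, _depth=0):
    """Evaluate domain's SPF record against the connecting IP.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none', or 'permerror'.
    """
    if _depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include, ...) at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"  # the sender's domain has no SPF policy
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:  # skip the 'v=spf1' version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        mech = mech.lower()

        if mech == "all":
            return result  # catch-all: decides what happens to everyone else
        if mech in ("ip4", "ip6"):
            try:
                # An IPv4 address is never inside an IPv6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return result
            except ValueError:
                return "permerror"  # malformed address or prefix in the record
        elif mech == "include":
            # include matches only when the referenced domain's policy passes.
            if check_spf(sender_ip, arg, _depth + 1) == "pass":
                return result
        else:
            return "permerror"  # mechanism not implemented in this example
    return "neutral"  # no mechanism matched and no 'all' term present


if __name__ == "__main__":
    for ip in ("203.0.113.25", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, check_spf(ip, "secretcorp.example"))
    print("no-spf.example ->", check_spf("192.0.2.1", "no-spf.example"))
```

A “none” result is what the tip above is about: a receiver that rejects on “none” drops every sender whose domain never published a record, while a receiver that rejects only on “fail” still lets through senders that simply have not deployed SPF.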


Domain Keys Identified Mail (DKIM)

DKIM is an industry standard defined in RFC 5585. DKIM provides a means for gateway-based cryptographic signing of outgoing messages: the sending gateway embeds a signature in an email header, and recipients use it to verify the integrity of the message.

DKIM uses DNS TXT records to publish public keys.

Note

A few additional specifications related to DKIM exist. RFC 6376 introduces DKIM signatures, RFC 5863 provides information on DKIM development, deployment, and operation, and RFC 5617 addresses Author Domain Signing Practices (ADSP).

You configure SPF and DKIM verification in mail flow policies (by navigating to Mail Policies > Mail Flow Policy).
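The following is an added example, not Cisco ESA code or text from this book, showing the first two things a verifier does with a DKIM-Signature header before it ever touches the RSA signature: it parses the tag=value list, derives the name of the DNS TXT record that publishes the signer’s public key (the s= selector under _domainkey in the d= domain), and recomputes the body hash (bh=) using the “simple” body canonicalization of RFC 6376. The sample header, domain, selector, and key record are constructed placeholders; the b= value is not a real signature and is not checked here.

```python
"""Parse a DKIM-Signature header, locate the public-key TXT record, and
verify the body hash (bh=). Added example, not Cisco ESA code; the header,
domain, selector, and key record used below are constructed placeholders."""
import base64
import hashlib
import re


def parse_dkim_signature(header_value):
    """Split 'v=1; a=rsa-sha256; ...' into a dict. Folding whitespace is dropped."""
    tags = {}
    for part in header_value.replace("\r\n", "").replace("\n", "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # b= and bh= may be folded
    return tags


def dkim_txt_name(tags):
    """DNS name that holds the signer's public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_dkim_key_record(txt):
    """Parse the published key record, e.g. 'v=DKIM1; k=rsa; p=<base64 key>'."""
    rec = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            rec[key.strip()] = value.strip()
    return rec


def simple_body_canon(body):
    """RFC 6376 'simple' body canonicalization.

    Normalize line endings to CRLF, remove all trailing empty lines, and
    make sure the body ends with exactly one CRLF (an empty body becomes CRLF).
    """
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(simple_body_canon(body).encode()).digest()
    return base64.b64encode(digest).decode()


def body_hash_matches(tags, body):
    """True/False when bh= can be checked; None for algorithms or
    canonicalizations this example does not implement."""
    algorithm = tags.get("a", "").lower()
    canon = tags.get("c", "simple/simple").lower().split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"
    if not algorithm.endswith("sha256") or body_canon != "simple":
        return None
    return body_hash(body) == tags.get("bh")


if __name__ == "__main__":
    body = "Hello,\n\nquarterly numbers attached.\n\n\n"
    # Constructed header; b= is a placeholder, not a real signature.
    sig = ("v=1; a=rsa-sha256; c=relaxed/simple; d=secretcorp.example; s=sel2024;\r\n"
           f" h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")
    tags = parse_dkim_signature(sig)
    print("key record:", dkim_txt_name(tags))
    print("body hash ok:", body_hash_matches(tags, body))
    print("tampered body ok:", body_hash_matches(tags, body + "P.S. wire the funds.\n"))
```

A body-hash mismatch is the cheapest DKIM failure to detect and the one that appears when a message was modified in transit (or by a relay that rewrites bodies), so it is worth checking before spending a DNS lookup and a signature verification on the message.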


Cisco Content Security Management Appliance (SMA)

The Cisco Content SMA provides centralized management and monitoring (reporting) of Cisco WSAs and Cisco ESAs. The Cisco SMA simplifies the planning and administration of Cisco ESA and Cisco WSA deployments. In Figure 10-14, a Cisco SMA is deployed to manage and monitor two Cisco ESAs and three Cisco WSAs.


Figure 10-14 Cisco SMA Managing Cisco ESAs and Cisco WSAs

The centralized configuration and management provided by the Cisco SMA in Figure 10-14 helps enforce acceptable-use policies consistently and enhances threat protection. In other words, centralized reporting and management help determine which users are in violation of acceptable-use policies.

Tip

In the Cisco SMA, data is aggregated from multiple Cisco ESAs, including data categorized by sender, recipient, message subject, and other parameters. Scanning results, such as spam and virus verdicts, are also displayed, as are policy violations.

Figure 10-15 shows the Cisco SMA Monitoring Mail Flow Summary dashboard for Email Security. There you can see the number of attempted incoming email messages along with the email messages that were categorized as security threats.


Figure 10-15 Cisco SMA Mail Flow Summary

Similarly, Figure 10-16 shows the number of outgoing email messages processed along with the email messages that were categorized as “clean” and other outgoing email statistics.


Figure 10-16 Cisco SMA Outgoing Email Statistics

Figure 10-17 shows the Advanced Malware Protection (AMP) summary dashboard for incoming files within email messages. Statistics about the disposition of each file are displayed, including clean, unknown, unscannable, low risk, and malicious. The malicious category is further decomposed into malware, custom detection, and custom threshold.


Figure 10-17 Cisco SMA AMP Summary Dashboard for Incoming Email Messages

Figure 10-18 shows the AMP Reputation dashboard in the Cisco SMA. Keep in mind that these are statistics summarized from all managed Cisco ESA appliances (physical or virtual).


Figure 10-18 Cisco SMA AMP Reputation Dashboard

Figure 10-19 shows the Cisco SMA AMP File Analysis dashboard. The dashboard shows the time and verdict (or interim verdict) for each file sent for analysis. Each managed Cisco ESA checks for analysis results every 30 minutes. You can also export the data as a .csv file to view more than 1000 File Analysis results.


Figure 10-19 Cisco SMA AMP File Analysis Dashboard

As you learned earlier in this chapter, the Cisco ESA and Cisco WSA can integrate with the Cisco AMP Threat Grid cloud and on-premises appliances. Files that are whitelisted on the AMP Threat Grid appliance show as “clean.” You can drill down to view detailed analysis results, including the threat characteristics for each file.

Tip

You can also search for additional information about an SHA value, or you can click the link at the bottom of the File Analysis details page to view additional details on the server that analyzed the file. If a file extracted from a compressed or archived file is sent for analysis, only the SHA value of the extracted file is included in the File Analysis report.

You can use the File Analysis view of the AMP dashboard to view the following:

  • The number of incoming and outgoing files that are uploaded for file analysis by the File Analysis service of the Advanced Malware Protection engine

  • A list of incoming and outgoing files that have completed File Analysis requests

  • A list of incoming and outgoing files that have pending File Analysis requests

The File Retrospection dashboard (shown in Figure 10-20) lists the files processed by the managed Cisco ESAs for which the verdict has changed since the message was received. Because Advanced Malware Protection is focused on targeted and zero-day threats, threat verdicts can change as aggregated data might reveal more information.


Figure 10-20 Cisco SMA File Retrospection Dashboard

Figure 10-21 shows the DLP Incident Summary dashboard, which includes the incidents of DLP policy violations occurring in outgoing mail. As discussed earlier in this chapter, the Cisco ESA uses DLP email policies enabled in the Outgoing Mail Policies table to detect sensitive data sent by your users. Every occurrence of an outgoing message violating a DLP policy is reported as an incident.


Figure 10-21 DLP Incident Summary Dashboard

You can use the DLP Incident Summary report to see what type of sensitive data your users are sending and how severe the resulting DLP incidents are. You can also see how many of these messages are delivered or dropped, and who is sending them.

The DLP Incident Summary page contains two main sections:

  • The DLP Incident Trend graphs summarizing the top DLP incidents by severity (Low, Medium, High, Critical) and policy matches

  • The DLP Incident Details listing

Exam Preparation Tasks

As mentioned in the section “How to Use This Book” in the Introduction, you have a couple of choices for exam preparation: the exercises here, Chapter 12, “Final Preparation,” and the exam simulation questions in the Pearson Test Prep Software Online.

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topic icon in the outer margin of the page. Table 10-2 lists these key topics and the page numbers on which each is found.

Table 10-2 Key Topics for Chapter 10

Key Topic Element   Description                                                                               Page Number
Section             Cisco Async Operating System (AsyncOS)                                                    604
List                Defining the different Cisco WSA feature engines                                          604
Section             The Cisco WSA Proxy                                                                       605
List                Listing the Cisco WSA deployment modes                                                    606
Section             Cisco WSA in Explicit Forward Mode                                                        606
Section             Cisco WSA in Transparent Mode                                                             608
Section             Deploying Web Proxy IP Spoofing                                                           614
Section             Configuring Policies in the Cisco WSA                                                     615
List                Listing the available schemes when using AD authentication (AD realm) in the Cisco WSA    615
List                Recognizing the different customization and configurations supported in the Cisco WSA    616
List                Reviewing email fundamentals                                                              619
Section             Cisco ESA Deployment                                                                      620
Section             Cisco ESA Listeners                                                                       621
Section             SenderBase                                                                                622
Section             The Recipient Access Table (RAT)                                                          622
Section             Cisco ESA Data Loss Prevention                                                            622
Section             SMTP Authentication and Encryption                                                        623
Section             Domain Keys Identified Mail (DKIM)                                                        623
Section             Cisco Content Security Management Appliance (SMA)                                         624

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

Domain Keys Identified Mail (DKIM)

Sender Policy Framework (SPF)

SenderBase

mail transfer agent (MTA)

mail delivery agent (MDA)

mail user agent (MUA)

Internet Message Access Protocol (IMAP)

Post Office Protocol (POP)

Mail Exchanger (MX) record

Web Proxy Auto-Discovery (WPAD) protocol

proxy auto-configuration (PAC) files

Web Cache Communication Protocol (WCCP)

Review Questions

1. You have been asked to configure the company’s network in a way that web traffic is redirected to a Cisco WSA in real time. You must pick a solution that has built-in load balancing, scaling, fault tolerance, and service-assurance (failsafe) mechanisms. Which of the following technologies and deployment modes can accomplish this task?

  1. Cisco WSA in explicit client mode with policy-based routing in Cisco routers

  2. Cisco WSA in explicit client mode with WCCP Cisco switches and firewalls

  3. Cisco WSA in transparent mode with WCCP enabled in Cisco switches and firewalls

  4. Cisco SMA using WCCP and policy-based routing to redirect traffic to the Cisco WSA

2. The Cisco WSA supports SOCKS proxy configurations. Which of the following is not true about Cisco WSA SOCKS proxy configurations?

  1. WCCP can be used to redirect traffic in explicit SOCKS proxy configuration mode.

  2. The SOCKS protocol (and consequently the Cisco WSA) only supports direct forward connections.

  3. The Cisco WSA does not forward traffic to any upstream proxies when configured as a SOCKS proxy.

  4. The Cisco WSA SOCKS proxy does not support scanning services, which are used by AVC, DLP, and malware detection.

3. You can advertise and configure clients with PAC settings by using Web Proxy Auto-Discovery (WPAD) protocol. WPAD uses the auto-detect proxy settings found in every modern web browser. Proxy server configurations can be provisioned to clients through which of the following options?

  1. DHCP option 252 with the URL as a string in the option

  2. DHCP option 252 with the IP address of the Cisco WSA as a string in the option

  3. DHCP option 110 with the IP address of the Cisco WSA as a string in the option

  4. DHCP option 110 with the URL as a string in the option

4. Which of the following can be used in transparent mode Cisco WSA deployments?

  1. Policy-based routing in Cisco routers

  2. WCCP in Cisco ASA and Cisco FTD devices

  3. WCCP in Cisco switches and routers

  4. All of these answers are correct.

5. The Cisco WSA provides different options for AD or LDAP realm (authentication). Which of the following is an available scheme when using AD authentication (AD realm)?

  1. Basic authentication via a web browser

  2. NTLMSSP

  3. Kerberos

  4. All of these answers are correct.

6. The Authentication Surrogates option in the Cisco WSA enables you to configure how web transactions will be associated with a user after the user has been successfully authenticated. Which of the following is not an option provided by the Cisco WSA?

  1. The IP address of the user

  2. Persistent cookies

  3. Session cookies

  4. The WCCP ID

7. Which of the following is an email client communication protocol that allows users to keep messages on the server?

  1. IMAP

  2. POP3

  3. SMTP

  4. None of these answers is correct.

8. Which of the following is a component of a mail transfer agent (MTA) responsible for the final delivery of an email message to a person’s inbox (mailbox)?

  1. Mail Submission Agent (MSA)

  2. Mail User Agent (MUA)

  3. Mail Delivery Agent (MDA)

  4. DKIM

9. Which of the following statements is not true?

  1. The Cisco ESA can be deployed with a single physical interface to filter email to and from your mail servers or in a two-interface configuration.

  2. The Cisco WSA can be deployed with a single physical interface to inspect web traffic or in a two-interface configuration.

  3. When you configure the Cisco ESA with two interfaces, one interface is used for email transfers to and from the Internet and the other interface is used for email transfers to and from the internal servers.

  4. The Cisco ESA can be deployed with a single physical interface to filter email to and from your mail servers or in a two-interface configuration. However, the Cisco WSA can only be deployed in a two-interface configuration.

10. Which of the following protocols is used by the Cisco ESA to verify HELO/EHLO and MAIL FROM identity (FQDN)? When you enable this protocol, the Cisco ESA adds headers in the message, allowing you to obtain additional intelligence on the email sender.

  1. Domain Keys Identified Mail (DKIM)

  2. SenderBase

  3. Sender Policy Framework (SPF)

  4. WCCP
