The document discusses Cisco's Web Security Appliance (WSA) and Email Security Appliance (ESA). The WSA protects users from malicious websites and malware through web filtering and threat protection. It can operate in explicit or transparent proxy modes. The ESA protects organizations from email threats by controlling inbound/outbound email traffic and providing anti-spam, antivirus, and DLP filtering. It acts as the SMTP gateway and uses listeners and access control lists to manage mail flow. Both appliances provide detailed reporting on web and email traffic.

Uploaded by

Ahmed El kayal

SCOR

Content Security
Email and web protocols are the most popular protocols used by individuals and organizations.
Cisco acquired a company called IronPort that created the WSA and the ESA.
Both appliances run the Async Operating System (AsyncOS).
Cisco WSA (Web Security Appliance)
The WSA combines a web proxy, a threat analytics engine, an antimalware engine, policy management, and reporting in one device.
Its main use is to protect users from accessing malicious sites and from being infected by malware.
Application Visibility and Control (AVC):
- You can allow users to use social media sites like Twitter and Facebook and then block micro-applications within those social media sites (like Facebook games).
WSA supports different antivirus programs such as McAfee, Sophos, and Webroot.
WSA can redirect all outbound traffic to a third-party DLP system, allowing deep content inspection.
File sandboxing.
- The WSA has been integrated with the Cisco AMP and Cisco Threat Grid sandboxing capabilities.
- This allows for putting an unknown file in a sandbox to inspect its behavior.
The WSA can be deployed as a physical appliance or as a virtual machine running on VMware's ESX, KVM, or Microsoft's Hyper-V.
WSA physical and virtual appliance interface types:
M1
- Typically used for management.
- Can also carry data traffic (otherwise known as a one-armed interface configuration).
P1/P2
- These are typically the interfaces used for web proxy traffic (data interfaces).
- If you enable both the P1 and P2 interfaces, each must be connected to a different subnet.
T1/T2
- Typically used for Layer 4 traffic monitoring, listening on all TCP ports.
- They are not configured with an IP address because they are promiscuous monitoring ports.
The WSA can be deployed in two different modes:
Explicit forward mode
- The client is configured to explicitly use the proxy.
- You must configure each client to send its traffic to the Cisco WSA.
- You can also push the client's proxy settings using DHCP or DNS, using proxy auto-configuration (PAC) files, or with Microsoft Group Policy Objects (GPOs).
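The PAC file is the part of explicit forward mode that administrators actually write, so here is one as an added example (it is not from these notes or from Cisco). The browser calls FindProxyForURL for every request; the WSA host name wsa.example.com, the LAN range 10.0.0.0/8 and the internal domain corp.example.com are placeholder assumptions, and 3128 is the WSA's default explicit proxy port. The helper functions named like the PAC built-ins are shims so the file can also be run under Node.js.

```javascript
// Added example (not from the original notes): a proxy auto-configuration
// (PAC) file for explicit forward mode. The browser calls
// FindProxyForURL(url, host) for every request and obeys the returned string.
// Assumed placeholders: the WSA is wsa.example.com on port 3128 (the WSA's
// default explicit proxy port), the LAN is 10.0.0.0/8 and the internal
// domain is corp.example.com.

// Browsers provide these PAC helper functions natively; the shims below
// reproduce them so the file can also be exercised under Node.js.
function isPlainHostName(host) { return host.indexOf('.') === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function isInNet(ip, net, mask) {
  const toInt = (s) => s.split('.').reduce((a, o) => ((a << 8) + Number(o)) >>> 0, 0);
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}
// Not a PAC built-in: a small helper to spot literal IPv4 hosts.
function looksLikeIpv4(host) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(host); }

function FindProxyForURL(url, host) {
  // Bare host names and the internal domain stay on the LAN, unproxied.
  if (isPlainHostName(host) || dnsDomainIs(host, '.corp.example.com')) {
    return 'DIRECT';
  }
  // Literal private addresses also bypass the proxy.
  if (looksLikeIpv4(host) && isInNet(host, '10.0.0.0', '255.0.0.0')) {
    return 'DIRECT';
  }
  // Everything else is Internet web traffic for the WSA. The "; DIRECT"
  // fallback keeps browsing working if the proxy is unreachable, at the
  // cost of bypassing filtering; remove it to fail closed.
  return 'PROXY wsa.example.com:3128; DIRECT';
}
```

The fallback at the end is the design decision worth thinking about: "PROXY ...; DIRECT" favours availability, while "PROXY ..." alone means no web access when the WSA is down but also no way around the filtering.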

SCOR Page
Transparent mode
- Clients do not know there is a proxy deployed.
- Network infrastructure devices are configured to redirect web traffic to the Cisco WSA.
- The redirection can be done with policy-based routing (PBR) or with the WCCP protocol.

Configuring WCCP on the ASA.

Note:
The only topology the ASA supports is one where the client and the cache engine (WSA) are behind the same ASA interface, and the cache engine can communicate with the client directly without going through the ASA.
To define the content engine devices that traffic will be sent to:

ciscoasa(config)# access-list wsa permit ip host any
ciscoasa(config)# access-list wsa permit ip host any
ciscoasa(config)# access-list localnet permit tcp any any eq
ciscoasa(config)# access-list localnet permit tcp any any eq
ciscoasa(config)# wccp web-cache| group-list wsa redirect-list localnet
ciscoasa(config)# wccp interface inside web-cache| redirect in
In ASDM: Configuration, Device Management, Advanced, WCCP, Service Groups, Add; enter the dynamic service number.
Under Redirect List, select which traffic will be redirected: Manage, Add ACL (give the ACL a name), then Add ACE to define traffic from the internal network destined to any host on the HTTP and HTTPS protocols.
If a password is configured on the WSA, type the password and then click OK.
To apply this redirection rule to an interface:
In ASDM: Configuration, Device Management, Advanced, WCCP, Redirection, Add; choose the interface and the service group, click OK, then Apply.

To turn on WCCP and define the service ID number (on an IOS router):

R(config)# ip wccp web-cache (if you want to redirect HTTP traffic only)
R(config)# ip wccp
On the inside interface that receives the clients' requests:
R(config-if)# ip wccp web-cache| redirect in
On the outside interface that forwards the clients' requests towards the content engines:
R(config-if)# ip wccp web-cache| redirect out
To define the content engine devices that traffic will be sent to:
R(config)# access-list permit host
R(config)# access-list permit host
R(config)# ip wccp web-cache| group-list
To define which clients' requests are redirected (traffic matching this ACL is redirected):
R(config)# access-list permit tcp any eq
R(config)# access-list permit tcp any eq
R(config)# ip wccp web-cache| redirect-list
To display WCCP information:
R# sh ip wccp web-cache

WCCP configuration on the WSA.

In the Network tab, go to Transparent Redirection and click Add Service.
Type a profile name.
Enter the dynamic service ID.
Port numbers:
Router IP address:
Enable security for the service, then type and confirm the password.
Submit, then Commit Changes.

Identification policies are configured to identify the users behind the web requests, instead of reporting based on the IP address alone.
The WSA can interact with LDAP or Active Directory authentication servers.
The WSA can be configured to authenticate users without prompting them for credentials (transparent identification).
You can also create an outbound malware policy on the Cisco WSA to block malware uploads.
The WSA provides detailed reporting of all web transactions, malware threats, URL categories, and many other web proxy statistics.

Cisco ESA (Email Security Appliance).
The ESA is a solution to control e-mail flow and protect against different e-mail attacks: an advanced solution for email security, protection and control.
The ESA services all SMTP connections by default, acting as the SMTP gateway.
It can service e-mail connections from the Internet to users inside your network, and vice versa.
Mail gateways are also known as mail exchangers (MX).
The gateway handles all e-mail connections, accepting messages and relaying them to the appropriate systems.

ESA Key Features:

Inbound e-mail control and rate-limiting.
- You can control which domains or sources your company receives mail from, and how much.
Outbound e-mail control and high-performance delivery.
- You can control mail sent from your network.
Email security (spam, viruses, malware, fraud, phishing and more).
Data Loss Prevention (DLP) and encryption.
- Looks for specific content that should be sent encrypted (for example, Visa card numbers) and encrypts it to prevent data loss.
Advanced filtering capabilities (by looking at the subject, the recipient, the body of the message, the attachment type, or a specific regular expression to filter messages).
The difference between the C and X models is performance (CPU, memory, and so on).

----------------------------------------------------------------------------------------------------------------------------

SMTP (Simple Mail Transfer Protocol).

- A TCP-based clear-text protocol used for e-mail transmission (TCP destination port 25).
- Originally defined in RFC 821 and later updated in RFC 5321 (which includes the ESMTP additions).
- The standard protocol for sending emails across the Internet.
- An SMTP server is also known as an MTA (Mail Transfer Agent); the user's client is the MUA (Mail User Agent).
- SMTP is never used to retrieve e-mails.
- POP (Post Office Protocol) and IMAP (Internet Message Access Protocol) are used instead.
- These protocols "pull" e-mails from an SMTP server.
How e-mail is sent from our local client to a recipient at an external domain:
- The client sends the message to the local MTA over SMTP.
- The server queries public DNS for the MX record of the destination domain.
- It then issues another DNS query for the A record of that domain's mail server.
- The message is then sent from our local mail server to the destination mail server's IP address over SMTP.

Message Structure.

Envelope.
- Processed by MTAs to deliver an e-mail; not visible to the user.
Data (visible to the user).
- Header.
- Body/message plus optional attachments.
Common Data Headers.
- From (sender's address): mandatory field.
- To: recipient's address.
- Date (timestamp): mandatory field.
- Subject: the subject of the message, if any.
- CC: "secondary" recipients.
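The envelope/data split above is easiest to see in the SMTP exchange itself, so here is a minimal receiver as an added example covering both the delivery flow and the message structure sections (it is not code from these notes or from Cisco). The client dialog, the addresses and the example.com / example.net domains are constructed; the envelopeHeaderMismatch check is an illustrative name, not an ESA feature.

```javascript
// Added example (not from the original notes): a minimal SMTP receiver that
// keeps the envelope (MAIL FROM / RCPT TO, what MTAs route on) separate from
// the data (headers + body, what the user sees), per the delivery flow and
// message structure above. The dialog and the example.* domains are constructed.

// "FROM:<alice@example.net>" -> "alice@example.net"; null if malformed.
function extractAddress(arg) {
  const m = /^(?:FROM|TO):\s*<([^<>@\s]+@[^<>@\s]+)>$/i.exec(arg);
  return m ? m[1].toLowerCase() : null;
}

class SmtpReceiver {
  constructor() {
    this.envelope = { mailFrom: null, rcptTo: [] };
    this.dataLines = null; // non-null only while inside DATA
    this.message = null;   // filled in once the "." terminator arrives
  }
  // Feed one client line (no CRLF). Returns the reply, or null while the
  // message data is being collected (the server is silent until the "." line).
  feed(line) {
    if (this.dataLines !== null) {
      if (line === '.') { this.finishData(); return '250 OK: queued'; }
      // Dot-stuffing: a leading ".." stands for a literal "." in the text.
      this.dataLines.push(line.startsWith('..') ? line.slice(1) : line);
      return null;
    }
    const verb = line.split(' ')[0].toUpperCase();
    const arg = line.slice(verb.length).trim();
    switch (verb) {
      case 'EHLO':
      case 'HELO': return `250 mx.example.com Hello ${arg}`;
      case 'MAIL': {
        const addr = extractAddress(arg);
        if (addr === null) return '501 Syntax: MAIL FROM:<address>';
        this.envelope.mailFrom = addr;
        return '250 OK';
      }
      case 'RCPT': {
        const addr = extractAddress(arg);
        if (addr === null) return '501 Syntax: RCPT TO:<address>';
        this.envelope.rcptTo.push(addr);
        return '250 OK';
      }
      case 'DATA':
        if (this.envelope.mailFrom === null || this.envelope.rcptTo.length === 0) return '503 Bad sequence of commands';
        this.dataLines = [];
        return '354 End data with <CR><LF>.<CR><LF>';
      case 'QUIT': return '221 Bye';
      default: return `500 Unrecognised command ${verb}`;
    }
  }
  // Split the collected data into headers (up to the first blank line) and body.
  finishData() {
    const headers = {};
    let i = 0;
    for (; i < this.dataLines.length && this.dataLines[i] !== ''; i++) {
      const m = /^([\w-]+):\s*(.*)$/.exec(this.dataLines[i]);
      if (m) headers[m[1].toLowerCase()] = m[2];
    }
    this.message = { envelope: this.envelope, headers, body: this.dataLines.slice(i + 1).join('\n') };
    this.dataLines = null;
  }
}

// Constructed client side of one transaction (the server replies are generated).
const SAMPLE_DIALOG = [
  'EHLO client.example.net',
  'MAIL FROM:<bulk@example.net>',
  'RCPT TO:<bob@example.com>',
  'DATA',
  'From: "CEO" <ceo@example.com>',   // header From differs from MAIL FROM
  'To: bob@example.com',
  'Date: Mon, 1 Jan 2024 09:00:00 +0000',
  'Subject: Urgent wire transfer',
  '',
  'Please handle this today.',
  '..this line really starts with a dot',
  '.',
  'QUIT',
];

function runDialog(lines) {
  const rx = new SmtpReceiver();
  const replies = [];
  for (const line of lines) { const r = rx.feed(line); if (r !== null) replies.push(r); }
  return { replies, message: rx.message };
}

// A header From that differs from the envelope sender is normal for mailing
// lists and forwarders, but it is also the basic shape of sender spoofing, so
// a gateway reports it rather than trusting the visible From line alone.
function envelopeHeaderMismatch(message) {
  const m = /<([^<>]+)>/.exec(message.headers.from || '');
  const headerFrom = (m ? m[1] : message.headers.from || '').toLowerCase();
  return headerFrom !== message.envelope.mailFrom;
}
```

Running runDialog(SAMPLE_DIALOG) shows the point of the two layers: the envelope sender is bulk@example.net, which is what the receiving MTA and its sender-group policy see, while the user's mail client only displays the From header, ceo@example.com.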

HAT (Host Access Table).

- Controls incoming connections to the listener.
- Defines which remote hosts are allowed to connect (send mail) to the listener, whether internal or external MTAs (the RAT, by contrast, covers only the internal/local domains).
- The ESA accepts outbound email based on the settings in the Host Access Table of the private listener.
- Senders can be grouped based on specific criteria.
- Actions such as reject or accept can be assigned to each sender group.

The HAT has predefined sender groups:
Relay list
- Contains the relay servers defined in the setup wizard; its mail flow policy is RELAYED, so mail from these servers is relayed.
White list
- Contains trusted mail servers; mail from these servers is always accepted.
- Content from these servers is not checked by anti-spam, but it is still checked by anti-virus.
Black list
- Contains untrusted mail servers; mail from these servers is always rejected.
Suspect list
- Uses the THROTTLED mail flow policy, which slows the rate of incoming mail.
- If a sender is suspicious, you can add it to this group (anti-spam and anti-virus remain enabled).
Unknown
All
RAT (Recipient Access Table)
- For inbound email only, the RAT lets you specify the list of all local domains for which the ESA will accept mail.

Listeners.
Public listeners.
- For e-mail coming in from the Internet.
- Receive connections from many external hosts and direct messages to a limited number of internal groupware servers.
- When using a single listener, the listener type should be public.
- Accept connections from external mail hosts based on the settings in the HAT.
- By default, the HAT is configured to ACCEPT connections from all external mail hosts.
- Accept incoming mail only if it is addressed to the local domains specified in the RAT.
- All other domains are rejected.
Private listeners.
- For e-mail coming from hosts in the corporate (inside) network.
- These e-mails typically come from internal groupware, Exchange, POP, or IMAP e-mail servers.
- Receive connections from a limited number of internal groupware servers and direct messages to many external mail hosts.
- Internal groupware servers are configured to route outgoing mail to the IronPort C- or X-Series appliance.

Listener properties:
- A specific interface on the Cisco ESA.
- The TCP port that will be used.
- Whether it is a public or a private listener.
- Which remote hosts can connect to the listener (specified by the administrator).
- The local domains for which public listeners accept messages.
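To make the HAT sender groups, their mail flow policies and the RAT concrete, here is a small model of a public listener's decision logic as an added example (not code from these notes or from Cisco). The sender group contents, the IP addresses, the partner.example reverse-DNS suffix, the RAT domains and the per-policy scan settings are all constructed placeholders, not a real ESA configuration; the policy names (RELAYED, TRUSTED, BLOCKED, THROTTLED, ACCEPTED) follow the predefined ESA policy names.

```javascript
// Added example (not from the original notes): a model of how an ESA public
// listener's Host Access Table (HAT) and Recipient Access Table (RAT) decide
// what to do with a connection. Sender groups are evaluated top to bottom; the
// first group with a matching entry wins and its mail flow policy supplies the
// action. Group contents, addresses and scan settings are constructed
// placeholders, not a real ESA configuration.

function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}

// One HAT entry is an exact IPv4, a CIDR block, or a domain suffix such as
// ".partner.example" matched against the connecting host's reverse DNS name.
function entryMatches(entry, host) {
  if (entry.startsWith('.')) return typeof host.rdns === 'string' && host.rdns.endsWith(entry);
  if (entry.includes('/')) {
    const [net, bits] = entry.split('/');
    const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
    return (ipToInt(host.ip) & mask) === (ipToInt(net) & mask);
  }
  return entry === host.ip;
}

// Mail flow policies: the connection action plus which scanners run.
const MAIL_FLOW_POLICIES = {
  RELAYED:   { action: 'RELAY',  antiSpam: false, antiVirus: true,  maxRcptPerHour: null },
  TRUSTED:   { action: 'ACCEPT', antiSpam: false, antiVirus: true,  maxRcptPerHour: null },
  BLOCKED:   { action: 'REJECT', antiSpam: false, antiVirus: false, maxRcptPerHour: 0 },
  THROTTLED: { action: 'ACCEPT', antiSpam: true,  antiVirus: true,  maxRcptPerHour: 20 },
  ACCEPTED:  { action: 'ACCEPT', antiSpam: true,  antiVirus: true,  maxRcptPerHour: 1000 },
};

// Ordered sender groups, mirroring the predefined ones; ALL is the catch-all.
const HAT = [
  { group: 'RELAYLIST',   policy: 'RELAYED',   entries: ['10.0.5.10'] },        // internal groupware server
  { group: 'WHITELIST',   policy: 'TRUSTED',   entries: ['.partner.example'] },
  { group: 'BLACKLIST',   policy: 'BLOCKED',   entries: ['203.0.113.0/24'] },
  { group: 'SUSPECTLIST', policy: 'THROTTLED', entries: ['198.51.100.7'] },
  { group: 'ALL',         policy: 'ACCEPTED',  entries: ['0.0.0.0/0'] },
];

// RAT: the local domains the public listener accepts mail for.
const RAT = new Set(['example.com', 'mail.example.com']);

// Resolve the connecting host to the policy of the first matching sender group.
function hatLookup(host, hat = HAT) {
  for (const sg of hat) {
    if (sg.entries.some((e) => entryMatches(e, host))) {
      return { group: sg.group, ...MAIL_FLOW_POLICIES[sg.policy] };
    }
  }
  throw new Error('HAT must end with a catch-all sender group');
}

// RCPT TO decision. RELAY hosts may send to any domain; every other accepted
// host may only deliver to RAT domains, otherwise the gateway is an open relay.
function rcptDecision(host, recipient, hat = HAT, rat = RAT) {
  const policy = hatLookup(host, hat);
  if (policy.action === 'REJECT') return '554 Access denied';
  if (policy.action === 'RELAY') return '250 OK';
  const domain = recipient.split('@')[1];
  return rat.has(domain) ? '250 OK' : '550 Relaying denied';
}
```

Two things the model makes visible: group order matters (a host that appears in both a trusted and a blocked entry gets whichever group is listed first), and a domain-suffix entry is only as trustworthy as the reverse DNS it is matched against, which is why the appliance verifies the name rather than taking the PTR record at face value.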

Cisco Content Security Management Appliance (SMA).
The SMA provides centralized management and monitoring (reporting) of Cisco WSAs and Cisco ESAs.
