With Woody Hardison
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn from Cisco expert Woody Hardison about the Cisco e-mail security appliance, configuration of the HAT, anti-spam, anti-virus and how to install and configure certificates. Woody Hardison is an Escalation Engineer at the Technical Assistance Center at Cisco's RTP campus in North Carolina. He has over 4 years' experience configuring and troubleshooting the Cisco IronPort Email Security Appliance. Woody is a Cisco IronPort Certified Security Professional.
Remember to use the rating system to let Woody know if you have received an adequate response.
Woody might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Ironport sub-community discussion forum shortly after the event. This event lasts through March 9, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
The 7.6 build is currently in what can be considered a 'First Customer Ship' phase. It has not yet been released for install by all appliances, but is considered a stable release. These builds are released to specific customers who have aligned with Cisco to deploy the software before General Availability. The build is considered stable, but these early adopters offer a chance for any last minute issues to be addressed, should any be found.
If, while running the 'upgrade' command, you see 7.6 as an option, upgrade at your leisure. For those who do not see this build available, take note that this is the final step before General Availability, which means 7.6 will be available in the near future.
7.6 is an exciting release, as it will be the first official ESA build with IPV6 support. Cisco's website contains the 7.6 release notes outlining what is new and what defects have been addressed:
Woody, I see the 7.6 release is available for my C670 appliances (production environment) but is not for my C650 appliances (test/pilot environment). By policy I need to install in test/pilot before production. I am really interested in this release and would like to have some idea when it might be available at the C650 level.
We'd be happy to help get your test boxes provisioned for the 7.6 release, if you'd like to test it out.
Since we'll need your appliance serial numbers, it would be best for you to open a standard support request to keep your information confidential.
Feel free to open a support request explaining that you'd like your test boxes be allowed to upgrade to 7.6. Include the serial numbers of the appliances in the request. Once the engineer processes your request, your appliances will automatically see the upgrade available via the 'upgrade' command in the CLI, or the upgrade page in the web interface.
Since you mentioned these are test boxes, I will mention the requirement listed on Page 4 of the 7.6 release notes:
"Starting in AsyncOS 7.6, an Email Security appliance requires an anti-spam system feature key in order to use the SenderBase Reputation Service."
So, you'd want to keep in mind that if your test boxes don't have current anti-spam keys, the SBRS system will not be available.
All that being said, as I mentioned in a previous post, the limited release is the last step before General Availability. We do not post time-frames for the GA release, in the event that any last minute issues need addressing. But, the release should be available in the very near future. Sorry for being so vague.
Thank you for your quick response, I will submit a support case to get the C650s added to the FCS of the 7.6 release. Test is kind of a misnomer for these appliances; they are fully functional with all the required feature keys, as they support our fully functional pilot environment and mirror our production implementation.
I've included my responses inline for easier reading:
1) Are SMTP TLS encryption and Cisco IronPort Email Encryption different ways to encrypt mail?
1A) Yes, they are different. SMTP TLS (Transport Layer Security) encryption is point-to-point encryption between two SMTP servers when transmitting messages. This is to protect from others 'eavesdropping' on the connection and intercepting the communication in plain text. The communicating servers identify themselves using digital certificates. The client may contact the server that issued the certificate (the trusted CA) and confirm the validity of the certificate before proceeding.
Cisco IronPort Email Encryption is a system which encrypts the message itself, using ARC4 or AES encryption. (ARC4 is the most common choice, it provides encryption with minimal decryption delays for message recipients.)
The encrypted message can then be transmitted through a standard SMTP connection, or via TLS connection.
When you configure an encryption profile, you specify the parameters for message encryption. For an encrypted message, the Email Security appliance creates and stores a message key on a local key server or on the hosted key service (Cisco Registered Envelope Service).
When a recipient opens an encrypted message in a browser, a password may be required to authenticate the recipient’s identity. The key server returns the encryption key associated with the message.
When opening an encrypted email message for the first time, the recipient is required to register with the key service to open the secure envelope. After registering, the recipient may be able to open encrypted messages without authenticating, depending on settings configured in the encryption profile. The encryption profile may specify that a password isn’t required, but certain features will be unavailable.
2) For IronPort Email Encryption I need a feature key, but for TLS encryption I do not. Is this correct?
2A) Correct. A feature key is required for Cisco IronPort Email Encryption. TLS is a standard mail transmission protocol and as such, is available for configuration within the appliance's settings.
3) How can I check, in version 6.5.3, how long my certificate for TLS encryption is valid?
3A) In version 6.5.3, the appliance uses one certificate for TLS and SSL (browser security), so the easiest way to check its expiration date is to connect to the Cisco IronPort's web interface, and use your browser to view the certificate the site uses. For instance, in my version of Firefox, I can click on the domain name beside the URL bar, choose 'More Information -> View Certificate' and the certificate details are shown. This includes the expiration date of the certificate. Directions for retrieving a certificate's information through other browsers should be readily available on the Internet.
You can also pull the certificate information from an openssl connection to your appliance and extract the expiration date. The following commands are generally available on a Linux/Unix box:
$ echo "" | openssl s_client -connect ironports_hostname:25 -starttls smtp > dump_certificate
$ openssl x509 -in dump_certificate -noout -enddate
notAfter=May 20 22:00:00 2019 GMT
(Substitute the hostname of your Cisco IronPort Email Security Appliance for ironports_hostname in the example.)
Hope that helps.
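The openssl check above can be turned into a small script that reports the expiry date and flags certificates that expire within a chosen window. The following is an added example, not part of the original thread; the hostname esa.example.test, the port and the temporary file names are assumptions, and the self-signed certificate it generates is a constructed sample so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the original thread): check when a TLS certificate
# expires, using openssl. The hostname, port and file names are assumptions.

# Fetch the certificate an SMTP server presents after STARTTLS and save it
# as PEM. Mirrors the thread's command; needs network access, so it is not
# called in the sample run below.
fetch_smtp_cert() {
    host="$1"; port="${2:-25}"; out="$3"
    echo "" | openssl s_client -connect "$host:$port" -starttls smtp 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Print the certificate's notAfter date (e.g. "May 20 22:00:00 2019 GMT").
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Print "yes" if the certificate expires within the next N days, else "no".
# openssl's -checkend exits 0 only if the certificate is still valid at
# that point in the future, 1 if it will have expired by then.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        echo no
    else
        echo yes
    fi
}

# Constructed sample input: a throwaway self-signed certificate valid for
# 30 days, so the checks below run without touching a real appliance.
WORK=$(mktemp -d)
SAMPLE_CERT="$WORK/cert.pem"
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=esa.example.test" \
    -keyout "$WORK/key.pem" -out "$SAMPLE_CERT" 2>/dev/null

echo "Sample certificate expires: $(cert_enddate "$SAMPLE_CERT")"
echo "Expires within 60 days? $(cert_expires_within "$SAMPLE_CERT" 60)"   # yes
echo "Expires within 7 days?  $(cert_expires_within "$SAMPLE_CERT" 7)"    # no
```

Against a real appliance you would call fetch_smtp_cert with the ESA's hostname and then run cert_expires_within on the saved file from a cron job, so a certificate that is about to lapse is noticed before sending servers start refusing the TLS handshake.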
Directory Harvest Attacks, sometimes called 'dictionary attacks', are defined by the technique spammers use to try to determine valid email addresses on a mail domain.
Many spammers send emails to a high number of invalid addresses, so blocking senders who send to invalid recipients can also decrease spam.
Given that Directory Harvest Attack Prevention (DHAP) on the Cisco IronPort aborts the connection at the SMTP conversation phase, it is quite effective at preventing the attacker from reaching many valid usernames on your domain.
As a general rule, DHAP attacks are short-lived bursts of attempts to reach valid users. Given the nature of these attacks, and their (usual) brevity, I would recommend allowing the Cisco IronPort to handle the rejections for you. DHAP was designed to exclusively handle these types of attacks.
Good question. I'm assuming you'd like to block inbound messages from a particular sender.
Message filters will use the least amount of resources to block an email. This is basically due to the fact that message filters affect the message very early in the process of evaluation. Policies and content filters occur later in the process, triggering more actions before they are reached, and therefore will use more resources.
That being said, if you find yourself wanting to block several senders and find you are adding more and more individual message filters, you'd be counteracting their advantage. Also, this can become unwieldy, as it's harder to manage than a list of "bad senders" which can be managed centrally.
That's a situation where you would want to consider using a dictionary to store the list of sender addresses, where you can add and subtract them as needed in one central file.
Cisco's Knowledge Base contains an existing article describing how to do just that, and I encourage you to read it to see if it meets your needs:
For examples and syntax of message filters, you can access the Cisco IronPort's online help from the appliance's web interface through the link: 'Help and Support -> Online Help'
Use the Search box in the online help to search for 'message filters', then scroll down to the section 'Advanced Configuration Guide'. There are several sections dedicated to message filters.
Hope that helps,
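To illustrate the contrast drawn above between a per-sender filter and a centrally managed list, here are two message filters in AsyncOS message filter syntax. These are an added example, not filters from the thread or from Cisco's knowledge base article; the filter names, the sender address and the dictionary name BadSenders (assumed to have been created beforehand under the appliance's dictionaries with the sender address patterns as its terms) are all assumptions.

```text
blockOneSender:
    if (mail-from == "^spammer@example\\.com$")
    {
        drop();
    }

blockListedSenders:
    if (mail-from-dictionary-match("BadSenders"))
    {
        drop();
    }
```

The first form needs a new filter for every address, which is the unwieldy case the answer warns about. The second form keeps one filter and moves the list into the dictionary, so adding or removing a sender is a dictionary edit rather than a filter change. Both still act early in the pipeline, before policies and content filters, which is where the resource advantage of message filters comes from.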
We have been running the Ironport C370 for over 1 year now and would like to say they are the best product that I have used. Very easy to maintain and very good at what they do.
With that being said, I want to see what I can do to increase the amount of Spam that I'm currently blocking. On average, we are blocking about 91% of the Spam at our Gateways. I would like to see about trying to increase this by at least 1 to 2%. Currently we are setup as follows:
Blacklist: -10 to -2
Suspectlist: -2 to 0
Unknownlist: 0 to 7.5
Whitelist: 7.5 to 10
Any Positively-Identified Spam is dropped. Any Suspected Spam is sent to Quarantine. Our Spam Thresholds are:
Positively Identified Spam Score > 74
Suspected Spam Score > 36
What can I adjust to try to block the most Spam possible?
Hi Woody, very interesting discussion!
I've got a question regarding the cipher use for TLS. We have currently configured our SSL for AES256-SHA:AES128-SHA:RC4-SHA:RC4-MD5 ciphers. However it seems that there are a lot more available for IronPorts. What do you recommend in terms of choice for the ciphers, and what are the consequences of this choice, especially in terms of performance (obviously I don't want to enter the whole list of available ciphers if there is a risk of increasing the latency)? Please note also that we can't add :ALL at the end of the cipher list for security policy reasons.