Re: Email Security Appliance- AMA

Cisco Moderador · ‎09-23-2020

This topic is a chance to clarify your questions about Cisco Email Security Appliance (ESA) solutions

To participate in this event, please use the button below to ask your questions

Ask questions from Wednesday, September 23 to Friday, October 02, 2020

Clear up all your Email Security Appliance doubts. Questions related to Security are welcome.

Email threats continue to present security challenges for all organizations. Cisco Email Security Appliance (ESA) is an email security gateway introduced by Cisco to provide a solution to these difficult challenges. Protect your email against today's threats and vulnerabilities, including: spam, phishing, compromised business email (BEC), malware, data loss, and ransomware, as well as the option to encrypt your most important information. And with the new normal, data is considered the most important asset of a company and a person, therefore a broad understanding of the ESA pipeline will provide us with the skills and tools to know how our email is processed and what they are the best setup practices.

Featured Experts

Erika Valverde studied Communications and Electronics with a specialization in Control and Automation at the Instituto Politécnico Nacional (IPN) in Mexico City. She is currently an engineer at Cisco TAC. He has been working with security for 3 years and has the current CCNP Security certification among other related courses such as python, linux, virtualization, etc. She works on automation, content publishing, documentation and video initiatives for ESA technology. Among other things, she is vice president of public relations (PR) for the Cisco Toastmasters Club. She enjoys playing chess and finds the joy of working as a team.

For more information, visit the Email Security category.

Find further events on https://community.cisco.com/t5/custom/page/page-id/Events?categoryId=technology-support

Do you know you can get answers before opening a TAC case by visiting the Cisco Community?

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

Cisco Moderador · ‎09-23-2020

What do Active Recipients mean?

Note: This question is a translation of a post originally generated in Spanish by Didier M. It has been translated by the Cisco Community to share the question and solution in different languages.

ervalver · ‎09-24-2020

Hi Didier,

The active recipients option within the ESA allows you to view the message queue by delivery hosts, that is, it will give you an overview of the messages waiting to be delivered by domain. This information can be accessed through the CLI connection, with the command: tophost> active recipients.

The tophost command is quite useful, since it will allow you to review, in addition to the messages that are pending to be delivered (Active recipients), the domains that are unreachable or down.

Hope this information is helpful. I share the link with information regarding email delivery, verification and monitoring:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118424-technote-esa-00.html

Regards

Cisco Moderador · ‎09-23-2020

Hi Erika,

How can I protect myself from attacks on my domain?

Thank you!

Regards,

Note: This question is a translation of a post originally generated in French by Nono82. It has been translated by the Cisco Community to share the question and solution in different languages.

ervalver · ‎09-24-2020

Hello,

Excellent question, Cisco ESA offers a layered protection model, which allows us to protect our domain from various types of attacks. I would like to divide the answer as follows:

1- SMTP Server- Cisco ESA protects us against

-DoS attack

-Directory Harvest attack

-IPs & Fictitious or disreputable domains

-Phishing & spoofing (DMARC, DKIM and SPF)

2-Mail processing (workqueue) - ESA engines perform a verification of the content of the mail, from the headers, attachments, and the body / content of the mail. (Antispam, AntiVirus, Graymail detection, Content filters, Data Loss prevention for outgoing emails, Outbreak filters)

3- SMTP Client - At this point we find the dkim signatures, email encryption for sensitive data, and limits for outgoing emails.

Hope this information is helpful. Remember that the ESA offers information and domain protection for incoming and outgoing mail. I share the configuration guide in the current version of the equipment:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1.html

Regards,

Cisco Moderador · ‎09-23-2020

Is there something in the ESA configuration that helps us manage and control the attachments with internal URLs?

Note: This question is a translation of a post originally generated in Portuguese by Olipo. It has been translated by the Cisco Community to share the question and solution in different languages.

ervalver · ‎09-23-2020

Hello,

In short, Cisco ESA provides us with a very useful function called "URL filtering". It is activated from: ESA -> Security Services -> URL Filtering

And for its proper functioning it requires the activation of Outbreak filters: Security Services -> Outbreak Filters

The URL filtering function is very extensive, it allows you to validate the URLs that have been entered in each email, know which are the URLs that have been clicked by user and make a scan of these in the body of the email as well as in email attachments.

As of ESA version 11.1 URL scanning in attachments is available. You can configure your device to search for URLs in message attachments and perform configured actions on those messages.

I share two links that may be useful for the configuration of this feature:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-5-1/user_guide/b_ESA_Admin_Guide_13-5-1/b_ESA_Admin_Guide_12_1_chapter_01000.html#id_87550

URL Defense Guide (cisco.com)

Regards

Cisco Moderador · ‎09-23-2020

Hello
I have a query, I have a WSA (Web Security Appliance) which I have activated because it was completely deactivated, I already configured the administration part of the device, etc. I suffered a lot in the part of the wccp but it is already configured only with a problem, when I configure the wccp with ports 80 and 443 for an ID 90 and then the web proxy with the same ports all the traffic reaches the WSA but does not go to the internet , that is, the users of my LAN surf the web but do not have answers from the pages, to fix that configure the part of the https proxy server in which I had to place an auto-generated certificate and with that configuration the users could already access the web pages but with a detail, the pages are shown as unsafe, bone manually, they have to place advanced settings and enter anyway so that the web page just opens but not in all the pages, but in most, my first query Is it can be configured without using the https proxy server so that all the navigation of the web pages comes out normally? In case you have to use the https proxy server configuration, is the issue that some pages appear to me that they are not secure is a problem because of my certificate that is autogenerated? I have to buy a certificate? Or is it a configuration x there of the threshold or something like that that is making some pages come out safe and others not?
Note: the pages that are not secure are completely secure pages, from a couple of newspapers in my country, from some pages from national institutions in my country, something that in any browser would have no problem.

Note: This question is a translation of a post originally generated in Spanish by GandhyFlores It has been translated by the Cisco Community to share the question and solution in different languages.

ervalver · ‎09-23-2020

Hi Gandhy,
Generating a certificate generally means that the client's browser will complain about the certificate for every connection to an HTTPS website. To avoid this, you can upload a certificate file and its corresponding private key file to the device if you have a certificate that is trusted by your organization. If users already have this certificate loaded on their machines, the HTTPS proxy will not generate errors related to UnknownCertificate Authority.
As a second option, instead of adding a company root certificate to the WSA, another option is to inform users in the organization to accept the root certificate provided by the WSA as a trusted source.
I share a Best practices guide for the product, hoping they will be useful for you:
https://www.cisco.com/c/en/us/products/collateral/security/web-security-appliance/guide-c07-742373.html#_Toc10022545
Regards

Cisco Moderador · ‎09-23-2020

Hello, thank you very much for your answer, I still have some doubts, when you tell me ... you can upload a certificate file and its corresponding private key file on the device if you have a certificate that is trusted by your organization ... you mean a private certificate (bought) that my organization buys a certificate and the certificate to place it in the WSA? If so, is there any way that my LAN users no longer see an unsecured page without having to buy a said certificate? any special policy? something in the settings?

Note: This question is a translation of a post originally generated in Spanish by GandhyFlores It has been translated by the Cisco Community to share the question and solution in different languages.

Cisco Moderador · ‎09-24-2020

Dear, I managed to solve my problem, the issue was going through the reputation part of the policies on the web, that's why the unsafe thing came out, the threshold was adjusted and the problem was fixed.

Thank you very much for your help.

Regards.

Note: This question is a translation of a post originally generated in Spanish by GandhyFlores It has been translated by the Cisco Community to share the question and solution in different languages.

ervalver · ‎09-28-2020

Thanks for bringing this question to our forum.

Greetings

Cisco Moderador · ‎09-24-2020

Hello,

Is the ESA able to verify and scan the files attached to an email that is compressed?

Note: This question is a translation of a post originally generated in Spanish by jossanc3. It has been translated by the Cisco Community to share the question and solution in different languages.

ervalver · ‎09-28-2020

Hello,

Thank you for your participation in this forum. I confirm that yes, the ESA is capable of verifying and scanning attached files. You can verify a zip, or a zip within another zip, etc. The antivirus component has an online decompressor to scan compressed files. As well as the content filters tool, which helps us analyze the content of the files which will take an action if they contain a file that matches the configured rule.

Hope this information is helpful.

I share the following links where you can find more information about it:

Virus Detection Engine:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_chapter_01011.html

Content Filter Actions:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-1/user_guide/b_ESA_Admin_Guide_12_1/b_ESA_Admin_Guide_12_1_chapter_01010.html

Regards,

Steflstefan · ‎09-25-2020

Hello,

what would you recommend to detect and reject/drop messages with envelope sender and/or from header contains cousin domain with homoglyph?
Sample: mydomain.com

Homoglyph: mýdomain.com (xn--mdomain-v2a.com)

Is it better to detect it by message filter or by content filter?
Should I use a dictionary or should the REGEX directly typed in the conditions?

Thanks Stefan