03-20-2015 12:21 AM
Hi ,
I am looking for the best security configuration for ESA for audit purposes. Can anyone help me out?
03-20-2015 10:46 AM
Now this depends, as each organization has different views and regulatory guidance based on the size and complexity of your environment. Much of this is in the first few planning phases of the admin guide of the ESA. It also depends on other objectives you wish to achieve. In this response I'm assuming a basic layout, with the limited information you provided.
The ESA can be configured in a few different ways. Think of the ESA as the firewall for your e-mail, and you can use an edge configuration. The benefits of this configuration are that it simplifies configuration of the firewall and better lays out how the ESA Ironport logically works for troubleshooting.
<Management Interface Optional> management network
<Interface 1> DMZ <limit incoming to ICMP/SMTP> <outgoing ICMP/DNS/SMTP>
<Interface 2> LAN <Limit to HTTP/HTTPS/SSH/LDAP/SMTP>
Some organizations do not like having edge servers on their network and do not want to implement a second DMZ. So they wish to keep it all on the DMZ. This is possible, but will require configuring a different port for SMTP such as 26 for your outgoing e-mail. This is so you can assign your outgoing listener to this port and leave the incoming port for SMTP 25 for the incoming e-mail.
<Interface 1> DMZ - rules are a little more intense as you will need to allow access for management and everything through this.
Now if you want to get into additional features:
- AMP
- AV Sophos/McAfee
- SPAM Filter Settings
- Content Filter
- Message Filter
- Outbreak
- SPF/DKIM/DMARC
- TLS/Email Encryption CRES
and so on....
Each of these features can take a lot of time to explain. I know Robert has a document he has been trying to share with us that has all the best settings to tweak.
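An added example, not part of the original post and not Cisco's own tooling: a small audit check that compares a firewall rule export against the two-interface layout described above. The port numbers are the standard well-known ones (an assumption), and the rule format and sample rules are constructed for illustration.

```python
# Added example: audit a firewall rule export against the two-interface layout above.
# Port numbers are the standard well-known ones (assumption); rules are constructed.
SERVICES = {("tcp", 25): "SMTP", ("udp", 53): "DNS", ("tcp", 53): "DNS",
            ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS",
            ("tcp", 22): "SSH", ("tcp", 389): "LDAP"}

# (interface, direction) -> services the post allows; "any" = no direction given.
POLICY = {
    ("dmz", "in"): {"ICMP", "SMTP"},
    ("dmz", "out"): {"ICMP", "DNS", "SMTP"},
    ("lan", "any"): {"HTTP", "HTTPS", "SSH", "LDAP", "SMTP"},
}

def classify(proto, port):
    """Map protocol/port to a service name, or None when it is not in SERVICES."""
    return "ICMP" if proto == "icmp" else SERVICES.get((proto, port))

def audit(rules):
    """Return (rule id, reason) for every permit rule outside the allow-list."""
    findings = []
    for r in rules:
        allowed = POLICY.get((r["iface"], r["dir"]), POLICY.get((r["iface"], "any")))
        svc = classify(r["proto"], r.get("port"))
        if allowed is None:
            findings.append((r["id"], f"interface {r['iface']} not in layout"))
        elif svc is None:
            findings.append((r["id"], f"unlisted service {r['proto']}/{r.get('port')}"))
        elif svc not in allowed:
            findings.append((r["id"], f"{svc} not allowed on {r['iface']}/{r['dir']}"))
    return findings

# Constructed sample permit rules (not from a real device).
SAMPLE_RULES = [
    {"id": 1, "iface": "dmz", "dir": "in", "proto": "tcp", "port": 25},
    {"id": 2, "iface": "dmz", "dir": "in", "proto": "tcp", "port": 22},
    {"id": 3, "iface": "dmz", "dir": "out", "proto": "udp", "port": 53},
    {"id": 4, "iface": "dmz", "dir": "in", "proto": "icmp"},
    {"id": 5, "iface": "lan", "dir": "in", "proto": "tcp", "port": 389},
    {"id": 6, "iface": "lan", "dir": "in", "proto": "tcp", "port": 23},
    {"id": 7, "iface": "dmz", "dir": "in", "proto": "udp", "port": 53},
]

if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {reason}")
```

Findings from a check like this give an auditor a concrete list of permit rules that go beyond the documented layout, each of which then needs either removal or a written justification.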
03-22-2015 05:18 PM
As Paul has provided, the 'best' configuration comes down to your network and business operational needs and topology deployed.
However, with the configuration, it is usually best to leave the figures at the defaults unless you need to customize otherwise.
03-27-2015 06:15 AM
This document is a bit basic but it's a good place to start. Basing an installation on documented design principles is often the best way to handle audits.
http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Aug2014/CVD-EmailSecurityUsingCiscoESADesignGuide-AUG14.pdf
Definitely leave most settings at the default until you have a specific reason to make a change. The defaults have been carefully chosen to be a good "average" setup.