01-31-2021 09:53 PM
This event is a chance to review how customers of all sizes face the same daunting challenge: email is simultaneously the most important business communication tool and the leading attack vector for security breaches. Cisco Secure Email enables users to communicate securely and helps organizations combat Business Email Compromise (BEC), ransomware, advanced malware, phishing, spam, and data loss with a multilayered approach to security.
To participate in this event, please use the button below to ask your questions
Ask questions from Monday, February 1 to Friday, February 12, 2021
02-10-2021 03:33 PM
Hi Erica and Dennis,
Can you group two or more ESAs together to form a cluster?
Jackson
02-10-2021 05:30 PM
Hello,
You can certainly group multiple ESAs together to form a cluster; however, the one caveat to keep in mind is that the cluster functionality within AsyncOS does not have any type of built-in HA/DR capabilities. The only thing that the cluster is used for is sharing the configuration across multiple devices. Steps for forming and joining a cluster can be found here. From the CLI, you'll want to use clusterconfig > Create a new cluster to form a new cluster, and then clusterconfig > Join an existing cluster over SSH on other ESAs once the cluster has been formed.
Thanks!
-Dennis M.
02-10-2021 05:34 PM
02-12-2021 09:01 AM
Hi there,
By any chance do you have any best practice recommendations when setting up service "X"?
Oliver
02-12-2021 09:31 AM
Hello,
In general, the best practice settings are always going to be what comes configured by default on the ESA. Of course, the default settings may need to be tweaked depending on your company policies, and Cisco TAC is always available to help guide you through any changes.
Here are some of the available recommendations outside of the default configuration:
Thanks!
-Dennis M.
02-12-2021 09:17 AM
A question regarding encryption? We can help!
Find the following question from rolelael:
Does anyone know which encryption mechanism is being used to store the passwords for local users?
I got a question from audit about it. They need to know how the password is stored in the config etc. and with how many bits/hash it has been encrypted.
tx
02-12-2021 12:10 PM
Thanks for your question Rolelael,
The passwords are stored with the same algorithm internally as they are stored within an exported configuration file with passwords unmasked.
The method used is the UNIX crypt function:
http://en.wikipedia.org/wiki/Crypt_%28C%29#MD5-based_scheme
You can determine which algorithm a given password is stored in by looking at the '$x$' at the beginning of the password.
For example:
$1$ = MD5
$3$ = NT Hash
$5$ = SHA-256
I hope that helps!
Erica
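An added example (not part of the original reply and not Cisco code) that applies the prefix rule above to answer the audit question: it parses a crypt(3)-style string and reports scheme, digest size, rounds and salt length. It goes beyond the post by also handling `$6$` (SHA-512-crypt) and the optional `rounds=` field; the `WEAK` set and the sample strings are assumptions made for this example.

```python
import re

# id -> (name, digest bits, encoded digest length, default rounds)
# $1$, $3$ and $5$ are the prefixes named in the post; $6$ is added here.
SCHEMES = {
    "1": ("MD5-crypt", 128, 22, 1000),
    "3": ("NT hash (MD4, unsalted)", 128, 32, 1),
    "5": ("SHA-256-crypt", 256, 43, 5000),
    "6": ("SHA-512-crypt", 512, 86, 5000),
}
WEAK = {"1", "3"}  # assumption: this example's audit policy flags these
B64 = re.compile(r"^[./0-9A-Za-z]+$")   # crypt(3) base64 alphabet
HEX = re.compile(r"^[0-9A-Fa-f]+$")     # NT hash is hex encoded

def describe(stored):
    """Parse one '$id$...' string into the fields an auditor asks for."""
    parts = stored.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in SCHEMES:
        raise ValueError("not a recognised crypt(3) string")
    ident, fields = parts[1], parts[2:]
    name, bits, digest_len, rounds = SCHEMES[ident]
    # SHA-crypt may carry an explicit work factor: $5$rounds=N$salt$digest
    if ident in ("5", "6") and fields[0].startswith("rounds="):
        rounds = int(fields[0][len("rounds="):])
        fields = fields[1:]
    if len(fields) != 2:
        raise ValueError("unexpected number of fields")
    salt, digest = fields
    alphabet = HEX if ident == "3" else B64
    if len(digest) != digest_len or not alphabet.match(digest):
        raise ValueError("digest has wrong length or alphabet for " + name)
    return {"scheme": name, "digest_bits": bits, "rounds": rounds,
            "salt_chars": len(salt), "weak": ident in WEAK}

# Constructed samples: placeholder digests, not real password hashes.
SAMPLES = [
    "$1$abcdefgh$" + "A" * 22,
    "$3$$" + "0" * 32,
    "$5$rounds=10000$saltsaltsaltsalt$" + "B" * 43,
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s[:14] + "...", describe(s))
```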
02-12-2021 11:33 AM
And a new question from pgiouvanellis:
Hello Team ,
We are trying to disable all weak ciphers on the GUI of the SMA EUQ. Until now we have managed to disable some of them, but we are not able to disable all the weak ciphers.
I attached a printscreen of the weak ciphers.
On the SMA configuration we have until now the below config:
<ssl_gui_ciphers>HIGH:-SSLv2:-aNULL:!RC4:-EXPORT:@STRENGTH</ssl_gui_ciphers>
<ssl_compression>0</ssl_compression>
What do we need to do to disable all other weak ciphers?
Can anyone help me?
Thank You,
Palaiologos
02-12-2021 12:13 PM
Hello,
You could attempt to change the cipher string to something like the following:
HIGH:-SSLv2:-aNULL:!RC4:-EXPORT:!SHA1:!SHA256:!SHA384:@STRENGTH
Though, ideally, you would be testing this on a lab box prior to making any changes as it could potentially impact GUI access.
I am not aware of there being a way to strictly remove all CBC related ciphers, so, you will need to make some additional modifications and continue testing until you find your desired results. Essentially, you would keep adding other cipher types by including a !<cipher> at the end of the string.
You can also find more information concerning the cipher list format here.
Thanks!
-Dennis M.