This event is a chance to review how customers of all sizes face the same daunting challenge: email is simultaneously the most important business communication tool and the leading attack vector for security breaches. Cisco Secure Email enables users to communicate securely and helps organizations combat Business Email Compromise (BEC), ransomware, advanced malware, phishing, spam, and data loss with a multilayered approach to security.
To participate in this event, please use the button below to ask your questions
Ask questions from Monday, February 1 to Friday, February 12, 2021
You can certainly group multiple ESAs together to form a cluster; however, the one caveat to keep in mind is that the cluster functionality within AsyncOS does not have any type of built-in HA/DR capabilities. The only thing that the cluster is used for is sharing the configuration across multiple devices. Steps for forming and joining a cluster can be found here. From the CLI, you'll want to use clusterconfig > Create a new cluster to form a new cluster, and then clusterconfig > Join an existing cluster over SSH on other ESAs once the cluster has been formed.
In general, the best practice settings are always going to be what comes configured by default on the ESA. Of course, the default settings may need to be tweaked depending on your company policies, and Cisco TAC is always available to help guide you through any changes.
Here are some of the available recommendations outside of the default configuration:
A question regarding encryption? We can help!
Does anyone know which encryption mechanism is being used to store the passwords for local users ?
I got a question from audit about it ? They need to know how the password is stored in the config etc and with how many bits/hash it has been encrypted.
Thanks for your question Rolelael,
The passwords are stored with the same algorithm internally as they are
stored within an exported configuration file with passwords unmasked.
The method used is the UNIX crypt function:
You can determine which algorithm a given password is stored in
by looking at the '$x$' at the beginning of the password.
$1$ = MD5
$3$ = NT Hash
$5$ = SHA-256
I hope that helps!
And a new question from pgiouvanellis:
Hello Team ,
We are trying to disable all weak ciphers to gui of SMA EUQ until know we manage to disable some of them but we are not able to disbale all the weak ciphers .
I attached a printscreen of the weak ciphers .
On SMA configuration we have unti know the below config :
What we need to do to disable all other weak ciphers ?
Does anyone can help me ?
You could attempt to change the cipher string to something like the following:
Though, ideally, you would be testing this on a lab box prior to making any changes as it could potentially impact GUI access.
I am not aware of there being a way to strictly remove all CBC related ciphers, so, you will need to make some additional modifications and continue testing until you find your desired results. Essentially, you would keep adding other cipher types by including a !<cipher> at the end of the string.
You can also find more information concerning the cipher list format here.