Email Security Appliance - Jive Software · Email Security Appliance ... IronPort Anti-spam Sophos...

Date post: 27-Aug-2018
Upload: dothu
Page 1: Email Security Appliance - Jive Software · Email Security Appliance ... IronPort Anti-spam Sophos or McAfee Anti-virus ... Using the Recipient Access Table (RAT)

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1

Email Security Appliance

Appliance Evaluation and Deployment Chris Porter

Page 2

One Armed Deployment with Private Address

The original public IP and MX record are kept. Firewall rules map the public address to the private address on the C-Series. Internal groupware servers route outgoing mail to this private IP address. There is no need to place the appliance inside a DMZ.

[Diagram: Internet -> Cisco ASA 5500 or equivalent (NAT, public IP XXX.XXX.XXX.XXX) -> C-160 -> Mail Server; private addresses shown are 192.168.10.56 and 192.168.10.101; incoming mail arrives over SMTP. One physical interface with one public IP and one listener for accepting incoming mail and outgoing mail. Optional management network on DATA 2 not shown.]

Page 3

One Armed Deployment with Public Address

I need to map a single MX record to a public IP address and forward mail to a hosting mail backend.

[Diagram: Internet -> Cisco ASA 5500 or equivalent (public IP XXX.XXX.XXX.XXX) -> C-160 -> Mail Server; private address shown is 192.168.10.56; incoming mail arrives over SMTP. One physical interface with one public IP and one listener for accepting incoming mail and outgoing mail.]

Page 4

Considering your Evaluation Options

• Virtual Evaluation: on-demand virtual evaluation environment for the C-Series
  • Preferred option
  • Fast to deploy
  • Cost effective
• A 30 Day Hardware Installation Evaluation
  • Typical for Enterprise engagements
  • Necessary where performance cannot be easily gauged

Page 5

The Evaluation Process

1. Identify the Customer’s Hardware

2. Identify the Customer’s Functional specs

3. Identify the Network Topology

4. Gather Installation Information

5. Perform the Installation

Page 6

Identify the Customer's Hardware Requirements

The following are general performance numbers (MPH = messages per hour):

• C160 ~ 43,000 MPH
• C360 ~ 68,000 MPH
• C660 ~ 108,000 MPH
• X1060 ~ 118,000 MPH

The base guideline accounts for:

• SenderBase + AS (Anti-Spam) + AV (Anti-Virus) + VOF (Virus Outbreak Filters)

Additional customer filtering requirements may require derating these guidelines, typically by 10% - 40%.

Page 7

Identifying Customer’s Functional Needs

Which of the following features are needed?

• Incoming Mail Handling
  • IronPort Anti-spam
  • Sophos or McAfee Anti-virus
  • IronPort Virus Outbreak Filters
  • Recipient Validation via LDAP
  • Content Filters
• Outgoing Mail Handling
  • Sophos or McAfee Anti-virus
  • Encryption
  • Data Leakage Protection (DLP)
  • Content Filters
• End User Spam Quarantine
  • Safelist/Blocklist
  • Spam Quarantine Notifications
  • End User Access to Spam Quarantine via LDAP

Page 8

Identifying the Customer's Current Topology

[Diagram: topology variants, each connected to the internet: Email Server with Anti-Spam; Email Gateway with Anti-Spam in front of an Email Server; Firewall only; Email Gateway in DMZ; Email Gateway with Firewall (most common), shown as an Email Gateway with Anti-Spam in front of an Email Server]

Page 9

Gathering Installation Information

Network Information
• Network Settings
• DNS Settings
• NTP Settings

Mail Information
• Incoming Mail Information
  • Recipient Access Domains
  • IP addresses of Groupware Servers
• Outgoing Mail Information
  • IP addresses allowed to Relay
• Monitoring Addresses
  • Alert Recipient
  • Scheduled Report Recipient

Directory Information
• LDAP Server Type
• IP Address / Hostname
• Port Number
• Base DN
• Credential Info

Page 10

Configuring Firewall Settings

• From the Internet to the IronPort
• From the IronPort to the Internet
• From the IronPort to the Intranet LAN
• From the Intranet LAN to the IronPort

A detailed list is part of your Pre-install Checklist.

[Diagram: IronPort C-Series (192.168.10.103) in the DMZ between the internet and the intranet; internet side: SMTP (port 25) and IronPort HTTP updates; intranet side: Groupware, Administrator, LDAP, DNS, NTP]

Page 11

Firewall Settings

Page 12

Staging the Installation (Virtual Eval)

1.  Complete the "ESA Pre-Installation Worksheet" available on the Channel Portal

2.  Download the relevant Install Guide for the C-Series hardware from the Support Portal

3.  Verify your IT Structures account and setup

4.  Allocate the Eval instance

5.  Power Up the appliance

6.  Perform installation based on Customer information in the "IronPort ESA Evaluation Configuration Guide"

Page 13

Staging the Installation (C-160)

1.  Complete the "ESA Pre-Installation Worksheet" available on the Channel Portal

2.  Download the relevant Install Guide for the C-Series hardware from the Support Portal

3.  Verify that your installation parts are present

4.  Rack the appliance

5.  Connect the Ethernet cable

6.  Power Up the appliance

7.  Perform installation based on Customer information in the "IronPort ESA Evaluation Configuration Guide"

Page 14

The Cisco IronPort C-160

[Photo: appliance with the Data 1, Data 2, Power and Serial Interface connectors labelled]

Page 15

Sample Installation

Data 1 Interface
• Interface hostname will be the same as the MX record
• Is the first email hop in the enterprise

Mgmt (management) interface: 192.168.42.42 (default)

[Diagram: Internet -> Cisco ASA 5500 or equivalent (public IP XXX.XXX.XXX.XXX) -> Data 1 (outside, 192.168.10.103) -> appliance -> Data 2 (inside) -> Exchange Mail Server (172.20.0.10); incoming mail arrives over SMTP; administrator access over HTTP/HTTPS (labels: SSC, admin)]

Page 16

System Setup Wizard

System Administration > System Setup Wizard

Page 17

System Setup Wizard (continued)

Page 18

System Setup Review

Page 19

Verifying Port 25 to Internet and Intranet

Open a telnet session on port 25 to the remote MTA and to each internal mail server, then quit:

    telnet 192.168.10.200 25   (remote MTA)
    quit
    telnet 172.20.0.20 25      (mail server)
    quit
    telnet 172.20.0.10 25      (mail server)
    quit

Look for:
• Connection
• SMTP Banner

Page 20

Verifying MX Records & Access to Updates

Page 21

Tracking Individual Emails

You can quickly determine the exact location of a message by using the Message Tracking feature. Tracking must be explicitly enabled.

Page 22

Creating Email Reports

Reporting in AsyncOS involves three basic actions:

• Create Scheduled Reports to be run daily, weekly, or monthly

• Generate a report immediately (“on-demand” report).

• View archived reports (both scheduled and on-demand).

Page 23

Controlling the SMTP Connection

[Diagram (SMB install): a connection from outside.com (IP 64.12.193.85, SenderBase data SBRS = -2.7) reaches the Incoming Mail Listener (192.168.10.110) and is delivered to exchange.juliet.com. The HAT acts on the connecting IP, the RAT on the envelope (mail from: [email protected] rcpt to: [email protected]), and Anti-Spam on the header and body.]

Page 24

Defining HAT Operation (Outgoing Mail)

[Diagram: outbound mail from exchange.juliet.com (172.20.0.10) passes through the Incoming Mail Listener (192.168.10.110) to the Internet (outside.com, oldname.com; SenderBase data for 64.12.193.85); envelope To: [email protected] From: [email protected]]

Page 25

Using Mail Flow Policies in the HAT

HAT for an Incoming Mail Listener (1 Data interface)

Sender Group Name   Mail Flow Policy
RELAYLIST           RELAYED
WHITELIST           TRUSTED
BLACKLIST           BLOCKED
SUSPECTLIST         THROTTLED
UNKNOWNLIST         ACCEPTED
ALL                 ACCEPTED

Policy Name   Action   Inbound Throttling   Anti-Spam   Anti-Virus
RELAYED       RELAY    NO                   NO          YES
TRUSTED       ACCEPT   NO                   NO          YES
BLOCKED       REJECT   N/A                  N/A         N/A
THROTTLED     ACCEPT   YES                  YES         YES
ACCEPTED      ACCEPT   NO                   YES         YES

Page 26

Matching Domains to HAT Sender Groups

HAT Matching

[Diagram: sample message from the outside to the inside:
  TCP Connection: 192.168.10.200,12345 (mail1.from.com) -> 192.168.10.103,25 (mx1.scu.com)
  SMTP Session: EHLO from.com / MAIL FROM:<[email protected]> / RCPT TO:<[email protected]> / RCPT TO:<[email protected]>
  Content Headers: Received: from mail1.from.com (1.2... / Subject: Hello / From: “Joe” [email protected] / To: “User One” [email protected] / To: "User two" [email protected] / Data
  Message Body: Hello,]

Identify senders by their IP addresses:
• Complete address
• Partial address
• CIDR block
• Range of addresses
• SenderBase score for an address
• Validated domain name (PTR+A record)
• Partial domain name
• DNS List lookup

Page 27

Matching Domains to HAT Sender Groups (continued)

Sender Group              Meaning
192.35.195.42             Full IP address
216.255.128.              Partial IP address - matches any IP address beginning with this string
216.255.128-159.          Range of IP addresses
216.255.128.0/19          CIDR address block
AOL.COM                   A fully-qualified domain name
.mx.AOL.COM               Everything within the partial host domain
SBRS[-10.0:-7.0]*         SenderBase Reputation Score range
dnslist[bl.spamcop.net]*  DNS List query against the domain's DNS server
ALL                       Special keyword that matches ALL addresses

* This syntax is only used in the CLI; DNS lists and SenderBase Reputation Score ranges are handled in the GUI using different syntax.

A domain listed by FQDN must have valid PTR records.
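The sender-group syntax in the table above, and the way sender groups map to mail flow policies on page 25, can be exercised offline with the following Python matcher. It is an added example, not code from the deck or from Cisco. It assumes sender groups are evaluated top to bottom with the first match winning, that hostname entries only match when the connecting host's PTR record validated (the note above), and that DNS list entries are answered by a caller-supplied lookup function (the default treats nothing as listed, so no network is needed). EXAMPLE_HAT is a constructed table modelled on the page 25 listener plus the page 31 WHITELIST entry.

```python
import ipaddress
import re
from typing import Callable, List, Optional, Tuple

# Added example, not the appliance's own code. Evaluates HAT sender-group
# entries written in the CLI syntax of the page 27 table against one
# connecting host, described by its IP, the hostname obtained by reverse DNS
# (None when PTR/A validation failed) and its SenderBase score (None when no
# score was returned). DNS list queries go to a caller-supplied function so
# the example runs offline; the default treats nothing as listed.

DnsListLookup = Callable[[str, str], bool]      # (list name, ip) -> listed?


def no_dnsbl(_list_name: str, _ip: str) -> bool:
    return False


def match_entry(entry: str, ip: str, verified_host: Optional[str],
                sbrs: Optional[float], dnsbl: DnsListLookup = no_dnsbl) -> bool:
    """True if one sender-group entry matches the connecting host."""
    e = entry.strip()
    if e.upper() == "ALL":                                      # special keyword
        return True
    m = re.fullmatch(r"SBRS\[(-?\d+(?:\.\d+)?):(-?\d+(?:\.\d+)?)\]", e, re.I)
    if m:                                                       # reputation score range
        return sbrs is not None and float(m[1]) <= sbrs <= float(m[2])
    m = re.fullmatch(r"dnslist\[(.+)\]", e, re.I)
    if m:                                                       # DNS list query
        return dnsbl(m[1], ip)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}", e):     # CIDR block
        return ipaddress.ip_address(ip) in ipaddress.ip_network(e, strict=False)
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", e):             # full IP address
        return ip == e
    if re.fullmatch(r"(?:\d{1,3}\.){1,3}", e):                  # partial IP (leading octets)
        return ip.startswith(e)
    m = re.fullmatch(r"((?:\d{1,3}\.){0,3})(\d{1,3})-(\d{1,3})\.", e)
    if m:                                                       # range within one octet
        prefix, lo, hi = m[1], int(m[2]), int(m[3])
        if not ip.startswith(prefix):
            return False
        return lo <= int(ip[len(prefix):].split(".")[0]) <= hi
    if verified_host is None:       # hostname entries need a validated PTR record
        return False
    host = verified_host.lower().rstrip(".")
    if e.startswith("."):                                       # partial host domain
        return host.endswith(e.lower())
    return host == e.lower()                                    # fully-qualified name


# (group name, mail flow policy, entries). Groups are assumed to be evaluated
# top to bottom with the first match winning. Constructed from the page 25
# listener plus the page 31 WHITELIST entry; not a real configuration.
SenderGroup = Tuple[str, str, List[str]]
EXAMPLE_HAT: List[SenderGroup] = [
    ("RELAYLIST",   "RELAYED",   ["172.20.0.20/32"]),
    ("WHITELIST",   "TRUSTED",   ["NewBP.com"]),
    ("BLACKLIST",   "BLOCKED",   ["SBRS[-10.0:-7.0]", "dnslist[bl.spamcop.net]"]),
    ("SUSPECTLIST", "THROTTLED", ["SBRS[-3.0:-1.0]"]),
    ("UNKNOWNLIST", "ACCEPTED",  ["SBRS[-1.0:10.0]"]),
    ("ALL",         "ACCEPTED",  ["ALL"]),
]


def classify(hat: List[SenderGroup], ip: str, verified_host: Optional[str],
             sbrs: Optional[float], dnsbl: DnsListLookup = no_dnsbl) -> Tuple[str, str]:
    """(sender group, mail flow policy) that the listener would apply."""
    for group, policy, entries in hat:
        if any(match_entry(e, ip, verified_host, sbrs, dnsbl) for e in entries):
            return group, policy
    raise ValueError("HAT has no catch-all ALL entry")


if __name__ == "__main__":
    # The two connections that appear in the mail logs later in the deck.
    print(classify(EXAMPLE_HAT, "172.20.0.20", "notes.inside.com", -2.7))     # RELAYLIST
    print(classify(EXAMPLE_HAT, "192.168.10.200", "mail.outside.com", -2.7))  # SUSPECTLIST
```

Two things worth noticing when running it: a host whose reverse DNS did not validate never matches a hostname entry, so a partner listed by name but with a broken PTR record silently falls through to the score-based groups; and a score such as -4 lands in none of the default ranges and ends up in ALL/ACCEPTED, which is the gap the page 28 example addresses with a custom policy.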

Page 28

Creating New Mail Flow Policies

Example: The default HAT settings are not correctly limiting domains with SBRS between -3 and -1.

Solution: Create an alternate Mail Flow Policy.

[Diagram: Internet senders New_BP.com, Outside.com and oldname.com connecting to the Incoming Mail Listener (192.168.10.103), behind which sits exchange.charlie.com]

Page 29

Creating New Mail Flow Policies (continued)

Mail Policies Tab > Mail Flow Policies > Add Policy

Settings for LIMITED:
• Connection Behavior = Accept
• Custom SMTP Banner Text = Your messages are being limited
• Max Recipients / hour = 50

Page 30

Changing a Sender Group’s Mail Flow Policy

Mail Policies Tab > HAT Overview > Suspect List > Edit Settings

Enable Connecting Host DNS Verification for SUSPECTLIST

Page 31

Unblocking a Preferred Sender

Example: add a New Business Partner to the Sender Group “WHITELIST”

[Diagram: NewBP.com (SBRS = -4) connecting from the Internet to the Incoming Mail Listener (192.168.10.103); outside.com also shown; label "Black List NewBP.com"]

Note: The WHITELIST Mail Flow Policy skips all Anti-Spam processing. This should be considered a temporary measure only!

Page 32

Using the Mail Policies Tab to Edit the HAT

Example: Click to add a trusted sender to the WHITELIST Sender Group of the IncomingMail listener

[Screenshot with numbered callouts 1, 2, 3]

Page 33

Using the Recipient Access Table (RAT)

RAT actions:
• Accept recipient
• Reject recipient
• Accept recipient and bypass throttling

The RAT is applied only to SMTP conversations that have an "Accept" Connection Behavior.

[Diagram: the sample message from page 26 (TCP connection 192.168.10.200,12345 (mail1.from.com) -> 192.168.10.103,25 (mx1.scu.com); SMTP session EHLO from.com, MAIL FROM, two RCPT TO commands; content headers; message body)]

Page 34

How the RAT Matches on Recipients

Recipient Syntax        Match ON
example.com             Everything just at example.com
.example.com            Everything within the .example.com domain
division.example.com    A fully-qualified domain name

Less common usages:

Recipient Syntax        Match ON
User@domain             Complete email address
User@                   Anything with the given username
User@[192.168.10.200]   Username at a domain literal address (square brackets required)

Q: When do you add to the RAT? A: When you acquire a new domain.

Page 35

Specifying New Recipients in the RAT

Problem: Users in domain notes.charlie.com cannot receive mail.

Fix: notes.charlie.com needs to be in the RAT.

[Diagram: mail from the Internet (new_bp.com, Outside.com, oldname.com) to the Incoming Mail Listener (192.168.10.103) for exchange.charlie.com and notes.charlie.com; a message with envelope To: [email protected] From: [email protected] is rejected by the RAT]

Page 36

Configuring the Recipient Access Table

[Screenshot with numbered callouts 1, 2, 3]

Page 37

Adding a New RAT Entry

Recipient       Action
scu.com         ACCEPT
notes.scu.com   ACCEPT
oldname.com     REJECT (with custom SMTP message)
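The recipient syntax from page 34, the three RAT actions from page 33 and the entries above can be tried out with this small matcher. It is an added example, not the appliance's own code. It assumes RAT entries are evaluated in order and that a recipient matched by no entry is rejected (which is how the notes.charlie.com users on page 35 end up rejected); the ".domain" form is taken to match hosts within the domain but not the bare domain itself. EXAMPLE_RAT is constructed from the page 37 entries plus two entries using the less common syntax, and the 550 reply text is made up.

```python
from typing import List, Optional, Tuple

# Added example, not the appliance's own code. Matches an envelope recipient
# (the RCPT TO address) against Recipient Access Table entries in the syntax
# of page 34 and returns the action of the first matching entry. Assumptions:
# entries are evaluated in order, and a recipient matched by no entry is
# rejected. The table is constructed from the page 37 entries plus two
# entries in the less common syntax; the SMTP reply text is made up.

ACCEPT = "ACCEPT"
REJECT = "REJECT"
ACCEPT_BYPASS_THROTTLING = "ACCEPT_BYPASS_THROTTLING"

RatEntry = Tuple[str, str, Optional[str]]   # (recipient pattern, action, custom SMTP reply)

EXAMPLE_RAT: List[RatEntry] = [
    ("scu.com",              ACCEPT, None),
    ("notes.scu.com",        ACCEPT, None),
    ("oldname.com",          REJECT, "550 oldname.com is no longer hosted here"),
    ("postmaster@",          ACCEPT_BYPASS_THROTTLING, None),   # this user at any domain
    ("ops@[192.168.10.200]", ACCEPT, None),                     # domain literal form
]


def split_address(address: str) -> Tuple[str, str]:
    """'User@domain' -> ('user', 'domain'), both lowercased."""
    user, _, domain = address.strip().partition("@")
    return user.lower(), domain.lower().rstrip(".")


def entry_matches(pattern: str, recipient: str) -> bool:
    """True if one RAT entry matches the recipient address."""
    p = pattern.strip().lower()
    user, domain = split_address(recipient)
    if "@" in p:
        p_user, _, p_domain = p.partition("@")
        if p_domain == "":                      # User@ : this username at any domain
            return user == p_user
        # Complete address, including the User@[ip] domain-literal form; the
        # bracketed literal has to appear verbatim in the recipient address.
        return user == p_user and domain == p_domain
    if p.startswith("."):                       # .example.com : hosts within the domain
        return domain.endswith(p)
    return domain == p                          # example.com : only that domain


def rat_decision(rat: List[RatEntry], recipient: str) -> Tuple[str, Optional[str]]:
    """(action, custom SMTP reply or None) for one RCPT TO."""
    for pattern, action, reply in rat:
        if entry_matches(pattern, recipient):
            return action, reply
    return REJECT, None                         # no entry accepted the recipient


def rat_decisions(rat: List[RatEntry], recipients: List[str]) -> List[Tuple[str, str]]:
    """Per-recipient outcome for a session that issued several RCPT TO commands."""
    return [(r, rat_decision(rat, r)[0]) for r in recipients]


if __name__ == "__main__":
    # Constructed recipients: one accepted, one for a domain not yet in the RAT.
    print(rat_decisions(EXAMPLE_RAT, ["user1@scu.com", "user2@notes.charlie.com"]))
```

The last case in the usage line is the page 35 situation: nothing in the RAT covers notes.charlie.com, so the recipient is rejected even though the connection itself was accepted by the HAT. Note also that "scu.com" alone does not cover "mail.scu.com"; either a separate FQDN entry (as the deck does for notes.scu.com) or a ".scu.com" entry is needed for subdomains.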

Page 38

Specifying SMTP Routes on a Per-Domain Basis

Mail for *@notes.charlie.com needs to be delivered to 172.20.0.20.

A comma-separated list will round-robin to multiple servers.

Page 39

A Mistake in SMTP Routing Causes a Loop

Problem:
1. The recipient domain is specified in the RAT but there is no SMTP route to override the DNS MX record.
2. The mail is processed to the delivery stage, where the route lookup fails.
3. The appliance falls back to the MX record for delivery, which sends the mail to itself.
4. The process loops until incoming mail limits are applied.

[Diagram: DNS for charlie.com returns MX = 192.168.10.103, the Data 1 address of the Incoming Mail Listener in front of oldname.com, exchange.charlie.com and notes.charlie.com]

DNS Records:
charlie.com        IN MX   smtp.charlie.com
smtp.charlie.com   IN A    192.168.10.103
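The two pages above (per-domain SMTP routes with round-robin host lists, and the loop that appears when a RAT-accepted domain has no route and its MX points back at the appliance) can be modelled in a few lines of Python, which makes a useful pre-change sanity check. This is an added example, not the appliance's own code. The route table, the DNS view (DNS_MX, DNS_A), the listener address and the accepted-domain list are constructed for the example; route lookup assumes that an exact-domain entry takes precedence over a ".domain" entry covering subdomains, and that without a route the appliance uses the domain's MX target, falling back to the domain's own A record.

```python
import itertools
from typing import Dict, Iterator, List, Optional, Set

# Added example, not the appliance's own code. Models two points from pages
# 38 and 39: per-domain SMTP routes whose comma-separated host lists are used
# round-robin, and the loop that results when a RAT-accepted domain has no
# route and its MX record resolves back to the appliance's own listener
# address. Routes, DNS data and addresses are constructed for the example.


class SmtpRoutes:
    def __init__(self, routes: Dict[str, str]) -> None:
        # e.g. {"notes.charlie.com": "172.20.0.20, 172.20.0.21"}
        self._hosts: Dict[str, List[str]] = {
            domain.lower(): [h.strip() for h in hosts.split(",") if h.strip()]
            for domain, hosts in routes.items()
        }
        self._cycles: Dict[str, Iterator[str]] = {
            domain: itertools.cycle(hosts) for domain, hosts in self._hosts.items()
        }

    def lookup(self, domain: str) -> Optional[str]:
        """Key of the route entry covering `domain`, or None when there is none."""
        d = domain.lower()
        if d in self._hosts:                     # exact domain wins
            return d
        for key in self._hosts:                  # ".charlie.com" covers subdomains
            if key.startswith(".") and d.endswith(key):
                return key
        return None

    def next_host(self, domain: str) -> Optional[str]:
        """Next delivery host for `domain` (round-robin over its list), or None."""
        key = self.lookup(domain)
        return next(self._cycles[key]) if key else None


def mx_delivery_ip(domain: str, dns_mx: Dict[str, str], dns_a: Dict[str, str]) -> Optional[str]:
    """IP used without a route: the MX target's A record, else the domain's own A record."""
    mx_host = dns_mx.get(domain.lower(), domain.lower())
    return dns_a.get(mx_host)


def find_routing_loops(accepted_domains: List[str], routes: SmtpRoutes, own_ips: Set[str],
                       dns_mx: Dict[str, str], dns_a: Dict[str, str]) -> List[str]:
    """RAT-accepted domains whose MX fallback would deliver straight back to this appliance."""
    return [d for d in accepted_domains
            if routes.lookup(d) is None and mx_delivery_ip(d, dns_mx, dns_a) in own_ips]


# Constructed DNS view mirroring the page 39 records (the MX for the
# notes.charlie.com subdomain is assumed to point at the same host).
DNS_MX = {"charlie.com": "smtp.charlie.com", "notes.charlie.com": "smtp.charlie.com"}
DNS_A = {"smtp.charlie.com": "192.168.10.103"}
LISTENER_IPS = {"192.168.10.103"}
ACCEPTED = ["charlie.com", "notes.charlie.com"]        # RAT entries after the page 35 fix


def loops_before_and_after_fix():
    """Show the page 39 loop, then that the page 38 route removes it."""
    before = find_routing_loops(ACCEPTED, SmtpRoutes({"charlie.com": "172.20.0.10"}),
                                LISTENER_IPS, DNS_MX, DNS_A)
    fixed = SmtpRoutes({"charlie.com": "172.20.0.10",
                        "notes.charlie.com": "172.20.0.20, 172.20.0.21"})
    after = find_routing_loops(ACCEPTED, fixed, LISTENER_IPS, DNS_MX, DNS_A)
    return before, after


if __name__ == "__main__":
    print(loops_before_and_after_fix())      # (['notes.charlie.com'], [])
```

Running the check whenever a domain is added to the RAT, before mail for it arrives, catches the page 39 mistake at configuration time rather than when the incoming mail limits start firing.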

Page 40

Adding New Servers to the Relay List

• notes.charlie.com cannot send outbound mail
• Add it to the relay list

[Diagram: Incoming Mail Listener (192.168.10.103) with exchange.charlie.com and notes.charlie.com behind it; new_bp.com and oldname.com on the Internet side]

Page 41

Adding New Servers to the Relay List

Mail Policies > HAT Overview > RELAYLIST > Add Sender

Page 42

Verifying Changes with the Trace Tool

Page 43

Troubleshooting with the Mail Logs

• The CLI tail command watches the logs in real time
• Log subscriptions (configured in the GUI or the CLI) put logs at your disposal on your desktop for detailed searches
• You can enable deeper levels of debugging when troubleshooting tough problems
• Log viewer tools provided at the support site extract data from the binary logs
• Not all logs are enabled by default, so it is good to know what is available
• Access logs at: ftp://smtp.<teamname>.com (for example, the bounces directory holds bounces.text.current)

Log file naming
• The current log is open for writing; .current and .c are really the same file
• .c means the file is current, open for writing
• .s means the file is saved, complete

Page 44

Troubleshooting with the Mail Logs (continued)

• Contains details of message receiving, delivery, and bounces
• Status information is also logged every minute (unless you change the System Measurements Frequency under System Administration -> Log Subscriptions -> Edit Settings)
• Does not include delivery codes
• Use cases
  • Track the receipt, processing, and delivery of specific messages
  • Track Anti-Spam and Anti-Virus checking results
  • Analyze system performance

How event records are identified:

Event   Meaning
New     New connection initiated; ICID created
ICID    Incoming Connection ID
Start   New message started; MID created
MID     Message ID
RID     Recipient ID
DCID    Delivery Connection ID
Done    Command complete
Ready   System waiting for next command in SMTP

Page 45

Tracking Mail Messages with "tail mail_logs"

Mon Mar 9 12:03:36 2009 Info: New SMTP ICID 9 interface Data 1 (192.168.10.103) address 172.20.0.20 reverse dns host notes.inside.com verified yes
    <- New connection initiated; ICID (Incoming Connection ID) created
Mon Mar 9 12:03:36 2009 Info: ICID 9 RELAY SG RELAYLIST match 172.20.0.20/32 SBRS -2.7
    <- Sender Group match
Mon Mar 9 12:04:28 2009 Info: Start MID 24 ICID 9
    <- New message started; MID created
Mon Mar 9 12:04:28 2009 Info: MID 24 ICID 9 From: <[email protected]>
Mon Mar 9 12:06:21 2009 Info: MID 24 Message-ID '<[email protected]>'
Mon Mar 9 12:06:21 2009 Info: MID 24 Subject 'The real email'
Mon Mar 9 12:06:21 2009 Info: MID 24 ready 314 bytes from <[email protected]>
Mon Mar 9 12:06:21 2009 Info: MID 24 matched all recipients for per-recipient policy DEFAULT in the outbound table

Page 46

Tracking Mail Messages with "tail mail_logs" (continued)

Mon Mar 9 12:06:21 2009 Info: MID 24 interim AV verdict using Sophos CLEAN
Mon Mar 9 12:06:21 2009 Info: MID 24 antivirus negative
Mon Mar 9 12:06:21 2009 Info: MID 24 queued for delivery
Mon Mar 9 12:06:21 2009 Info: New SMTP DCID 14 interface 192.168.10.103 address 192.168.10.200 port 25
    <- New Delivery Connection ID; destination server outside.com
Mon Mar 9 12:06:21 2009 Info: Delivery start DCID 14 MID 24 to RID [0]
Mon Mar 9 12:06:21 2009 Info: Message done DCID 14 MID 24 to RID [0]
Mon Mar 9 12:06:21 2009 Info: MID 24 RID [0] Response '2.0.0 n29J6Kmr023516 Message accepted for delivery'
Mon Mar 9 12:06:21 2009 Info: Message finished MID 24 done
Mon Mar 9 12:06:26 2009 Info: DCID 14 close
Mon Mar 9 12:06:30 2009 Info: ICID 9 close

Page 47

Using the findevent Command

example.com> findevent
Please choose which type of search you want to perform:
1. Search by envelope FROM
2. Search by Message ID
3. Search by Subject
4. Search by envelope TO
[1]> 3
Enter the regular expression to search for.
[]> confidential
Currently configured logs:
1. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to use for message tracking.
[]> 1
Please choose which set of logs to search:
1. All available log files
2. Select log files by date list

Page 48

Using the grep Command

mgmt.alpha.com> grep
Currently configured logs:
1. "antispam" Type: "Anti-Spam Logs" Retrieval: FTP Poll
:
13. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
[]> 13
Enter the regular expression to grep.
[]> Warning
Do you want this search to be case insensitive? [Y]> y
Do you want to tail the logs? [N]> n
Do you want to paginate the output? [N]> n

Wed Sep 26 22:12:29 2008 Warning: Your "Centralized Management" key will expire in under 30 day(s). Please contact your authorized IronPort sales representative.

mgmt.alpha.com>

Page 49

Using grep and findevent to search for "encrypted" in the mail logs

mgmt.bravo.com> grep -e "ENCRYPTED" mail_logs
Sat Nov 1 19:36:47 2008 Info: MID 31 interim AV verdict using Sophos ENCRYPTED
Sat Nov 1 19:45:09 2008 Info: MID 32 interim AV verdict using Sophos ENCRYPTED

mgmt.bravo.com> findevent
Please choose which type of search you want to perform:
1. Search by envelope FROM
2. Search by Message ID
3. Search by Subject
4. Search by envelope TO
[1]> 2
Enter the Message ID (MID) to search for.
[]> 31
Sat Nov 1 19:36:47 2008 Info: New SMTP ICID 24 interface Data 1 (192.168.10.102) address 192.168.10.200 reverse dns host mail.outside.com verified yes
Sat Nov 1 19:36:47 2008 Info: ICID 24 ACCEPT SG SUSPECTLIST match SBRS[-3.0:-1.0] SBRS -2.7
Sat Nov 1 19:36:47 2008 Info: Start MID 31 ICID 24
Sat Nov 1 19:36:47 2008 Info: MID 31 ICID 24 From: <[email protected]>
Sat Nov 1 19:36:47 2008 Info: MID 31 ICID 24 RID 0 To: <[email protected]>
Sat Nov 1 19:36:47 2008 Info: MID 31 Subject 'Exercise 6.1d'
Sat Nov 1 19:36:47 2008 Info: MID 31 ready 4088 bytes from <[email protected]>
Sat Nov 1 19:36:47 2008 Info: MID 31 matched all recipients for per-recipient policy DEFAULT in the inbound table
Sat Nov 1 19:36:47 2008 Info: ICID 24 close
Sat Nov 1 19:36:47 2008 Info: MID 31 interim verdict using engine: CASE spam negative
Sat Nov 1 19:36:47 2008 Info: MID 31 using engine: CASE spam negative
Sat Nov 1 19:36:47 2008 Info: MID 31 interim AV verdict using Sophos ENCRYPTED
Sat Nov 1 19:36:47 2008 Info: MID 31 antivirus encrypted
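The identifier chain described on page 44 (ICID for the inbound connection, MID for the message, RID and DCID for delivery) is what lets grep and findevent reconstruct a message's history from mail_logs, as on pages 45, 46 and this page. The following Python parser does the same join offline. It is an added example, not the appliance's own tooling: the regexes are a best-effort reading of the log lines shown in the deck, not the full AsyncOS log grammar, and SAMPLE_LOG is taken from those pages with the deck's redacted "[email protected]" addresses kept as they appear.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not the appliance's own tooling: follows the page 44 identifiers
# (ICID -> MID -> RID/DCID) through mail_logs lines to rebuild each message's
# path, and lists ENCRYPTED messages as the page 49 grep does. The regexes are
# a best-effort reading of the lines on pages 45, 46 and 49, not the full
# AsyncOS log grammar; the sample is taken from those pages as shown there.

SAMPLE_LOG = """\
Mon Mar 9 12:03:36 2009 Info: New SMTP ICID 9 interface Data 1 (192.168.10.103) address 172.20.0.20 reverse dns host notes.inside.com verified yes
Mon Mar 9 12:03:36 2009 Info: ICID 9 RELAY SG RELAYLIST match 172.20.0.20/32 SBRS -2.7
Mon Mar 9 12:04:28 2009 Info: Start MID 24 ICID 9
Mon Mar 9 12:04:28 2009 Info: MID 24 ICID 9 From: <[email protected]>
Mon Mar 9 12:06:21 2009 Info: MID 24 interim AV verdict using Sophos CLEAN
Mon Mar 9 12:06:21 2009 Info: Delivery start DCID 14 MID 24 to RID [0]
Mon Mar 9 12:06:21 2009 Info: MID 24 RID [0] Response '2.0.0 n29J6Kmr023516 Message accepted for delivery'
Mon Mar 9 12:06:21 2009 Info: Message finished MID 24 done
Sat Nov 1 19:36:47 2008 Info: New SMTP ICID 24 interface Data 1 (192.168.10.102) address 192.168.10.200 reverse dns host mail.outside.com verified yes
Sat Nov 1 19:36:47 2008 Info: ICID 24 ACCEPT SG SUSPECTLIST match SBRS[-3.0:-1.0] SBRS -2.7
Sat Nov 1 19:36:47 2008 Info: Start MID 31 ICID 24
Sat Nov 1 19:36:47 2008 Info: MID 31 ICID 24 RID 0 To: <[email protected]>
Sat Nov 1 19:36:47 2008 Info: MID 31 Subject 'Exercise 6.1d'
Sat Nov 1 19:36:47 2008 Info: MID 31 interim AV verdict using Sophos ENCRYPTED
"""

_PREFIX = re.compile(r"^\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} \w+: (.*)$")
_RULES = {   # first matching rule wins; all are anchored at the start of the event text
    "new_icid": re.compile(r"New SMTP ICID (\d+) interface .+? \(\S+\) address (\S+) reverse dns host (\S+) verified (yes|no)"),
    "hat": re.compile(r"ICID (\d+) \w+ SG (\S+) match \S+ SBRS (\S+)"),
    "start": re.compile(r"Start MID (\d+) ICID (\d+)"),
    "to": re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <(.*)>"),
    "delivery": re.compile(r"Delivery start DCID (\d+) MID (\d+) to RID"),
    "mail_from": re.compile(r"MID (\d+) ICID \d+ From: <(.*)>"),          # names below this
    "subject": re.compile(r"MID (\d+) Subject '(.*)'"),                    # line are Message
    "av_verdict": re.compile(r"MID (\d+) interim AV verdict using \S+ (\S+)"),   # attributes
    "delivery_response": re.compile(r"MID (\d+) RID \[\d+\] Response '(.*)'"),
    "final_state": re.compile(r"Message finished MID (\d+) (\S+)"),
}


@dataclass
class Connection:            # inbound SMTP connection, keyed by ICID
    icid: int
    remote_ip: str = ""
    reverse_dns: str = ""
    verified: bool = False   # did the PTR record validate?
    sender_group: str = ""
    sbrs: Optional[float] = None


@dataclass
class Message:               # one message, keyed by MID
    mid: int
    icid: Optional[int] = None
    mail_from: str = ""
    rcpt_to: List[str] = field(default_factory=list)
    subject: str = ""
    av_verdict: str = ""
    dcid: Optional[int] = None
    delivery_response: str = ""
    final_state: str = ""


def parse_mail_logs(lines: Iterable[str]) -> Tuple[Dict[int, Connection], Dict[int, Message]]:
    conns: Dict[int, Connection] = {}
    msgs: Dict[int, Message] = {}
    for raw in lines:
        p = _PREFIX.match(raw.strip())
        if not p:
            continue                                   # not a mail_logs record
        for kind, rule in _RULES.items():
            m = rule.match(p.group(1))
            if m:
                break
        else:
            continue                                   # an event type not tracked here
        if kind == "new_icid":                         # "New": ICID created
            conns[int(m[1])] = Connection(int(m[1]), m[2], m[3], m[4] == "yes")
        elif kind == "hat":                            # sender group decision
            c = conns.setdefault(int(m[1]), Connection(int(m[1])))
            c.sender_group = m[2]
            c.sbrs = None if m[3] == "None" else float(m[3])
        else:
            mid = int(m[2]) if kind == "delivery" else int(m[1])
            msg = msgs.setdefault(mid, Message(mid))
            if kind == "start":                        # "Start": MID created on this ICID
                msg.icid = int(m[2])
            elif kind == "to":
                msg.rcpt_to.append(m[2])
            elif kind == "delivery":                   # DCID: outbound delivery connection
                msg.dcid = int(m[1])
            else:                                      # rule name == Message attribute
                setattr(msg, kind, m[2])
    return conns, msgs


def av_report(conns: Dict[int, Connection], msgs: Dict[int, Message],
              verdict: str) -> List[Tuple[int, str, str, str]]:
    """(MID, remote IP, sender group, subject) for messages with this AV verdict."""
    out = []
    for mid, mm in sorted(msgs.items()):
        if mm.av_verdict.upper() == verdict.upper():
            c = conns.get(mm.icid, Connection(-1))    # join to the connection via ICID
            out.append((mid, c.remote_ip, c.sender_group, mm.subject))
    return out
```

Compared with the grep on this page, which only returns the two "interim AV verdict" lines, the join through the ICID immediately tells you which connecting host and which sender group each encrypted message came from, which is the first thing an analyst wants when deciding whether the ENCRYPTED verdicts are expected traffic or something to quarantine.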

Page 50

Injection Debug & Domain Debug

• Injection Debug records the SMTP conversation for connections made to the IronPort
• Domain Debug records the SMTP conversation for connections made by the IronPort

[Diagram: incoming connections from Domain 1 and Domain 2 are captured by Injection Debug; outgoing connections are captured by Domain Debug]
