Content Security Flashcards
Cisco acquired the company that created what we know today as the Cisco Web Security Appliance (WSA) and the Cisco Email Security Appliance (ESA)
IronPort (acquired by Cisco in 2007)
Cisco WSA and Cisco ESA can be centrally managed by?
This provides a solution for centralizing the management and reporting functions of multiple Cisco ESA and Cisco WSA devices
Cisco Security Management appliance (SMA)
This powers the Cisco WSA, ESA and SMA. It is based on a FreeBSD kernel. It does not expose a user UNIX shell: administrators configure the system through a web admin portal (GUI) or a fully scriptable command-line interface (CLI)
Cisco Async Operating System (AsyncOS)
Different Web Security Appliance (WSA) feature engines
- web reputation engine
- web filtering
- application visibility and control (AVC)
- cloud access security
- antivirus scanning
- file reputation
- data-loss prevention
- file sandboxing
- file retrospection
- Cognitive Threat Analytics (CTA)
The Cisco WSA is typically placed either on the inside of the internet edge firewall or in a demilitarized zone (DMZ). A Cisco WSA has one or more of the following interface types
- M1: typically used for management
- P1/P2: typically the interfaces used for web proxy traffic. If both are used, each interface must be connected to a different subnet
- T1/T2: used by the Layer 4 Traffic Monitor (L4TM) to listen on all TCP ports. They are not configured with IP addresses because they are promiscuous monitoring ports (fed from a SPAN/mirror port or a network tap)
Two modes of deployment for the Cisco WSA
- Explicit forward mode (the client is configured to use the proxy explicitly, for example through browser settings or a PAC file)
- Transparent mode (clients do not know there is a proxy; a network infrastructure device is configured to redirect web traffic to the WSA)
In transparent mode, traffic redirection to the WSA can be done using?
- PBR (policy-based routing) on many routers
- Cisco's Web Cache Communication Protocol (WCCP) on Cisco ASA, routers and switches
Steps to configure WCCP on a Cisco ASA to redirect web traffic to a Cisco WSA
- Create ACLs that define the HTTP and HTTPS traffic to redirect
  - access-list HTTP-traffic permit tcp 10.1.1.0 255.255.255.0 any eq www
  - access-list HTTPS-traffic permit tcp 10.1.1.0 255.255.255.0 any eq https
- You can also redirect FTP traffic (the control port plus the passive data port range; 11000-11006 is the WSA's default passive FTP data range)
  - access-list FTP-traffic permit tcp 10.1.1.0 255.255.255.0 any eq ftp
  - access-list FTP-traffic permit tcp 10.1.1.0 255.255.255.0 any range 11000 11006
- Create an ACL that identifies the WSA the traffic is sent to, and bind it as the group-list of each WCCP service (the ACL name is case-sensitive and must match exactly; web-cache is the standard HTTP service, 10 and 20 are dynamic service numbers that must match the services configured on the WSA)
  - access-list WSA extended permit ip host 10.1.2.3 any
  - wccp web-cache redirect-list HTTP-traffic group-list WSA
  - wccp 10 redirect-list FTP-traffic group-list WSA
  - wccp 20 redirect-list HTTPS-traffic group-list WSA
- Configure traffic redirection on the source (client-facing) interface; the ASA only supports redirection in the inbound direction
  - wccp interface inside web-cache redirect in
  - wccp interface inside 10 redirect in
  - wccp interface inside 20 redirect in
You can configure WCCP on a Cisco Firepower Threat Defense (FTD) device by using this. It is a container for an ordered list of FlexConfig objects, which hold the CLI commands that are pushed to the device
Cisco Firepower Management Center (FMC) FlexConfig policies
When the Cisco WSA (a web proxy) forwards a request, by default it changes the request's source IP address to its own IP address. You can preserve the original client source address by enabling ______?
Web Proxy IP Spoofing (return traffic from the server then carries the client's address, so the network must route it back through the WSA; this is why IP spoofing is normally used with transparent/WCCP deployments)
Policy type that you can enable in the Cisco WSA. These policies are configured to identify the user behind a web request instead of just the client IP address
Identification policies (called Identification Profiles in newer AsyncOS releases)
Cisco WSA provides different options for AD or LDAP realm authentication. These are the available schemes
- Basic authentication: the web browser prompts the user for credentials, which are sent only Base64 encoded, not encrypted. Not transparent. Works with both LDAP and AD realms
- NTLMSSP: transparent authentication (the browser answers the challenge with the logged-on Windows credentials). The web browser must be compatible with and support NTLMSSP. AD realms only
- Kerberos: primarily used for Windows (AD) clients. Considered the more secure option, since the client presents a service ticket instead of a password-derived response
Authentication surrogate options let you configure how web transactions are associated with a user after the user has authenticated successfully, so that not every request has to be re-authenticated. Here are the options
- IP address: the client IP is trusted until the surrogate times out (on a shared or NAT'd address every user behind it inherits the first user's identity, so cookie surrogates are preferred where clients share addresses)
- Persistent cookie: until the surrogate times out; survives closing the browser
- Session cookie: until the session times out or the browser is closed
These policies in the WSA map identification profiles (who the user is) to the actions applied to their web requests; they also support time-based restrictions
Access policies
Additional settings and customizations you can configure on the WSA:
- use the AVC engine to enforce acceptable-use-policy components that block or allow applications
- configure the web proxy to block file downloads based on file characteristics (type, size, MIME type)
- define an access policy that applies antimalware scanning and URL reputation
- configure the WSA to decrypt and evaluate SSL/TLS traffic (HTTPS decryption policies; the WSA's signing CA certificate must be trusted by the clients)
- create an outbound malware policy on the Cisco WSA to block malware uploads
- the Cisco WSA supports external DLP servers (via ICAP)
This can be deployed as a physical or virtual appliance or as a cloud service. It acts as the email gateway for an organization, controlling the transfer of all email connections, accepting messages and relaying them to the appropriate email servers. It can handle all SMTP email connections
Cisco Email Security Appliance (ESA)
Most important email concepts
- Mail Transfer Agent: known as the MTA, responsible for transferring email from sender to recipient (server to server over SMTP)
- Mail Delivery Agent: MDA, a component of the MTA responsible for the final delivery of an email message into the recipient's mailbox
- Mail User Agent: MUA, the email client or email reader installed on the user's system or mobile device
- Mail Submission Agent: MSA, a component of the MTA that accepts new mail messages from MUAs
- Internet Message Access Protocol: IMAP, an email client communication protocol that allows users to keep messages on the server
- Post Office Protocol: POP, an application-layer protocol used by an email client to retrieve or download email from the server
Used to route mail traffic on the internet: they tell a sending server which hosts accept mail for a domain, and in what priority order
DNS MX records.
Example of a Cisco ESA deployment
- The sender sends an email to boo@secret.com
- The sending mail server looks up the MX record for secret.com, which points at the Cisco ESA
- The sending mail server opens an SMTP connection to the Cisco ESA
- The Cisco ESA inspects the email transaction and relays the accepted message to the internal mail server
- The email recipient retrieves the email from the internal mail server (for example via IMAP or POP)
The Cisco ESA uses these to handle incoming SMTP connection requests. A listener determines the email processing service configured on a Cisco ESA interface (a public listener accepts inbound mail from the internet, a private listener accepts outbound mail from internal mail servers)
Cisco ESA Listeners
A reputation service that enables you to control the messages that come through the Cisco ESA email gateway based on the sender's trustworthiness (reputation score)
Cisco SenderBase (SenderBase Reputation Service, SBRS; now operated by Cisco Talos)
Cisco ESA concept. These are enabled by default and provide a dynamic quarantine (also called a delay quarantine) that holds messages matching an emerging outbreak until updated antivirus signatures are available
Outbreak filters
A Cisco ESA term for the table that defines which recipient domains and addresses are accepted by a public listener (everything else is rejected at RCPT TO)
Recipient Access Table (RAT)
Cisco ESA feature that allows you to secure your sensitive, proprietary information and intellectual property, preventing data such as confidential documents and personally identifiable information (PII) from leaving your network. (Marketing messages, spam, graymail, malware and phishing are inbound threat categories handled by the ESA's other engines, not by this feature)
Cisco ESA Data Loss Prevention (DLP)
Enables recipients to verify the sender's IP address by looking up DNS records that list the authorized mail gateways for a domain (the domain of the envelope sender, MAIL FROM, is checked against the connecting IP). An industry standard originally defined in RFC 4408, since replaced by RFC 7208. Uses DNS TXT resource records
Sender Policy Framework (SPF)
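The SPF evaluation described above, as an added example that is not part of the original flashcards nor Cisco's ESA code: a small evaluator in Python over a constructed set of DNS records (the domains secret.com, _spf.mailhost.example and loop.example and their records are made up, and no real lookups happen). It handles the ip4, ip6, a, mx, include and all mechanisms, the four qualifiers, and the RFC 7208 limit of 10 DNS-querying mechanisms, which is what turns the self-including record into a permerror instead of infinite recursion. CIDR suffixes on a/mx and the exists, ptr and redirect terms are left out.

```python
import ipaddress

# Constructed DNS data for the example (no real lookups are performed).
TXT = {
    "secret.com": "v=spf1 ip4:203.0.113.0/24 mx include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}
A_RECORDS = {"mail.secret.com": ["192.0.2.25"]}
MX_RECORDS = {"secret.com": ["mail.secret.com"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10   # RFC 7208 section 4.6.4: more than 10 DNS-querying mechanisms is a permerror


def check_spf(sender_ip, domain, _lookups=None):
    """Evaluate the SPF record of `domain` for the connecting IP `sender_ip`.

    `domain` is the domain of the envelope sender (SMTP MAIL FROM), not the
    From: header. Returns pass, fail, softfail, neutral, none or permerror.
    """
    if _lookups is None:
        _lookups = [0]            # shared counter across include: recursion
    ip = ipaddress.ip_address(sender_ip)
    record = TXT.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]

        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue

        # Every remaining mechanism costs at least one DNS query.
        _lookups[0] += 1
        if _lookups[0] > MAX_LOOKUPS:
            return "permerror"

        if name == "include":
            inner = check_spf(sender_ip, arg, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"   # a broken include is fatal
            continue                 # fail/softfail/neutral: try the next term

        if name == "a":
            hosts = [arg or domain]
        elif name == "mx":
            hosts = MX_RECORDS.get(arg or domain, [])
        else:
            return "permerror"       # exists/ptr/redirect are not implemented here
        # Simplified: CIDR suffixes on a/mx (e.g. mx/24) are not handled.
        if any(str(ip) in A_RECORDS.get(h, []) for h in hosts):
            return QUALIFIERS[qualifier]

    return "neutral"                 # nothing matched and no "all" term present


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.25", "2001:db8::1", "192.0.2.99"):
        print(ip, check_spf(ip, "secret.com"))
    print("loop.example", check_spf("192.0.2.1", "loop.example"))
```

On a real gateway the TXT/A/MX dictionaries are replaced by DNS queries, and the result feeds a policy: the ESA's SPF verification, for example, records the verdict so that a content filter can quarantine or tag messages that fail or softfail.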
An industry standard: RFC 5585 is the service overview, and the signing and verification procedure itself is specified in RFC 6376 (which obsoleted RFC 4871). Provides a means for gateway-based cryptographic signing of outgoing messages. The signer embeds verification data (a body hash and a signature over selected headers) in a DKIM-Signature header, and recipients verify the integrity of the message against the signer's public key published in DNS under selector._domainkey.domain
DKIM (DomainKeys Identified Mail)
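The DKIM integrity check described above, as an added example that is neither the original flashcards' content nor the ESA's code: a standard-library Python verifier that parses the DKIM-Signature header, canonicalizes the body according to the c= tag (RFC 6376 section 3.4) and recomputes the bh= body hash. The message, its addresses, the d=secret.com domain and the s=mail2024 selector are constructed; the b= tag is a placeholder, because checking the RSA signature over the headers needs the public key from the selector's _domainkey TXT record and is deliberately left out. The three sample messages show what relaxed canonicalization does and does not tolerate.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Collapse runs of WSP to one SP and strip trailing WSP on every line.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":          # drop trailing empty lines
        lines.pop()
    if not lines:
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"       # body always ends in a single CRLF


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


def parse_headers(raw: bytes):
    """Split a CRLF message into unfolded header lines and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and headers:   # folded continuation line
            headers[-1] += b"\r\n" + line
        else:
            headers.append(line)
    return headers, body


def dkim_tags(sig_value: bytes) -> dict:
    """Parse the tag=value list of a DKIM-Signature; folding whitespace in values is dropped."""
    tags = {}
    for part in sig_value.split(b";"):
        if b"=" in part:
            key, value = part.split(b"=", 1)
            tags[key.strip().decode()] = re.sub(rb"\s+", b"", value).decode()
    return tags


def verify_body_hash(raw: bytes) -> bool:
    """Recompute bh= from the received body and compare it with the signer's claim.

    A mismatch means the body was altered in transit (or the header is forged), so
    the b= signature does not even need to be checked. The l= body-length tag is
    not supported here and is treated as a failure.
    """
    headers, body = parse_headers(raw)
    sig = next((h for h in headers if h.lower().startswith(b"dkim-signature:")), None)
    if sig is None:
        return False
    tags = dkim_tags(sig.split(b":", 1)[1])
    if tags.get("v") != "1" or "bh" not in tags or "l" in tags:
        return False
    canon = tags.get("c", "simple/simple")        # header/body; body defaults to simple
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    return hmac.compare_digest(body_hash(body, body_method), tags["bh"])


# Constructed sample (hypothetical domain, selector and addresses). The bh= tag is
# filled in from the body so the sample verifies; b= is a placeholder because the
# RSA signature over the headers is not checked in this example.
def build_message(body: bytes) -> bytes:
    return (
        b"From: alice@secret.com\r\n"
        b"To: boo@secret.com\r\n"
        b"Subject: Q3 report\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=secret.com;\r\n"
        b"\ts=mail2024; h=from:to:subject; bh=" + body_hash(body).encode() + b";\r\n"
        b"\tb=PLACEHOLDER\r\n"
        b"\r\n" + body
    )


SAMPLE = build_message(b"Quarterly numbers attached.\r\n  Please   review before Friday.\r\n\r\n")
# Whitespace-only changes made by an intermediate MTA survive relaxed canonicalization...
REWRAPPED = SAMPLE.replace(b"  Please   review", b" Please review")
# ...but any change to the content does not.
TAMPERED = SAMPLE.replace(b"before Friday", b"before Monday")

if __name__ == "__main__":
    print(verify_body_hash(SAMPLE), verify_body_hash(REWRAPPED), verify_body_hash(TAMPERED))
```

A gateway that verifies DKIM does this body-hash step first and only then checks b= with the published key; the c= tag matters operationally because an upstream relay that rewraps or re-encodes bodies will break simple canonicalization while relaxed still verifies, which is why relaxed/relaxed is the common signing choice.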
Dashboards in the Cisco SMA
- Cisco SMA Monitoring Flow Summary: shows email message volume and how many messages were categorized as threats
- Advanced Malware Protection (AMP) Summary dashboard: shows incoming files carried by email messages, with statistics on the disposition of each file
- Cisco SMA File Analysis dashboard: shows the time and verdict for each file sent for analysis
- File Retrospection dashboard: lists files processed by the Cisco ESA whose verdict has changed since the message was received
- DLP Incident dashboard: includes the incidents of DLP policy violations occurring in outgoing email
You can use the File Analysis view of the AMP dashboard to view the following
- the number of outgoing files uploaded for file analysis by the File Analysis component of the AMP engine
- a list of incoming and outgoing files that have completed file analysis requests
- a list of incoming and outgoing files that have pending file analysis requests
The DLP Incident Summary page contains two main sections
- DLP incident trend graphs summarizing the top DLP incidents by severity (low, medium, high, critical) and by policy match
- DLP incident detail listing
Proxy server configuration can be provisioned to clients through which DHCP option?
DHCP option 252 (a vendor-specific option that carries the URL of the WPAD/PAC file, which the client uses to locate the proxy in explicit forward mode)