Content Security

Question 1

Cisco acquired company that created what we know today as the Cisco Web Security Appliance (WSA) and the Cisco Email Security Appliance (ESA)

Answer 1

Ironprot

Question 2

Cisco WSA and Cisco ESA can be managed by ?
This provides a solution for centralizing the management and reporting functions of multiple Cisco ESA and Cisco WSA devices

Answer 2

Cisco Security Management appliance (SMA)

Question 3

This power Cisco WSA, ESA and SMA. It is based on freeBSD based kernel. This does not have a user UNIX Shell. Administrators can configure the system using a web admin portal (or web based) or a fully scriptable command-line interface (CLI)

Answer 3

Cisco Async Operating System (AsyncOS)

Question 4

Different Web Security Appliance (WSA) feature engine

Answer 4

• web reputation engine
• web filtering
• application visibility and control (AVC)
• cloud access security
• anti virus scanning
• file reputation
• data-loss prevention
• file sandboxing
• file retrospection
• cognitive threat analysis

Question 5

Cisco WSA typically placed either on the inside of the internet edge firewall or in a demilitarized zone. Cisco WSA have one or more of the following interface types

Answer 5

• M1 : typically used for management
• P1/P2 : typically the interfaces used for web proxy traffic. each interface must be connected to different subnets
• T1/T2: Used for layer 4 traffic monitoring to listen to all TCP Ports. They are not configured with IP address because they are promiscuous monitoring ports.

Question 6

Two modes of deployment for Cisco WSA

Answer 6

• Explicit forward mode (client explicitly use proxy)
• Transparent mode (client dont know there is a proxy. Network infrastructure device are configured to forward traffic to WSA)

Question 7

On WSA traffic redirection can be done using?

Answer 7

PBR (policy based routing) on many routers

Cisco’s Web Cache Communication Protocol (WCCP) on Cisco ASA, routers and switches

Question 8

Steps in configure WCCP in Cisco ASA to redirect web traffic to Cisco WSA

Answer 8

1. Create ACL to define Http and https
   - access-list HTTP-traffic permit tcp 10.1.1.0 255.255.255.0 any eq www
   - access-list HTTPS-traffic permit tcp 10.1.1.0 255.255.255.0 any eq https
2. You can also inspect FTP traffic
   - access-list FTP traffic permit tcp 10.1.1.0 255.255.255.0 any eq ftp
   - acecss-list FTP-traffic permit tcp 10.1.1.0 255.255.255.0 ay range 1100 11006
3. creating an ACL to define where to send the traffic
   - acess-list WAA extended permit ip 10.1.2.3 any
   - wccp web-cache redirect HTTP-traffic group-list wsa
   - wccp 10 redirect-list FTP-traffic group-list WSA
   - wccp 20 redirect-list HTTPS-traffic group-list WSA
4. configuring traffic redirection on source interface
   - wccp interface inside web-cache redirect in
   - wccp interface inside 10 redirect in
   - wccp interface inside 20 redirect in

Question 9

You can configure WCCP on a Cisco Firepower Threat Defence (FTD) device by using this. It is a container of an ordered list of FlexConfig objects.

Answer 9

Cisco Firepower Management Console (FMC) Flexconfig Policies

Question 10

When Cisco WSA (a s web proxy) forward request, by default it changes the request source iP address to match it own IP. However you can change this by enabling ______ ?

Answer 10

Web proxy IP Spoofing

Question 11

Policy type that you can enable in the Cisco WSA. This policies are configured to identify user behind the web request instead of just IP address

Answer 11

Identification policies

Question 12

Cisco WSA provides different options for the AD or LDAP realm authentication. These are the available schemes

Answer 12

• basic authentication : done via web browser. not transparent
• NTLMSSP : this is transparent authentication. the web browser must be compatible and provide support for NTLMSSP.
• kerberos: primarily use for windows client. considered as more secure options

Question 13

Authentication surrogates options enable you to configure how web transactions willbe associated with a user after the user has been successfully authenticated. Here are the options

Answer 13

• IP Address : until surroages times out
• Persistent cookie : until surrogates timeout
• session cookie: until session timeout or browser is closed

Question 14

This policies in WSA map the identification profile for users. also time-based restrictions

Answer 14

Access policies

Question 15

Additional settings and customizations you can configure on WSA:

Answer 15

• you can use the AVC engine to enforce acceptable use-policy components to block or allow applications
• configure as web proxy to block file downloads on file chracacteristics
• define an access policy to apply antimalware and url reputation
• configure WSA to decrypt and evaluate SSL traffic.
• create an outbound malware policy on Cisco WSA to block malware upload
• Cisco WSA support DLP servers.

Question 16

This can be deployed as physical or virtual appliance or cloud service. This acts as email gateway to organizations, controlling the transfer of all email connections, accepting messages and relaying messages to appropriate email servers. Can handle all email smtp connections

Answer 16

Cisco Email Security Appliance (ESA)

Question 17

Most important email concepts

Answer 17

• Mail transfer agent : know as MTA, responsible for transfering emails from sender to recepient
• Mail Delivery Agent : MDA, A component of MTA responsible for the final delivery of an email message.
• Mail user Agent: MUA, email client or email reader installed on user system or mobile devices
• Mail Submission Agent : MSA, a component of MTA that accepts new mail messages.
• Internet Message Access Protocol : IMAP, email client communications protocol that allow users to keep messages on the server
• Post Office Protocol - POP, an application layer protocol used by an email client retrieve or download email from server

Question 18

Used to route the mail traffic on the internet

Answer 18

DNS MX records.

Question 19

Example of Cisco ESA deployment. Steps

Answer 19

1. the sender send email to boo@secret.com
2. the sending mail server lookups the MX record
3. the sending mail server opens an SMTP connection to Cisco ESA
4. the Cisco ESA inspect email transaction
5. the email recepeint retrieves the email from the internal mail server

Question 20

Cisco ESA use this to handle incoming SMTP connection request. Determine the email processing service configured on a Cisco ESA interface

Answer 20

Cisco ESA Listeners

Question 21

Is a reputation service that enables you to control the messages that come through the Cisco ESA email gateway based on the sender trustworthiness (reputation)

Answer 21

Cisco SenderBase

Question 22

Concept of Cisco ESA. This are enable by default and provide a dynamic quarantine (also called delay quarantine).

Answer 22

Outbreak filters

Question 23

Is a Cisco ESA term that defines which recipients are accepted by a public listener

Answer 23

Recipient Access Table (RAT)

Question 24

Cisco ESA feature that allows you to secure your sensitive, proprieatry information and intellectual property, preventing this data from leaving your network such ash marketing messages, spam, graymail, malware phishing, confidential data, personally identifiable information (PII)

Answer 24

Cisco ESA Data Loss Protection

Question 25

Enable recipients to verify Sender IP Address by looking up DNS records that authorized mail gateways for a particular domain. Also this is a industry standard defined in RFC 4408. Uses DNS TXT resource records

Answer 25

Sender Policy Framework (SPF)

Question 26

Is an industry standard defined in RFC 5585. Provides a means for gateway based cryptographic signing of outgoing messages. Allows you to embed verification data in an email header and for recipients to verify the integrity of the email messages

Answer 26

DKIM (domain keys identified mail)

Question 27

Dashboard in Cisco SMA

Answer 27

• Cisco SMA Monitoring FLow Summary : can see email message and email categorized as threats
• Advanced Malware Protection (AMP) Summary Dashboard : show incoming file with email messages. Statistic about disposition of each file is displayed
• Cisco SMA File Analysis Dashboard : the dashboard shows the time and verdict for each file send to analysis
• File Retrospection Dashboard : list the file processed by the Cisco ESA for which verdict has change since the message was received
• DLP Incident dashboard : includes the incidents of DLP policy violation occurring in outgoing email

Question 28

You can use File Analysis view of AMP dashboard to view the following

Answer 28

• the number of outgoing files that are uploaded for file analysis by the File Analysis of the AMP engine
• a list of incoming and outgoing files that have completed file analysis request
• A list of incoming and outgoing file the have pending file analysis request

Question 29

DLP incident summary page contains two main sections

Answer 29

• DLP incident trend graphs sumarizing the top DLP incidents by severity (low, medium, high critical) and policy matches
• DLP incident detail listing

Question 30

Proxy server configuration can be provisioned to clients through what DHCP Options

Answer 30

DHCP Options 252