Cisco IronPort E-mail Security Appliance Best Practices : Part 3

In this article I will talk about some recommended security configurations, new features I have come across in the new AsyncOS 9.0/9.1 series and more about the Advanced Malware Protection (AMP) features introduced in AsyncOS 8.5.

If you haven’t already, have a look at part 1 and part 2 of this series 🙂

SSL Configuration

It is generally considered best practice to disable insecure SSL protocol versions and ciphers on your appliances in order to protect them from vulnerabilities such as POODLE and FREAK.

I strongly recommend you read through the OWASP TLS protection cheat sheet, as it gives more insight into which protocols are considered weak and why.

  • In the GUI, go to System Administration –> SSL Configuration. Click Edit and uncheck SSLv2 and SSLv3, essentially leaving only TLS v1 enabled for everything.
  • (new command as of AsyncOS 9.1) Log on to the CLI and type sslv3config. Disable SSLv3 for all services listed.
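Once the GUI and sslv3config changes are in, it is worth confirming from the outside that the listeners really refuse SSLv3 rather than trusting the checkbox. The probe below is an added example, not Cisco tooling or code from this article: it pins a Python client to one protocol version at a time, speaks STARTTLS on SMTP ports and connects directly on everything else, and lists any accepted version outside TLS 1.x. The hostname and port list are assumptions, and the local OpenSSL must still be able to offer legacy versions; where it cannot, the result is reported as inconclusive (None) rather than as a pass.

```python
import smtplib
import socket
import ssl

# The post leaves only TLS 1.x enabled. Modern OpenSSL cannot offer SSLv2 at all,
# so SSLv3 is the only legacy protocol this probe can actually test for.
ACCEPTABLE = {"TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"}
PROBE_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                  ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)
SMTP_PORTS = {25, 587}  # listeners that need STARTTLS before the handshake

def _client_context(version):
    """Client context pinned to exactly one protocol version; SECLEVEL=0 lets
    the local OpenSSL still offer legacy versions so the probe is meaningful."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # testing protocol support, not certificate identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe_version(host, port, version, timeout=5.0):
    """True if the listener completes a handshake at `version`, False if it
    refuses, None if the local OpenSSL cannot offer it (inconclusive)."""
    try:
        ctx = _client_context(version)
    except (ValueError, ssl.SSLError):
        return None
    try:
        if port in SMTP_PORTS:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
        else:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                ctx.wrap_socket(sock, server_hostname=host).close()  # handshakes
        return True
    except ssl.SSLError as exc:
        # A client-side "no protocols available" says nothing about the server
        return None if exc.reason == "NO_PROTOCOLS_AVAILABLE" else False
    except (OSError, smtplib.SMTPException):
        return False

def probe_host(host, ports=(443, 25)):
    # Map (port, version name) -> probe result for each listener of interest
    return {(port, v.name): probe_version(host, port, v)
            for port in ports for v in PROBE_VERSIONS}

def legacy_findings(results):
    """Sorted (port, version) pairs where a protocol outside ACCEPTABLE was accepted."""
    return sorted((port, name) for (port, name), ok in results.items()
                  if ok and name not in ACCEPTABLE)
```

Run `legacy_findings(probe_host("esa.example.internal"))` against your own appliance address (a placeholder here); an empty list means no listener completed a handshake below TLS 1.0, while None entries in the raw results mean the probe could not offer that version.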

File Reputation and Analysis

In later versions of AsyncOS, Cisco has added support for scanning more file types. You can review these and add the ones you want scanned by going to:

  • Security Services –> File Reputation and Analysis

It is a good idea to change the query timeout to something slightly higher, such as 15 seconds, as the default can be too low at times when the service is busy.

AsyncOS 9.1 now supports automatically quarantining unknown attachments and releasing them if the outcome is clean. You can enable this feature by going to:

  • Mail Policies –> Incoming Mail Policies –> Advanced Malware Protection

Under the section labelled Messages with File Analysis Pending, set the action to Quarantine.

Note that a new File Analysis quarantine was introduced in AsyncOS 9.0 to cater for this new feature.

What this means is that if an attachment is unknown to the AMP service, it will be sent over HTTPS (the default) for sandboxing and analysis. If the attachment is found to be clean, it will be released from quarantine to the user. In my personal experience of using this feature on a virtual IronPort, the time between a requested analysis and the completed analysis of an unknown attachment is between 10 and 20 minutes.

If required, you can also manually release a message from the File Analysis quarantine.

Virtual IronPort Appliance

As of release 9.1, the latest supported Hypervisor and version is:

  • ESXi 5.5

Any other release or hypervisor (including Hyper-V) you use will be at your own risk, and Cisco will only provide best-effort support. Not something I can recommend in a production environment.

Disk Space and Logging

It’s worth double-checking the Disk Management screen to ensure your quarantines, logs, reporting, etc. have enough capacity to function correctly.

I noticed the disk quota after an upgrade was unusually low, so I had to change this.

Disk Management can be found in the System Administration menu.

I hope this has been helpful and I will continue to post new articles as more information/new releases come out!