{"id":1317,"date":"2014-12-18T14:51:45","date_gmt":"2014-12-18T14:51:45","guid":{"rendered":"http:\/\/emtunc.org\/blog\/?p=1317"},"modified":"2017-02-24T15:26:48","modified_gmt":"2017-02-24T15:26:48","slug":"cisco-ironport-e-mail-security-appliance-best-practices-part-2","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/12\/2014\/cisco-ironport-e-mail-security-appliance-best-practices-part-2\/","title":{"rendered":"Cisco IronPort E-mail Security Appliance Best Practices : Part 2"},"content":{"rendered":"<p>This article is a continuation from <a title=\"Cisco IronPort E-mail Security Appliance Best Practices : Part 1\" href=\"http:\/\/emtunc.org\/blog\/06\/2014\/cisco-ironport-e-mail-security-appliance-best-practices-part-1\/\" target=\"_blank\">part 1 of the IronPort &#8216;best practices&#8217; series<\/a>.<\/p>\n<p>Here I will discuss:<\/p>\n<ul>\n<li>Implementing DNS blacklists<\/li>\n<li>DLP<\/li>\n<li>Bounce profiles<\/li>\n<li>LDAP queries<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<h2>Implementing DNS Blacklists<\/h2>\n<p>Before I go into the topic of DNS blacklists, let me explain what they do and why you may want to implement a DNSBL.<\/p>\n<p>A DNSBL is basically a list of &#8216;bad&#8217; IPs published by entities on the internet. These entities have honeypots set up (some with the help of the community and e-mail administrators) all over the internet. These honeypots are (at a very basic level) e-mail addresses that no legitimate person should ever know about. If those addresses start receiving mail, it is highly likely that the messages and their senders are spam or malicious. 
That is a very basic overview; if you want to know more, see <a href=\"http:\/\/www.dnsbl.info\/\" target=\"_blank\">here<\/a> and <a title=\"Wikipedia\" href=\"http:\/\/en.wikipedia.org\/wiki\/DNSBL\" target=\"_blank\">here<\/a>.<\/p>\n<p>A list of DNSBLs is available at\u00a0<a href=\"http:\/\/www.dnsbl.info\/dnsbl-list.php\" target=\"_blank\">http:\/\/www.dnsbl.info\/dnsbl-list.php<\/a><\/p>\n<p>My tips are: you probably don&#8217;t want to use the &#8216;not-so-well-known&#8217; lists. Examples of popular blacklists are BarracudaCentral, Spamhaus, SORBS, SpamCop, etc. Do your research!<br \/>\nAlso, when choosing which blacklists you want to use, choose one or two. You don&#8217;t want to go overboard and have too many blacklists on your ESA. The more you have, the greater the chance of a false positive, so it&#8217;s probably a good idea to have just one to begin with.<\/p>\n<ol>\n<li>Go to your HAT overview list and click on the BLACKLIST sender group.<\/li>\n<li>Edit the settings and, under the DNS lists section, add your chosen blacklists. I have configured mine with the following as of this post:<br \/>\n<strong>b.barracudacentral.org, zen.spamhaus.org<\/strong><\/li>\n<li>Monitor the blacklist activity by checking the mail.current log (System Administration &#8212; Log subscriptions &#8212; mail_logs). You should see something like the below if a message has been dropped for matching a DNSBL:<\/li>\n<\/ol>\n<pre class=\"lang:default decode:true  \">Mon Nov 24 01:25:15 2014 Info: New SMTP ICID 3809767 interface InternalNet (192.168.77.11) address 87.106.139.115 reverse dns host s16895009.onlinehome-server.info verified yes\r\nMon Nov 24 01:25:15 2014 Info: ICID 3809767 REJECT SG BLACKLIST match dnslist[b.barracudacentral.org] SBRS -1.4<\/pre>\n<h2>DLP (Data Loss Prevention)<\/h2>\n<p>DLP is a very useful tool on the IronPort and I highly recommend you implement it in your organisation. 
In the context of the ESA, it will scan your outbound e-mails and attachments for specific keywords and take an action based on the keywords.<\/p>\n<p>Firstly, I recommend you speak to the key figures\/management in your organisation to determine which files are confidential\/private\/internal and which ones shouldn&#8217;t be leaked outside the organisation.<\/p>\n<p>For example, should someone be notified if a file containing employee salary and bonus details gets out? Probably &#8211; but it depends on your organisation and its policies. It&#8217;s usually not for IT to decide what is confidential and what isn&#8217;t; that&#8217;s a management decision.<\/p>\n<p>The Cisco IronPort has a lot of default DLP policies, such as searching e-mails for credit card numbers, passport information, etc.<\/p>\n<p>Another default that I like to use is called\u00a0<em>Suspicious Transmission &#8211; Documents to Webmail<\/em>.<\/p>\n<p>I have configured mine so that any e-mails with attachments to public e-mail hosting domains (such as Hotmail, Gmail, etc.) will be flagged up for me to look over. I do not quarantine any of the files, as you can sometimes get false positives.<\/p>\n<h2>Bounce Profiles<\/h2>\n<p>Bounce profiles determine retry periods, maximum time in queue and other time limits for messages that have problems connecting to the recipient e-mail server. By default the IronPort doesn&#8217;t try to re-send e-mails more than a few times over a short period &#8211; to be fair, it isn&#8217;t designed to store e-mails but instead just to process them.<\/p>\n<p>Depending on your environment, you may want e-mails to be queued for a longer period on your IronPort. We had an e-mail outage over the weekend a while ago and found that by Monday morning, almost all e-mails had hard-bounced. 
After this incident, I configured the IronPort to hold mail in the queue for 7 days before failing.<\/p>\n<p>You can find the bounce profile settings under <strong>Network &#8211;&gt; Bounce Profiles<\/strong>.<\/p>\n<p>Please see the <a title=\"ESA 8.5.6 User Guide\" href=\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/docs\/security\/esa\/esa8-5-6\/ESA_8-5-6_User_Guide.pdf\" target=\"_blank\">latest user guide<\/a> under the bounce profile section for a thorough explanation of all the bounce profile options. Start from page 623.<\/p>\n<h2>LDAP Queries<\/h2>\n<p>Setting up LDAP lookups on your IronPort is a very good idea, as it can greatly reduce the number of spam e-mails your organisation receives: the IronPort will check (using LDAP) for a valid recipient before letting the connection through.<\/p>\n<p>By using LDAP queries you can also prevent e-mail harvesting by stopping malicious bots\/users from guessing all the valid users in your organisation.<\/p>\n<p>I recommend configuring an LDAP profile on your IronPorts. Turn on SSL and look up valid e-mail addresses using the query:<\/p>\n<p>(|(mail={a})(proxyAddresses=smtp:{a}))<\/p>\n<p>Configure the\u00a0<em>Directory Harvest Attack Prevention (DHAP)<\/em> options in the HAT policies.<\/p>\n<p>I hope that has been useful! I will continue to post anything useful I come across on the IronPort, including more information about the content filters that I use in our environment.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article is a continuation from part 1 of the IronPort &#8216;best practices&#8217; series. 
Here I will discuss: Implementing DNS blacklists DLP Bounce profiles LDAP queries<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[135,138,136],"class_list":["post-1317","post","type-post","status-publish","format-standard","hentry","category-tech","tag-cisco-ironport","tag-email-security","tag-esa"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-lf","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1317","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=1317"}],"version-history":[{"count":8,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1317\/revisions"}],"predecessor-version":[{"id":2486,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1317\/revisions\/2486"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=1317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=1317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=1317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}