Content Security Fundamentals

In our next installment of fundamental topics, we’re talking content security. It’s a content-driven world and in today’s hyper-connected Internet-driven world, how do we secure our content? Read on and let’s talk about it!

Email Security Fundamentals

Email is a very popular target for attackers. Everyone has an email address, so it’s low-hanging fruit for bad actors. Spam is one attack angle; at its core, it’s unwanted or unsolicited email. Malicious emails often carry malware in the form of attachments, or they are phishing attempts, which impersonate a trusted third party to try to obtain confidential information. There are many forms of phishing, but two of the most common are whaling (targeting senior-level executives) and vishing (phishing attacks carried out by voice, over the phone).

So how do we protect against such attacks? Email Security Appliance! An Email Security Appliance (or ESA for short) is an advanced solution aimed at controlling SMTP traffic.

The primary functions of an ESA are security and policy enforcement. On the security side, it uses a layered approach: reputation filtering, which looks at the sender’s IP address and “scores” it for trustworthiness; outbreak filtering, which protects your network from large-scale virus outbreaks as well as smaller, non-viral attacks such as phishing scams and malware distribution as they occur; and, lastly, Cisco AMP, which is used with ESA as well - more on AMP in another blog.

ESA also handles email policy enforcement. As an inbound email control, it leans on rate limiting as a key mechanism; as an outbound email control, it focuses on high-performance delivery, which includes DLP (Data Loss Prevention) and encryption. Lastly, policy enforcement also covers content filtering, which includes things like URL filtering.
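To make the inbound control concrete, here is an added example (written for this post, not Cisco’s or the ESA’s code) that combines the two mechanisms just described: a sender-reputation score decides whether a connection is rejected, accepted, or accepted but rate-limited, and a sliding-window limiter enforces the rate for the doubtful tier. The reputation feed, its scores, the thresholds, and the IP addresses are all constructed values; real appliances use their own scoring scales and tiers.

```go
package main

import (
	"fmt"
	"time"
)

// Verdict is the SMTP-level action the gateway takes for an inbound connection.
type Verdict string

const (
	Accept   Verdict = "accept"   // deliver normally
	Throttle Verdict = "throttle" // accept, but the sender is held to a rate limit
	TempFail Verdict = "tempfail" // 4xx: rate limit exceeded, sender may retry later
	Reject   Verdict = "reject"   // 5xx: sender reputation too poor to accept at all
)

// ReputationFeed is a constructed stand-in for a sender-reputation service:
// scores run from -10 (known bad) to +10 (known good). Unknown IPs score 0.
type ReputationFeed map[string]float64

// Score returns the reputation for an IP, neutral when the feed has no entry.
func (f ReputationFeed) Score(ip string) float64 {
	if s, ok := f[ip]; ok {
		return s
	}
	return 0
}

// RateLimiter counts connections per sender IP inside a sliding window.
type RateLimiter struct {
	window time.Duration
	limit  int
	seen   map[string][]time.Time
}

func NewRateLimiter(window time.Duration, limit int) *RateLimiter {
	return &RateLimiter{window: window, limit: limit, seen: map[string][]time.Time{}}
}

// Allow records a connection at `now` and reports whether the sender is still
// within its limit for the window (older timestamps are dropped).
func (r *RateLimiter) Allow(ip string, now time.Time) bool {
	cutoff := now.Add(-r.window)
	var kept []time.Time
	for _, t := range r.seen[ip] {
		if t.After(cutoff) {
			kept = append(kept, t)
		}
	}
	kept = append(kept, now)
	r.seen[ip] = kept
	return len(kept) <= r.limit
}

// InboundPolicy ties reputation tiers to actions: the worst senders are
// rejected outright, doubtful senders are accepted but rate-limited, and
// good senders are accepted without limit. Thresholds are constructed values.
type InboundPolicy struct {
	Feed          ReputationFeed
	Limiter       *RateLimiter
	RejectBelow   float64 // score <= this: reject
	ThrottleBelow float64 // score < this (and above RejectBelow): throttle
}

// Evaluate returns the verdict for one inbound connection from ip at time now.
func (p *InboundPolicy) Evaluate(ip string, now time.Time) Verdict {
	score := p.Feed.Score(ip)
	switch {
	case score <= p.RejectBelow:
		return Reject
	case score < p.ThrottleBelow:
		if !p.Limiter.Allow(ip, now) {
			return TempFail
		}
		return Throttle
	default:
		return Accept
	}
}

// NewDemoPolicy builds a policy over a constructed feed (documentation IP ranges).
func NewDemoPolicy() *InboundPolicy {
	return &InboundPolicy{
		Feed: ReputationFeed{
			"203.0.113.5":  8,  // constructed: known-good business partner
			"192.0.2.10":   -2, // constructed: doubtful sender
			"198.51.100.7": -9, // constructed: known spam source
		},
		Limiter:       NewRateLimiter(time.Hour, 2), // doubtful senders: 2 connections/hour
		RejectBelow:   -8,
		ThrottleBelow: 1, // neutral (unknown) senders are throttled too
	}
}

func main() {
	p := NewDemoPolicy()
	now := time.Now()
	for _, ip := range []string{"203.0.113.5", "198.51.100.7", "192.0.2.10", "192.0.2.10", "192.0.2.10", "10.9.8.7"} {
		fmt.Printf("%-14s -> %s\n", ip, p.Evaluate(ip, now))
	}
}
```

Note the choice of a temporary failure (4xx) rather than a hard reject when a throttled sender exceeds its rate: legitimate mail servers queue and retry, while bulk spam tooling typically does not, so the limit costs good mail only latency.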

Are you convinced yet to grab an ESA? Good! Let’s look at some of the deployment methods.

There are a few ways to deploy the ESA. The first is an on-prem appliance which, from a design perspective, is best placed in a DMZ. A virtual ESA (ESAv) is also available if you’re running VMware in your environment. Lastly, you guessed it, there is a hybrid deployment, which uses a cloud-based ESA for inbound email and an on-prem ESA for outbound email.

Web Security Appliance

Now that we have email secured via the ESA, let’s move on to another popular category of content - the web!

With all the junk out there on the Internet today, what’s securing our Internet traffic as we browse our favorite sites? Web Security Appliance!

The Web Security Appliance (WSA) combines a fast web proxy with an advanced content filtering solution. WSA is designed for web/HTTPS and FTP traffic, with strong caching, inspection, policy enforcement, and anti-malware capabilities. The WSA relies on multiple engines and technologies to pump out all this voodoo magic.

Let’s break down some of the WSA components, shall we?

First up is URL filtering, which filters URLs based on category, risk, reputation, and so on. For example, you can allow categories such as guns and military while blocking the drugs and alcohol category. You can also create a custom URL list and allow or block based on your company policy.

Next is Application Visibility and Control (AVC), which uses Deep Packet Inspection (DPI) to classify roughly 1400 applications. For example, instead of simply allowing TCP 443, you allow a specific application, which gives more granular control and more application awareness.

Anti-malware scanning is another feature of the WSA. It covers everything from adware to more malicious threats such as Trojans, browser hijackers, browser helper objects, phishing, pharming, system monitors, keyloggers, worms, and so on.

Next is the Layer 4 Traffic Manager (L4TM for short), which can block traffic across all ports (TCP/UDP 0-65535). When the L4TM sees a packet to or from a server that matches a block rule or list, it sends a TCP RST (reset) back to the sender, killing the session.

Lastly, HTTPS decryption. How can the WSA see traffic that is HTTPS encrypted? When the end user reaches out to a site, the WSA intercepts the connection, retrieves the site’s SSL certificate, and forms two SSL handshakes: one between itself and the user, and one between itself and the site the user wants to access. Essentially, the WSA is “in the middle”: it reaches out to the site on behalf of the user and is therefore able to see the traffic coming from the user. For this to work without certificate warnings, the certificate the WSA presents to the user is signed by the WSA’s own root certificate, which the user’s device must trust.
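As an added illustration of the two-handshake HTTPS decryption described above (example code written for this post, not Cisco’s or the WSA’s implementation), the Go program below models the proxy’s signing CA and the certificate it mints for the site the user asked for, then runs the check a browser performs on that certificate. The CA name, the host name, and the validity periods are constructed values. The check at the end is what decides whether users see certificate warnings: a client that has the proxy’s root certificate installed accepts the minted certificate, while one without it (or one asked for a different host name) does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ProxyCA models the signing certificate a decrypting proxy holds: it mints a
// fresh server certificate for every site the user visits (constructed model,
// not the WSA's implementation).
type ProxyCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewProxyCA creates a self-signed CA certificate with the given name.
func NewProxyCA(name string) (*ProxyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &ProxyCA{Cert: cert, Key: key}, nil
}

// MintLeaf is the server side of the proxy-to-user handshake: once the proxy has
// completed its own handshake with the origin and learned the host name, it
// issues a certificate for that name signed by its CA.
func (ca *ProxyCA) MintLeaf(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ClientAccepts is the check a browser performs on the certificate the proxy
// presents: the chain must end at a root the client trusts and the name must
// match the site requested. An empty trust list models an endpoint that never
// received the proxy's root certificate.
func ClientAccepts(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) bool {
	roots := x509.NewCertPool() // non-nil, so the system store is NOT consulted
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err == nil
}

func main() {
	ca, err := NewProxyCA("Example WSA Root CA") // constructed name
	if err != nil {
		panic(err)
	}
	leaf, err := ca.MintLeaf("www.example.com") // constructed host
	if err != nil {
		panic(err)
	}
	fmt.Println("managed endpoint (trusts proxy CA):", ClientAccepts(leaf, "www.example.com", ca.Cert))
	fmt.Println("unmanaged endpoint (no proxy CA):  ", ClientAccepts(leaf, "www.example.com"))
}
```

The practical takeaway is on the deployment side: the proxy’s root certificate has to be distributed to every client that will be decrypted, and the private key behind that root is as sensitive as any key in the environment, since anyone holding it can mint certificates the whole fleet trusts.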

Summary

There was a lot in this blog about content security, mainly focusing on email security and web security. Cisco offers two appliances, Email Security Appliance and Web Security Appliance, to fend off attacks and secure their respective content. Did I miss anything? Have anything to add? Feel free to comment below!
