Be up against the UTM
Dedicated Content Security solutions from Cisco
Istvan Segyik – Systems Engineer
CCIE Security #47531
Cisco and/or its affiliates. All rights reserved. Cisco Content
Security solutions Cisco Public
Topics
E-mail threats
A few things to do for safer e-mail with no $$ investment
Cisco E-mail Security Appliance (ESA)
Web threats
E-mail Threats
SPAM - unsolicited e-mail, usually advertising:
– Causes employee productivity issues;
– May cause Denial of Service in the e-mail infrastructure;
– Can be used to spread malware.
SCAM – unsolicited e-mail with a forged sender address:
– Usually used for advertising;
– Often spreads malware;
– Often used for phishing attacks (phishing SCAM);
– The victim is not only the recipient but also the legitimate owner of the forged sender address (domain).
Malware in e-mail (doesn't have to be SPAM or SCAM).
Confidential data leakage.
Phishing SCAM
Starts with a forged e-mail:
– The sender identity has been forged;
– The body imitates a company's brand (typically a bank or a governmental organization).
Forging senders:
– Simply changing the sender address and relaying through open SMTP relays that do not check source addresses;
– Compromising the e-mail servers of the real owner of the sending domain.
The goal of the attack is to get the addressee to visit a portal (e.g. a forged banking portal) and hand over login credentials or credit card data.
The legitimate owner of the sender domain usually suffers serious loss of reputation and so becomes a secondary victim.
SCAM example: the alleged sender
SCAM example: who are the victims?
In this example:
– The person who lost his or her credit card details;
– The property agency in Hong Kong whose e-mail system was compromised;
– The clothing company whose web site was compromised.
Worldwide:
– Manufacturing: 8%
– Other industry: 8%
– Design and development agencies: 8%
– Utility (e.g. energy): 19%
What can we do?
Educate users.
Apply industry best practices to secure the e-mail infrastructure:
– SPF, DKIM, DMARC;
– Upgrading, patching systems;
– IPS/IDS systems.
Use advanced e-mail security solutions – such as Cisco E-mail Security
Appliance (ESA).
DKIM, SPF, DMARC in general
With these techniques configured on both the sender and the receiver side, sender forgery can be prevented for the domains that deploy them.
The recipient server can verify the sending server's identity and its authority to send for the domain.
(Figure: the recipient server verifies signed mail from Trusted_Partner.com against the partner's DNS records; mail from an imposter claiming Trusted_Partner.com fails the check and is dropped or quarantined.)
Sender Policy Framework - SPF
RFC7208
The domain owner publishes (in a DNS TXT record) which SMTP servers are authorized to send e-mail for the domain, so the recipient can verify it.
The recipient server checks the HELO identity and the MAIL FROM (envelope sender) domain, not the From: header the user sees.
The record's qualifiers (+, -, ~, ?) tell the recipient how to treat a server that is not listed (pass, fail, softfail, neutral).
Example (cisco.com):
"v=spf1 ip4:173.37.147.224/27 ip4:173.37.142.64/26 ip4:173.38.212.128/27 ip4:173.38.203.0/24 ip4:64.100.0.0/14 ip4:72.163.7.160/27 ip4:72.163.197.0/24 ip4:144.254.0.0/16 ip4:66.187.208.0/20 ip4:173.37.86.0/24 ip4:64.104.206.0/24 ip4:64.104.15.96/27 ip4:64.102.19.192/26 ip4:144.254.15.96/27 ip4:173.36.137.128/26 ip4:173.36.130.0/24 mx:res.cisco.com mx:sco.cisco.com ~all"
What does it mean? The listed ip4: networks and the MX hosts of res.cisco.com and sco.cisco.com may send mail for cisco.com; anything else gets a softfail (~all), which most receivers treat as "suspicious, but deliver" rather than reject. Each mx: term costs a DNS lookup; RFC 7208 permits at most 10 lookup-causing terms (a, mx, include, exists, ptr, redirect) per evaluation, so this record uses 2 of its 10.
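To make the evaluation concrete, here is an added SPF checker (example code, not Cisco or ESA code). It evaluates the cisco.com record above for a connecting IP, enforces the 10-lookup limit and counts the lookup-causing terms. DNS is replaced by an in-memory table so it runs offline: the TXT record is the one quoted on the slide, but the MX hosts and A records behind mx:res.cisco.com and mx:sco.cisco.com are constructed (TEST-NET-2 addresses), and include:, exists:, ptr: and redirect= are only counted, not followed.

```python
"""Minimal SPF (RFC 7208) evaluator for ip4/ip6/a/mx/all terms.

Added example, not Cisco or ESA code. DNS is a constructed in-memory table:
the cisco.com TXT record is the one on the slide, the MX/A data behind it is
made up so the code runs offline.
"""
import ipaddress
import re

DNS = {
    ("TXT", "cisco.com"): (
        "v=spf1 ip4:173.37.147.224/27 ip4:173.37.142.64/26 ip4:173.38.212.128/27 "
        "ip4:173.38.203.0/24 ip4:64.100.0.0/14 ip4:72.163.7.160/27 ip4:72.163.197.0/24 "
        "ip4:144.254.0.0/16 ip4:66.187.208.0/20 ip4:173.37.86.0/24 ip4:64.104.206.0/24 "
        "ip4:64.104.15.96/27 ip4:64.102.19.192/26 ip4:144.254.15.96/27 "
        "ip4:173.36.137.128/26 ip4:173.36.130.0/24 mx:res.cisco.com mx:sco.cisco.com ~all"
    ),
    ("MX", "res.cisco.com"): ["mx1.res.cisco.com"],  # constructed
    ("MX", "sco.cisco.com"): ["mx1.sco.cisco.com"],  # constructed
    ("A", "mx1.res.cisco.com"): ["198.51.100.10"],   # constructed
    ("A", "mx1.sco.cisco.com"): ["198.51.100.20"],   # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = ("a", "mx", "include", "exists", "ptr", "redirect")
MAX_LOOKUPS = 10          # RFC 7208 section 4.6.4


def lookup(rtype, name):
    """Stand-in for a DNS resolver: TXT returns a string, MX/A return lists."""
    return DNS.get((rtype, name.lower()), "" if rtype == "TXT" else [])


def _network(value, family):
    """'addr' or 'addr/len' -> ip_network; a bare address is a single host."""
    if "/" not in value:
        value = f"{value}/{32 if family == 4 else 128}"
    return ipaddress.ip_network(value, strict=False)


def dns_lookup_count(record):
    """Number of lookup-causing terms; more than 10 makes the record permerror."""
    names = (re.split(r"[:/=]", t.lstrip("+-~?").lower(), 1)[0] for t in record.split()[1:])
    return sum(name in LOOKUP_TERMS for name in names)


def check_spf(ip, domain, resolver=lookup):
    """Evaluate SPF for the connecting IP and the HELO or MAIL FROM domain.

    Returns pass, fail, softfail, neutral, none or permerror (RFC 7208 2.6).
    """
    ip = ipaddress.ip_address(ip)
    terms = resolver("TXT", domain).split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if "=" in mech:                      # modifier (redirect=, exp=): not followed here
            if mech.split("=", 1)[0] == "redirect":
                lookups += 1
            continue
        if mech in LOOKUP_TERMS:
            lookups += 1
            if lookups > MAX_LOOKUPS:
                return "permerror"
        matched = False
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and ip in _network(arg, 4)
        elif mech == "ip6":
            matched = ip.version == 6 and ip in _network(arg, 6)
        elif mech in ("a", "mx"):            # CIDR suffixes on a/mx are not handled
            target = arg or domain
            hosts = resolver("MX", target) if mech == "mx" else [target]
            matched = any(ipaddress.ip_address(a) == ip for h in hosts for a in resolver("A", h))
        elif mech in ("include", "exists", "ptr"):
            continue                         # counted above, evaluation not implemented
        else:
            return "permerror"               # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no *all term
```

A sender inside 173.37.147.224/27 passes, a TEST-NET address gets softfail from ~all, and a record with eleven mx terms returns permerror, which receivers treat as "no usable policy", so a bloated record silently switches SPF off.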
SPF shortcomings
Doesn't protect against intra-domain forgery: any host the record authorizes can put any address of the domain into a message.
Doesn't inspect the message header: only HELO and the envelope MAIL FROM are checked, so a forged From: header passes when the envelope sender is the attacker's own SPF-authorized domain.
Breaks on plain forwarding: the forwarder's IP is not in the original domain's record.
DomainKeys Identified Mail - DKIM
RFC5585, RFC6376, RFC5863, RFC5617 (ADSP)
The sending SMTP host hashes the body (SHA-1 or SHA-256) and signs that hash together with selected headers using a private key; the signature travels in the DKIM-Signature header.
The public key is published in a DNS TXT record at <selector>._domainkey.<domain>.
DNS record example (selector c3po; the key is a 1024-bit RSA key):
c3po._domainkey.altn.com text = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjVRK3kPX17DWAXuYa/66/qgzu/R/7325HXqhG8poaQMn3jzpagh9GDAOCDzxbtNBQKKNoJmkkCzr41Xb4h3U5reinBbQ8GrfYnP3n6S2kz2LWWwpSsAVdgtOTcuXqt+pWEsda7C0z5V2axgG76ygYh8b504Gv+YhAxURQXNbZQwIDAQAB"
DKIM shortcomings
Requires significant processing power. It can be optimized, but that reduces security:
– "Relaxed" canonicalization of headers and body (tolerates whitespace changes in transit, but also lets an attacker make such changes);
– Use of SHA-1 instead of SHA-256 (RFC 8301 has since prohibited rsa-sha1 entirely);
– Short RSA keys such as the 1024-bit key in the example above (RFC 8301 recommends 2048 bits).
If an e-mail is not signed, there is nothing to verify, so an unsigned forgery is simply not rejected.
"Author Domain Signing Practices" (ADSP) could mitigate the problem above, but it is rarely implemented, because it:
– Can handle DKIM only;
– Doesn't provide a feedback channel to the sending party.
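The canonicalization and hashing steps behind the two DKIM slides above, as an added example (not Cisco or ESA code, standard library only): both body canonicalizations, the bh= body hash with SHA-1 or SHA-256, relaxed header canonicalization, and a reader for the DNS key record that reports the RSA modulus size of the c3po._domainkey.altn.com key quoted on the slide. The RSA signature over the canonicalized headers is not computed here.

```python
"""DKIM (RFC 6376) canonicalization, body hash and key-record inspection.

Added example, not Cisco or ESA code. EXAMPLE_RECORD is the DNS TXT record
quoted on the slide with the line-wrapping spaces removed from the base64.
"""
import base64
import hashlib
import re

CRLF = "\r\n"

EXAMPLE_RECORD = (
    "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCjVRK3kPX17DWAX"
    "uYa/66/qgzu/R/7325HXqhG8poaQMn3jzpagh9GDAOCDzxbtNBQKKNoJmkkCzr41Xb4h3U5reinBbQ8G"
    "rfYnP3n6S2kz2LWWwpSsAVdgtOTcuXqt+pWEsda7C0z5V2axgG76ygYh8b504Gv+YhAxURQXNbZQwIDA"
    "QAB"
)


def canon_body(body, mode="relaxed"):
    """Canonicalize a body per RFC 6376 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(CRLF)
    if mode == "relaxed":
        # Collapse runs of SP/TAB to one space and strip trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":        # both modes drop trailing empty lines
        lines.pop()
    if not lines:
        return CRLF if mode == "simple" else ""   # empty body: CRLF vs nothing
    return CRLF.join(lines) + CRLF


def canon_header(name, value, mode="relaxed"):
    """Canonicalize one header field (these feed the signature, not bh=)."""
    if mode == "simple":
        return f"{name}:{value}{CRLF}"
    value = re.sub(r"\r\n[ \t]+", " ", value)           # unfold
    value = re.sub(r"[ \t]+", " ", value).strip(" ")     # collapse and trim WSP
    return f"{name.lower()}:{value}{CRLF}"


def body_hash(body, mode="relaxed", algo="sha256"):
    """Return the base64 bh= value. RFC 8301 (2018) forbids sha1 for new use."""
    if algo not in ("sha1", "sha256"):
        raise ValueError("DKIM defines only rsa-sha1 and rsa-sha256")
    data = canon_body(body, mode).encode("utf-8")
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def verify_body_hash(body, bh, mode="relaxed", algo="sha256"):
    """A mismatch means the body changed in transit (or was tampered with)."""
    return body_hash(body, mode, algo) == bh


def parse_dkim_record(txt):
    """Split 'tag=value; ...' into a dict; p= holds the base64 SPKI key."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if tags.get("v", "DKIM1") != "DKIM1":
        raise ValueError("unsupported DKIM record version")
    return tags


def _der_tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_modulus_bits(p_b64):
    """Modulus size of an RSA SubjectPublicKeyInfo (p= tag); 1024 is weak today."""
    der = base64.b64decode(p_b64)
    _, pos, _ = _der_tlv(der, 0)             # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = _der_tlv(der, pos)       # AlgorithmIdentifier (skipped)
    _, pos, _ = _der_tlv(der, alg_end)       # BIT STRING
    pos += 1                                 # unused-bits octet
    _, pos, _ = _der_tlv(der, pos)           # RSAPublicKey SEQUENCE
    _, start, end = _der_tlv(der, pos)       # INTEGER modulus
    return len(der[start:end].lstrip(b"\x00")) * 8
```

Note that an empty body hashes differently in the two modes (a single CRLF under simple, nothing under relaxed), which is the first thing to check when a verifier reports a bh= mismatch on an otherwise valid signature.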
Domain-based Message Authentication, Reporting & Conformance
The DMARC protocol (RFC7489):
– Unifies the handling of SPF and DKIM results at the recipient side and requires the authenticated domain to align with the From: header domain;
– The sender can tell the recipient what to do when neither SPF nor DKIM passes with alignment;
– The following actions can be requested: none|quarantine|reject;
– Provides feedback channels: per-message forensic reports (ruf) and aggregate reports (rua).
Not surprisingly, it uses a DNS record, at _dmarc.<domain>.
More complicated than ADSP, but there are on-line tools that help, e.g.:
https://dmarcian.com/dmarc-inspector/
A DNS record example:
v=DMARC1; p=quarantine; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]
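The receiver-side logic that turns SPF and DKIM results plus a record like the one above into a disposition, as an added example (not Cisco or ESA code). It shows what DMARC adds on top of SPF and DKIM: alignment of the authenticated domain with the From: header domain, the p=/sp= policy, and pct= sampling. The records are constructed for reserved documentation domains, the organizational domain is approximated as the last two labels (a real implementation uses the Public Suffix List), and the sampling is made deterministic per Message-ID, which is this example's choice, not something the RFC prescribes.

```python
"""DMARC (RFC 7489) record parsing and policy evaluation.

Added example, not Cisco or ESA code. DMARC_RECORDS is a constructed table
standing in for DNS lookups of _dmarc.<domain>.
"""
import hashlib

DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; pct=100; "
                          "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com",
    "_dmarc.example.net": "v=DMARC1; p=reject; adkim=s; aspf=s; sp=none; pct=50",
}
LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """'tag=value; ...' -> dict with defaults for the alignment modes."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels (no PSL here)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   message_id, records=DMARC_RECORDS):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated against, dkim_domain the
    d= of a signature that verified. Either one passing with alignment is enough.
    """
    from_domain = from_domain.lower()
    record = records.get(f"_dmarc.{from_domain}")
    is_subdomain = False
    if record is None:                           # fall back to the organizational domain
        record = records.get(f"_dmarc.{org_domain(from_domain)}")
        is_subdomain = True
    if record is None:
        return "none", "none"
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["sp"] if is_subdomain and "sp" in tags else tags["p"]
    pct = int(tags.get("pct", "100"))
    # Deterministic sampling by Message-ID (example's choice; the RFC says random).
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    if bucket >= pct:                            # not sampled: next less strict policy (RFC 7489 6.6.4)
        policy = LESS_STRICT[policy]
    return "fail", policy
```

The second test case is the phishing scenario from the earlier slides: SPF passes for the attacker's own envelope domain, but because it does not align with the From: domain, DMARC fails and the example.com policy quarantines the message, which plain SPF alone would have let through.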
DMARC visualized
(Figure: a Cisco ESA verifies DMARC for mail from Trusted_Partner.com using the partner's DNS records; an imposter's message fails, is dropped or quarantined per p=reject, and a report is sent to the domain owner.)
Cisco IronPort E-mail Security Appliance – ESA
www.cisco.com/go/esa
Virtual (on Cisco UCS hardware + VMware) and hardware appliance.
Main features:
– E-mail traffic normalization;
– SPF, DKIM, DMARC verification, DKIM signing;
– Sender reputation filtering;
– Anti-SPAM;
– Anti-malware engines (Sophos, McAfee, FireAMP);
– Integrated RSA DLP engine;
– Outbreak Filter (automatically enforced Cisco Talos rules);
– Real-time URL analysis;
– Local or off-box (Management Appliance) e-mail quarantine;
– E-mail encryption (Cisco Secure Envelope Services or S/MIME).
Can be managed over its embedded GUI or through a Content Security Management
Simplified incoming mail verification flow
(Figure: incoming mail pipeline, left to right, with the action each stage can take: Normalization, SPF/DKIM/DMARC verification and recipient checks -> SenderBase Reputation Filtering (Drop) -> Anti-Spam (Drop/Quarantine) -> Anti-Virus (Drop/Quarantine) -> Advanced Malware Protection, AMP (Drop/Quarantine) -> Outbreak Filters (Quarantine/Re-write) -> Real-time URL Analysis (Re-write URLs, CWS redirect) -> Deliver. Cisco Talos feeds the reputation, anti-spam and outbreak engines.)
Cisco SenderBase reputation filtering
Big data:
– More than 1.6 million sensors;
– Covers approximately 35% of the world's e-mail traffic;
– Inspects over 13 billion web requests per day;
– More than 200 web and e-mail parameters are analysed per host and domain.
The result is a reputation score between -10 and +10 for SMTP servers and web sites, which is used as a condition in policy rules.
It is applied to incoming mail only.
The reputation score in SenderBase cannot be overridden manually on the appliance; the owner of the domain or host has to fix the behaviour that earned the score.
Anti-SPAM
ESA has two anti-SPAM engines.
You may run both using "Intelligent Multi-Scan".
It can be applied to both outgoing and incoming e-mail.
ESA may quarantine, drop or just mark suspected SPAM messages.
There is an approximate 99% catch rate. The categories into which an e-mail may fall:
– Not SPAM;
– Unwanted marketing e-mail from a legitimate source;
– Suspected SPAM;
– Positively identified SPAM.
The system gives an integrated feedback channel to Cisco in case of false positive or
Anti-virus on ESA
There are two traditional A/V engines on ESA: Sophos and McAfee.
One or both can run at the same time on the same message.
Both engines can do traditional pattern matching and heuristic analysis.
Infected messages can be disinfected or quarantined.
Messages with attachments that cannot be inspected can be quarantined or
tagged.
FireAMP on ESA
Called "File Reputation and File Analysis engine" in ESA.
Can be used to inspect incoming messages only.
Requires continuous access to Sourcefire cloud.
At the moment it uses cloud Sandboxing (Threat Grid in AMP cloud).
Integrated Sandboxing is on roadmap.
Comprehensive reporting and audit functionality.
File tracking with retrospective alerting and reporting on false negatives (malware initially missed and identified later).
FireAMP on ESA
(Figure: in the mail flow pipeline, between Anti-Virus and Content Filters, the AMP client computes a SHA-256 checksum (plus a SPERO fingerprint for Windows PE files), checks its local cache, queries the AMP cloud for the file reputation, uploads unknown files for VRT sandboxing, and receives the verdict and later reputation updates.)
Outbreak Filter
Automated intervention point for Cisco Talos.
Can be used on both incoming and outgoing e-mails.
Virus, Malware and Phishing SCAM protection.
Ways of intervention:
– May quarantine or drop harmful messages;
– Suspected messages can be held back until an anti-virus signature declares them clean;
– Modification of the message, e.g. tagging, deleting or rewriting URLs, or redirecting them through the Cisco Cloud Web Security (CWS) proxy.
End users cannot write custom rules for the Outbreak Filter engine.
The default poll time is 5 minutes.
Real-time URL analysis in ESA
Embedded URLs in an e-mail can be analysed automatically.
This may be used for both incoming and outgoing e-mail.
The category and the web reputation score of the URL (host) can be checked.
Besides dropping or quarantining the message, the following actions can be taken:
– Tag the URL (so it is no longer parsed as a valid link);
– Replace the URL (it can even be redirected through the Cisco Cloud Web Security (CWS) proxy);
– Overwrite the URL with arbitrary text.
Note: many phishing URLs point to newly created web sites that still have a neutral (0) reputation, so a policy that only blocks negative scores misses them.
See our previous example!
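The tag/replace/allow policy of this slide applied to a message body, as an added example (not ESA code). The reputation table and the message are constructed; on the appliance the scores come from Talos. The point of the score bands is the note above: an unknown or neutral (0) host, which is what a freshly registered phishing site looks like, is defanged rather than trusted.

```python
"""URL reputation policy for mail bodies: allow, tag or replace.

Added example, not ESA code. REPUTATION and SAMPLE_BODY are constructed data
on reserved documentation domains, not real Talos scores or a real message.
"""
import re
from urllib.parse import urlsplit

REPUTATION = {
    "www.example.com": 7.5,                 # established, good history
    "malware.example.net": -8.2,            # known malware host
    "login-update.example.org": 0.0,        # registered yesterday, no history
}

BLOCK_BELOW = -6.0      # replace URLs scoring below this
TRUST_FROM = 2.0        # leave URLs alone only from this score upwards
REPLACEMENT = "This URL is blocked by policy"

# Match http(s) URLs but leave trailing sentence punctuation alone.
URL_RE = re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:)]", re.IGNORECASE)


def decide(score):
    """Map a reputation score (None = unknown host) to an action."""
    if score is not None and score < BLOCK_BELOW:
        return "replace"
    if score is None or score < TRUST_FROM:
        return "tag"            # unknown/neutral: unclickable, but still visible
    return "allow"


def defang(url):
    """Break the URL so mail clients stop rendering it as a link."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def rewrite_message(body, reputation=REPUTATION):
    """Return (rewritten_body, [(url, action), ...]) for every URL found."""
    actions = []

    def _rewrite(match):
        url = match.group(0)
        host = (urlsplit(url).hostname or "").lower()
        action = decide(reputation.get(host))
        actions.append((url, action))
        if action == "replace":
            return REPLACEMENT
        if action == "tag":
            return defang(url)
        return url

    return URL_RE.sub(_rewrite, body), actions


SAMPLE_BODY = (   # constructed phishing-style message body
    "Your account is locked. Verify at http://login-update.example.org/verify now.\n"
    "Help: https://www.example.com/help. Tools: http://malware.example.net/update.exe"
)
```

Run against SAMPLE_BODY, the lookalike login host is defanged, the known-good help link is untouched and the malware download is replaced by the policy text; logging the (url, action) pairs is what makes later incident triage possible when a user reports the message.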
Real-time URL analysis in ESA
(Figure: an e-mail containing URLs is categorized by Cisco Talos; the actions shown are Rewrite, Tag (e.g. BLOCKEDwww.playboy.comBLOCKED, BLOCKEDwww.proxy.orgBLOCKED) and Replace with the text "This URL is blocked by policy".)
Inspection of outgoing e-mails
The previously mentioned bi-directional inspection functions are:
– Normalization;
– Anti-SPAM;
– Legacy anti-virus;
– Outbreak filter;
– URL analysis.
One bi-directional function not mentioned yet: S/MIME decryption and verification.
In addition, for outgoing mail only:
– RSA DLP engine;
– E-mail encryption using either Cisco Registered Envelope Service (CRES) or S/MIME.
Cisco Registered Envelope Service (CRES)
• Automated key management on a local server or in the cloud.
• The e-mail content is never processed in the cloud; it is encrypted on the ESA.
• Policy-driven encryption, can be transparent at the sender side.
• Alternative solution #1: TLS-encrypted SMTP between servers. Supported on ESA.
• Alternative solution #2: S/MIME. End-to-end, or encryption done on the ESA.
• FAQ: https://res.cisco.com/websafe/help?topic=FAQ
(Figure: message flow between the sending Cisco Email Security Appliance, CRES holding the message key, and the recipient; the sender keeps control over the message.)
S/MIME on ESA – NEW in version 9.0
Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standards-based method for integrity checking (signing) and encryption.
RFCs: 3369, 3370, 3850, 3851, 5750 and 5751.
The ESA can (at the gateway level, with shared key material):
– Sign, encrypt, or sign and encrypt messages using S/MIME;
– Verify, decrypt, or decrypt and verify messages using S/MIME.
May work together with CRES.
ESA can generate self-signed certificates or use imported certificates for signing and decryption.
S/MIME on ESA – NEW in version 9.0
Encryption requires the ESA to have the recipient's public key (certificate):
– It can be added manually;
– ESA can try to harvest it.
Public key harvesting:
– ESA can automatically collect the public keys from incoming e-mails;
– The maximum storage size for that purpose is 512 Mbytes per appliance;
– Oldest keys are deleted when the storage space fills up;
– The HAT (Host Access Table) can be fine tuned to allow/disallow harvesting for certain e-mail categories.
Outgoing S/MIME signing and encryption can be controlled in policy.
S/MIME challenges:
– Requires PKI;
Some deployment considerations
ESA should be placed in the DMZ.
Logically the ESA must sit in front of the groupware/e-mail server (it is the host the MX record points to).
Redundancy and load-balancing can be achieved via:
– Multiple MX records in the DNS zone;
– Load-balancer.
Dedicated E-mail security vs. UTM/NGFW
Dedicated E-mail security solutions offer:
– More controls;
– Defense in depth (e.g. multiple anti-virus/malware engines);
– More processing power for features like DKIM, S/MIME, etc.;
– Better reporting on E-mail related data.
Common Web Threats
#1 Malware
Visiting phishing sites.
Productivity issues: employees spending time on non-productive web sites.
Bandwidth issues: employees downloading large files (bad files, or good files of large size at a bad time).
Malware
Web Malware related attack vectors:
– Browser exploit;
– Browser plugin exploit;
– Downloaded file hides malware;
– Harmful web applications;
– Etc.
The attack chain is increasingly sophisticated:
– The web site that hosts the harmful code is often reached via multiple redirections and hidden links;
– The initially executed code downloads and/or creates further files; it may be the fourth or fifth stage that carries out the real harmful activity;
– SSL/TLS-encrypted channels can be used to hide all of this from inspection.
Cisco IronPort Web Security Appliance – WSA
www.cisco.com/go/wsa
Virtual (Cisco UCS + VMware or KVM) or hardware appliance formats.
Features:
– HTTP(S), FTP(S) proxy, caching and TCP optimization;
– TLS decryption and re-encryption (MITM);
– Dynamic URL category and reputation filtering;
– Content filtering (file type);
– Simple in-box DLP engine, ICAP interface for external engines;
– Web Application Visibility and Control (AVC) engine;
– Anti-malware engines (Sophos, McAfee, Webroot and FireAMP);
– Botnet Activity Filtering (L4TM) inspection over the whole TCP/UDP port range;
– User Authentication, quota control, user-based reporting.
Can be managed over its embedded GUI and CLI, or centrally through a Content Security Management Appliance.
WSA TLS Proxy
SSL/TLS encryption blinds the content analysis engines.
URL filtering can still work on the host name (from the SNI and the server certificate), but nothing beyond that. How do we inspect the rest?
WSA supports "Man In The Middle" (MITM) style SSL/TLS decryption and re-encryption.
It can be transparent to the end user:
– The proxy (e.g. WSA) receives the request;
– The proxy opens a new encrypted session towards the web server and validates the server's certificate itself;
– The proxy generates and signs a new certificate that copies the subject and names of the original server certificate;
– If the proxy's signing CA is trusted by the client, the browser won't raise any alert.
For effective use of this function a signing (subordinate CA) certificate must be installed on the WSA whose root is in the clients' trust store, in practice an enterprise-internal CA distributed to the clients; public CAs do not issue such certificates. Sites and applications that pin their certificates, or clients that do not use the OS trust store, will fail and have to be exempted from decryption.
WSA TLS Proxy - certificates
An example for a decrypted session.
The banking site in the example is 100% safe and used by the author daily.
Latest additions to WSA
FireAMP anti-malware (File reputation and analysis):
– May block file download;
– Has extensive file tracking and reporting;
– Retrospective analysis and alerting;
– Approximately 6-16% extra load.
Cisco Identity Services Engine (ISE) pxGrid API integration:
– An additional transparent user authentication method (in addition to the CDA method for AD);
– Maps the username and the Security Group Tag to the source IP address;
– The SGT is used in the Web Access Policy as a condition;
– Can identify non-AD users and non-user endpoints;
– At the moment unidirectional; automated remediation initiated by the WSA via ISE is on the roadmap.
Some WSA deployment considerations
WSA fully inspects HTTP(S) and FTP(S) only.
The rest of the traffic can only be watched by the Botnet Traffic Filter (L4TM) function on separate in-line or promiscuous ports.
The (selective) traffic redirection can be done in the following ways:
– Explicit Proxy settings in the OS or in the browser (manual or PAC file);
– Transparent (to end user) redirection:
WCCP;
Policy Based Routing (PBR);
Destination NAT (the original destination is lost, which breaks the SSL/TLS proxy).
Normally WSA uses its proxy IP address as the source IP for sending traffic out
to the Internet. It can be changed to preserve the source IP address.
Some WSA deployment considerations
The L4TM (Botnet Traffic Filter) is working on separate interfaces (in-line or
promiscuous).
The Load-balancing and redundancy options are:
– WCCP;
– Multiple proxies configured in the PAC file;
– Load-balancer.
Web Cache Communication Protocol (WCCP)
– Content routing protocol developed by Cisco;
– Redirects traffic AND provides: fail-open, redundancy, load-balancing and signalling;
– There are Layer 2 and Layer 3 (GRE) redirection methods;
– Redirection is supported on Cisco switches, IOS routers, ASA firewalls and 3rd party devices;
Dedicated Web proxy vs. UTM/NGFW
Pros:
– Caches content as well, ideal for low-bandwidth connections;
– The deployment requires no- or minimal change in the existing firewall system;
– Has enough processing power for defense in depth kind of processing (e.g. multiple anti-virus/malware engines).
Cons:
– No IPS functions;
– Fully inspects HTTP(s) and FTP(s) only;
Dedicated Web proxy – customer scenario
The customer:
– Multinational pathological microscope and x-ray developer;
– Low bandwidth Internet uplink (20 Mbps for 300 employees);
– Existing corporate standard 3rd party Firewall with IPS license;
– The existing firewall's web security features did not satisfy the needs, but the firewall has PBR functionality.
Requirements:
– #1 Malware filtering even in SSL/TLS encrypted traffic;
– Authenticated user access primarily for reporting;
– URL filtering to increase productivity and decrease the load on the Internet uplink;
– Caching would be a nice to have feature.