From the course: Cisco CCNP SCOR v1.1 Security (350-701) Cert Prep: 2 Cloud and Content Security

Spam filtering

- [Instructor] We now want to begin our look at email security, specifically using the Cisco ESA, the Email Security Appliance. When we deploy the ESA, the best placement recommendation is to place it behind your firewall device, between this edge device and your mail server. The ESA will act as a mail transfer agent, meaning that your public MX records for the domain should point to the Cisco ESA's public IP address. Let's say we have an external email sender attempting to email our domain. In this example, they would be trying to send a message to support@kwtrain.com. This message reaches their sending email server, where this server will perform an MX record search returning the host name of our Cisco ESA. In this example, that host name is mail.kwtrain.com. This email server will also query a DNS server for the IP address associated with mail.kwtrain.com. Once this information is obtained, the sending mail server will open an SMTP connection with our Cisco ESA in order to send the message. The Cisco ESA will inspect the mail, and if it conforms to any configured security policies and passes inspection, it will be determined that the message is not malicious and it will be forwarded to the internal email server. From there, an internal user's email client will retrieve the email from the internal mail server using POP or IMAP.

Let's look at how we can enable spam filtering now on the Cisco ESA. The anti-spam processes will scan incoming and outgoing messages based on the policies that we configure. These scanning engines will assign a score to each message, where the higher the score is, the greater the likelihood that the message is spam. If we go under the security services tab here from the main administrator portal, and by the way, I'll point out that this looks very similar to the Cisco WSA portal that we've already looked at, so it should be familiar to look around and see these menus inside.

But regardless, if we go under the security services tab under the anti-spam section, we have IronPort Anti-Spam. So let's click on that, and you'll see that IronPort Anti-Spam is currently disabled globally. So we need to click this enable button. Let's do that. Now we're told that we have successfully enabled IronPort Anti-Spam scanning, or in other words, that it is now available on the appliance. You can see some of our options here. Let's first look at editing our global settings. By doing that, you can see we're able to set scanning thresholds. We can indicate the message size that we want to always scan or never scan. We see timeout scanning settings as well, and we can choose a scanning profile, which is set to normal by default. Let's go back to the top under the mail policies tab and let's select our incoming mail policies. Under the anti-spam column, you'll notice that we're told that this is disabled. So even though we've enabled anti-spam globally, we still need to do that at a policy level. Before we do that, in order to open up some more options, let's go to a different area. If we click on that, we can see our anti-spam settings. So first thing, let's enable this for our incoming policy. Once we do that, we can affect our other settings. So if we click use IronPort Anti-Spam service, it opens up our other set of options. Under the first area, we have the ability to choose an action for positively identified spam settings. You can see that we can choose to either deliver, drop or bounce the message. At the moment, we don't have an option to quarantine the message. So we need to configure the spam quarantine settings first before we would have that available. Let me show you how to do that.

Let's go back to the top, and you'll see that we have a monitor tab, which is our first tab on the left, and near the very bottom, if we scroll down, we can choose the spam quarantine menu option. So we need to configure our spam quarantine settings here first. You can see that this is currently disabled. Let's go ahead and click the enable button beside that. And on the following page, we have some more options that we can configure. This is going to give us an additional action option in our mail policies. So first, we can set a schedule for quarantined message deletion if we want to do that. We can choose to send a copy of the message to Cisco for analysis if those messages are released. That's an option that we can take. We can change the appearance of our spam quarantine, and we can define administrative users for quarantine management. We also have the ability to allow end-user quarantine access. We can click that to enable this option. That's a common option. This is going to allow users to release any messages that they have which have been inadvertently or incorrectly quarantined by the ESA. And you can see that we can choose how users authenticate to access that spam quarantine web UI. We can do that through either LDAP or through mailbox credentials, or we can turn off authentication completely, which obviously is not a good practice. Underneath that, we also have the option to hide message bodies if we choose. And finally, the spam notifications. We can enable spam notifications. When I do that, you'll see it opens up a much larger window. Let me collapse that just for a moment while we talk about those spam notifications. This would enable a spam summary email digest, and this would alert users about any messages that have been quarantined. Again, this is a very common practice because otherwise, users may miss important messages that have gotten trapped by the quarantine filter. It also takes some of the administrative load off of the email administrators, so that we don't have to go in and release messages for individual users.

Notice at the end of this spam notifications area, we can click see example to take a look at what that would look like for a user. And we have an example email digest that would be sent out to an end user. This has a list of quarantined messages that they can choose to release if desired. We'll close that out. And if we enable this notification, again, there are lots of options that we can take under here. We can go ahead and personalize how often those are sent out, and we can deliver bounce messages to a particular address. Lots of things we can do just for the sake of ease here. I'm going to turn that off, and I'm going to click submit so that we can progress on. So now, we have a success message at the top, and we can see our current storage status over here to the right, by the way, which tells us it is 0% full, not a surprise here in this lab environment. And we have a message at the top letting us know that we can also change the disk space allocation if we need more room. I'll also point out that if we wanted to use LDAP authentication, we're told here that we need to set up LDAP authentication in the same manner, essentially, as we did in the Cisco WSA. So we want to be sure that we are set up, configured and interconnected to an Active Directory domain, as an example, if we want to use LDAP authentication. Otherwise, we could just use those username and email authentications for users to access their quarantine portal. If we go back to our mail policies tab here at the top and we once again choose the incoming mail policy, under anti-spam, we want to click disabled and turn that service on once again. And now, we're going to have an additional action option for spam quarantine. Notice that before, we only had deliver, drop and bounce. Now we have the option for spam quarantine as well.

And of course, if we go under mail policies, we can do the same thing for our outgoing mail policies as well. We're going to see the same settings here for the outgoing mail policies; click on that. If we go to anti-spam and enable that, we again have the spam quarantine option that we can enable, and we can choose our actions based on the scanning results. So that's a look at spam filtering with the Cisco ESA.
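The following Python model is an added example, not code from the course or from Cisco. It walks the inbound path described above (MX lookup for kwtrain.com, A lookup of the MX host, then the SMTP hop to the ESA) against a constructed in-memory DNS table, and it models the per-policy anti-spam decision, including the point that "quarantine" is only a valid action once the spam quarantine itself has been enabled. The threshold value, the IP address and the scores are constructed, not taken from the appliance.

```python
from dataclasses import dataclass

# Constructed stand-in for DNS (not a real lookup): the public MX of kwtrain.com
# points at the ESA host, whose A record uses a TEST-NET-3 documentation address.
DNS = {
    ("kwtrain.com", "MX"): [(10, "mail.kwtrain.com")],
    ("mail.kwtrain.com", "A"): ["203.0.113.25"],
}


def resolve_mail_host(domain):
    """Return (hostname, ip) a sending MTA would connect to, lowest MX preference first."""
    mx_records = sorted(DNS.get((domain, "MX"), []))
    if not mx_records:
        raise LookupError(f"no MX record for {domain}")
    host = mx_records[0][1]
    addresses = DNS.get((host, "A"), [])
    if not addresses:
        raise LookupError(f"MX host {host} has no A record")
    return host, addresses[0]  # the SMTP connection is opened to this address


@dataclass
class AntiSpamPolicy:
    """One incoming or outgoing mail policy's anti-spam settings (modelled, not Cisco's API)."""
    enabled: bool = True               # per-policy enable; the global enable alone is not enough
    positive_threshold: int = 90       # constructed value: score at/above this is positively identified spam
    action: str = "deliver"            # deliver | drop | bounce | quarantine
    quarantine_enabled: bool = False   # Monitor > Spam Quarantine must be enabled first

    def available_actions(self):
        """Actions offered in the policy UI; quarantine appears only after it is enabled."""
        actions = ["deliver", "drop", "bounce"]
        if self.quarantine_enabled:
            actions.append("quarantine")
        return actions

    def decide(self, score):
        """Map an engine score to the action the ESA takes for this policy."""
        if self.action not in self.available_actions():
            raise ValueError(f"action {self.action!r} is not available; enable the spam quarantine first")
        if not self.enabled or score < self.positive_threshold:
            return "deliver"  # scanning off for this policy, or score below the spam threshold
        return self.action
```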
