Nowadays, one of the main entry points for cyberthreats is corporate email. In my years of experience I have been able to verify how phishing and malware campaigns are the main concern of CISOs.
Today we are going to see how to install a Cisco ESA (Email Security Appliance) to mitigate phishing/malware e-mails, and for this we will build a useful virtual lab for anti-spam testing.
We are going to use 3 VMs.
- Windows Server 2012: This VM will act as the DNS server and as our company mail server. Our lab company will use the abc.net domain.
- W10 VM: This VM will act as the external mail server for the xyz.net domain.
- Cisco ESA VM C000V: This will be our Cisco ESA appliance which will inspect incoming emails to abc.net.
To simplify the environment we are going to connect the 3 VMs to the same LAN 192.168.0.0/24 and the Cisco ESA appliance will have only one interface. Here is the network diagram:
First of all we need to download the Cisco ESA VM from Cisco Software Download. There are several VMs available; we will use the C000V model since this is for testing purposes, but there are VMs with higher requirements and higher capabilities. The virtual appliance comes in .ovf and .vmdk format to be imported directly into VMware/ESXi.
C000V -> For demo and testing purposes
C100V -> up to 1K users
C300V -> up to 5K users
C600V -> More than 5K users
The next step will be to deploy the .ovf on our VMWare ESXi environment.
NOTE: Thin provisioning for disk storage is supported at the hypervisor layer. Disk space and performance may be reduced if you select this option.
1. Launch the Cisco ESA VM
The first time we launch the VM, it will come up by default with the DHCP IP 192.168.42.42 and the default credentials admin/ironport.
The first step will be to assign a static IP address and gateway to the Management interface with the command “interfaceconfig”:
Currently configured interfaces:
1. Management (192.168.0.210/24 on Management: ironport.abc.net)
Choose the operation you want to perform:
- NEW - Create a new interface.
- EDIT - Modify an interface.
- GROUPS - Define interface groups.
- DELETE - Remove an interface.
Enter the number of the interface you wish to edit.
We follow the instructions to edit the Management interface, giving it an IPv4 address, assigning the Ethernet interface (it should be number 3), hostname, SSH access, HTTPS access, etc. You need to enable HTTPS access in order to configure the appliance through the web GUI. We will configure the management interface with IP 192.168.0.210.
NOTE: It is really important to give the interface a hostname because that hostname will be the DNS MX hostname used to receive mail through that interface:
1. Data 1
2. Data 2
Do you want to enable SSH on this interface? [Y]>
Which port do you want to use for SSH?
We configured the interface with hostname “ironport.abc.net”, which will be used later as the DNS MX record.
Finally we execute the command “commit” to apply the changes on the appliance.
2. Install the license
Before running the first-time wizard and configuring the appliance it is mandatory to load the license through the CLI. For that we must use the command “loadlicense” and paste the XML content of our .xml license file. After that, press Ctrl+D and accept the license agreement.
NOTE: You can obtain a 60-day evaluation license by writing an e-mail to firstname.lastname@example.org and requesting an evaluation inbound features license with type “ESA-ESI-LIC=”.
3. First time wizard
We will log into the web console: https://192.168.0.210
Enter the default credentials and go to “System Administration > System Setup Wizard”
A wizard will come up and we will choose the hostname, NTP server, admin credentials, etc. The most important part of this wizard is configuring the networking.
In this case, to simplify we are going to use a “One arm” configuration, so we will use only one interface to manage the appliance and that same interface will handle incoming and outgoing emails. This is what we will see on the networking config step:
We will check “Accept Incoming Mail” on the management interface in order to create an SMTP listener for incoming emails from outside our organization. We will put in the Domain field the domain of our company (in this case abc.net) and the destination will be the IP/hostname of our organization's email server (in this case mail.abc.net/192.168.0.203). In this way we are creating an inbound SMTP route toward the abc.net domain.
We will check also “Relay Outgoing Mail” to forward outbound e-mails coming from our company’s internal e-mail server to Internet. In this case the Mail Server will be the internal email server mail.abc.net/192.168.0.203
Finally we will check in the wizard the security services that we want to enable:
4. Activate and enable featurekeys
Now it is time to enable the security features of our appliance. Depending on the license loaded we will have access to several features. We can go to “System Administration > Featurekeys” and we will see there which Featurekeys we have active:
So, now we have to enable them on the console. By default all security featurekeys are disabled. Go to:
- Security Services > IronPort Anti-Spam > Edit Global Settings > Accept the EULA and Enable the feature
- Security Services > Anti-Virus Sophos > Edit Global Settings > Accept the EULA and Enable the feature
- Security Services > Outbreak Filters > Edit Global Settings > Accept the EULA and Enable the feature
- Security Services > URL Filtering > Edit Global Settings > Accept the EULA and Enable the feature
5. Review listeners and create the base policy
Go to “Network > Listeners” and we will see only one listener configured because we are only using one interface for incoming and outbound emails. The listener will be listening for e-mails on port 25 (SMTP):
NOTE: The HAT (Host Access Table) is based on the sender's reputation score, and we can use it as a blacklist for source IPs from which we do not want to receive traffic.
NOTE: The RAT (Recipient Access Table) defines which recipient domains we accept. In this case we will accept only e-mails to the @abc.net domain.
Now we can configure our first Incoming Mail Policy. Go to “Mail Policies > Incoming Mail Policies” and add a new Policy with Sender ANY and Recipients @abc.net. So this policy will match all incoming mails to our organization.
Click Submit and after that we have to Commit the changes on the appliance.
6. Create content filters for the base policy
Now the last step to complete our first email policy is to create incoming content filters and assign them to the policy we created in the previous step.
Content filters are the most important part of the policy since with them we can take actions on e-mails based on the content of subject, body, sender, headers, etc.
For that go to “Mail Policies > Incoming Content Filters” click “Add Filter…” and now we will configure whatever filters we want. In this example we created 2 content filters:
- Add a tag to the subject when email comes from outside our organization
- Rewrite URLs so that they are redirected through the Cisco proxy; this way, when a user clicks on a URL, the request goes through Cisco and is blocked if the URL is categorized as malicious by Cisco Threat Intelligence.
Content Filter 1:
Content Filter 2:
Finally we will need to assign these 2 content filters to the policy created before. For that we will go to “Mail Policies > Incoming Mail Policies” and click on the “Content Filters tab” and assign them:
Now that we have properly installed and configured our Cisco ESA appliance, the next step is to configure the other 2 VMs of our lab:
Configuring the DNS server
We will install the DNS server on our Windows Server 2012 VM.
We will enable DNS forwarding to a public DNS server (Google DNS, for example) and we will create 2 Forward Lookup Zones: one for our company domain “abc.net” and another zone for the external domain “xyz.net”.
For abc.net we will need 2 A records, one for the internal email server (mail.abc.net) and one for the Cisco ESA appliance (ironport.abc.net), plus an MX record pointing to our Cisco ESA. In this way incoming emails will arrive at the Cisco ESA first instead of going directly to the internal email server.
For xyz.net we will need one A record for the external email server (mail.xyz.net) and an MX record pointing to that external server. In this way emails to @xyz.net will go directly to our external mail server.
Now if we perform a nslookup MX query for abc.net we will get the Cisco ESA as email server:
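The same zone layout built from the command line instead of the DNS Manager GUI, as an added example that is not part of the original post: it uses the DnsServer module cmdlets that ship with the Windows Server DNS role, and it ends with the same MX check as the nslookup above. The hostnames and the .203/.210 addresses are the lab values; the W10 address (192.168.0.220) and the 8.8.8.8 forwarder are assumptions.

```powershell
# Added example (not from the article): builds the lab DNS zones described above
# on the Windows Server 2012 DNS role using the DnsServer module cmdlets.
# Run in an elevated PowerShell session on the DNS server (192.168.0.203).
# Hostnames and the 192.168.0.203/.210 addresses are the lab values from the
# article; the W10 address and the 8.8.8.8 forwarder are assumptions.
Import-Module DnsServer

$LabDns  = '192.168.0.203'   # lab DNS server (same host as mail.abc.net)
$MailAbc = '192.168.0.203'   # internal hMailServer for abc.net
$Esa     = '192.168.0.210'   # Cisco ESA one-arm interface (ironport.abc.net)
$MailXyz = '192.168.0.220'   # external hMailServer on the W10 VM (assumed address)

# Forward everything we are not authoritative for to a public resolver.
Add-DnsServerForwarder -IPAddress '8.8.8.8'

# Zone 1: our company. The MX must point at the ESA, not at mail.abc.net,
# otherwise inbound mail would bypass inspection.
Add-DnsServerPrimaryZone -Name 'abc.net' -ZoneFile 'abc.net.dns'
Add-DnsServerResourceRecordA  -ZoneName 'abc.net' -Name 'mail'     -IPv4Address $MailAbc
Add-DnsServerResourceRecordA  -ZoneName 'abc.net' -Name 'ironport' -IPv4Address $Esa
Add-DnsServerResourceRecordMX -ZoneName 'abc.net' -Name '.' -MailExchange 'ironport.abc.net' -Preference 10

# Zone 2: the "external" domain. Its MX goes straight to its own mail server.
Add-DnsServerPrimaryZone -Name 'xyz.net' -ZoneFile 'xyz.net.dns'
Add-DnsServerResourceRecordA  -ZoneName 'xyz.net' -Name 'mail' -IPv4Address $MailXyz
Add-DnsServerResourceRecordMX -ZoneName 'xyz.net' -Name '.' -MailExchange 'mail.xyz.net' -Preference 10

# Check: the MX for abc.net must resolve to the ESA before sending any test mail.
function Test-LabMx {
    param([string]$Domain, [string]$ExpectedHost, [string]$Server)
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $Server -ErrorAction Stop |
          Where-Object { $_.Type -eq 'MX' }
    $targets = @($mx | ForEach-Object { $_.NameExchange.TrimEnd('.') })
    $ok = $targets -contains $ExpectedHost
    if (-not $ok) {
        Write-Warning "MX for $Domain is '$($targets -join ', ')', expected $ExpectedHost"
    }
    return $ok
}

Test-LabMx -Domain 'abc.net' -ExpectedHost 'ironport.abc.net' -Server $LabDns
Test-LabMx -Domain 'xyz.net' -ExpectedHost 'mail.xyz.net'     -Server $LabDns
```

If the first check returns False, the MX still points at the mail server itself and inbound mail would skip the ESA entirely.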
Configuring the internal mail server
On our Windows Server 2012 we will install the “hMailServer” software, which is a simple and quite good email server for Windows.
NOTE: For Linux, a really good alternative for e-mail servers is Postfix + Rainloop. You may find here a good tutorial.
After installing it, we will configure a new domain called “abc.net” and we will add 1 or 2 test mail accounts:
After that we will configure the SMTP protocol, setting the SMTP relayer (MTA) to our Cisco ESA:
On the same server we can install an IMAP email client such as Thunderbird and connect with our test accounts to our mail server to send and receive emails:
Configuring the external mail server
In this case, we will use our remaining W10 VM to configure an email server (@xyz.net). We will use the same software “hMailServer”.
NOTE: It is important to configure the DNS of our W10 machine with the IP of our lab DNS server (192.168.0.203).
The external mail server will look like this:
On this W10 machine we will also install Thunderbird as an IMAP email client to send and receive emails.
Sending a test malicious email
Now everything is set to test our Cisco ESA appliance. We are going to send an e-mail from “email@example.com” to “firstname.lastname@example.org” and we will include a malicious URL in the body of the message.
And this is what user email@example.com receives after Cisco ESA inspection and content filtering rules that we created:
As we can see, the [EXT] tag was added to the email subject because it comes from an external sender, and the URL was modified in order to be redirected to “secure-web.cisco.com”.
So now, if the recipient clicks on the modified URL, the access will be blocked because it is a malicious URL and the user will be warned:
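The same test automated, as an added example that is not part of the original post: it sends the message from the xyz.net side with Send-MailMessage and then checks a saved .eml copy of what the abc.net user received for the two content-filter effects shown above, the [EXT] subject tag and every link rewritten to secure-web.cisco.com. The mailbox names, the .eml path and the test URL are constructed placeholders; the check assumes a plain-text body that is not base64 or quoted-printable encoded.

```powershell
# Added example (not from the article): sends the test message from the xyz.net
# side and then checks a saved copy (.eml) of what the abc.net user received,
# verifying that both content filters acted: "[EXT]" in the subject and every
# link rewritten to secure-web.cisco.com. Accounts, paths and the test URL
# are constructed placeholders, not values from the article.

$From    = 'sender@xyz.net'                  # constructed external account
$To      = 'user1@abc.net'                   # constructed internal account
$TestUrl = 'http://url-under-test.example/'  # placeholder; nothing real

# 1. Send through the external hMailServer. It looks up the MX for abc.net,
#    gets ironport.abc.net and hands the message to the ESA listener on port 25.
Send-MailMessage -From $From -To $To -Subject 'Lab test' `
    -Body "Please review $TestUrl" -SmtpServer 'mail.xyz.net'

# 2. Save the delivered message from Thunderbird as .eml and run the check.
#    Assumes a plain-text body that is not base64/quoted-printable encoded.
function Test-EsaContentFilters {
    param([string]$EmlPath)
    $raw = Get-Content -Path $EmlPath -Raw
    # Headers end at the first blank line (RFC 5322); unfold continuation lines.
    $parts   = $raw -split "`r?`n`r?`n", 2
    $headers = $parts[0] -replace "`r?`n[ \t]+", ' '
    $body    = if ($parts.Count -gt 1) { $parts[1] } else { '' }

    # Filter 1: subject tag added for external senders.
    $m       = [regex]::Match($headers, '(?m)^Subject:[ \t]*(.*)$')
    $subject = if ($m.Success) { $m.Groups[1].Value.Trim() } else { '' }
    $tagged  = $subject -match '\[EXT\]'

    # Filter 2: URL rewriting. Every http(s) link must now point at the Cisco proxy.
    $urls = @([regex]::Matches($body, 'https?://[^\s<>"]+') | ForEach-Object { $_.Value })
    $bad  = @($urls | Where-Object { ([uri]$_).Host -ne 'secure-web.cisco.com' })
    $rewritten = ($urls.Count -gt 0) -and ($bad.Count -eq 0)

    [pscustomobject]@{
        Subject       = $subject
        SubjectTagged = $tagged
        UrlsFound     = $urls.Count
        NotRewritten  = $bad
        Pass          = ($tagged -and $rewritten)
    }
}

Test-EsaContentFilters -EmlPath 'C:\lab\received.eml'   # placeholder path
```

A Pass of False with NotRewritten listing the original link means the URL filter did not fire, which is worth checking in Message Tracking before trusting the policy.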
Finally, we can review the email trace logs on our Cisco ESA. Go to “Monitor > Message Tracking” and there you can search for emails. Once the email is found, you can see the details by clicking on “Show Details”:
There we can see details such as the sender IP reputation score, the Sophos AV verdict, the Anti-Spam engine verdict, the policy that matched, etc:
Well, I think it is enough for today.
I hope this is useful and helpful in protecting your corporate email.