Filtering 7 April 2014

Transcription

1 Filtering 2014 Fortinet Inc. All rights reserved. The information contained herein is subject to change without notice. No part of this publication including text, examples, diagrams 1 or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. FGT E Module Overview The Building blocks of Filtering Methods Filtering Actions Filtering Order of Operations Filtering and Virus Scanning Submitting False-Positives through FortiGuard Creating an Filter Profile Viewing Filtering Log Messages Deployment strategies 2

2 Module Objectives By the end of this module participants will be able to:» Identify the filtering methods used on a FortiGate device» Create Firewall policies for Spam detection and scanning using Filter profiles» Modify inspection rules in order to black or white list s» State available inspection options for various transmission protocols» Describe the flow of through various transmission protocols» Use logs to view and monitor filtering activity and events 3 Basics Overview: Abbreviations & Terminology SMTP Simple Mail Transfer Protocol (RFC 821) ESMTP Extended Simple Mail Transfer Protocol (RFC 5321) POP Post Office Protocol (RFC 1939 POP3) IMAP Internet Message Access Protocol (RFC 2060 IMAP4rev1) MTA Mail Transfer Agent ( Server) MAA Mail Access Agent (User Authentication & Mail Retrieval) MUA Mail User Agent (Software like Thunderbird) MX Record Mail Exchange Record (DNS lookup) Mail Relay Intermediate Mail server Open Relay Mail server with no restrictions on destination s 4

3 The building blocks of SMTP Designed to get a message from point A to point B, without knowing anything about point B» Port 25 Clear text protocol Best effort protocol (very little is required )» Only a destination 3 Digit response codes to command requests» 2xx indicates the command was successful» 3xx command incomplete (authentication is multiple steps)» 4xx temporary failure of some kind (situation may fix itself, try again later)» 5xx permanent failure (Human intervention is required to change this) SMTPS is SMTP encapsulated in SSL encryption on port The building blocks of MX Records Used to resolve Mail domains» Can contain hostnames or IPs» Each entry contains a preference/priority (lowest first) > nslookup > server Default Server: [ ] Address: > set q=mx > google.com Server: [ ] Address: Non-authoritative answer: google.com MX preference = 50, mail exchanger = alt4.aspmx.l.google.com google.com MX preference = 10, mail exchanger = aspmx.l.google.com google.com MX preference = 20, mail exchanger = alt1.aspmx.l.google.com google.com MX preference = 40, mail exchanger = alt3.aspmx.l.google.com google.com MX preference = 30, mail exchanger = alt2.aspmx.l.google.com >nslookup > server Default Server: [ ] Address: > Set q=a+aaaaa > google.com Server: [ ] Address: Non-authoritative answer: Name: google.com Addresses: 2001:4860:4007:800::

4 The building blocks of POP & IMAP Protocols are used to receive/check » Can not be used to send POP is very basic protocol» Download & delete» data stored on client (server only has Inbox) IMAP is more robust» Create & delete mailboxes (server side folders)» Synchronize folders (inbox, sent items, etc)» Designed for accessing the same from multiple locations Secure versions are encapsulated in SSL and run on different ports» POP3S (995) IMAPS (993) 7 Basics: Overview of Message Flow ;; ANSWER SECTION: example3.com 3600 IN MX 50 relay.example2.net example3.com 3600 IN MX 100 mail.example3.com ;; ANSWER SECTION: example3.com 3600 IN MX 50 mail.example3.com example3.com 3600 IN MX 100 relay.example2.net 8

5 Spam Actions Tag to add a custom phrase/word to subject line or a MIME header and value to body of an message for use in back end or client filtering Discard to immediately drop the SMTP connection if spam is detected, sending a 5xx response Tag Subject: Free Stuff Subject: [SPAM] Free Stuff Discard 9 Filtering FortiGate unit can detect and manage spam filtering SPAM? 10

6 Filtering Methods The FortiGate unit uses a number of techniques to help detect spam» Some use the FortiGuard Antispam service (requires a subscription) IP, , URL, Checksum» Others use DNS servers or filters created on the device HELO DNS Return » Manually configured options Black/White listed IPs Black/White listed s (py IP, by name: domain or ) MIME Headers Banned word 11 Filtering Methods: FortiGuard IP Connecting IP address is checked FortiGuard is a reputation database» IP behavior is tracked by volume (historically)» More queries about an IP s activity to the FortiGuard network makes the reputation worse» IPs have a reputation score, the higher the better 1 is permanently black listed (score will not change, without FortiGuard interaction) 3 or less is considered spam 12

7 Filtering Methods: FortiGuard URL and Address Visit our web site at to learn more about this great offer or send an to What language or character set is the in?» KB Article ID: FD Filtering Methods: FortiGuard Checksum The FortiGate unit sends a hash of the message to the FortiGuard Antispam Service FortiGuard Antispam Service compares the hash received to hashes of known spam messages Our online pharmacy offers great prices on all your prescription medications. hash 14

8 Filtering Methods: Black/White List (IP) The FortiGate unit compares the IP address of the sender of an message to the IP addresses specified in the filter profile» An administrator can add to or edit the IP addresses and configure the action to take Possible actions on a match» Spam (use configured spam action)» Clear (consider as not Spam)» Reject (SMTP Only, force 5xx response regardless of spam action) 15 Filtering Methods: Black/White List ( ) The FortiGate unit compares the address of the sender of an message to the addresses specified in the filter profile» An administrator can add to or edit the addresses and configure the action to take» Wild card and regular expressions can be used to define the address From: bsmith@acme.com Mark as Spam Mark as Clear 16

9 Filtering Methods: HELO DNS 220 mail.server.com ESMTP service ready EHLO server.example.com DNS resolves? 250- mail.server.com says hello 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250-8BITMIME 250-SIZE Confirms that client EHLO response resolves to an IP address 17 Filtering Methods: Return DNS Confirms that sending domain from the reply-to field resolves to an IP Address» Domain the gets sent to, should resolve to an IP Does NOT perform any kind of comparison to sender s IP 18

10 Filtering Methods: Banned Word FortiGate unit blocks based on words or patterns in the message A weight is assigned to any banned words in the message If threshold is exceeded, the message is marked as spam Define using Wildcards and regular expressions Patterns only count towards total score once Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs. Banned words Drugs Score=10 Pharmacy Score=5 Prescription Score=5 Threshold= = Filtering Methods: MIME Headers The FortiGate unit can check the MIME header information of incoming messages» If a match is found in the header list configured on the device, the corresponding action is taken Configured through CLI only # config spamfilter mheader # edit (id) # config entries # edit (entry_id) # set action [spam clear] # set fieldbody (pattern) # set fieldname (pattern) # end 20

11 Filtering Methods: DNSBL and ORDBL The FortiGate unit can compare the IP address or domain name of incoming message against third-party DNSBL and ORDBL lists» Match IP addresses or domain names of known spammers Configured through CLI only # config spamfilter dnsbl # edit [id] # config entries # edit [entry_id] # set action [spam reject] # set server [destination] # set status [enable disable] # end 21 Checking all MTAs an passed through IP based checks only look at the connecting IP of the session to determine if is blacklisted (default) Every time an passes through a mail server an entry should be added to the Received MIME header (depends on mailserver) FortiGate can walk through receive header and check all IPs New Servers should be added to the beginning of the list FortiGate can walk through receive header and check all IPs Can cause issues if DNS is slow ( s can pass through multiple servers) # config spamfilter profile # edit <profile_name> # config [pop imap smtp] # set hdrip [enable disable(default)] # end 22

12 The Received MIME Header Normal contents can include: Date/time, ID, Transmitting Mail info (EHLO & IP), Receiving Mail info (Name and IP), TLS information, Protocol Exact format varies based on server software and configuration Received: from mail.fortinet.com ( ) by FGT-EXCH-CAS212.fortinet-us.com ( ) with Microsoft SMTP Server id ; Thu, 20 Feb :58: Received: from mailrelay.fortinet.com (mailrelay.fortinet.com [ ]) by mail.fortinet.com (8.14.4/8.14.4) with ESMTP id s1l3wwr for Thu, 20 Feb :58: Received: from smtp.fortinet.com (smtp.fortinet.com [ ]) by mailrelay.fortinet.com (8.13.8/8.13.8) with ESMTP id s1l3wwep for < >; Thu, 20 Feb :58: Received: from mail-qg0-f47.google.com (mail-qg0-f47.google.com [ ]) by smtp.fortinet.com with ESMTP id s1l3wub s1l3wub (version=tlsv1.0 cipher=rc4-sha bits=128 verify=cafail) for < >; Thu, 20 Feb :58: Received: by mail-qg0-f47.google.com with SMTP id 63so qgz.6 for < >; Thu, 20 Feb :58: (PST) 23 Filtering Order: SMTP IP BWL Check DNSBL & ORDBL FortiGuard IP HELO DNS MIME Header BWL Banned word (on Body) IP BWL Check (Receive Header) Banned word (on Subject) Return DNS FortiGuard URL FortiGuard Checksum DNSBL & ORDBL (Receive Header) filter checks continue until EITHER A check comes back with an action All checks are passed 24

13 Filtering Order: POP3 & IMAP MIME Header BWL Banned Word (on Subject) IP BWL Check Not all SMTP based spam checks are available!! POP3/IMAP used between Mail server and client checking SMTP used for delivering Return DNS FortiGuard IP FortiGuard URL FortiGuard Checksum DNSBL & ORDBL Banned word (on Body) 25 FortiGuard: Query cache Caching reduces FortiGuard requests; can improve performance Small % of system memory dedicated to cache Query results cached until TTL setting is reached Alternate port 8888 for access to FortiGuard servers Cache IP address: URL: Message checksum: x65fsd34c # config system fortiguard # set antispam-cache [enable disable] # set antispam-cache-ttl ( ) # set antispam-cache-mpercent (1-15%) # end 26

14 FortiGuard: Connectivity #diagnose spamfilter fortishield servers Locale : english License : Contract Expiration : Mon Apr 28 16:00: =- Server List (Thu Feb 20 14:09: ) -=- IP Weight RTT Flags TZ Packets Curr Lost Total Lost DI D Request Removal From FortiGuard Spam filtering is best effort, so there can be false positives that occur periodically» FortiGuard Antispam Portal: 28

15 Filter Profile Filter security feature disabled by default» To configure profile, first go to System > Status and set Filter to ON 29 SSL Options SMTPS is SSL encapsulated SMTP» Decoding requires SSL/SSH Inspection profile ESMTP contains StartTLS command (if supported by server)» Encrypts communication from that point» No SSL/SSH Inspection profile means no inspection or log. 30

16 Combining AV & Filtering If virus scan is enabled the scan happens as the last filter check» Clear actions associated with the DO NOT BYPASS the virus scan White listed senders can still get infected with a virus» Spam actions associated with the DO NOT BYPASS the virus scan Unless the action is DISCARD Spam passing through could also have a virus If a virus is found, the is considered spam (even with a clear action)» Spam Action Tag: Infection is removed and replaced with TXT file containing the AV block message» Spam Action Discard: SMTP connection is blocked with 5x response 31 Reading Log entries: Forward Traffic log Filter log entries appear in Traffic Log > Forward Traffic log by default» Intended to be brief/summary only 32

17 Reading Log entries: Filter log # set extended-utm-log enable» logs show under Security Log> Filter as well» More detailed» Additional info means additional resources to create/store log 33 Deployment Strategies: Multiple Spamfiltering devices Multiple Spam filtering devices/software» Enable checks that are not available on other devices» Only Last device should be able to effect mail flow (discard/quarantine s) 34

18 Deployment Strategies: Geographic Considerations Geographic IP address object can block source IPs» Not all mail servers are located within their countries Mail BWL can block based on domain suffix ( Not all mail domains have suffix for their country of origin Business considerations need to be remembered # set pattern ".*\\.[ru bz]" # set pattern-type regexp # set score 1000 # language western 35 Labs Lab 1: Filtering» Ex 1: Configuring FortiGuard AntiSpam 36

19 Classroom Lab Topology 37