DOWNLOAD PDF CISCO IRONPORT CONFIGURATION GUIDE

Size: px

Start display at page:

Download "DOWNLOAD PDF CISCO IRONPORT CONFIGURATION GUIDE"

Tyler Riley
5 years ago
Views:

1 Chapter 1 : Cisco IronPort Security Appliance Best Practices : Part 3 - emtunc's Blog Cisco IronPort AsyncOS for Security Advanced Configuration Guide (PDF - 9 MB) Cisco IronPort AsyncOS for Security Configuration Guide (PDF - 6 MB) Cisco IronPort AsyncOS for Security Daily Management Guide (PDF - 7 MB). Infrastructure Access Control Lists To protect infrastructure devices and minimize the risk, impact, and effectiveness of direct infrastructure attacks, administrators are advised to deploy infrastructure access control lists iacls to perform policy enforcement of traffic sent to infrastructure equipment. Administrators can construct an iacl by explicitly permitting only authorized traffic sent to infrastructure devices in accordance with existing security policies and configurations. For the maximum protection of infrastructure devices, deployed iacls should be applied in the ingress direction on all interfaces to which an IP address has been configured. An iacl workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address. In the following example, Care should be taken to allow required traffic for routing and administrative access prior to denying all unauthorized traffic. Whenever possible, infrastructure address space should be distinct from the address space used for user and services segments. Using this addressing methodology will assist with the construction and deployment of iacls. Infrastructure Protection Access Control Lists. Generating these messages could have the undesired effect of increasing CPU utilization on the device. ICMP unreachable message generation can be disabled using the interface configuration commands no ip unreachables and no ipv6 unreachables. ICMP unreachable rate limiting can be changed from the default using the global configuration commands ip icmp rate-limit unreachable interval-in-ms and ipv6 icmp error-interval interval-in-ms. Administrators should investigate filtered packets to determine whether they are attempts to exploit this vulnerability. Administrators can use Embedded Event Manager to provide instrumentation when specific conditions are met, such as ACE counter hits. Transit Access Control Lists To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy transit access control lists tacls to perform policy enforcement. Administrators can construct a tacl by explicitly permitting only authorized traffic to enter the network at ingress access points or permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tacl workaround cannot provide complete protection against this vulnerability when the attack originates from a trusted source address. Filtering at Your Edge. Administrators are advised to investigate filtered packets to determine whether they are attempts to exploit this vulnerability. The log-input option enables logging of the ingress interface in addition to the packet source and destination IP addresses and ports. Access control list logging can be very CPU intensive and must be used with extreme caution. The logging rate-limit rate-per-second [except loglevel] command limits the impact of log generation and transmission. Administrators are advised to investigate flows to determine whether they are attempts to exploit this vulnerability or whether they are legitimate traffic flows. It facilitates the creation of more complex configurations for traffic analysis and data export by using reusable configuration components. Although the syntax will be almost identical for the Cisco IOS Flexible NetFlow will also include nonkey field information about source and destination IPv4 addresses, protocol, ports if present, ingress and egress interfaces, and packets per flow. Cisco IOS Flexible NetFlow will also include nonkey field information about source and destination IPv6 addresses, protocol, ports if present, ingress and egress interfaces, and packets per flow. Transit Access Control Lists To protect the network from traffic that enters the network at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy tacls to perform policy enforcement. In addition, syslog message can provide valuable information, which includes the source and destination IP address, the source and destination port numbers, and the IP protocol for the denied packet. Firewall Access List Syslog Messages Firewall syslog message will be generated for packets denied by an access control entry ACE that does not have the log keyword present. In the following example, the show logging grep regex command Page 1

2 extracts syslog messages from the logging buffer on the firewall. These messages provide additional information about denied packets that could indicate potential attempts to exploit the vulnerability that is described in this document. It is possible to use different regular expressions with the grep keyword to search for specific data in the logged messages. Additional information about regular expression syntax is in Creating a Regular Expression. Deny tcp src outside: Page 2

3 Chapter 2 : Enabling SNMP on Cisco IronPort Rajeew's IT Blog iii Cisco IronPort AsyncOS for Configuration Guide OL CONTENTS iii CHAPTER 1 Getting Started with the IronPort Security Appliance What's New in This Release Subscribe to Blog via If you found any of my posts useful, enter your address below and be the first to receive notifications of new ones! Every environment is unique so please make sure you understand what you are doing before attempting to implement any of my suggestions below. The suggestions below are in no particular order. Quarantines It is a good idea to create separate quarantines for different items you expect to be in the quarantine. Incoming Content Filters Have a content filter to block actively exploited threats. Obviously once the exploit is patched, the content filter will be modified to reflect that. A content filter to block executables or allow ONLY certain extensions is definitely a must for an security appliance. If your IronPort sees a message from example. Add a content filter for URL filtering. Encryption Edit your encryption profile so that the encryption algorithm is AES Customise the encryption HTML template and make it a bit more personalised â company logo, policies, who to send an to if the recipient has troubles opening the encrypted attachment, etc Personally I would recommend unchecking the box for Use Decryption Applet. This one is very important and I suggest you take some time doing this properly. Ideally you will have some example sensitive attachments so you can create unique regular expressions in content filters to encrypt messages that match the sensitive keywords. I would ask the finance team for a copy of this attachment with all the actual numbers and figures blanked out. I would then look for keywords in the document or document name that would not normally be used in other documents. I would then create a regex in a content filter to match this particular keyword and encrypt all messages containing that keyword. Edit the default mail flow policy so that: Your environment may, for whatever reason, require external users more than that but it has never been an issue for me. Normal, well behaved clients should not open more than 1. Enable Directory Harvest Attack Prevention and set it to something low. I have mine set to 5. This will stop automated bots from attempting to guess and store a list of valid addresses Set TLS under Encryption and Authentication to preferred. In your sender group settings, there is a field for DNS lists. Page 3

4 Chapter 3 : Cisco IronPort (SNMP) THWACK IronPort best practices and configuration guide Hi there, I manage a Cisco IronPort ESA appliance for my organisation and made a quick blog post last night about things I thought should be a best practice for a new ESA appliance. Install these products together to access reports and dashboards that give you visual insight into the performance and effectiveness of your Cisco IronPort WSA implementations. This will bring you to the Setup page for the add-on. See "Getting data into the add-on," below for more information about this page. One way to do this is to configure your Cisco IronPort WSA appliance to export its access logs to a directory that is accessible by your Splunk implementation. Follow these steps to set up a log subscription in the Cisco IronPort WSA appliance, have it push the log to a place where Splunk can get it, and then configure Splunk to get the log data and process it so that it is usable by the Splunk for Cisco IronPort WSA add-on. You can configure the appliance to format these logs in either Squid or W3C format. In general it is best to use the Squid format if possible because it reduces the number of steps required to configure the inputs for the Splunk for Cisco IronPort WSA add-on. Note that the Squid logging option provides a fixed format. If you decide to go with the W3C format, note that in order for the W3C format to work with Splunk for Cisco Ironport WSA, you need to supply the field header to Splunk in order to properly extract fields. Ensure that the logs are being sent to a directory on a machine that is accessible by your Splunk implementation. For more information about configuring a monitor input for a file or directory data source, see "Monitor files and directories" in the Getting Data In Manual. Alternatively you can take a look at the recipe in the same Manual. When you configure the inputs for the Cisco for IronPort WSA add-on in Manager, you should override the source types that would ordinarily automatically be assigned to them. Set up additional configurations, as required, and as described in the following subsections. If you export your Cisco IronPort logs in the Squid format but require an alternative name for your source type due to naming conventions within your organization, or if you have already indexed your Cisco IronPort WSA access logs with different source types and cannot reindex them, you will need to manually configure search-time field extractions and event types for your IronPort data. If you export your Cisco IronPort access logs in W3C format, you need to create a special search-time field extraction in order for Splunk to process it properly. Depending on your situation, you must either rename the existing source type OR map the required search-time field extractions and event type to your source type. You do not need to perform both sets of actions. Rename your existing source type To rename the existing source type, simply add the following stanza to props. Map your existing source type to the required field extractions and event type To map your existing source type to the lookup-based field extractions and event type, add the following stanza to props. For more information about event types, see "About event types" in the Knowledge Manager Manual. The field names must match up with the order in which the fields were selected in the management interface of the Cisco IronPort WSA appliance. Alternatively, you can determine the field values by viewing the the top of the W3C-formatted access log file. To create this field extraction, add the following entry to props. Chapter 4 : Set up Splunk for Cisco IronPort Web Security Appliance - Splunk Wiki Can someone guide me in the right direction where I can access a IronPort Reporting Reference Guide? Something that shows me how to configure custom reporting on the IronPort or how to modify the canned reports such as Executive Summary. Chapter 5 : How to setup TLS on IronPort - [SOLVED] enterprise IT You must wait five minutes for the system to The Cisco IronPort Appliance requires at least one IP address to send Your Cisco IronPort Appliance is designed to serve as your SMTP initialize the very first time you power up before moving on to Step 5. Page 4

5 Chapter 6 : Troubleshooting Ironport - Cisco Community Ironport Configuration. Navigate to Network -> Transparent Redirection. Make the type WCCP v2 Router. Add a service with a name of WEB_CACHE, a router IP of (ASA Inside IP) and port 80 (Standard). Chapter 7 : Cisco IronPort Products and Solutions theinnatdunvilla.com I've cheekily phrased this blog article as a best practice guide to setting up/configuring your Cisco IronPort security appliance. However I must make clear that the below is what I deem to be best practices/configuration. Chapter 8 : Security with Cisco IronPort SNMP - The best friend of a System Admin. This guide will show you how to enable SNMP on Cisco Iron Port devices. I will be working with Cisco IronPort C in this guide, but it is pretty much same for other models as well. Chapter 9 : Initial configuration of a Cisco ASA and Ironport WSA using WCCP - TunnelsUP Cisco IronPort ESA CLI Reference Card release, by Jens Roesen Default user & password, batch command mode and contacts The default username is admin and it's password is ironport. Page 5

Configuring Logging for Access Lists

Configuring Logging for Access Lists CHAPTER 20 This chapter describes how to configure access list logging for extended access lists and Webytpe access lists, and it describes how to manage deny flows. This chapter includes the following