CISCO ESA - spam and antivirus e-mail filter
E-mail is currently one of the key IT infrastructure elements used in every company. The e-mail service can either be handed over to a cloud provider, using Exchange Online servers, or installed as an on-premises version on the external company servers. In either case, we can use CISCO ESA (Email Security Appliance) – IronPort to protect our messages.
Why should we filter the e-mail traffic?
E-mail is one of the key work tools in every company. It is used by almost every employee. That is why criminals so eagerly use this channel in attempts to infiltrate IT systems, sending infected software as an attachment or sharing a link to it, hoping that an employee will click on it and that it will infect the whole company computer network. Additionally, a vast majority of e-mail messages are classified as SPAM or unwanted messages.
How can we protect the e-mail server against SPAM or viruses?
E-mail servers do not include any anti-SPAM or malicious software protection. Their task is only to receive messages according to the SMTP protocol and deliver them to data storage so that each message is available to the recipient. Whether we use free open-source e-mail solutions based on Linux or commercial systems like Microsoft Exchange, we need an external content control system to check e-mail messages for viruses and SPAM.
How does the CISCO ESA – IronPort spam filter work?
The CISCO ESA – IronPort e-mail solution can be purchased in a hardware version, as a server, or as virtual machine software. Regardless of the form, the CISCO ESA filter constitutes the entry point for the company's e-mail messages. The messages are scanned and, depending on the result, rejected or delivered to the proper e-mail server. CISCO ESA can change the e-mail content itself, i.e. delete a virus or protect URL links leading to suspicious content. These mechanisms protect the company against sophisticated forms of attack in which URL links to software are used and the harmless file content behind the hyperlink is replaced by a virus only after the e-mail has passed the antivirus check. By changing the link to point to a proxy, CISCO ESA checks the content behind the hyperlink at the moment the user clicks it, and not when it is checked by the antivirus system.
For the analysis, ESA software uses the CISCO Talos global reputation and threat database. Cisco Talos is a dynamically updated database including, among others:
- A set of e-mail server IP addresses together with their assigned reputation – the address reputation is mainly the level of trust in a given e-mail server. The server reputation is built based on the amount of spam sent to the Internet from a given IP address.
- A set of cryptographic files – Talos collects global threat data. Its database holds the attack vectors that were already used in other ESA system instances. By sharing this data, we obtain a high detection rate for malicious software sent in attachments or pointed to by URL links.
Using the advanced CISCO ESA mechanisms, we can automatically send attachment or URL link data to Talos for analysis. The attachment is opened in a cloud environment on CISCO resources, in a so-called sandbox, a strictly monitored IT environment. The effects of running the application are checked, and based on them a decision is made whether the software is safe or should be marked as malicious.
The CISCO ESA system is also a gateway for the company's outgoing e-mail, and its DLP (Data Loss Prevention) functionality is worth noting. It is a system that protects against leaks of confidential data, such as GDPR-protected data or credit card numbers. Based on the defined rules, the system checks the content of every message and classifies it according to the patterns.
CISCO ESA spam filter deployment
Our company deploys IT solutions and offers IT services for companies. E-mail server configuration and administration is, among others, our area of expertise. We use CISCO ESA as the element protecting the company and its servers against SPAM and viruses. We run an IT audit of the current solution and help you choose the anti-spam system version and license types. Currently CISCO allows for a test deployment of the solution based on virtualization, for which a trial license can be obtained for 45 days.