Thursday, July 20, 2017

300-210 1.3.b Implement Email Encryption

Email encryption on the ESA follows the basic overview below.  I will go over specific steps afterwards, but these are the basic steps:

1. Create an encryption profile that specifies characteristics of the encrypted email and connectivity information for the key server.  The key server can be one of the following:
  • Cisco Registered Envelope Service (a managed service)
  • Cisco Encryption appliance (a managed server)
2. Create rules for the following elements to specify traffic to be encrypted:
  • content filters
  • data loss prevention policies
  • message filters
Encryption flow
Once those basics have been configured, the encryption flow takes place as follows:
  1. An outgoing message that meets the conditions of the filter is placed in the queue for encryption processing
  2. Once encrypted, the encryption key is stored on the key server and the message is queued for delivery
  3. If some temporary condition prevents the email from being sent, it remains in the queue and will be sent later
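To make the three-step flow concrete, here is an added Python model of it; it is not Cisco's code, and the key server class, the [SECURE] subject marker, the example.com domain and the keys.example.invalid host name are all placeholders. The toy SHA-256 keystream stands in for the real envelope encryption; what the model shows is the ordering: filter match, encrypt under a per-message key, escrow that key on the key server, then deliver, with anything that fails temporarily staying in the queue for the next pass.

```python
"""Added model of the ESA encryption flow (not Cisco's code): a filter selects outgoing
messages, each is encrypted under a fresh per-message key, the key is escrowed on a key
server, and delivery is retried after a temporary failure."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, List


class TemporaryError(Exception):
    """Transient delivery failure (remote MTA unreachable, greylisting); keep queued."""


@dataclass
class Message:
    msg_id: str
    sender: str
    recipient: str
    subject: str
    body: bytes


@dataclass
class Envelope:
    msg_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes         # HMAC over msg_id + nonce + ciphertext, checked before decrypting
    key_server: str    # host the recipient's client contacts to fetch the message key


def encryption_filter(msg: Message) -> bool:
    """Constructed rule standing in for a content filter: encrypt when the subject
    carries the [SECURE] marker or the recipient is outside example.com."""
    return "[SECURE]" in msg.subject or not msg.recipient.lower().endswith("@example.com")


def toy_stream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative SHA-256 counter-mode keystream XOR; NOT a production cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        keystream = hashlib.sha256(key + nonce + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def envelope_tag(key: bytes, msg_id: str, nonce: bytes, ciphertext: bytes) -> bytes:
    """Integrity tag binding the ciphertext to its message id and nonce."""
    return hmac.new(key, msg_id.encode() + nonce + ciphertext, hashlib.sha256).digest()


class KeyServer:
    """Stands in for CRES or the encryption appliance: holds one key per message."""

    def __init__(self) -> None:
        self._keys = {}

    def store(self, msg_id: str, key: bytes) -> None:
        self._keys[msg_id] = key

    def fetch(self, msg_id: str) -> bytes:
        return self._keys[msg_id]


class EncryptionPipeline:
    def __init__(self, key_server: KeyServer, deliver: Callable,
                 key_server_name: str = "keys.example.invalid"):   # placeholder host
        self.key_server = key_server
        self.deliver = deliver          # raises TemporaryError on a transient failure
        self.key_server_name = key_server_name
        self.encrypt_queue: List[Message] = []
        self.delivery_queue: list = []  # holds Message (plain) and Envelope (encrypted)
        self.delivered: list = []

    def submit(self, msg: Message) -> None:
        """Step 1: a message that matches the filter waits in the encryption queue."""
        (self.encrypt_queue if encryption_filter(msg) else self.delivery_queue).append(msg)

    def process_encryption(self) -> None:
        """Step 2: encrypt, escrow the key on the key server, queue for delivery."""
        while self.encrypt_queue:
            msg = self.encrypt_queue.pop(0)
            key, nonce = os.urandom(32), os.urandom(16)
            ciphertext = toy_stream_cipher(key, nonce, msg.body)
            tag = envelope_tag(key, msg.msg_id, nonce, ciphertext)
            self.key_server.store(msg.msg_id, key)
            self.delivery_queue.append(
                Envelope(msg.msg_id, nonce, ciphertext, tag, self.key_server_name))

    def process_delivery(self) -> None:
        """Step 3: deliver; anything that fails temporarily stays queued for a later pass."""
        retry = []
        for item in self.delivery_queue:
            try:
                self.deliver(item)
                self.delivered.append(item)
            except TemporaryError:
                retry.append(item)
        self.delivery_queue = retry


def open_envelope(env: Envelope, key_server: KeyServer) -> bytes:
    """Recipient side: fetch the escrowed key, verify the tag, then decrypt."""
    key = key_server.fetch(env.msg_id)
    if not hmac.compare_digest(envelope_tag(key, env.msg_id, env.nonce, env.ciphertext), env.tag):
        raise ValueError("envelope tag mismatch: message was altered in transit")
    return toy_stream_cipher(key, env.nonce, env.ciphertext)
```

The recipient verifies the tag before decrypting, so a tampered envelope is rejected without ever producing plaintext; the key itself never travels with the message, which is the point of keeping it on the key server.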

Monday, July 17, 2017

300-210 1.3.a Describe the features and functionality of the ESA

The ESA's job is to secure incoming / outgoing email and to protect the network from the same.

Features:
  • Antivirus
    • Integrates the Sophos and McAfee engines to protect against viral threats
  • Antispam
    • Uses SenderBase Reputation Filters and Cisco Anti-Spam integration to find / handle spam.
  • Outbreak filters
    • protection against new virus, scam, and phishing attacks; messages can be quarantined until updates can be applied.
  • Policy, Outbreak, and Virus Quarantines
    • Provides quarantine areas for suspicious messages to reside until they are reviewed by an administrator.
  • Spam Quarantine
    • both on-box and off-box; allows end users access to quarantined spam / suspected spam.
  • Email authentication
    • The ESA supports the following email authentication:
      • Sender Policy Framework (SPF) - for incoming mail
      • Sender ID Framework (SIDF) - for incoming mail
      • DomainKeys Identified Mail (DKIM) - for incoming / outgoing mail
  • Cisco Email Encryption
    • Outgoing emails can be encrypted to various standards (HIPAA, GLBA, etc.).  This is done using either a local key or a hosted key service to encrypt.
  • Email Security Manager
    • A dashboard to configure and track the security services applied to inbound / outbound mail policies, including:
      • Cisco Reputation Filters
      • Outbreak Filters
      • Anti-Spam
      • Anti-Virus
      • email content policies
  • On-box Quarantine areas
    • self-explanatory
  • On-box message tracking
    • Allows the user to track the status of specific email messages that have passed through the ESA.
  • Mail flow monitoring
    • provides visibility into ALL inbound/outbound email
  • Access control
    • Allows filtering of inbound email by sender IP, IP range, or domain.
  • Message filtering
    • allows enforcement of security policy on all messages entering / leaving the network
      • filter rules identify based on:
        • message / attachment content
        • information about the network
        • message envelope
        • message headers
        • message body
      • filter actions allow messages to:
        • be dropped
        • be bounced
        • be archived
        • be blind carbon copied
        • be altered
        • generate notifications
  • Message encryption via secure SMTP over Transport Layer Security
    • straightforward
  • Virtual gateway
    • allows the ESA to act as multiple email gateways within a single server, so traffic from different sources / campaigns can be sent over different IP addresses.
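As an added example (not ESA code) of the SPF check the appliance performs on incoming mail, the evaluator below walks an SPF record for a sender IP using a constructed DNS zone (the domains and addresses are documentation placeholders) and returns the RFC 7208 result. The ip4, ip6, include and all mechanisms are implemented; a, mx, ptr and exists need live DNS and are treated as non-matching. The policy_action mapping at the end is a constructed choice, not an ESA default.

```python
"""Added example (not ESA code): a minimal SPF evaluator of the kind run on incoming mail.
It is driven by a constructed DNS zone so it works offline; ip4, ip6, include and all are
implemented, while a, mx, ptr and exists need live DNS and are treated as non-matching."""
import ipaddress

# Constructed TXT records; the domains and addresses are documentation placeholders.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
    "nospf.example": "some unrelated txt record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms per check at 10


def check_spf(domain: str, sender_ip: str, zone=ZONE, depth: int = 0) -> str:
    """Return the SPF result for sender_ip using MAIL FROM @domain:
    pass, fail, softfail, neutral, none or permerror."""
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"          # include loop or excessive nesting
    record = zone.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"             # a mechanism with no qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network membership is False across address families, so a v4
            # sender never matches an ip6 term and vice versa.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, sender_ip, zone, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # RFC 7208 5.2: include of a missing record is permerror
        # a, mx, ptr, exists: need DNS lookups, not modelled here -> no match
    return "neutral"                # no mechanism matched and no "all" term


def policy_action(result: str) -> str:
    """Constructed mail-policy mapping (not an ESA default): reject hard failures and
    permanent errors, deliver softfail with a tag, accept everything else."""
    return {"fail": "reject", "permerror": "reject", "softfail": "tag-and-deliver"}.get(result, "accept")
```

The include loop in the constructed zone shows why the depth cap matters: without it a malformed record would recurse forever, which is the kind of input a mail gateway must expect.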
The ESA can be managed via HTTP, HTTPS, and the CLI.
ESAs can also be managed centrally via the Security Management Appliance if desired (best used in environments with several ESA servers).
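An added example (not the ESA's own filter language): a small rule engine, run over a constructed inbound message, that shows the condition classes listed above under message filtering and access control (network information such as sender IP range, envelope, headers, body, attachments) and how non-final actions such as bcc and notify accumulate until a final action such as drop or bounce ends evaluation. All addresses, ranges and rule names are placeholders, and the sample attachment is a harmless text stub.

```python
"""Added example (not Cisco's filter language): a small message-filter engine showing
the condition classes and actions listed in the notes, run over a constructed message."""
import ipaddress
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from email.parser import Parser
from typing import Callable, List, Tuple

FINAL_ACTIONS = {"drop", "bounce"}   # nothing after one of these is evaluated


@dataclass
class Context:
    msg: EmailMessage
    sender_ip: str          # connecting host (network information)
    mail_from: str          # envelope sender
    rcpt_to: List[str]      # envelope recipients


@dataclass
class Rule:
    name: str
    condition: Callable[[Context], bool]
    action: str             # drop, bounce, archive, bcc, alter, notify
    detail: str = ""        # e.g. bcc address or notification target


# --- condition builders, one per information class in the notes ---
def sender_in(cidr: str):                     # network information / access control
    net = ipaddress.ip_network(cidr, strict=False)
    return lambda c: ipaddress.ip_address(c.sender_ip) in net


def envelope_from_domain(domain: str):        # message envelope
    return lambda c: c.mail_from.lower().rsplit("@", 1)[-1] == domain


def header_matches(name: str, pattern: str):  # message headers
    rx = re.compile(pattern, re.I)
    return lambda c: rx.search(str(c.msg.get(name, ""))) is not None


def body_matches(pattern: str):               # message body
    rx = re.compile(pattern, re.I)

    def cond(c: Context) -> bool:
        part = c.msg.get_body(preferencelist=("plain",))
        return part is not None and rx.search(part.get_content()) is not None
    return cond


def attachment_named(pattern: str):           # attachment name
    rx = re.compile(pattern, re.I)
    return lambda c: any(rx.search(a.get_filename() or "") for a in c.msg.iter_attachments())


def evaluate(raw: str, sender_ip: str, mail_from: str, rcpt_to: List[str],
             rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Apply rules in order; collect (rule, action, detail) until a final action fires."""
    ctx = Context(Parser(policy=policy.default).parsestr(raw), sender_ip, mail_from, rcpt_to)
    fired = []
    for rule in rules:
        if rule.condition(ctx):
            fired.append((rule.name, rule.action, rule.detail))
            if rule.action in FINAL_ACTIONS:
                break
    return fired


# Constructed rule set: placeholder addresses and ranges, not a recommended policy.
RULES = [
    Rule("block-netblock", sender_in("203.0.113.0/24"), "drop"),
    Rule("partner-bcc", envelope_from_domain("partner.invalid"), "bcc", "archive@example.com"),
    Rule("invoice-notify", header_matches("Subject", r"\binvoice\b"), "notify", "ap-team@example.com"),
    Rule("exe-attachment", attachment_named(r"\.(exe|scr|js)$"), "drop"),
    Rule("lure-phrase", body_matches(r"run the attached"), "bounce"),
]


def constructed_message(attachment: bool = True) -> str:
    """Build a sample inbound message; the 'attachment' is a short text stub."""
    m = EmailMessage()
    m["From"] = "billing@partner.invalid"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice attached"
    m.set_content("Please run the attached file to view your invoice.")
    if attachment:
        m.add_attachment(b"not-a-real-binary", maintype="application",
                         subtype="octet-stream", filename="invoice.exe")
    return m.as_string()
```

Rule order is the policy: with the netblock rule first, a message from a blocked range is dropped before any bcc or notification is generated, which is usually what an administrator wants for access control.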

Thursday, June 29, 2017

300-210 1.2.c Cisco Web Security Appliance - Implement WSA identity and authentication, including transparent user identification

WSA identity and authentication can be done either directly, with WSA talking directly to either Active Directory or LDAP, or transparently.

Explicit Forwarding
When configuring identity, the first screen on the GUI is under Web Security Manager -> Identification Profiles.
By default nothing has been configured.  An identification profile must be created to utilize this feature.
When clicking on the "Add Identification Profile" button, the default screen looks like this:

By default a name can be given and members defined, as well as proxy ports, user agents, and URL categories (in the advanced section).  No user identification method exists by default.  This is where direct user identification is configured (the WSA itself queries Active Directory / LDAP).

Navigating to Network -> Authentication takes us to the screen where AD/LDAP can be defined.

Adding a realm:

Give the realm a name, make sure to add the Active Directory server(s) (or LDAP) and the domain, and click the join domain button to enter user credentials for joining the domain.  Since this is a realm using Explicit Forwarding, that's all the configuration needed.  Press the "start test" button to verify the configuration.  Since I used bogus credentials, my test results looked like this:

Checking DNS resolution of WSA hostname(s)...
Failure: Unable to resolve 'wsa.milbur.local' :
Unknown hostname


Checking DNS resolution of Active Directory Server(s)...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Checking DNS resolution of AD Server(s)' full computer name(s)...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Validating configured Active Directory Domain...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Attempting to get TGT...
Failure: Error while fetching Kerberos Tickets from server 'ad1.test.local' :
kinit: krb5_get_init_creds: unable to reach any KDC in realm TEST.LOCAL

Failure: Error while fetching Kerberos Tickets from server 'ad2.test.local' :
kinit: krb5_get_init_creds: unable to reach any KDC in realm TEST.LOCAL


Checking local WSA time and server time difference...
Warning: Cannot check system time on AD server 'ad1.test.local'
Warning: Cannot check system time on AD server 'ad2.test.local'

Attempting to fetch AD group information...
Failure: Unable to resolve 'ad1.test.local' :
Unknown hostname

Failure: Unable to resolve 'ad2.test.local' :
Unknown hostname


Test completed: Errors occurred, see details above.

Lots of errors there, but it gives a good idea of the various checks performed: DNS resolution of the WSA and AD server names, obtaining a Kerberos TGT from a KDC, clock skew against the AD servers, and fetching AD group information.
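As an added example, not Cisco's test code, the checker below reproduces the order of the realm test's stages (WSA host name resolution, AD server resolution, KDC reachability on tcp/88 for the TGT, clock skew against the default five-minute Kerberos tolerance) so the same dependencies can be verified from any host before the join is attempted. The DNS and TCP defaults do real lookups; both are injectable, and demo_findings() runs the checks offline against constructed names and addresses. The group-fetch stage needs an LDAP bind and is not modelled.

```python
"""Added example (not Cisco's test code): a pre-flight check mirroring the stages of the
WSA realm test. Defaults do real DNS/TCP lookups; all sources are injectable so the
checks also run offline against constructed data."""
import socket
from datetime import datetime, timedelta, timezone

KDC_PORT = 88                       # Kerberos: the port kinit must reach for a TGT
MAX_SKEW = timedelta(minutes=5)     # default Kerberos clock-skew tolerance


def default_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def default_resolve(host: str):
    """Return an address string, or None when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return None


def realm_preflight(wsa_hostname, ad_servers, realm, *, resolve=default_resolve,
                    connect=default_connect, server_time=None, now=None):
    """Run the checks in the order the WSA test reports them.
    server_time(host) -> aware datetime of the server, or None if unavailable.
    Returns a list of (stage, level, message)."""
    findings = []

    if resolve(wsa_hostname) is None:
        findings.append(("dns-wsa", "failure", f"Unable to resolve '{wsa_hostname}'"))

    reachable = []
    for host in ad_servers:
        if resolve(host) is None:
            findings.append(("dns-ad", "failure", f"Unable to resolve '{host}'"))
        else:
            reachable.append(host)

    for host in reachable:   # the TGT stage needs a KDC listening on tcp/88
        if not connect(host, KDC_PORT):
            findings.append(("kdc", "failure",
                             f"unable to reach KDC {host}:{KDC_PORT} for realm {realm.upper()}"))

    for host in reachable:
        remote = server_time(host) if server_time else None
        if remote is None:
            findings.append(("time", "warning", f"Cannot check system time on AD server '{host}'"))
        else:
            skew = abs(remote - (now or datetime.now(timezone.utc)))
            if skew > MAX_SKEW:
                findings.append(("time", "failure", f"clock skew {skew} to '{host}' exceeds {MAX_SKEW}"))
    return findings


def summarize(findings) -> bool:
    """True when no stage reported a failure (warnings are tolerated)."""
    return not any(level == "failure" for _, level, _ in findings)


def demo_findings(skew_minutes: int = 10, reachable_kdc: bool = True):
    """Offline run with fake DNS/TCP/time sources over constructed names (placeholders)."""
    zone = {"wsa.example.invalid": "192.0.2.10", "ad1.example.invalid": "192.0.2.20"}
    now = datetime(2017, 6, 29, 12, 0, tzinfo=timezone.utc)
    return realm_preflight(
        "wsa.example.invalid", ["ad1.example.invalid", "ad2.example.invalid"], "example.invalid",
        resolve=zone.get,
        connect=lambda host, port, timeout=3.0: reachable_kdc and port == KDC_PORT,
        server_time=lambda host: now + timedelta(minutes=skew_minutes),
        now=now)


if __name__ == "__main__":
    for stage, level, message in demo_findings():
        print(f"{stage:8} {level:8} {message}")
```

Unresolvable AD servers are skipped in the later stages, since nothing downstream can succeed for them; a real run with the defaults will show DNS failures first, exactly as the WSA test output above does.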

Thursday, May 11, 2017

300-210 1.2.b Cisco Web Security Appliance - Implement data security

When implementing data security, the first thing that needs to be done is to enable the Cisco Data Security Filters service (see Security Services > Data Transfer Filters).  Don't forget to commit changes.  The Data Security page looks like this initially:
A Global Policy is provided by default, but it has no initial rules.  It is important to note that only the content filters are available out of the box; both URL Filtering and Web Reputation require additional licenses to enable.
Clicking the Content link opens up the following page:
Not only can the maximum HTTP/HTTPS and FTP file size be set; certain file types can be blocked, custom MIME types added, and explicit file names blocked.

The URL filtering options open up the following page:
This page allows the admin to either monitor or block certain types of traffic.  Common types of traffic that are blocked include pornography, gambling, and video games.

The Web Reputation link opens up the following page:
The slider sets the Web Reputation score at which the WSA switches from monitoring to blocking.  The lower the number, the less trusted the site.  The slider moves between -10 and 0, although reputation scores go all the way up to +10; sites with a score above zero cannot be blocked.

When adding a new policy group, the screen looks like this:

The Global Policy will always be the last.  Any new policies can be ordered the way you like, above the Global Policy.  Advanced settings can be configured now, during policy creation, or afterwards, from the main Data Security page.
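An added model (not WSA code) of the policy table just described: an ordered list of policies evaluated ahead of the Global Policy, content rules for maximum size, file type, MIME type and explicit file name, URL categories set to block or monitor, and a Web Reputation threshold clamped to the -10..0 slider range so that a site scoring above zero is never blocked. The policy names, membership rules and limits are constructed placeholders.

```python
"""Added model (not Cisco's code) of the WSA Data Security policy table: ordered policies
with the Global Policy always last, content rules, URL categories and a Web Reputation
threshold limited to the slider range."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class ContentRules:
    max_http_bytes: Optional[int] = None
    max_ftp_bytes: Optional[int] = None
    blocked_extensions: Set[str] = field(default_factory=set)   # file types, e.g. {"exe"}
    blocked_mime_types: Set[str] = field(default_factory=set)   # custom MIME types
    blocked_filenames: Set[str] = field(default_factory=set)    # explicit file names


@dataclass
class Policy:
    name: str
    members: Callable[["Upload"], bool]           # who the policy applies to
    content: ContentRules = field(default_factory=ContentRules)
    blocked_categories: Set[str] = field(default_factory=set)
    monitored_categories: Set[str] = field(default_factory=set)
    reputation_threshold: Optional[float] = None  # block below this score; slider -10..0


@dataclass
class Upload:
    """One outbound transfer (HTTP/HTTPS/FTP upload) seen by the WSA."""
    user: str
    protocol: str           # "http", "https" or "ftp"
    size: int
    filename: str
    mime_type: str
    url_category: str
    reputation: float       # -10 (least trusted) .. +10 (most trusted)


def clamp_threshold(value: float) -> float:
    """The slider only moves between -10 and 0; sites above 0 can never be blocked."""
    return max(-10.0, min(0.0, value))


def select_policy(upload: Upload, policies: List[Policy], global_policy: Policy) -> Policy:
    """First matching policy wins; the Global Policy is always evaluated last."""
    for p in policies:
        if p.members(upload):
            return p
    return global_policy


def evaluate(upload: Upload, policies: List[Policy], global_policy: Policy) -> Tuple[str, str, str]:
    """Return (policy name, verdict, reason); verdict is block, monitor or allow."""
    p = select_policy(upload, policies, global_policy)
    c = p.content
    limit = c.max_ftp_bytes if upload.protocol == "ftp" else c.max_http_bytes
    ext = upload.filename.rsplit(".", 1)[-1].lower() if "." in upload.filename else ""
    if limit is not None and upload.size > limit:
        return p.name, "block", f"size {upload.size} exceeds {limit}"
    if ext in c.blocked_extensions:
        return p.name, "block", f"file type .{ext}"
    if upload.mime_type in c.blocked_mime_types:
        return p.name, "block", f"MIME type {upload.mime_type}"
    if upload.filename in c.blocked_filenames:
        return p.name, "block", f"file name {upload.filename}"
    if upload.url_category in p.blocked_categories:
        return p.name, "block", f"URL category {upload.url_category}"
    if p.reputation_threshold is not None and upload.reputation < clamp_threshold(p.reputation_threshold):
        return p.name, "block", f"reputation {upload.reputation}"
    if upload.url_category in p.monitored_categories:
        return p.name, "monitor", f"URL category {upload.url_category}"
    return p.name, "allow", "no rule matched"


# Constructed policy table; names, groups and limits are placeholders.
GLOBAL = Policy("Global Policy", members=lambda u: True,
                content=ContentRules(max_http_bytes=50 * 2**20, blocked_extensions={"exe", "dll"}),
                monitored_categories={"file-sharing"}, reputation_threshold=-6.0)
FINANCE = Policy("Finance", members=lambda u: u.user.startswith("fin-"),
                 content=ContentRules(max_http_bytes=5 * 2**20),
                 blocked_categories={"file-sharing"}, reputation_threshold=-2.0)
POLICIES = [FINANCE]   # ordered; GLOBAL is passed separately so it stays last
```

Because the first matching policy is used, a narrower policy placed above the Global Policy replaces it entirely for its members rather than layering on top of it; the Finance policy above therefore needs its own file-type rules if it is to block executables too.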

Tuesday, May 9, 2017

300-210 1.2.a Cisco Web Security Appliance - Describe features and functionality

Talos Security Intelligence
Talos provides 24/7 rule updates to protect against new threats.  It continually generates new rules to combat zero-hour threats and sends these down to the WSA every 3 to 5 minutes.

Cisco Web Usage Controls
A web URL database of blocked sites used for dynamic content filtering.  Websites are categorized by scanning their text, scoring the text for relevancy, and calculating proximity to model documents; the resulting score can be used for trust decisions.

Advanced Malware Protection
AMP requires an additional license.  Enables malware detection and blocking, continuous analysis, and retrospective alerting. Augments the malware detection and blocking capabilities already offered in the Cisco WSA with enhanced file reputation capabilities, detailed file-behavior reporting, continuous file analysis, and retrospective verdict alerting. The Cisco AMP Threat Grid delivers malware protection through an on-premises appliance for organizations that have compliance or policy restrictions on submitting malware samples to the cloud. The Layer 4 Traffic Monitor continuously scans activity, detecting and blocking spyware “phone-home” communications. By tracking all network applications, the Layer 4 Traffic Monitor effectively stops malware that attempts to bypass classic web security solutions. It dynamically adds IP addresses of known malware domains to its list of malicious entities to block.

Cognitive Threat Analytics
A cloud-based tool that identifies the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection.  Requires an add-on license.

Application Visibility and Control (AVC)
Allows blocking/allowing applications (database is constantly updated).  Also allows customized bandwidth and time quotas per user, per group, and per policy.

Data Loss Prevention (DLP)
Creates context-based rules for basic DLP. The Cisco WSA also uses Internet Content Adaptation Protocol (ICAP) to integrate with third-party DLP solutions for deep content inspection and enforcement of DLP policies. The Cisco WSA also supports Secure ICAP to encrypt the traffic exchanged between WSA and third-party DLP solutions.
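To show what the ICAP integration actually carries, here is an added example (not Cisco's or any DLP vendor's code) that builds and parses an ICAP REQMOD message per RFC 3507: the proxy encapsulates the client's HTTP request headers and body, records their byte offsets in the Encapsulated header, and the DLP server reads them back before deciding. The service URI, host names and body are placeholders; with Secure ICAP the same bytes are simply sent inside a TLS session.

```python
"""Added example (not Cisco's code): building and parsing an ICAP REQMOD message
(RFC 3507), the exchange a web proxy uses to hand an outbound HTTP request to an
external DLP server for inspection."""
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"


def build_reqmod(service_uri: str, icap_host: str, request_line: str,
                 headers: Dict[str, str], body: Optional[bytes]) -> bytes:
    """Encapsulate an HTTP request (and optional body, chunked) in a REQMOD request.
    The Encapsulated header carries the byte offset of each encapsulated section."""
    http_hdr = (request_line + "\r\n"
                + "".join(f"{k}: {v}\r\n" for k, v in headers.items()) + "\r\n").encode()
    if body is None:
        encapsulated = f"req-hdr=0, null-body={len(http_hdr)}"
        payload = http_hdr
    else:
        encapsulated = f"req-hdr=0, req-body={len(http_hdr)}"
        # ICAP bodies use HTTP chunked encoding; a zero-length chunk ends them.
        payload = http_hdr + f"{len(body):x}".encode() + CRLF + body + CRLF + b"0" + CRLF + CRLF
    icap_hdr = (f"REQMOD {service_uri} ICAP/1.0\r\nHost: {icap_host}\r\n"
                f"Encapsulated: {encapsulated}\r\n\r\n").encode()
    return icap_hdr + payload


def dechunk(data: bytes) -> bytes:
    """Decode HTTP chunked transfer encoding (chunk extensions ignored, no trailers)."""
    out, pos = bytearray(), 0
    while True:
        line_end = data.index(CRLF, pos)
        size = int(data[pos:line_end].split(b";")[0], 16)
        if size == 0:
            return bytes(out)
        start = line_end + 2
        out.extend(data[start:start + size])
        pos = start + size + 2   # skip the CRLF that follows the chunk data


def parse_reqmod(data: bytes) -> Tuple[Dict[str, str], bytes, bytes]:
    """Split a REQMOD message into (icap headers, http header block, de-chunked body),
    the view the DLP server has before applying its policies."""
    head, _, rest = data.partition(CRLF + CRLF)
    lines = head.decode().split("\r\n")
    icap_headers = {"request": lines[0]}
    for line in lines[1:]:
        k, _, v = line.partition(":")
        icap_headers[k.strip().lower()] = v.strip()
    offsets = {}
    for item in icap_headers["encapsulated"].split(","):
        k, _, v = item.strip().partition("=")
        offsets[k] = int(v)
    if "req-body" in offsets:
        http_hdr, chunked = rest[:offsets["req-body"]], rest[offsets["req-body"]:]
        return icap_headers, http_hdr, dechunk(chunked)
    return icap_headers, rest[:offsets["null-body"]], b""


if __name__ == "__main__":
    sample = build_reqmod("icap://dlp.example.invalid/reqmod", "dlp.example.invalid",
                          "POST /upload HTTP/1.1",
                          {"Host": "files.example.invalid", "Content-Type": "text/plain"},
                          b"report=confidential")   # constructed body
    print(sample.decode())
```

The offsets are what make the message unambiguous to the receiver: a parser that trusts the Encapsulated header but does not validate it against the actual length is a common source of desynchronization between proxy and DLP server.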

Roaming-User Protection
Integrates with AnyConnect and Cisco ISE for VPN usage.

Centralized Management and Reporting
A centralized management tool to control operations, manage policies, and view reports. Cisco® Web Security Reporting Application is a reporting solution that rapidly indexes and analyzes logs produced by Cisco Web Security Appliances (WSA) and Cisco Cloud Web Security (CWS).

Flexible Deployment
Available as a physical appliance or as a virtual appliance; both versions can interact with one another.

Deployment:
Two deployment options are available:
  • Explicit mode (proxy automatic configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings)
  • Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers)

Licenses:

  • Cisco Web Security Essentials
    • Threat Intelligence via Cisco Talos
    • Layer 4 traffic monitoring
    • Application Visibility and Control (AVC)
    • Policy management
    • Actionable reporting
    • URL filtering
    • Third-party DLP integration via ICAP
  • Cisco Anti-Malware
    • Real-time malware scanning
  • Cisco Web-Security Premium
    • Web Security Essentials
    • Real-time Malware Scanning
  • Advanced Malware Protection
    • AMP augments anti-malware detection and blocking capabilities with file reputation scoring and blocking, static and dynamic file analysis (sandboxing), and file retrospection for continuous analysis of threats.
  • Cognitive Threat Analysis
    • CTA relies on advanced statistical modeling and machine learning to independently identify new threats, learn from what it sees, and adapt over time
  • McAfee Anti-Malware
    • McAfee real-time malware scanning is available as a single, a-la-carte license.