SMTP AND ESMTP INSPECTION feature in Cisco ASA
Internet-based e-mail systems have been widely known to be an easy way of hacking
into your network. The reason is that these e-mail systems are based on SMTP (Simple
Mail Transport Protocol) and ESMTP (extended SMTP), which are well documented.
However, many extensions have been added, including proprietary extensions by certain
vendors. Sendmail is one of the more popular UNIX SMTP e-mail systems, and its
source code is open to the public, which means that hackers have spent a lot of time
figuring out the weaknesses in this application.
SMTP and ESMTP Inspection Features
To prevent e-mail attacks, appliances implement ESMTP inspection by default. Prior to
version 7, only the SMTP protocol was supported. Staring in version 7, ESMTP was added.
This feature only allows certain SMTP commands or messages, defined in RFC 821,
section .4.5.1, and certain ESMTP commands on an e-mail connection. All other commands
in SMTP connections are changed to Xs, which the internal e-mail server will
reject. Supported SMTP commands include DATA, HELO, MAIL, NOOP, QUIT, RCPT,
and RSET. Supported ESMTP commands include AUTH, EHLO, ETRN, HELP, SAML,
SEND, SOML, and VRFY.
Other security features are also implemented to protect the e-mail server, including
the following:
· Mask the e-mail server banner to asterisks (“*”) to hide/obfuscate the banner, which might give information to the hacker about the type of e-mail server you are using.
· Monitor e-mail commands and responses and the sequence they occur in to make sure that the e-mail connection is acting according to the RFCs.
· Look for a pipe (“|”) in a MAIL or RCPT command and close the e-mail session. (This was a bug in some e-mail implementations that allowed hackers to have the e-mail server execute programs and redirect the output.)
· Create an audit trail of specified actions against the e-mail.
NOTE:- SMTP and ESMTP inspection only applies to inbound (lower to higher level) traffic.
SMTP and ESMTP Policy Configuration
Layer 7 policy maps allow you to define policies about what you want to allow for e-mail
connections based on what is in the SMTP and/or ESTMP payload. Layer 7 class maps
are unsupported for further classification. When creating a layer 7 policy map for e-mail
inspection, you have the following commands available to you:
ciscoasa(config)#policy-map type inspect esmtp L7_policy_map_name
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# mail-relay domain_name action [drop-connection] [log]
ciscoasa(config-pmap-p)# mask-banner
ciscoasa(config-pmap-p)# exit
ciscoasa(config-pmap)# match body length gt bytes
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match body line length gt bytes
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match cmd RCPT count gt #_of_recipients
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match cmd line length gt bytes
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match cmd verb command1 […commandX]
ciscoasa(config-pmap-c)# [rate-limit #_per_second | drop-connection | reset] [log]
ciscoasa(config-pmap)# match ehlo-reply-parameter parameter
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match header length gt bytes
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match header line length gt bytes
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match header to-fields count gt #_of_recipients
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match invalid-recipients count gt #_of_recipients
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match [not] mime encoding type
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match [not] mime filename length gt bytes
ciscoasa(config-pmap)# match [not] mime filetype regex {class regex_class_name |regex_name}
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match sender-address length gt bytes
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
ciscoasa(config-pmap)# match [not] sender-address regex
class regex_class_name
ciscoasa(config-pmap-c)# [drop-connection | reset] [log]
Two options are under the parameters subcommand mode.
The mail-relay command allows you to restrict what domain name you’ll allow for your e-mail servers— this is used to prevent relaying of mail via a rogue server.
The mask-banner command obfuscates (changes) the server e-mail banner, thereby making it harder for an attacker to learn information about your server.
The remaining policies are configured with the match command. When executing this
command, you are taken into a second subcommand mode where you can specify your
policy: drop the connection, log the match, reset the TCP connection, and, with certain
match commands, rate-limit the e-mail commands sent on the connection.
Once you are done with your layer 7 policies, you must associate them with an
inspect esmtp command in a layer 3/4 policy map:
ciscoasa(config)# policy-map L3/4_policy_map_name
ciscoasa(config-pmap)# class L3/4_class_map_name
ciscoasa(config-pmap-c)# inspect esmtp [L7_policy_map_name]
SMTP and ESMTP Example Configuration
Let’s look at an example to illustrate how to use layer 7 policy maps with e-mail inspection.
I’ll use the following example:
ciscoasa(config)# regex BAD_SENDER1 @abc\.com
ciscoasa(config)# class-map type regex match-any BAD_SENDERS
ciscoasa(config-cmap)# match regex BAD_SENDER1
ciscoasa(config)# policy-map type inspect esmtp L7_EMAIL_MAP
ciscoasa(config-pmap)# match body length gt 35000
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap)# match sender-address regex class BAD_SENDERS
ciscoasa(config-pmap-c)# drop-connection
ciscoasa(config)# access-list email permit tcp any any eq 25
ciscoasa(config)# class-map L3_email_class_map
ciscoasa(config-cmap)# match access-list email
ciscoasa(config)# policy-map L3_outside_policy
ciscoasa(config-pmap)# class L3_email_class_map
ciscoasa(config-pmap-c)# inspect esmtp L7_EMAIL_MAP
ciscoasa(config)# service-policy L3_outside_policy interface outside
In this example, a regular expression (“abc.com”) is referenced in a regular expression
class map. The layer 7 ESMTP policy map (L7_EMAIL_MAP) will drop any e-mails that
have a body greater than 35,000 characters or an e-mail coming from “abc.com.” A layer
3/4 class map (L3_email_class_map) was created that looks for any inbound TCP port
25 connection. A layer 3/4 policy map (L3_outside_policy) is created to do inspection
of ESMTP, qualifying it with the layer 7 policy map. This is activated on the outside
interface of the appliance.
No comments:
Post a Comment