This article covers content security appliances; the previous article discussed SSL VPNs.
Content security appliances provide fine-grained control over email and web browsing for an organization’s users.
Cisco Email Security Appliance (ESA)
The Cisco Email Security Appliance (ESA) is a special device designed to monitor Simple Mail Transfer Protocol (SMTP). The Cisco ESA is constantly updated by real-time feeds from Cisco Talos, which detects and correlates threats and solutions by using a worldwide database monitoring system. This threat intelligence data is pulled by the Cisco ESA every three to five minutes.
In the figure, a threat actor sends a phishing email.
A threat actor sends an email through the Internet to a firewall on a network. Connected to the firewall is an ESA and a switch, which has a connection to a host representing a company executive. The firewall forwards the email to an ESA which then discards it. The email is not received by the company executive.
- Threat actor sends a phishing attack to an important host on the network.
- The firewall forwards all email to the ESA.
- The ESA analyzes the email, logs it, and discards it.
Cisco Web Security Appliance (WSA)
The Cisco Web Security Appliance (WSA) is a mitigation technology for web-based threats. It helps organizations address the challenges of securing and controlling web traffic. The Cisco WSA combines advanced malware protection, application visibility and control, acceptable use policy controls, and reporting.
Cisco WSA provides complete control over how users access the internet. Certain features and applications, such as chat, messaging, video and audio, can be allowed, restricted with time and bandwidth limits, or blocked, according to the organization’s requirements. The WSA can perform blacklisting of URLs, URL-filtering, malware scanning, URL categorization, web application filtering, and encryption and decryption of web traffic.
In the figure, a corporate user attempts to connect to a known blacklisted site.
A user on an internal network has a smartphone with a wireless connection to an access point. The access point is connected to a firewall which is connected to the Internet. Also connected to the firewall is a WSA. The user requests a connection to a blacklisted site. The request is sent to the firewall, forwarded to the WSA, and then discarded. The request never leaves the internal network.
- A user attempts to connect to a website.
- The firewall forwards the website request to the WSA.
- The WSA evaluates the URL and determines that it is a known blacklisted site. The WSA discards the packet and sends an access denied message to the user.
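The decision flow described above (blacklist check first, then allow, restrict by time, or block per category) can be modeled in a few lines. This is an added example, not code from Cisco or from the original article: the host names, categories, time window and function names are all constructed for illustration, and bandwidth limits are not modeled.

```python
from datetime import time
from urllib.parse import urlsplit

# Constructed sample policy data (not taken from any Cisco product or feed).
BLOCKED_HOSTS = {"malware.example", "phish.example"}
CATEGORY_OF = {"video.example": "video", "chat.example": "chat"}
# category -> (action, allowed time window); the window is used only for "restrict"
CATEGORY_POLICY = {
    "video": ("restrict", (time(12, 0), time(13, 0))),
    "chat": ("block", None),
}

def normalize_host(url):
    """Return the lower-cased hostname without a trailing dot, or None."""
    host = urlsplit(url).hostname  # drops userinfo and port, lower-cases
    return host.rstrip(".") if host else None

def matches(host, names):
    """Return the entry in names that equals host or is a parent domain of it."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return None

def evaluate(url, now):
    """Return (verdict, reason) for a request made at wall-clock time now."""
    host = normalize_host(url)
    if host is None:
        return ("deny", "unparseable URL")
    if matches(host, BLOCKED_HOSTS):
        return ("deny", "blacklisted site")
    key = matches(host, CATEGORY_OF)
    if key is None:
        return ("allow", "no policy match")
    category = CATEGORY_OF[key]
    action, window = CATEGORY_POLICY.get(category, ("allow", None))
    if action == "block":
        return ("deny", f"category {category} blocked")
    if action == "restrict" and not (window[0] <= now <= window[1]):
        return ("deny", f"category {category} outside allowed hours")
    return ("allow", f"category {category} permitted")
```

Matching on the parsed hostname rather than the raw URL string is what keeps a subdomain, mixed case, a trailing dot, or a misleading `user@` prefix from slipping past the blacklist.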