Manual Chapter: Configuring Security for SMTP Traffic

With the Protocol Security Module™, you can create a security profile to protect SMTP traffic. The SMTP security profile provides several security checks for requests sent to a protected SMTP server. When you enable a security check, the system either generates an alarm for, or blocks, any requests that trigger the security check. The available SMTP security checks:
- Disallow or allow some of the SMTP methods, such as VRFY, EXPN, and ETRN, that spam senders typically use to attack mail servers.
- Reject the first message from a sender, because legitimate senders retry sending the message, and spam senders typically do not. This process is known as greylisting. The system does not reject subsequent messages from the same sender to the same recipient.
You can configure security for SMTP traffic in two ways: use the default system configuration, or configure SMTP security manually, as required by your environment. For information on using the default system configuration, refer to Configuring SMTP security using the default system configuration. For information on configuring SMTP manually, refer to Configuring SMTP security manually.
The easiest way to initiate SMTP protocol security for your SMTP virtual server traffic is to use the system default settings. You do this by enabling protocol security for the system-supplied SMTP service profile, and then associating that service profile with a virtual server.
1. On the Main tab, expand Local Traffic, and then click Profiles.
   The Profiles: Services: HTTP screen opens.
2. From the Services menu, choose SMTP.
   The SMTP Profiles screen opens.
3. In the Name column, click smtp.
   The Properties screen for the system-supplied SMTP profile opens.
4. Select the Protocol Security check box to enable SMTP security checks.
   The system automatically associates a default SMTP security profile with the system-supplied SMTP service profile.
5. Click the Update button to save any changes you have made.
If the default system configuration does not meet the requirements of your environment, you can manually configure SMTP security and traffic management, as required.
SMTP service profiles optimize SMTP traffic in the LAN. The SMTP service profile uses the SMTP security profile to scan for vulnerabilities specific to the protocol.
Note: For more information about service profiles in general, refer to BIG-IP® Local Traffic Manager: Concepts.
1. On the Main tab, expand Local Traffic, and then click Profiles.
   The Profiles: Services: HTTP screen opens.
2. From the Services menu, choose SMTP.
   The Profiles: Services: SMTP screen opens.
3. Click the Create button.
   The New SMTP Profile screen opens.
4. For the Name setting, type a unique name for the profile.
5. For the Parent Profile setting, select the existing SMTP protocol from which you want the new profile to inherit settings. The default setting is smtp.
6. Select the Custom check box.
   The system activates the editing mode for the individual settings.
7. Select the Protocol Security check box to enable the SMTP security profile that you created.
8. Click Finished.
   The screen refreshes and displays the new SMTP service profile in the list.
The SMTP security profile provides the security settings that are applicable to the SMTP service. In the security profile, you also specify whether the Protocol Security Module sends violation log messages to a remote logging server. The remote logging configuration applies to all security profiles.
1. On the Main tab, expand Protocol Security, and then click Security Profiles.
2. On the menu bar, click SMTP.
   The SMTP Security Profiles screen opens.
3. Above the SMTP Security Profiles area, click the Create button.
   The New Security Profile screen opens.
4. In the Profile Name field, type a unique name for the profile.
5. Select the Remote Logging check box if you want to enable remote logging for this security profile.
   Note: The Remote Logging check box is only available if you have configured the remote logging server. See Configuring remote logging.
6. In the Defense Configuration area, you can enable the blocking policy settings for the security profile violations. If you do not check either Alarm or Block for a violation, the system does not perform the corresponding security check. The online help describes each of the settings.
   - Check Alarm if you want the system to log any requests that trigger the security profile violation.
   - Check Block if you want the system to block requests that trigger the security profile violation.
   - Check both Alarm and Block if you want the system to perform both actions.
   Tip: In the configuration area, point to the Info icon next to each violation for a description of the violation.
7. For the Virus Detection setting, select or clear the Alarm and Block check boxes as required.
   - Select Alarm if you want the system to log email requests that trigger the Virus detected violation, and display them on the Protocol Security Statistics screen.
   - Select Block if you want the system to block email requests that trigger the Virus detected violation.
   - Select both Alarm and Block if you want the system to perform both actions.
8. Click Create.
   The screen refreshes, and you see the new security profile in the list.
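As an added illustration (not F5 code and not part of the original manual), the following Python sketch models the Alarm/Block semantics from step 6 together with the method and greylisting checks listed at the start of the chapter. Class, field, and violation names are hypothetical, and greylisting is simplified to a sender/recipient pair with no retry timer.

```python
from dataclasses import dataclass, field

@dataclass
class Check:
    alarm: bool = False  # log the request
    block: bool = False  # reject the request

@dataclass
class SmtpSecurityProfile:
    method_check: Check    # hypothetical field names for this sketch
    greylist_check: Check
    disallowed: frozenset = frozenset({"VRFY", "EXPN", "ETRN"})
    seen: set = field(default_factory=set)   # sender/recipient pairs met before
    log: list = field(default_factory=list)  # what Alarm would record

    def _violation(self, check, name, detail):
        # Neither flag set: nothing is logged or blocked, i.e. no check at all.
        if check.alarm:
            self.log.append((name, detail))
        return "blocked" if check.block else "passed"

    def on_command(self, line):
        verb = line.split(" ", 1)[0].upper()
        if verb in self.disallowed:
            return self._violation(self.method_check, "disallowed method", line)
        return "passed"

    def on_envelope(self, sender, recipient):
        pair = (sender.lower(), recipient.lower())
        enabled = self.greylist_check.alarm or self.greylist_check.block
        if not enabled or pair in self.seen:
            return "passed"  # check off, or a retry / later message for a known pair
        self.seen.add(pair)
        return self._violation(self.greylist_check, "greylisting", pair)

def demo():
    # Constructed events, not captured traffic.
    p = SmtpSecurityProfile(Check(alarm=True, block=True), Check(block=True))
    results = [
        p.on_command("EHLO mail.example.org"),
        p.on_command("VRFY postmaster"),
        p.on_envelope("a@example.org", "b@example.com"),  # first attempt
        p.on_envelope("a@example.org", "b@example.com"),  # retry
        p.on_envelope("a@example.org", "c@example.com"),  # new recipient
    ]
    return results, p.log
```

With Block set and Alarm clear on the greylisting check, the first attempt is rejected without a log entry, which is worth remembering when the Statistics screen shows no greylisting violations.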
To add anti-virus protection for email, you need to configure the Protocol Security Module to act as an ICAP client, and make sure the SMTP profile has anti-virus options selected. When configured, the system prompts an external ICAP server to inspect email and email attachments for viruses before releasing the content to the SMTP server. Email that contains a virus triggers the Virus detected violation if you check either Alarm or Block for that violation.
1. On the Main tab, expand Protocol Security, point to Options, and click AntiVirus Protection.
   The Anti-Virus Protection screen opens.
2. For the Server Host Name setting, type the ICAP server host name in the format of a fully qualified domain name.
   Provide either the server's host name or IP address. To use host name only, first configure a DNS server (System > Configuration > Device > DNS).
3. For the Server IP Address setting, type the IP address of the report server.
4. For the Server Port Number setting, type the port number of the ICAP server or use the default value, 514.
5. If you want to perform virus checking even if it may slow down the web application, select the Guarantee Enforcement check box.
6. Click Save to save the ICAP server configuration.
7. On the menu bar, click Advanced Configuration.
   The Advanced Configuration screen opens showing internal parameters.
8. Ensure that the values of the icap_uri and virus_header_name internal parameters correspond to your ICAP server's settings.
   By default, the system supports an ICAP server with McAfee anti-virus protection. If your company uses a different ICAP server, update the parameters and save your changes.
9. On the Main tab, point to Security Profiles, then click SMTP.
11. Near the bottom of the screen, for the Virus Detection setting, select the Alarm and Block boxes as required.
   - Select Alarm if you want the system to log email requests that trigger the Virus detected violation, and display them on the Protocol Security Statistics screen.
   - Select Block if you want the system to block email requests that trigger the Virus detected violation.
   - Select both Alarm and Block if you want the system to perform both actions.
12. Click Create to create a new profile, or Update to update an existing one.
Modifying associations between SMTP service profiles and SMTP security profiles
When you enable the Protocol Security setting on an SMTP service profile, the system automatically assigns the first-listed SMTP security profile to the service profile. If you have more than one security profile configured, you can change the associations on the Profiles Assignment screen in the Protocol Security Module. On the Profiles Assignment screen, you can review the current associations, including the SMTP service profile, the virtual server that uses the service profile, and the SMTP security profile.
1. On the Main tab, expand Protocol Security, and then click Profiles Assignment.
   The Profiles Assignment: HTTP screen opens.
3. In the Assigned Security Profile column, for each service profile, select the SMTP security profile that you want the service profile to use.
4. Click Save to retain any changes you may have made.
Note: If you have not yet created a virtual server that uses the SMTP service profile, no virtual servers appear in the list.
You configure a local traffic virtual server and a default pool for the SMTP servers, and associate the SMTP service profile that you created. This automatically associates the SMTP security profile with the virtual server. The result is that when the virtual server receives SMTP traffic, the SMTP security profile in the Protocol Security Module scans the SMTP traffic for security vulnerabilities, and then the local traffic virtual server load balances any traffic that passes the scan.
Note: For more information about virtual servers in general, refer to BIG-IP® Local Traffic Manager: Concepts.
1. On the Main tab, expand Local Traffic, and then click Virtual Servers.
   The Virtual Servers screen opens.
2. Click the Create button.
   The New Virtual Server screen opens.
3. For the Name setting, type a unique name for the virtual server.
4. For the Destination setting, select the type, and type an address, or an address and mask, as appropriate for your network.
5. For the Service Port setting, either type 25 in the field, or select SMTP from the list.
6. Next to Configuration, select Advanced.
   The screen refreshes, and displays additional configuration options.
7. For the SMTP Profile setting, select either the system-supplied profile (smtp), or the profile that you created.
8. For the SNAT Pool setting, if your network configuration requires address translation, select Auto Map.
9. In the Resources area, for the Default Pool setting, click the Create button.
   The New Pool screen opens.
10. On the New Pool screen, in the Configuration area, for the Name setting, type a unique name for the pool.
11. In the Resources area, for the New Members setting, you can add members to the pool by typing the IP addresses and ports, or by selecting addresses from a list.
   - Select New Address to type the address and port of any SMTP servers that you want to add to the configuration. (Note that the system automatically adds them as nodes, too.)
   - Select Node List to select addresses from a list of servers that already exist in the local traffic configuration.
12. For the Service Port setting, select SMTP from the list.
13. Click the Add button to add each node or address to the New Members list.
14. Click Finished.
   The screen refreshes, and returns you to the New Virtual Server screen. The new pool should be listed in the Default Pool setting.
15. Click Finished on the New Virtual Server screen.
   The screen refreshes, and you see the new virtual server in the list.
The system is now ready to scan SMTP traffic for vulnerabilities common to that protocol. See Reviewing violations statistics for SMTP security profiles, for information on reviewing the SMTP security attacks that the system detects.
After you finish configuring the system and traffic is flowing to the SMTP server, the Protocol Security Module provides statistics and other information about requests that trigger SMTP security violations. If you have enabled the Alarm flag for a violation, and an incoming request triggers a violation, the Protocol Security Module logs the request, which you can review from the Statistics screen. If you have enabled the Block flag for any of the SMTP security violations, then the Protocol Security Module blocks the request.
Important: The Protocol Security Module stores security violations in system memory rather than on disk. As a result, if you are using a redundant system configuration, the violations data does not replicate to the other unit when you perform the ConfigSync operation.
1. On the Main tab, expand Protocol Security, then click Statistics.
   The Statistics screen opens listing HTTP, FTP, and SMTP violations and the number of occurrences.
2. For violations that the system has detected, the violation name becomes a hyperlink. Click the link to see details about the offending requests.
3. On the Statistics screen, in the left column, you can review information regarding the SMTP traffic volume.