How Does FortiMail Really Work?

Captions
Welcome to the channel. My name is Samuel Barlass, and here we talk about networking and cyber security. Of course, first things first: all opinions in this video are my own and do not necessarily reflect the opinions of my employers past, present or future, anyone else on the planet, or anyone in the universe, just in case there's intelligent life outside of the planet.

So I want to talk a little bit about FortiMail. I want this to kind of be an overview, whether you have it today and you're looking to understand and maybe change some things that you're doing today, or maybe you're looking to evaluate FortiMail for your organization. Either way, I want to help you make an informed decision that's best for your organization. So we'll jump right in to the FortiMail email flow and how FortiMail processes email.

First thing is access control, and really the big thing here is going to be relay control, right? So we have an implicit policy that's going to say if the domain is explicitly configured in FortiMail, we're going to pass the information, which means most enterprises are going to be okay with just the implicit policy: we're not going to relay random internet strangers' emails. Now we can get more granular if we want to; maybe if we have an MSP or ISP environment, we have lots and lots of domains behind our FortiMail, we have the options there. Typically most enterprise environments, right, are not going to dig into that.

So after it passes that, assuming it does, we're going to go to the IP policy, where the big thing here is going to be our session profile. Session profile, you know, if we're looking for server reputation, if we're looking for things like SMTP header, maybe we're seeing lots of traffic we want to block, you know, overwhelming FortiMail from one particular server, we can do all that right here in IP policy under the session. Now we can have other things like antivirus, anti-spam, content, etc. Typically if we have our exclusive flag we can set these, but typically we would do that after the session policy in our recipient policy. So when we're talking about IP policy, obviously we're filtering by IP; we're looking at the server we're receiving it from, whereas recipient policy can be a lot more granular for an enterprise environment, whereas the IP policy again, if we're an MSP, if we're in front of a bunch of tenants, we may want kind of more generic stuff, and we could have that exclusive flag that will add antivirus, anti-spam, whatever, here.

Now we get to the recipient policy. Now if we don't have this exclusive flag, we're going to implement all of our, you know, content inspection, our antivirus. We also have DLP, so if we're looking to maybe encrypt some credit card information, Social Security numbers, etc., or deny it, we can do that there. If we're looking at antivirus, which, you know, we use FortiGuard information to, you know, do a scanning: they use these known-bad signatures, the same signatures you're getting, right, we get all the same telemetry, we can leverage that. Plus, on top of that information, we have heuristics, so, right, we can use some heuristics in order to detect if something's malicious. Now we can also go and send a file to NDR or sandbox. Now it's important to know that, specifically for the NDR, I'm not sure if we have third-party sandbox integration or not, not sure, but I know it's just FortiNDR on the NDR side. So FortiNDR has a neural network so that we can scan very, very quickly with very high accuracy, not as high as a full-featured sandbox, but much quicker; that's the benefit there. Because we see in some environments with the sandbox inline it takes minutes to get to the end user, and if you have a situation like, say, at a car dealership where someone's sitting across and they're trying to make a sale and they have to send insurance information and all this other information via email, if that takes several minutes, that may encourage those end users to try to find an alternate method that is not protected by all of this, right? And then we run into that issue of, well, now we're relying on another layer of security, hopefully some endpoint security, instead of, you know, all the security we have built in here that we're able to leverage. So, you know, having that balance of convenience and security of course is always a struggle for organizations, but something to keep in mind for sandbox or NDR possibilities there.

The other thing is anti-spam, and this is where a lot of the filtering that is modified within organizations is really going to be, in anti-spam, right? Antivirus, it's pretty straightforward: we're going to want to turn most of that, if not all of it, on, and utilize NDR or sandbox if you can. Anti-spam, there's lots and lots of options in there; that's where I think the bulk of the configuration in FortiMail is going to be for most enterprises. So within the anti-spam profile we can do things like DMARC, DKIM, SPF checking, right, and we can say, hey, you know, if it fails then we'll take an action. Well, before you know what action, there's two different kinds of actions. There's a final action, stuff like, you know, redirect, we want to send it to a different mailbox, right; we could drop it; we could deny it, there's another term for that I don't remember off the top of my head; or you could send a message saying, hey, you know, we didn't deliver this. We also have quarantine, right, and that could be at the system level or user level, now depending on where it is, right. So antivirus, for example, you can't do a user quarantine; you have to do system quarantine. That's because we want to protect our users, right, we don't want them to accidentally click on a virus that we detected, right.

So okay, we have some final actions; we have some non-final actions as well, and really the one I want to focus on is the subject. So we can add something to the subject, for example, if it fails DMARC, DKIM, SPF, whatever, then we can go ahead and add "suspicious", and you can put whatever you want, right, but that's just kind of a good example. Okay, so that's good: we did a DMARC, DKIM, SPF check, it's suspicious, there's something going on. You know, maybe they're not a mature organization; maybe it's legitimate, right, maybe they just don't have these checks in place, which they should have, but, you know, not all organizations have even dedicated IT teams. Some, you know, they may have an MSP, or, you know, they may have just signed up for O365 and not everything was great. So, you know, we might not have all these in place for a legitimate organization. Well, what are our options? All right, we could quarantine it, we could drop it, whatever, but we could just mark it suspicious.

Okay, maybe we also have some URL filtering. Okay, so we get a URL, we want to scan the URL, right, we're nervous, we don't want to just, you know, let any URLs come in, because it could be phishing sites, right, they could lead the user to go sign in, whatever. We have a few options, right: we can actually layer the URL filtering. For example, we're saying, you know, hey, if it's known phishing, known malicious, then we're going to take the action of quarantine; I'm going to put "qtn" just to abbreviate there, quarantine. Okay, but if it's unknown, you know, it's a new link, maybe URL filtering actually picked it up, it's in a URL format but it's not a URL, then let's go ahead and mark the email as "suspicious URL", but this is not a final action, right, it's going to continue the processing.

So then we can go down to additional checks. Now these are some examples, right, there's lots of other checks we could do; I'm not going to go into all of it, right, but now we can go into heuristics. So with the heuristic scan, it's going to leverage Perl-based regular expressions from FortiGuard, so we're going to get this automatically; it's going to automatically update, we're not going to manually set a bunch of things. We could leverage heuristics in order to say, hey, we're going to look at that information and see if it aligns with what we would see from spam, from known spam, right. So we're finding some metrics, we're looking for similar metrics, right, patterns within the actual emails we're receiving. So we could say, hey, you know, if you fail the heuristic scan, yeah, let's go ahead and quarantine it; maybe we want to system quarantine, whatever option we have, drop it, whatever option you want, right, completely up to you. Me, in my environment, most of the time I would rather user quarantine because they'll be able to self-remediate, but, you know, each organization has their own preference.

So again, you know, if we fail DMARC we can add "suspicious" to the subject line; if it has a bad URL, "suspicious URL" if it's unknown; if we know it's malware, right, we can go ahead and quarantine it, just make that easy; same if we know it's phishing. But if it's unknown, maybe we can add a "suspicious URL", and then we can, on top of that, you know, add additional checks, right, whatever other checks we want. But we could also, again, do any of these final actions here; we could say, hey, if DMARC or DKIM fails, just go ahead and put it in quarantine automatically. So I've been at some organizations where just about everything from the outside went into quarantine, user quarantine. So, you know, just keep that in mind: we have lots and lots of options, lots of granularity within FortiMail.

So I hope this has been helpful and informative. If you have any questions, feel free to drop them in the comments down below, reach out, what have you. So I'm going to try to put videos somewhere that might be also helpful to you, go over maybe some other solutions, maybe some other concepts that are in the networking and cyber security space that hopefully will be helpful to you guys. And if you have any content that you think would be valuable that I don't have, feel free to reach out, put a comment in the description below, and reach out personally and say, hey, I'd really love to see a video on this; I'd love to help you guys some more. So with that, have a great day.
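The final-versus-non-final action semantics walked through above (subject tagging continues processing, quarantine and drop stop it, and an antivirus hit can only go to system quarantine), modeled as an added Python example; this is not FortiMail's code or configuration, and the check order, action names and tag strings are assumptions chosen to mirror the video's examples.

```python
"""Constructed model of a recipient-policy pipeline with final and non-final actions."""
from dataclasses import dataclass, field

TAG = "tag_subject"  # non-final action: record a subject tag, keep processing
FINAL_ACTIONS = {"quarantine_user", "quarantine_system", "drop", "redirect"}


@dataclass
class Message:
    subject: str
    auth_pass: bool        # combined DMARC/DKIM/SPF outcome (assumed input)
    url_verdict: str       # "clean", "unknown", "phishing" or "malicious"
    heuristic_spam: bool   # result of the heuristic scan
    av_hit: bool           # antivirus matched a known-bad signature


@dataclass
class Verdict:
    final_action: str = "deliver"
    tags: list = field(default_factory=list)
    subject: str = ""


def check_antivirus(m):
    # AV hits must use system quarantine so the user never gets to click it.
    return ("quarantine_system", "antivirus") if m.av_hit else None


def check_auth(m):
    # Auth failure is only tagged: the sender may simply lack DMARC/DKIM/SPF.
    return (TAG, "suspicious") if not m.auth_pass else None


def check_url(m):
    # Layered URL filtering: known bad is final, unknown is tagged and continues.
    if m.url_verdict in ("phishing", "malicious"):
        return ("quarantine_user", "known " + m.url_verdict + " URL")
    return (TAG, "suspicious URL") if m.url_verdict == "unknown" else None


def check_heuristics(m):
    return ("quarantine_user", "heuristic spam") if m.heuristic_spam else None


CHECKS = [check_antivirus, check_auth, check_url, check_heuristics]  # assumed order


def evaluate(m):
    v = Verdict()
    for check in CHECKS:
        result = check(m)
        if result is None:
            continue
        action, detail = result
        if action == TAG:
            v.tags.append(detail)       # non-final: accumulate and move on
            continue
        assert action in FINAL_ACTIONS
        v.final_action = action         # final: stop the pipeline here
        break
    v.subject = "".join(f"[{t}] " for t in v.tags) + m.subject
    return v
```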
Info
Channel: Samuel Barlass
Views: 864
Id: rvQy67sytVs
Length: 11min 25sec (685 seconds)
Published: Tue Jul 18 2023