
Ironport
The built-in admin account cannot be disabled (the same problem as with MARS), and there are no password complexity requirements yet (planned for version 7.5).
User authentication for all other users can be pointed at LDAP/Active Directory/RADIUS.

* When RADIUS external authentication is enabled, local user accounts are disabled. If all RADIUS services fail, local user accounts will be used for authentication.
Activating RADIUS works and is pointed to the TACACS server, but this did not disable the local admin account.
He had several other questions that I was not able to answer. 

Could you please help answer these initial questions:

What OS are the Ironport appliances based on, and what patch levels are the service components running at? Is there access to the base system via the console or SSH?

AsyncOS is a custom, purpose-built, hardened OS. There is no access to the base OS by the customer through the serial console or through SSH. There is no keyboard/monitor connectivity to the appliance. Customer Support and software developers do have access to the underlying OS for advanced troubleshooting, but access to SSH, a support tunnel, or serial connectivity must be granted by the customer.


For messages/data that are stored locally (i.e. quarantined messages and such), are they encrypted? If so, how are the keys for encryption/decryption managed and protected?

Let me dig on this one…


For local accounts is there a way to specify password complexity rules, reuse, expiration etc?

Not yet. This is coming in the Encore release – May/June timeframe. This was on the slide I showed you during our brief WebEx chat.


We did a basic test to see if message body text that might contain credit card information gets written to log files and did not find any problems. Do you know if there are cases where it would, or any other data locations?

There are over 20 different logs on the ESA. None of them contain any PII (Personally Identifiable Information). HOWEVER – it *is* possible for customers to create a Message Filter via the CLI that could log a message containing PII to a custom mbox log file. This would be something the customer would have to configure to happen and is something that is *NOT* going to happen by the default rules, filters, or logging on the appliance.


For the various logs that are written, there are only the 5 simplified levels to choose from. Is there an explanation of what information each of those levels includes?

All of this is in the product documentation, which can be found here: https://private.ironport.com/pm/docs/product/#esa

https://private.ironport.com/pm/docs/product/7.3Email/ESA_7.3_Daily_Management_Guide.pdf page 5-208
