ca - cisco ironport c370 product assessment
Summary
Buying Criteria
Current Perspective
The IronPort C370 is threatening to competitors, because the leading e-mail security appliance provides advanced threat prevention, blocks viruses and spam, and enforces corporate e-mail policy. The product, built on the IronPort AsyncOS operating system, includes best-of-breed anti-spam technology, context-sensitive detection capabilities, data loss prevention, onboard e-mail encryption, and solid reputation and scoring intelligence stemming from a broad and diverse customer base. IronPort, a Cisco business unit since its acquisition in January 2007, is one of the leading providers of e-mail and Web security for customers including ISPs, enterprises, and SMBs, protecting over 400 million mailboxes in more than 30,000 customer accounts worldwide. IronPort is a pioneer in this industry with significant brand recognition. The IronPort C370 is targeted at medium-sized enterprises with 2,000 to 10,000 users, but it can handle traffic for many more depending on mail volumes, making it a very high-performance appliance for the price. Key strengths include the product’s accuracy via the use of IronPort Anti-Spam (IPAS), which leverages IronPort’s mature reputation filters, based on SensorBase e-mail traffic monitoring service data. IronPort has extended its e-mail reputation filtering to include Web reputation to provide customers with timely Web information based on the activities of various hosts on the Internet, also leveraging information from SensorBase. In 2008, the company enhanced its Web Reputation filters with the addition of URL Outbreak Detection and Botsite Defense. In 2009, Cisco added both a managed secure messaging services option and hybrid cloud/premises form factor to its secure messaging line, although uptake has been slower than expected.
Product Assessment: Cisco - IronPort C370
Report Date: January 13, 2011
Analyst: Musich, Paula
Service: Hot Topics, Business Technology and Software
Market: Enterprise Security, Enterprise Security
Class: Secure Messaging
Current Perspective:
Although the hosted model is still in its infancy, Cisco believes that a third of the overall secure messaging market will adopt it; the model appeals more to SMBs. Cisco will be challenged, however, to make its service cost-competitive.
Strengths and Weaknesses
Point and Counterpoint
• The IronPort C370 includes solid accuracy through IronPort Reputation Filtering, a leader in the industry that relies on the SensorBase Network security database, based on about 700,000 organizations that track spammers and identify bad URLs. Reputation Filtering often blocks more than 90% of incoming e-mail at the initial connection and without the need for contextual review.
• IronPort is addressing customers’ compliance requirements through data leakage protection for structured data in motion, integrated encryption, and quarantine capabilities. The DLP add-on, based on market-leading technology from RSA, has been well received by customers, especially in the financial services and medical vertical markets. The DLP option, which complements IronPort’s existing encryption, has achieved attach rates of between 32% and 36% per month.
• IronPort has made good strides in recruiting partners from Cisco’s massive sales channel. With Cisco’s backing and the help of its channel partners, Cisco grew its content security revenue in the third quarter of 2010 by 30 percent, according to Infonetics Research, with secure messaging making up about half of that increase.
• The IronPort C370 benefits from the consolidated threat correlation provided by Cisco’s Security Intelligence Operations. It gathers and correlates threat data from not only web and messaging security products in the field, but also Cisco IPS and firewall products. That allows Cisco to examine and mitigate a much larger range of threats.
• IronPort does not include instant messaging (IM) protection along with its e-mail security and Web security offering, trailing behind competitors such as McAfee with its Secure Computing/CipherTrust acquisition and best-of-breed secure messaging provider Proofpoint, both of which have been offering IM protection for some time.
• IronPort lacks integrated e-mail archiving.
• Support in the IronPort C370 for integrated data leakage prevention monitoring was late to market compared to Cisco’s primary secure messaging competitors.
• IronPort secure messaging appliances are typically more expensive than those of rival vendors.
• Some organizations believe that the best services out there for e-mail security are actually hosted solutions, coming from companies such as Google/Postini and Symantec/MessageLabs.
• What customers are looking for is a managed solution, something on which they do not have to spend time, and IronPort is a managed solution in a box. Be it an appliance form factor, a software form factor, or a hosted service form factor, a bad spam engine is a bad spam engine.
Strengths Weaknesses
Point Counterpoint
Anti-spamming Functionality
• IronPort C370 provides protection from a range of known threats including spam, phishing, and virus outbreak attacks, as well as protection from short-lived/hit-and-run attacks and image spam. The product relies on the best-of-breed IronPort Anti-Spam engine. It includes anti-virus technology from McAfee and Sophos and IronPort’s own Virus Outbreak Filters (VOF). IronPort has no plans to add to, subtract from, or otherwise change its AV partners.
• IronPort’s anti-spam technology is based on the IronPort Reputation Filters, which claim to stop up to 90% of incoming spam at the connection level. The filters are linked to IronPort’s SensorBase network security database, which analyzes and scores incoming e-mail’s IP addresses before allowing, throttling back, or rejecting the message. SensorBase is a key differentiator because its effectiveness is based on its broad bank of e-mail traffic coming from a large and diverse collection of customers, along with data from thousands of additional
If users are spending a lot of time searching through a quarantine and looking for important messages that were lost, then it does not matter if it was an appliance or a service. In either case, that is not a managed solution which is driving down a user’s cost and making their business more effective. At the same time, Cisco is working to ramp up its new hosted message security services to exploit the faster growth rates in that form factor.
• IronPort’s appliance is expensive to manufacture and sell, which presents a competitive opportunity for other companies.
• When users examine the pricing models IronPort has introduced, including the bundles for companies with up to 5,000 users, that is not an issue anymore. IronPort has an appliance that costs $99,950, but that is a carrier-grade platform supporting ISPs with tens of millions of users. For individual companies that price-out the product over three years, taking into account the cost of management, subscription costs, hardware, and headcount, IronPort comes out on par with pretty much all the other solutions out there (and definitely with the managed services). In addition, IronPort has the reputation of being a premium product.
• Large security vendors competing in this space, such as Symantec, tout a larger, globally based research and response team better able to respond to security threats.
• When it comes to accuracy, IronPort Anti-Spam has low false-positives, but it also has new technology in Web reputation that makes it more effective in stopping things such as image spam, which has been a huge problem for customers. IronPort filters more than 3 trillion messages each month, maintains more than 1 million spamtraps, and manages eight security operations centers worldwide.
Buying/Selecting Criteria
contributors. Therefore, while some competitors also use reputation data filtering, IronPort’s is considered one of the largest in the industry.
• In response to the evolving spam/malware threat, IronPort’s Web reputation technology rates Web links in e-mails to increase protection against junk mail and links to malicious sites. The reputation technology performs a number of checks on the Web links included in an e-mail and provides a score, based on IP addresses, host names, and URLs, on information gleaned from SensorBase. IronPort has added what it calls URL Outbreak Detection and Botsite Defense to its Web reputation services.
• IronPort was one of the first anti-spam providers to begin including protection from image spam, a continuing threat in the anti-spam battle. Protection is provided through IronPort’s Context Adaptive Scanning Engine (CASE), which examines the complete context of a message. The scanning engine protects against “rapid start” spam attacks.
Architecture
• The IronPort appliances are positioned at the network perimeter and powered by IronPort's proprietary operating system, AsyncOS, which allows each appliance to support more than 10,000 simultaneous connections. The operating system is built on a UNIX-based kernel.
• The AsyncOS is designed to allow multiple processes to run in parallel on different processors, allowing the software to exploit advances in multi-core processing. Competing secure messaging platforms run through a single CPU or process at a time and cannot fully exploit the horsepower of multi-core processors.
• IronPort includes an update service to ensure the anti-spam appliances are running the most up-to-date anti-spam and anti-virus engines. This eliminates the need for ongoing tuning and maintenance to ensure timely protection. The C370 will also check for operating system updates and provide a simple function to install them.
• The IronPort appliances support a unique rate-limiting capability, which strategically slows down suspicious senders, reducing the spam and malware while avoiding the risk of false-positives.
• The IronPort C370 starts at $29,950 for hardware, support, and anti-spam updates for one year for 1,000 to 5,000 users. Special pricing is available for government and educational organizations, and three-year contracts are available.
• Cisco supplements its enterprise-focused C370 appliances with the scaled-down C160 appliance for SMBs as well as new hosted secure messaging services and a hybrid form factor.
Management Features
• IronPort C370 is an enterprise networking device, so the product comes with full management capabilities including SNMP support, a full command line interface, and a Web user interface. Additionally, the product uses a unique centralized management feature, which includes a peer-to-peer architecture so users do not need a separate management host. Instead, every unit talks to every other unit, so there is no single point of failure for managing clusters and groups of appliances.
• IronPort supports a number of APIs for its mainly large enterprise customer base, in order to ease integration of the appliance into IT management systems. So, for example, customers are able to use Tivoli to monitor the system and provisioning systems for updates. Every function is available through the Web UI as well, and the company has made efforts to make that easier to use with smaller customers in mind.
• IronPort provides at least 28 different reports as part of its real-time and centralized reporting capabilities. Reports are comprehensive; so, for example, one formatted report will include information on mail traffic history, composition of traffic (how much was spam, virus, cleaned), and where threats originated. Customers can subscribe to specific reports and review them through the integrated PDF output.
• IronPort’s E-mail Security Manager includes policy management capabilities, including best practices, providing the ability to write rules on inbound/outbound content based on subject, attachments, keywords, and dictionaries along with the ability to take action on those rules. Administrators can set user and group-level policies. A recent re-architecting of the CASE anti-spam rules engine allowed IronPort to double the performance for rules processing.
• The IronPort PXE encryption technology, integrated with content filters in the C-Series, supports encrypted e-mail delivery regardless of the recipients’ e-mail client. Although IronPort PXE is an extra-cost add-on to the C-Series appliances, about one third of secure messaging customers buy it.
• End users can access the IronPort Spam Quarantine to check and manage messages. Users have the ability to route missed spam directly to the IronPort Threat Operation Center for review using a Microsoft Outlook or Lotus Notes plug-in.
Vendor Support
• IronPort provides 24/7 support capabilities through its customer support organizations, delivered through several support centers based around the world. IronPort’s support and distribution arms have been drastically broadened since its acquisition by Cisco.
• IronPort’s Global Threat Operations Center publishes real-time rule updates to help guard against new spam and malware attacks and it includes research data for over 32 different languages.
• SensorBase data represents about a third of the world’s e-mail traffic, according to IronPort, and it represents data from more than 100,000 ISPs, universities, and corporations around the world.
• With the launch of its hosted secure messaging service, Cisco introduced an aggressive service level agreement that specifies five-nines availability. Some rivals only offer three-nines availability.
Anti-spam Performance
Messaging Security Functionality
Metrics
Claimed Effectiveness
>99%
Claimed Accuracy
< .000001%
Email Accounts/Volume Limits
No limits, the system is horizontally expandable and in production at numerous ISPs each with tens of millions of mailboxes
Encryption
Yes; includes message-level encryption with IronPort PXE and gateway-to-gateway encryption with TLS controls
DoS Attack Detection and Prevention
Yes, each appliance can handle 10,000 simultaneous connections and tracks and rate limits excessive connections from individual hosts and networks
DHA Attack Detection and Prevention
Yes, directory-integrated recipient validation with rate-limiting and tarpit functionality for DHA connections
SMTP Connection Management
Yes, advanced control for both inbound and outbound SMTP connections
Anti-spam Functionality
Header Analysis
Yes, Context Adaptive Scanning Engine (CASE) takes header composition and content into account when scanning messages.
"Reputation" Filters
Yes, SenderBase reputation data is used both for SMTP connection management and to improve the accuracy and effectiveness of IronPort Anti-Spam. On average, SenderBase Reputation Filters block more than 90% of the spam messages at connection level.
Heuristics
Yes, heuristic rules are generated automatically by machine learning systems and also published by analysts in IronPort's 24x7 Operations Center
URL Filters
Yes, SenderBase powers the next-generation Web Reputation System that tracks not just bad URLs but the infrastructure hosting these URLs
Content Scanning
Yes, message bodies, attachments, and embedded objects are scanned for spam, virus, and policy violations.
Real Time DNS Block List
Yes, block list information is incorporated into SenderBase reputation scores and administrators can choose to add 3rd-party blocklists.
Signatures
Yes, developed both by automatic rule as well as human rule-writers that cover 40+ languages worldwide
Custom Domain Safe/Block Lists
Yes, available on-box or from a centralized console
End User Safe and Block Lists
Yes
Keyword and Phrase Lexicon
Yes, including the ability to weigh different words and phrases appropriately
Bulkmail Checking
Yes, in both CLI and GUI
Bayesian Filtering
Yes, used by the Operations Center for spam engine training and message classification
Tuning necessary
No, all engine tuning is fully managed by IronPort with no work required of local administrators
Block Non-English Spam
Yes, with operational spam feeds from 40+ countries
Languages supported
All languages are supported with no restrictions. Languages in primary markets include: English, Arabic, Armenian, Basque, Belarusian, Bengali, Bulgarian, Catalan, Chinese (simplified & traditional), Croatian, Czech, Danish, Dutch, Estonian, Farsi/Persian, Filipino, Finnish, French, German, Greek, Georgian, Gujarati, Gurmukhi, Hebrew, Hindi, Hungarian, Icelandic, Indonesian, Italian, Japanese, Kazakh, Korean, Macedonian, Marathi, Malay, Norwegian, Polish, Portuguese, Romanian, Russian, Sinhala, Slovak, Slovene, Spanish, Swedish, Syriac, Tamil, Thai, Turkish, Ukrainian, Urdu, and Vietnamese.
Message Disposition Options
Anti-virus Filtering
Blocks Phishing Messages
Yes, including real-time Web reputation data from SenderBase
Realtime Look-up on Messages
The appliance does one real-time query to collect sender reputation data. All other data is pushed locally to the appliance to optimize performance.
Spam Filter Updates
Every five minutes per the default configuration. The update frequency can be adjusted in the configuration.
Number of New Rules/Day
Over 900,000
Outbound Anti-Spam
Yes, it is included as part of IronPort Anti-Spam.
Message Disposition
Deliver, Drop, Bounce, Quarantine, Annotate Subject, Add Custom Header, Redirect, Archive, Encrypt
Central/End-user Quarantine
Yes, End-User Quarantine available both on-box as well as on a centralized management appliance
Email Digest Sent to Users
Yes, with configurable templates
Release Quarantine w/Email Digest
Yes, End-User Quarantine available both on-box as well as on a centralized management appliance
Configurable Scoring Sys for Spam
Yes, with scores from 1 to 100 for both Positive and Suspect spam
Configurable at Group/User Level
Yes
Disposition Configurable
Administrator
Antivirus Signature Supplier(s)
IronPort Virus Outbreak Filters for preventive protection, Sophos and McAfee Anti-Virus for reactive signature-based scanning
Virus Protection
Yes
End User Controls
Administration
Virus Filter Updates
Every five minutes per the default configuration. The update frequency can be adjusted in the configuration.
Mass-mailing Worm Auto Deletion
Yes
Virus Signature Updates
Outbreak signatures and Sophos and McAfee signature updates are updated directly via Cisco IronPort.
Attachment type Filter by Extension
Yes
Emerging Threat Detection
Yes, with IronPort Virus Outbreak Filters (VOF)
Message Content/Subject Filter
Yes
Outbound Anti-virus
Yes, no extra charge
End User Access to Quarantine
Yes, through the e-mail digest or through the Web interface
End User Mgmt of Safe/Block List
Yes, through the e-mail digest or through the Web interface
End User Mgmt of Spam Policy
End users can white and blacklist certain e-mail addresses or domains and report spam that got through.
E-mail Aliases Supported
Yes, including support for LDAP aliasing
Policy Control Levels
Yes, all spam, virus, DLP, content, and remediation policies can be applied on a per-domain, group, or individual level through Email Security Manager.
Event-driven Alerts
Yes, through email and SNMP
Multiple servers/Single Mgmt Console
Yes. IronPort's Centralized Management uses a peer-to-peer architecture that eliminates any risk of a single point of failure for management.
GUI Web-based Mgmt Console
Yes, as well as a full command line interface (CLI)
Multiple Administrator Roles
Yes
Authentication Support
Content Filtering
Reports
Directory Support
LDAP/Active Directory supported for recipient validation, mail policy control, address rewriting, and mail routing
Automated/Manual Update Service
Directory requests are made automatically as needed and cached locally
Failover across Multiple Servers
Yes, through DNS MX records
Proprietary MTA or 3rd Party
Proprietary AsyncOS MTA
SPF Support
Yes, for both inbound and outbound mail. Plus, SenderBase incorporates e-mail authentication data into its reputation scores.
Sender ID Support
Yes, for both inbound and outbound mail. Plus, SenderBase incorporates sender ID data into its reputation scores.
Domain Keys Support
Yes, for inbound and outbound mail, both DomainKeys and DKIM. Plus, SenderBase incorporates e-mail authentication data into its reputation scores.
Content Compliance
Yes, configurable through Content Filters and applicable at a domain, group, and individual level
Customize Content Filters
Yes, no extra charge
E-mail Part Inspection
SMTP connection, envelope, headers, body, attachments, and embedded objects
Attachment Filters (Content/File Type)
Both
Dictionary Filters
Yes
Custom Disclaimers
Yes
Attachment Blocking
Yes
Archiving
Yes
Notifications
Yes
Outbound Content-Filtering
Yes
Product Delivery Model
Pricing
Stored Reporting Data
Yes
Default Reports Available
26 integrated reports tracking over 120 different parameters
Published/Emailed Reports
Both, including PDF export
Database Type Supported
Embedded database for storage on the appliance, with APIs to retrieve data and store in any external storage
Single Database for Multi Servers
Yes, using the IronPort M-Series Appliance
Report Aggregation (All Servers)
Yes
Automatic Report Generation
Yes
Support for Auto-export of Logs
Yes, through FTP, SCP (push and pull), or Syslog
Form Factor
Appliance, cloud-based offering, hybrid
Other Form Factor Availability
No
Appliance Models
C160 - $6,950, up to 1000 users; C370 - $29,950, 1,000 to 5,000 users; C670 - $69,950, over 5000 users; X1070 - $99,950, carrier-grade platform. Sizing varies by customer traffic patterns. Bundle pricing available for up to 5,000 users; discounts available for educational and government customers.
Appliance Operating System
IronPort AsyncOS
Hardware Manufacturer
Dell
Operating Systems on Software
N/A
Price of Update Service Included
Yes
Major Product Upgrades Included
Yes
Support & Maintenance
Infrastructure
All materials Copyright 1997-2011 Current Analysis, Inc. Reproduction prohibited without express written consent. Current Analysis logos are trademarks of Current Analysis, Inc. The information and opinions contained herein have been based on information obtained from sources believed to be reliable, but such accuracy cannot be guaranteed. All views and analysis expressed are the opinions of Current Analysis and all opinions expressed are subject to change without notice. Current Analysis does not make any financial or legal recommendations associated with any of its services, information, or analysis and reserves the right to change its opinions, analysis, and recommendations at any time based on new information or revised analysis.
Current Analysis, Inc.
21335 Signal Hill Plaza, Second Floor, Sterling, VA 20164
Tel: 877-787-8947
Fax: +1 (703) 404-9300
2-year List Price for 1,000 Users
Contact IronPort, pricing sold in 1 or 3 year increments
Anti-virus Pricing for Above
Contact IronPort, pricing sold in 1 or 3 year increments
2-year List Price for 5,000 Users
Contact IronPort, pricing sold in 1 or 3 year increments
Anti-virus Pricing for Above
Contact IronPort, pricing sold in 1 or 3 year increments
Other Options Available
Per-user, per-year modules include: IronPort Anti-Spam, Virus Outbreak Filters, Sophos AV, McAfee AV, Image Analysis, Multiscan, and Email Encryption. Also optional are spare appliances, training, and support.
Length of Warranty/Maintenance
One-year warranty; ongoing support covers hardware issues and software upgrades
24/7/365 Support
Yes
Response Centers Worldwide
Yes
Number of Honeypot Email Accounts
More than 1 million
Total Messages Filtered per Month
3 trillion
Number of Operations Centers
Eight
Current Analysis, Inc.
2 rue Troyon, 92316 Sevres Cedex, Paris, France
Tel: +33 (1) 41 14 83 17
http://www.currentanalysis.com