cisco ironport email & web security · outbound control mail transfer agent spam defense. 11...

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential Presentation_ID 1 Cisco IronPort Email & Web Security Frédéric HER, CISSP Systems Engineer, Africa Cisco IronPort Solutions [email protected]

Upload: dinhkhanh

Post on 04-Jun-2018


Page 2

Cisco IronPort: Unparalleled Market Leadership

• IronPort founded in 2000, acquired by Cisco in 2007
• 20,000+ customers globally
• 400 million users protected
• 40% of Fortune 100 companies
• 8 of the 10 largest Service Providers
• 7 of the 10 largest Banks
• 99%+ customer renewal rates

Named IronPort the market share leader in the email security appliance market

IronPort is positioned as a leading player in the messaging security appliance market

IronPort Positioned in the “Leaders” Quadrant in Magic Quadrant Report

Page 3

The Cisco IronPort Story: Application-Specific Security Gateways

Diagram components: EMAIL Security Gateway, WEB Security Gateway, MANAGEMENT Appliance, Internet, SensorBase (The Common Security Database)

APPLICATION-SPECIFIC SECURITY GATEWAYS

BLOCK Incoming Threats:
• Spam, Phishing/Fraud
• Viruses, Trojans, Worms
• Spyware, Adware
• Unauthorized Access

Page 4

Cisco IronPort Email Security

Cisco IronPort Email Security Appliance

Page 5

Email Challenges

• Junk Mail
• Viruses
• Regulations
• Privacy & Control

Standard Email does not natively offer what is expected

Page 6

Cisco IronPort Consolidates the Network Perimeter For Security, Reliability and Lower Maintenance

Before Cisco IronPort: Internet, Firewall, Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing, Encryption Platform, MTA, DLP Scanner, DLP Policy Manager, Groupware, Users

After Cisco IronPort: Internet, Firewall, Cisco IronPort Email Security Appliance, Groupware, Users

Page 7

Spam Trends

[Chart: Average Daily Spam Volume (billions) by Month, Jan-08 to Nov-09; vertical axis 0 to 300]

• Record spam volumes and criminal botnet activity

Page 8

Spam Sophistication Increasing

Timeline: 2005, 2006, 2007, 2008

• TEXT SPAM
• IMAGE SPAM
• ATTACHMENT SPAM (PDF, EXCEL, MP3)
• TARGETED ATTACKS

Sample message: Your Equitable Bank account is closed, call us now at (802)354-4250

Page 9

Cisco IronPort SensorBase

• Statistics on more than 30% of the world’s e-mail traffic
• New threats & alerts detection
• More than 200 parameters to build reputation scores

E-Mail Reputation Filters (Reputation Score):
• Data Volume
• Message Structure
• Complaints
• Blacklists, whitelists
• Off-line data

Web Reputation Filters (Reputation Score):
• URL blacklists & whitelists
• HTML Content
• Domain Info
• Known “bad” URLs
• Website history…

Page 10

Email Security Architecture: Cisco IronPort Email Security Appliance

Diagram components: Management, INBOUND SECURITY, Spam Defense, Virus Defense, OUTBOUND CONTROL, Data Loss Prevention, Secure Messaging, MAIL TRANSFER AGENT, CISCO IRONPORT ASYNCOS EMAIL PLATFORM

Page 11

Cisco IronPort AsyncOS: Revolutionary Email Delivery Platform

Traditional Email Gateways and Other Appliances:
• 200 Connections
• Low Performance/Peak Delivery Issue

Cisco IronPort Email Security Appliances:
• 1K – 10K Connections
• High Performance/Sure Delivery

Comparison labels:
• Disk I/O Bottlenecks
• Unable To Leverage Full Capability
• Components
• CPU Limited Solely By CPU Capacity

Page 12

Advanced Controls for Security and Efficiency: And to protect against the risk of being blacklisted

IronPort Virtual Gateways
1. Protects the reputation of a domain
2. Relies on different IP addresses for sending messages

Destination Controls
1. Protect internal servers
2. Rules per destination domain

Email Authentication (DomainKeys, DKIM, SPF, SIDF)

Diagram labels: Internet, 163.24.127.3, 163.24.127.4, 163.24.127.5


Page 14

Anti-Spam Defense in Depth

Spam Blocked Before Entering Network

Diagram labels: SensorBase Reputation Filtering, IronPort Anti-Spam, Verdict

• > 99% Catch Rate
• < 1 in 1 million False Positives

Page 15

SensorBase Reputation Filtering: Real Time Threat Prevention

Incoming Mail: Good, Bad, and Unknown Email

Diagram labels: Reputation Filtering, IronPort Anti-Spam

• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is blocked

Cisco’s Internal Email Experience:

Message Category | % | Messages
Stopped by Reputation Filtering | 93.1% | 700,876,217
Stopped as Invalid recipients | 0.3% | 2,280,104
Spam Detected | 2.5% | 18,617,700
Virus Detected | 0.3% | 2,144,793
Stopped by Content Filter | 0.6% | 4,878,312
Total Threat Messages | 96.8% | 728,797,126
Clean Messages | 3.2% | 24,102,874
Total Attempted Messages | | 752,900,000


Page 17

Cisco IronPort Virus Outbreak Filters: The First Line of Defense

Early Protection with IronPort Virus Outbreak Filters

Page 18

Multi-Layer Virus Defense: Zero Hour Malware Prevention and AV Scanning

Diagram labels: Virus Outbreak Filters, Anti-Virus

T = 0
- zip (exe) files

T = 5 mins
- zip (exe) files
- Size 50 to 55 KB

T = 15 mins
- zip (exe) files
- Size 50 to 55 KB
- “Price” in the filename

An analysis over one year:
- Average lead time: over 13 hours
- Outbreaks blocked: 291 outbreaks
- Total incremental protection: over 157 days


Page 20

Risks for the Organization

Top Risk: Employees. Biggest Impact: Customer Data

Top Data Loss Types:
• Personal client information
• Intellectual Property
• Personnel Information
• Information marked Confidential

[Chart: Top Data Loss Types. Values as extracted, labels not recoverable: 12%, 10%, 5%, 4%, 7%; 44%, 21%, 4%, 8%, 4%]

Page 21

Data Loss Prevention: Comprehensive, Accurate, Easy

Comprehensive
• 100+ Pre-defined templates
• Regulatory compliance

Accurate
• Multiple parameters
• Key words, proximity, etc.

Easy
• One-click activation
• Policy enable/disable

Page 22

Email Encryption: Instant Deployment, Zero Management Cost

• Automated key management
• No desktop software requirements
• No new hardware required

Diagram labels (Cisco Registered Envelope Service):
• Gateway encrypts message
• Message pushed to recipient
• User opens secured message in browser
• User authenticates and receives message key
• Key is stored
• Decrypted message is displayed


Page 24

Cisco IronPort Email Security Manager: Single view of policies for the entire organization

Categories: by Domain, Username, or LDAP

Groups shown: IT, SALES, LEGAL

• Mark and Deliver Spam
• Delete Executables

• Archive all mail
• Virus Outbreak Filters disabled for .doc files

• Allow all media files
• Quarantine executables

“IronPort Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” – PC Magazine

Page 25

Comprehensive Insight: Unified Business Reporting

• Single view across the organization
• Real Time insight into email traffic and security threats
• Actionable drill down reports

Multiple data points:
• Email Volumes
• Spam Counters
• Policy Violations
• Virus Reports
• Outgoing Email Data
• Reputation Service
• System Health View

Consolidated Reports

Page 26

Visibility Into Email Messages: Message Tracking

Track Individual Email Messages: What happened to the email I sent 2 hours ago?

Forensics to Ensure Compliance: Who else received similar emails?

Page 27

Email Security Hosted Offerings

Cisco IronPort Hosted Email Security

Page 28

Choice Maximizes Flexibility: Full Continuum of Deployment Options

• Managed: Fully Managed on Premises
• Appliances: Award-Winning Technology
• Hosted: Dedicated SaaS Infrastructure
• Hybrid Hosted: Best of Both Worlds

Backed by Service Level Agreements

Page 29

Cisco IronPort Web Security

Overview

Cisco IronPort Web Security Appliance

Page 30

Malware Threat Distribution

Malware infection vectors are shifting from email to Web

[Chart: Malware Infections over Time, Email Vector and Web Vector]

Page 31

Malware Evades Legacy Defenses

[Chart: Traffic Volume against # of Sites, with a Big Head and a Long Tail]

Big Head: Predictable, easy to classify

Long Tail: Hundreds of millions of sites; thousands of new sites per hour

• Signatures are reactive and CANNOT keep up
• URL classification is reactive, has low coverage

Page 32

Exploited Websites: An Invisible Threat

Page 33

Drive-By Scareware

- Full-screen pop-up simulates real AV software, asks you to buy full version to clean machine.

- Fakes scan of c:\ drive and pretends to find viruses even on Linux or Mac OS X!

Page 34

The limits of legacy solutions

• Low Performance – not suitable for current usage of Web
• High Latency
• Low Security: often only URL filtering
• … or only Antivirus and no efficient protection against Malware

Page 35

Next Generation Secure Web Gateway

Before Cisco IronPort: Internet, Firewall, Web Proxy & Caching, Anti-Spyware, Anti-Virus, Anti-Phishing, URL Filtering, Policy Management, Users

After Cisco IronPort: Internet, Firewall, Cisco IronPort WSA, Users

All web security components in a single integrated platform

Page 36

Web Security Architecture: Cisco IronPort Web Security Appliance

Diagram components: Management, L4 Traffic Monitor, URL Filters, Web Reputation Filters, Anti-Malware System, PROXY CACHE, CISCO IRONPORT ASYNCOS WEB PLATFORM

Page 37

High-Performance Web Proxy: Connection Management & Optimized Storage

• Maintain pool of persistent TCP connections (client and server side)
• Co-related object storage and high-performance caching
• Handle extremely high traffic volumes
• Significantly improved response times

Facts & Figures:

– 100,000 simultaneous duplex TCP connections to easily handle traffic spikes

– Average latency introduced to end user: 5-15 milliseconds


Page 39

Detecting Existing Client Infections

Cisco IronPort Layer 4 Traffic Monitor
• Scans all traffic, all ports, all protocols
• Detects malware bypassing Port 80
• Prevents botnet traffic

Powerful anti-malware data
• Automatically updated rules
• Real-time rule generation using “Dynamic Discovery”

Diagram labels: Internet, Users, Cisco IronPort S-Series, Network Layer Analysis, Packet and Header Inspection


Page 41

Web: Huge, Growing and Transient

[Chart: Number of Web pages over time]

• 1998: 28 Million webpages
• 2000: 1 Billion webpages
• 2005: Web 2.0 tipping point
• 2008: 1 Trillion webpages

Static Web: Traditional Content Publishers; Legacy URL Filtering Focus

Dynamic Web: User Generated & Web 2.0 Content

Source: Multiple, including Cisco SIO, Google, Wikipedia

Page 42

The Dark Web Challenge: Legacy URL Filtering Effectiveness is Decreasing

• Legacy URL filtering primarily focuses on crawling and manual review/classification
• Databases add thousands of new URLs per day… while the web adds a Billion
• 95% of the web will be uncategorized by 2015

Diagram labels:
• URL Lookup in Database (URL Database): www.sportsbook.com/ is categorized as Gambling
• Uncategorized
• Category labels: OBSCENE, PORN, ADULT, GAMBLING

Page 43

Cisco IronPort Web Usage Controls: Dynamic Categorization for the Dark Web

Industry-leading URL database efficacy
• 65 categories
• Updated every 5 minutes
• Powered by Cisco SIO

Dynamic categorization identifies ~90% of Dark Web content in commonly blocked categories

Diagram labels:
• URL Lookup in Database (URL Database): www.sportsbook.com/ is categorized as Gambling; Uncategorized
• URL Keyword Analysis: www.casinoonthe.net/ is categorized as Gambling; Uncategorized
• Dynamic Content Analysis Engine: Analyze Site Content; Gambling

Page 44

Cisco Security Intelligence Operations (SIO): Unmatched Visibility Drives Unparalleled Efficacy

Diagram labels:
• Cisco IronPort Web Security Appliances on Customer Premises
• Customer Administrators
• Uncategorized URLs
• URL Categorization Requests
• Traffic Data from Cisco IronPort Email Security Appliances, Cisco IPS, and Cisco ASA sensors
• External Feeds
• Crowd Sourcing
• Web Crawlers
• Crawler Targeting
• Manual Categorization
• Analysis and Processing
• Master URL Database
• Updates published every 5 minutes
• Cisco SIO


Page 46

Protection For a Dynamic Web 2.0 World: Visibility Beyond the Initial Threat

• Web pages are made up of objects coming from different sources
• Objects can be images, executables, JavaScript…
• Compromised websites often grab malicious objects from external sources
• Security means looking at each object individually, not just the initial request

Diagram labels:
• Client PC
• Trusted Web Site
• Web servers not affiliated with the trusted web site (e.g. ad servers)
• Web Reputation Filters: Scan each object, not just the initial request

Page 47

Cisco IronPort DVS Engine: Dynamic Vectoring and Streaming

Multiple integrated verdict engines
• McAfee and Webroot

Accelerated signature scanning
• Parallel scans
• Stream scanning

Decrypt & scan SSL traffic
• Selectively, based on category & reputation

Automated updates

[Chart: coverage of Adware, Spyware, Trojans, Worms, Viruses for McAfee, Webroot, and Webroot + McAfee; ~35% Additional Coverage]

Page 48

Cisco IronPort DVS Engine: Multi-Layered Malware Defense

Deep content inspection

High-performance scanning
- Parallel scans
- Stream scanning

Multiple verdict engines
- Integrated, on-box
- Supported engines: Webroot, McAfee

Diagram labels: Policy Management, IRONPORT DVS ENGINE, Webroot, McAfee, VERDICT ENGINE “N”

Page 49

Usage of Ports 80 & 443 has changed

A lot of applications traversing port 80 are not “web browsing”

A lot of applications using port 80 are not business-related

Nearly all companies include Webmail users

– Malicious attached files?

Instant Messaging is found in all companies

– How do you keep it open while ensuring your network is not at risk?

Web-based file transfer is growing fast (MegaUpload, Rapidshare…)

Peer-to-Peer is still used heavily

Page 50

Understanding Web Traffic

Web Application Controls

File Transfer Protocol

Native control for HTTP, HTTP(s), FTP applications

Selective decryption of SSL traffic for security and policy

Policy enforcement for applications tunneled over HTTP—FTP, IM, video

Application traversal using policy-based HTTP CONNECT

Page 51

HTTPS Scanning: Selective, Based on Trust

Decrypted • Inspected • Re-encrypted
Selectively on Category, Source

Decrypted • Inspected • Re-encrypted
Selectively on TRUST, Category, Source

Diagram labels: Users, Cisco IronPort WSA, Internet, Web Server

Page 52

Cisco IronPort WSA: Complete Data Security

On-box Common Sense Security
• Allow, block, log based on file metadata, URL category, user and web reputation
• Multi-protocol: HTTP(s), FTP, HTTP tunneled

Off-box Advanced Data Security
• Deep content inspection: Structured and unstructured data matching
• Performance optimized: Works in tandem with accelerated on-box policies

Diagram labels: Documents, Internet, Partner site, Webmail, Log, Allow, Block, DLP Vendor Box, Content Verdict


Page 54

Cisco IronPort Web Security Manager: Single View of Policies for the Entire Organization

Group by LDAP, Active Directory, Network

Groups shown: Marketing, IT, Sales

• Block executables
• Block gambling sites
• Block all malware

• Allow Skype
• Monitor all traffic
• Allow executables
• Allow all applications
• Allow all protocols

• Block FTP
• Allow Media files
• Allow all URL categories

Page 55

Delegated Administration: Flexibility to Support Organizational Requirements

• Assign administrators for groups of users, appliances, subnets, or destinations
• Fine-grained, role-based access control
• Global administrator defines roles and access permissions
• Policy officer sets rules for users they manage

Diagram labels: IT, SALES, LEGAL; No Media, No FTP, No Webmail

Page 56

Comprehensive Reporting

In-depth Threat Visibility
- Web Traffic Overview
- Layer 4 Traffic Monitor
- Anti-Malware Category and Threat Details
- Client Malware Risk & Activity Detail
- Website Activity and Detail

Extensive Forensic Capabilities
- Investigate acceptable use violations
- Drill down for further analysis
- Satisfy compliance requirements

Detailed off-box analysis
- Offload extensive data crunching
- Top N and trend reporting for malware
- Client, Source, Malware Name and Category

for IronPort

Page 57

Web Security Hosted Offerings

ScanSafe SaaS Web Security is now part of Cisco

Page 58

The leading SaaS Web security solution

• Pioneer
• Leadership position: 34.5% Market Share (IDC)
• 30Bn Web requests monthly
• Millions of users
• Customers in 100+ countries
• 100% availability
• 200 million threats blocked monthly
• Award-winning

Customers

Awards: Security product of the year 2008

Partners
