Cisco IronPort Infrastructure Security Overview

Uploaded by said-missoum, 03-Apr-2018

7/28/2019 Cisco IronPort Infrastructure Security Overview

http://slidepdf.com/reader/full/cisco-ironport-infrastructure-security-overview 1/6

Cisco® IronPort Hosted Email Security combines best-of-breed technologies to provide the most scalable and sophisticated email protection available today. Based on the same industry-leading technology that protects 40 percent of Fortune 1000 companies from inbound and outbound email threats, Cisco IronPort Hosted Email Security allows customers to reduce their on-site data center footprint and out-task the management of their email security to trusted security experts. It provides dedicated email security infrastructure in multiple, resilient data centers to enable the highest levels of service availability and data protection.

Cisco IronPort Email Security solutions are designed to ensure the highest levels of security and availability of the hosted infrastructure – from both a physical and a logical access perspective. The design spans aspects like access controls to data center buildings, processes to protect access to customer data, and the availability of the hardware infrastructure. The figure below highlights these aspects.

Cisco IronPort Hosted Email Security
Infrastructure Security Overview

Figure: Infrastructure security overview of Cisco IronPort Hosted Email Security, covering Physical Security, Data Center Uptime, and Security Operations Center Controls.

PHYSICAL SECURITY

Physical security of the data center is the foundation of a vigilant security infrastructure. Data center security is supported by state-of-the-art surveillance systems, backed by security personnel to ensure the highest levels of physical infrastructure security. This includes:

1. Surveillance System

Along with Cisco's onsite presence, a digital video surveillance system provides for an automated surveillance interface. All fixed cameras are high-resolution color, with auto low-light switching capable of viewing to .01 lux. Pan/tilt/zoom (PTZ) cameras are used on the exterior and in areas of sensitivity. All PTZs use up-the-coax protocol for immediate relocation to any current fixed camera location.

Video is recorded at 720x240 pixels at 15 IPS upon motion or 30 IPS upon operator command. Most video channels synchronously record audio. Video is retained for approximately 100 days. The data center deploys an active surveillance system with 24x7 officers operating the camera system using the IOU (Identify, Observe and Understand) methodology. The use of IOU increases attentiveness to the monitors and provides a superior video product for investigations. Executive team members have remote access to video via PDA and VPN laptop access. All video is archived in M-JPEG format for a minimum of 90 days.

2. Access Control/Intrusion Detection

All entrances are centrally monitored 24x7x365. The exterior doors were designed and installed for additional protection. They include detection devices and access control, and can be independently viewed by fixed cameras. Exterior access points are kept to a minimum, and (in most cases) only one door at each facility can be used for entry or exit. These doors lead into specially-engineered mantraps, constructed of 12 gauge stainless steel and strapped by ¼" aluminum. All access points off the mantrap require the additional biometric authentication of the card holder and mantrap relay logic. Additionally, the mantraps are fitted with a minimum of one fixed camera and audio surveillance of the space.

DATA CENTER UPTIME

The Data Center Architecture figure below describes the architecture of the Cisco IronPort Hosted Email Security solution. Highlights of this solution include:

1. Geographically-diverse data centers for disaster recovery
2. SAS 70 Type II certified data centers
3. Network connectivity, power, cooling and bandwidth redundancy within each data center
4. Bandwidth to process up to 20 Gb/sec of network traffic


Cisco IronPort Hosted Email Security employs multiple SAS 70 Type II data centers in an active-active deployment architecture. By pointing multiple MX records to these data centers the solution provides email continuity, even in the event of an unforeseen disaster at one of the data centers. The architecture, which includes multiple data centers, ensures the highest level of availability for the Cisco IronPort Hosted Email Security service.
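The MX-based continuity described above, as an added example that is not part of the Cisco document: a small Python model of how a sending MTA selects among a zone's MX records (RFC 5321 section 5.1) and fails over when one data center is unreachable. The zone lines, hostnames, preferences and the "reachable" set are constructed for illustration and are not Cisco's.

```python
# Added example, not from the Cisco document: how an MTA walks a zone's MX
# records so that a second data center takes over when the first is down
# (RFC 5321 section 5.1 MX selection). Hostnames, preferences and the
# "reachable" set below are constructed for illustration.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    preference: int  # lower value is tried first
    exchange: str


def parse_mx_lines(zone_lines):
    """Parse zone-file style MX lines ("name ttl IN MX pref exchange.").
    Lines that are not MX records are skipped."""
    records = []
    for line in zone_lines:
        fields = line.split()
        if len(fields) < 5 or fields[-3].upper() != "MX":
            continue
        pref, exchange = int(fields[-2]), fields[-1].rstrip(".")
        records.append(MXRecord(pref, exchange.lower()))
    return records


def delivery_order(records, seed=None):
    """Order exchanges as an MTA should try them: ascending preference, with
    equal-preference hosts shuffled so load spreads across both sites."""
    rng = random.Random(seed)
    by_pref = {}
    for rec in records:
        by_pref.setdefault(rec.preference, []).append(rec.exchange)
    order = []
    for pref in sorted(by_pref):
        hosts = sorted(by_pref[pref])  # deterministic start before shuffle
        rng.shuffle(hosts)
        order.extend(hosts)
    return order


def attempt_delivery(records, reachable, seed=None):
    """Simulate one delivery attempt. `reachable` is the set of exchanges that
    currently accept connections (constructed stand-in for a site outage).
    Returns (host that accepted, hosts tried in order); host is None if every
    exchange failed, in which case a real MTA queues and retries later."""
    tried = []
    for host in delivery_order(records, seed):
        tried.append(host)
        if host in reachable:
            return host, tried
    return None, tried


# Constructed zone data: two hosted data centers at equal preference and a
# lower-priority (higher number) fallback at the customer's own site.
ZONE = [
    "example.com.  3600 IN MX 10 mx1.dc1.hosted.example.net.",
    "example.com.  3600 IN MX 10 mx2.dc2.hosted.example.net.",
    "example.com.  3600 IN MX 20 fallback.example.com.",
    "example.com.  3600 IN A  192.0.2.10",
]
RECORDS = parse_mx_lines(ZONE)

if __name__ == "__main__":
    # Data center 1 lost: mail still lands on the other hosted site.
    print(attempt_delivery(RECORDS, {"mx2.dc2.hosted.example.net"}, seed=1))
    # Both hosted sites lost: the customer fallback is used.
    print(attempt_delivery(RECORDS, {"fallback.example.com"}, seed=1))
```

Two points the model makes visible: equal-preference exchanges are randomized, so both hosted sites share inbound load, and a lower-priority fallback is reached only after every hosted exchange has refused the connection. A fallback MX pointing at the customer's own mail server is a common design, but anyone can connect to it directly and skip the hosted filtering, so such a server should accept mail only from the hosted service's addresses.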

Each of the data centers has multiple levels of redundancy built into the infrastructure. The first is the network infrastructure, which has multiple carrier-grade access routers, distribution switches and POD switches – ensuring that there is no single point of failure. Behind this highly-redundant networking infrastructure, the solution employs multiple dedicated Cisco IronPort email security appliances, used for mail processing, reporting, tracking and more. To prevent failure and ensure connectivity in the event of an unexpected incident which impacts one of the inputs, the data centers utilize two separate fiber inputs that are physically separated. Additionally, these data centers have the bandwidth capacity to process up to 20 Gb/sec of network traffic.

Most data centers today are faced with severe issues resulting from improper management and control of equipment-generated heat. The data centers are designed with the most advanced designs for space and power in the industry. They have 100 percent power availability, delivered via a very sophisticated power grid architecture that includes primary power circuits and failover power connections, both of which come from two completely separate N+2 power systems. Each of these systems has separate UPS batteries, generators, PDUs, and RPPs, and is delivered to each rack via color-coded receptacles. This ensures consistent uptime for the email security infrastructure that is plugged into the system.

Figure: Cisco IronPort Hosted Email Security Data Center Architecture. Two sites (Data Center 1 and Data Center 2) are reached from the Internet through separate ISPs and advertised by MX records. Each site has Utilities Power Entrance #1 and #2, Fiber Entrance #1 and #2, Generator #1 and #2 and Multiple UPS Systems; Large Access Routers, Distribution Switches and POD Switches in front of the Email Security Infrastructure; and Outside Air Cooling (Air Exchange), Chilled Water Cooling (Chilled Towers), Swamp Cooling (Utility Water) and Freon Cooling.


As server densities have increased, the demand on cooling systems has grown significantly. Each data center facility has enough primary and backup cooling to ensure that the heat generated by the email security infrastructure is appropriately dissipated and ample backup cooling is available in case of failure of one of the cooling systems. The cooling infrastructure is delivered through Freon, swamp, chilled water and outside air mechanisms.

Specifications of the infrastructure at work in powering the data center are listed below.

1. Power Specifications

- 17 kilowatts of power and cooling per rack
- 120/208 V AC and -48 V DC available
- 100% generator backup
- Generator capacity designed to 1200 amp, expandable to 10,000 amp
- Multiple 1 to 2 MW generators
- Fuel tank size 1,000 to 2,000 gallons
- Generators both auto start and auto transfer
- Isolation bypass feature on automatic transfer switch
- Minimum 24-hour run time fuel capacity
- Two-hour response for fuel delivery
- UPS backup power
- Voltage output: 480 V transformed to 120/208 V
- -48 V DC battery plant
- 2-hour battery reserve non-redundant, 4 hours redundant
- True A/B power feeds
- Grounding in accordance with NFPA 70

2. Environmental Controls

- Under-floor cooling provided by computer-room grade equipment
- Cooling not less than 200 BTU/h per square foot with N+1 redundancy
- Temperature maintained at 72 degrees F dry bulb at ASHRAE 1%
- In the event of power interruption, HVAC systems (and the entire facility) operate on diesel generators
- 30% to 60% humidity, non-condensing; humidity control delivered through ATS/Liebert units via infrared humidifier

SECURITY OPERATIONS CENTER

The Cisco Security Operations Center (SOC) is run by the Cisco Remote Operations Services (ROS) organization. In order to ensure a world-class level of security oversight, Cisco ROS implements continual management and internal auditing of employees, processes and tools. This helps deliver peace of mind to Cisco customers, as well as the highest level of secure service delivery standards.

1. Network Security

With a combination of security devices and applications, adding to a defense-in-depth design, the Cisco SOC uses a layered approach to security. Additional layers include multiple firewalls to control inbound access to Cisco ROS. This strategy allows users to access only information that is legitimate to their purpose (least privilege).

Intrusion detection systems (acting as sensors) are strategically placed throughout the network to monitor traffic and detect security events. Detected events are managed by the Cisco Security Management Service. Intrusion detection is used at various points within the network, monitoring the traffic between the service delivery network and customer networks for suspicious or malicious patterns.

A security event manager provides event and threat correlation of the security devices throughout the service delivery network. Digital certificates are used to secure access to customer web portals and systems that require both internal and external access.
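As an added illustration of the event correlation described above (example code, not Cisco's security event manager): a minimal Python correlation rule that reads IDS alert lines and raises an incident when one source address trips sensors at two or more points in the service delivery network within a five-minute window. The alert format, sensor names, signatures and addresses are constructed for this example.

```python
# Added example, not from the Cisco document: a minimal correlation rule of
# the kind a security event manager applies to IDS sensor alerts. It reads
# constructed alert lines from sensors between the service delivery network
# and customer networks and raises one incident per source address that
# trips two or more distinct sensors within a time window. The log format,
# sensor names, signatures and addresses are invented for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    when: datetime
    sensor: str
    src: str
    dst: str
    sig: str


@dataclass
class Incident:
    src: str
    sensors: set
    first: datetime
    last: datetime
    signatures: set = field(default_factory=set)


def parse_alert(line):
    """Parse 'ISO-timestamp key=value ...' into an Alert; returns None for a
    line missing a required field (skipped rather than crashing the engine)."""
    parts = line.split()
    if not parts:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return Alert(when, kv["sensor"], kv["src"], kv["dst"], kv["sig"])
    except KeyError:
        return None


def correlate(lines, window=timedelta(minutes=5), min_sensors=2):
    """Sliding-window correlation keyed on source address. Alerts older than
    `window` relative to the newest alert from that source are dropped before
    the rule is evaluated, so a slow scan spread over hours does not pile up."""
    recent = defaultdict(list)   # src -> alerts still inside the window
    incidents = {}               # src -> Incident (one per source)
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    for a in sorted(alerts, key=lambda x: x.when):
        bucket = [b for b in recent[a.src] if a.when - b.when <= window]
        bucket.append(a)
        recent[a.src] = bucket
        sensors = {b.sensor for b in bucket}
        if len(sensors) >= min_sensors:
            inc = incidents.get(a.src)
            if inc is None:
                inc = incidents[a.src] = Incident(a.src, set(), bucket[0].when, a.when)
            inc.sensors |= sensors
            inc.last = a.when
            inc.signatures |= {b.sig for b in bucket}
    return list(incidents.values())


# Constructed sample alerts (not real traffic): 198.51.100.7 hits the
# customer-edge sensors at both data centers within two minutes; 192.0.2.33
# hits both too, but 20 minutes apart, outside the default window.
SAMPLE_ALERTS = [
    "2009-08-01T10:00:01Z sensor=ids-dc1-cust-edge src=198.51.100.7 dst=10.20.0.5 sig=SMTP_AUTH_BRUTE",
    "2009-08-01T10:00:40Z sensor=ids-dc1-cust-edge src=198.51.100.7 dst=10.20.0.5 sig=SMTP_AUTH_BRUTE",
    "2009-08-01T10:01:15Z sensor=ids-dc2-cust-edge src=198.51.100.7 dst=10.21.0.5 sig=SMTP_AUTH_BRUTE",
    "2009-08-01T10:02:00Z sensor=ids-dc1-portal src=203.0.113.9 dst=10.20.1.8 sig=HTTP_DIR_TRAVERSAL",
    "2009-08-01T10:05:00Z sensor=ids-dc1-cust-edge src=192.0.2.33 dst=10.20.0.5 sig=SMTP_RELAY_PROBE",
    "2009-08-01T10:25:00Z sensor=ids-dc2-cust-edge src=192.0.2.33 dst=10.21.0.5 sig=SMTP_RELAY_PROBE",
    "garbage line without a timestamp",
]

if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(inc)
```

The rule is deliberately keyed on distinct sensors rather than raw alert counts: a single noisy signature on one sensor stays a per-sensor alert, while the same source appearing at two data centers' customer-facing sensors is what the document's cross-site correlation is meant to surface. Widening `window` turns the slow second source into an incident as well, which is the tuning trade-off between catching slow scans and carrying state for every source seen.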

2. Systems Security

Cisco ROS uses multiple controls to ensure the security of managed systems. These include both physical controls and vulnerability detection scans.

a. Physical Controls

Cisco provides photo identification to all employees and contractors, which must be worn visibly within the building. All visitors must obtain a visitor's badge and be escorted within the building.

Entrances to controlled data centers and wiring closets are accessible only from internal corporate space. Access is granted based on business need. Corporate space is also controlled, requiring proper badge access to enter.

Video cameras are located at each building entry and are monitored and managed by the 24x7 Security Facilities Operation Center.

Primary power to the facility is provided by the local utility. Backup power is provided to critical areas by standby UPS systems and generators. Backup power systems are routinely checked and tested. Preventive maintenance is performed quarterly and full load tests are conducted annually.

b. Vulnerability Scans

The Cisco ROS service delivery network is routinely scanned to assess risks and vulnerabilities. Results from these assessments are used to create internal IT incident cases for necessary remediation.

Figure: Cisco Security Operations Center Help Desk.


3. Human Controls

Information security, and the protection of informational assets and intellectual property, begins with awareness and education. To develop and preserve a culture of security, successful organizations recognize that responsibility and accountability reside with all employees.

At Cisco, the executive team has embedded security into corporate initiatives and its code of business conduct, and employees are assimilating security into their daily activities. With employees educated about the importance of security awareness throughout the organization, everyone works together toward the common goal of keeping the company (and its partners and customers) secure.

Human controls are becoming an important aspect of data center security. The aim of these controls is to protect customer data against security threats that may arise from within the service provider. Cisco ROS has a number of different controls in place that help ensure customer data security. Cisco conducts background screenings as part of the hiring process for all full-time and contract employees. Job descriptions outline roles and responsibilities within Cisco ROS, and the rule of least privilege is applied to ensure proper access to customer networks and information.

Additional human controls utilized by Cisco ROS include:

a. Auditing and Testing

Cisco ROS employs a five-step process to mitigate exposure to network-based threats. This process includes utilizing a defined security policy, assessing compliance, monitoring for policy violations, and routinely testing the policy to minimize exposure. The final step includes a routine overview of all identified threats and exposures to improve the overall security of the network.

b. Change Control

Change control is critical to the operation of any IT environment and to Cisco ROS service delivery teams. Cisco ROS change control is a partnership with customers to establish proper authorization for requesting, scheduling, implementing and validating all changes within the customer environment.

CONCLUSION

Cisco IronPort Hosted Email Security is backed by state-of-the-art data centers that enable the highest available physical, utility and data redundancy under one roof. The support of the Cisco Security Operations Center provides an additional layer of security, ensuring secure service delivery. Through these means, Cisco is able to offer the highest levels of service availability and data protection.

P/N 435-0255-1 6/

Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices

CCDE, CCENT, Cisco Eos, Cisco Lumin, Cisco Nexus, Cisco StadiumVision, Cisco TelePresence, Cisco WebEx, the Cisco logo, DCE, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn and Cisco Store are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0809R)