© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco IronPort Email & Web Security
Greg Griessel
Consulting Systems Engineer - Security
Email Security Gateway
Application-Specific Security Gateways
Security Management Appliance
Internet
Web Security Gateway
SensorBase (The Common Security Database)
BLOCK Incoming Threats: Spam, Phishing/Fraud, Viruses, Trojans, Worms, Spyware, Adware, Unauthorized Access
Gartner Magic Quadrant: Email Security, 2010
The Magic Quadrant is copyrighted 2010 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.
Gartner Magic Quadrant: Secure Web Gateway, 2011
The Magic Quadrant is copyrighted 2011 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the “Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.
Cisco IronPort Email Security
Junk Mail
Viruses
Regulations
Privacy & Control
More and more targeted attacks
[Chart: Daily Spam Volume (Billion) by year, 2006 to 2010; series: Spam, Targeted Attacks]
Source: Cisco Threat Operations Center
E-Mail Reputation Filters
• Statistics on more than 30% of the world’s e-mail traffic
• New threats & alerts detection
• More than 200 parameters to build reputation scores
• Data Volume
• Message Structure
• Complaints
• Blacklists, whitelists
• Off-line data
Reputation Score

Web Reputation Filters
• URL blacklists & whitelists
• HTML Content
• Domain Info
• Known “bad” URLs
• Website history…
Reputation Score
Cisco IronPort Email Security Appliance
CISCO IRONPORT ASYNCOS EMAIL PLATFORM
Management
INBOUND SECURITY: Spam Defense, Virus Defense
OUTBOUND CONTROL: Data Loss Prevention, Secure Messaging
MAIL TRANSFER AGENT
For Security, Reliability and Lower Maintenance
Before Cisco IronPort: Internet -> Firewall -> separate Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing, Encryption Platform, MTA, DLP Scanner and DLP Policy Manager boxes -> Groupware -> Users
After Cisco IronPort: Internet -> Firewall -> Cisco IronPort Email Security Appliance -> Groupware -> Users
Revolutionary Email Delivery Platform
Traditional Email Gateways and Other Appliances: 200 Connections; Low Performance / Peak Delivery Issue; Disk I/O Bottlenecks; Unable To Leverage Full Capability of Components
Cisco IronPort Email Security Appliances: 1K – 10K Connections; High Performance / Sure Delivery; Limited Solely By CPU Capacity
Spam Blocked Before Entering Network
> 99% Catch Rate, < 1 in 1 million False Positives
SensorBase Reputation Filtering and IronPort Anti-Spam
Who? How? What? Where? Verdict
Reputation Filtering
Incoming Mail: Good, Bad, and Unknown Email
• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is blocked
IronPort Anti-Spam
Cisco’s Internal Email Experience:
Message Category                    % Messages         Messages
Stopped by Reputation Filtering          93.1%      700,876,217
Stopped as Invalid recipients             0.3%        2,280,104
Spam Detected                             2.5%       18,617,700
Virus Detected                            0.3%        2,144,793
Stopped by Content Filter                 0.6%        4,878,312
Total Threat Messages                    96.8%      728,797,126
Clean Messages                            3.2%       24,102,874
Total Attempted Messages                            752,900,000
Real Time Threat Prevention
The First Line of Defense
Early Protection with IronPort Virus Outbreak Filters
Outbreak Filtering in Action
Cisco SIO
Verdict: Suspect IP / URL; Action: Send to Cloud
Verdict: Malicious Content; Action: STOP
Zero Hour Malware Prevention and AV Scanning
Virus Outbreak Filters | Anti-Virus
T = 0: zip (exe) files
T = 5 mins: zip (exe) files; size 50 to 55 KB
T = 15 mins: zip (exe) files; size 50 to 55 KB; “Price” in the filename
An analysis over one year:
Average lead time: over 13 hours
Outbreaks blocked: 291 outbreaks
Total incremental protection: over 157 days
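The two inbound stages the slides above describe, reputation filtering (known good delivered, suspicious rate limited and spam filtered, known bad blocked) followed by an outbreak rule that narrows from T=0 to T=15 minutes, as an added Python model that is not Cisco's code; the score thresholds, the Attachment and Message fields and the rule predicates are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Attachment:
    name: str
    is_zip: bool
    contains_exe: bool
    size_kb: int

@dataclass
class Message:
    sender_score: float          # assumed -10..+10 scale, like the web score
    attachments: list = field(default_factory=list)

# Assumed cut-offs on the sender reputation score (not Cisco's values).
KNOWN_GOOD_AT = 3.0
KNOWN_BAD_AT = -5.0

def reputation_verdict(score: float) -> str:
    """Known good is delivered, suspicious is rate limited and spam filtered,
    known bad is blocked before it enters the network."""
    if score >= KNOWN_GOOD_AT:
        return "deliver"
    if score <= KNOWN_BAD_AT:
        return "block"
    return "rate_limit_and_spam_filter"

# Outbreak filter rules as published at T=0, T=5 min and T=15 min on the slide.
# Each later rule is narrower than the one before: the broad quarantine at T=0
# is refined as the outbreak is analysed, which is what trims false positives.
def _zip_exe(a: Attachment) -> bool: return a.is_zip and a.contains_exe
def _sized(a: Attachment) -> bool:   return _zip_exe(a) and 50 <= a.size_kb <= 55
def _priced(a: Attachment) -> bool:  return _sized(a) and "price" in a.name.lower()

OUTBREAK_RULES = {0: _zip_exe, 5: _sized, 15: _priced}

def outbreak_rule_at(minutes: int):
    """Newest rule published at or before the given minute of the outbreak."""
    published = [t for t in OUTBREAK_RULES if t <= minutes] or [0]
    return OUTBREAK_RULES[max(published)]

def outbreak_verdict(msg: Message, minutes: int) -> str:
    """Quarantine when any attachment matches the current outbreak rule;
    the later AV signature is not modelled here."""
    rule = outbreak_rule_at(minutes)
    return "quarantine" if any(rule(a) for a in msg.attachments) else "pass"

def process(msg: Message, minutes: int) -> tuple:
    """Reputation first (it stops the bulk of traffic cheaply), then the
    outbreak rule for anything allowed into the mail pipeline."""
    rep = reputation_verdict(msg.sender_score)
    if rep == "block":
        return (rep, "not_scanned")
    return (rep, outbreak_verdict(msg, minutes))
```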
Top Risk: Employees. Biggest Impact: Customer Data
[Charts: Top Data Loss Types; categories shown include Personal client information, Intellectual Property, Personnel Information, Information marked Confidential]
Comprehensive, Accurate, Easy
Comprehensive: 100+ pre-defined templates; regulatory compliance
Accurate: multiple parameters (key words, proximity, etc.)
Easy: one-click activation; policy enable/disable
“RSA has strong described content capabilities enabled by a formal knowledge-engineering process” - Gartner
Ranked as “Leader” in Gartner Magic Quadrant
Focus on accuracy: large research team staffed specifically to write and refine content policies
Reports by severity and policy; real time and scheduled reports available
Instant Deployment, Zero Management Cost
• Automated key management
• No desktop software requirements
• No new hardware required
Cisco Registered Envelope Service:
• Gateway encrypts message
• Message pushed to recipient
• User opens secured message in browser
• User authenticates and receives message key
• Key is stored
• Decrypted message is displayed
• No Forwarding Allowed without Permission
• Confidential Contents
• Guaranteed Recall
• Guaranteed Read Receipts
• Message Expiry
Cisco IronPort Email Security Solution
Inbound Security: Protect Employees From Identity-Stealing Malware and Phishing
• Anti-Spam: SensorBase Reputation Filtering; IronPort Anti-Spam
• Anti-Virus: Virus Outbreak Filters (VOF); McAfee Anti-Virus; Sophos Anti-Virus
Outbound Control: Protect Company From Identity Data Leaks
• RSA Email DLP: 100+ predefined DLP policies; accurate; easy to implement
• Encryption: Secure Message Delivery; Transport Layer Security
Single view of policies for the entire organization, with Delegated Administration
Per-group policies (IT, Sales, Legal), for example:
• Mark and Deliver Spam; Delete Executables
• Archive all mail; Virus Outbreak Filters disabled for .doc files
• Allow all media files; Quarantine executables
Roles: Global Administrator, Read-Only Operator, Helpdesk, PCI Auditor, PCI Supervisor, …
Unified Business Reporting
Consolidated Reports: Email Volumes, Spam Counters, Policy Violations, Virus Reports, Outgoing Email Data, Reputation Service, System Health View
• Single view across the organization
• Real time insight into email traffic and security threats
• Actionable drill down reports
• Multiple data points
Deployment options: Appliances (Award-Winning Technology); Managed (Fully Managed on Premises); Hosted (Dedicated SaaS Infrastructure, Backed by Service Level Agreements); Hybrid Hosted (Best of Both Worlds)
Cisco IronPort Web Security
Policy: Acceptable Use Control, Malware Protection, Data Loss Prevention, SaaS Access Control
Industry Leading Secure Web Gateway
Security: Malware Protection; Data Security
Control: Acceptable Use Controls; SaaS Access Controls
Centralized Management and Reporting; Internet Secure Mobility
80% of the web is uncategorized, highly dynamic or unreachable by web crawlers: botnets, dynamic content, password protected sites, user generated content, short life sites
The Known Web: 20% covered by URL lists
Industry-leading URL database efficacy
• 65 categories
• Updated every 5 minutes
• Dynamic categorization identifies more than 90% of Dark Web content in commonly blocked categories
URL Lookup in Database: www.sportsbook.com/ is found in the URL Database and categorized as Gambling
URL Keyword Analysis: www.casinoonthe.net/ is Uncategorized in the database but categorized as Gambling from the URL keyword
Real-time Dynamic Content Analysis: an Uncategorized site is passed to the Dynamic Content Analysis Engine (Analyze Site Content) and categorized as Gambling
• 237% volume increase in ’09
• Over 70% of compromised web sites are legitimate
• Vulnerabilities in Adobe PDF emerged as the main target, followed by Flash
• 54% of malware encounters due to iframes and exploits
• Cross-Site Scripting and SQL Injection are top attack methods
• 83% of websites have at least 1 serious vulnerability
BoingBoing.net: A Popular Blog
• URLs in browser: 1
• HTTP Gets: 162
• Images: 66 from 18 domains, including 5 separate 1x1 pixel invisible tracking images
• Scripts: 87 from 7 domains
• Cookies: 118 from 15 domains
• 8 Flash objects from 4 domains
Identifying Malware Lurking in the Dark Web
Cisco Security Intelligence Operations: Cisco SensorBase, Threat Operations Center, Advanced Algorithms
Threat Telemetry from Cisco Network and Content Security Deployments; Outbreak Intelligence; External Feeds
Web Reputation Scores: -10 to +10
Predictive, Zero-day Protection
New York Times: Victim of an Advertiser Attack!
• Seemingly legitimate ad turned malicious, causing 3 redirects
• Ultimate destination: protection-check07.com
• Drive By Scareware: full-screen pop-up simulates real AV software, asks user to buy full version to clean machine
• Cisco Web Rep Score: -9.3; Default Action: BLOCK
• NYT site allowed but malicious redirect blocked
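The web-gateway decision described in the categorization and New York Times slides above, a URL database lookup with a keyword fallback for uncategorized URLs and a reputation cut-off applied to every hop of a redirect chain, as an added Python illustration that is not Cisco's code; the database contents, keyword list, every score except the -9.3 from the slide and the -6 block threshold are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample data standing in for the URL database, the keyword list
# and the SensorBase scores. Only protection-check07.com (-9.3) and the
# Gambling category of the two example sites come from the slides.
URL_DATABASE = {"www.sportsbook.com": "Gambling"}
URL_KEYWORDS = {"casino": "Gambling", "poker": "Gambling"}
REPUTATION = {"www.nytimes.com": 7.5, "protection-check07.com": -9.3}
BLOCKED_CATEGORIES = {"Gambling"}
BLOCK_AT_OR_BELOW = -6.0      # assumed cut-off on the -10..+10 scale

def _host(url: str) -> str:
    if "://" not in url:          # slide URLs are written without a scheme
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def categorize(url: str) -> str:
    """Database lookup first; uncategorized URLs fall back to keyword
    analysis of the URL string (the site-content engine is not modelled)."""
    host = _host(url)
    if host in URL_DATABASE:
        return URL_DATABASE[host]
    lowered = url.lower()
    for keyword, category in URL_KEYWORDS.items():
        if keyword in lowered:
            return category
    return "Uncategorized"

def reputation(url: str) -> float:
    """Score on the -10..+10 scale; unknown hosts are treated as neutral."""
    return REPUTATION.get(_host(url), 0.0)

def decide(url: str) -> str:
    """Block on a bad reputation score or a blocked category, else allow."""
    if reputation(url) <= BLOCK_AT_OR_BELOW:
        return "BLOCK"
    if categorize(url) in BLOCKED_CATEGORIES:
        return "BLOCK"
    return "ALLOW"

def follow_redirects(chain):
    """Evaluate each hop of a redirect chain on its own and stop at the first
    blocked hop, so the legitimate origin page stays allowed."""
    decisions = []
    for url in chain:
        verdict = decide(url)
        decisions.append((_host(url), verdict))
        if verdict == "BLOCK":
            break
    return decisions

# Constructed chain modelled on the NYT case: the intermediate ad hosts are
# placeholders, only the final host is from the slide.
NYT_CHAIN = [
    "http://www.nytimes.com/",
    "http://ads.example.net/serve",
    "http://redirect.example.org/go",
    "http://protection-check07.com/scan",
]
```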
Dynamic Vectoring and Streaming (DVS) Engine: Parallel Scans, Stream Scanning
Signature and Heuristic Analysis
• Wide coverage with multiple signature scanning engines
• Identify encrypted malicious traffic by decrypting and scanning SSL traffic
• Seamless user experience with parallel scanning
• Latest coverage with automated updates
Signature Inspection: identify known behaviors
Heuristics Detection: identify unusual behaviors
Layer 4 Traffic Monitor (Cisco IronPort S-Series, between Users and the Internet): Network Layer Analysis, Packet and Header Inspection
Preventing “Phone-Home” Traffic
• Scans all traffic, all ports, all protocols
• Detects malware bypassing Port 80
• Prevents Botnet traffic
Powerful Anti-Malware Data
• Automatically updated rules
• Real-time rule generation using “Dynamic Discovery”
Also available on the ASA as Botnet Traffic Filter
On-Box Common Sense Security
• Allow, block, log based on file metadata, URL category, user and web reputation
• Multi-protocol: HTTP(s), FTP, HTTP tunneled
Off-Box Advanced Data Security (DLP Vendor Box)
• Deep content inspection: structured and unstructured data matching
• Performance optimized: works in tandem with accelerated on-box policies
Documents bound for the Internet, partner sites or webmail are allowed, blocked or logged
Policy dimensions: Identity, Object, Application, Location, Priority, Time
Example values on the slide: Human Resource; Job Sites; Instant Message; P2P; Streaming Media; Facebook; No File Transfer; All; 100 kbps/User; Lunch hour
Granular Control over Application Usage
• Granular control over HTTP, HTTP(s), FTP applications
• Dynamic signature updates maintained by Cisco SIO
Example: Employee in Finance
Access Control Policy: Instant Messaging; Facebook: Limited Apps; Video: 512 kbps max
Access Control Violation: File Transfer over IM; Facebook Chat, Email; P2P
• Block Malware like the ‘Farm Town’ app ad that redirects users to fake antivirus software
• Allow/Block thousands of Facebook Apps
• Allow/Block features like Chat, Messaging, Video & audio bandwidth
Regaining Visibility and Control Through Identity
Visibility | Centralized Enforcement | Single Source Revocation
Branch Office, Corporate Office and Home Office users (AnyConnect Secure Mobility Client) reach SaaS applications through SaaS Single Sign On, with a redirect at login to the User Directory; no direct access to the SaaS application.
Security Management Appliance
Centralized Management: On-Box Centralized Reporting and Tracking; Centralized Policy Management; Delegated Administration
Insight: Across Threats, Data and Applications
Control: Consistent Policy Across Offices and for Remote Users
Visibility: Visibility Across Different Devices, Services, and Network Layers
In-Depth Threat Visibility; Extensive Forensic Capabilities
Multi-Core Optimization
• Addresses latency issues associated with anti-virus scanning
• Enables multi-scan features for improved security efficacy
• Optimized for rich web content
Integrated Identity and Authentication
• NTLM/Active Directory, LDAP, Secure LDAP
• Identity Based Policies
• Transparent, single sign-on (SSO) authentication against Active Directory
• Guest Policies, Re-Auth
Customers, Awards, Partners
• Pioneer in SaaS Web Security
• Over 34% market share in SaaS Web Security (IDC)
• Multi-award winning product portfolio
• Millions of users
• Billions of Web requests scanned every day
• 100% Availability
AnyConnect Secure Mobility (with AnyConnect 3.0): Internet Traffic; VPN – Internal Traffic (optional)
Deployment: Internet; Corporate Office; Branch/Retail or Home Office (ISR G2 with ScanSafe Connector SW); RADIUS/LDAP
Blocked URLs, Blocked Files, Blocked Content; Approved Content
Thank you.