© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential
Cisco IronPort Email & Web Security
Frédéric HER, CISSP, Systems Engineer, Africa, Cisco IronPort, [email protected]
Cisco IronPort: Unparalleled Market Leadership
• IronPort founded in 2000, acquired by Cisco in 2007
• 20,000+ customers globally
• 400 million users protected
• 40% of Fortune 100 companies
• 8 of the 10 largest Service Providers
• 7 of the 10 largest Banks
• 99%+ customer renewal rates
Analyst recognition (logos): named IronPort the market share leader in the email security appliance market; IronPort positioned as a leading player in the messaging security appliance market; IronPort positioned in the "Leaders" quadrant of the Magic Quadrant report.
The Cisco IronPort Story: Application-Specific Security Gateways
Figure: the Email Security Gateway, the Web Security Gateway and the Management Appliance sit between the Internet and the organization; all of them are fed by SensorBase (the common security database).
BLOCK incoming threats: spam, phishing/fraud, viruses, trojans, worms, spyware, adware, unauthorized access
Cisco IronPort Email Security
Cisco IronPort Email Security Appliance
Email Challenges
Junk mail, viruses, regulations, privacy & control: standard email does not natively offer what is expected of it.
Cisco IronPort Consolidates the Network Perimeter for Security, Reliability and Lower Maintenance
Figure (before/after diagram):
Before Cisco IronPort: Internet → Firewall → separate Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing, Encryption Platform/MTA, DLP Scanner and DLP Policy Manager boxes → Groupware → Users.
After Cisco IronPort: Internet → Firewall → Cisco IronPort Email Security Appliance → Groupware → Users.
Spam Trends
Figure: Average Daily Spam Volume (billions) per month, Jan-08 to Nov-09 (y-axis 0 to 300).
• Record spam volumes and criminal botnet activity
Spam Sophistication Increasing
Figure (timeline 2005 to 2008): text spam → image spam → attachment spam (PDF, Excel, MP3) → targeted attacks. Sample image-spam lure shown three times in slightly different renderings to defeat fingerprinting: "Your Equitable Bank account is closed, call us now at (802)354-4250".
Cisco IronPort SensorBase
• Statistics on more than 30% of the world's e-mail traffic
• New threats & alerts detection
• More than 200 parameters to build reputation scores
E-Mail Reputation Filters: the reputation score is built from data volume, message structure, complaints, blacklists, whitelists and off-line data.
Web Reputation Filters: the reputation score is built from URL blacklists & whitelists, HTML content, domain info, known "bad" URLs, website history...
Email Security Architecture: Cisco IronPort Email Security Appliance
Figure: on the Cisco IronPort AsyncOS email platform, the Mail Transfer Agent is surrounded by Inbound Security (Spam Defense, Virus Defense) and Outbound Control (Data Loss Prevention, Secure Messaging), with Management across the top.
Cisco IronPort AsyncOS: Revolutionary Email Delivery Platform
Traditional email gateways and other appliances: ~200 connections; low performance / peak delivery issues; disk I/O bottlenecks; unable to leverage the full capability of their components.
Cisco IronPort Email Security Appliances: 1K to 10K connections; high performance / sure delivery; limited solely by CPU capacity.
Advanced Controls for Security and Efficiency, and to Protect Against the Risk of Being Blacklisted
IronPort Virtual Gateways:
1. Protect the reputation of a domain
2. Rely on different source IP addresses for sending messages (figure: mail leaves the appliance from several addresses, 163.24.127.3, 163.24.127.4 and 163.24.127.5, rather than from a single one)
Destination Controls:
1. Protect internal servers
2. Rules per destination domain
Email Authentication (DomainKeys, DKIM, SPF, SIDF)
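The slide lists SPF among the authentication checks the appliance performs but does not show how an SPF verdict is reached. The following is an added example, not IronPort code: a minimal SPF evaluator run against a constructed in-memory DNS table (all domains and addresses are hypothetical; the 163.24.127.x block only mirrors the addresses on the slide). It implements the ip4/ip6/a/mx/include/all mechanisms and redirect=, enforces the specification's lookup limit, and returns permerror for anything it does not understand rather than guessing.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (hypothetical names/addresses).
DNS = {
    "example.com": {
        "TXT": ["v=spf1 ip4:163.24.127.0/29 include:_spf.mailer.example -all"],
    },
    "_spf.mailer.example": {"TXT": ["v=spf1 ip4:198.51.100.0/24 ~all"]},
    "partner.example": {
        "TXT": ["v=spf1 mx a:relay.partner.example ?all"],
        "MX": ["mx1.partner.example"],
    },
    "mx1.partner.example": {"A": ["203.0.113.20"]},
    "relay.partner.example": {"A": ["203.0.113.7"]},
    "broken.example": {"TXT": ["v=spf1 exists:%{i}.bl.example -all"]},
}

MAX_DNS_LOOKUPS = 10  # limit from the SPF specification on lookup-causing terms
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get(name, {}).get(rtype, [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is usable; none or several means no policy."""
    recs = [r for r in lookup(domain, "TXT") if r.split() and r.split()[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def check_spf(ip, domain, _lookups=None):
    """Evaluate the SPF policy of `domain` for the connecting `ip`.

    Returns pass, fail, softfail, neutral, none or permerror. Only the
    ip4/ip6/a/mx/include/all mechanisms and redirect= are implemented;
    anything else (exists, ptr, macros) is treated as permerror.
    """
    lookups = _lookups if _lookups is not None else {"n": 0}
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            lookups["n"] += 1
            if lookups["n"] > MAX_DNS_LOOKUPS:
                return "permerror"
            return check_spf(ip, term.split("=", 1)[1], lookups)
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # An IPv4 client never matches an ip6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("a", "mx", "include"):
            lookups["n"] += 1
            if lookups["n"] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                matched = ip in lookup(target, "A")
            elif mech == "mx":
                matched = any(ip in lookup(h, "A") for h in lookup(target, "MX"))
            else:
                # include: matches only when the included policy itself passes
                matched = check_spf(ip, target, lookups) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # fell off the end of the record without an "all" term
```

The result is a verdict, not an action: a gateway still has to decide per policy whether "fail" is rejected outright, quarantined, or merely scored, and whether "softfail" and "none" are treated any differently from "neutral".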
Anti-Spam Defense in Depth
SensorBase Reputation Filtering → IronPort Anti-Spam → Verdict
Spam blocked before entering the network: > 99% catch rate, < 1 in 1 million false positives
SensorBase Reputation Filtering: Real-Time Threat Prevention
Incoming mail (good, bad and unknown) passes through Reputation Filtering and then IronPort Anti-Spam:
• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is blocked
Cisco's internal email experience:
Message category                  % of messages   Messages
Stopped by Reputation Filtering   93.1%           700,876,217
Stopped as invalid recipients      0.3%             2,280,104
Spam detected                      2.5%            18,617,700
Virus detected                     0.3%             2,144,793
Stopped by content filter          0.6%             4,878,312
Total threat messages             96.8%           728,797,126
Clean messages                     3.2%            24,102,874
Total attempted messages         100.0%           752,900,000
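The three-way split above (deliver known good, throttle and scan the unknown, reject known bad) is the policy that makes reputation filtering cheap: the expensive anti-spam engine only sees the middle band. The code below is an added illustration of that policy, not the appliance's implementation; the score thresholds, the per-hour budget and the sample traffic are all assumptions. Unknown senders (no score) are treated as suspicious, and a sender that exhausts its budget is deferred with a temporary failure rather than rejected, so legitimate new senders retry later instead of losing mail.

```python
from collections import deque

# Illustrative thresholds; the appliance's real score bands are not on the slide.
GOOD_AT_OR_ABOVE = 3.0      # known good: deliver without further scanning
BAD_AT_OR_BELOW = -5.0      # known bad: reject during the SMTP conversation
SUSPECT_MSGS_PER_HOUR = 20  # throttle for senders in between (assumed)


class SlidingWindowLimiter:
    """Per-sender-IP message budget over a trailing window."""

    def __init__(self, limit, window_s=3600.0):
        self.limit = limit
        self.window_s = window_s
        self._events = {}

    def allow(self, ip, now):
        q = self._events.setdefault(ip, deque())
        while q and now - q[0] >= self.window_s:   # expire old events
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def triage(score, ip, limiter, now):
    """Map a sender reputation score (-10..+10, None = unknown) to an action."""
    if score is not None and score >= GOOD_AT_OR_ABOVE:
        return "accept"            # known good is delivered
    if score is not None and score <= BAD_AT_OR_BELOW:
        return "reject"            # known bad is blocked (permanent 5xx)
    if limiter.allow(ip, now):
        return "accept-scan"       # suspicious: rate limited and spam filtered
    return "defer"                 # budget exhausted: temporary 4xx, retry later


def run(attempts, limiter=None):
    """attempts: iterable of (t_seconds, ip, score). Returns counts per action."""
    limiter = limiter or SlidingWindowLimiter(SUSPECT_MSGS_PER_HOUR)
    counts = {"accept": 0, "reject": 0, "accept-scan": 0, "defer": 0}
    for t, ip, score in attempts:
        counts[triage(score, ip, limiter, t)] += 1
    return counts


# Constructed traffic: a good sender, a blacklisted sender, and an unknown sender
# that bursts 25 messages in two minutes and comes back an hour later.
SAMPLE = (
    [(i * 10, "192.0.2.10", 7.5) for i in range(5)]
    + [(i * 10, "198.51.100.99", -8.0) for i in range(3)]
    + [(i * 5, "203.0.113.7", None) for i in range(25)]
    + [(3700 + i * 5, "203.0.113.7", None) for i in range(5)]
)
```

Rejecting at connection time, before DATA, is what produces the 93.1% line in the table: those messages never consume bandwidth, disk or scanning CPU on the appliance.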
Cisco IronPort Virus Outbreak Filters: The First Line of Defense
Early protection with IronPort Virus Outbreak Filters
Multi-Layer Virus Defense: Zero-Hour Malware Prevention and AV Scanning
Virus Outbreak Filters act before a signature exists; Anti-Virus scanning follows once signatures are available. Example of an outbreak rule being refined over time:
T = 0: zip (exe) files
T = 5 mins: zip (exe) files, size 50 to 55 KB
T = 15 mins: zip (exe) files, size 50 to 55 KB, "Price" in the filename
An analysis over one year:
Average lead time: over 13 hours
Outbreaks blocked: 291 outbreaks
Total incremental protection: over 157 days
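The T = 0 / 5 / 15 minute sequence above is the interesting part: the first rule is broad (every zip containing an exe) and is narrowed as more is learned, so the false-positive surface shrinks while the outbreak stays covered. The following added example (not IronPort's rule format or engine) models that: each rule carries its publication time, the newest rule at the time of evaluation wins, and the action for a match is assumed to be quarantine, which is the conservative choice while no antivirus signature exists.

```python
import re
from dataclasses import dataclass


@dataclass
class Attachment:
    filename: str
    size: int                 # bytes
    container: str = None     # e.g. "zip" when the file is an archive
    inner_ext: str = None     # extension of the file inside the archive


@dataclass
class OutbreakRule:
    published_at: int         # minutes since outbreak start (T = 0, 5, 15 ...)
    container: str
    inner_ext: str
    size_range: tuple = None  # (lo, hi) in bytes, inclusive
    name_pattern: str = None  # regex matched case-insensitively against the filename

    def matches(self, a):
        if a.container != self.container or a.inner_ext != self.inner_ext:
            return False
        if self.size_range and not (self.size_range[0] <= a.size <= self.size_range[1]):
            return False
        if self.name_pattern and not re.search(self.name_pattern, a.filename, re.I):
            return False
        return True


# The three refinements from the slide, expressed as rules (hypothetical format).
RULES = [
    OutbreakRule(0, "zip", "exe"),
    OutbreakRule(5, "zip", "exe", (50 * 1024, 55 * 1024)),
    OutbreakRule(15, "zip", "exe", (50 * 1024, 55 * 1024), r"price"),
]


def active_rule(rules, t_minutes):
    """The newest rule published at or before t; None before the first rule."""
    candidates = [r for r in rules if r.published_at <= t_minutes]
    return max(candidates, key=lambda r: r.published_at) if candidates else None


def verdict(attachment, t_minutes, rules=RULES):
    """'quarantine' when the rule active at t matches, otherwise 'deliver'."""
    rule = active_rule(rules, t_minutes)
    if rule is not None and rule.matches(attachment):
        return "quarantine"
    return "deliver"
```

In practice the quarantine is re-evaluated when the rule set changes, so a legitimate 80 KB archive held under the T = 0 rule is released once the T = 5 rule narrows the size band.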
Risks for the Organization
Top risk: employees. Biggest impact: customer data.
Figure (pie charts, top data loss types): personal client information 44%, intellectual property 21%, personnel information, information marked Confidential, and smaller categories of 4% to 12% each.
Data Loss Prevention: Comprehensive, Accurate, Easy
Comprehensive: 100+ pre-defined templates; regulatory compliance
Accurate: multiple parameters; key words, proximity, etc.
Easy: one-click activation; policy enable/disable
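"Multiple parameters" and "proximity" are what separate a usable DLP rule from a noisy regex. As an added example (not the appliance's templates or engine), here is a payment-card rule built the way a practitioner would: the digit pattern is a candidate only, the Luhn checksum discards most random 16-digit strings, and a trigger word must appear within a fixed distance of the match. Sample messages, keyword list and the proximity window are all constructed for the example.

```python
import re

# Candidate: 13-16 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Trigger words a policy pairs with the pattern (illustrative list, whole words only).
CONTEXT_RE = re.compile(r"\b(?:card|visa|mastercard|cvv|expiry|exp)\b", re.I)
PROXIMITY_CHARS = 60   # how far from the number a trigger word may sit (assumed)


def luhn_ok(digits):
    """Luhn checksum; filters order numbers, phone numbers and random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return (start, end, digits) for every Luhn-valid candidate."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append((m.start(), m.end(), digits))
    return hits


def has_context(text, start, end):
    window = text[max(0, start - PROXIMITY_CHARS): end + PROXIMITY_CHARS]
    return CONTEXT_RE.search(window) is not None


def scan(text, min_matches=1):
    """Return (action, findings). A number counts only with a trigger word nearby."""
    findings = [h for h in find_card_numbers(text) if has_context(text, h[0], h[1])]
    action = "block" if len(findings) >= min_matches else "allow"
    return action, findings


# Constructed sample messages.
LEAK = "Please charge my Visa card 4111 1111 1111 1111, exp 12/11. Thanks"
BAD_CHECKSUM = "Order number 4111 1111 1111 1112 shipped today"
NO_CONTEXT = "Tracking ref 4111111111111111 is attached to the ticket"
```

The `min_matches` parameter is the usual lever for bulk-export rules: one number in a support reply may be allowed with logging, while a spreadsheet carrying dozens is blocked.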
Email Encryption: Instant Deployment, Zero Management Cost
• Automated key management
• No desktop software requirements
• No new hardware required
Cisco Registered Envelope Service flow:
1. Gateway encrypts the message
2. Message is pushed to the recipient
3. User opens the secured message in a browser
4. User authenticates and receives the message key; the key is stored
5. Decrypted message is displayed
Cisco IronPort Email Security Manager: Single View of Policies for the Entire Organization
Categories: by domain, username, or LDAP. Groups shown: IT, SALES, LEGAL. Example per-group policy settings:
• Mark and deliver spam
• Delete executables
• Archive all mail
• Virus Outbreak Filters disabled for .doc files
• Allow all media files
• Quarantine executables
"IronPort Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance." – PC Magazine
Comprehensive Insight: Unified Business Reporting
Consolidated reports built from multiple data points: email volumes, spam counters, policy violations, virus reports, outgoing email data, reputation service, system health view.
• Single view across the organization
• Real-time insight into email traffic and security threats
• Actionable drill-down reports
Visibility Into Email Messages: Message Tracking
• Track individual email messages: "What happened to the email I sent 2 hours ago?"
• Forensics to ensure compliance: "Who else received similar emails?"

Email Security Hosted Offerings
Cisco IronPort Hosted Email Security
Choice Maximizes Flexibility: Full Continuum of Deployment Options
• Appliances: award-winning technology, on premises
• Managed: fully managed on premises
• Hosted: dedicated SaaS infrastructure, backed by service level agreements
• Hybrid Hosted: best of both worlds

Cisco IronPort Web Security: Overview
Cisco IronPort Web Security Appliance
Malware Threat Distribution
Malware infection vectors are shifting from email to the Web. Figure: malware infections over time, with the email vector declining and the web vector rising.

Malware Evades Legacy Defenses
Figure: traffic volume versus number of sites. The "big head" (a small number of high-traffic sites) is predictable and easy to classify; the "long tail" is hundreds of millions of sites, with thousands of new sites per hour.
• Signatures are reactive and CANNOT keep up
• URL classification is reactive and has low coverage
Exploited Websites: An Invisible Threat

Drive-By Scareware
• A full-screen pop-up simulates real AV software and asks you to buy the full version to clean the machine.
• It fakes a scan of the C:\ drive and pretends to find viruses, even on Linux or Mac OS X.
The Limits of Legacy Solutions
• Low performance: not suitable for current usage of the Web
• High latency
• Low security: often only URL filtering, or only antivirus with no efficient protection against malware
Next Generation Secure Web Gateway
Figure (before/after diagram):
Before Cisco IronPort: Users → separate Web Proxy & Caching, Anti-Spyware, Anti-Virus, Anti-Phishing, URL Filtering and Policy Management boxes → Firewall → Internet.
After Cisco IronPort: Users → Cisco IronPort WSA → Firewall → Internet.
All web security components in a single integrated platform
Web Security Architecture: Cisco IronPort Web Security Appliance
Figure: on the Cisco IronPort AsyncOS web platform, the Proxy Cache is surrounded by URL Filters, Web Reputation Filters, the Anti-Malware System and the L4 Traffic Monitor, with Management across the top.
High-Performance Web Proxy: Connection Management & Optimized Storage
• Maintain a pool of persistent TCP connections (client and server side)
• Co-related object storage and high-performance caching
• Handle extremely high traffic volumes
• Significantly improved response times
Facts & figures:
– 100,000 simultaneous duplex TCP connections to easily handle traffic spikes
– Average latency introduced to the end user: 5 to 15 milliseconds
Detecting Existing Client Infections
Cisco IronPort Layer 4 Traffic Monitor (Cisco IronPort S-Series; network-layer analysis with packet and header inspection, sitting between users and the Internet):
• Scans all traffic, all ports, all protocols
• Detects malware bypassing port 80
• Prevents botnet traffic
Powerful anti-malware data:
• Automatically updated rules
• Real-time rule generation using "Dynamic Discovery"
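The point of the Layer 4 Traffic Monitor is that an already-infected client talks to its controller on whatever port it likes, so a web proxy that only sees ports 80 and 443 never notices. The following added example (not the S-Series implementation) applies that idea to a handful of constructed flow records: any flow to a known-bad address or name is flagged, flows on non-proxy ports are separated out as the ones the proxy alone would miss, and one deny rule per client/destination/port is derived for the bypass traffic. Threat data, addresses and names are all hypothetical.

```python
from collections import defaultdict

# Constructed threat data (hypothetical addresses and names).
KNOWN_BAD_IPS = {"203.0.113.45", "198.51.100.200"}
KNOWN_BAD_NAMES = {"update-check.example"}
PROXY_PORTS = {80, 443, 8080}   # what the web proxy already sees

# Constructed flow records: (timestamp, src_ip, dst_ip, dst_port, proto, dst_name)
FLOWS = [
    ("2009-11-03T10:00:01", "10.1.2.3", "93.184.216.34", 80, "tcp", "example.com"),
    ("2009-11-03T10:00:05", "10.1.2.3", "203.0.113.45", 6667, "tcp", None),
    ("2009-11-03T10:00:09", "10.1.2.9", "198.51.100.200", 53, "udp", None),
    ("2009-11-03T10:00:12", "10.1.2.3", "203.0.113.45", 6667, "tcp", None),
    ("2009-11-03T10:01:30", "10.1.2.7", "192.0.2.10", 443, "tcp", "update-check.example"),
]


def is_bad_destination(dst_ip, dst_name):
    return dst_ip in KNOWN_BAD_IPS or (dst_name or "") in KNOWN_BAD_NAMES


def infected_clients(flows):
    """Group suspicious flows by internal client.

    Returns {src_ip: {"proxy_bypass": [...], "via_proxy": [...]}} where each entry
    is (dst_ip, dst_port, proto). "proxy_bypass" holds the flows to known-bad
    destinations that never pass through the web proxy at all.
    """
    report = defaultdict(lambda: {"proxy_bypass": [], "via_proxy": []})
    for _ts, src, dst, port, proto, name in flows:
        if not is_bad_destination(dst, name):
            continue
        via_proxy = proto == "tcp" and port in PROXY_PORTS
        report[src]["via_proxy" if via_proxy else "proxy_bypass"].append((dst, port, proto))
    return dict(report)


def block_rules(report):
    """One deny rule per (client, destination, port, proto) seen bypassing the proxy."""
    rules = set()
    for src, buckets in report.items():
        for dst, port, proto in buckets["proxy_bypass"]:
            rules.add(f"deny {proto} from {src} to {dst} port {port}")
    return sorted(rules)
```

The 10.1.2.7 flow is the case worth noting: it does go through the proxy (port 443), but the destination name is on the list, so the proxy-side filter and the L4 monitor should both fire; the two controls are complementary rather than redundant.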
Web: Huge, Growing and Transient
Figure: number of web pages over time. 1998: 28 million web pages; 2000: 1 billion; 2008: 1 trillion; 2005 marked as the Web 2.0 tipping point. The static Web (traditional content publishers) was the focus of legacy URL filtering; the dynamic Web is user-generated and Web 2.0 content.
Source: multiple, including Cisco SIO, Google, Wikipedia
The Dark Web Challenge: Legacy URL Filtering Effectiveness is Decreasing
• Legacy URL filtering primarily focuses on crawling and manual review/classification
• Databases add thousands of new URLs per day... while the web adds a billion
• 95% of the web will be uncategorized by 2015
Figure: URL lookup in a database. www.sportsbook.com/ is found → Gambling (database categories shown: Obscene, Porn, Adult, Gambling); a URL that is not in the database → Uncategorized.
Cisco IronPort Web Usage Controls: Dynamic Categorization for the Dark Web
Industry-leading URL database efficacy:
• 65 categories
• Updated every 5 minutes
• Powered by Cisco SIO
Dynamic categorization identifies ~90% of Dark Web content in commonly blocked categories.
Figure: www.sportsbook.com/ is found by URL lookup in the database → Gambling. www.casinoonthe.net/ is not in the database (Uncategorized); URL keyword analysis and the Dynamic Content Analysis Engine (which analyzes the site content) classify it → Gambling.
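The figure describes a fall-through pipeline: exact database lookup first, then keyword analysis of the URL itself, then analysis of the fetched content. The example below is an added sketch of that pipeline, not the Web Usage Controls engine: the database, keyword lexicon, term threshold and sample page are constructed, and content is supplied through a caller-provided `fetch_html` callback so the code runs offline. The database lookup walks up the host labels so that subdomains inherit a parent's category, which is how most real URL databases are keyed.

```python
import re
from urllib.parse import urlsplit

URL_DB = {"www.sportsbook.com": "Gambling"}       # constructed database
KEYWORDS = {                                      # constructed lexicon per category
    "Gambling": ("casino", "poker", "sportsbook", "betting", "slots"),
    "Adult": ("porn", "xxx", "adult"),
}
CONTENT_THRESHOLD = 3   # term hits needed before content analysis gives a verdict (assumed)


def db_lookup(host):
    """Exact lookup, then parent domains, so sub.www.sportsbook.com inherits Gambling."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        cat = URL_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def keyword_analysis(url):
    """Stage 2: category words embedded in the host name or path."""
    u = urlsplit(url)
    text = ((u.hostname or "") + u.path).lower()
    for cat, words in KEYWORDS.items():
        if any(w in text for w in words):
            return cat
    return None


def content_analysis(html):
    """Stage 3: strip tags, count category terms, pick the category over threshold."""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    words = re.findall(r"[a-z]+", text)
    best, best_n = None, 0
    for cat, terms in KEYWORDS.items():
        n = sum(1 for w in words if w in terms)
        if n > best_n:
            best, best_n = cat, n
    return best if best_n >= CONTENT_THRESHOLD else None


def categorize(url, fetch_html=lambda url: ""):
    host = (urlsplit(url).hostname or "").lower()
    return (db_lookup(host)
            or keyword_analysis(url)
            or content_analysis(fetch_html(url))
            or "Uncategorized")


# Constructed page for the content stage (no network access in this example).
SAMPLE_HTML = ("<html><body><h1>Play poker</h1>"
               "<p>online casino slots, poker tonight</p></body></html>")
```

Ordering matters for cost as well as accuracy: the database answer is a hash lookup, keyword analysis needs no fetch, and only the residue reaches content analysis, which is the stage that actually scales to the long tail.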
Cisco Security Intelligence Operations (SIO): Unmatched Visibility Drives Unparalleled Efficacy
Figure: Cisco IronPort Web Security Appliances on customer premises send uncategorized URLs and crawler targeting to Cisco SIO, and customer administrators send URL categorization requests. SIO combines crowd sourcing, manual categorization, web crawlers, external feeds, and traffic data from Cisco IronPort Email Security Appliances, Cisco IPS and Cisco ASA sensors in its analysis and processing to build the master URL database; updates are published every 5 minutes.
Protection For a Dynamic Web 2.0 World: Visibility Beyond the Initial Threat
• Web pages are made up of objects coming from different sources
• Objects can be images, executables, JavaScript...
• Compromised websites often grab malicious objects from external sources (figure: a client PC loads a trusted web site whose page pulls objects from web servers not affiliated with it, e.g. ad servers)
• Web Reputation Filters scan each object, not just the initial request
• Security means looking at each object individually, not just the initial request
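To make the "each object, not just the initial request" point concrete, here is an added example (not the Web Reputation Filters code) that parses a constructed page served by a well-reputed host, resolves every embedded object to an absolute URL, and scores each one separately. The reputation table, thresholds and host names are hypothetical. The result is exactly the situation on the slide: the page itself is allowed while a third-party script and frame it pulls in are blocked, and an object from an unknown host is sent for scanning rather than trusted by association.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed reputation table keyed by host: -10 (bad) .. +10 (good).
REPUTATION = {"www.trusted.example": 8.0, "cdn.trusted.example": 7.5,
              "ads.sketchy.example": -6.2}
UNKNOWN_SCORE = 0.0
BLOCK_BELOW, SCAN_BELOW = -3.0, 5.0   # assumed thresholds: block / scan / allow


class ObjectCollector(HTMLParser):
    """Collect the URLs of objects the browser would fetch while rendering."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "embed": "src",
             "object": "data", "link": "href"}

    def __init__(self, base):
        super().__init__()
        self.base, self.objects = base, []

    def handle_starttag(self, tag, attrs):
        attr = self.ATTRS.get(tag)
        if attr:
            value = dict(attrs).get(attr)
            if value:
                self.objects.append(urljoin(self.base, value))  # resolve relative URLs


def reputation(url):
    return REPUTATION.get(urlsplit(url).hostname, UNKNOWN_SCORE)


def decide(score):
    if score < BLOCK_BELOW:
        return "block"
    if score < SCAN_BELOW:
        return "scan"      # unknown or middling: hand to the anti-malware engines
    return "allow"


def evaluate_page(page_url, html):
    """Return [(url, score, action)], the page first, then each embedded object."""
    collector = ObjectCollector(page_url)
    collector.feed(html)
    decisions = [(page_url, reputation(page_url), decide(reputation(page_url)))]
    for obj in collector.objects:
        decisions.append((obj, reputation(obj), decide(reputation(obj))))
    return decisions


def page_verdict(decisions):
    """Worst action across the page and its objects."""
    actions = {a for _, _, a in decisions}
    return "block" if "block" in actions else "scan" if "scan" in actions else "allow"


# Constructed page: trusted site pulling in a third-party script, image and frame.
PAGE_URL = "http://www.trusted.example/news/"
PAGE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.trusted.example/app.js"></script>
<script src="http://ads.sketchy.example/track.js"></script>
</head><body>
<img src="//img-host.example/banner.png">
<iframe src="http://ads.sketchy.example/frame.html"></iframe>
</body></html>"""
```

Note that this only covers what is statically present in the markup; objects injected by scripts at run time show up as separate requests to the proxy, which is why the per-request reputation check has to apply to every fetch, not just to parsed pages.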
Cisco IronPort DVS Engine: Dynamic Vectoring and Streaming
• Accelerated signature scanning: parallel scans, stream scanning
• Automated updates
• Multiple integrated verdict engines: McAfee and Webroot (figure: Webroot + McAfee together give ~35% additional coverage across adware, spyware, trojans, worms and viruses compared with either engine alone)
• Decrypt & scan SSL traffic, selectively, based on category & reputation
Cisco IronPort DVS Engine: Multi-Layered Malware Defense
Figure: Policy Management feeds the IronPort DVS Engine, which dispatches objects to the verdict engines Webroot, McAfee and verdict engine "N".
• Deep content inspection
• High-performance scanning: parallel scans, stream scanning
• Multiple verdict engines: integrated, on-box; supported engines: Webroot, McAfee
Usage of Ports 80 & 443 Has Changed
• A lot of applications traversing port 80 are not "web browsing"
• A lot of applications using port 80 are not business-related
• Nearly all companies have webmail users: what about malicious attached files?
• Instant messaging is found in all companies: how do you keep it open while ensuring your network is not at risk?
• Web-based file transfer is growing fast (MegaUpload, Rapidshare...)
• Peer-to-peer is still used heavily
Understanding Web Traffic: Web Application Controls
• Native control for HTTP, HTTP(S) and FTP applications
• Selective decryption of SSL traffic for security and policy
• Policy enforcement for applications tunneled over HTTP: FTP, IM, video
• Application traversal using policy-based HTTP CONNECT
HTTPS Scanning: Selective, Based on Trust
Figure: Users → Cisco IronPort WSA → Internet → Web server. Traffic is decrypted, inspected and re-encrypted selectively, based on trust (reputation), category and source.
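Both of the preceding slides come down to one decision taken when a client sends CONNECT: refuse the tunnel, pass it through untouched, or terminate the TLS session and inspect. The following added example (not the WSA policy engine) parses the CONNECT request line and applies such a policy: tunnels to anything other than a TLS port are refused, which is what stops IM and peer-to-peer clients from riding CONNECT to arbitrary ports; privacy-sensitive categories are never decrypted; and webmail, file transfer, uncategorized or poorly reputed destinations are decrypted. Category and reputation tables, thresholds and host names are all constructed for the example.

```python
ALLOWED_CONNECT_PORTS = {443}                    # explicit tunnels only to TLS (assumed)
DECRYPT_CATEGORIES = {"Webmail", "File Transfer", "Uncategorized"}
PASSTHROUGH_CATEGORIES = {"Banking", "Health"}   # privacy-sensitive: never decrypt
REPUTATION_DECRYPT_BELOW = 5.0                   # assumed threshold

# Constructed lookups (hypothetical hosts).
CATEGORY = {"mail.example": "Webmail", "bank.example": "Banking",
            "files.example": "File Transfer", "good.example": "Business"}
REPUTATION = {"mail.example": 7.0, "bank.example": 9.0,
              "files.example": -2.0, "good.example": 8.0}


def parse_connect(request_line):
    """Parse 'CONNECT host:port HTTP/1.x' into (host, port); ValueError if malformed."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError("not a CONNECT request")
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit() or not (0 < int(port) < 65536):
        raise ValueError("authority must be host:port")
    return host.strip("[]").lower(), int(port)   # strip IPv6 literal brackets


def connect_policy(request_line):
    """Return 'deny', 'pass-through' or 'decrypt' for a CONNECT request."""
    host, port = parse_connect(request_line)
    if port not in ALLOWED_CONNECT_PORTS:
        return "deny"                    # IM, P2P and other tunnels on odd ports
    category = CATEGORY.get(host, "Uncategorized")
    if category in PASSTHROUGH_CATEGORIES:
        return "pass-through"            # trust decision overrides reputation here
    if category in DECRYPT_CATEGORIES or REPUTATION.get(host, 0.0) < REPUTATION_DECRYPT_BELOW:
        return "decrypt"                 # terminate TLS, inspect, re-encrypt
    return "pass-through"
```

Decrypting a tunnel means the proxy presents its own certificate for the destination, so clients must trust the proxy's signing CA; the pass-through list is where the organization records which destinations it has chosen not to look inside.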
Cisco IronPort WSA: Complete Data Security
On-box common-sense security:
• Allow, block, log based on file metadata, URL category, user and web reputation
• Multi-protocol: HTTP(S), FTP, HTTP tunneled
Off-box advanced data security:
• Deep content inspection: structured and unstructured data matching
• Performance optimized: works in tandem with accelerated on-box policies
Figure: documents leaving for the Internet, a partner site or webmail are either handled on-box (log / allow / block) or handed to an external DLP vendor box, which returns a content verdict (log / allow / block).
Cisco IronPort Web Security Manager: Single View of Policies for the Entire Organization
Group by LDAP, Active Directory, network. Groups shown: Marketing, IT, Sales. Example policy sets:
• Block executables; block gambling sites; block all malware
• Allow Skype; monitor all traffic; allow executables; allow all applications; allow all protocols
• Block FTP; allow media files; allow all URL categories
Delegated Administration: Flexibility to Support Organizational Requirements
Figure: groups IT, SALES and LEGAL with policies such as No Media, No FTP, No Webmail.
• Assign administrators for groups of users, appliances, subnets, or destinations
• Fine-grained, role-based access control
• The global administrator defines roles and access permissions
• A policy officer sets rules for the users they manage
Comprehensive Reporting
In-depth threat visibility:
- Web Traffic Overview
- Layer 4 Traffic Monitor
- Anti-Malware Category and Threat Details
- Client Malware Risk & Activity Detail
- Website Activity and Detail
Extensive forensic capabilities:
- Investigate acceptable use violations
- Drill down for further analysis
- Satisfy compliance requirements
Detailed off-box analysis:
- Offload extensive data crunching
- Top N and trend reporting for malware
- Client, source, malware name and category
for IronPort

Web Security Hosted Offerings
ScanSafe SaaS Web Security is now part of Cisco
The Leading SaaS Web Security Solution
• Pioneer
• Leadership position: 34.5% market share (IDC)
• 30 billion web requests monthly
• Millions of users
• Customers in 100+ countries
• 100% availability
• 200 million threats blocked monthly
• Award-winning: security product of the year 2008
Customers, awards and partners (logos)