IronPort: The Leader in Email SecurityIronPort: The Leader in Email Security

PROTECTING OVER 340 MILLION EMAIL BOXES WORLDWIDE

Fredrik MyrelidNordic & Baltic Technical Manager IronPort Systems, Inc.

IronPort Systems: The Leader in Email Security

• Industry-leading technology– AsyncOS, powers the world’s fastest

MTA

– SenderBase, the world’s first & largest HTTP & SMTP trafficmonitoring network

• Industry-leading customers– Over 50% of the world’s largest ISPs,

media & technology companies choose IronPort

IronPort C-SeriesEmail Security Appliance

Fixing Email: The Steps Required

IronPort is the First to Implement DomainKeys

Internet

ISPsprivate

publicDNS

1. 2. 3.IDENTITY POLICYREPUTATION

Challenges at the Email Gateway

The typical symptoms everyone headlines on….

• Email SecurityManaging volumes of SPAM and false positive issues

Viruses

Denial of Service attacks, Directory Harvesting, Fraud etc etc

• Policy & Legal Compliance

But what about the bigger picture?

• Availability of email services

• Performance & Latency issues

• Authentication

• Massive Admin & Operations overhead

• Huge Complexity

• Visibility, Reporting & Statistics

• Future-proofing the infrastructure, new services etc

Summarised as..• Lost Productivity (a management issue)

– At the desktop (users are asked to define spam)– IT Admin (to setup, fine tune and monitor spam)

• Consumption of valuable IT resource (an operational issue)– Network bandwidth (wasted on 70% spam)– CPU and memory at the gateway (could be used on genuine mail)– Disk storage (archive everything that arrives, inc. spam)– Increased real-estate (in order to scale with the right performance)

• Legal liability (a risk management issue)– Offensive content– Contravention of legislation (Data Protection, Basel II, SOX, HIPPA etc)– Spam zombies (brand risk, blacklisting)

IronPort Consolidates the Email Perimeter

Anti-Spam

Anti-Virus

Policy Management

Mail Routing

Before IronPort

IronPort Email Security Appliance

Internet

Firewall

MTAs

Groupware

Users

After IronPort

Internet

Users

Groupware

Firewall

IronPort Reduces Administration Advanced Technology Automates Manual Tasks

“These IronPorts run themselves”Joe Chodi, CTO of Major League Baseball

Centralized management: make

Changes only once

Lowest fales positive rateseliminates support calls

No manual white- orblack lists necessary

Automatic rate limitingprotects against Denial of Service

without your intervention

Stop viruses in average 15 hours

Before the anti virus signature is available

Anti-spam updates:up to 60,000 rules/day,

every 5-10 min

No fine tuning or

Training necessary

Centralized & scheduledreporting: You never

Need to sort throguh logs again

Test configuration changeswithouth making them active

IronPort Email Security Appliance

IronPort Architecture for Multi-Layered Email Security

MANAGEMENT TOOLS

ASYNCOS™ MTA PLATFORM

SPAMDEFENSE

CONTENTSCANNING

VIRUSDEFENSE

• IronPort Reputation Filters

• Brightmail• IronPort Anti-Spam

• IronPort Virus Outbreak Filters

• Sophos Anti-Virus

• IronPort Content Filters

• PostX and PGP

AsyncOS: Revolutionary MTA Platform

Traditional Email GatewaysAnd Other Appliances IronPort Email Security Appliance

200Incoming/Outgoing

Connections

Low Performanceand Potential DoS

Single QueueFor all Destinations

Queue BackupDelays All Mail

Per-DestinationQueues

Fault-Toleranceand

Custom Control

10,000Incoming/Outgoing

Connections

High Performance,Predictable

Delivery

Directory Harvest Attack Prevention

Protects Against:Theft of your user database by

spammers

Unique Advantage:Integrates with

SenderBase to track global attacks

Directory Harvest Attack Prevention

Protects Against:Theft of your user database by

spammers

Unique Advantage:Integrates with

SenderBase to track global attacks

Virtual GatewayTechnology

Protects Against:Inadvertent blockage of your

corporate mail

Unique Advantage:Provides up to 256 unique IP

addresses per appliance

Virtual GatewayTechnology

Protects Against:Inadvertent blockage of your

corporate mail

Unique Advantage:Provides up to 256 unique IP

addresses per appliance

Intelligent Bounce Handling

Protects Against:Blacklisting of your IPs from

intentional NDRs

Unique Advantage:Separate IP address for NDRs, In-

conversation recipient checking

Intelligent Bounce Handling

Protects Against:Blacklisting of your IPs from

intentional NDRs

Unique Advantage:Separate IP address for NDRs, In-

conversation recipient checking

AsyncOS™ Standards Based Integration

LDAP

DNS

AdvancedNetworking

EssentialMail

Operations

• Integrates with all standard LDAP servers including Active Directory™

• Carrier-class client and cache on-box

• High performance client resolves millions of record per hour• Configure separate DNS servers per domain

• 802.1Q VLAN Tagging for network security• NIC failover for redundancy• Loopback interfaces for load balancer integration

• Alias, masquerade, and routing tables• Powerful header operations• Store tables on box or in LDAP directory

Multi-Layered Spam & Virus Defense: Preventive + Reactive = Defense in Depth

ReactiveLayer

- Brightmail- IronPort AntiSpam

-Sophos Anti- Virus

PreventiveLayer

- IronPort Reputation

Filtering- Virus Outbreak

Filters

+

Immediate Reaction to Threats

Extremely High Performance

Coarse Outer Layer

Blocks or Rate Limits

Adapts Over Time

Computationally Intensive

Fine-grained Inner Layer

Delete or Quarantine

Black and White Lists

SenderBase®: Data Makes the Difference

• Complaint Reports

• Spam Traps

• MessageComposition Data

• Global Volume Data

• URL Lists

• Compromised Host Lists

• Web Crawlers

• IP Blacklists & Whitelists

• Additional Data

SenderBaseData

Data Analysis/Security Modeling

SenderBaseReputation Scores

-10 to +10

Parameters

Threat Prevention in Realtime

Data Breadth

• Combine HTTP & SMTP data

• Over 5 billion emails per day

• Over 90 SMTP parameters tracked

• Over 20 HTTP parameters tracked

Data Quantity

• Over 200,000 sources

• 8 of the top 10 ISPs, universities

& businesses

• Worldwide sources, including

Americas, Europe & Asia

Data Quality

• Over 3 years of experience

ensuring data integrity

• SourceRank assesses source

quality by cross correlating

multiple sources with known

benchmarks

Exchange,

Lotus/Domino,

Groupwise

80% Bad Mail STOPPED BEFORE

You have accepted connection

Clean, legitimate Mail!

IronPort Mail Flow

AntiSpam

AntiVirus

ContentFilters

VirusOutbreakFilters

SMTPClient

ReputationFilters

Work Queue

wwwIronPort

SenderBase

Nordea Phishing / Sender IP

IronPort Reputation Filters Stop 80% of Hostile Mail at the Door….

• IronPort uses identity & reputation to apply policy• Sophisticated response to sophisticated threats

Anti-SpamEngine

Incoming MailGood, Bad, and “Grey”

or Unknown Email

Reputation Filtering

+10

Trusted Policy

Accepted Policy

Untrusted Policy

Rejected Policy

-10

Traffic Shaping:Mail Flow Control NOT Filtrering

Dell

• Dell’s challenge:– Dell receives over 26M mail per day– Only 1.5M legitimate emails– 68 existing gateways using Spam Assassin with high false

positive rates

• IronPort’s solution:– Reputation filters blocks over 19M emails per day– 5.5M emails per day scanned & removed by Brightmail– Replaced 68 servers with 8 IronPort C60s

• Accuracy of spam filtering increased 10x • Server consolidation with 70%• Operational costs reduced with over 75%

“IronPort hasincreased the

quality andreliability ofour networkoperations,

whilereducing our

costs.”-- Tim Helmsetetter

Manager, GlobalCollaborative Systems

Engineering andService Management,

Dell Corporation

IronPort Outbreak Filters Over 140 Virus Outbreaks Detected, Average Lead Time of 15 hours

“Virus Outbreak Filters helped us from the first day we had it

and it saves us significant

clean up costs during major

virus outbreaks.”

Mark S. DialE-Messaging Team,

Tellabs

Virus Date Virus Threat Level Raised

First Anti-virus Signature Available

Outbreak Filter Lead Time

Bagle.BO 5/31/2005 14:32 PM 16:34 PM 2:02 hours

Bagle BB 2/27/2005 10:39 AM (2/27) 4:22 AM (3/1) 41:43 hours

Mydoom.BL 4/28/2005 19:52 PM 21:43 PM 1:51 hours

MyTob.V 4/3/2005 4:19 AM 9:36 AM 5:17 hours

MyTob.J 3/24/2005 23:30 PM 22:38 PM (the next day) 23:08 hours

Sober.L 3/7/2005 16:10 PM 18:28 PM 2:18 hours

Sober.K 2/21/2005 5:58 AM 7:00 AM 1:02 hours

Mydoom.BB 2/15/2005 18:08 PM 22:54 PM (the next day) 28:46 hours

Sober.J 1/30/2005 22:58 PM 9:21 AM (the next day) 10:22 hours

Bagle.BJ 1/26/2005 19:00 PM 19:32 PM 0:32 hours

Mugly A 11/30/2004 2:57 AM (11/30) 9:08 AM (12/1) 30:11 hours

How Virus Outbreak Filters WorkDynamic Quarantine In Action

T = 0– zip (exe) files

T = 5 mins- zip (exe) files

- Size 50 to 55 KB.

T = 10 mins– zip (exe) files

– Size 50 to 55KB– “Price” in the

name file

T = 8 hours– Release messages

if signature update is in place

Messages

Scanned &

Deleted

Industry Leading Signaturesfrom Sophos Anti-Virus

• Integrated Sophos® anti-virus engine

– High performance in-line scanning

• Easy to deploy and manage

– Intuitive user interface– Single view with Mail Flow

Monitor– Auto updates– Lower TCO with integrated

solution

Easy Custom Filter GenerationProtect your intellectual property & enforce acceptable use

HighPerformance

Flexible

Fine Grained

IronPort Content Scanning Engine

Encrypt

Archive

BCC to Compliance Officer

Notify Legal Personnel

Remove Attachment

Return to Sender

Bounce Email

Drop Email

LDAP Server Queries

Pre- defined HIPAA, GLB, SOX Filters

Customer Specific Filters

Incoming / Outgoing Mail

IronPort Email Security ManagerSingle view of policies for the entire organization

IT

SALES

LEGAL

• Mark and Deliver Spam

• Delete Executables

• Archive all mail

• Virus Outbreak Filters disabled for .doc files

• Allow all media files

• Quarantine executables

Domain, Email Address,

or LDAP Group

IronPort Centralized Management

• Log in anywhere, control everywhere– New systems automatically configure themselves– Mesh network = no single point of failure

• Elegant solution for two systems to 100– Simple interface highlights configuration anomalies– Apply changes to a machine, group, or cluster

IRONPORT CLUSTER

San Jose Group

SJ1 Machine SJ2 Machine

SJ3 Machine

Dublin Group

D1 Machine D2 Machine

D3 Machine

Tokyo Group

T1 Machine T2 Machine

T3 Machine

Enterprise Reporting & Management

• Easy integration with existing monitoring

– Alert Center (via email)

– SNMP

– Reporting API

• Choice of management interfaces

– Effortless Graphical User Interface (GUI)

– Powerful Command Line Interface (CLI)

• Proves the IronPort ROI– Show effectiveness of

reputation, spam, and virus filtering

• In-depth reporting on all senders

– Includes global traffic data from SenderBase

The IronPort Advantage

The IronPort C-Series offers comprehensive & consolidated email security

• IronPort Minimizes the Total Cost of Ownership for your E-mail Infrastructure

– Administrative burden reduced with more than 75%, let’s IT staff do more with less– Increased User productivity– Powerful Management & Reporting tools for small to global organizations, as well as ISP’s– Server consolidation– Reduced load on the network infrastructure– Ease of use– Flexible Filtering solutions – Tailored to your needs

• IronPort increases the availability of your email– Protection against Denial of Service Attacks, Directory Harvesting

• IronPort makes you sleep better at night!– Industry leading Anti-Virus Protection – 15 hours ahead of competition– Multi dimentional Anti-Spam Protection

• Most accurate for the broadest span of threats• Powered by SenderBase (www.senderbase.org)

– Unmatched performance – Scalability from the smallest organization to largest ISP’s

Thank you

The IronPort C-Series offers comprehensive & consolidated email security

Fredrik Myrelid

IronPort Systems, Inc.

fmyrelid@ironport.com