Page 1: IronPort Messaging Security - Arrow ECSFILE/IronPort.pdf · • 150+ Email and Web parameters • 25% of the World’s Email Traffic The Dominant Force in Global Email and Web Traffic

IronPort Messaging Security

PROTECTING OVER 350 MILLION EMAIL BOXES WORLDWIDE

Mirko Schneider, IronPort, A CISCO Business Unit

Soft-Tronik Security Day

The Evolution of Reputation Filters to Self Defending Network 3.0

Page 2

Who is IronPort?

• Founded in 2000 by email pioneers from Hotmail, ListBot, Yahoo

• Idea: building the fastest and strongest gateway appliance

• HQ in California, Silicon Valley

• Worldwide 500+ employees

• 75 in Europe (UK, Germany, Sweden, France, Spain, Italy)

• Revenue 2005: ~70m USD, 2006: ~125m USD

• With Soft-Tronik in CZ/SK since 2006

Page 3

Hot News: IronPort now a part of CISCO

Page 4

The Principles of Industry Leadership

• Analyst Leadership
– Gartner’s Magic Quadrants 2006: Leader
– IDC July 2007: market share leader
– Radicati Market Quadrants 2007: Leader

• Customer Leadership
– 52 of the World’s Largest 100 Companies
– 20+% of Global 2000
– 12 of the 15 largest ISPs

• Technology Leadership
– First with custom, high performance MTA
– First with Reputation Filtering
– First with Virus Outbreak Filters

Page 5

Web Security | Email Security | Security Management | Encryption

IronPort® Gateway Security Products

APPLICATION-SPECIFIC SECURITY GATEWAYS

• EMAIL Security Appliance
• WEB Security Appliance
• Security MANAGEMENT Appliance
• ENCRYPTION Appliance

IronPort SenderBase

BLOCK Incoming Threats

PROTECT Corporate Assets

Data Leakage Prevention

Encryption

CENTRALIZE Administration

Internet

CLIENTS

Page 6

The Key

Page 7

A Simple Idea

1. 2. 3. IDENTITY POLICY REPUTATION

?!

Score

Page 8

IronPort SenderBase® Network

Global Reach Yields Benchmark Accuracy

The Dominant Force in Global Email and Web Traffic Monitoring…

• 5B+ queries daily
• 150+ Email and Web parameters
• 25% of the World’s Email Traffic

…Results in Accuracy and Advanced Protection

Spam Caught by Reputation: IronPort 80%, CipherTrust 50%, BorderWare 40%

Source: www.ciphertrust.com and www.borderware.com, August 6, 2006

Network Reach (Contributing Networks): IronPort 120,000, CipherTrust 4,000, BorderWare 8,000

IronPort Virus Protection Lead: 13 hours* (McAfee, Trend, Symantec, Sophos, CA, F-Secure)

* 6/2005 – 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.

Page 9

IronPort SenderBase™ Reputation

150 parameters for each IP

• Global Volume Data: Over 100,000 organizations, email traffic, web traffic
• Message Composition Data: Message size, attachment volume, attachment types, URLs, host names
• Spam Traps: SpamCop, ISPs, customer contributions
• IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
• Compromised Host Lists: SORBS, OPM, DSBL
• Web site Composition Data: Downloaded files, linking URLs, threat heuristics
• Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long has it been registered, how long has the site been up
• Complaint Reports: Spam, phishing, virus reports
• Domain Blacklists & Safelists: Spamvertized URLs, phishing URLs, spyware sites

www.senderbase.org

Page 10

Leading Edge Technology

Reputation Filtering Sets off Industry Scramble

[Timeline: 2003 to 2005]

• February 16, 2003: IronPort SenderBase™
• July 21, 2003: IronPort Reputation Filters™
• June 4, 2004: CipherTrust TrustedSource™
• June 28, 2004: Symantec Brightmail Reputation Service
• November 9, 2004: Proofpoint MLX Dynamic Reputation™
• May 23, 2005: Recurrent Pattern Detection™
• June 14, 2005: Trend Micro Acquires Kelkea Reputation Product

Page 11

The Leader in Email Security

IronPort C-Series

Page 12

IronPort Email Security Appliances

• High Performance Email Security Appliances Stopping Spam, Viruses, and Enforcing Compliance

IronPort C350/C650

IronPort C100

IronPort X1050

Page 13

Product Consolidation at the Network Perimeter

For Security, Reliability and Lower Maintenance

Anti-Spam

Anti-Virus

Policy Enforcement

Mail Routing

Before IronPort

IronPort Email Security Appliance

Internet

Firewall

MTAs

Groupware

Users

After IronPort

Internet

Users

Groupware

Firewall

Page 14

IronPort Architecture for Multi-Layered Email Security

MANAGEMENT TOOLS

THE IRONPORT ASYNCOS™ EMAIL PLATFORM

SPAM DEFENSE

POLICY ENFORCEMENT

VIRUS DEFENSE

EMAIL AUTHENTICATION

Page 15

IronPort AsyncOS™

Unmatched Scalability and Security

• AsyncOS scalable and secure OS optimized for messaging

• Advanced Email Controls protect reputation and downstream systems

• Standards-based Integration replaces legacy systems with ease

Page 16

IronPort AsyncOS™

Revolutionary Email Platform

Traditional Email Gateways And Other Appliances

• 200 Incoming/Outgoing Connections
• Low Performance/DoS Potential
• Single Queue For all Destinations
• Queue Backup Delays All Mail

IronPort Email Security Appliance

• 10,000 Incoming/Outgoing Connections
• High Performance/Sure Delivery
• Per-Destination Queues
• Fault-Tolerance and Custom Control

Page 17

Multi-layer Spam Defense

Best of Breed

• IronPort Reputation Filters – the outer layer defense

• IronPort Anti-Spam - stops the broadest array of threats – spam, phishing, fraud

Page 18

Spam Grows And Changes

• 100+% growth in volume per year

• Growth in size: 2003: ~2KB per email; 2007: ~30KB per email

• Growth in varieties: Image Spam, PDF, Excel, …

Page 19

Spam Trends

Through Mid-July, 2007

• Spam volumes ticking up

• New spam trends emerging

– PDF spam

– Shows that spammers continue to develop new techniques at a rapid pace

• Several open source blacklists under DDoS attacks in the last 4 weeks

– SURBL, Spamhaus, URIBL all affected

– SenderBase not affected

[Chart: Average Daily Spam (Spam Volume, BN) and Image Spam %, by month, Jan-06 to Jul-07]

Page 20

New Spam Follows

PDF spam, Excel Spam, ...

Page 21

MP3 Spam Outbreak

October 17th, 2007

Outbreak Description

• Spam sent as MP3 audio files
• Files named after popular songs / musicians to fool recipients
• Files randomized by changing audio speed and content
• Represented 1% of spam volumes on day of outbreak

IronPort Protection

• Stopped MP3 spam within minutes through combination of several technologies
• Reputation Filters: proactively blocked majority of MP3 spam by identifying bots sending spam
• IronPort Anti-Spam: issued rules based on file type, file content, message size and other information to catch remaining spam

[Figure: MP3 Spam Example]

Volume & Catch Rate

[Chart: Volume (thousands) and IronPort Catch Rate over Time (GMT)]

Page 22

Future of Spam

Volume of Spam compared to worldwide e-mail traffic, 2007-2011

Year | Volume
2007 | 75%
2008 | 78%
2009 | 80%
2010 | 81%
2011 | 82%

Source: Radicati Group, April 2007

Page 23

Multi-Layered Security

Preventive + Reactive = Defense in Depth

Preventive Layer (blocks ~80% of spam)

• Immediate Reaction to Threats
• Extremely High Performance
• Coarse Outer Layer
• Blocks or Rate Limits

+

Reactive Layer

• Adapts Over Time
• Computationally Intensive
• Fine-grained Inner Layer
• Delete or Quarantine

Page 25

IronPort SenderBase®

Data Makes the Difference

• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data

150 Parameters

SenderBase Data

Data Analysis/Security Modeling

SenderBase Reputation Scores

-10 to +10

Threat Prevention in Realtime

A Broad Data Set Drives Accuracy

Page 26

IronPort Reputation Filters Stop 80% of Hostile Mail at the Door…

• Known good is delivered

• Suspicious is rate limited & spam filtered

• Known bad is deleted/tagged

• Reputation Filters is a switch point

• IronPort uses identity & reputation to apply policy

• Sophisticated response to sophisticated threats

Incoming Mail

Good, Bad, and “Grey” or Unknown Email

Reputation Filtering (preventive)

Anti-Spam Engine (reactive)

Page 27

Reputation-Based Filtering: A Powerful Technique

• Beyond blacklisting—a granular view of behavior

• Scores calculated in real-time

• Pre-configured policies applied dynamically

Page 28

IronPort Reputation Filters

Dell Case Study

• Dell’s challenge:
– Dell currently receives 26M messages per day
– Only 1.5M are legitimate messages
– 68 existing gateways running Spam Assassin were not accurate

• IronPort solution:
– Reputation Filters block over 19M messages per day
– 5.5M messages per day scanned by anti-spam engine
– Replaced 68 servers with 8 IronPort C60s

• Accuracy of spam filtering increased 10x

• Servers consolidated by 70%

• Operating costs reduced by 75%

“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”

-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION

Page 29

Dell Results: One Appliance, 7 Days

96% of all Inbound Mail Rejected or Dropped

19 M Msgs Rejected

930,000 Legitimate Msgs

150,000 Remaining Spam and Virus Dropped

2.1 M Invalid Recipients

22 M Msgs Attempted

Results from live, production systems

Page 30

Multi-Layered Security

Preventive + Reactive = Defense in Depth

Preventive Layer

• Immediate Reaction to Threats
• Extremely High Performance
• Coarse Outer Layer
• Blocks or Rate Limits

+

Reactive Layer

• Adapts Over Time
• Computationally Intensive
• Fine-grained Inner Layer
• Delete or Quarantine

Page 31

IronPort AntiSpam Broadens the Context with Web Reputation

• Content filtering techniques alone are inadequate

• Email reputation systems improved protection

• Combating new attacks demands Web reputation

[Chart axes: Effectiveness over Time, up to TODAY]

Where? Web Reputation: Where does the call to action take you?

Who? Email Reputation: Who is sending you this message?

How? Message Structure: How was this message constructed?

What? Message Content: What content is included in this message?

Page 32

URL

No attachment - Payload delivered via web

Page 33

Anatomy of URL Spam

“Hashbuster” text – from “The Hobbit”

“Advertisement”

Call to Action URL Advertising Pharmaceutical Web Site

Page 35

Web Reputation Data Makes the Difference

• URL Blacklists

• URL Whitelists

• URL Categorization Data

• HTML Content Data

• URL Behavior

• Global Volume Data

• Domain Registrar Information

• Dynamic IP Addresses

• Compromised Host Lists

• Web Crawler Data

• Network Owners

• Known Threats URLs

• Offline data (F500, G2000…)

• Web Site History

SenderBase Data

Data Analysis/Security Modeling

Web Reputation Scores (WBRS)

-10 to +10

Parameters

THREAT PREVENTION IN REALTIME

Page 36

IronPort Anti-Spam

Press Reviews

2007 Technology of the Year: Best Anti-Spam

Jan 2007

Competitors tested: Symantec, Microsoft, Mirapoint, ProofPoint

“easy setup”

“excellent spam filtering”

“no tuning necessary”

“the fewest false positives of any solution tested”

Anti-Spam Bake-Off Winner

Dec 2006

Competitors tested: CipherTrust, Borderware, Sophos, SonicWall

“The superiority of IronPort . . . seems abundantly clear”

“We did not have to rescue a single legitimate message”

“(IronPort) is the absolute must from this test”

Page 37

Multi-layer Virus Defense

Best of Breed

• IronPort Virus Outbreak Filters: stop outbreaks 13 hours ahead of signatures

• Sophos Anti-Virus: signature-based solution with industry-leading accuracy

Page 38

Virus Outbreak Scenario

MyDoom, Bagle, Netsky, Gaobot, Maddis, etc.

nomoney.zip, message.scr, detail3.zip, webcam_image.zip, jokes.txt.scr, stuff.txt.pif, patch.exe

Virus is propagated with a worm

Since no virus signature is available, the virus quickly passes through mail gateways across the internet.

Anti-Virus

Page 39

Traditional AV Solutions Aren’t Responding Quickly Enough . . .

[Charts: Virus Volume over Time (GMT), each marking “First AV Signature Available”]

• Mytob-HJ: 4-19-06
• Kukudro-A: 6-27-06
• Bagle-GT: 4-21-06
• FeebsDI-Q: 6-07-06

Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

Page 40

IronPort SenderBase® Network

First, Biggest, Best Reputation System

Over 100,000 contributing networks

Over 20M IP addresses tracked globally

View into over 25% of email traffic

Over 150 parameters tracked

Global Email and Web Traffic Monitoring

What is going on RIGHT NOW?

Page 41

Introducing Virus Outbreak Filters

[Charts: Virus Volume over Time (GMT), each marking “VOF Protection Starts” and “First AV Signature Available”]

• Mytob-HJ: 32 hrs 57 mins Lead Time!
• Kukudro-A: 3 hrs 38 mins Lead Time!
• FeebsDI-Q: 21 hrs 59 mins Lead Time!
• Bagle-GT: 18 hrs 28 mins Lead Time!

Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

Page 42

How Virus Outbreak Filters Work

Got it

Calculate change in threat level

“I normally see 10 x (exe)zip files per hour”

“I see 90% increase in (exe)zip files”

Virus Outbreak Filters apply SenderBase threat level information to incoming mail

SenderBase Network

SenderBase data collection allows statistical analysis to spot virus outbreak trends - on average 13 hours before the signature is released!

“Watch out for (exe)zip files”

Page 43

How IronPort Virus Outbreak Filters Work

Dynamic Quarantine In Action

T = 0
– zip (exe) files

T = 5 mins
– zip (exe) files
– Size 50 to 55 KB

T = 10 mins
– zip (exe) files
– Size 50 to 55 KB
– “Price” in the file name

T = 8 hours
– Release messages if signature update is in place

Messages Scanned & Deleted

preventive protection | reactive protection
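The timeline on this slide, as an added Python sketch (not IronPort code): the quarantine rule narrows at T = 0, 5 and 10 minutes, and held mail is handed to signature scanning at T = 8 hours once an update is in place. Re-checking held messages when the rule narrows, the class and function names, and the sample messages are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Attachment:
    name: str           # attachment file name
    size_kb: float      # attachment size in KB
    contains_exe: bool  # zip holds an executable: the slide's "zip (exe)"


def is_zip_exe(a: Attachment) -> bool:
    return a.name.lower().endswith(".zip") and a.contains_exe


def in_size_band(a: Attachment) -> bool:
    return 50 <= a.size_kb <= 55


def has_price_in_name(a: Attachment) -> bool:
    return "price" in a.name.lower()


# (minutes since T = 0, label, predicate): the three refinements on the slide.
RULES: List[Tuple[int, str, Callable[[Attachment], bool]]] = [
    (0, "zip (exe)", is_zip_exe),
    (5, "zip (exe), 50 to 55 KB",
     lambda a: is_zip_exe(a) and in_size_band(a)),
    (10, 'zip (exe), 50 to 55 KB, "Price" in file name',
     lambda a: is_zip_exe(a) and in_size_band(a) and has_price_in_name(a)),
]
RELEASE_AFTER_MIN = 8 * 60  # slide: T = 8 hours


def rule_at(minute: int):
    """Return the most specific rule already in force at this minute."""
    current = RULES[0]
    for rule in RULES:
        if rule[0] <= minute:
            current = rule
    return current


class DynamicQuarantine:
    def __init__(self) -> None:
        self.held: List[Tuple[str, Attachment]] = []
        self.delivered: List[str] = []
        self.released_to_av: List[str] = []

    def advance(self, minute: int, signature_in_place: bool = False) -> None:
        """Re-check held mail against the rule in force at `minute` (assumed behaviour)."""
        _, _, matches = rule_at(minute)
        expired = minute >= RELEASE_AFTER_MIN and signature_in_place
        still_held = []
        for msg_id, att in self.held:
            if not matches(att):
                self.delivered.append(msg_id)       # rule narrowed past it
            elif expired:
                self.released_to_av.append(msg_id)  # signature scan takes over
            else:
                still_held.append((msg_id, att))
        self.held = still_held

    def receive(self, minute: int, msg_id: str, att: Attachment) -> str:
        self.advance(minute)
        _, _, matches = rule_at(minute)
        if matches(att):
            self.held.append((msg_id, att))
            return "quarantine"
        self.delivered.append(msg_id)
        return "deliver"


# Constructed sample traffic: (arrival minute, message id, attachment).
SAMPLE_MAIL = [
    (1, "m1", Attachment("photos.zip", 120, True)),
    (2, "m2", Attachment("invoice.zip", 52, True)),
    (3, "m3", Attachment("price_list.zip", 53, True)),
    (3, "m4", Attachment("report.zip", 52, False)),
    (12, "m5", Attachment("holiday.zip", 120, True)),
    (15, "m6", Attachment("Price.zip", 51, True)),
]


def run_demo():
    q = DynamicQuarantine()
    verdicts = {mid: q.receive(t, mid, att) for t, mid, att in SAMPLE_MAIL}
    q.advance(RELEASE_AFTER_MIN, signature_in_place=False)
    held_without_signature = [mid for mid, _ in q.held]
    q.advance(RELEASE_AFTER_MIN, signature_in_place=True)
    return verdicts, q.delivered, held_without_signature, q.released_to_av, q.held


if __name__ == "__main__":
    print(run_demo())
```

Messages caught by the coarse T = 0 rule (m1, m2) are let through once the narrowed rule no longer matches them, while the ones that still match stay held until a signature exists.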

Page 44

Virus Outbreak Filters Advantage

Average lead time*: over 13 hours

Major Outbreaks blocked*: 175 outbreaks

Total incremental protection*: over 94 days

* June 2005 – July 2006. Calculated as publicly published signatures from the following vendors: Sophos, McAfee, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.

Virus Name | Date | Virus Description | Lead Time (hh:mm)

Troj/Dloadr-BCK | 7/24/07 | Installs spyware on infected PCs. | 10:06

Troj/Yar-A | 5/24/07 | Widely-spammed out email teaser promising a trailer of the film "Pirates of the Caribbean 3". Downloads spyware onto infected computers. | 3:20

Trojan.Dropper | 5/10/07 | Trojan that attempts to download malicious code. | 10:40

W32.Virut!dr | 4/12/07 | Spammed email that asks recipients to open spyware attachments entitled “document.txt.exe” and “video.zip”. | 31:12

Troj/DwnLdr-GFN | 3/4/07 | Installs backdoor and communicates via HTTP, thus bypassing firewall filters. | 17:31

W32/WowPWS-AU | 3/3/07 | Mass mailing worm that sends emails with the subject: "Chinese test missile obliterates satellite!". Asks users to open spyware infected file. | 6:51

Troj_Agent.JAW | 1/14/07 | Spammed email message that contains PDF attachment. Once attachment is opened, backdoor is installed for remote hackers to access the PC. | 20:08

Page 45

IronPort Policy Enforcement

Inbound/Outbound Content Filtering for Compliance

• Flexible Policy Engine from Blocking Attachments to Enforcing Regulatory Compliance

• Compliance Solutions and Encryption keep communications private and secure

Page 46

Powered By IronPort PXE Encryption

Easiest to Use, Easiest to Deploy

1. Gateway encrypts message
2. User opens IronPort PXE in browser
3. User authenticates & gets message key
4. Decrypted message displayed

IronPort Hosted Keys

Password

Message pushed to Recipient

Key Stored

Page 47

Email Authentication

Superior Security and Identity Protection

• DomainKey Signing – establishes and protects your identity on the Internet

• IronPort Bounce Verification – protects from misdirected bounce attacks

• Directory Harvest Attack Prevention – blocks attempts to steal email directory information

Page 48

The Misdirected Bounce Threat

Makes Up 9% of all Internet Email*

*Source: IronPort Threat Operations Center, INTERNET EMAIL TRAFFIC EMERGENCY: SPAM “BOUNCE” MESSAGES ARE COMPROMISING NETWORKS, April 2006.

Misdirected Bounces Not Discernible From Legitimate Bounces

End User Confusion: “Why did I receive this message?”

Page 49

The Misdirected Bounce Threat

Makes Up 9% of all Internet Email*

*Source: IronPort Threat Operations Center, INTERNET EMAIL TRAFFIC EMERGENCY: SPAM “BOUNCE” MESSAGES ARE COMPROMISING NETWORKS, April 2006.

“Zombies”

[email protected],[email protected]

[email protected]

Recipients:

Sender:

Incoming Gateway

yourcompany.com

Outgoing Gateway

RETURN TO SENDER

Millions of Misdirected Bounces

More than 55% of F500s have experienced disruption of service or a total denial of service due to misdirected bounces

Page 50

IronPort Bounce Verification™

Protects Against Misdirected Bounce Attacks

• All Outgoing Mail Stamped Allowing Legitimate Bounces to be Identified on Return

• Transparent to End Users, No Industry Adoption Required

• Eliminates Help Desk Calls and End User Confusion

• Another IronPort Technical “First”

BV

Internet

BV+
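The stamping idea on this slide, as an added Python sketch (not IronPort code): the outgoing gateway puts a keyed, expiring tag into the envelope sender, and the incoming gateway accepts a bounce (null envelope sender) only if its recipient carries a valid tag. The slide does not describe the real stamp, so the tag layout `bv=<expiry-day>=<mac>=<address>`, the key, the 7-day lifetime, the function names and the sample addresses are all assumptions.

```python
import hashlib
import hmac
from typing import Optional

SECRET = b"constructed-demo-key"  # placeholder key, known only to the gateways
TAG_LIFETIME_DAYS = 7             # assumed validity window for a stamp
SECONDS_PER_DAY = 86400


def mac_for(expiry_day: int, address: str, key: bytes) -> str:
    """Truncated HMAC binding the expiry day to the original sender address."""
    msg = f"{expiry_day}:{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def stamp_sender(address: str, now: int, key: bytes = SECRET) -> str:
    """Outgoing gateway: rewrite the envelope sender (MAIL FROM) with a stamp."""
    expiry_day = now // SECONDS_PER_DAY + TAG_LIFETIME_DAYS
    return f"bv={expiry_day}={mac_for(expiry_day, address, key)}={address}"


def verify_bounce_recipient(rcpt: str, now: int,
                            key: bytes = SECRET) -> Optional[str]:
    """Return the original address if rcpt has a valid, unexpired stamp."""
    parts = rcpt.split("=", 3)
    if len(parts) != 4 or parts[0] != "bv":
        return None
    if not (parts[1].isascii() and parts[1].isdigit()):
        return None
    expiry_day, tag, address = int(parts[1]), parts[2], parts[3]
    if now // SECONDS_PER_DAY > expiry_day:
        return None  # stamp too old: replayed or very late bounce
    expected = mac_for(expiry_day, address, key)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None  # forged or altered stamp
    return address


def handle_inbound(mail_from: str, rcpt_to: str, now: int) -> str:
    """Incoming gateway decision for one envelope."""
    if mail_from != "":
        return "normal-processing"  # not a bounce: usual filtering applies
    if verify_bounce_recipient(rcpt_to, now) is not None:
        return "deliver-bounce"     # answers mail this gateway really sent
    return "reject-misdirected-bounce"


if __name__ == "__main__":
    now = 1_190_000_000  # constructed timestamp
    stamped = stamp_sender("alice@yourcompany.com", now)
    print(stamped)
    print(handle_inbound("", stamped, now))
    print(handle_inbound("", "alice@yourcompany.com", now))
```

A bounce triggered by spam that forged alice@yourcompany.com as its sender comes back to the unstamped address and is rejected, which is why no cooperation from other mail systems is needed.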

Page 51

The Challenger in Web Security

IronPort S-Series

Page 52

IronPort S-Series

S350/S650

Page 53

Web Traffic: Clear & Present Risks

• Over 75% of all Enterprises are infected with Spyware & Malware

• 35-40% of Web usage is non-business related (IDC Research)

• Malware threats & AUP violations result in compliance & legal exposure

The Circle of Risk

Web Traffic

Page 54

Current Systems Not Designed for Today’s Problems

• Low accuracy

• High latency / throughput

• Limited visibility to security threats

“Not the right tool for the job.”

Page 55

Web Traffic

The Long Tail Gets Longer

[Chart: Traffic Volume against # of Sites]

Big Head

Predictable traffic, well known domains

Long Tail

Growing fast, harbors suspect content & malware

“Big Head + Long Tail”

• ~110 Million sites

• ~10-12 Billion Web Pages

• Growing at 35-40% annually

Page 56

IronPort S-Series

Addressing the Entire Spectrum of Web Traffic

[Chart: Traffic Volume against # of Sites, Big Head and Long Tail]

Solution: URL Filtering

Solution: Web Reputation Filters + Signature-based Anti-Malware Defense

• Protects against known & unknown sites

• Best of breed signature scanning

IronPort Web Security Appliance


IronPort S-Series

• Control & secure Web traffic

• Comprehensive management & visibility

• Industry-leading accuracy against Web-based threats

• Carrier-class performance

IronPort Web Security Appliance

Next Generation Web Security Platform


AsyncOS for Web™

Next Generation Architecture

Diagram (Legacy Platforms compared with AsyncOS for Web™): Application Layer Proxying, Network Layer Monitoring, Integrated Scanning Engine


AsyncOS™

Unmatched Scalability

Platform diagram: Management Tools; L4 Traffic Monitor, Web Reputation Filters, URL Filters, Anti-Malware System; IronPort AsyncOS Web Security Platform


Industry-leading Performance: Optimized for Throughput & Latency

• Simultaneous TCP Connections: 100,000 duplex (handles significant traffic spikes)

• HTTP Transactions/Hour: 10M (unburdened), 5M-7M (burdened); serves up to 10-25K users (depending on traffic load)

• Average Latency: 5 to 15 milliseconds (no impact to end-user browsing experience)

IronPort Web Security Appliance


L4 Traffic Monitor: Integrated Network Monitoring

Platform diagram: Management Tools; L4 Traffic Monitor, Web Reputation Filters, URL Filters, Anti-Malware System; IronPort AsyncOS Web Security Platform


Integrated L4 Traffic Monitor: Wire Speed Network Layer Scanning for Malware

• Scans all 65,535 ports at wire speed (~1 Gbps)

• Detects rogue phone home activity

• Catches malware that attempts to bypass Port 80

Diagram: Users, AsyncOS for Web with L4 Traffic Monitor (Network Layer Analysis of TCP Headers & Packets), Internet


IronPort URL Filters: Accuracy & Control

Platform diagram: Management Tools; L4 Traffic Monitor, Web Reputation Filters, URL Filters, Anti-Malware System; IronPort AsyncOS Web Security Platform


IronPort URL Filters: Leading Accuracy and Control

• Biggest, broadest and best database

– 52 categories, over 21M sites, ~3.5B web pages

– 1/3rd of the database is international

• 24 x 7 monitoring

• Regular, automated updates

Categories

Advertisements & PopUps

Arts

Blogs & Forums

Business

Chat

Computing & Internet

Downloads

Education

Entertainment

Fashion & Beauty

Finance & Investment

Food & Dining

Games

Government

Health & Medicine

Hobbies & Recreation

Hosting Sites


Infrastructure

Intimate Apparel & Swimwear

Job Search & Career Development

Kids Sites

Motor Vehicles

News

Peer-to-Peer

Personals & Dating

Philanthropic & Professional Orgs.

Photo Searches

Politics

Proxies & Translators

Real Estate

Reference


Pre-defined & Custom Categories


IronPort Web Reputation Filters: The Outer Layer of Defense

Platform diagram: Management Tools; L4 Traffic Monitor, Web Reputation Filters, URL Filters, Anti-Malware System; IronPort AsyncOS Web Security Platform


IronPort SenderBase Network: Largest Email & Web Traffic Monitoring Network

Largest: over 25% of traffic from 120,000+ sources

Broadest: 150 cross-protocol parameters

Best: Two year “head start” vs. alternative systems


Web Reputation Filters: Data Makes the Difference

• URL Blacklists

• URL Whitelists

• URL Categorization Data

• HTML Content Data

• URL Behavior

• Global Volume Data

• Domain Registrar Information

• Dynamic IP Addresses

• Compromised Host Lists

• Web Crawler Data

• Network Owners

• Known Threats URLs

• Offline data (F500, G2000…)

• Web Site History

Diagram: Parameters feed SenderBase Data, then Data Analysis/Security Modeling, producing Web Reputation Scores (WBRS) from -10 to +10

THREAT PREVENTION IN REALTIME


Dynamic Application of Policies

• IronPort Web Reputation Filters is a powerful first layer of defense

• IronPort Anti-Malware System provides a sophisticated second layer of defense

Diagram: Requested URLs → IronPort Web Reputation Filters → IronPort Anti-Malware System

• Known good sites aren’t scanned

• Unknown sites are scanned

• Known bad sites are blocked


IronPort Anti-Malware System: Rapid Scanning with IronPort DVS™ Engine

Platform diagram: Management Tools; L4 Traffic Monitor, Web Reputation Filters, URL Filters, Anti-Malware System; IronPort AsyncOS Web Security Platform


IronPort DVS™ Engine: Fast, Multi-Signature Scanning

• Rapid object parsing & vectoring

• Stream scanning

• Dynamic early exit

• Reputation-based verdict caching

Preserves User Browsing Experience

Diagram: IronPort DVS™ Engine with Streaming Scanner, Signature Type 1, Signature Type 2, and Reputation-Based Verdict Caching


Stream Scanning

Processes objects in parallel to minimize latency


Where will it lead us?


The present and the future

• IDC: market share leader SCM appliances

• Gartner: “This acquisition (by Cisco) makes SenderBase the de facto reputation standard”

• Radicati: “leading provider of email security appliances”, “strong solution for customers looking for ‘self-defending networks’”


Self Defending Network 3.0

• Wide Traffic Inspection

• Firewalls, routers, email appliances, web appliances, end point security agents

• Sharing data across multiple protocols, across multiple network egress points, and across multiple networks worldwide


IronPort Evaluation Policy

• Free evaluation for 30 days

– starts with activation of keys on unit

– can be extended on request

• Any size and any way

– you get the right unit for your individual needs

– different ways of testing (live/stealth, parallel, offline)

– full support, full functionality

• About 85% of users who evaluate become happy customers!


Get In Contact

Mirko Schneider, Territory Manager, Eastern Europe & Russia

IronPort Systems, Munich / Germany

Tel: +49 - 89 - 45 22 27 32

Fax: +49 - 89 - 45 22 27 10

Mobile: +49 - 172 - 83 96 04 7

Web: www.ironport.com

Email: [email protected]

