Cisco IronPort Email & Web Security
Frédéric HER, CISSP, Systems Engineer, Africa, Cisco IronPort Solutions, [email protected]
Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco IronPort: Unparalleled Market Leadership
• IronPort founded in 2000, acquired by Cisco in 2007
• Positioned in the "Leaders" quadrant of the Magic Quadrant report
• 20,000+ customers globally; 400 million users protected
• 40% of Fortune 100 companies; 8 of the 10 largest service providers; 7 of the 10 largest banks
• Positioned as a leading player in the messaging security appliance market; named the market share leader in the email security appliance market
• 99%+ customer renewal rates

The Cisco IronPort Story: Application-Specific Security Gateways
BLOCK incoming threats: spam, phishing/fraud, viruses, Trojans, worms, spyware, adware, unauthorized access
SensorBase (the common security database) feeds the application-specific security gateways: the Email Security Gateway, the Web Security Gateway and the Management Appliance.
Cisco IronPort Email Security
Cisco IronPort Email Security Appliance

Email Challenges
Standard email (SMTP) does not natively offer what users and organizations expect: it has no built-in defence against junk mail or viruses, and no privacy, control or regulatory compliance features.
Cisco IronPort Consolidates the Network Perimeter: for security, reliability and lower maintenance
Before Cisco IronPort: Internet -> Firewall -> a chain of separate boxes (encryption platform, DLP scanner, MTA, anti-spam, anti-virus, DLP policy manager, policy enforcement, mail routing) -> Groupware -> Users
After Cisco IronPort: Internet -> Firewall -> Cisco IronPort Email Security Appliance -> Groupware -> Users
Spam Trends
(Chart: average daily spam volume in billions, by month, from January 2008 to late 2009; y-axis 0 to 300.) Record spam volumes and criminal botnet activity.

Spam Sophistication Increasing
• 2005: text spam
• 2006: image spam (e.g. an image reading "Your Equitable Bank account is closed, call us now at (802)354-4250")
• 2007: attachment spam (PDF, Excel, MP3)
• 2008: targeted attacks
Cisco IronPort SensorBase
• Statistics on more than 30% of the world's e-mail traffic
• New threats and alerts detection
• More than 200 parameters used to build reputation scores
E-Mail Reputation Filters build their reputation score from: data volume, message structure, complaints, blacklists and whitelists, off-line data.
Web Reputation Filters build their reputation score from: URL blacklists and whitelists, HTML content, domain info, known "bad" URLs, website history...
Email Security Architecture: Cisco IronPort Email Security Appliance
• Inbound security: Spam Defense, Virus Defense
• Outbound control: Data Loss Prevention, Secure Messaging
• Management
• Mail Transfer Agent on the Cisco IronPort AsyncOS email platform
Cisco IronPort AsyncOS: Revolutionary Email Delivery Platform
Traditional email gateways and other appliances: about 200 connections; low performance and peak-delivery issues; unable to leverage the full capability of the components; disk I/O bottlenecks.
Cisco IronPort Email Security Appliances: 1K-10K connections; high performance and sure delivery; limited solely by CPU capacity.
Advanced Controls for Security and Efficiency, and to protect against the risk of being blacklisted

Destination Controls
1. Protect internal servers
2. Rules per destination domain

IronPort Virtual Gateways (example: outbound mail sourced from 163.24.127.3, 163.24.127.4 and 163.24.127.5 instead of a single address)
1. Protect the reputation of a domain
2. Rely on different IP addresses for sending messages

Email Authentication (DomainKeys, DKIM, SPF, SIDF)
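SPF is the simplest of the four authentication mechanisms listed above to reason about, so here is a worked evaluator for it. This is an added example and not Cisco or IronPort code: it implements the core of RFC 7208 check_host() (ip4, ip6, a, include and all mechanisms with the four qualifiers, plus the ten-lookup limit) against an in-memory DNS table. The domains, records and addresses are constructed; mx, ptr, exists and the redirect= modifier are not modelled and are reported as permerror.

```python
"""Minimal SPF (RFC 7208) evaluator against a constructed, in-memory DNS table.
Added example, not Cisco/IronPort code. All names and addresses are made up."""
import ipaddress

# Constructed DNS answers: TXT records (SPF) and A records. Hypothetical data.
DNS_TXT = {
    "example.com": "v=spf1 ip4:163.24.127.0/29 a include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # pathological self-include
}
DNS_A = {
    "example.com": ["203.0.113.25"],
}

MAX_DNS_LOOKUPS = 10   # RFC 7208 section 4.6.4 limit on DNS-querying terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, lookups=None):
    """Return the SPF result for connecting IP `ip` claiming MAIL FROM `domain`."""
    if lookups is None:
        lookups = [0]          # shared counter across include: recursion
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "a":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if any(addr == ipaddress.ip_address(a) for a in DNS_A.get(target, [])):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            inner = check_host(ip, arg, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"
            # fail / softfail / neutral inside an include: not a match, keep going
        else:
            return "permerror"   # mx, ptr, exists, redirect= not modelled here
    return "neutral"   # record ended without a match and without an "all" term
```

A gateway would run this once per connection and feed the result (together with DKIM) into the acceptance policy; note that an include loop is caught only because the lookup counter is shared across the recursion.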
Anti-Spam Defense in Depth
SensorBase Reputation Filtering -> IronPort Anti-Spam -> Verdict
• Spam blocked before entering the network
• > 99% catch rate
• < 1 in 1 million false positives
SensorBase Reputation Filtering: Real Time Threat Prevention
Incoming mail (good, bad and unknown) passes through Reputation Filtering and then IronPort Anti-Spam:
• Known good is delivered
• Suspicious is rate limited and spam filtered
• Known bad is blocked

Cisco's internal email experience:

  Message category                    % of total       Messages
  Stopped by Reputation Filtering        93.1%     700,876,217
  Stopped as invalid recipients           0.3%       2,280,104
  Spam detected                           2.5%      18,617,700
  Virus detected                          0.3%       2,144,793
  Stopped by content filter               0.6%       4,878,312
  Total threat messages                  96.8%     728,797,126
  Clean messages                          3.2%      24,102,874
  Total attempted messages              100.0%     752,900,000
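The three-way split above (deliver known good, throttle and scan the suspicious, refuse known bad) is a connection-time policy keyed on the sender's reputation score. The following is an added example of such a policy and is not AsyncOS code: the -10..+10 score scale, the thresholds, the per-hour recipient limits and the sender IPs are all assumptions. Throttling is done with a sliding one-hour window per sender IP and answered with a 451 temporary failure, so a legitimate but unknown sender retries later while a spam cannon is starved.

```python
"""Reputation-driven SMTP connection policy with per-sender rate limiting.
Added example modelled on the accept / rate-limit / block split described
above; not AsyncOS code. Scores, thresholds, limits and IPs are assumptions."""
from collections import defaultdict, deque

# Hypothetical reputation feed: sender IP -> score, -10 (worst) .. +10 (best).
REPUTATION = {
    "203.0.113.5": 7.2,     # known good bulk sender
    "198.51.100.9": -2.1,   # suspicious: little history, some complaints
    "192.0.2.66": -8.5,     # known bad: botnet member
}

# Policy table, ordered from best to worst score (thresholds are assumptions).
POLICIES = [
    # (min_score, policy name, max recipients per hour, run anti-spam engine?)
    (-1.0, "TRUSTED", None, False),   # deliver; no throttle, skip the spam engine
    (-3.0, "SUSPECT", 20, True),      # throttle hard and run anti-spam
    (-10.0, "BLOCKED", 0, True),      # refuse the connection outright
]
UNKNOWN_POLICY = ("UNKNOWN", 200, True)   # no reputation data: accept, scan, mild limit
WINDOW_SECONDS = 3600


class ConnectionPolicy:
    def __init__(self):
        self._recent = defaultdict(deque)   # ip -> timestamps of accepted recipients

    def policy_for(self, ip):
        score = REPUTATION.get(ip)
        if score is None:
            return UNKNOWN_POLICY
        for min_score, name, limit, scan in POLICIES:
            if score >= min_score:
                return name, limit, scan
        return "BLOCKED", 0, True

    def decide(self, ip, now):
        """Decision for one RCPT TO from `ip` at Unix time `now`.
        Returns (smtp_reply_code, policy_name, scan_with_antispam)."""
        name, limit, scan = self.policy_for(ip)
        if limit == 0:
            return 554, name, scan          # permanent refusal
        if limit is not None:
            window = self._recent[ip]
            while window and now - window[0] >= WINDOW_SECONDS:
                window.popleft()            # drop events older than one hour
            if len(window) >= limit:
                return 451, name, scan      # temporary failure: come back later
            window.append(now)
        return 250, name, scan
```

The test below drives the suspicious sender through its hourly quota: the first twenty recipients are accepted, the twenty-first is deferred, and the quota frees up again once the oldest accept ages out of the window.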
Cisco IronPort Virus Outbreak Filters: The First Line of Defense
Early protection with IronPort Virus Outbreak Filters

Multi-Layer Virus Defense: Zero Hour Malware Prevention and AV Scanning
Virus Outbreak Filters act before signature-based anti-virus, and the outbreak rule is refined as the outbreak is analysed:
• T = 0: zip (exe) files
• T = 5 mins: zip (exe) files, size 50 to 55 KB
• T = 15 mins: zip (exe) files, size 50 to 55 KB, "Price" in the filename

An analysis over one year:
• Average lead time: over 13 hours
• Outbreaks blocked: 291 outbreaks
• Total incremental protection: over 157 days
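The T=0 / T=5 / T=15 progression above is a rule that starts broad (catch the outbreak at once, at the cost of over-matching) and narrows as more is learned. The block below is an added example of that refinement over attachment metadata and is not Cisco's rule language or engine; the messages, sizes and thresholds are constructed, and it assumes that a held message is released when a refined rule no longer matches it.

```python
"""Outbreak-filter style rule matching on attachment metadata, run against
constructed messages. Added example, not Cisco's rule language; the three
rule versions mirror the T=0 / T=5 / T=15 refinement shown above."""

# Constructed attachment metadata: id -> (filename, archive contents, size in bytes)
MESSAGES = {
    "m1": ("price_list.zip", ["offer.exe"], 52_000),          # matches every version
    "m2": ("photos.zip", ["img1.jpg", "img2.jpg"], 52_500),   # zip without an exe
    "m3": ("invoice.zip", ["invoice.exe"], 120_000),          # exe but wrong size
    "m4": ("quarterly.zip", ["report.exe"], 51_000),          # right size, no "price"
    "m5": ("price.pdf", [], 30_000),                          # not an archive at all
}

def rule_v0(name, contents, size):
    """T=0: any zip carrying an executable."""
    return name.lower().endswith(".zip") and any(f.lower().endswith(".exe") for f in contents)

def rule_v1(name, contents, size):
    """T=5 min: additionally a 50-55 KB size band."""
    return rule_v0(name, contents, size) and 50_000 <= size <= 55_000

def rule_v2(name, contents, size):
    """T=15 min: additionally "price" somewhere in the filename."""
    return rule_v1(name, contents, size) and "price" in name.lower()

RULE_VERSIONS = [("T=0", rule_v0), ("T=5", rule_v1), ("T=15", rule_v2)]

def quarantined(rule, messages=MESSAGES):
    """Ids of messages a given rule version would hold in the outbreak quarantine."""
    return sorted(mid for mid, (n, c, s) in messages.items() if rule(n, c, s))

def release_on_refinement(messages=MESSAGES):
    """Re-evaluate the quarantine each time the rule is refined (assumption:
    messages the newer rule no longer matches are released). Returns
    {rule version: ids released at that step}."""
    held = set(quarantined(rule_v0, messages))
    released = {}
    for label, rule in RULE_VERSIONS[1:]:
        still = set(quarantined(rule, messages))
        released[label] = sorted(held - still)
        held = still
    return released
```

Against the constructed set, the T=0 rule holds three messages, the size band releases the 120 KB one, and the filename clue releases the remaining false positive, leaving only the real sample held.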
Risks for the Organization
Top risk: employees. Biggest impact: customer data.
(Pie chart, top data loss types: personal client information, information marked confidential, personnel information, intellectual property, plus several smaller categories; the largest slice is 44%.)
Data Loss Prevention: Comprehensive, Accurate, Easy
• Comprehensive: 100+ pre-defined templates, regulatory compliance
• Accurate: multiple parameters (key words, proximity, etc.)
• Easy: one-click activation, policy enable/disable
Email Encryption: Instant Deployment, Zero Management Cost
1. The gateway encrypts the message; the key is stored with the Cisco Registered Envelope Service
2. The message is pushed to the recipient
3. The user opens the secured message in a browser
4. The user authenticates and receives the message key
5. The decrypted message is displayed
Automated key management; no desktop software requirements; no new hardware required.
Cisco IronPort Email Security Manager: single view of policies for the entire organization
Categories: by domain, username or LDAP group
• IT: allow all media files; quarantine executables
• SALES: mark and deliver spam; delete executables
• LEGAL: archive all mail; Virus Outbreak Filters disabled for .doc files
"IronPort Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance." – PC Magazine

Comprehensive Insight: Unified Business Reporting
Consolidated reports: a single view across the organization, with real-time insight into email traffic and security threats
• Email volumes, spam counters, policy violations, virus reports, outgoing email data, reputation service, system health
• Multiple data points
• Actionable drill-down reports
Visibility Into Email Messages: Message Tracking
• "What happened to the email I sent 2 hours ago?" -> track individual email messages
• "Who else received similar emails?" -> forensics to ensure compliance
Email Security Hosted Offerings
Cisco IronPort Hosted Email Security

Choice Maximizes Flexibility: Full Continuum of Deployment Options
• Appliances: award-winning technology on premises
• Hosted: dedicated SaaS infrastructure
• Hybrid Hosted: best of both worlds
• Managed: fully managed
Backed by service level agreements
Cisco IronPort Web Security Overview
Cisco IronPort Web Security Appliance

Malware Threat Distribution
(Chart: malware infections over time, email vector versus web vector.) Malware infection vectors are shifting from email to the Web.
Malware Evades Legacy Defenses
(Chart: traffic volume versus number of sites.)
• Big head: predictable, easy to classify
• Long tail: hundreds of millions of sites, thousands of new sites per hour
• URL classification is reactive and has low coverage
• Signatures are reactive and CANNOT keep up

Exploited Websites: An Invisible Threat
Drive-By Scareware
• A full-screen pop-up simulates real AV software and asks you to buy the full version to clean the machine.
• It fakes a scan of the C:\ drive and pretends to find viruses, even on Linux or Mac OS X.

The limits of legacy solutions
• Low performance: not suitable for current usage of the Web
• High latency
• Low security: often only URL filtering, or only antivirus, and no efficient protection against malware
Next Generation Secure Web Gateway
Before Cisco IronPort: Internet -> Firewall -> separate web proxy and caching, anti-spyware, anti-virus, anti-phishing, URL filtering and policy management boxes -> Users
After Cisco IronPort: Internet -> Firewall -> Cisco IronPort WSA -> Users
All web security components in a single integrated platform

Web Security Architecture: Cisco IronPort Web Security Appliance
• L4 Traffic Monitor
• URL Filters
• Web Reputation Filters
• Anti-Malware
• Management System
• Proxy and cache on the Cisco IronPort AsyncOS web platform
High-Performance Web Proxy: Connection Management and Optimized Storage
• Maintain a pool of persistent TCP connections (client and server side)
• Handle extremely high traffic volumes
• Co-related object storage and high-performance caching
• Significantly improved response times
Facts and figures:
• 100,000 simultaneous duplex TCP connections to easily handle traffic spikes
• Average latency introduced to the end user: 5-15 milliseconds
Detecting Existing Client Infections
Cisco IronPort Layer 4 Traffic Monitor (on the Cisco IronPort S-Series, sitting between the users and the Internet): packet and header inspection, network layer analysis
• Scans all traffic, all ports, all protocols
• Detects malware bypassing port 80
• Prevents botnet traffic
Powerful anti-malware data:
• Automatically updated rules
• Real-time rule generation using "Dynamic Discovery"
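What "all ports, all protocols" buys you over a proxy is easiest to see on flow data: an infected client's IRC-style beacon on port 6667 or DNS-looking traffic to a command-and-control address never passes through a port-80 proxy. The block below is an added example of that network-level check over constructed NetFlow-like records and is not the IronPort L4 Traffic Monitor; the internal address range, the flow lines and the bad-IP feed are made up. It flags any internal host contacting a listed address on any port and then separates out the hosts whose contacts used a non-web port, which a proxy alone could never have reported.

```python
"""Layer-4 style monitoring over constructed flow records: flag internal hosts
that talk to known malware infrastructure on any port. Added example, not the
IronPort L4 Traffic Monitor; the prefix, flows and bad-IP feed are invented."""
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumption: corporate client range

# Hypothetical threat feed: destination IP -> label.
BAD_IPS = {
    "192.0.2.45": "botnet C2",
    "198.51.100.200": "malware download host",
}

# Constructed flow log (NetFlow-like CSV): time, src, dst, proto, dport, bytes
FLOWS = """\
ts,src,dst,proto,dport,bytes
1700000000,10.1.1.20,203.0.113.10,tcp,80,5120
1700000005,10.1.1.20,192.0.2.45,tcp,6667,310
1700000010,10.1.1.20,192.0.2.45,tcp,6667,290
1700000011,10.1.1.21,198.51.100.200,tcp,80,7800
1700000020,10.1.1.22,203.0.113.11,udp,53,120
1700000030,10.1.1.23,192.0.2.45,udp,53,88
"""

def detect(flow_text=FLOWS, bad_ips=BAD_IPS):
    """Return {internal_host: [(dst, proto, dport, label), ...]} for every
    distinct contact from an internal host to a known-bad destination,
    regardless of port or protocol."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_text)):
        src = ipaddress.ip_address(row["src"])
        if src not in INTERNAL:
            continue                     # only outbound client traffic matters here
        label = bad_ips.get(row["dst"])
        if label is None:
            continue
        key = (row["dst"], row["proto"], int(row["dport"]), label)
        if key not in hits[row["src"]]:  # de-duplicate repeated beacons
            hits[row["src"]].append(key)
    return dict(hits)

def non_web_callbacks(hits):
    """Hosts whose bad contacts used a port other than 80/443: invisible to a
    web proxy, visible only to a network-level monitor."""
    return sorted(host for host, keys in hits.items()
                  if any(port not in (80, 443) for _, _, port, _ in keys))
```

In a real deployment the two outputs feed different actions: every host in detect() is a cleanup ticket, while the non-web set is the evidence that the proxy alone was blind to the infection.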
Web: Huge, Growing and Transient
Number of webpages: 28 million (1998), 1 billion (2000), 1 trillion (2008). Source: multiple, including Cisco SIO, Google, Wikipedia.
• Static Web: traditional content publishers, the focus of legacy URL filtering
• Dynamic Web: user generated and Web 2.0 content; 2005 was the Web 2.0 tipping point

The Dark Web Challenge: Legacy URL Filtering Effectiveness is Decreasing
Legacy URL filtering relies primarily on URL lookup in a database built by crawling and manual review/classification: www.sportsbook.com/ -> Gambling; anything the database has never seen -> Uncategorized (including obscene, adult, porn and gambling sites).
Databases add thousands of new URLs per day, while the web adds a billion. 95% of the web will be uncategorized by 2015.
Cisco IronPort Web Usage Controls: Dynamic Categorization for the Dark Web
1. URL lookup in the database (industry-leading URL database efficacy; 65 categories; updated every 5 minutes; powered by Cisco SIO): www.sportsbook.com/ -> Gambling
2. URL keyword analysis for uncategorized URLs: www.casinoonthe.net/ -> Gambling
3. Dynamic Content Analysis Engine: analyze the site content itself -> Gambling
Dynamic categorization identifies ~90% of Dark Web content in commonly blocked categories.
Cisco Security Intelligence Operations (SIO): Unmatched Visibility Drives Unparalleled Efficacy
Cisco IronPort Web Security Appliances on customer premises send uncategorized URLs to Cisco SIO, customer administrators submit URL categorization requests, and updates are published back every 5 minutes.
Cisco SIO performs analysis and processing of the master URL database, fed by external feeds, crawler targeting, web crawlers, manual categorization, crowd sourcing, and traffic data from Cisco IronPort Email Security Appliances, Cisco IPS and Cisco ASA sensors.
Protection For a Dynamic Web 2.0 World: Visibility Beyond the Initial Threat
Web Reputation Filters scan each object, not just the initial request.
• Web pages are made up of objects coming from different sources (images, executables, JavaScript...), including web servers not affiliated with the trusted web site (e.g. ad servers)
• Compromised websites often grab malicious objects from external sources
• Security means looking at each object individually, not just the initial request
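The per-object point is worth seeing in code, because a filter that only scores the initial request would wave the whole page through on the strength of the trusted landing host. Below is an added example, not the WSA's Web Reputation Filters: it pulls every embedded object (script, img, iframe, embed, object, link) out of a constructed page, resolves each URL against the page base, and gives each one its own verdict from a hypothetical host reputation table. The -10..+10 scale, the block/scan thresholds, the hosts and the HTML are all assumptions.

```python
"""Per-object web reputation check over a constructed page. Added example, not
the WSA's Web Reputation Filters. Page, hosts, scores and thresholds are invented."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical reputation feed, -10 (worst) .. +10 (best); unknown hosts score 0.
HOST_REPUTATION = {
    "www.trusted.example": 8.0,
    "cdn.trusted.example": 7.5,
    "ads.partner.example": -2.0,      # ad network with a spotty history
    "x7.payload.example": -9.0,       # known exploit-kit landing host
}
BLOCK_BELOW = -6.0    # assumption: below this the object is dropped outright
SCAN_BELOW = 3.0      # assumption: grey-zone objects go to the anti-malware engines

# Tag -> attribute that references an external object.
OBJECT_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                "embed": "src", "object": "data", "link": "href"}


class ObjectCollector(HTMLParser):
    """Collects (tag, absolute URL) for every embedded object in document order."""
    def __init__(self, base):
        super().__init__()
        self.base, self.objects = base, []

    def handle_starttag(self, tag, attrs):
        attr = OBJECT_ATTRS.get(tag)
        if attr:
            for k, v in attrs:
                if k == attr and v:
                    self.objects.append((tag, urljoin(self.base, v)))


def classify(url):
    """Verdict for one object from the reputation of its host alone."""
    host = urlsplit(url).hostname or ""
    score = HOST_REPUTATION.get(host, 0.0)
    if score < BLOCK_BELOW:
        return "block"
    if score < SCAN_BELOW:
        return "scan"
    return "allow"


def inspect_page(base_url, html):
    """Return [(tag, url, verdict)] for every embedded object of the page,
    so a single bad script is blocked without refusing the trusted page."""
    parser = ObjectCollector(base_url)
    parser.feed(html)
    return [(tag, url, classify(url)) for tag, url in parser.objects]


# Constructed page served from the trusted host: a first-party stylesheet and
# logo, a third-party ad slot, and an injected script from a known-bad host.
PAGE = """<html><head><link rel="stylesheet" href="/site.css"></head><body>
<img src="//cdn.trusted.example/logo.png">
<iframe src="https://ads.partner.example/slot?id=42"></iframe>
<script src="https://x7.payload.example/k.js"></script>
</body></html>"""
```

Run against the constructed page, the first-party objects are allowed, the ad frame is sent for scanning, and the injected script is blocked even though the page itself came from a host scoring 8.0.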
Cisco IronPort DVS Engine: Dynamic Vectoring and Streaming
Coverage across adware, spyware, Trojans, worms and viruses: Webroot and McAfee combined give ~35% additional coverage over either engine alone.
• Multiple integrated verdict engines: McAfee and Webroot
• Accelerated signature scanning: parallel scans, stream scanning
• Decrypt and scan SSL traffic selectively, based on category and reputation
• Automated updates

Cisco IronPort DVS Engine: Multi-Layered Malware Defense
• Deep content inspection
• High-performance scanning: parallel scans, stream scanning
• Multiple verdict engines (Webroot, McAfee, up to verdict engine "N"): integrated, on-box
• Policy management
Usage of Ports 80 and 443 has changed
• A lot of applications traversing port 80 are not "web browsing", and many are not business-related
• Nearly all companies have webmail users: what about malicious attached files?
• Instant messaging is found in all companies: how do you keep it open while ensuring your network is not at risk?
• Web-based file transfer is growing fast (MegaUpload, Rapidshare...)
• Peer-to-peer is still used heavily
Web Application Controls: Understanding Web Traffic
• Native control for HTTP, HTTPS and FTP applications
• Selective decryption of SSL traffic for security and policy
• Policy enforcement for applications tunneled over HTTP (FTP, IM, video) and for policy-based HTTP CONNECT traversal

HTTPS Scanning: Selective, Based on Trust
Between the users, the Cisco IronPort WSA and the web server on the Internet, HTTPS traffic is decrypted, inspected and re-encrypted selectively, based on trust (web reputation), URL category and source.
Cisco IronPort WSA: Complete Data Security
On-box common sense security
• Allow, block or log based on file metadata, URL category, user and web reputation (e.g. allow documents to a partner site, block them to webmail, log the event)
• Multi-protocol: HTTP(S), FTP, HTTP tunneled
Off-box advanced data security (a DLP vendor box returns a content verdict)
• Deep content inspection: structured and unstructured data matching
• Performance optimized: works in tandem with the accelerated on-box policies
Cisco IronPort Web Security Manager: Single View of Policies for the Entire Organization
Group by LDAP, Active Directory or network
• Marketing: block FTP; allow media files; allow all URL categories
• Sales: block executables; block gambling sites; block all malware
• IT: allow Skype; monitor all traffic; allow executables; allow all applications; allow all protocols
Delegated Administration: Flexibility to Support Organizational Requirements
• The global administrator defines roles and permissions
• A policy officer sets rules for the users they manage (e.g. IT: no media access; SALES: no FTP; LEGAL: no webmail)
• Assign administrators for groups of users, appliances, subnets or destinations
• Fine-grained, role-based access control

Comprehensive Reporting
In-depth threat visibility: web traffic overview; Layer 4 Traffic Monitor; anti-malware category and threat details; client malware risk and activity detail; website activity and detail
Extensive forensic capabilities: investigate acceptable use violations; drill down for further analysis; satisfy compliance requirements
Detailed off-box analysis: offload extensive data crunching; top N and trend reporting for malware; by client, source, malware name and category

Web Security Hosted Offerings
ScanSafe SaaS Web Security is now part of Cisco

The leading SaaS Web security solution
• Pioneer; leadership position: 34.5% market share (IDC)
• Awards: security product of the year 2008; award-winning
• 30 billion web requests monthly; 200 million threats blocked monthly; 100% availability
• Customers: millions of users, customers in 100+ countries
• Partners