Cisco Ironport Email & Web Security

Cisco IronPort Email & Web Security
Frédéric HER, CISSP
Systems Engineer, Africa
Cisco IronPort Solutions
Presentation_ID © 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Cisco IronPort: Unparalleled Market Leadership
IronPort funded in 2000, acquired by Cisco in 2007
• 20,000+ customers globally
• 400 million users protected
• 40% of Fortune 100 companies
• 8 of the 10 largest Service Providers
• 7 of the 10 largest Banks
• 99%+ customer renewal rates
• IronPort Positioned in the “Leaders” Quadrant in Magic Quadrant Report
• IronPort is positioned as a leading player in the messaging security appliance market
• Named IronPort the market share leader in the email security appliance market

The Cisco IronPort Story: Application-Specific Security Gateways
BLOCK Incoming Threats:
• Spam, Phishing/Fraud
• Viruses, Trojans, Worms
• Spyware, Adware
• Unauthorized Access
[Diagram: Internet; SensorBase (The Common Security Database); APPLICATION-SPECIFIC SECURITY GATEWAYS: EMAIL Security Gateway, WEB Security Gateway, MANAGEMENT Appliance]

Cisco IronPort Email Security
Cisco IronPort Email Security Appliance

Email Challenges
Standard Email does not natively offer what is expected
• Junk Mail
• Privacy & Control
• Viruses
• Regulations

Cisco IronPort Consolidates the Network Perimeter
For Security, Reliability and Lower Maintenance
• Before Cisco IronPort: Internet, Firewall, Encryption Platform, MTA, DLP Scanner, Anti-Spam, Anti-Virus, DLP Policy Manager, Policy Enforcement, Mail Routing, Groupware, Users
• After Cisco IronPort: Internet, Firewall, Cisco IronPort Email Security Appliance, Groupware, Users

Spam Trends
• Record spam volumes and criminal botnet activity
[Chart: Average Daily Spam Volume (billions) by Month, Jan-08 to Nov-09]

Spam Sophistication Increasing
• 2005: TEXT SPAM
• 2006: IMAGE SPAM
• 2007: ATTACHMENT SPAM (PDF, EXCEL, MP3)
• 2008: TARGETED ATTACKS
Image Spam example: “Your Equitable Bank account is closed, call us now at (802)354-4250”

Cisco IronPort SensorBase
• Statistics on more than 30% of the world’s e-mail traffic
• New threats & alerts detection
• More than 200 parameters to build reputation scores
E-Mail Reputation Filters (Reputation Score):
• Data Volume
• Message Structure
• Complaints
• Blacklists, whitelists
• Off-line data
Web Reputation Filters (Reputation Score):
• URL blacklists & whitelists
• HTML Content
• Domain Info
• Known “bad” URLs
• Website history…

Email Security Architecture
Cisco IronPort Email Security Appliance
• INBOUND SECURITY: Spam Defense, Virus Defense
• MAIL TRANSFER AGENT: CISCO IRONPORT ASYNCOS EMAIL PLATFORM
• OUTBOUND CONTROL: Data Loss Prevention, Secure Messaging
• Management

Cisco IronPort AsyncOS
Revolutionary Email Delivery Platform
• Traditional Email Gateways and Other Appliances: 200 Connections; Low Performance/Peak Delivery Issue; Disk I/O Bottlenecks; Unable To Leverage Full Capability CPU Components
• Cisco IronPort Email Security Appliances: 1K – 10K Connections; High Performance/Sure Delivery; Limited Solely By CPU Capacity

Advanced Controls for Security and Efficiency
And to protect against the risk of being blacklisted
Destination Controls:
1. Protect internal servers
2. Rules per destination domain
IronPort Virtual Gateways:
1. Protects the reputation of a domain
2. Relies on different IP addresses for sending messages
[Diagram: Internet; 163.24.127.3, 163.24.127.4, 163.24.127.5]
Email Authentication (DomainKeys, DKIM, SPF, SIDF)

Anti-Spam Defense in Depth
SensorBase Reputation Filtering, IronPort Anti-Spam, Verdict
• Spam Blocked Before Entering Network
• > 99% Catch Rate
• < 1 in 1 million False Positives

SensorBase Reputation Filtering
Real Time Threat Prevention
• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is blocked
[Diagram: Incoming Mail (Good, Bad, and Unknown Email); Reputation Filtering; IronPort Anti-Spam]
Cisco’s Internal Email Experience:
Message Category                   %        Messages
Stopped by Reputation Filtering    93.1%    700,876,217
Stopped as Invalid recipients      0.3%     2,280,104
Spam Detected                      2.5%     18,617,700
Virus Detected                     0.3%     2,144,793
Stopped by Content Filter          0.6%     4,878,312
Total Threat Messages:             96.8%    728,797,126
Clean Messages                     3.2%     24,102,874
Total Attempted Messages:                   752,900,000

Cisco IronPort Virus Outbreak Filters
The First Line of Defense
Early Protection with IronPort Virus Outbreak Filters

Multi-Layer Virus Defense
Zero Hour Malware Prevention and AV Scanning
Virus Outbreak Filters, Anti-Virus
• T = 0: zip (exe) files
• T = 5 mins: zip (exe) files; Size 50 to 55 KB
• T = 15 mins: zip (exe) files; Size 50 to 55 KB; “Price” in the filename
An analysis over one year:
• Average lead time: over 13 hours
• Outbreaks blocked: 291 outbreaks
• Total incremental protection: over 157 days

Risks for the Organization
Top Risk: Employees
Biggest Impact: Customer Data
[Chart: Top Data Loss Types; legible labels: Information marked Confidential, Personal client information, Personnel Information, Intellectual Property]

Data Loss Prevention
Comprehensive, Accurate, Easy
• Comprehensive: 100+ Pre-defined templates; Regulatory compliance
• Easy: One-click activation; Policy enable/disable
• Accurate: Multiple parameters; Key words, proximity, etc.

Email Encryption
Instant Deployment, Zero Management Cost
Cisco Registered Envelope Service
• Message pushed to recipient
• User opens secured message in browser
• Gateway encrypts message
• Key is stored
• User authenticates and receives message key
• Decrypted message is displayed
Automated key management
No desktop software requirements
No new hardware required

Cisco IronPort Email Security Manager
Single view of policies for the entire organization
Categories: by Domain, Username, or LDAP
IT:
• Allow all media files
• Quarantine executables
SALES:
• Mark and Deliver Spam
• Delete Executables
LEGAL:
• Archive all mail
• Virus Outbreak Filters disabled for .doc files
“IronPort Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” – PC Magazine

Comprehensive Insight
Unified Business Reporting
Consolidated Reports:
• Email Volumes
• Spam Counters
• Policy Violations
• Virus Reports
• Outgoing Email Data
• Reputation Service
• System Health View
Single view across the organization
Real Time insight into email traffic and security threats
Multiple data points
Actionable drill down reports

Visibility Into Email Messages
Message Tracking
What happened to the email I sent 2 hours ago?
✓ Track Individual Email Messages
Who else received similar emails?
✓ Forensics to Ensure Compliance

Email Security Hosted Offerings
Cisco IronPort Hosted Email Security

Choice Maximizes Flexibility
Full Continuum of Deployment Options
• Appliances: Award-Winning Technology
• Hosted: Dedicated SaaS Infrastructure
• Hybrid Hosted: Best of Both Worlds
• Managed: Fully Managed on Premises
Backed by Service Level Agreements

Cisco IronPort Web Security Overview
Cisco IronPort Web Security Appliance

Malware Threat Distribution
[Chart: Malware Infections over Time; Email Vector, Web Vector]
Malware infection vectors are shifting from email to Web

Malware Evades Legacy Defenses
• URL classification is reactive, has low coverage
• Signatures are reactive and CANNOT keep up
[Chart: Traffic Volume vs. # of Sites; Big Head: Predictable, easy to classify; Long Tail: Hundreds of millions of sites, Thousands of new sites per hour]

Exploited Websites
An Invisible Threat

Drive-By Scareware
- Full-screen pop-up simulates real AV software, asks you to buy full version to clean machine.
- Fakes scan of c:\ drive and pretends to find viruses even on Linux or Mac OS X!

The limits of legacy solutions
• Low Performance – not suitable for current usage of Web
• High Latency
• Low Security: often only URL filtering ….or only Antivirus and no efficient protection against Malware

Next Generation Secure Web Gateway
Before Cisco IronPort After Cisco IronPort Internet Internet Firewall Firewall Web Proxy & Caching Anti-Spyware Anti-Virus Cisco IronPort WSA Anti-Phishing
