IronPort Messaging Security
PROTECTING OVER 350 MILLION EMAIL BOXES WORLDWIDE
Mirko Schneider, IronPort, A CISCO Business Unit
Soft-Tronik Security Day
The Evolution of Reputation Filters to Self Defending Network 3.0
Who is IronPort?
• Founded in 2000 by email pioneers from Hotmail, ListBot and Yahoo
• Idea: build the fastest and strongest gateway appliance
• HQ in California, Silicon Valley
• Worldwide 500+ employees
• 75 in Europe (UK, Germany, Sweden, France, Spain, Italy)
• Revenue 2005: ~70m USD, 2006: ~125m USD
• With Soft-Tronik in CZ/SK since 2006
Hot News: IronPort now a part of Cisco
The Principles of Industry Leadership
• Analyst Leadership
– Gartner's Magic Quadrants 2006: Leader
– IDC July 2007: market share leader
– Radicati Market Quadrants 2007: Leader
• Customer Leadership
– 52 of the World's Largest 100 Companies
– 20+% of Global 2000
– 12 of the 15 largest ISPs
• Technology Leadership
– First with custom, high performance MTA
– First with Reputation Filtering
– First with Virus Outbreak Filters
IronPort® Gateway Security Products
Web Security | Email Security | Security Management | Encryption
Diagram: application-specific security gateways (Email Security Appliance, Web Security Appliance, Security Management Appliance, Encryption Appliance), all fed by IronPort SenderBase, sit between the Internet and the clients to:
• BLOCK incoming threats
• PROTECT corporate assets (Data Leakage Prevention, Encryption)
• CENTRALIZE administration
The Key: A Simple Idea
1. Identity → 2. Reputation (score) → 3. Policy
IronPort SenderBase® Network: Global Reach Yields Benchmark Accuracy
• 5B+ queries daily
• 150+ Email and Web parameters
• 25% of the World's Email Traffic
The Dominant Force in Global Email and Web Traffic Monitoring…
Chart: Spam Caught by Reputation – IronPort 80%, CipherTrust 50%, BorderWare 40% (Source: www.ciphertrust.com and www.borderware.com, August 6, 2006)
…Results in Accuracy and Advanced Protection
Chart: Network Reach (Contributing Networks) – IronPort 120,000, CipherTrust 4,000, BorderWare 8,000
Chart: Virus Protection Lead – IronPort 13 hours* ahead of McAfee, Trend, Symantec, Sophos, CA, F-Secure
* 6/2005 – 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.
IronPort SenderBase™ Reputation: 150 parameters for each IP (www.senderbase.org)
Data sources feeding the reputation score (diagram):
• Global Volume Data: over 100,000 organizations, email traffic, web traffic
• Message Composition Data: message size, attachment volume, attachment types, URLs, host names
• Spam Traps: SpamCop, ISPs, customer contributions
• IP Blacklists & Whitelists: SpamCop, SpamHaus (SBL), NJABL, Bonded Sender
• Compromised Host Lists: SORBS, OPM, DSBL
• Web Site Composition Data: downloaded files, linking URLs, threat heuristics
• Complaint Reports: spam, phishing, virus reports
• Domain Blacklists & Safelists: spamvertized URLs, phishing URLs, spyware sites
• Other Data: Fortune 1000, length of sending history, location, where the domain is hosted, how long it has been registered, how long the site has been up
Leading Edge Technology: Reputation Filtering Sets off Industry Scramble
Timeline 2003–2005:
• February 16, 2003: IronPort SenderBase™
• July 21, 2003: IronPort Reputation Filters™
• June 4, 2004: CipherTrust TrustedSource™
• June 28, 2004: Symantec Brightmail Reputation Service
• November 9, 2004: Proofpoint MLX Dynamic Reputation™
• May 23, 2005: Recurrent Pattern Detection™
• June 14, 2005: Trend Micro acquires Kelkea reputation product
The Leader in Email Security: IronPort C-Series
IronPort Email Security Appliances
• High Performance Email Security Appliances Stopping Spam, Viruses, and Enforcing Compliance
• Models: IronPort C100, IronPort C350/C650, IronPort X1050
Product Consolidation at the Network Perimeter: For Security, Reliability and Lower Maintenance
Diagram, before IronPort: Internet → Firewall → separate MTAs for Anti-Spam, Anti-Virus, Policy Enforcement and Mail Routing → Groupware → Users
Diagram, after IronPort: Internet → Firewall → IronPort Email Security Appliance → Groupware → Users
IronPort Architecture for Multi-Layered Email Security
Diagram: Management Tools over four layers (Spam Defense, Virus Defense, Policy Enforcement, Email Authentication), all running on the IronPort AsyncOS™ Email Platform.
IronPort AsyncOS™
Unmatched Scalability and Security
• AsyncOS scalable and secure OS optimized for messaging
• Advanced Email Controls protect reputation and downstream systems
• Standards-based Integration replaces legacy systems with ease
IronPort AsyncOS™
Revolutionary Email Platform
Traditional Email Gateways and Other Appliances:
• 200 incoming/outgoing connections: low performance, DoS potential
• Single queue for all destinations: a queue backup delays all mail
IronPort Email Security Appliance:
• 10,000 incoming/outgoing connections: high performance, sure delivery
• Per-destination queues: fault tolerance and custom control
Multi-layer Spam Defense: Best of Breed
• IronPort Reputation Filters – the outer layer defense
• IronPort Anti-Spam – stops the broadest array of threats: spam, phishing, fraud
Spam Grows And Changes
• 100+% growth in volume per year
• Growth in size: 2003: ~2KB per mail; 2007: ~30KB per email
• Growth in varieties: image spam, PDF, Excel, …
Spam Trends Through Mid-July, 2007
• Spam volumes ticking up
• New spam trends emerging
– PDF spam
– Shows that spammers continue to develop new techniques at a rapid pace
• Several open source blacklists under DDOS attacks in last 4 weeks
– SURBL, Spamhaus, URIBL all affected
– SenderBase not affected
Chart: Average Daily Spam Volume (BN, 0–90) and Image Spam % (0–40), monthly from Jan-06 to Jul-07.
New Spam Follows
PDF spam, Excel Spam, ...
MP3 Spam Outbreak, October 17th, 2007
Outbreak Description
• Spam sent as MP3 audio files
• Files named after popular songs / musicians to fool recipients
• Files randomized by changing audio speed and content
• Represented 1% of spam volumes on day of outbreak
IronPort Protection
• Stopped MP3 spam within minutes through combination of several technologies
• Reputation Filters: proactively blocked majority of MP3 spam by identifying bots sending spam
• IronPort Anti-Spam: issued rules based on file type, file content, message size and other information to catch remaining spam
(Slide also shows an MP3 spam example and a Volume & Catch Rate chart.)
Chart: Volume & Catch Rate – MP3 spam volume (thousands, 0–30) and IronPort catch rate (80%–100%) by time (GMT), from 21:00 through 22:00 the following day.
Future of Spam
Volume of Spam compared to worldwide e-mail traffic, 2007-2011
Year | Volume
2007 | 75%
2008 | 78%
2009 | 80%
2010 | 81%
2011 | 82%
Source: Radicati Group, April 2007
Multi-Layered Security: Preventive + Reactive = Defense in Depth
Preventive Layer (blocks ~80% of spam):
• Extremely High Performance
• Coarse Outer Layer
• Blocks or Rate Limits
• Adapts Over Time
Reactive Layer:
• Immediate Reaction to Threats
• Computationally Intensive
• Fine-grained Inner Layer
• Delete or Quarantine
IronPort SenderBase®: Data Makes the Difference
A Broad Data Set Drives Accuracy
• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data
Pipeline: SenderBase Data (150 parameters) → Data Analysis / Security Modeling → SenderBase Reputation Scores (-10 to +10) → Threat Prevention in Realtime
IronPort Reputation Filters Stop 80% of Hostile Mail at the Door….
• Known good is delivered
• Suspicious is rate limited & spam filtered
• Known bad is deleted/tagged
• Reputation Filters is a switch point
• IronPort uses identity & reputation to apply policy
• Sophisticated response to sophisticated threats
Diagram: incoming mail (good, bad, and "grey" or unknown email) passes Reputation Filtering (preventive) before the Anti-Spam Engine (reactive).
Reputation-Based Filtering: A Powerful Technique
• Beyond blacklisting – a granular view of behavior
• Scores calculated in real-time
• Pre-configured policies applied dynamically
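The switch-point idea above, as an added example that is not IronPort's code: a sender's reputation score on the -10 to +10 scale selects one of three SMTP-time actions, and the suspicious band is rate limited per sending IP before anything reaches the expensive content scanner. The thresholds, the window size and all function names are assumptions.

```python
import time
from collections import deque

# Assumed thresholds on the -10..+10 reputation score range described in the deck.
BLOCK_BELOW = -3.0      # below this: known bad, rejected at SMTP connection time
THROTTLE_BELOW = 3.0    # below this (and above BLOCK_BELOW): suspicious, rate limited + scanned
# Scores at or above THROTTLE_BELOW are treated as known good and skip content scanning.


class RateLimiter:
    """Sliding-window connection limiter per sending IP (assumed 20 connections / 60 s)."""

    def __init__(self, max_per_window=20, window_s=60):
        self.max = max_per_window
        self.window = window_s
        self.hits = {}  # ip -> deque of accepted-connection timestamps

    def allow(self, ip, now=None):
        now = time.time() if now is None else now
        q = self.hits.setdefault(ip, deque())
        while q and now - q[0] >= self.window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True


def decide(score, ip, limiter, now=None):
    """Policy for one inbound SMTP connection.

    Returns (action, scan): action is 'reject', 'defer' (temporary 4xx, the
    sender retries later) or 'accept'; scan is True when the message must
    still go through the reactive anti-spam engine."""
    if score is None:
        return ("accept", True)            # unknown ("grey") sender: accept but scan
    if score < BLOCK_BELOW:
        return ("reject", False)           # known bad: dropped before any content arrives
    if score < THROTTLE_BELOW:
        if not limiter.allow(ip, now):
            return ("defer", False)        # suspicious and over quota: slow it down
        return ("accept", True)            # suspicious and within quota: scan it
    return ("accept", False)               # known good: deliver without the expensive scan


def funnel(connections, limiter):
    """Count outcomes over a batch of (score, ip, timestamp) tuples, the way the
    Dell slide counts rejected / scanned / delivered mail."""
    counts = {"reject": 0, "defer": 0, "scanned": 0, "delivered": 0}
    for score, ip, ts in connections:
        action, scan = decide(score, ip, limiter, ts)
        if action == "accept":
            counts["scanned" if scan else "delivered"] += 1
        else:
            counts[action] += 1
    return counts
```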
IronPort Reputation Filters: Dell Case Study
• Dell's challenge:
– Dell currently receives 26M messages per day
– Only 1.5M are legitimate messages
– 68 existing gateways running SpamAssassin were not accurate
• IronPort solution:
– Reputation Filters block over 19M messages per day
– 5.5M messages per day scanned by anti-spam engine
– Replaced 68 servers with 8 IronPort C60s
• Accuracy of spam filtering increased 10x
• Servers consolidated by 70%
• Operating costs reduced by 75%
"IronPort has increased the quality and reliability of our network operations, while reducing our costs."
-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, DELL CORPORATION
Dell Results: One Appliance, 7 Days
96% of all Inbound Mail Rejected or Dropped
• 22 M Msgs Attempted
• 2.1 M Invalid Recipients
• 19 M Msgs Rejected
• 150,000 Remaining Spam and Virus Dropped
• 930,000 Legitimate Msgs
Results from live, production systems
IronPort Anti-Spam Broadens the Context with Web Reputation
• Content filtering techniques alone are inadequate
• Email reputation systems improved protection
• Combating new attacks demands Web reputation
Chart: effectiveness over time, with today's attacks requiring all four questions below.
• Where? Web Reputation: where does the call to action take you?
• Who? Email Reputation: who is sending you this message?
• How? Message Structure: how was this message constructed?
• What? Message Content: what content is included in this message?
Anatomy of URL Spam (annotated example)
• No attachment – payload delivered via web
• "Hashbuster" text, here taken from "The Hobbit"
• "Advertisement"
• Call to Action URL advertising a pharmaceutical web site
Web Reputation Data Makes the Difference
• URL Blacklists
• URL Whitelists
• URL Categorization Data
• HTML Content Data
• URL Behavior
• Global Volume Data
• Domain Registrar Information
• Dynamic IP Addresses
• Compromised Host Lists
• Web Crawler Data
• Network Owners
• Known Threats URLs
• Offline data (F500, G2000…)
• Web Site History
Pipeline: SenderBase Data (parameters) → Data Analysis / Security Modeling → Web Reputation Scores (WBRS), -10 to +10 → Threat Prevention in Realtime
IronPort Anti-Spam: Press Reviews
2007 Technology of the Year: Best Anti-Spam (Jan 2007)
Competitors tested: Symantec, Microsoft, Mirapoint, ProofPoint
"easy setup"
"excellent spam filtering"
"no tuning necessary"
"the fewest false positives of any solution tested"
Anti-Spam Bake-Off Winner (Dec 2006)
Competitors tested: CipherTrust, Borderware, Sophos, SonicWall
"The superiority of IronPort . . . seems abundantly clear"
"We did not have to rescue a single legitimate message"
"(IronPort) is the absolute must from this test"
Multi-layer Virus Defense: Best of Breed
• IronPort Virus Outbreak Filters stop outbreaks 13 hours ahead of signatures
• Sophos Anti-Virus: signature based solution with industry leading accuracy
Virus Outbreak Scenario
Example worms: MyDoom, Bagle, Netsky, Gaobot, Maddis, etc.
Example attachment names: nomoney.zip, message.scr, detail3.zip, webcam_image.zip, jokes.txt.scr, stuff.txt.pif, patch.exe
Virus is propagated with a worm. Since no virus signature is available, the virus quickly passes through mail gateways across the internet.
Anti-Virus: Traditional AV Solutions Aren't Responding Quickly Enough . . .
Charts: virus volume over time (GMT) for four outbreaks, each marked with the point at which the first AV signature became available: Mytob-HJ (4-19-06), Kukudro-A (6-27-06), Bagle-GT (4-21-06), FeebsDI-Q (6-07-06).
Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
IronPort SenderBase® Network: First, Biggest, Best Reputation System
• Over 100,000 contributing networks
• Over 20M IP addresses tracked globally
• View into over 25% of email traffic
• Over 150 parameters tracked
Global Email and Web Traffic Monitoring: what is going on RIGHT NOW?
Introducing Virus Outbreak Filters
Charts: virus volume over time (GMT) for the outbreaks Mytob-HJ, Kukudro-A, FeebsDI-Q and Bagle-GT, each marked with the point at which VOF protection starts and the point at which the first AV signature became available. Lead times: Mytob-HJ 32 hrs 57 mins; Kukudro-A 3 hrs 38 mins; FeebsDI-Q 21 hrs 59 mins; Bagle-GT 18 hrs 28 mins.
How Virus Outbreak Filters Work
1. SenderBase Network: SenderBase data collection allows statistical analysis to spot virus outbreak trends – on average 13 hours before the signature is released!
2. Calculate change in threat level: "I normally see 10 x (exe)zip files per hour" → "I see 90% increase in (exe)zip files" → "Watch out for (exe)zip files"
3. Virus Outbreak Filters apply SenderBase threat level information to incoming mail ("Got it").
How IronPort Virus Outbreak Filters Work: Dynamic Quarantine In Action
• T = 0: zip (exe) files
• T = 5 mins: zip (exe) files, size 50 to 55 KB
• T = 10 mins: zip (exe) files, size 50 to 55 KB, "Price" in the file name
• T = 8 hours: release messages if signature update is in place; messages scanned & deleted
Preventive protection (outbreak filters) hands over to reactive protection (signature anti-virus).
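The outbreak-filter flow and the dynamic quarantine steps above, as an added example that is not IronPort's code: a baseline-versus-observed attachment rate raises the threat level, the quarantine rule is tightened as detail arrives (type, then size, then file name), and held mail is released only once a signature exists. The message fields, the 50% alert threshold and the class names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Message:
    """Constructed minimal view of an inbound message (assumed fields)."""
    attachment_name: str
    attachment_type: str     # e.g. "zip(exe)": a zip archive carrying an executable
    size_kb: float


@dataclass
class OutbreakRule:
    """Quarantine rule that starts coarse and is narrowed over time."""
    attachment_type: str
    size_range_kb: Optional[Tuple[float, float]] = None   # inclusive (low, high)
    name_keyword: Optional[str] = None                     # case-insensitive substring

    def matches(self, m: Message) -> bool:
        if m.attachment_type != self.attachment_type:
            return False
        if self.size_range_kb is not None:
            lo, hi = self.size_range_kb
            if not lo <= m.size_kb <= hi:
                return False
        if self.name_keyword is not None and \
                self.name_keyword.lower() not in m.attachment_name.lower():
            return False
        return True


def threat_increase(baseline_per_hour: float, observed_per_hour: float) -> float:
    """Percent increase of the observed rate over the baseline (0 if it fell)."""
    if baseline_per_hour <= 0:
        return 0.0 if observed_per_hour <= 0 else float("inf")
    return max(0.0, (observed_per_hour - baseline_per_hour) * 100.0 / baseline_per_hour)


class DynamicQuarantine:
    """Raises a threat level from traffic statistics, holds matching mail and
    releases it to signature scanning once a signature exists."""
    ALERT_THRESHOLD_PCT = 50.0   # assumption: open a rule at +50% over baseline

    def __init__(self, baseline_per_hour: float):
        self.baseline = baseline_per_hour
        self.rule: Optional[OutbreakRule] = None
        self.held: List[Message] = []

    def observe(self, observed_per_hour: float, attachment_type: str) -> float:
        """T = 0: a spike for one attachment type opens a coarse rule."""
        inc = threat_increase(self.baseline, observed_per_hour)
        if inc >= self.ALERT_THRESHOLD_PCT and self.rule is None:
            self.rule = OutbreakRule(attachment_type)
        return inc

    def refine(self, **fields) -> None:
        """T = 5 / 10 min: narrow the open rule (size range, file-name keyword)."""
        if self.rule is None:
            return
        for name, value in fields.items():
            setattr(self.rule, name, value)

    def inspect(self, m: Message) -> str:
        if self.rule is not None and self.rule.matches(m):
            self.held.append(m)
            return "quarantine"
        return "deliver"

    def release(self, signature_available: bool) -> int:
        """T = 8 h: hand held messages to the signature scanner; returns how many."""
        if not signature_available:
            return 0
        n = len(self.held)
        self.held.clear()
        self.rule = None
        return n
```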
Virus Outbreak Filters Advantage
• Average lead time*: over 13 hours
• Major outbreaks blocked*: 175 outbreaks
• Total incremental protection*: over 94 days
* June 2005 – July 2006. Calculated as publicly published signatures from the following vendors: Sophos, McAfee, Trend Micro, Computer Associates, F-Secure and Symantec. If signature time is not available, first publicly published alert time is used.
Virus Name | Date | Virus Description | Lead Time (hh:mm)
Troj/Dloadr-BCK | 7/24/07 | Installs spyware on infected PCs. | 10:06
Troj/Yar-A | 5/24/07 | Widely-spammed out email teaser promising a trailer of the film "Pirates of the Caribbean 3". Downloads spyware onto infected computers. | 3:20
Trojan.Dropper | 5/10/07 | Trojan that attempts to download malicious code. | 10:40
W32.Virut!dr | 4/12/07 | Spammed email that asks recipients to open spyware attachments entitled "document.txt.exe" and "video.zip". | 31:12
Troj/DwnLdr-GFN | 3/4/07 | Installs backdoor and communicates via HTTP, thus bypassing firewall filters. | 17:31
W32/WowPWS-AU | 3/3/07 | Mass mailing worm that sends emails with the subject: "Chinese test missile obliterates satellite!". Asks users to open spyware infected file. | 6:51
Troj_Agent.JAW | 1/14/07 | Spammed email message that contains PDF attachment. Once attachment is opened, backdoor is installed for remote hackers to access the PC. | 20:08
IronPort Policy Enforcement: Inbound/Outbound Content Filtering for Compliance
• Flexible Policy Engine from Blocking Attachments to Enforcing Regulatory Compliance
• Compliance Solutions and Encryption keep communications private and secure
Powered By IronPort PXE Encryption: Easiest to Use, Easiest to Deploy
1. Gateway encrypts message; the message key is stored with IronPort Hosted Keys
2. Message pushed to recipient
3. User opens IronPort PXE in browser
4. User authenticates (password) & gets message key
5. Decrypted message displayed
Email Authentication: Superior Security and Identity Protection
• DomainKey Signing – establishes and protects your identity on the Internet
• IronPort Bounce Verification – protects from misdirected bounce attacks
• Directory Harvest Attack Prevention – blocks attempts to steal email directory information
The Misdirected Bounce Threat Makes Up 9% of all Internet Email*
*Source: IronPort Threat Operations Center, INTERNET EMAIL TRAFFIC EMERGENCY: SPAM "BOUNCE" MESSAGES ARE COMPROMISING NETWORKS, April 2006.
• Misdirected bounces not discernible from legitimate bounces
• End user confusion: "Why did I receive this message?"
Diagram: "zombies" send spam to recipients elsewhere using forged sender addresses at yourcompany.com; the receiving systems "return to sender", so millions of misdirected bounces arrive at the yourcompany.com incoming gateway alongside legitimate bounces for mail that actually left the outgoing gateway.
More than 55% of F500s have experienced disruption of service or a total denial of service due to misdirected bounces.
IronPort Bounce Verification™ Protects Against Misdirected Bounce Attacks
• All Outgoing Mail Stamped Allowing Legitimate Bounces to be Identified on Return
• Transparent to End Users, No Industry Adoption Required
• Eliminates Help Desk Calls and End User Confusion
• Another IronPort Technical "First"
Diagram: mail leaves the gateway stamped (BV+) and returning bounces from the Internet are checked for the stamp (BV).
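The stamping described above, as an added example that is not IronPort's implementation: the outgoing gateway rewrites the envelope sender with a keyed tag in the style of BATV "prvs" addresses, and a bounce (empty envelope sender) is accepted only if its recipient carries a valid, unexpired tag that this gateway produced. The key, the tag format and the day counter are assumptions.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real deployment keeps this secret and rotates it (key_id).
SECRET = b"constructed-demo-key-not-for-production"
TTL_DAYS = 7          # assumption: a stamp is honoured for a week
# Tag layout (BATV-style): prvs=<key_id 1 digit><expiry 3 digits><mac 6 hex>=<original address>
TAG_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _mac(local, domain, key_id, expiry):
    """Truncated HMAC over key id, expiry day and the original address."""
    data = f"{key_id}{expiry:03d}{local}@{domain}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:6]


def stamp(address, today, key_id=0):
    """Outgoing gateway: rewrite the envelope sender user@domain to a tagged form.
    'today' is a day counter (e.g. day of year); the expiry wraps at 1000."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + TTL_DAYS) % 1000
    return f"prvs={key_id}{expiry:03d}{_mac(local, domain, key_id, expiry)}={local}@{domain}"


def verify_bounce(envelope_from, rcpt_to, today):
    """Incoming gateway: accept a bounce (empty envelope sender) only when the
    recipient carries a valid, unexpired tag that this gateway produced.
    Returns (accept, original_recipient)."""
    if envelope_from != "":
        return (True, rcpt_to)          # not a bounce: normal policy applies
    m = TAG_RE.match(rcpt_to)
    if not m:
        return (False, None)            # no stamp: we never sent it, misdirected bounce
    key_id, expiry, mac, original = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    local, domain = original.rsplit("@", 1)
    if not hmac.compare_digest(mac.lower(), _mac(local, domain, key_id, expiry)):
        return (False, None)            # forged tag or wrong key: drop
    if (expiry - today) % 1000 > TTL_DAYS:
        return (False, None)            # expired stamp (an old address being replayed)
    return (True, f"{local}@{domain}")
```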
The Challenger in Web Security: IronPort S-Series
IronPort S-Series S350/S650
Web Traffic: Clear & Present Risks
• Over 75% of all Enterprises are infected with Spyware & Malware
• 35-40% of Web usage is non-business related (IDC Research)
• Malware threats & AUP violations result in compliance & legal exposure
Diagram: The Circle of Risk around Web Traffic
Current Systems Not Designed for Today's Problems
• Low accuracy
• High latency / throughput
• Limited visibility to security threats
"Not the right tool for the job."
Web Traffic: The Long Tail Gets Longer
Chart: traffic volume vs. number of sites. Big Head: predictable traffic, well known domains. Long Tail: growing fast, harbors suspect content & malware.
"Big Head + Long Tail"
• ~110 Million sites
• ~10-12 Billion Web Pages
• Growing at 35-40% annually
IronPort S-Series: Addressing the Entire Spectrum of Web Traffic
Chart (traffic volume vs. number of sites):
• Big Head – Solution: URL Filtering
• Long Tail – Solution: Web Reputation Filters + Signature-based Anti-Malware Defense
– Protects against known & unknown sites
– Best of breed signature scanning
IronPort Web Security Appliance: IronPort S-Series
• Control & secure Web traffic
• Comprehensive management & visibility
• Industry-leading accuracy against Web-based threats
• Carrier-class performance
IronPort Web Security Appliance: Next Generation Web Security Platform
AsyncOS for Web™: Next Generation Architecture
Comparison of Legacy Platforms vs. AsyncOS for Web™ on: Application Layer Proxying, Network Layer Monitoring, Integrated Scanning Engine, AsyncOS™ Unmatched Scalability.
Diagram: Management Tools over Web Reputation Filters, URL Filters, Anti-Malware System and L4 Traffic Monitor, all on the IronPort AsyncOS Web Security Platform.
Industry-leading Performance: Optimized for Throughput & Latency
• Simultaneous TCP Connections: 100,000 duplex – handles significant traffic spikes
• HTTP Transactions/Hour: 10M (unburdened), 5M-7M (burdened) – serves up to 10-25K users (depending on traffic load)
• Average Latency: 5 to 15 milliseconds – no impact to end-user browsing experience
IronPort Web Security Appliance
L4 Traffic Monitor: Integrated Network Monitoring
Integrated L4 Traffic Monitor: Wire Speed Network Layer Scanning for Malware
• Scans all 65,535 ports at wire speed (~1 Gbps)
• Detects rogue phone home activity
• Catches malware that attempts to bypass Port 80
Diagram: Users ↔ AsyncOS for Web ↔ Internet, with the L4 Traffic Monitor performing network layer analysis on TCP headers & packets.
IronPort URL Filters: Leading Accuracy and Control
• Biggest, broadest and best database
– 52 categories, over 21M sites, ~3.5B web pages
– 1/3rd of the database is international
• 24 x 7 monitoring
• Regular, automated updates
Pre-defined & Custom Categories (categories shown on the slide):
Advertisements & PopUps, Arts, Blogs & Forums, Business, Chat, Computing & Internet, Downloads, Education, Entertainment, Fashion & Beauty, Finance & Investment, Food & Dining, Games, Government, Health & Medicine, Hobbies & Recreation, Hosting Sites, Infrastructure, Intimate Apparel & Swimwear, Job Search & Career Development, Kids Sites, Motor Vehicles, News, Peer-to-Peer, Personals & Dating, Philanthropic & Professional Orgs., Photo Searches, Politics, Proxies & Translators, Real Estate, Reference
IronPort Web Reputation Filters: The Outer Layer of Defense
IronPort SenderBase Network: Largest Email & Web Traffic Monitoring Network
• Largest: over 25% of traffic from 120,000+ sources
• Broadest: 150 cross-protocol parameters
• Best: Two year "head start" vs. alternative systems
Dynamic Application of Policies
• IronPort Web Reputation Filters is a powerful first layer of defense
• IronPort Anti-Malware System provides a sophisticated second layer of defense
Diagram: requested URLs pass through the IronPort Web Reputation Filters first: known good sites aren't scanned, known bad sites are blocked, and unknown sites are scanned by the IronPort Anti-Malware System.
IronPort Anti-Malware System: Rapid Scanning with IronPort DVS™ Engine
IronPort DVS™ Engine: Fast, Multi-Signature Scanning
• Rapid object parsing & vectoring
• Stream scanning
• Dynamic early exit
• Reputation-based verdict caching
Preserves User Browsing Experience
Diagram: the IronPort DVS™ Engine passes objects through a streaming scanner to multiple signature types (Signature Type 1, Signature Type 2), with reputation-based verdict caching in front.
Stream Scanning: processes objects in parallel to minimize latency
Where will it lead us?
The present and the future
• IDC: market share leader SCM appliances
• Gartner: "This acquisition (by Cisco) makes SenderBase the de facto reputation standard"
• Radicati: "leading provider of email security appliances", "strong solution for customers looking for 'self-defending networks'"
Self Defending Network 3.0
• Wide Traffic Inspection
• Firewalls, routers, email appliances, web appliances, end point security agents
• Sharing data across multiple protocols, across multiple network egress points, and across multiple networks worldwide
IronPort Evaluation Policy
• Free evaluation for 30 days
– starts with activation of keys on unit
– can be extended on request
• Any size and any way
– you get the right unit for your individual needs
– different ways of testing (live / stealth, parallel, offline)
– full support, full functionality
• About 85% of users who evaluate become happy customers!
Get In Contact
Mirko Schneider IronPort Systems
Territory Manager Munich / Germany
Eastern Europe & Russia
Tel: +49 - 89 - 45 22 27 32
Fax: +49 - 89 - 45 22 27 10
Mobile: +49 - 172 - 83 96 04 7
Web: www.ironport.com
Email: [email protected]