Cisco IronPort Email & Web Security

Transcription

Slide 1: Cisco IronPort Email & Web Security
Frédéric HER, CISSP
Systems Engineer, Africa, Cisco IronPort Solutions
fher@cisco.com
Presentation ID. 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential.

Slide 2: Cisco IronPort: Unparalleled Market Leadership
- IronPort founded in 2000, acquired by Cisco in 2007
- IronPort positioned in the “Leaders” quadrant in the Magic Quadrant report
- IronPort is positioned as a leading player in the messaging security appliance market
- Named IronPort the market share leader in the email security appliance market
- 20,000 customers globally
- 400 million users protected
- 40% of Fortune 100 companies
- 8 of the 10 largest service providers
- 7 of the 10 largest banks
- 99% customer renewal rates

Slide 3: The Cisco IronPort Story: Application-Specific Security Gateways
BLOCK incoming threats:
- Spam, phishing/fraud
- Viruses, trojans, worms
- Spyware, adware
- Unauthorized access
Diagram: Internet -> SensorBase (the common security database) -> application-specific security gateways: Email Security Gateway and Web Security Gateway, plus a Management appliance.

Slide 4: Cisco IronPort Email Security
Cisco IronPort Email Security Appliance

Slide 5: Email Challenges
Standard email does not natively offer what is expected:
- Junk mail
- Privacy & control
- Viruses
- Regulations

Slide 6: Cisco IronPort Consolidates the Network Perimeter
For security, reliability and lower maintenance.
Before Cisco IronPort: Internet -> Firewall -> separate Encryption Platform, MTA, DLP Scanner, Anti-Spam, Anti-Virus and DLP Policy Manager boxes -> Groupware -> Users.
After Cisco IronPort: Internet -> Firewall -> Cisco IronPort Email Security Appliance (policy enforcement, mail routing) -> Groupware -> Users.

Slide 7: Spam Trends
Record spam volumes and criminal botnet activity.
[Chart: daily spam volume in billions, y-axis 100 to 300, plotted monthly through 2009 up to Nov 09]

Slide 8: Spam Sophistication Increasing
Timeline: 2005 text spam; 2006 image spam; 2007 attachment spam (PDF, Excel, MP3); 2008 targeted attacks.
Image spam example shown on the slide: “Your Equitable Bank account is closed, call us now at (802)354-4250”.

Slide 9: Cisco IronPort SensorBase
- Statistics on more than 30% of the world’s e-mail traffic
- New threats & alerts detection
- More than 200 parameters to build reputation scores
E-Mail Reputation Filters (reputation score) draw on: data volume, message structure, complaints, blacklists and whitelists, off-line data, URL blacklists & whitelists, HTML content, domain info.
Web Reputation Filters (reputation score) draw on: known “bad” URLs, website history.

Slide 10: Email Security Architecture
Cisco IronPort Email Security Appliance
[Diagram: security layers stacked on the Cisco IronPort AsyncOS email platform; the layer labels are illegible in the transcription]

Slide 11: Cisco IronPort AsyncOS: Revolutionary Email Delivery Platform
Traditional email gateways and other appliances:
- 200 connections
- Disk I/O bottlenecks
- Low performance / peak delivery issue
- Unable to leverage full capability of components (CPU)
Cisco IronPort Email Security Appliances:
- 1K – 10K connections
- High performance / sure delivery
- Limited solely by CPU capacity

Slide 12: Advanced Controls for Security and Efficiency
And to protect against the risk of being blacklisted.
Destination Controls:
1. Protect internal servers
2. Rules per destination domain
IronPort Virtual (diagram shows the sending addresses 63.24.127.4 and 63.24.127.5):
1. Protects the reputation of a domain
2. Relies on different IP addresses for sending messages
Email Authentication (DomainKeys, DKIM, SPF, SIDF)
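The slide lists SPF among the authentication checks an inbound gateway applies. The following is an added example, not code from the deck or from the IronPort product: a small SPF evaluator (a subset of RFC 7208: ip4/ip6, include and all with the four qualifiers) run over a constructed in-memory DNS table instead of live TXT lookups. The domains, addresses, threshold policy in gateway_action and the DNS_TXT table are all assumptions made for the example.

```python
"""Minimal SPF evaluator (RFC 7208 subset) over a constructed DNS table."""
import ipaddress

# Constructed TXT records standing in for DNS; a gateway would query DNS here.
DNS_TXT = {
    "example.com": "v=spf1 ip4:63.24.127.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, dns=DNS_TXT, depth=0):
    """Return the SPF result for client_ip claiming to send as domain."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # A v6 address is never inside a v4 network (and vice versa).
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only when the referenced record yields "pass"
            if check_spf(arg, client_ip, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # a, mx, exists and macros are left out of this example
    return "neutral"  # no mechanism matched and no explicit "all"


def gateway_action(result):
    """Map an SPF result to an inbound action; this policy is an assumption."""
    return {"fail": "reject", "softfail": "mark-and-deliver"}.get(result, "deliver")


if __name__ == "__main__":
    for ip in ("63.24.127.4", "198.51.100.7", "203.0.113.9"):
        r = check_spf("example.com", ip)
        print(ip, r, gateway_action(r))
```

Only a "fail" (the -all case) is turned into a reject here; softfail is marked and delivered, which mirrors the conservative default most gateways ship with, since a hard reject on a misconfigured sender record causes the false positives the slide deck is careful to keep low.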


Slide 14: Anti-Spam Defense in Depth
Incoming mail -> SensorBase Reputation Filtering -> IronPort Anti-Spam -> verdict.
- Spam blocked before entering the network
- 99% catch rate
- 1 in 1 million false positives

Slide 15: SensorBase Reputation Filtering: Real-Time Threat Prevention
Incoming mail (good, bad and unknown) passes through Reputation Filtering:
- Known good is delivered
- Suspicious is rate limited & spam filtered by IronPort Anti-Spam
- Known bad is blocked
Cisco’s internal email experience:
Message Category | % | Messages
Stopped by Reputation Filtering | 93.1% | 700,876,217
Stopped as Invalid Recipients | 0.3% | 2,280,104
Spam Detected | 2.5% | 18,617,700
Virus Detected | 0.3% | 2,144,793
Stopped by Content (label truncated) | (not legible) | (not legible)
Total Threat Messages | (not legible) | (not legible)
Clean Messages | (not legible) | (not legible)
Total Attempted Messages | | 752,900,000
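Slides 14 and 15 describe the same defence in depth: a reputation verdict on the connecting IP decides whether a message is delivered outright, blocked outright, or (for suspicious senders) rate limited and passed to the content scanner. The code below is an added example, not IronPort's implementation: the reputation scores, thresholds, per-sender limit, the keyword stand-in for the anti-spam engine and the sample connections are all constructed for illustration. It ends by producing the kind of per-category summary shown in the slide's table.

```python
"""Reputation-tiered inbound mail policy with per-sender rate limiting.

All scores, thresholds and sample connections are constructed for this example.
"""
from collections import Counter, defaultdict

# Constructed reputation table, -10 (known bad) .. +10 (known good).
REPUTATION = {
    "203.0.113.5": 8.5,
    "198.51.100.9": -2.0,
    "192.0.2.77": -9.0,
}
GOOD_THRESHOLD, BAD_THRESHOLD = 3.0, -7.0
SUSPICIOUS_LIMIT = 2  # messages accepted per suspicious sender per window


def tier(score):
    """Classify a sender score into the three reputation tiers."""
    if score >= GOOD_THRESHOLD:
        return "known good"
    if score <= BAD_THRESHOLD:
        return "known bad"
    return "suspicious"


def looks_like_spam(subject):
    """Stand-in for the content-scanning stage (keyword check only)."""
    lowered = subject.lower()
    return "viagra" in lowered or "$$$" in lowered


def process(connections):
    """Return (per-message verdicts, Counter of verdicts) for (ip, subject) pairs."""
    accepted = defaultdict(int)
    verdicts, summary = [], Counter()
    for ip, subject in connections:
        # Senders absent from the table score 0.0 and fall into "suspicious".
        t = tier(REPUTATION.get(ip, 0.0))
        if t == "known bad":
            verdict = "blocked by reputation"
        elif t == "known good":
            verdict = "delivered"
        else:
            accepted[ip] += 1
            if accepted[ip] > SUSPICIOUS_LIMIT:
                verdict = "rate limited (deferred)"
            elif looks_like_spam(subject):
                verdict = "spam quarantined"
            else:
                verdict = "delivered"
        verdicts.append((ip, verdict))
        summary[verdict] += 1
    return verdicts, summary


def summary_table(summary):
    """Rows of (category, count, percent of total), largest first."""
    total = sum(summary.values())
    return [(k, v, round(100.0 * v / total, 1)) for k, v in summary.most_common()]


SAMPLE_CONNECTIONS = [  # constructed
    ("203.0.113.5", "Q3 report"),
    ("192.0.2.77", "cheap viagra"),
    ("198.51.100.9", "hello"),
    ("198.51.100.9", "buy VIAGRA now"),
    ("198.51.100.9", "hello again"),
    ("198.51.100.9", "and again"),
]

if __name__ == "__main__":
    verdicts, summary = process(SAMPLE_CONNECTIONS)
    for row in summary_table(summary):
        print("%-26s %3d  %5.1f%%" % row)
```

Two design points are visible in the sample run: the known-bad sender never reaches the content scanner at all (the cheap part of the pipeline does the bulk of the work, which is why the slide's table shows over 90% stopped by reputation), and a suspicious sender is deferred rather than rejected once it exceeds its limit, so a legitimate but unknown relay can retry later.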


Slide 17: Cisco IronPort Virus Outbreak Filters: The First Line of Defense
Early protection with IronPort Virus Outbreak Filters.

Slide 18: Multi-Layer Virus Defense: Zero-Hour Malware Prevention and AV Scanning
Virus Outbreak Filters rules tighten as an outbreak unfolds, ahead of anti-virus signatures:
- T = 0: zip (exe) files
- T = 5 mins: zip (exe) files, size 50 to 55 KB
- T = 15 mins: zip (exe) files, size 50 to 55 KB, “Price” in the filename
- Anti-Virus: signature-based scanning, later on the timeline
An analysis over one year:
- Average lead time: over 13 hours
- Outbreaks blocked: 291 outbreaks
- Total incremental protection: over 157 days


Slide 20: Risks for the Organization
Top risk: employees. Biggest impact: customer data.
[Pie chart: top data loss types. Labels: information marked confidential, personal client information (44%), personnel information, intellectual property; the other slice values shown are 21%, 12%, 10%, 8%, 7%, 5%, 4%, 4% and 4%]

Slide 21: Data Loss Prevention: Comprehensive, Accurate, Easy
- Comprehensive: 100 pre-defined templates; regulatory compliance
- Easy: one-click activation; policy enable/disable
- Accurate: multiple parameters; key words, proximity, etc.

Slide 22: Email Encryption: Instant Deployment, Zero Management Cost
Cisco Registered Envelope Service flow:
- Gateway encrypts message
- Key is stored (Cisco Registered Envelope Service)
- Message pushed to recipient
- User opens secured message in browser
- User authenticates and receives message key
- Decrypted message is displayed
Benefits:
- Automated key management
- No desktop software requirements
- No new hardware required


Slide 24: Cisco IronPort Email Security Manager: Single View of Policies for the Entire Organization
Categories: by domain, username, or LDAP.
- IT: allow all media files; quarantine executables
- SALES: mark and deliver spam; delete executables
- LEGAL: archive all mail; Virus Outbreak Filters disabled for .doc files
“IronPort Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” – PC Magazine

Slide 25: Comprehensive Insight: Unified Business Reporting
Consolidated reports:
- Real-time insight into email traffic and security threats
- Actionable drill-down reports
Multiple data points, single view across the organization: email volumes, spam counters, policy violations, virus reports, outgoing email data, reputation service, system health view.

Slide 26: Visibility Into Email Messages: Message Tracking
- “What happened to the email I sent 2 hours ago?” -> Track individual email messages
- “Who else received similar emails?” -> Forensics to ensure compliance

Slide 27: Email Security Hosted Offerings
Cisco IronPort Hosted Email Security

Slide 28: Choice Maximizes Flexibility: Full Continuum of Deployment Options
- Appliances: fully managed on premises
- Hybrid: best of both worlds
- Hosted: hosted infrastructure, backed by service level agreements

Slide 29: Cisco IronPort Web Security Overview
Cisco IronPort Web Security Appliance

Slide 30: Malware Threat Distribution
[Chart: malware infections over time, email vector vs. web vector]
Malware infection vectors are shifting from email to the Web.

Slide 31: Malware Evades Legacy Defenses
[Chart: traffic volume vs. number of sites, split into a “Big Head” and a “Long Tail”]
- Big Head: predictable, easy to classify
- Long Tail: hundreds of millions of sites, thousands of new sites per hour
- URL classification is reactive, has low coverage
- Signatures are reactive and CANNOT keep up

Slide 32: Exploited Websites: An Invisible Threat

Slide 33: Drive-By Scareware
- Full-screen pop-up simulates real AV software, asks you to buy the full version to clean the machine.
- Fakes a scan of the C:\ drive and pretends to find viruses, even on Linux or Mac OS X!

Slide 34: The Limits of Legacy Solutions
- Low performance: not suitable for current usage of the Web
- High latency
- Low security: often only URL filtering, or only antivirus, and no efficient protection against malware

Slide 35: Next Generation Secure Web Gateway
Before Cisco IronPort: Internet -> Firewall -> separate Web Proxy & Caching, Anti-Spyware, Anti-Virus, Anti-Phishing, URL Filtering and Policy Management boxes -> Users.
After Cisco IronPort: Internet -> Firewall -> Cisco IronPort WSA -> Users.
All web security components in a single integrated platform.

Slide 36: Web Security Architecture
Cisco IronPort Web Security Appliance, built on the Cisco IronPort AsyncOS web platform:
- Proxy cache
- URL Filters
- Web Reputation Filters
- L4 Traffic Monitor
- Anti-Malware System
- Management

Slide 37: High-Performance Web Proxy: Connection Management & Optimized Storage
- Maintain pool of persistent TCP connections (client and server side)
- Handle extremely high traffic volumes
- Co-related object storage and high-performance caching
- Significantly improved response times
Facts & figures:
- 100,000 simultaneous duplex TCP connections to easily handle traffic spikes
- Average latency introduced to end user: 5-15 milliseconds


Slide 39: Detecting Existing Client Infections: Cisco IronPort Layer 4 Traffic Monitor
Diagram: Users -> Cisco IronPort S-Series -> Internet, with packet and header inspection and network layer analysis.
- Scans all traffic, all ports, all protocols
- Detects malware bypassing port 80
- Prevents botnet traffic
- Powerful anti-malware data
- Automatically updated rules
- Real-time rule generation using “Dynamic Discovery”
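The point of a Layer 4 monitor, as the slide puts it, is that an already-infected client calling home on an arbitrary port never passes through the web proxy, so the check has to be on destination address across all ports and protocols. The following is an added example, not the IronPort monitor's code: it runs that check over constructed flow records against a constructed blocklist, and separates contacts the proxy would have seen anyway (TCP 80/443) from those that bypass it, which is the signal an analyst would act on first. The flow line format, blocklist ranges and addresses are all assumptions for the example.

```python
"""Layer-4 style flow monitor: flag contacts with known-malicious hosts on any
port or protocol. Blocklist, log format and flow records are constructed."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Constructed blocklist of malware/botnet controller address ranges.
MALWARE_HOSTS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.66/32")]
PROXIED_PORTS = {80, 443}  # TCP traffic the web proxy already inspects


def parse_flow_line(line):
    """Parse the constructed one-flow-per-line format: 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())


def classify(flow):
    """Return an alert string if the destination is a known-malicious host, else None."""
    dst = ipaddress.ip_address(flow.dst)
    if not any(dst in net for net in MALWARE_HOSTS):
        return None
    if flow.proto == "tcp" and flow.dport in PROXIED_PORTS:
        return "malware host contact via proxied port"
    # Anything else (odd TCP ports, UDP, ...) slipped past the web proxy entirely.
    return "malware host contact bypassing proxy"


def scan(flows):
    """Return (alerts, sorted list of internal hosts that should be investigated)."""
    alerts = []
    for f in flows:
        verdict = classify(f)
        if verdict:
            alerts.append((f.src, f.dst, f.dport, f.proto, verdict))
    infected = sorted({a[0] for a in alerts})
    return alerts, infected


SAMPLE_LOG = """\
10.0.0.12 93.184.216.34 443 tcp
10.0.0.12 198.51.100.23 6667 tcp
10.0.0.40 203.0.113.66 80 tcp
10.0.0.51 203.0.113.66 53 udp
"""  # constructed flow records


def scan_log(text):
    """Convenience wrapper: parse a log text and scan it."""
    return scan(parse_flow_line(l) for l in text.splitlines() if l.strip())


if __name__ == "__main__":
    alerts, infected = scan_log(SAMPLE_LOG)
    for a in alerts:
        print("%s -> %s:%d/%s  %s" % a)
    print("hosts to investigate:", infected)
```

The first sample flow (HTTPS to an unlisted host) produces nothing; the IRC-style port 6667 contact and the UDP/53 contact are the ones a proxy-only design would never have seen, which is exactly the gap the slide's "detects malware bypassing port 80" bullet refers to.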


Slide 41: Web: Huge, Growing and Transient
[Chart: number of webpages over time: 1998, 28 million; 2000, 1 billion; 2008, 1 trillion]
- Static Web: traditional content publishers (legacy URL filtering focus)
- Dynamic Web: user-generated & Web 2.0 content
- 2005: Web 2.0 tipping point
Source: multiple, including Cisco SIO, Google, Wikipedia

Slide 42: The Dark Web Challenge: Legacy URL Filtering Effectiveness is Decreasing
Example URL lookup in database: www.sportsbook.com/ -> URL database -> Gambling (database categories shown: GAMBLING, OBSCENE, PORN, ADULT, or Uncategorized).
- Legacy URL filtering primarily focuses on crawling and manual review/classification
- Databases add thousands of new URLs per day while the web adds a billion
- 95% of the web will be uncategorized by 2015

Slide 43: Cisco IronPort Web Usage Controls: Dynamic Categorization for the Dark Web
URL lookup in database (www.sportsbook.com/ -> Gambling): industry-leading URL database efficacy.
If the URL is uncategorized: URL keyword analysis, then analysis of the site content -> Gambling.
- 65 categories
- Updated every 5 minutes
- Powered by Cisco Content Analysis Engine
- Dynamic categorization identifies 90% of Dark Web content in commonly blocked categories

Slide 44: Cisco Security Intelligence Operations (SIO): Unmatched Visibility Drives Unparalleled Efficacy
Diagram:
- Cisco IronPort Web Security Appliances on customer premises send uncategorized URLs to Cisco SIO; customer administrators send URL categorization requests
- Cisco SIO analysis and processing: master URL database, external feeds, crawler targeting, crowd sourcing, manual categorization, web crawlers, and traffic data from Cisco IronPort Email Security Appliances, Cisco IPS and Cisco ASA sensors
- Updates published to the appliances every 5 minutes


Slide 46: Protection For a Dynamic Web 2.0 World: Visibility Beyond the Initial Threat
Web Reputation Filters scan each object, not just the initial request (diagram: client PC, trusted web site, and the third-party servers its objects come from).
- Web pages are made up of objects coming from different sources
- Objects can be images, executables, JavaScript
- Web servers not affiliated with the trusted web site (e.g. ad servers)
- Compromised websites often grab malicious objects from external sources
- Security means looking at each object individually, not just the initial request
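As an added example of the per-object idea on this slide (not IronPort's filter code): parse the HTML the trusted site returns, resolve every sub-resource the browser would fetch (img, script, iframe, embed, link), and score each one's host separately, so a clean initial request can still end with a blocked ad-server iframe. The host reputation table, the block threshold, the page URL and the sample HTML are constructed for the example; a real deployment would consult a reputation service rather than a dict.

```python
"""Per-object web reputation check over a constructed page and score table."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed host reputation scores: -10 (bad) .. +10 (good).
REPUTATION = {
    "www.trusted.example": 7.0,
    "cdn.trusted.example": 6.5,
    "ads.shady.example": -8.0,
}
BLOCK_BELOW = -6.0  # assumed policy threshold


class ObjectCollector(HTMLParser):
    """Collect absolute URLs of the sub-resources a browser would fetch."""

    OBJECT_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                    "embed": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.objects = []

    def handle_starttag(self, tag, attrs):
        attr = self.OBJECT_ATTRS.get(tag)
        if not attr:
            return
        for name, value in attrs:
            if name == attr and value:
                # urljoin resolves relative and scheme-relative (//host/...) refs
                self.objects.append(urljoin(self.base_url, value))


def host_score(url):
    """Reputation of a URL's host; unknown hosts are treated as neutral (0.0)."""
    return REPUTATION.get(urlsplit(url).hostname, 0.0)


def decision(url):
    return "block" if host_score(url) < BLOCK_BELOW else "allow"


def scan_page(page_url, html):
    """Return [(object_url, score, decision)] for every embedded object."""
    collector = ObjectCollector(page_url)
    collector.feed(html)
    return [(u, host_score(u), decision(u)) for u in collector.objects]


def page_verdict(page_url, html):
    """Verdict on the initial request plus the list of objects to strip/block."""
    blocked = [u for u, _, d in scan_page(page_url, html) if d == "block"]
    return {"initial_request": decision(page_url), "blocked_objects": blocked}


SAMPLE_HTML = """<html><body>
<img src="/logo.png">
<script src="//cdn.trusted.example/app.js"></script>
<iframe src="http://ads.shady.example/banner"></iframe>
</body></html>"""  # constructed page served by the trusted site

if __name__ == "__main__":
    page = "http://www.trusted.example/news"
    for row in scan_page(page, SAMPLE_HTML):
        print("%-45s %5.1f  %s" % row)
    print(page_verdict(page, SAMPLE_HTML))
```

A gateway that scored only the initial request would have allowed this page in full; scoring per object allows the page and its own CDN script while stopping the third-party iframe, which is the compromised-site case the slide's last two bullets describe.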

Slide 47: Cisco IronPort DVS Engine: Dynamic Vectoring and Streaming
Verdict engines by threat type: spyware and adware (Webroot); trojans (Webroot, McAfee); worms and viruses (McAfee).
- 35% additional coverage
- Multiple integrated verdict engines: McAfee and Webroot
- Decrypt & scan SSL traffic: selectively, based on category & reputation
- Accelerated signature scanning: parallel scans, stream scanning
- Automated updates

Slide 48: Cisco IronPort DVS Engine: Multi-Layered Malware Defense
- Deep content inspection
- High-performance scanning: parallel scans, stream scanning
- Multiple verdict engines: integrated, on-box; supported engines: Webroot, McAfee
Diagram: the IronPort DVS Engine dispatches to Webroot, McAfee and verdict engine “N”, under policy management.

Slide 49: Usage of Ports 80 & 443 Has Changed
- A lot of applications traversing port 80 are not “web browsing”
- A lot of applications using port 80 are not business-related
- Nearly all companies include webmail users: malicious attached files?
- Instant messaging is found in all companies: how do you keep it open while ensuring your network is not at risk?
- Web-based file transfer is growing fast (MegaUpload, Rapidshare)
- Peer-to-peer is still used heavily

Slide 50: Web Application Controls: Understanding Web Traffic
- Native control for HTTP, HTTP(S), FTP applications
- Selective decryption of SSL traffic for security and policy
- Policy enforcement for applications tunneled over HTTP: FTP, IM, video
- Application traversal using policy-based HTTP CONNECT

Slide 51: HTTPS Scanning: Selective, Based on Trust
Traffic is decrypted, inspected and re-encrypted, selectively based on trust, category and source.

Slide 52: Cisco IronPort WSA Complete Data Security
On-box common sense security:
- Allow, block, log based on file metadata, URL category, user and web reputation
- Multi-protocol: HTTP(S), FTP, HTTP tunneled
Diagram: documents sent to a partner site (allow), to webmail (block), to the Internet (log).
Off-box advanced data security (DLP vendor box):
- Deep content inspection: structured and unstructured data matching
- Performance optimized: works in tandem with accelerated on-box [text cut off in the transcription]


Slide 54: Cisco IronPort Web Security Manager: Single View of Policies for the Entire Organization
Group by LDAP, Active Directory, network.
- Marketing: block FTP; allow media files; allow all URL categories
- Sales: block executables; block gambling sites; block all malware
- IT: allow Skype; monitor all traffic; allow executables
- (group label not legible): allow all applications; allow all protocols

Slide 55: Delegated Administration: Flexibility to Support Organizational Requirements
- Global administrator defines roles and access permissions
- Policy officer sets rules for the users they manage (example groups: IT: no media, no FTP; SALES: no webmail; LEGAL)
- Assign administrators for groups of users, appliances, subnets, or destinations
- Fine-grained, role-based access control

Slide 56: Comprehensive Reporting
In-depth threat visibility:
- Web traffic overview
- Layer 4 Traffic Monitor
- Anti-malware category and threat details
- Client malware risk & activity detail
- Website activity and detail
Extensive forensic capabilities:
- Investigate acceptable use violations
- Drill down for further analysis
- Satisfy compliance requirements
Detailed off-box analysis:
- Offload extensive data crunching
- Top N and trend reporting for malware
- Client, source, malware name and category for IronPort

Slide 57: Web Security Hosted Offerings
ScanSafe SaaS Web Security is now part of Cisco

Slide 58: The Leading SaaS Web Security Solution
- Pioneer
- Awards: Security Product of the Year 2008; award-winning
- Leadership position: 34.5% market share (IDC)
- 30Bn web requests monthly
- Millions of users
- Customers in 100 countries
- 100% availability
- 200 million threats blocked monthly
- Partners


Summary slide (truncated in the transcription): Secure Messaging
- Inbound security; outbound control; mail transfer agent; spam defense
- Cisco IronPort AsyncOS
- Cisco Registered Envelope Service: message pushed to recipient; user opens secured message in browser; user authenticates and rece