Cisco IronPort Email & Web Security€¦ · Security Gateway. Application-Specific Security...

Ciscc 1© 2010 Cisco and/or its affiliates. All rights reserved.

Cisco IronPortEmail & Web Security

Greg Griessel

Consulting Systems Engineer - Security

[email protected]

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2Cisco

EMAILSecurity Gateway

Application-Specific Security Gateways

SECURITY MANAGEMENT

Appliance

Internet

WEBSecurity Gateway

SensorBase(The Common

Security Database)

APPLICATION-SPECIFICSECURITY GATEWAYS

BLOCK Incoming Threats: Spam, Phishing/Fraud Viruses, Trojans, Worms Spyware, Adware Unauthorized Access


Email Security, 2010

The Magic Quadrant is copyrighted 2010 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.


Secure Web Gateway, 2011

The Magic Quadrant is copyrighted 2011 by Gartner, Inc. and is reused with permission. The Magic Quadrant is a graphical representation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor product or service depicted in the Magic Quadrant, and does not advise technology users to select only those vendors placed in the "Leaders” quadrant. The Magic Quadrant is intended solely as a research tool, and is not meant to be a specific guide to action. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This Magic Quadrant graphic was published by Gartner, Inc. as part of a larger research note and should be evaluated in the context of the entire report. The Gartner report is available upon request from Cisco.


Cisco IronPortEmail Security

Cisco Confidential 6© 2010 Cisco and/or its affiliates. All rights reserved. Cisco

Junk Mail

Viruses Regulations

Privacy & Control

Cisco Confidential 7© 2010 Cisco and/or its affiliates. All rights reserved. CiscoSource: Cisco Threat Operations Center

More and more targeted attacks

0

50

100

150

200

250

300

2006 2007 2008 2009 2010

Daily Spam Volume (Billion)

Targeted Attacks

Spam


• Statistics on more than 30% of the world’s e-mail traffic

• New threats & alerts detection• More than 200 parameters to build

reputation scores

• Data Volume• Message Structure

• Complaints• Blacklists, whitelists

• Off-line data

Reputation Score

Reputation Score• URL blacklists & whitelists

• HTML Content• Domain Info

• Known “bad” URLs• Website history…

E-Mail Reputation Filters

Web Reputation Filters


Man

agem

ent

Cisco IronPort Email Security Appliance

VirusDefense

CISCO IRONPORT ASYNCOSEMAIL PLATFORM

Data Loss Prevention

Secure Messaging

INBOUND SECURITY

OUTBOUND CONTROL

MAIL TRANSFERAGENT

SpamDefense


For Security, Reliability and Lower Maintenance

After Cisco IronPort

Groupware

Firewall


Internet

Before Cisco IronPort

Anti-Spam

Anti-Virus

Policy Enforcement

Mail Routing

Internet

Firewall

Groupware

Users

Encryption PlatformMTA

DLP Scanner

DLP Policy Manager

Users


Man

agem

ent


VirusDefense



Secure Messaging

INBOUND SECURITY

OUTBOUND CONTROL

MAIL TRANSFERAGENT

SpamDefense


Revolutionary Email Delivery Platform

Traditional Email Gatewaysand Other Appliances

Cisco IronPort Email Security Appliances

200Connections

Low Performance/Peak Delivery Issue

Disk I/O Bottlenecks

Unable To Leverage

Full Capability

Components

CPU Limited Solely

By CPU Capacity

1K – 10KConnections

High Performance/Sure Delivery


Man

agem

ent




Secure Messaging

INBOUND SECURITY

OUTBOUND CONTROL

MAIL TRANSFERAGENT

SpamDefense

VirusDefense


Spam Blocked Before Entering Network

> 99% Catch Rate< 1 in 1 millionFalse Positives

IronPort Anti-SpamSensorBase Reputation Filtering

Who? How?

What?Where?

Verdict

Presenter

Presentation Notes


• Known good is delivered

• Suspicious is rate limited & spam filtered

• Known bad is blocked

IronPort Anti-Spam

Incoming MailGood, Bad, and Unknown Email

ReputationFiltering

Cisco’s Internal Email Experience:

Message Category % Messages

Stopped by Reputation Filtering 93.1% 700,876,217

Stopped as Invalid recipients 0.3% 2,280,104

Spam Detected 2.5% 18,617,700

Virus Detected 0.3% 2,144,793

Stopped by Content Filter 0.6% 4,878,312

Total Threat Messages: 96.8% 728,797,126

Clean Messages 3.2% 24,102,874

Total Attempted Messages: 752,900,000

Real Time Threat Prevention


Man

agem

ent


VirusDefense



Secure Messaging

INBOUND SECURITY

OUTBOUND CONTROL

MAIL TRANSFERAGENT

SpamDefense


The First Line of Defense

Early Protection with

IronPort Virus Outbreak Filters

Presenter

Presentation Notes


Outbreak Filtering in Action

Cisco SIO

Verdict: Suspect IP / URLAction: Send to Cloud

Verdict: Malicious ContentAction: STOP

Presenter

Presentation Notes

Our track record of on-premise and cloud based security is proven. Security Services – best of breed Combination of content and network based security services and tools is unique to the industry Our strengths in CSIO and Outbreak Intelligence provide customers with the highest level of accuracy across the widest range of threat vectors The success of our cloud based solution is evidenced by the deep relationships with Service Providers. We are the Service Provider vendor of choice when it comes to cloud security. Sprint, ATT and Orange Business Services are a few of the SPs who have grown to rely on Cisco for their own cloud based offering. Operational excellence is critical to any offering that leverages cloud based security. We have offered 100% uptime in 6 years. NO DOWN TIME. This is based off an architecture that is built from the ground up as well as monitoring and operational practices that are designed from day one to deliver a cloud based service.


Zero Hour Malware Prevention and AV Scanning

Virus Outbreak Filters Anti-Virus

T = 0

-zip (exe) files

T = 5 mins

-zip (exe) files-Size 50 to 55 KB

T = 15 mins

-zip (exe) files

-Size 50 to 55KB

-“Price” in the filename

An analysis over one year:

Average lead time …………………………over 13 hoursOutbreaks blocked ………………………291 outbreaksTotal incremental protection ……………. over 157 days

Presenter

Presentation Notes


Man

agem

ent




Secure Messaging

INBOUND SECURITY

OUTBOUND CONTROL

MAIL TRANSFERAGENT

SpamDefense

VirusDefense


Top Risk: Employees Biggest Impact: Customer Data

12%

10%

5% 4% 7%

Personal client information

44%

21%

4% 8% 4%

Intellectual Property

Personnel Information

Information marked Confidential

Top Data Loss Types


Comprehensive, Accurate, Easy

Comprehensive 100+ Pre-defined templates

Regulatory compliance

Multiple parameters

Key words, proximity, etc.

Accurate

One-click activation

Policy enable/disable

Easy

Presenter

Presentation Notes


“RSA has strong described content capabilities enabled by aformal knowledge-engineering process” - Gartner

Ranked as “Leader” in Gartner Magic Quadrant

Focus on accuracy:large research team staffed specifically to write and refine content polices


Reports by severity and policyReal time and

scheduled reports available


Instant Deployment, Zero Management Cost

Automated key management

No desktop software requirements

No new hardware required

Gateway encrypts message

Message pushed to recipient

Cisco Registered Envelope Service

User opens secured message in browser

User authenticates and receives message key

Key is stored

Decryptedmessage is displayed


No ForwardingAllowed without Permission

Confidential Contents GuaranteedRecall

Guaranteed ReadReceipts

Message Expiry


Protect CompanyFrom IdentityData Leaks

Protect EmployeesFrom Identity StealingMalware and Phishing

Inbound Security Outbound ControlCisco IronPort Email Security Solution

Anti-Spam• SensorBase Reputation Filtering• IronPort Anti-Spam

RSA Email DLP • 100+ predefined DLP policies• Accurate• Easy to Implement

Anti-Virus• Virus Outbreak Filters (VOF)• McAfee Anti-Virus • Sophos Anti-Virus

Encryption• Secure Message Delivery• Transport Layer Security


Man

agem

ent




Secure Messaging

INBOUND SECURITY

OUTBOUND CONTROL

MAIL TRANSFERAGENT

SpamDefense

VirusDefense


Single view of policies for the entire organization

• Mark and Deliver Spam• Delete Executables

• Archive all mail• Virus Outbreak Filters

disabled for .doc files

• Allow all media files• Quarantine executables

IT

SALES

LEGAL

with Delegated Administration

Global Administrator

Read-OnlyOperator Helpdesk PCI Auditor PCI Supervisor……..


Email Volumes

Spam Counters

Policy Violations

Virus Reports

Outgoing Email Data

Reputation Service

System Health View

Single view across the organization

Real Time insight into email traffic and security threats

Actionable drill down reports

Mul

tiple

dat

a po

ints

Consolidated Reports

Unified Business Reporting


Fully Managedon Premises

Managed

Award-Winning Technology

Appliances

Backed by Service Level Agreements

Dedicated SaaS

Infrastructure

Hosted

Best of Both Worlds

Hybrid Hosted


Cisco IronPortWeb Security


Acceptable Use Control

MalwareProtection

Data LossPrevention

Policy

SaaS Access Control


Industry Leading Secure Web Gateway

Control

Security

Acceptable Use Controls

Malware Protection

Data Security

SaaS Access Controls

Centralized Management and Reporting

InternetSecure Mobility


80% of the web is uncategorized, highly dynamic or unreachable by web crawlers

Botnets Dynamic content Password protected sites User generated content Short life sites

The Known Web20% covered by URL lists


Malware Protection

Data Security


Danger

Danger


URL Keyword Analysis

www.casinoonthe.net/Gambling

Industry-leading URL database efficacy

• 65 categories• Updated every 5 minutes

Dynamic categorization identifies more than 90% of Dark Web content in commonly blocked categories

Uncategorized

Dynamic Content Analysis Engine

GamblingAnalyze Site Content

Real-time Dynamic Content Analysis

URL Lookup in Database

www.sportsbook.com/ GamblingURL Database

Uncategorized


Control


Data Security




Security

Malware Protection



• 237% volume increase in ‘09• Over 70% of compromised web sites are

legitimate• Vulnerabilities in Adobe PDF emerged as

the main target, followed by Flash

54% of malware encounters due to iframes and exploits

Cross-Site Scripting and SQL Injection are top attack methods

83% of websites have at least 1 serious vulnerability


BoingBoing.net: A Popular Blog

• URLs in browser: 1

• HTTP Gets: 162• Images: 66

from 18 domains including 5 separate 1x1 pixel invisibletracking images

• Scripts: 87 from 7 domains

• Cookies: 118 from 15 domains

• 8 Flash objects from 4 domains


BoingBoing.net: A Popular Blog


Cisco Network and Content Security Deployments

Predictive, Zero-day Protection

Cisco SensorBase

Threat Operations Center

AdvancedAlgorithms

Web Reputation Scores-10 to +10

Cisco Security Intelligence Operations

Threat Telemetry

Threat Telemetry

Outbreak IntelligenceExternal Feeds

Identifying Malware Lurking in the Dark Web


New York Times: Victim of an Advertiser Attack!

• Seemingly legitimate ad turned malicious causing 3 redirects

• Ultimate destination: protection-check07.com

Drive By Scareware

Full-screen pop-up simulates real AV software, asks user to buy full version to clean machine.

Cisco Web Rep Score: -9.3 Default Action: BLOCK

NYT site allowed but malicious redirect blocked


Dynamic Vectoring and Streaming

Signature and Heuristic Analysis

Wide coverage with multiple signature scanning engines

Identify encrypted malicious traffic by decrypting and scanning SSL traffic

Seamless user experience with parallel scanning

Latest coverage with automated updates

Heuristics DetectionIdentify unusual behaviors

DVS Engine

Parallel Scans, Stream Scanning

Signature InspectionIdentify known behaviors


Internet

Users

Cisco IronPort S-Series

Network Layer Analysis

PowerfulAnti-Malware Data

Preventing“Phone-Home” Traffic

Scans all traffic, all ports, all protocols

Detects malware bypassing Port 80

Prevents Botnet traffic

Automatically updated rules

Real-time rule generation using, “Dynamic Discovery”

Layer 4 Traffic Monitor

Packet and Header

Inspection

Also available on the ASA as Botnet Traffic Filter






Security

Malware Defense

Control

Data Security



Documents

Allow, block, log based on file metadata, URL category, user and web reputation

Multi-protocol: HTTP(s), FTP, HTTP tunneled

Documents

On-Box Common Sense Security

DLP Vendor Box

Internet

Partner site

Webmail

Internet

Deep content inspection: Structured and unstructured data matching Performance optimized: Works in tandem with accelerated on-box policies

Log

AllowBlock

Log

AllowBlock

Off-Box Advanced Data Security


Control

Data Security



Security

Malware Defense





Identity

Job Sites

Instant Message

P2P

Streaming Media

Human Resource

No FileTransfer

All

100 kbps/User

Facebook Lunch hour Time

Object

Application

Location

Priority


Granular control over HTTP, HTTP(s), FTP applications

Dynamic signature updates maintained by Cisco SIO

Granular Control over Application Usage

Employee in Finance

Access Control Policy Access Control Violation

Instant MessagingFacebook: Limited Apps

Video: 512 kbps max

File Transfer over IMFacebook Chat, Email

P2P


Block Malware like ‘Farm Town’ app ad that redirects users to fake antivirus software

Allow/Block thousands of Facebook Apps

Allow/Block features like Chat, Messaging, Video & audio bandwidth


Control


Data Security



Security

Malware Defense




Visibility | Centralized Enforcement | Single Source Revocation

Regaining Visibility and Control Through Identity

Branch Office

Corporate Office

Home Office

SaaS Single Sign On

AnyConnect Secure Mobility Client

SaaS Single Sign OnRedirect @ Login

User Directory

No Direct Access

X


Control

Security


Malware Defense

Data Security






On-Box Centralized Reporting and TrackingCentralized Management

Centralized Policy Management

Delegated Administration

InsightAcross Threats,

Data and Applications

ControlConsistent Policy Across Offices

and for Remote Users

VisibilityVisibility Across Different Devices,

Services, and Network Layers

In-Depth Threat Visibility

Extensive Forensic Capabilities

Security Management Appliance


Multi-CoreOptimization

Integrated Identity and Authentication

NTLM/Active Directory

LDAP

Secure LDAP

Addresses latency issues associated with anti-virus scanning

Enables multi-scan features for improved security efficacy

Optimized for rich web content

Identity Based Policies

Transparent, single sign-on (SSO) authentication against Active Directory

Guest Policies, Re-Auth


Customers

Awards

Partners

Pioneer in SaaS Web Security

Over 34% market share in SaaS Web Security (IDC)

Multi-award winning product portfolio

Millions of users

Billions of Web requests scanned every day

100% Availability


AnyConnect Secure Mobility

Internet Traffic

VPN – Internal Traffic(optional)

With AnyConnect 3.0


Internet

Corporate Office

Blocked URLs

Blocked Files

Blocked Content

ApprovedContent

Branch/Retail or Home Office

ISR G2 with ScanSafe Connector SW

RADIUS/LDAP

Thank you.

Cisco IronPort Email & Web Security€¦ · Security Gateway. Application-Specific Security...

Documents

Transcript of Cisco IronPort Email & Web Security€¦ · Security Gateway. Application-Specific Security...