1. IronPort: The Leader in Email Security
PROTECTING OVER 340 MILLION BOXES WORLDWIDE
Fredrik Myrelid
Nordic & Baltic Technical Manager
IronPort Systems, Inc.

2. IronPort Systems: The Leader in Email Security
IronPort C-Series Security Appliance
Industry-leading technology
AsyncOS, powers the world’s fastest MTA
SenderBase, the world’s first & largest HTTP & SMTP traffic monitoring network
Industry-leading customers
Over 50% of the world’s largest ISPs, media & technology companies choose IronPort

3. Fixing Email: The Steps Required1. 2. 3.
IDENTITY
REPUTATION
POLICY
Internet
ISPs
private
public
DNS
DomainKeys:
The domain owner (typically the team running the gateway) uses the IronPort Security Appliance to automatically generate a public/private key pair to use for signing all outgoing messages. The public key is published in DNS, and the private key is stored on the IronPort appliance.
When each is sent by a specified end-user within the domain, the IronPort appliance automatically uses the stored private key to generate a digital signature of the message. This signature is then pre-pended as a header to the , and the is sent on to the target recipient's mail server.
IronPort is the First to Implement DomainKeys

4. Challenges at the Email Gateway
The typical symptoms everyone headlines on….
Security
Managing volumes of SPAM and false positive issues
Viruses
Denial of Service attacks, Directory Harvesting, Fraud etc etc
Policy & Legal Compliance
But what about the bigger picture?
Availability of services
Performance & Latency issues
Authentication
Massive Admin & Operations overhead
Huge Complexity
Visibility, Reporting & Statistics
Future-proofing the infrastructure, new services etc
is the factory floor of today’s modern enterprise. If goes down, you send the company home for the day. With the criticality of increasing, so is the volume. More people are using every day, each person has more accounts though wireless and home accounts, and message sizes are growing due to attachments and HTML. And as the level of sophistication of attacks has increased, the complexity of filtering required for each message has skyrocketed.
This is resulting in a rapid year-over-year growth in the throughput required at the gateway for every company that uses —big or small.
When we add the fact that brute force tactics used by the bad guys out there like Denial of Service, Directory Harvest Attacks, Hit and Run spam, or worm outbreaks it becomes apparent that the gateway is under attack. Traditional systems were not designed for this scenario. Our competitor's systems were not designed for this scenario. This is why IronPort developed AsyncOS.

5. Summarised as.. Lost Productivity (a management issue)
At the desktop (users are asked to define spam)
IT Admin (to setup, fine tune and monitor spam)
Consumption of valuable IT resource (an operational issue)
Network bandwidth (wasted on 70% spam)
CPU and memory at the gateway (could be used on genuine mail)
Disk storage (archive everything that arrives, inc. spam)
Increased real-estate (in order to scale with the right performance)
Legal liability (a risk management issue)
Offensive content
Contravention of legislation (Data Protection, Basel II, SOX, HIPPA etc)
Spam zombies (brand risk, blacklisting)
is the factory floor of today’s modern enterprise. If goes down, you send the company home for the day. With the criticality of increasing, so is the volume. More people are using every day, each person has more accounts though wireless and home accounts, and message sizes are growing due to attachments and HTML. And as the level of sophistication of attacks has increased, the complexity of filtering required for each message has skyrocketed.
This is resulting in a rapid year-over-year growth in the throughput required at the gateway for every company that uses —big or small.
When we add the fact that brute force tactics used by the bad guys out there like Denial of Service, Directory Harvest Attacks, Hit and Run spam, or worm outbreaks it becomes apparent that the gateway is under attack. Traditional systems were not designed for this scenario. Our competitor's systems were not designed for this scenario. This is why IronPort developed AsyncOS.

6. IronPort Consolidates the Email Perimeter
Before IronPort
After IronPort
Internet
Internet
Firewall
MTAs
Firewall
Anti-Spam
Anti-Virus
Policy Management
Mail Routing
is the factory floor of today’s modern enterprise. If goes down, you send the company home for the day. With the criticality of increasing, so is the volume. More people are using every day, each person has more accounts though wireless and home accounts, and message sizes are growing due to attachments and HTML. And as the level of sophistication of attacks has increased, the complexity of filtering required for each message has skyrocketed.
This is resulting in a rapid year-over-year growth in the throughput required at the gateway for every company that uses —big or small.
When we add the fact that brute force tactics used by the bad guys out there like Denial of Service, Directory Harvest Attacks, Hit and Run spam, or worm outbreaks it becomes apparent that the gateway is under attack. Traditional systems were not designed for this scenario. Our competitor's systems were not designed for this scenario. This is why IronPort developed AsyncOS.
IronPort Security Appliance
Groupware
Groupware
Users
Users

7. IronPort Reduces Administration Advanced Technology Automates Manual Tasks
Anti-spam updates: up to 60,000 rules/day, every 5-10 min
Stop viruses in average 15 hours
Before the anti virus signature is available
Centralized management: make
Changes only once
No fine tuning or
Training necessary
Lowest fales positive rates eliminates support calls
IronPort Security Appliance
Centralized & scheduled reporting: You never
Need to sort throguh logs again
is the factory floor of today’s modern enterprise. If goes down, you send the company home for the day. With the criticality of increasing, so is the volume. More people are using every day, each person has more accounts though wireless and home accounts, and message sizes are growing due to attachments and HTML. And as the level of sophistication of attacks has increased, the complexity of filtering required for each message has skyrocketed.
This is resulting in a rapid year-over-year growth in the throughput required at the gateway for every company that uses —big or small.
When we add the fact that brute force tactics used by the bad guys out there like Denial of Service, Directory Harvest Attacks, Hit and Run spam, or worm outbreaks it becomes apparent that the gateway is under attack. Traditional systems were not designed for this scenario. Our competitor's systems were not designed for this scenario. This is why IronPort developed AsyncOS.
No manual white- or black lists necessary
Automatic rate limiting protects against Denial of Service without your intervention
Test configuration changes withouth making them active
“These IronPorts run themselves” Joe Chodi, CTO of Major League Baseball

8. IronPort Architecture for Multi-Layered Email Security
MANAGEMENT TOOLS
SPAM
DEFENSE
VIRUS
DEFENSE
CONTENT
SCANNING
• IronPort Reputation Filters
• Brightmail • IronPort Anti-Spam
• IronPort Virus Outbreak Filters
• Sophos Anti-Virus
• IronPort Content Filters
• PostX and PGP
AsyncOS MTA Platform:
AsyncOS scalable and secure OS optimized for messaging
Identity Protection secures enterprise identity
Standards-based Integration replaces legacy systems with ease
SPAM DEFENSE:
IronPort’s Reputation Filters – the outer layer defense
Symantec Brightmail – premium, proven solution
IronPort Anti-Spam - stops the broadest array of threats – spam, phishing, fraud
VIRUS DEFENSE:
IronPort’s Virus Outbreak Filters stop outbreaks 14 hours ahead of signatures
Sophos AntiVirus signature based solution with industry leading accuracy
CONTENT SCANNING:
IronPort Content Filters provide baseline filtering and encryption
Postx and PGP provide advanced filtering and encryption
MANAGEMENT TOOLS:
Security Manager for unified policy management
Centralized Management manage units around the world
Mail Flow Monitor real time reporting
Mail Flow Central centralized reporting and tracking
ASYNCOS™ MTA PLATFORM

9. AsyncOS: Revolutionary MTA Platform
Traditional Gateways And Other Appliances
IronPort Security Appliance
200
Incoming/Outgoing
Connections
Low Performance and Potential DoS
10,000 Incoming/Outgoing
Connections
High Performance, Predictable Delivery
Single Queue
For all Destinations
Queue Backup Delays All Mail
Per-Destination Queues
Fault-Tolerance and Custom Control
Directory Harvest Attack Prevention
Protects Against: Theft of your user database by spammers
Unique Advantage: Integrates with SenderBase to track global attacks
Virtual Gateway Technology
Protects Against: Inadvertent blockage of your corporate mail
Unique Advantage: Provides up to 256 unique IP addresses per appliance
Intelligent Bounce Handling
Protects Against: Blacklisting of your IPs from intentional NDRs
Unique Advantage: Separate IP address for NDRs, In-conversation recipient checking

10. AsyncOS™ Standards Based Integration
LDAP
Integrates with all standard LDAP servers including Active Directory™
Carrier-class client and cache on-box
DNS
High performance client resolves millions of record per hour
Configure separate DNS servers per domain
Advanced Networking
802.1Q VLAN Tagging for network security
NIC failover for redundancy
Loopback interfaces for load balancer integration
Essential Mail Operations
Alias, masquerade, and routing tables
Powerful header operations
Store tables on box or in LDAP directory

11. Multi-Layered Spam & Virus Defense: Preventive + Reactive = Defense in Depth
- IronPort
Reputation
Filtering
Virus Outbreak
Filters
Reactive
Layer
- Brightmail
- IronPort
AntiSpam
Sophos Anti
- Virus +
Traditional security is REACTIVE
- E.g., content filtering for spam
- E.g., virus scanning based on known signatures
- These methods require that the threat has been seen before, and the filter gets updated with that information
REACTIVE filter are not enough because:
- You need this because threats are changing so fast, reactive services don’t always move fast enough
- the load on the infrastructure requires that you do high- performance filtering BEFORE the CPU intensive content filtering
PREVENTIVE filters provide much faster response times and higher performance
Best approach is a cocktail of the two
Higher accuracy of REACTIVE filters allows definitive actions (like deleting the message
The question now is how is IronPort able to create these Preventive Filters?
Immediate Reaction to Threats
Extremely High Performance
Coarse Outer Layer
Blocks or Rate Limits
Adapts Over Time
Computationally Intensive
Fine-grained Inner Layer
Delete or Quarantine

12. Black and White Lists

13. SenderBase®: Data Makes the Difference
Parameters
• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data
Threat Prevention in Realtime
SenderBase Reputation Scores
-10 to +10
SenderBase
Data
Data Analysis/
Security Modeling
Data Quantity
Over 200,000 sources
8 of the top 10 ISPs, universities & businesses
Worldwide sources, including Americas, Europe & Asia
Data Quality
Over 3 years of experience ensuring data integrity
SourceRank assesses source quality by cross correlating multiple sources with known benchmarks
Data Breadth
Combine HTTP & SMTP data
Over 5 billion s per day
Over 90 SMTP parameters tracked
Over 20 HTTP parameters tracked

14. IronPort Mail Flow AsyncOS MTA Platform:
80% Bad Mail STOPPED BEFORE
You have accepted connection
Work Queue
Reputation
Filters 
Anti
Spam 
Anti
Virus 
Content
Filters 
Virus
Outbreak
Filters 
SMTP
Client 
AsyncOS MTA Platform:
AsyncOS scalable and secure OS optimized for messaging
Identity Protection secures enterprise identity
Standards-based Integration replaces legacy systems with ease
SPAM DEFENSE:
IronPort’s Reputation Filters – the outer layer defense
Symantec Brightmail – premium, proven solution
IronPort Anti-Spam - stops the broadest array of threats – spam, phishing, fraud
VIRUS DEFENSE:
IronPort’s Virus Outbreak Filters stop outbreaks 14 hours ahead of signatures
Sophos AntiVirus signature based solution with industry leading accuracy
CONTENT SCANNING:
IronPort Content Filters provide baseline filtering and encryption
Postx and PGP provide advanced filtering and encryption
MANAGEMENT TOOLS:
Security Manager for unified policy management
Centralized Management manage units around the world
Mail Flow Monitor real time reporting
Mail Flow Central centralized reporting and tracking
Exchange,
Lotus/Domino,
Groupwise
Clean, legitimate Mail!

15. Nordea Phishing / Sender IP

16. Good, Bad, and “Grey” or Unknown Email
IronPort Reputation Filters Stop 80% of Hostile Mail at the Door….
+10
Trusted Policy
Accepted Policy
Untrusted Policy
Rejected Policy
-10
Reputation Filtering
Anti-Spam
Engine
Incoming Mail
Good, Bad, and “Grey” or Unknown
IronPort uses identity & reputation to apply policy
Sophisticated response to sophisticated threats

17. Traffic Shaping: Mail Flow Control NOT Filtrering

18. Dell Dell’s challenge: IronPort’s solution:
Dell receives over 26M mail per day
Only 1.5M legitimate s
68 existing gateways using Spam Assassin with high false positive rates
IronPort’s solution:
Reputation filters blocks over 19M s per day
5.5M s per day scanned & removed by Brightmail
Replaced 68 servers with 8 IronPort C60s
Accuracy of spam filtering increased 10x
Server consolidation with 70%
Operational costs reduced with over 75%
“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”
-- Tim Helmsetetter Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation

19. IronPort’s CASE: Examining Full Message Context
Anti-Spam
Competitive
Solutions
What? Message Content What content is included in this message?
How? Message Structure How was this message constructed?
Who? Reputation
Who is sending you this message?
Where? Web Reputation
Where does the call to action take you?

20. Traditional “Content Filters”
What CONTENT FILTERS Find
Verdict: UNKNOWN
WHAT?
Message content legitimate.

21. Context Adaptive Scanning
What CASE Finds
Verdict: BLOCK
WHAT?
Message content legitimate.
HOW?
Message construction emulates Microsoft Outlook client.
WHO?
Sudden surge in volume of being sent.
Server does not accept mail in return.
Mail server located in Ukraine.
WHERE?
Mismatch between display & target URL
Web site domain registered a day ago.
Web site hosted on consumer broadband network.
“Whois” data shows domain owner as known spammer.

22. Göteborgs Universitet
Göteborgs Universitet’s challenge:
440 domains
125+ mail servers with more than 55,000 users
Distributed & Complex infrastructure
Over 80% spam with high false positives using MailMarshal & others
Each institution managing their own infrastructure = high administrative overhead
IronPort solution:
Reputation filters block over 80% of all inbound mail
90% server (gateway & mail servers) consolidation (2+1 IronPort C600)
Virtually zero false positive
Minimal admin & ops
Extensive visibility & reporting of mailflow

23. IronPort Outbreak Filters Over 140 Virus Outbreaks Detected, Average Lead Time of 15 hours
“Virus Outbreak Filters helped us from the first day we had it and it saves us significant
clean up costs during major
virus outbreaks.”
Mark S. Dial
E-Messaging Team, Tellabs
Virus
Date
Virus Threat Level Raised
First Anti-virus Signature Available
Outbreak Filter Lead Time
Bagle.BO
5/31/2005
14:32 PM
16:34 PM
2:02 hours
Bagle BB
2/27/2005
10:39 AM (2/27)
4:22 AM (3/1)
41:43 hours
Mydoom.BL
4/28/2005
19:52 PM
21:43 PM
1:51 hours
MyTob.V
4/3/2005
4:19 AM
9:36 AM
5:17 hours
MyTob.J
3/24/2005
23:30 PM
22:38 PM (the next day)
23:08 hours
Sober.L
3/7/2005
16:10 PM
18:28 PM
2:18 hours
Sober.K
2/21/2005
5:58 AM
7:00 AM
1:02 hours
Mydoom.BB
2/15/2005
18:08 PM
22:54 PM (the next day)
28:46 hours
Sober.J
1/30/2005
22:58 PM
9:21 AM (the next day)
10:22 hours
Bagle.BJ
1/26/2005
19:00 PM
19:32 PM
0:32 hours
Mugly A
11/30/2004
2:57 AM (11/30)
9:08 AM (12/1)
30:11 hours

24. How Virus Outbreak Filters Work Dynamic Quarantine In Action
Messages
Scanned &
Deleted
T = 0
zip (exe) files
T = 5 mins
- zip (exe) files - Size 50 to 55 KB.
T = 10 mins
zip (exe) files
Size 50 to 55KB
“Price” in the name file
T = 8 hours
Release messages if signature update is in place

25. Industry Leading Signatures from Sophos Anti-Virus
Integrated Sophos® anti-virus engine
High performance in-line scanning
Easy to deploy and manage
Intuitive user interface
Single view with Mail Flow Monitor
Auto updates
Lower TCO with integrated solution

26. Easy Custom Filter Generation Protect your intellectual property & enforce acceptable use
IronPort Content Scanning Engine
Encrypt
Archive
BCC to Compliance Officer
Notify Legal Personnel
Remove Attachment
Return to Sender
Bounce
Drop
High Performance
Flexible
Fine Grained
Incoming / Outgoing Mail
The content filtering engine provides an easy-to-use point-and-click interface to create custom content filtering rules for the company. In addition, the content filtering engine supports foreign character sets so that filters can be written for employees that don’t speak English. IronPort also differentiates itself by allowing scanning for content in international character sets. Note that this is full content scanning support in multiple languages — not simply anti-spam or anti-virus signatures.
An easy-to-use GUI rule builder allows customers to quickly develop the flexible filtering rules their businesses require. IronPort appliances also have an integrated administrative quarantine that allows administrators to easily review the content of messages that trigger specific filter rules. Messages founds with the content scanning engine can also be sent to IronPort’s system quarantine. Administrators can create custom quarantines and limit viewing and releasing privileges to individuals, like compliance officers, HR personnel, or specific administrators.
As you know, the primary goal of smart lexicons and content dictionaries is to filter any outgoing message that contains sensitive personal information. Let’s discuss IronPort’s content dictionaries using HIPAA as an example (because HIPAA has one of the most ‘strict’ set of rules for compliance).
<<The rest of the notes focus on HIPAA specifically>>
The Challenge:
The real answer for 100% security is to simply encrypt ALL outgoing messages. However, this is not a viable option. Therefore, the challenge is to create an effective solution that mitigates risk, but also:
Interoperates with existing technology
Does not over encrypt (false positives)
Has minimal maintenance requirements
The natural tendency (and currently accepted model) is to use brute force and attempt to build an “all inclusive” medically related word list. This is not effective because:
The list could never be truly all inclusive
Would require constant maintenance
Takes an inordinate amount of CPU time to process
HIPAA does not require protection of the information simply because it is “medical” in nature, but does require it when that medical information could reasonably be tied to a single “identifiable” individual
Notes on the lexicons:
Personal Identifiers – based on the 18 classification for patient identifiers as outlined in Each of these is assigned a weight of “2”
Crossover Words – common words you would expect to find between an identifier and a medical condition flag. Assigned a weight of “3”
Medical Condition Flags – common medical condition flags that when standing alone do not require protection. Assigned a weight of “1 or 2” depending on its frequency of use in non-medical conversation.
The Lexicon itself is not the all-inclusive safety net, but rather a best practices methodology and tool for adhering to the core premise of compliance – taking reasonable and appropriate action.
LDAP Server Queries
Pre- defined HIPAA, GLB, SOX Filters
Customer Specific Filters

27. IronPort Email Security Manager Single view of policies for the entire organization
Domain, Address,
or LDAP Group
Allow all media files
Quarantine executables IT
Mark and Deliver Spam
Delete Executables
SALES
Archive all mail
Virus Outbreak Filters disabled for .doc files
LEGAL

28. IronPort Centralized Management
Log in anywhere, control everywhere
New systems automatically configure themselves
Mesh network = no single point of failure
Elegant solution for two systems to 100
Simple interface highlights configuration anomalies
Apply changes to a machine, group, or cluster
SJ1 Machine
SJ2 Machine
D1 Machine
D2 Machine
T1 Machine
T2 Machine
SJ3 Machine
D3 Machine
T3 Machine
San Jose Group
Dublin Group
Tokyo Group
IRONPORT CLUSTER

29. Enterprise Reporting & Management
Proves the IronPort ROI
Show effectiveness of reputation, spam, and virus filtering
In-depth reporting on all senders
Includes global traffic data from SenderBase
Easy integration with existing monitoring
Alert Center (via )
SNMP
Reporting API
Choice of management interfaces
Effortless Graphical User Interface (GUI)
Powerful Command Line Interface (CLI)

30. The IronPort Advantage
IronPort Minimizes the Total Cost of Ownership for your Infrastructure
Administrative burden reduced with more than 75%, let’s IT staff do more with less
Increased User productivity
Powerful Management & Reporting tools for small to global organizations, as well as ISP’s
Server consolidation
Reduced load on the network infrastructure
Ease of use
Flexible Filtering solutions – Tailored to your needs
IronPort increases the availability of your
Protection against Denial of Service Attacks, Directory Harvesting
IronPort makes you sleep better at night!
Industry leading Anti-Virus Protection – 15 hours ahead of competition
Multi dimentional Anti-Spam Protection
Most accurate for the broadest span of threats
Powered by SenderBase (
Unmatched performance – Scalability from the smallest organization to largest ISP’s
The IronPort C-Series offers comprehensive & consolidated security

31. Thank you Fredrik Myrelid IronPort Systems, Inc. fmyrelid@ironport.com
The IronPort C-Series offers comprehensive & consolidated security