1 IronPort: The Leader in Email Security
PROTECTING OVER 340 MILLION EMAIL BOXES WORLDWIDE
Fredrik Myrelid, Nordic & Baltic Technical Manager, IronPort Systems, Inc.

2 IronPort Systems: The Leader in Email Security
IronPort C-Series Email Security Appliance
Industry-leading technology: AsyncOS powers the world's fastest MTA; SenderBase is the world's first and largest HTTP & SMTP traffic monitoring network.
Industry-leading customers: over 50% of the world's largest ISPs, media and technology companies choose IronPort.

3 Fixing Email: The Steps Required
[Diagram: 1. IDENTITY, 2. REPUTATION, 3. POLICY; the private key stays on the appliance, the public key is published in DNS, and Internet ISPs look it up]
DomainKeys: The domain owner (typically the team running the email gateway) uses the IronPort Email Security Appliance to automatically generate a public/private key pair for signing all outgoing messages. The public key is published in DNS; the private key is stored on the IronPort appliance. When an email is sent by an end-user within the domain, the appliance automatically uses the stored private key to generate a digital signature over the message. That signature is prepended to the email as a header, and the email is sent on to the recipient's mail server. The receiving server fetches the public key from DNS and checks the signature, so a message whose signed headers or body were altered in transit, or one that claims the domain without holding its private key, fails verification. (DomainKeys, the Yahoo scheme described here, was later merged with Cisco's Identified Internet Mail into DKIM.) IronPort is the first to implement DomainKeys.
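The signing and verification flow described above, as an added Go example that is not IronPort's code: the gateway generates an RSA key pair, "publishes" the public key under a selector in an in-memory stand-in for DNS, signs a canonicalized form of the covered headers and body, and the receiver looks the key up and verifies. The header layout, the From/To/Subject canonicalization and the example domain, selector and message are assumptions for illustration, not the DomainKeys wire format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// dnsTXT stands in for the public DNS zone: the gateway publishes the public key under
// <selector>._domainkey.<domain> and keeps the private key on the appliance. (Constructed
// in-memory lookup for this example, not a DNS client.)
var dnsTXT = map[string]string{}

// canonicalize builds the bytes that are signed: From/To/Subject in a fixed order, a blank
// line, then the body without trailing whitespace. This simplified form is an assumption
// for the example, not the DomainKeys "simple"/"nofws" canonicalization.
func canonicalize(headers map[string]string, body string) []byte {
	var b strings.Builder
	for _, h := range []string{"From", "To", "Subject"} {
		b.WriteString(h + ": " + strings.TrimSpace(headers[h]) + "\r\n")
	}
	b.WriteString("\r\n" + strings.TrimRight(body, " \t\r\n"))
	return []byte(b.String())
}

// publishKey puts the DER-encoded public key into the DNS stand-in.
func publishKey(domain, selector string, pub *rsa.PublicKey) error {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return err
	}
	dnsTXT[selector+"._domainkey."+domain] = "k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return nil
}

// sign returns the signature header value the gateway prepends to an outbound message.
func sign(priv *rsa.PrivateKey, domain, selector string, headers map[string]string, body string) (string, error) {
	digest := sha256.Sum256(canonicalize(headers, body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("a=rsa-sha256; d=%s; s=%s; b=%s", domain, selector,
		base64.StdEncoding.EncodeToString(sig)), nil
}

// verify is the receiving side: parse the header, fetch the key for the claimed domain
// and selector, and check the signature over the message exactly as received.
func verify(sigHeader string, headers map[string]string, body string) error {
	fields := map[string]string{}
	for _, kv := range strings.Split(sigHeader, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(kv), "="); ok {
			fields[k] = v
		}
	}
	rec, ok := dnsTXT[fields["s"]+"._domainkey."+fields["d"]]
	if !ok {
		return errors.New("no public key published for signing domain/selector")
	}
	_, p, _ := strings.Cut(rec, "p=")
	der, err := base64.StdEncoding.DecodeString(p)
	if err != nil {
		return err
	}
	pubAny, err := x509.ParsePKIXPublicKey(der)
	if err != nil {
		return err
	}
	pub, ok := pubAny.(*rsa.PublicKey)
	if !ok {
		return errors.New("published key is not RSA")
	}
	sig, err := base64.StdEncoding.DecodeString(fields["b"])
	if err != nil {
		return err
	}
	digest := sha256.Sum256(canonicalize(headers, body))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// roundTrip generates a key pair, signs a constructed message, verifies it as received,
// then verifies a copy whose body was altered in transit. Returns each check's outcome.
func roundTrip() (validOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	if err = publishKey("example.com", "gw1", &priv.PublicKey); err != nil {
		return false, false, err
	}
	headers := map[string]string{"From": "alice@example.com", "To": "bob@example.net", "Subject": "Q3 invoice"}
	body := "Hi Bob,\r\nthe invoice is attached.\r\n"
	sigHeader, err := sign(priv, "example.com", "gw1", headers, body)
	if err != nil {
		return false, false, err
	}
	validOK = verify(sigHeader, headers, body) == nil
	tamperedOK = verify(sigHeader, headers, body+"Please wire payment to the new account.\r\n") == nil
	return validOK, tamperedOK, nil
}

func main() {
	ok, bad, err := roundTrip()
	fmt.Println("original verifies:", ok, "| tampered verifies:", bad, "| err:", err)
}
```

The verifier trusts whatever key DNS returns for the claimed domain and selector, so the scheme proves that the signing domain's key holder signed the message, not that the visible From address is honest, and it inherits the integrity of the DNS lookup itself.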

4 Challenges at the Email Gateway
The typical symptoms everyone headlines on:
Security: managing volumes of spam and false-positive issues; viruses; Denial of Service attacks, directory harvesting, fraud, etc.
Policy & legal compliance
But what about the bigger picture?
Availability of services
Performance & latency issues
Authentication
Massive admin & operations overhead
Huge complexity
Visibility, reporting & statistics
Future-proofing the infrastructure, new services, etc.

Speaker notes: Email is the factory floor of today's modern enterprise. If email goes down, you send the company home for the day. With the criticality of email increasing, so is the volume. More people are using email every day, each person has more accounts through wireless and home accounts, and message sizes are growing due to attachments and HTML. And as the sophistication of attacks has increased, the complexity of filtering required for each message has skyrocketed. This is resulting in rapid year-over-year growth in the throughput required at the gateway for every company that uses email, big or small. Add the brute-force tactics used by attackers, such as Denial of Service, directory harvest attacks, hit-and-run spam and worm outbreaks, and it becomes apparent that the gateway is under attack. Traditional systems were not designed for this scenario. Our competitors' systems were not designed for this scenario. This is why IronPort developed AsyncOS.

5 Summarised as..
Lost productivity (a management issue): at the desktop (users are asked to define spam); IT admin (to set up, fine-tune and monitor spam filtering).
Consumption of valuable IT resources (an operational issue): network bandwidth (wasted on 70% spam); CPU and memory at the gateway (could be used on genuine mail); disk storage (archiving everything that arrives, including spam); increased real estate (in order to scale with the right performance).
Legal liability (a risk-management issue): offensive content; contravention of legislation (Data Protection, Basel II, SOX, HIPAA, etc.); spam zombies (brand risk, blacklisting).

6 IronPort Consolidates the Email Perimeter
Before IronPort: Internet → Firewall → MTAs → Anti-Spam → Anti-Virus → Policy Management → Mail Routing → Groupware → Users
After IronPort: Internet → Firewall → IronPort Email Security Appliance → Groupware → Users

7 IronPort Reduces Administration: Advanced Technology Automates Manual Tasks
Anti-spam updates: up to 60,000 rules/day, every 5-10 minutes
Stop viruses on average 15 hours before the anti-virus signature is available
Centralized management: make changes only once
No fine-tuning or training necessary
Lowest false-positive rates eliminate support calls
Centralized & scheduled reporting: you never need to sort through logs again
No manual white- or blacklists necessary
Automatic rate limiting protects against Denial of Service without your intervention
Test configuration changes without making them active
"These IronPorts run themselves" (Joe Chodi, CTO of Major League Baseball)

8 IronPort Architecture for Multi-Layered Email Security
[Diagram: MANAGEMENT TOOLS above three columns, SPAM DEFENSE (IronPort Reputation Filters, Brightmail, IronPort Anti-Spam), VIRUS DEFENSE (IronPort Virus Outbreak Filters, Sophos Anti-Virus) and CONTENT SCANNING (IronPort Content Filters, PostX and PGP), all on the AsyncOS MTA Platform]
AsyncOS MTA Platform: AsyncOS is a scalable and secure OS optimized for messaging; Identity Protection secures the enterprise identity; standards-based integration replaces legacy systems with ease.
SPAM DEFENSE: IronPort Reputation Filters are the outer-layer defense; Symantec Brightmail is a premium, proven solution; IronPort Anti-Spam stops the broadest array of threats (spam, phishing, fraud).
VIRUS DEFENSE: IronPort Virus Outbreak Filters stop outbreaks 14 hours ahead of signatures; Sophos Anti-Virus is a signature-based solution with industry-leading accuracy.
CONTENT SCANNING: IronPort Content Filters provide baseline filtering and encryption; PostX and PGP provide advanced filtering and encryption.
MANAGEMENT TOOLS: Email Security Manager for unified policy management; Centralized Management to manage units around the world; Mail Flow Monitor for real-time reporting; Mail Flow Central for centralized reporting and tracking.

9 AsyncOS: Revolutionary MTA Platform
Traditional gateways and other appliances vs. the IronPort Email Security Appliance:
Connections: 200 incoming/outgoing (low performance and potential DoS) vs. 10,000 incoming/outgoing (high performance, predictable delivery)
Queueing: a single queue for all destinations (a queue backup delays all mail) vs. per-destination queues (fault tolerance and custom control)
Directory Harvest Attack Prevention. Protects against: theft of your user database by spammers probing for valid addresses. Unique advantage: integrates with SenderBase to track global attacks.
Virtual Gateway Technology. Protects against: inadvertent blockage of your corporate mail. Unique advantage: provides up to 256 unique IP addresses per appliance.
Intelligent Bounce Handling. Protects against: blacklisting of your IPs from intentional NDRs (backscatter from bouncing spam that carries forged sender addresses). Unique advantage: a separate IP address for NDRs, and in-conversation recipient checking so unknown recipients are refused during the SMTP session rather than accepted and bounced later.

10 AsyncOS Standards-Based Integration
LDAP: integrates with all standard LDAP servers including Active Directory; carrier-class client and cache on-box.
DNS: high-performance client resolves millions of records per hour; configure separate DNS servers per domain.
Advanced networking: 802.1Q VLAN tagging for network security; NIC failover for redundancy; loopback interfaces for load-balancer integration.
Essential mail operations: alias, masquerade and routing tables; powerful header operations; store tables on-box or in an LDAP directory.

11 Multi-Layered Spam & Virus Defense: Preventive + Reactive = Defense in Depth
Preventive layer: IronPort Reputation Filtering, Virus Outbreak Filters. Immediate reaction to threats; extremely high performance; a coarse outer layer that blocks or rate limits.
Reactive layer: Brightmail, IronPort Anti-Spam, Sophos Anti-Virus. Adapts over time; computationally intensive; a fine-grained inner layer that deletes or quarantines.
Traditional security is REACTIVE, e.g. content filtering for spam or virus scanning based on known signatures. These methods require that the threat has been seen before and that the filter has been updated with that information.
REACTIVE filters are not enough because threats change so fast that reactive services don't always move fast enough, and because the load on the infrastructure requires high-performance filtering BEFORE the CPU-intensive content filtering.
PREVENTIVE filters provide much faster response times and higher performance; the higher accuracy of REACTIVE filters allows definitive actions (like deleting the message). The best approach is a cocktail of the two.
The question now is: how is IronPort able to create these preventive filters?

12 Black and White Lists

13 SenderBase: Data Makes the Difference
Parameters: complaint reports, spam traps, message composition data, global volume data, URL lists, compromised host lists, web crawlers, IP blacklists & whitelists, additional data.
Pipeline: SenderBase data → data analysis / security modeling → SenderBase Reputation Scores (-10 to +10) → threat prevention in real time.
Data quantity: over 200,000 sources; 8 of the top 10 ISPs, plus universities and businesses; worldwide sources including the Americas, Europe and Asia.
Data quality: over 3 years of experience ensuring data integrity; SourceRank assesses source quality by cross-correlating multiple sources with known benchmarks.
Data breadth: combines HTTP & SMTP data; over 5 billion emails per day; over 90 SMTP parameters tracked; over 20 HTTP parameters tracked.

14 IronPort Mail Flow
SMTP client → Reputation Filters on the AsyncOS MTA platform (80% of bad mail stopped at connection time, before you have accepted anything) → Work Queue: Anti-Spam, Anti-Virus, Content Filters, Virus Outbreak Filters → Exchange, Lotus/Domino, GroupWise: clean, legitimate mail.

15 Nordea Phishing / Sender IP

16 Good, Bad, and "Grey" or Unknown Email
IronPort Reputation Filters stop 80% of hostile mail at the door.
Reputation filtering bands incoming mail by SenderBase score, from +10 down to -10, into Trusted, Accepted, Untrusted and Rejected policies; good, bad, and "grey" or unknown senders are handled differently, and what is accepted goes on to the anti-spam engine.
IronPort uses identity & reputation to apply policy: a sophisticated response to sophisticated threats.

17 Traffic Shaping: Mail Flow Control, NOT Filtering
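The reputation-to-policy mapping of slide 16, the traffic shaping of slide 17 and the directory-harvest and in-conversation recipient checks of slide 9, as one added Go example; it is not IronPort code. The score cut points, the per-tier recipient and invalid-recipient limits, the sender IPs and the SMTP reply texts are assumptions for illustration; the page gives only the four tier names, the -10..+10 range and the behaviours.

```go
package main

import (
	"fmt"
	"time"
)

// Tier is the policy bucket a sender lands in from its reputation score.
type Tier int

const (
	Rejected Tier = iota
	Untrusted
	Accepted
	Trusted
)

// tierFor maps a SenderBase-style score (-10..+10) onto the four policies. The cut
// points are assumptions for this example.
func tierFor(score float64) Tier {
	switch {
	case score <= -4:
		return Rejected
	case score < 0:
		return Untrusted
	case score < 5:
		return Accepted
	}
	return Trusted
}

// policy is what the gateway applies per tier; the limits are assumed values.
type policy struct {
	acceptConn     bool // false: refuse at connect, before any message data is read
	maxRcptPerHour int  // recipients accepted per source IP per hour; -1 = unlimited
	maxInvalidRcpt int  // unknown RCPT TOs tolerated per session before it is dropped (DHA)
	scanAntiSpam   bool // send accepted mail through the CPU-heavy anti-spam engine
}

var policies = map[Tier]policy{
	Rejected:  {acceptConn: false},
	Untrusted: {acceptConn: true, maxRcptPerHour: 20, maxInvalidRcpt: 3, scanAntiSpam: true},
	Accepted:  {acceptConn: true, maxRcptPerHour: 500, maxInvalidRcpt: 10, scanAntiSpam: true},
	Trusted:   {acceptConn: true, maxRcptPerHour: -1, maxInvalidRcpt: 25, scanAntiSpam: false},
}

type Verdict string

const (
	RefuseConnection Verdict = "refuse connection"
	ContinueSession  Verdict = "continue session"
	Accept           Verdict = "250 recipient accepted"
	UnknownRcpt      Verdict = "550 unknown recipient"
	Throttle         Verdict = "451 rate limited, retry later" // temp-fail: real MTAs retry, spam cannons mostly do not
	DropDHA          Verdict = "drop session (directory harvest attack)"
)

// session is one inbound SMTP connection; invalid counts unknown recipients seen on it.
type session struct {
	ip      string
	tier    Tier
	invalid int
}

type window struct {
	start time.Time
	count int
}

// Gateway keeps per-source-IP hourly recipient counters; now is injectable for tests.
type Gateway struct {
	now     func() time.Time
	windows map[string]*window
}

func NewGateway(now func() time.Time) *Gateway {
	return &Gateway{now: now, windows: map[string]*window{}}
}

// Connect is the reputation decision taken at the door, before any message is accepted.
func (g *Gateway) Connect(ip string, score float64) (*session, Verdict) {
	t := tierFor(score)
	if !policies[t].acceptConn {
		return nil, RefuseConnection
	}
	return &session{ip: ip, tier: t}, ContinueSession
}

// Rcpt handles one RCPT TO. knownRecipient is the LDAP lookup result, checked in
// conversation so unknown users are refused instead of accepted and bounced later.
func (g *Gateway) Rcpt(s *session, knownRecipient bool) Verdict {
	p := policies[s.tier]
	if !knownRecipient {
		s.invalid++
		if s.invalid > p.maxInvalidRcpt {
			return DropDHA
		}
		return UnknownRcpt
	}
	if p.maxRcptPerHour < 0 {
		return Accept
	}
	now := g.now()
	w := g.windows[s.ip]
	if w == nil || now.Sub(w.start) >= time.Hour {
		w = &window{start: now}
		g.windows[s.ip] = w
	}
	if w.count >= p.maxRcptPerHour {
		return Throttle
	}
	w.count++
	return Accept
}

func main() {
	g := NewGateway(time.Now)
	_, v := g.Connect("203.0.113.9", -7.5)
	s, _ := g.Connect("198.51.100.4", -1.2)
	fmt.Println(v, "|", g.Rcpt(s, false), g.Rcpt(s, false), g.Rcpt(s, false), g.Rcpt(s, false))
}
```

The throttle answers with a temporary failure rather than a silent drop: a legitimate MTA queues and retries within its retry window, while a hit-and-run spam source usually moves on, so the rate limit shapes flow without having to decide what is spam. Only traffic that survives the door is handed to the fine-grained, expensive scanners.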

18 Dell
Dell's challenge: Dell receives over 26M emails per day, only 1.5M of them legitimate; 68 existing gateways running SpamAssassin with high false-positive rates.
IronPort's solution: Reputation Filters block over 19M emails per day; 5.5M emails per day scanned and removed by Brightmail; 68 servers replaced with 8 IronPort C60s; spam-filtering accuracy increased 10x; 70% server consolidation; operational costs reduced by over 75%.
"IronPort has increased the quality and reliability of our network operations, while reducing our costs." -- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation

19 IronPort's CASE: Examining Full Message Context
Competitive anti-spam solutions look at WHAT: message content (what content is included in this message?).
CASE adds HOW: message structure (how was this message constructed?); WHO: reputation (who is sending you this message?); WHERE: web reputation (where does the call to action take you?).

20 Traditional "Content Filters"
What content filters find. Verdict: UNKNOWN.
WHAT? Message content legitimate.

21 Context Adaptive Scanning
What CASE finds. Verdict: BLOCK.
WHAT? Message content legitimate.
HOW? Message construction emulates a Microsoft Outlook client.
WHO? Sudden surge in the volume of email being sent; the server does not accept mail in return; the mail server is located in Ukraine.
WHERE? Mismatch between display and target URL; web site domain registered a day ago; web site hosted on a consumer broadband network; "whois" data shows the domain owner as a known spammer.

22 Göteborgs Universitet
Göteborgs Universitet's challenge: 440 domains; 125+ mail servers with more than 55,000 users; a distributed and complex infrastructure; over 80% spam with high false positives using MailMarshal and others; each institution managing its own infrastructure, giving high administrative overhead.
IronPort solution: Reputation Filters block over 80% of all inbound mail; 90% server (gateway & mail server) consolidation onto 2+1 IronPort C600s; virtually zero false positives; minimal admin & ops; extensive visibility & reporting of mail flow.

23 IronPort Outbreak Filters: Over 140 Virus Outbreaks Detected, Average Lead Time of 15 Hours
"Virus Outbreak Filters helped us from the first day we had it and it saves us significant clean-up costs during major virus outbreaks." Mark S. Dial, E-Messaging Team, Tellabs

Virus | Date | Virus Threat Level Raised | First Anti-Virus Signature Available | Outbreak Filter Lead Time
Bagle.BO | 5/31/2005 | 14:32 | 16:34 | 2:02 hours
Bagle.BB | 2/27/2005 | 10:39 (2/27) | 4:22 (3/1) | 41:43 hours
Mydoom.BL | 4/28/2005 | 19:52 | 21:43 | 1:51 hours
MyTob.V | 4/3/2005 | 4:19 | 9:36 | 5:17 hours
MyTob.J | 3/24/2005 | 23:30 | 22:38 (the next day) | 23:08 hours
Sober.L | 3/7/2005 | 16:10 | 18:28 | 2:18 hours
Sober.K | 2/21/2005 | 5:58 | 7:00 | 1:02 hours
Mydoom.BB | 2/15/2005 | 18:08 | 22:54 (the next day) | 28:46 hours
Sober.J | 1/30/2005 | 22:58 | 9:21 (the next day) | 10:22 hours
Bagle.BJ | 1/26/2005 | 19:00 | 19:32 | 0:32 hours
Mugly.A | 11/30/2004 | 2:57 (11/30) | 9:08 (12/1) | 30:11 hours

24 How Virus Outbreak Filters Work: Dynamic Quarantine in Action
[Animation: messages scanned & deleted as the outbreak rule is refined over time]
T = 0: zip (exe) files
T = 5 min: zip (exe) files, size 50 to 55 KB
T = 10 min: zip (exe) files, size 50 to 55 KB, "price" in the file name
T = 8 hours: release messages if the signature update is in place
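The timeline above as an added Go example of a dynamic quarantine; it is not IronPort's code. Each refinement replaces the outbreak rule with a tighter one and, as an assumption about how a dynamic quarantine behaves, re-checks the mail already held so that messages the narrower rule no longer matches are released; at T = 8 hours the hold ends if the signature update is in place. The four messages and their attachment attributes are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// attachment carries the attributes the outbreak rule looks at (constructed values).
type attachment struct {
	name       string
	sizeKB     int
	zipWithExe bool // archive that contains an executable
}

// rule is an outbreak rule; zero-valued fields impose no constraint, so a rule is
// tightened by filling in more fields.
type rule struct {
	zipWithExe   bool
	minKB, maxKB int
	nameContains string
}

func (r rule) matches(a attachment) bool {
	if r.zipWithExe && !a.zipWithExe {
		return false
	}
	if r.maxKB > 0 && (a.sizeKB < r.minKB || a.sizeKB > r.maxKB) {
		return false
	}
	if r.nameContains != "" && !strings.Contains(strings.ToLower(a.name), strings.ToLower(r.nameContains)) {
		return false
	}
	return true
}

// quarantine holds the messages matched by the current rule, keyed by message id.
type quarantine struct {
	current rule
	held    map[string]attachment
}

func newQuarantine(initial rule) *quarantine {
	return &quarantine{current: initial, held: map[string]attachment{}}
}

// scan is called for each arriving message and reports whether it was held.
func (q *quarantine) scan(id string, a attachment) bool {
	if q.current.matches(a) {
		q.held[id] = a
		return true
	}
	return false
}

// refine installs a tighter rule and releases held mail the new rule no longer matches.
func (q *quarantine) refine(r rule) []string {
	q.current = r
	var released []string
	for id, a := range q.held {
		if !r.matches(a) {
			released = append(released, id)
			delete(q.held, id)
		}
	}
	sort.Strings(released)
	return released
}

// onSignatureUpdate ends the hold once the anti-virus signature is in place: everything
// still held is released to the signature scanner. Without a signature, keep holding.
func (q *quarantine) onSignatureUpdate(available bool) []string {
	if !available {
		return nil
	}
	var released []string
	for id := range q.held {
		released = append(released, id)
		delete(q.held, id)
	}
	sort.Strings(released)
	return released
}

// timeline replays the slide: T=0, T=5 min, T=10 min, then T=8 h with the signature present.
func timeline() (heldAtT0 int, releasedT5, releasedT10, releasedT8h []string) {
	q := newQuarantine(rule{zipWithExe: true})
	msgs := map[string]attachment{
		"m1": {name: "price.zip", sizeKB: 52, zipWithExe: true},
		"m2": {name: "photos.zip", sizeKB: 120, zipWithExe: true},
		"m3": {name: "report.zip", sizeKB: 53, zipWithExe: true},
		"m4": {name: "agenda.doc", sizeKB: 40},
	}
	for _, id := range []string{"m1", "m2", "m3", "m4"} {
		if q.scan(id, msgs[id]) {
			heldAtT0++
		}
	}
	releasedT5 = q.refine(rule{zipWithExe: true, minKB: 50, maxKB: 55})
	releasedT10 = q.refine(rule{zipWithExe: true, minKB: 50, maxKB: 55, nameContains: "price"})
	releasedT8h = q.onSignatureUpdate(true)
	return
}

func main() {
	h, t5, t10, t8 := timeline()
	fmt.Println("held at T=0:", h, "| released T=5m:", t5, "| T=10m:", t10, "| T=8h:", t8)
}
```

The coarse first rule buys time at the cost of false positives; each refinement hands the collateral back, and the delay stays bounded because the hold is keyed to the arrival of the reactive signature rather than open-ended.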

25 Industry-Leading Signatures from Sophos Anti-Virus
Integrated Sophos anti-virus engine
High-performance in-line scanning
Easy to deploy and manage
Intuitive user interface
Single view with Mail Flow Monitor
Auto updates
Lower TCO with an integrated solution

26 Easy Custom Filter Generation: Protect Your Intellectual Property & Enforce Acceptable Use
[Diagram: incoming/outgoing mail passes through the IronPort Content Scanning Engine (high performance, flexible, fine-grained), whose actions include Encrypt, Archive, BCC to Compliance Officer, Notify Legal Personnel, Remove Attachment, Return to Sender, Bounce and Drop; the engine draws on LDAP server queries, pre-defined HIPAA, GLB and SOX filters, and customer-specific filters]
The content filtering engine provides an easy-to-use point-and-click interface to create custom content filtering rules for the company. It also supports foreign character sets, so filters can be written for employees who don't speak English; IronPort differentiates itself by scanning for content in international character sets. Note that this is full content scanning in multiple languages, not simply anti-spam or anti-virus signatures. An easy-to-use GUI rule builder lets customers quickly develop the flexible filtering rules their businesses require.
IronPort appliances also have an integrated administrative quarantine that lets administrators review the content of messages that trigger specific filter rules. Messages found by the content scanning engine can also be sent to IronPort's system quarantine. Administrators can create custom quarantines and limit viewing and releasing privileges to individuals such as compliance officers, HR personnel or specific administrators.
The primary goal of smart lexicons and content dictionaries is to filter any outgoing message that contains sensitive personal information. Let's discuss IronPort's content dictionaries using HIPAA as an example, because HIPAA has one of the strictest sets of compliance rules. <<The rest of the notes focus on HIPAA specifically>>
The challenge: the real answer for 100% security is simply to encrypt ALL outgoing messages, but this is not a viable option. The challenge is therefore to create an effective solution that mitigates risk but also interoperates with existing technology, does not over-encrypt (false positives), and has minimal maintenance requirements.
The natural tendency (and currently accepted model) is to use brute force and attempt to build an "all-inclusive" medically related word list. This is not effective: the list could never be truly all-inclusive, it would require constant maintenance, and it takes an inordinate amount of CPU time to process. HIPAA does not require protection of information simply because it is "medical" in nature; it requires protection when that medical information could reasonably be tied to a single identifiable individual.
Notes on the lexicons:
Personal identifiers: based on the 18 classifications for patient identifiers as outlined in
Each of these is assigned a weight of 2.
Crossover words: common words you would expect to find between an identifier and a medical condition flag. Assigned a weight of 3.
Medical condition flags: common medical condition flags that, standing alone, do not require protection. Assigned a weight of 1 or 2 depending on their frequency of use in non-medical conversation.
The lexicon itself is not an all-inclusive safety net but a best-practices methodology and tool for adhering to the core premise of compliance: taking reasonable and appropriate action.
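The weighted-lexicon idea from the notes above, as an added Go example that is not IronPort's dictionaries or code: three term classes carry the weights the page gives (identifiers 2, crossover phrases 3, condition flags 1 or 2), each distinct term found in an outbound message counts once, and the summed score decides between plain delivery and encryption. The terms, the three constructed sample messages and the threshold of 5 are assumptions; the threshold is chosen so that a condition flag alone, or an identifier alone, never triggers, while an identifier tied to a condition by a crossover phrase does.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// lexicon holds the weighted dictionaries. Weights follow the page; the terms are a
// constructed sample for the example.
var lexicon = map[string]map[string]int{
	"identifier": {"patient": 2, "mrn": 2, "ssn": 2, "date of birth": 2, "policy number": 2},
	"crossover":  {"diagnosed with": 3, "treated for": 3, "admitted for": 3, "prescribed": 3},
	"condition":  {"diabetes": 2, "hiv": 2, "chemotherapy": 2, "depression": 1, "flu": 1},
}

// encryptThreshold is an assumed cut-off: identifier + crossover (5), or two identifiers
// plus a condition, is enough; a condition flag or a single identifier on its own is not.
const encryptThreshold = 5

type hit struct {
	class, term string
	weight      int
}

// score finds each lexicon term at most once (whole word, case-insensitive) and sums
// the weights; the hits are returned sorted so the result is stable.
func score(text string) (int, []hit) {
	lower := strings.ToLower(text)
	var hits []hit
	total := 0
	for class, terms := range lexicon {
		for term, w := range terms {
			re := regexp.MustCompile(`\b` + regexp.QuoteMeta(term) + `\b`)
			if re.MatchString(lower) {
				hits = append(hits, hit{class, term, w})
				total += w
			}
		}
	}
	sort.Slice(hits, func(i, j int) bool { return hits[i].term < hits[j].term })
	return total, hits
}

// action is the outbound filter decision for one message.
func action(text string) string {
	if s, _ := score(text); s >= encryptThreshold {
		return "encrypt"
	}
	return "deliver"
}

func main() {
	for _, msg := range []string{ // constructed sample messages
		"Reminder: the diabetes awareness seminar is on Tuesday.",
		"Our patient portal is down for maintenance tonight.",
		"Patient J. Doe, MRN 44812, was diagnosed with diabetes and prescribed metformin.",
	} {
		s, hits := score(msg)
		fmt.Printf("%2d %-8s %v\n", s, action(msg), hits)
	}
}
```

Scoring per distinct term rather than per occurrence keeps a long newsletter about one condition from accumulating weight, which is the over-encryption failure mode the notes warn about; the dictionaries stay small and the cost is one bounded pass per message rather than an ever-growing medical word list.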

27 IronPort Email Security Manager: Single View of Policies for the Entire Organization
Policies are keyed by domain, address or LDAP group:
IT: allow all media files; quarantine executables.
SALES: mark and deliver spam; delete executables.
LEGAL: archive all mail; Virus Outbreak Filters disabled for .doc files.

28 IronPort Centralized Management
Log in anywhere, control everywhere
New systems automatically configure themselves
Mesh network = no single point of failure
Elegant solution from two systems to 100
Simple interface highlights configuration anomalies
Apply changes to a machine, group or cluster
[Diagram: an IronPort cluster of three groups, San Jose (machines SJ1, SJ2, SJ3), Dublin (D1, D2, D3) and Tokyo (T1, T2, T3)]

29 Enterprise Reporting & Management
Proves the IronPort ROI: shows the effectiveness of reputation, spam and virus filtering; in-depth reporting on all senders; includes global traffic data from SenderBase.
Easy integration with existing monitoring: Alert Center (via email), SNMP, reporting API.
Choice of management interfaces: effortless graphical user interface (GUI); powerful command-line interface (CLI).

30 The IronPort Advantage
IronPort minimizes the total cost of ownership for your email infrastructure: administrative burden reduced by more than 75%, letting IT staff do more with less; increased user productivity; powerful management & reporting tools for small to global organizations as well as ISPs; server consolidation; reduced load on the network infrastructure; ease of use; flexible filtering solutions tailored to your needs.
IronPort increases the availability of your email: protection against Denial of Service attacks and directory harvesting.
IronPort makes you sleep better at night: industry-leading anti-virus protection, 15 hours ahead of the competition; multi-dimensional anti-spam protection, the most accurate for the broadest span of threats, powered by SenderBase (www.senderbase.org); unmatched performance, scaling from the smallest organization to the largest ISPs.
The IronPort C-Series offers comprehensive & consolidated email security.

31 Thank you Fredrik Myrelid IronPort Systems, Inc. fmyrelid@ironport.com