ironport product pres oct 06 en
TRANSCRIPT
IronPort Email & Web Gateway Security Solutions
PROTECTING OVER 300 MILLION EMAIL BOXES WORLDWIDE
Frederic Benichou, Director, South Europe, Middle-East & Africa, IronPort Systems
IronPort Consolidates the Email Perimeter
Anti-Spam
Anti-Virus
Policy Management
Mail Routing
Before IronPort
Internet
Firewall
MTAs
Groupware
Users
IronPort Email Security Appliance
After IronPort
Internet
Users
Groupware
Firewall
IronPort: Industry Leadership
• Global Leadership
– Founded in 2000, based in San Bruno, CA
– 35 offices in 25 countries
– Approx 380 people
• Analyst Leadership
– Recognized as leader by Gartner, Meta, IDC, Forrester, Bloor
• Customer Leadership
– About 3000 customers in 75 countries
– 8 of the 12 largest ISPs
– 20%+ of the largest Enterprises (Global 2000)
– 300+ million mailboxes protected
– US Armed Forces & Government
• Technology Leadership
– First with custom, high performance MTA
– First with Reputation Filtering (SenderBase)
– First with Virus Outbreak Filters
Sample customers in France
MACSF
10,000 mailboxes
1,000 mailboxes
Cipa
ComexpoSNC Gestor
Multi-Layered Security Preventive + Reactive = Defense in Depth
Preventive Layer
• Immediate Reaction to Threats
• Extremely High Performance
• Coarse Outer Layer
• Blocks or Rate Limits
+
Reactive Layer
• Adapts Over Time
• Computationally Intensive
• Fine-grained Inner Layer
• Delete or Quarantine
SenderBase® / Threat Operations Center
SenderBase TOC
Team of security experts
• Global volume data
• Message composition data
• Spam traps, complaints
• Blacklists, whitelists
• Compromised host lists
• Open proxy lists
• Offline data (F500, ISP, NSP, govt.)…
Sender Reputation Score
90+ Parameters
Web Reputation Score
• URL blacklists and whitelists
• HTML Content Data
• Domain Registrar Information
• Compromised Host Lists
• Network Owners
• Known Threats URLs
• Web Site History…
45+ Parameters
IronPort: Integrated Secured Gateways
Email Security C Series
Web Security S Series
Security Management M Series
IronPort Email Security Appliances
High Performance Email Security Appliances Stopping Spam, Viruses and Other Email Threats, Enforcing Email Policies, and Reducing Admin Costs for Enterprises and Service Providers
IronPort C10
IronPort C300/C600
IronPort X1000
IronPort Architecture for Multi-Layered Email Security
MANAGEMENT TOOLS
DEFENSE AGAINST SPAM
CONTENT PROCESSING
DEFENSE AGAINST VIRUS
EMAIL AUTHENTICATION
ASYNCOS™ MTA PLATFORM
AsyncOS™: Unmatched Scalability and Security
• AsyncOS: scalable and secure OS optimized for messaging
• Email Identity Protection: secures enterprise identity
• Standards-based Integration: replaces legacy systems with ease
AsyncOS™ Revolutionary MTA Platform
Traditional Email Gateways and Other Appliances
• 200 Incoming/Outgoing Connections: Low Performance/DoS Potential
• Single Queue for All Destinations: Queue Backup Delays All Mail
IronPort Email Security Appliance
• 10,000 Incoming/Outgoing Connections: High Performance/Sure Delivery
• Per-Destination Queues: Fault-Tolerance and Custom Control
AsyncOS™ Advanced Email Identity Protection
Directory Harvest Attack Prevention
• Protects Against: Theft of your user database by spammers
• Unique Advantage: Integrates with SenderBase™ to track global attacks
Virtual Gateway Technology
• Protects Against: Inadvertent blockage of your corporate mail
• Unique Advantage: Provides up to 256 unique IP addresses per appliance
Intelligent Bounce Handling
• Protects Against: Blacklisting of your IPs from intentional NDRs
• Unique Advantage: Distinct IPs for NDRs, in-conversation recipient checking
Best of Breed, Multi-layer Spam Defense
IronPort’s Reputation Filters – the outer layer defense
IronPort Anti-Spam - stops the broadest array of threats – spam, phishing, fraud
IronPort Reputation Filters Stop 80% of Hostile Mail at the Door….
• Known good is delivered
• Suspicious (ex. Score = -4 to -1): limit the rate & pass through Anti-Spam filter
• Known bad (ex. Score = -10 to -4): connection rejected
• IronPort uses identity & reputation to apply policy
• Sophisticated response to sophisticated threats
Anti-Spam Engine
Incoming Mail: Good, Bad, and “Grey” or Unknown Email
Reputation Filtering
SenderBase
A wide sample of parameters, for a reliable assessment of Reputation
Good Reputation
Average Reputation
System Tolerant of Anomalies
Blacklisted
Good Sending History
Only Sending to Valid Recipients
Reverse DNS Works
Poor Reputation
Volume Spike
Positive & Negative Reputation
Customer case – Marseille-Nice Universities: 30,000+ users
Universités Numériques Région PACA
• Leading Efficacy
– CASE (Context Adaptive Scanning Engine) optimized for blended threats
– Multiple sources
• Industry leading throughput
• Virtually Zero False Positives
– Approx 1 in 1 million
• No administrative burden
– Install and walk away
– Automatic filter updates, no tuning required
– System adapts to new threats without manual tweaking of rules
IronPort Anti-Spam™: High Performance, No Administration
Score
How? Structural Analysis
What? Content Analysis
Where? Web Reputation
Who? Email Reputation
IronPort CASE™
IronPort’s Context Adaptive Scanning Engine (CASE)
IronPort Anti-Spam
Competitive Solutions
• What? Message Content: What content is included in this message?
• How? Message Structure: How was this message constructed?
• Who? Email Reputation: Who is sending you this message?
• Where? Web Reputation: Where does the call to action take you?
New types of spam: More difficult to detect
URL
Passage from a text book
100% legitimate content
URL is not that of Red Cross
Recent trends in Spam
[Chart: Average Daily Spam Volume (billions msgs), Oct-05 to Oct-06: +110%]
[Chart: % Spam with an Embedded Image, Oct-05 to Oct-06: +421%]
Image-based spam techniques
• “Polka dots” make every message appear unique to signature-based anti-spam filters
• Images broken down into sub-parts and then reassembled
• IronPort has unique techniques to detect this spam, including:
“MPR”: Multidimensional Pattern Recognition
Lab Test Results: Catch Rate Results
Best of Breed, Multi-layer Virus Defense
IronPort’s Virus Outbreak Filters stop outbreaks 14 hours ahead of signatures
Sophos AntiVirus signature based solution with industry leading accuracy
Today’s Anti-Virus Solutions Inadequate
Capture Virus Sample
Issue Customer Alert
Analyze Virus Sample
Release Signature
Update Signature
Millions of infections occur during this period.
Generic signatures don’t always work.
Anti-Virus Signature Release Timeline
See booklet “The New Anti-Virus Formula” by John Dickinson: www.ironport.com/guide
How Virus Outbreak Filters Work: IronPort Threat Operations Center (TOC)
• Continuous monitoring & analysis– Real-time & historical data visualization
– Automated alerts
– Human verification
• The IronPort gateway downloads the updated rules from the TOC every 5 minutes,…
• …and puts the concerned messages in the Quarantine (queue in the MTA)
INSIDE THE TOC
• Expert team of skilled analysts
• Staffed 24 x 7 x 365
• 32 languages spoken
• Documented & verified processes
• State-of-the-art tools & techniques
Manager, Threat Operations Center
How Virus Outbreak Filters Work: Dynamic Quarantine In Action
T = 0
– zip (exe) files
T = 5 mins
– zip (exe) files
– Size 50 to 55 KB
T = 10 mins
– zip (exe) files
– Size 50 to 55 KB
– “Price” in the file name
T = 8 hours
– Release messages if signature update is in place
Messages Scanned & Deleted
The Virus Outbreak Filters advantage
Average additional protection time: 14 hours
Out of a total of blocked attacks: 175 outbreaks
* Feb 2005 – January 2006
** GMT
Virus Name | Date | IronPort Protection Starts** | First Anti-virus Signature Available** | Outbreak Filter Lead Time
Looksky.G | 1/6/06 | 2:32 PM | 2:12 AM (two days later) | 35:40 hours
Nyxem-D (Kama Sutra) | 1/16/06 | 2:36 PM | 3:22 PM | 1:27 hours
Sober-Z | 11/21/05 | 8:07 PM | 12:45 AM (the next day) | 4:38 hours
Mabutu-A | 11/17/05 | 12:58 AM | 1:24 PM | 12:26 hours
Zotob.C | 8/16/05 | 1:56 AM | 4:47 AM | 2:51 hours
Sober-N | 5/5/05 | 3:58 PM | 5:19 PM | 1:21 hours
MyTob.G | 3/24/05 | 11:30 PM | 12:58 PM (the next day) | 13:28 hours
Multiple Bagle variants | 2/27/05 | 10:39 AM | 4:22 AM (2 days later!) | 41:43 hours
Mydoom.BB | 2/15/05 | 6:08 PM | 10:54 PM (the next day) | 28:46 hours
Wurmark-D | 1/10/05 | 10:02 AM | 6:09 AM (the next day) | 20:05 hours
Virus Outbreak Filters recent results: eWEEK Review, September 2006
Review Overview
• 5 month test by eWEEK, large independent, weekly IT magazine
• 1217 virus positive emails stopped before AV signatures were available
• 48 separate virus variants blocked
• 0 false positives reported
Review Quotes
“We never saw a false positive”
“(Virus Outbreak Filters) effectively blocked messages containing viruses for which signatures didn't already exist”
- Mike Caton, Technical Writer
[Chart: Viral Messages Stopped: By Month (May to Sept). 1217 virus positive messages stopped in 5 months]
[Chart: Viral Messages Stopped: By Variant (Clagger, Stration, Dowdec, Goldun, other, generic downloader)]
VOF blocked 100% of the new virus outbreaks in the past 5 months
IronPort Content Scanning: Inbound/Outbound Message Filtering for Compliance
• Content filtering
• Compliance (e.g. SOX)
• Digital Rights Management – information leakage prevention
• Rules per user groups
• Encryption: IronPort acquires PostX
PostX: One Platform, Three Solutions
1. PostX SecureEmail: Secure Desktop Messaging
2. PostX SecureDocument: Statements, Invoices, etc.
3. PostX MessageCentre: Integrated Customer Service Communication
“Push”
• PostX Envelope: Offline, Registered and signed
• PostX S/MIME or PostX OpenPGP: Certificate based mail
“Pull”
• PostX WebSafe: Webmail
PostX Messaging Application Platform
Email Authentication
• DomainKey Signing – Protection of Corporate Identity
• IronPort Bounce Verification – protection against bounce redirection attacks
• Directory Harvest Attack Prevention
IronPort DomainKeys
Protects domain identity and protects against phishing
• Ensures the proper identity of the source domain
• More than 200 million mail boxes use DomainKeys
• Easy deployment (private key & DNS-based public key)
Internet
ISPs
private
public
DNS
IronPort Bounce Verification™
Protects against bounce-message attacks
• All outgoing messages are stamped.
• Legitimate bounce messages coming back are recognized by this stamp
• Transparent and autonomous
BV
Internet
BV+
Management tools: Reduction in admin costs
• Email Security Manager: unified policy management
• Centralized Management: manage units around the world
• Mail Flow Monitor: real time reporting
• Mail Flow Central: centralized reporting and tracking
IronPort Email Security Manager
Single view of policies for the entire organization
IT
SALES
LEGAL
• Mark and Deliver Spam
• Delete Executables
• Archive all mail
• Virus Outbreak Filters disabled for .doc files
• Allow all media files
• Quarantine executables
“Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance.” -- PC Magazine 2/22/05
Categories: by Domain, Username, or LDAP
IronPort Centralized Management
• Log in anywhere, control everywhere
• Interface assures configuration consistency
• Apply changes to a machine, group, or cluster
• Test on single system, “promote” to cluster
IRONPORT CLUSTER
San Jose Group
SJ1 Machine SJ2 Machine
SJ3 Machine
Dublin Group
D1 Machine D2 Machine
D3 Machine
Tokyo Group
T1 Machine T2 Machine
T3 Machine
Mail Flow Monitor
Customer case – Comverse: 6,000 users
IronPort: Integrated Secured Gateways
Email Security C Series
Web Security S Series
Security Management M Series
Malware: exploding phenomenon
[Chart: Growth in Keyloggers 2000-2005 (Total Reported). Source: iDefense Labs, November 2005]
[Chart: Number of spyware (in thousands). Source: State Of Spyware Report, 2006]
• Spyware, Keyloggers, Trojan Horses, Botnets & Zombies, etc.
• 65% growth in 2005 vs. 2004
• Cost of malware: $150+ per PC per year + commercial risk + legal responsibility
IronPort S Series: Web protection at 3 levels
• Filters content against spyware
• Filters malware
• Prevents “phone-home” calls to outside hosts
• Blocks access to infected sites
Web
Architecture for a multi-layer Web security
MANAGEMENT TOOLS
IronPort L4 Traffic Monitor
IronPort Anti-Malware System
IronPort Web Reputation Filters
IronPort AsyncOS Web Security Platform
IronPort Policy Filters
1. Blocks access to infected sites: Web Reputation
Blocks connection:
– infected sites
– phishing
– etc.
Allows connection (“good” sites)
Anti-Malware scanning
2. Filters malicious content: IronPort Anti-Malware System
• Anti-malware engine
• “DVS Engine”, supporting multiple verdict engines
– Webroot
– others
• High accuracy level
• Very high performance for scanning on the fly (content streaming)
• Zero administration
REPUTATION-BASED VERDICT CACHING
IRONPORT DVS™ ENGINE
VERDICT ENGINE 1
VERDICT ENGINE 2
VERDICT ENGINE N
3. Detects & Blocks communications to outside host servers: L4 monitor
• Detects any spyware or keylogger activity to an outside host (“phone home”)
– On any of the 65,535 ports
– Working around port 80
• 2 modes: “monitor only” or “monitor & block”
L4 TRAFFIC MONITOR
PROXY
IronPort S-Series
Firewall
Internet
Port 80
IronPort: Integrated Secured Gateways
Email Security C Series
Web Security S Series
Security Management M Series
• Centralized Spam Quarantine
• Centralized statistics / reporting / tracking for C and S Series
IronPort M Series: management for C and S Series
DON'T JUST TAKE OUR WORD FOR IT…
CHECK IT OUT FOR YOURSELF!
Free evaluation in production
Be informed of all new virus alerts by registering on: http://www.ironport.com/toc/
For all information:
Questions - Answers
The IronPort advantage
• New generation MTA
– Performance, robustness, intelligence, easy integration to architecture
• Multi-layer Anti-Spam Protection
– “Reputation Filters”: 70% of traffic blocked before entering the network
– Content-level AS: efficient; no False Positive; zero administration; efficient against image-based spams; advanced Web Reputation concept
• Preventive Protection against viruses
– On average 14 hours additional protection ahead of AV
• Dramatic decrease in Email administration costs
– Administrative costs typically divided by 10
• Market leadership and continued innovation