
Upload: netwax-lab

Post on 15-Jul-2015


Page 1: IronPort

IronPort

IronPort works as a proxy, URL filter, anti-virus and anti-phishing gateway.

IronPort protects enterprises against Internet threats. It was best known for IronPort AntiSpam, the SenderBase email reputation service, and email security appliances. These appliances ran a modified FreeBSD kernel under the trademark AsyncOS.

IronPort email and web security gateway and management products, currently referred to as Cisco Email Security and Cisco Web Security, have now become an integral part of the Cisco Security vision and strategy.

Cisco continues to deliver the world-class email and web security that IronPort customers are used to. The security products and technology from IronPort complement Cisco's industry-leading threat mitigation, confidential communications, policy control, and management solutions.

1. History

IronPort Systems, Inc. was headquartered in San Bruno, California. IronPort was founded in December 2000 by Scott Banister and Scott Weiss.

On November 24, 2003, IronPort acquired the SpamCop filtering and reporting service, which it ran as a stand-alone entity.

Cisco Systems announced on January 4, 2007 that it would buy IronPort in a deal valued at US$830 million[4][5] and completed the acquisition on June 25, 2007. IronPort was integrated into the Cisco Security business unit. SenderBase was renamed SensorBase to take account of the input into this database that other Cisco devices provide. SensorBase allows these devices to build a risk profile on IP addresses, therefore allowing risk profiles to be created dynamically for HTTP sites and SMTP email sources.

2. Working

The Content Security Module on a firewall can be used instead, but only for up to 1000 users. For more than that, Cisco IronPort should be used; IronPort can scale up to 20,000 users.

The Content Security Module on the ASA firewall uses only one scanner, the Trend Micro scanner. IronPort uses three scanners: one from McAfee, one from Sophos and one from Webroot. McAfee and Sophos are for anti-virus and anti-phishing, and Webroot is for anti-malware. The customer can choose how many scanners he wants; he need not buy all three.


When a packet comes in, it is sent in parallel to the multiple scanners available. After checking the packet in their DV engine, the scanners drop it if there is something malicious about it. If all is well, it is sent to Webroot for further processing and finally to the users.

Yet another level of security feature: Sensor Based, or under its new name, "Sender Based". All the data centres of WSA in multiple locations across the group seek the latest intelligence in web security. If a new virus is found, they update it to the IronPort. Depending on the incoming packet's source IP address (which is scored anywhere between -10 and +10), the packet can be dropped, quarantined or allowed inside by the IronPort. The IronPort can be configured to do so by the admin.

Granular-level access control is possible using Application Vectoring.
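To make the decision flow just described concrete, the following is an added example written for this page; it is a simplified model, not Cisco's code and not anything the original document contains. It assumes two stages: the source IP reputation score (the -10 to +10 range stated above) is compared against administrator-set thresholds, and content that passes is handed to every scanning engine, any one of which can cause a drop. The thresholds, the scanner names and their "signatures" are constructed for illustration.

```javascript
// Stage 1: reputation thresholds an administrator would tune (values constructed for the example).
const DEFAULT_POLICY = Object.freeze({ dropBelow: -6, quarantineBelow: -3 });

// Map a source reputation score in [-10, +10] to DROP / QUARANTINE / ALLOW.
function reputationVerdict(score, policy = DEFAULT_POLICY) {
  if (!Number.isFinite(score) || score < -10 || score > 10) {
    throw new RangeError("reputation score must lie in [-10, 10], got " + score);
  }
  if (score < policy.dropBelow) return "DROP";
  if (score < policy.quarantineBelow) return "QUARANTINE";
  return "ALLOW";
}

// Stage 2: toy scanning engines. Each returns a verdict object; the signature
// strings are constructed stand-ins for real detection content.
const SCANNERS = [
  { name: "av-engine-a", signatures: ["CONSTRUCTED-VIRUS-SIGNATURE-A"] },
  { name: "av-engine-b", signatures: ["CONSTRUCTED-VIRUS-SIGNATURE-B", "CONSTRUCTED-PHISH-KIT"] },
  { name: "anti-malware", signatures: ["CONSTRUCTED-DROPPER-STUB"] },
].map((s) => ({
  name: s.name,
  scan(payload) {
    const hit = s.signatures.find((sig) => payload.includes(sig));
    return { engine: s.name, malicious: hit !== undefined, reason: hit !== undefined ? hit : null };
  },
}));

// Full pipeline for one request: reputation first, then every engine sees the object.
function inspect(request, policy = DEFAULT_POLICY, scanners = SCANNERS) {
  const rep = reputationVerdict(request.sourceReputation, policy);
  if (rep !== "ALLOW") {
    return { verdict: rep, stage: "reputation", details: { score: request.sourceReputation } };
  }
  // All engines are consulted (modelling the parallel dispatch) and their verdicts
  // collected rather than short-circuited, so the log shows every engine that fired.
  const results = scanners.map((s) => s.scan(request.payload));
  const hits = results.filter((r) => r.malicious);
  if (hits.length > 0) {
    return { verdict: "DROP", stage: "scanning", details: { hits } };
  }
  return { verdict: "ALLOW", stage: "scanning", details: { enginesRun: results.length } };
}

// Constructed sample traffic covering each outcome.
const SAMPLE_REQUESTS = [
  { id: 1, sourceReputation: 7, payload: "<html>ordinary page</html>" },
  { id: 2, sourceReputation: -8, payload: "<html>ordinary page</html>" },
  { id: 3, sourceReputation: -4, payload: "<html>ordinary page</html>" },
  { id: 4, sourceReputation: 2, payload: "<script>CONSTRUCTED-PHISH-KIT</script>" },
];

function runSamples(requests = SAMPLE_REQUESTS) {
  return requests.map((r) => Object.assign({ id: r.id }, inspect(r)));
}

console.log(JSON.stringify(runSamples(), null, 2));
```

The sample run yields ALLOW for request 1, DROP at the reputation stage for request 2, QUARANTINE for request 3, and DROP at the scanning stage for request 4 with only av-engine-b reporting a hit. Note the boundary behaviour: a score exactly equal to a threshold is treated as the less severe verdict, which is the kind of detail worth confirming against the appliance's own documentation before relying on it.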

3. Types of IronPort

3.1. Web Security Appliance (WSA)

A web proxy server accepts incoming connections destined for the web and acts as an intermediary between the clients and the World Wide Web. Cisco IronPort Web Proxy Server Security Appliances help enterprises secure and control internet traffic by offering multiple layers of malware defence on a single, integrated appliance. These layers of defence include Cisco IronPort Web Reputation Filters, multiple anti-malware scanning engines, and the Layer 4 Traffic Monitor, which detects non-port-80 malware activities. The Cisco IronPort S-Series is also capable of intelligent HTTPS decryption, so that all associated security and access policies can be applied to encrypted traffic.

Figure 1 IronPort (ESA) Working

Figure 2 IronPort S370 Web Security Appliance

A web proxy is the foundation for security, mitigating one of the biggest exposures to risk in an organization, namely unrestricted internet access. It allows for comprehensive content analysis, which is critical to accurately detect devious and rapidly mutating web-based malware.

Powered by the proprietary Cisco IronPort AsyncOS operating system, the web proxy includes an enterprise-grade cache file system. This system efficiently returns cached web content through intelligent memory, disk, and kernel management, easily ensuring high performance and throughput for even the largest of networks.

The Cisco WSA is the first secure web gateway to combine leading protections to help organizations address the growing challenges of securing and controlling web traffic. You get advanced malware protection, application visibility and control, acceptable use policy controls, insightful reporting, and secure mobility all on a single platform.

3.1.1. Advanced Threat Defense

The Cisco WSA is powered by Cisco Security Intelligence Operations (SIO), our industry-leading threat intelligence organization. Cisco SIO detects and correlates threats in real time using the largest threat detection network in the world. It monitors 100 TB of daily security intelligence, 1.6 million deployed security devices, 13 billion daily web requests, and 35 percent of worldwide email traffic.

The Cisco WSA uses multiple layers of anti-malware technologies and intelligence from SIO updated every three to five minutes. It protects against hidden threats by analyzing every piece of web content accessed by the user, from HTML to images and Flash graphics.

3.2. Email Security Appliance (ESA)

The Email Security Appliance (ESA) is an easy-to-deploy solution that defends your email system against spam, viruses, phishing, and a wide variety of other threats. In use at eight of the ten largest ISPs and more than 40 percent of the world's largest enterprises, these systems have a demonstrated record of unparalleled performance, accuracy and reliability.

Cisco IronPort email security appliances protect enterprises of all sizes; the same code base that powers our most sophisticated customers is used in the entire product family. By reducing the downtime associated with email-borne malware, these products simplify the administration of corporate mail systems and reduce the burden on technical staff, while offering insight into mail system operation.

Figure 3 Cisco Email Security Appliance C680

IronPort email security appliances provide a multilayer approach to stopping email-based threats:

- For spam protection, email and web reputation filtering technology is combined with the industry-leading Cisco IronPort Anti-Spam feature.

- Cisco IronPort Outbreak Filters are paired with fully integrated traditional antivirus technology and patent-pending anti-targeted-attack protection to ensure users are protected from the industry's most malicious attacks.

- Cisco Data Loss Prevention technology provides organizations with the broadest set of tools to enforce regulatory compliance and acceptable use policies accurately and efficiently.

- Cisco IronPort PXE encryption technology fulfils secure messaging, compliance, and regulatory requirements.

3.2.1. Cisco IronPort's Email Security Technology Differentiators

- Cisco IronPort AsyncOS is a unique, high-performance software architecture designed to address concurrency-based communications bottlenecks and the limitations of file-based queuing.

- Cisco IronPort Reputation Filters perform a real-time email threat assessment and then identify suspicious email senders. Suspicious senders are rate limited or blocked, preventing malicious traffic from entering the network.

- Cisco IronPort Anti-Spam combines best-of-breed conventional techniques with IronPort's breakthrough context-sensitive detection technology to eliminate the broadest range of known and emerging email threats.

- Cisco IronPort Outbreak Filters detect new virus outbreaks in real time, and then quarantine suspicious messages, offering protection up to 42 hours before traditional antivirus solutions.

- Cisco Data Loss Prevention technology provides comprehensive DLP policies and remediation options, unparalleled accuracy, and easy deployment and management capabilities, meeting acceptable use policy and compliance requirements readily.

- Cisco IronPort PXE encryption technology revolutionizes email encryption, meeting compliance requirements while delivering powerful business-class email features.

- The Cisco Threat Operations Center (TOC) provides a 24x7 view into global traffic activity, enabling Cisco to analyse anomalies, uncover new threats, and track traffic trends.

Figure 4 A typical Email Security Deployment

3.3. Management Appliance (SMA)

The Cisco Content Security Management Appliance (SMA) centralizes management and reporting functions across multiple Cisco email and web security appliances. It simplifies administration and planning, improves compliance monitoring, helps to enable consistent enforcement of policy, and enhances threat protection.

Centralize management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Cisco Web Security Appliances (WSAs) with the Cisco Content Security Management Appliance (SMA). The integration of Cisco SMA with Cisco ESAs and WSAs simplifies the planning and administration of email and web security, improves compliance monitoring, makes possible a consistent enforcement of acceptable-use policies, and enhances threat protection.

3.3.1. Enhanced Threat Protection

The Cisco SMA provides a comprehensive view of security for improved threat intelligence, defense, and remediation. That includes:

- Centralized management of email spam quarantine

- Comprehensive threat monitoring across multiple web and email security gateways

- Web reputation scoring

- Botnet detection

The SMA's reporting capabilities can also be used to identify and address key activities and trends for data loss prevention (DLP) and remediation.

Figure 5 Content Security Management Appliance M1060


3.3.2. Features and Benefits of the Cisco SMA and SMAV

Feature / Benefits

Centralized management and reporting: The Cisco SMA simplifies administration by publishing configurations from a single management console to multiple Cisco ESAs and WSAs. Updates and settings are managed centrally on that console rather than on the individual appliances. Organizations can dedicate specific appliances to individual applications for high-volume deployments. Fully integrated reporting allows traffic data from multiple Cisco ESAs and WSAs to be consolidated.

Message tracking: Data is aggregated from multiple Cisco ESAs, including data categorized by sender, recipient, message subject, and other parameters. Scanning results, such as spam and virus verdicts, are also displayed, as are policy violations.

Web tracking: A record of individual web transactions is maintained, with information such as IP address, username, domain name, time accessed, and other details. Visibility is provided into employee use of Web 2.0 applications such as Facebook, YouTube, and instant messaging.

Web reporting: Web tracking information is aggregated in real time and displayed in a high-level, easy-to-use graphical format. Reporting features help administrators determine the websites, URL categories, and applications that employees can access on company devices.

Spam quarantining: Spam and marketing messages are stored centrally with the easy-to-use self-service Cisco Spam Quarantine solution. Large enterprises with multiple Cisco ESAs can offload their spam traffic to one location for easier tracking and provide a single point for employee access.

Threat monitoring: Data about web-based threats is provided in real time, including, for example, which users are encountering the most blocks or warnings, and which websites and URL categories pose the biggest risks. Malware and other threats that Cisco WSAs have detected and blocked are also reported.

Reputation scoring: This feature provides detailed information about the reputation scores of the websites that users access. These scores are based on data provided by Cisco WSAs, which analyze web server behavior and assign a score to each URL that reflects the likelihood that it contains malware.

Botnet detection: Ports and systems with potential malware connections are displayed. Data from the Layer 4 traffic monitoring feature on Cisco WSAs can help organizations detect and remediate botnet-infected hosts.
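The Layer 4 Traffic Monitor mentioned in section 3.1 (detecting malware activity on ports other than 80) and the botnet detection row above rest on the same idea: check every outbound connection, whatever its port, against a list of known malware destinations and surface the internal hosts that talk to them. The following is an added example written for this page, not Cisco's implementation; it assumes flow records with a source address, destination address, optional destination name and port, and a constructed block list of destinations such as a threat feed would supply.

```javascript
// Constructed block list of malware destinations (IP literals or domains). The
// address is from the TEST-NET-3 documentation range and the domain is invented.
const KNOWN_MALWARE_DESTINATIONS = new Set([
  "203.0.113.77",
  "c2.example-bad.test",
]);

// Constructed flow records in the shape a flow exporter or firewall log would yield.
const SAMPLE_FLOWS = [
  { ts: "2015-07-15T08:00:01Z", src: "10.1.4.22", dst: "198.51.100.10", dstName: "www.example.com", port: 80 },
  { ts: "2015-07-15T08:00:05Z", src: "10.1.4.22", dst: "203.0.113.77", dstName: null, port: 6667 },
  { ts: "2015-07-15T08:01:12Z", src: "10.1.4.31", dst: "198.51.100.44", dstName: "c2.example-bad.test", port: 443 },
  { ts: "2015-07-15T08:02:40Z", src: "10.1.4.31", dst: "198.51.100.44", dstName: "C2.example-bad.test", port: 8443 },
  { ts: "2015-07-15T08:03:00Z", src: "10.1.4.50", dst: "198.51.100.10", dstName: "www.example.com", port: 443 },
];

// A flow is suspect if either its destination address or its destination name is listed;
// the port is deliberately ignored, which is what makes non-port-80 activity visible.
function isKnownMalwareDestination(flow, blocklist = KNOWN_MALWARE_DESTINATIONS) {
  if (blocklist.has(flow.dst)) return true;
  if (flow.dstName && blocklist.has(flow.dstName.toLowerCase())) return true;
  return false;
}

// Group suspect flows by internal host so an analyst sees one row per candidate infection.
function findSuspectHosts(flows, blocklist = KNOWN_MALWARE_DESTINATIONS) {
  const byHost = new Map();
  for (const flow of flows) {
    if (!isKnownMalwareDestination(flow, blocklist)) continue;
    let entry = byHost.get(flow.src);
    if (!entry) {
      entry = { connections: 0, ports: new Set(), destinations: new Set(), firstSeen: flow.ts, lastSeen: flow.ts };
      byHost.set(flow.src, entry);
    }
    entry.connections += 1;
    entry.ports.add(flow.port);
    entry.destinations.add((flow.dstName || flow.dst).toLowerCase());
    // ISO 8601 UTC timestamps compare correctly as strings.
    if (flow.ts < entry.firstSeen) entry.firstSeen = flow.ts;
    if (flow.ts > entry.lastSeen) entry.lastSeen = flow.ts;
  }
  const numeric = (a, b) => a - b;
  return [...byHost.entries()].map(([host, e]) => ({
    host,
    connections: e.connections,
    ports: [...e.ports].sort(numeric),
    nonWebPorts: [...e.ports].filter((p) => p !== 80 && p !== 443).sort(numeric),
    destinations: [...e.destinations].sort(),
    firstSeen: e.firstSeen,
    lastSeen: e.lastSeen,
  }));
}

console.log(JSON.stringify(findSuspectHosts(SAMPLE_FLOWS), null, 2));
```

Run on the sample flows, the report lists two hosts: 10.1.4.22, whose single suspect connection went to a listed IP on port 6667, and 10.1.4.31, which reached a listed domain twice on 443 and 8443; 10.1.4.50 only contacted an unlisted site and is absent. The nonWebPorts field is the one to watch first, since a proxy that only sees port 80 would never have observed those connections.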


4. Modes of IronPort

Two modes of working:

- Explicit Proxy/Mode

- Transparent Proxy/Mode

When a web browser uses a proxy, the protocol between the browser and the web proxy is slightly different from the one a browser uses straight to a web server. Thus, the best interoperability between the web browser and Internet web servers occurs when the browser is aware of the proxy.

If the proxy server is inserted transparently between the client and the server, without any special browser configuration, then several problems quickly creep up. Some of the problems are show-stoppers. For example, if the proxy attempts to decrypt SSL traffic, the browser will raise alerts. If the proxy requires authentication to differentiate different types of users or for accounting, this can be incompatible with other web pages that also require authentication. There's a whole RFC (RFC 3143) listing problems with web proxies.

On the other hand, if you want perfect interoperability, you have to get the proxy configuration information to the web browser somehow. Several semi-automatic methods exist under the rubric of Web Proxy Auto-Discovery Protocol (WPAD), or you could manually load the proxy configuration information into the PC.

4.1. Explicit Proxy/Mode

In explicit mode, the packet is by default sent to the IronPort. The proxy server IP is configured in IE or Firefox. Traffic flows from the PC or laptop to the access switch, to the core switch, to the WSA (IronPort), back to the core switch, to the firewall, to the router and on to the Internet. Intelligence in this case is built into IE or Firefox using a PAC file or something like that. But if many users work outside the office, this mode may not be useful, as IE needs access to the IronPort and, outside the office, needs a VPN to the office infrastructure.
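The "PAC file" that carries the intelligence in explicit mode is a small JavaScript file whose FindProxyForURL function the browser calls for every request. The following is an added example written for this page, not a file from the original document or from Cisco: the proxy hostname wsa.example.internal, the port 3128 and the internal domain .example.internal are constructed placeholders to replace with your own values, and the port in particular should be checked against what your appliance actually listens on. It is written in the older JavaScript dialect that every browser PAC engine accepts, and it uses only string matching (no DNS lookups), so it behaves identically whether or not the machine is on the corporate network.

```javascript
// Constructed values: replace with your own proxy host/port and internal domain.
var WSA_PROXY = "PROXY wsa.example.internal:3128";
var INTERNAL_DOMAIN = ".example.internal";

// True suffix match, so "evil.example.internal.example.com" is NOT treated as internal.
function hasDomainSuffix(host, suffix) {
  return host.length > suffix.length &&
         host.slice(host.length - suffix.length) === suffix;
}

// Destinations that should never go through the proxy: plain (dotless) hostnames,
// the corporate domain, loopback, and RFC 1918 address literals. Only dotted-quad
// literals are matched, so no DNS resolution is triggered by the PAC file itself.
function isInternalHost(host) {
  if (host.indexOf(".") === -1) return true;
  if (hasDomainSuffix(host, INTERNAL_DOMAIN)) return true;
  if (host === "localhost" || host === "127.0.0.1") return true;
  if (/^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (/^192\.168\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (/^172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return false;
}

// Entry point the browser calls; returns a proxy directive string.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.slice(0, url.indexOf(":")).toLowerCase();
  // Only web (and FTP-over-HTTP) traffic is sent via the WSA; other schemes go direct.
  if (scheme !== "http" && scheme !== "https" && scheme !== "ftp") return "DIRECT";
  if (isInternalHost(host)) return "DIRECT";
  // Deliberately no "; DIRECT" fallback: appending one would let the browser bypass
  // the WSA silently whenever the proxy is unreachable, which is exactly the
  // off-site-without-VPN situation the text above describes.
  return WSA_PROXY;
}
```

The design choice worth noting is the missing fallback. A directive like "PROXY wsa:3128; DIRECT" makes the off-site problem disappear from the user's point of view, but it does so by sending their traffic out unfiltered the moment the proxy cannot be reached; failing closed keeps the security property and makes the need for VPN access explicit.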

4.2. Transparent Proxy/Mode

Transparent mode works on the port requested by the PC or laptop. All the intelligence in this case is in the core switch.

A transparent proxy (also called an "intercepting proxy") doesn't require touching the web browser, but also doesn't work all the time, versus an explicit proxy, which requires the Web Proxy Auto-Discovery Protocol (WPAD) and a cooperating device, but which works much better.


5. Global Deployment

Cisco deployed the Cisco IronPort S670 WSA in three phases:

Proof of Concept (POC): Cisco CSIRT led a 300-user POC, conducted over six months in one building of the Cisco campus in Research Triangle Park (RTP), North Carolina. The appliances inspected all web-bound traffic, as well as the return traffic from the web to Cisco users' devices. Cisco CSIRT enabled WCCP on each desktop VLAN to redirect traffic with destination port 80/TCP to the IronPort WSAs. WCCP enables the IronPort WSA to inspect a user's web traffic, making it unnecessary for Cisco IT or employees themselves to configure the web browser to use the IronPort proxy. Not requiring a specific browser configuration supports Cisco IT's any-device strategy. "During the POC, we validated that reputation filtering blocked malicious traffic that malware filtering missed," Bollinger says. No outages occurred during the POC.

Pilot: Next, from early 2009 to early 2011, Cisco CSIRT extended the solution to all 3000 employees on the RTP campus. Every web request initiated over a wired or wireless network was redirected to one of four Cisco IronPort WSAs. During the pilot, the IronPort appliances blocked one percent of all web traffic, representing four million objects that otherwise might have infected the network or led to information leakage.

Enterprise Deployment: Cisco IT has begun deploying the Cisco IronPort WSAs in other large campus sites, beginning with offices whose Internet traffic is routed through RTP. "Scaling from 3000 to 30,000 users only requires changing an access list, enabling WCCP on the routers, and pointing the routers to the IronPort WSAs," says Bollinger. IronPort WSAs are also currently in production on the San Jose, California and Bangalore campuses. Users do not notice any change when their web requests are sent through the proxy server.