IronPort: The Leader in Email Security

PROTECTING OVER 340 MILLION EMAIL BOXES WORLDWIDE

Fredrik Myrelid
Nordic & Baltic Technical Manager
IronPort Systems, Inc.
IronPort Systems: The Leader in Email Security

IronPort C-Series Email Security Appliance

• Industry-leading technology
– AsyncOS, powers the world’s fastest MTA
– SenderBase, the world’s first & largest HTTP & SMTP traffic monitoring network
• Industry-leading customers
– Over 50% of the world’s largest ISPs, media & technology companies choose IronPort
Fixing Email: The Steps Required

1. IDENTITY
2. REPUTATION
3. POLICY

Internet

private ISPs

public
DNS

IronPort is the First to Implement DomainKeys


Challenges at the Email Gateway

The typical symptoms everyone headlines on….


• Email Security
– Managing volumes of SPAM and false positive issues
– Viruses
– Denial of Service attacks, Directory Harvesting, Fraud, etc.
• Policy & Legal Compliance

But what about the bigger picture?


• Availability of email services
• Performance & Latency issues
• Authentication
• Massive Admin & Operations overhead
• Huge Complexity
• Visibility, Reporting & Statistics
• Future-proofing the infrastructure, new services etc
Summarised as..
• Lost Productivity (a management issue)
– At the desktop (users are asked to define spam)
– IT Admin (to set up, fine tune and monitor spam)
• Consumption of valuable IT resource (an operational issue)
– Network bandwidth (wasted on 70% spam)
– CPU and memory at the gateway (could be used on genuine mail)
– Disk storage (archive everything that arrives, inc. spam)
– Increased real-estate (in order to scale with the right performance)
• Legal liability (a risk management issue)
– Offensive content
– Contravention of legislation (Data Protection, Basel II, SOX, HIPAA etc)
– Spam zombies (brand risk, blacklisting)
IronPort Consolidates the Email Perimeter

Before IronPort: Internet → Firewall → MTAs → Anti-Spam → Anti-Virus → Policy Management → Mail Routing → Groupware → Users

After IronPort: Internet → Firewall → IronPort Email Security Appliance → Groupware → Users
IronPort Reduces Administration
Advanced Technology Automates Manual Tasks

IronPort Email Security Appliance

• Centralized management: make changes only once
• Stop viruses on average 15 hours before the anti-virus signature is available
• Anti-spam updates: up to 60,000 rules/day, every 5-10 min
• No fine tuning or training necessary
• Lowest false positive rates eliminate support calls
• Centralized & scheduled reporting: you never need to sort through logs again
• No manual white- or black lists necessary
• Automatic rate limiting protects against Denial of Service without your intervention
• Test configuration changes without making them active

“These IronPorts run themselves”


Joe Chodi, CTO of Major League Baseball
IronPort Architecture for
Multi-Layered Email Security

MANAGEMENT TOOLS

SPAM DEFENSE
• IronPort Reputation Filters
• Brightmail
• IronPort Anti-Spam

VIRUS DEFENSE
• IronPort Virus Outbreak Filters
• Sophos Anti-Virus

CONTENT SCANNING
• IronPort Content Filters
• PostX and PGP

ASYNCOS™ MTA PLATFORM


AsyncOS:
Revolutionary MTA Platform

Traditional Email Gateways And Other Appliances
• 200 Incoming/Outgoing Connections: Low Performance and Potential DoS
• Single Queue For all Destinations: Queue Backup Delays All Mail

IronPort Email Security Appliance
• 10,000 Incoming/Outgoing Connections: High Performance, Predictable Delivery
• Per-Destination Queues: Fault-Tolerance and Custom Control

Directory Harvest Attack Prevention
– Protects Against: Theft of your user database by spammers
– Unique Advantage: Integrates with SenderBase to track global attacks

Virtual Gateway Technology
– Protects Against: Inadvertent blockage of your corporate mail
– Unique Advantage: Provides up to 256 unique IP addresses per appliance

Intelligent Bounce Handling
– Protects Against: Blacklisting of your IPs from intentional NDRs
– Unique Advantage: Separate IP address for NDRs, In-conversation recipient checking
AsyncOS™
Standards Based Integration

LDAP
• Integrates with all standard LDAP servers including Active Directory™
• Carrier-class client and cache on-box

DNS
• High performance client resolves millions of records per hour
• Configure separate DNS servers per domain

Advanced Networking
• 802.1Q VLAN Tagging for network security
• NIC failover for redundancy
• Loopback interfaces for load balancer integration

Essential Mail Operations
• Alias, masquerade, and routing tables
• Powerful header operations
• Store tables on box or in LDAP directory
Multi-Layered Spam & Virus Defense:
Preventive + Reactive = Defense in Depth

Preventive Layer
- IronPort Reputation Filtering
- Virus Outbreak Filters
• Immediate Reaction to Threats
• Extremely High Performance
• Coarse Outer Layer
• Blocks or Rate Limits

+

Reactive Layer
- Brightmail
- IronPort AntiSpam
- Sophos Anti-Virus
• Adapts Over Time
• Computationally Intensive
• Fine-grained Inner Layer
• Delete or Quarantine
Black and White Lists
SenderBase®:

Data Makes the Difference

Parameters
• Complaint Reports
• Spam Traps
• Message Composition Data
• Global Volume Data
• URL Lists
• Compromised Host Lists
• Web Crawlers
• IP Blacklists & Whitelists
• Additional Data

Threat Prevention in Realtime
SenderBase Data → Data Analysis/Security Modeling → SenderBase Reputation Scores (-10 to +10)
Data Quantity Data Quality
Data Breadth

• Combine HTTP & SMTP data
• Over 5 billion emails per day
• Over 90 SMTP parameters tracked
• Over 20 HTTP parameters tracked

• Over 200,000 sources
• 8 of the top 10 ISPs, universities & businesses
• Worldwide sources, including Americas, Europe & Asia

• Over 3 years of experience ensuring data integrity
• SourceRank assesses source quality by cross correlating multiple sources with known benchmarks
IronPort Mail Flow

80% Bad Mail STOPPED BEFORE You have accepted connection

IronPort SenderBase (www)

Work Queue

Reputation Filters → Anti Spam → Anti Virus → Content Filters → Virus Outbreak Filters → SMTP Client

Exchange, Lotus/Domino, Groupwise

Clean, legitimate Mail!
Nordea Phishing / Sender IP
IronPort Reputation Filters Stop
80% of Hostile Mail at the Door….

Incoming Mail: Good, Bad, and “Grey” or Unknown Email

Reputation Filtering (score from +10 to -10)
– Trusted Policy
– Accepted Policy
– Untrusted Policy
– Rejected Policy

Anti-Spam Engine

• IronPort uses identity & reputation to apply policy


• Sophisticated response to sophisticated threats
Traffic Shaping:
Mail Flow Control NOT Filtering
Dell
• Dell’s challenge:
– Dell receives over 26M emails per day
– Only 1.5M legitimate emails
– 68 existing gateways using Spam Assassin with high false positive rates
• IronPort’s solution:
– Reputation filters block over 19M emails per day
– 5.5M emails per day scanned & removed by Brightmail
– Replaced 68 servers with 8 IronPort C60s
• Accuracy of spam filtering increased 10x
• Server consolidation of 70%
• Operational costs reduced by over 75%

“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”
-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation
IronPort Outbreak Filters
Over 140 Virus Outbreaks Detected, Average Lead Time of 15 hours

“Virus Outbreak Filters helped us from the first day we had it and it saves us significant clean up costs during major virus outbreaks.”

Mark S. Dial, E-Messaging Team, Tellabs

Virus      Date       Virus Threat Level Raised  First Anti-virus Signature Available  Outbreak Filter Lead Time
Bagle.BO   5/31/2005  14:32 PM                   16:34 PM                              2:02 hours
Bagle BB   2/27/2005  10:39 AM (2/27)            4:22 AM (3/1)                         41:43 hours
Mydoom.BL  4/28/2005  19:52 PM                   21:43 PM                              1:51 hours
MyTob.V    4/3/2005   4:19 AM                    9:36 AM                               5:17 hours
MyTob.J    3/24/2005  23:30 PM                   22:38 PM (the next day)               23:08 hours
Sober.L    3/7/2005   16:10 PM                   18:28 PM                              2:18 hours
Sober.K    2/21/2005  5:58 AM                    7:00 AM                               1:02 hours
Mydoom.BB  2/15/2005  18:08 PM                   22:54 PM (the next day)               28:46 hours
How Virus Outbreak Filters Work
Dynamic Quarantine In Action

Messages Scanned & Deleted

T = 0
– zip (exe) files

T = 5 mins
– zip (exe) files
– Size 50 to 55 KB

T = 10 mins
– zip (exe) files
– Size 50 to 55 KB
– “Price” in the file name

T = 8 hours
– Release messages if signature update is in place
Industry Leading Signatures
from Sophos Anti-Virus

• Integrated Sophos® anti-virus engine
– High performance in-line scanning
• Easy to deploy and manage
– Intuitive user interface
– Single view with Mail Flow Monitor
– Auto updates
– Lower TCO with integrated solution
Easy Custom Filter Generation
Protect your intellectual property
& enforce acceptable use

IronPort Content Scanning Engine (Incoming / Outgoing Mail)
• High Performance
• Flexible
• Fine Grained

Actions
• Encrypt
• Archive
• BCC to Compliance Officer
• Notify Legal Personnel
• Remove Attachment
• Return to Sender
• Bounce Email
• Drop Email

Inputs
• LDAP Server Queries
• Pre-defined HIPAA, GLB, SOX Filters
• Customer Specific Filters
IronPort Email Security Manager
Single view of policies for the entire organization

Domain, Email Address, or LDAP Group

IT
• Allow all media files
• Quarantine executables

SALES
• Mark and Deliver Spam
• Delete Executables

LEGAL
• Archive all mail
• Virus Outbreak Filters disabled for .doc files
IronPort Centralized Management

• Log in anywhere, control everywhere


– New systems automatically configure themselves
– Mesh network = no single point of failure
• Elegant solution for two systems to 100
– Simple interface highlights configuration anomalies
– Apply changes to a machine, group, or cluster

IRONPORT CLUSTER
– San Jose Group: SJ1 Machine, SJ2 Machine, SJ3 Machine
– Dublin Group: D1 Machine, D2 Machine, D3 Machine
– Tokyo Group: T1 Machine, T2 Machine, T3 Machine
Enterprise Reporting & Management

• Proves the IronPort ROI
– Show effectiveness of reputation, spam, and virus filtering
• In-depth reporting on all senders
– Includes global traffic data from SenderBase
• Easy integration with existing monitoring
– Alert Center (via email)
– SNMP
– Reporting API
• Choice of management interfaces
– Effortless Graphical User Interface (GUI)
– Powerful Command Line Interface (CLI)
The IronPort Advantage

• IronPort Minimizes the Total Cost of Ownership for your E-mail Infrastructure
– Administrative burden reduced by more than 75%, lets IT staff do more with less
– Increased User productivity
– Powerful Management & Reporting tools for small to global organizations, as well as ISPs
– Server consolidation
– Reduced load on the network infrastructure
– Ease of use
– Flexible Filtering solutions – Tailored to your needs
• IronPort increases the availability of your email
– Protection against Denial of Service Attacks, Directory Harvesting
• IronPort makes you sleep better at night!
– Industry leading Anti-Virus Protection – 15 hours ahead of competition
– Multi-dimensional Anti-Spam Protection
• Most accurate for the broadest span of threats
• Powered by SenderBase (www.senderbase.org)
– Unmatched performance – Scalability from the smallest organization to largest ISPs

The IronPort C-Series offers comprehensive & consolidated email security
Thank you

Fredrik Myrelid
IronPort Systems, Inc.
fmyrelid@ironport.com
