IronPort
Miloš Kamenický, ICSP Mail and Web
milos.kamenicky@alefnula.sk
Session number: 202 525 549
Toll-free number (calling via Skype): +1 866 432 9903
Local phone for the Czech Republic: +420 221 435 100
Local phone for Slovakia: +421 258 255 309
IronPort Email Security Appliances
IronPort Perimeter Security Appliances
(Diagram: Internet and IronPort SenderBase feeding the Encryption Appliance, Email Security Appliance, Web Security Appliance and Security Management Appliance)
17. 3. 2009 (slide 3)
IronPort Perimeter Security Appliances
(Diagram, two deployments)
Common: Internet -> Firewall -> MTAs, Anti-Spam, Anti-Virus, Policy Enforcement, Mail Routing -> Groupware -> Users
After IronPort: Internet -> Firewall -> IronPort Email Security Appliance -> Groupware -> Users
IronPort Modules
MANAGEMENT TOOLS: Centralized Management, Email Security Manager, Intuitive GUI, SNMP Enterprise MIB
SPAM DEFENSE: IronPort Reputation Filters
VIRUS DEFENSE: Sophos Anti-Virus, McAfee Anti-Virus
POLICY ENFORCEMENT: Content Filters, IronPort Email Encryption
EMAIL AUTHENTICATION: DKIM and DomainKeys Signing, IronPort Bounce Verification
AsyncOS MTA PLATFORM
IronPort AsyncOS: Unmatched Scalability and Security
(Module bar: MANAGEMENT TOOLS, SPAM DEFENSE, VIRUS DEFENSE, POLICY ENFORCEMENT, EMAIL AUTHENTICATION, on THE IRONPORT ASYNCOS EMAIL PLATFORM)
- AsyncOS: scalable and secure OS optimized for messaging
- Advanced Email Controls: protect reputation and downstream systems
- Standards-based Integration: replaces legacy systems with ease
IronPort AsyncOS
- Based on a tuned FreeBSD kernel
- Stackless threading model -> 10000 simultaneous connections
- High performance file system
- I/O driven scheduler optimized for the asynchronous nature of messaging
- No end user-accessible UNIX shell
AsyncOS allows the IronPort appliances to process mail over 10x more efficiently than traditional UNIX systems.
IronPort AsyncOS: Revolutionary Email Delivery Platform
(Diagram comparing two columns)
Traditional Email Gateways and Other Appliances:
- 200 outgoing connections: low performance, peak delivery issue
- Single queue for all destinations: queue backup delays all mail
IronPort Email Security Appliance:
- 1K to 10K outgoing connections: high performance, sure delivery
- Per-destination queues: fault tolerance and custom control
Multi-layer Spam Defense: Best of Breed
- IronPort Reputation Filters: the outer layer defense
- IronPort Anti-Spam: stops the broadest array of threats (spam, phishing, fraud)
Today's Email Threat
Type | Percentage of Global Traffic
Suspicious Content | 4.8%
Viruses | 0.020%
Suspicious IP | 83.7%
Legitimate E-Mail | 11.5%
IronPort SenderBase Network: Global Reach Yields Benchmark Accuracy
The dominant force in global email and web traffic monitoring; its reach results in accuracy and advanced protection.
- 30B+ queries daily
- 150+ email and web parameters
- 25% of the world's email traffic
(Charts) Spam caught by reputation: IronPort 80%, CipherTrust and BorderWare 40-50%. Network reach (contributing networks): IronPort 120,000 (compared with CipherTrust and BorderWare). Virus protection lead: IronPort 13 hours ahead of McAfee, Trend, Symantec, Sophos, CA, F-Secure.*
* 6/2005 to 6/2006. 175 outbreaks identified. Calculated as publicly published signatures from the listed vendors.
SenderBase Reputation Filtering: How is the SBRS calculated?
Inputs (over 150 factors tracked): SpamTraps, Fortune 1000 Individual Blacklists, Complaints, Network Owner, Global Volume, Individual Open Proxy Lists, Domain, Dynamic IP Lists, Length of Sending History, Category of Sender, Change in Sending Behavior
- Individual spam probability weights are assigned for each factor, based on the efficacy of the factor
- Aggregates the weights using a sophisticated algorithm
- Computes the SenderBase Reputation Score: the spam probability is converted to a -10 to +10 score
SenderBase Query (screenshots; three slides)
IronPort Reputation Filters: Stop 80-90% of Hostile Mail at the Door
Incoming mail (good, bad, and grey or unknown email) passes through Reputation Filtering and then the Anti-Spam Engine:
- Known good is delivered
- Suspicious is throttled and spam filtered
- Known bad is deleted/tagged
IronPort uses identity and reputation to apply policy: a sophisticated response to sophisticated threats.
What SenderBase Scores Mean
(Scale from -10 to +10)
-10: An IP address controlled by a spam house or a known open proxy generating a massive volume of complaints and hitting many spamtraps. Guaranteed to be spam.
-5: An IP on one or more reliable blacklists, or belonging to a suspicious new sender with some complaints and spamtrap hits.
Between -5 and 0: May be a dynamic IP (e.g., dialup) sending direct to the Internet, an email marketer with poor practices, or a legitimate enterprise with an open server.
0: Some sending history, low or moderate complaints.
+5: Long sending history, few complaints.
+10: A known enterprise, or a sender who has undergone third-party certification, with no complaints and a long sending history.
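As an added illustration of the SBRS slide (per-factor weights aggregated into a spam probability, then mapped onto the -10 to +10 scale) and of the deliver / throttle / delete tiers of the Reputation Filters slide, here is a simplified model in Python. It is not IronPort's code: the factor names, weights, logistic aggregation, tier thresholds and the three sender profiles are all assumptions, since the slides do not describe the real algorithm.

```python
import math

# Assumed per-factor log-odds weights: positive = evidence of spam, negative =
# evidence of a legitimate sender. SenderBase's real factor list, weights and
# aggregation are proprietary; the slide only says weights are assigned per
# factor and then aggregated.
FACTOR_WEIGHTS = {
    "spamtrap_hits": 2.5,
    "on_reliable_blacklist": 2.0,
    "open_proxy": 3.0,
    "dynamic_ip": 0.5,
    "sudden_volume_spike": 0.5,
    "complaint_rate_high": 1.5,
    "long_sending_history": -2.0,
    "third_party_certified": -3.0,
    "no_complaints": -1.5,
}

def spam_probability(factors):
    """Aggregate the observed factors into a spam probability (logistic model)."""
    logit = sum(FACTOR_WEIGHTS[name] for name, present in factors.items() if present)
    return 1.0 / (1.0 + math.exp(-logit))

def reputation_score(factors):
    """Map spam probability p onto the -10..+10 scale: p=1 -> -10, p=0 -> +10."""
    return round((0.5 - spam_probability(factors)) * 20.0, 1)

def policy_for_score(score, block_below=-5.0, trusted_from=5.0):
    """Three-tier policy from the Reputation Filters slide; the thresholds are
    assumptions (the slide names the bands known bad, suspicious/grey, known good)."""
    if score < block_below:
        return "block"              # known bad: deleted or tagged
    if score < trusted_from:
        return "throttle_and_scan"  # grey: rate-limited and passed to the anti-spam engine
    return "deliver"                # known good: delivered

# Constructed sender profiles matching the descriptions on the score-meaning slide.
SPAM_HOUSE = {"spamtrap_hits": True, "open_proxy": True, "complaint_rate_high": True}
NEW_SENDER = {"dynamic_ip": True, "sudden_volume_spike": True}
KNOWN_GOOD = {"long_sending_history": True, "third_party_certified": True, "no_complaints": True}

if __name__ == "__main__":
    for label, f in (("spam house", SPAM_HOUSE), ("new sender", NEW_SENDER), ("known good", KNOWN_GOOD)):
        s = reputation_score(f)
        print(f"{label:11s} score={s:+5.1f} -> {policy_for_score(s)}")
```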
Reputation Filtering: Report (screenshot)
Positive & Negative Reputation (screenshot)
SenderBase Performance
- Queries use the DNS protocol
- Aggregates data from over 25 blacklist and open proxy lists
- 24x7, 32 languages
- Machine generated rules
IronPort Reputation Filters: Dell Case Study
Dell's challenge:
- Dell currently receives 26M messages per day
- Only 1.5M are legitimate messages
- 68 existing gateways running SpamAssassin were not accurate
IronPort solution:
- Reputation Filters block over 19M messages per day
- 5.5M messages per day scanned by the anti-spam engine
- Replaced 68 servers with 8 IronPort C60s
- Accuracy of spam filtering increased 10x
- Servers consolidated by 70%
- Operating costs reduced by 75%
"IronPort has increased the quality and reliability of our network operations, while reducing our costs." -- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation
Context Adaptive Scanning Engine: the second layer of filtering (anti-spam engine)
- WHAT: analyzing the content of the message
- HOW the message was constructed
- WHO is sending the message
- WHERE the call to action takes you
Result: 98-99% spam catch rate, 1 in 1 million false positive rate
Context Adaptive Scanning Engine (CASE): What CASE Finds
Verdict: BLOCK
- WHAT? Message content legitimate
- HOW? Message construction emulates Microsoft Outlook client
- WHO? IP address started sending email a day ago; message originated from a dial-up IP address; IP address generating thousands of complaints
- WHERE? Mismatch between display and target URL; website domain registered a day ago; website hosted on a compromised host; website hosted at an untrustworthy network owner; name servers located in Ukraine
(Example URL shown on the slide: http://www.profusenet.com/)
Technology Leadership Backed By The Industry's Most Advanced Infrastructure
(Diagram) IronPort Threat Operations Center: SenderBase feeds Security Modeling (machine generated rules, threat evidence clustering) and Security Analysts (human generated rules; 24 x 7, 32 languages); over 100,000 updates daily reach the Context Adaptive Scanning Engine and, through it, end users.
IronPort Image Analysis
- Multilayered detection: 11 different detection methods (advanced edge detection, body part separation, body part layout etc.)
- Image types: JPEG, BMP, PNG, TIFF, GIF, TGA, ICO and PCX
- Embedded image scanning: the engine can extract images from > 400 file types
- Configurable verdict settings: Clean, Suspect, Inappropriate
- Policy integration
IronPort Anti-Spam: Zero-Maintenance Quarantine
- No helpdesk calls: self-service end-user spam quarantine (Web UI, digest email, advanced search)
- Authenticate users against LDAP, AD, or IMAP/POP
- Automatic disk space management
- Flexible deployment: on-box quarantine or consolidated quarantine with the M-Series appliance
Multi-layer Virus Defense: Best of Breed
- IronPort Virus Outbreak Filters: stop outbreaks 13 hours ahead of signatures
- McAfee and Sophos Anti-Virus: signature based solutions with industry leading accuracy
Multi-layer Virus Defense: Best of Breed
- Multiple anti-virus engines: Sophos and/or McAfee
- Anti-virus, Trojan horses and worms
- Repair files
McAfee + Sophos Anti-Virus Signatures: Multiple Lines of Defense
- Integrated McAfee and Sophos anti-virus engines
- High performance in-line scanning using both engines in multi-scan mode for maximum security
- Customer selection of either Sophos or McAfee possible
- Easy to deploy and manage: intuitive user interface, single view with Mail Flow Monitor, auto updates
- Lower TCO with an integrated solution
Anti-Virus Configuration
- Enable/disable AV engine
- Scan, repair messages
- Actions for: repaired messages, encrypted messages, unscannable messages, virus infected messages
Virus Defense: Average Response Time
Table 1: Average Response Time -- Product Name
Between 0 and 2 hours: Kaspersky
Between 2 and 4 hours: BitDefender, Dr. Web, F-Secure, Norman, Sophos
Between 4 and 6 hours: AntiVir, Command, Ikarus, Trend Micro
Between 6 and 8 hours: F-Prot, Panda
Between 8 and 10 hours: AVG, Avast, eTrust-INO, McAfee, VirusBuster
Between 10 and 12 hours: Symantec
Between 12 and 18 hours: [none]
Between 18 and 20 hours: eTrust-VET
More than 20 hours: [none]
Table 2: Average Response Time -- Product Name
Between 0 and 2 hours: [none]
Between 2 and 4 hours: BitDefender, Kaspersky
Between 4 and 6 hours: AntiVir, Dr. Web, F-Secure, Panda, RAV
Between 6 and 8 hours: QuickHeal, Sophos
Between 8 and 10 hours: AVG, Command, F-Prot, Norman, Trend Micro, VirusBuster
Between 10 and 12 hours: Avast, eTrust-CA
Between 12 and 14 hours: Ikarus, McAfee
Between 14 and 16 hours: eTrust-VET, Symantec
Source: http://blog.washingtonpost.com/securityfix/2005/12/ranking_response_times_for_ant.html
IronPort Virus Outbreak Filters: First Line of Defense
Early protection with IronPort Virus Outbreak Filters
Virus Outbreak Filters in Action
(Diagram: Internet -> SenderBase Virus Filter -> Temporary Quarantine)
- Evaluates incoming mail against outbreak rules
- Triggers automated quarantine for suspicious attachments
- Releases messages for rescanning through standard filters
How IronPort Virus Outbreak Filters Work: Dynamic Quarantine in Action
Messages scanned and deleted as the rules tighten over time:
- T = 0: zip (exe) files
- T = 5 mins: zip (exe) files, size 50 to 55 KB
- T = 10 mins: zip (exe) files, size 50 to 55 KB, "Price" in the file name
- T = 8 hours: release messages if a signature update is in place
Fine-grained rules, multiple parameters: attachment type, attachment size, URLs, filenames and more
How IronPort Virus Outbreak Filters Work: Dynamic Quarantine in Action
SenderBase Network: "I normally see 10 .pif files per hour" -> calculate the change in threat level -> "I see a 90% increase in .pif files" -> "Watch out for .pif files, Threat = 3"
SenderBase collection allows statistical analysis to spot virus outbreak trends on average 13 hours before the signature is released!
IronPort Virus Outbreak Filters Advantage
Virus Name | Date | Virus Description | Lead Time (hh:mm)
Kukudro-A | 6/27/06 | Virus that spreads via zipped Word document. | 3:38
Feebs.AG | 6/21/06 | Arrives as an email attachment claiming to be sent via "Protected E-Mail service". | 17:46
Troj/Stinx-W | 6/15/06 | IRC backdoor Trojan. | 11:12
Yabe.G | 5/16/06 | Trojan that attempts to download further malicious code. | 13:09
Bagle-GT | 4/21/06 | Installs backdoor and communicates via HTTP, thus bypassing firewall filters. | 18:28
Mytob-HJ | 4/19/06 | Turns off anti-virus applications of infected PC to avoid detection. | 32:57
Nyxem-D (Kama Sutra) | 1/16/06 | Deletes most documents on third day of every month. | 1:27
Looksky.G | 1/6/06 | Installs keystroke loggers onto infected PCs. | 35:40
Average lead time*: over 13 hours. Outbreaks blocked*: 175 outbreaks. Total incremental protection*: over 94 days.
* June 2005 to July 2006. Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, F-Secure, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
IronPort Virus Outbreak Filters: Harnessing the Power of our 24 x 7 Threat Operations Center
Inside the TOC (Jan Mak, Manager, Threat Operations Center):
- Publishes outbreak rules, updated on a constant, rapid basis
- Expert team of skilled analysts
- Staffed 24 x 7 x 365
- 32 languages spoken
- Documented and verified processes
- State-of-the-art tools and techniques
IronPort Policy Enforcement: Inbound/Outbound Content Filtering for Compliance
- Flexible Policy Engine: from blocking attachments to enforcing regulatory compliance
- Compliance Solutions and Encryption: keep communications private and secure
Processing the Email
(Pipeline) Reputation Filters -> Message Filters -> Anti-Spam -> Anti-Virus -> Content Filters -> Virus Outbreak Filters
Flexible Policy Engine: From Blocking Attachments to Enforcing Compliance
- Graphical representation of per-recipient policies
- LDAP integration reduces the need for repetitive modifications
- Customizable notification templates
- Robust conditions and actions
IronPort Email Security Manager
- Single view of policies for the entire organization
- Categories: by domain, username, or LDAP
Example per-group policies shown on the slide:
- IT: allow all media files; quarantine executables
- SALES: mark and deliver spam; delete executables
- LEGAL: archive all mail; Virus Outbreak Filters disabled for .doc files
"Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance." -- PC Magazine, 2/22/05
Content Filters
Conditions: Message Size, Message Body, Reputation Filter, Attachment, Attachment File Type, Envelope Sender, Envelope Recipient, ...
Actions: Bounce, Deliver, Drop, Add Header, Strip Header, Send Copy, Quarantine, ...
Email Authentication: Superior Security and Identity Protection
- DomainKey Signing: establishes and protects your identity on the Internet
- IronPort Bounce Verification: protects from misdirected bounce attacks
- Directory Harvest Attack Prevention: blocks attempts to steal email directory information
The Misdirected Bounce Threat: Makes Up 9% of all Internet Email*
(Diagram) Zombies send mail with the forged sender billing@yourcompany.com to recipients such as joe1@enterprise.com and jane88@enterprise.com; the recipients' incoming gateway returns millions of misdirected bounces to the outgoing gateway of yourcompany.com.
More than 55% of F500s have experienced disruption of service or a total denial of service due to misdirected bounces.
IronPort Bounce Verification: Protects Against Misdirected Bounce Attacks
(Diagram: outgoing mail passes the BV stage on its way to the Internet; returning bounces pass it again)
- All outgoing mail stamped, allowing legitimate bounces to be identified on return
- Transparent to end users, no industry adoption required
- Eliminates help desk calls and end user confusion
"Another IronPort Technical First"
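The stamping described above, as an added example in Python that is not IronPort's code: the outgoing gateway tags the envelope sender with a keyed, expiring token, and the incoming gateway accepts a null-sender bounce only if the recipient address carries a valid token, rejecting untagged, forged or expired ones. The tag layout follows the public BATV draft ("prvs="); IronPort's own tag format, key handling and validity period are not on the slides and are assumed here, as are the key and addresses used.

```python
import hmac
import hashlib
import re

SECRET = b"constructed-example-key"   # constructed; a real gateway keeps a per-site secret
TAG_RE = re.compile(r"^prvs=(\d{3})([0-9a-f]{6})=(.+)$")   # BATV-style prvs tag

def _mac(address: str, expiry_day: int) -> str:
    """Short keyed MAC binding the original address to its expiry day."""
    data = f"{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()[:6]

def stamp_sender(address: str, day: int, validity_days: int = 7) -> str:
    """Outgoing gateway: rewrite billing@yourcompany.com into a tagged envelope sender.
    `day` is a day counter; the tag carries the expiry day modulo 1000 as in BATV."""
    local, domain = address.rsplit("@", 1)
    expiry = (day + validity_days) % 1000
    return f"prvs={expiry:03d}{_mac(address, expiry)}={local}@{domain}"

def verify_bounce(envelope_from: str, rcpt_to: str, today: int):
    """Incoming gateway decision. Returns (accept, reason).
    Only null-sender mail (MAIL FROM:<>) is treated as a bounce; other mail passes."""
    if envelope_from != "":
        return True, "not a bounce"
    local, domain = rcpt_to.rsplit("@", 1)
    m = TAG_RE.match(local)
    if not m:
        return False, "untagged recipient: misdirected bounce, rejected"
    expiry, mac, orig_local = int(m.group(1)), m.group(2), m.group(3)
    original = f"{orig_local}@{domain}"
    if not hmac.compare_digest(mac, _mac(original, expiry)):
        return False, "tag does not verify: rejected"
    if (expiry - today) % 1000 > 500:        # today is past the expiry day (mod 1000)
        return False, "tag expired: rejected"
    return True, f"legitimate bounce for {original}"

def strip_tag(address: str) -> str:
    """Restore the original address so an accepted bounce reaches the real sender's mailbox."""
    local, domain = address.rsplit("@", 1)
    m = TAG_RE.match(local)
    return f"{m.group(3)}@{domain}" if m else address
```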
Integrated DomainKeys: Protects Your Brand and Your Customers
(Diagram: the private key on the appliance signs outgoing mail; the public key is published in DNS; ISPs with 300M+ email accounts use DomainKeys to authenticate the email sender)
- Deploys in five minutes
- No CA-issued key required
- Every enterprise needs to protect its brand with authentication
Email Verification...
- SPF/SIDF Verification
- DNS Verification: PTR record
- DNS Verification: envelope sender
- Bounce Verification
Email Encryption with IronPort PXE
(Diagram: IronPort C-Series <-> IronPort Encryption Appliance, with the IronPort Hosted Key Service)
- IronPort Hosted Keys: user login, authentication and delivery of the decryption key; no key distribution infrastructure needs to be implemented
- IronPort C-Series: Content Filters identify the messages that are to be encrypted
- IronPort Encryption Appliance: encrypts the message and returns the IronPort PXE message to the IronPort C-Series, which delivers it
Message Encryption: Easy to Use and to Deploy
(Diagram of the flow)
- The gateway encrypts the message and stores the key with IronPort Hosted Keys
- The message is delivered to the recipient
- The user opens the encrypted message in a browser
- The user authenticates (password) and obtains the key from IronPort Hosted Keys
Management for the Largest Enterprises
- Email Security Manager: unified policy management
- Email Security Monitor: enterprise-class reporting system
- Management Interfaces: simple integration and increased productivity
IronPort Email Security Monitor: Advanced Reporting System
- Integrated real-time graphical reports
- CSV export
- Scheduled delivery
- Search by domain
(Screenshot: Email Security Monitor)
Management Interfaces: Productivity Enhanced using User-Centered Design
- Refined through user feedback and testing
- Centralized management saves time and mistakes
- Choice of web interface or CLI
- Trace command
- Centralized management
- Commit model
- 5-step system setup
Message Tracking (screenshots; two slides)
Message Trace (screenshots; two slides)
IronPort LDAP
- LDAP Accept Queries
- Group Queries: determine inbound mail policy, content filters, and mail routing in an Exchange environment
- Routing and Masquerading: rewrite mailbox, replace Envelope-From address
- SMTP Authentication: relay privileges for off-network users
- LDAP and the IronPort Spam Quarantine
IronPort System Administration
- Reboot, shutdown
- Feature keys (licences)
- Users (local, LDAP, RADIUS)
- Backup configuration file
- Wizards
- System upgrade
IronPort Hardware
- IronPort C150: up to 1000 mailboxes, RAID 1, 2x80 GB HDD, 2 GB RAM
- IronPort C360: up to 2000 mailboxes, RAID 1, 2x300 GB SCSI, 35 GB queue capacity, redundant power supplies
- IronPort C660: 2 x multicore CPU, RAID 1+0, 4x300 GB SCSI, 70 GB queue capacity, redundant power supplies
- IronPort X1060
IronPort Deployment
(Diagrams: two deployment layouts, each showing Internet -> Firewall -> LAN -> Groupware -> Users)
Global Telecom & ISP Customers
(Customer logos, global and Europe) Over 70 ISPs globally
The Principles of Industry Leadership
- Technology Leadership: bespoke OS for email; innovator of reputation filtering with SenderBase
- Analyst Leadership: recognized as the leader by Gartner, Meta, Radicati, IDC, Forrester, Bloor
- Customer Leadership: 46 of the world's largest 100 companies; 10 of the 12 largest ISPs; over 70 ISPs globally
- Global Leadership: operations in 45 countries and 75 cities globally; 600+ partners; IronPort infrastructure currently operating in 75+ countries
IronPort E-mail Appliance
Thank you for your attention
milos.kamenicky@alefnula.sk
stanislav.hrda@alefnula.sk