IronPort works as a proxy and provides URL filtering, anti-virus and anti-phishing. IronPort protects enterprises against Internet threats. It was best known for IronPort AntiSpam, the SenderBase email reputation service, and email security appliances. These appliances ran a modified FreeBSD kernel under the trademark AsyncOS.

IronPort email and web security gateway and management products, currently referred to as Cisco Email Security and Cisco Web Security, have now become an integral part of the Cisco Security vision and strategy.

Cisco continues to deliver the world-class email and web security that IronPort customers are used to. The security products and technology from IronPort complement Cisco's industry-leading threat mitigation, confidential communications, policy control, and management solutions.
History
IronPort Systems, Inc. was headquartered in San Bruno, California. IronPort was founded in December 2000 by Scott Banister and Scott Weiss.

On November 24, 2003, IronPort acquired the SpamCop filtering and reporting service, which it ran as a stand-alone entity.

Cisco Systems announced on January 4, 2007 that it would buy IronPort in a deal valued at US$830 million[4][5] and completed the acquisition on June 25, 2007. IronPort was integrated into the Cisco Security business unit. SenderBase was renamed SensorBase to take account of the input that other Cisco devices provide to this database. SensorBase allows these devices to build a risk profile on IP addresses, so that risk profiles can be created dynamically for HTTP sites and SMTP email sources.
Working
The Content Security Module on the firewall can be used instead, but only for up to 1000 users. For more than that, Cisco IronPort should be used; IronPort can scale up to 20,000 users.

The Content Security Module on the ASA firewall uses only one scanner, the Trend Micro scanner. IronPort uses three scanners: one from McAfee, one from Sophos and one from Webroot. McAfee and Sophos handle anti-virus and anti-phishing, and Webroot handles anti-malware. The customer can choose how many scanners he wants; he need not buy all three.

When a packet comes in, it is sent in parallel to all the available scanners. After checking the packet in their DV engine, the scanners drop it if anything about it is malicious. If all is well, it is sent to Webroot for further processing and finally delivered to the user.

Yet another level of security is the feature called Sensor Based, or under its new name "Sender Based". All the WSA data centres in multiple locations across the group seek the latest intelligence in web security. If a new virus is found, they push the update to IronPort. Depending on the incoming packet's source IP address (which is scored anywhere between -10 and +10), the packet can be dropped, quarantined or allowed inside by IronPort. The admin configures IronPort to act on these scores.

Granular-level access control is possible using application vectoring.
Image: IronPort (ESA) working
Types of IronPort
Web Security Appliance (WSA)
Image: IronPort S370 Web Security Appliance
A web proxy server accepts incoming connections destined for the web and acts as an intermediary between the clients and the World Wide Web. Cisco IronPort Web Proxy Server Security Appliances help enterprises secure and control internet traffic by offering multiple layers of malware defence on a single, integrated appliance. These layers of defence include Cisco IronPort Web Reputation Filters, multiple anti-malware scanning engines, and the Layer 4 Traffic Monitor, which detects malware activity on ports other than port 80. The Cisco IronPort S-Series is also capable of intelligent HTTPS decryption, so that all associated security and access policies can be applied to encrypted traffic.

A web proxy is the foundation for security because it mitigates one of the biggest exposures to risk in an organization, namely unrestricted internet access. It allows for comprehensive content analysis, which is critical to accurately detect devious and rapidly mutating web-based malware. Powered by the proprietary Cisco IronPort AsyncOS operating system, the web proxy includes an enterprise-grade cache file system. This system efficiently returns cached web content through intelligent memory, disk, and kernel management, easily ensuring high performance and throughput for even the largest of networks.

The Cisco WSA is the first secure web gateway to combine leading protections to help organizations address the growing challenges of securing and controlling web traffic. You get advanced malware protection, application visibility and control, acceptable use policy controls, insightful reporting, and secure mobility, all on a single platform.
Advanced Threat Defense
The Cisco WSA is powered by Cisco Security Intelligence Operations (SIO), our industry-leading threat intelligence organization. Cisco SIO detects and correlates threats in real time using the largest threat detection network in the world. It monitors 100 TB of daily security intelligence, 1.6 million deployed security devices, 13 billion daily web requests, and 35 percent of worldwide email traffic.
The Cisco WSA uses multiple layers of anti-malware technologies and intelligence from SIO, updated every three to five minutes. It protects against hidden threats by analyzing every piece of web content accessed by the user, from HTML to images and Flash graphics.
Email Security Appliance (ESA)
Image: Cisco Email Security Appliance C680
The Email Security Appliance (ESA) is an easy-to-deploy solution that defends your email system against spam, viruses, phishing, and a wide variety of other threats. In use at eight of the ten largest ISPs and more than 40 percent of the world's largest enterprises, these systems have a demonstrated record of unparalleled performance, accuracy and reliability.

Cisco IronPort email security appliances protect enterprises of all sizes: the same code base that powers our most sophisticated customers is used in the entire product family. By reducing the downtime associated with email-borne malware, these products simplify the administration of corporate mail systems and reduce the burden on technical staff, while offering insight into mail system operation.

IronPort email security appliances provide a multilayer approach to stopping email-based threats:
- For spam protection, email and web reputation filtering technology is combined with industry-leading Cisco IronPort Anti-Spam feature.
- Cisco IronPort Outbreak Filters are paired with fully integrated traditional antivirus technology and patent-pending anti-targeted-attack protection to ensure users are protected from the industry's most malicious attacks.
- Cisco Data Loss Prevention technology provides organizations with the broadest set of tools to enforce regulatory compliance and acceptable use policies accurately and efficiently.
- Cisco IronPort PXE encryption technology fulfils secure messaging, compliance, and regulatory requirements.
Cisco IronPort’s Email Security Technology Differentiators
- Cisco IronPort AsyncOS is a unique, high-performance software architecture designed to address concurrency-based communications bottlenecks and the limitations of file-based queuing.
- Cisco IronPort Reputation Filters perform a real-time email threat assessment and then identify suspicious email senders. Suspicious senders are rate limited or blocked, preventing malicious traffic from entering the network.
- Cisco IronPort Anti-Spam combines best-of-breed conventional techniques with IronPort's breakthrough context-sensitive detection technology to eliminate the broadest range of known and emerging email threats.
- Cisco IronPort Outbreak Filters detect new virus outbreaks in real time, and then quarantine suspicious messages - offering protection up to 42 hours before traditional antivirus solutions.
- Cisco Data Loss Prevention technology provides comprehensive DLP policies and remediation options, unparalleled accuracy, and easy deployment and management capabilities - meeting acceptable use policy and compliance requirements readily.
- Cisco IronPort PXE encryption technology revolutionizes email encryption - meeting compliance requirements while delivering powerful business-class email features.
- The Cisco Threat Operations Center (TOC) provides a 24x7 view into global traffic activity, enabling Cisco to analyse anomalies, uncover new threats, and track traffic trends.
Management Appliance (SMA)
Image: Content Security Management Appliance M1060
The Cisco Content Security Management Appliance (SMA) centralizes management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Cisco Web Security Appliances (WSAs). The integration of the Cisco SMA with Cisco ESAs and WSAs simplifies the planning and administration of email and web security, improves compliance monitoring, makes possible a consistent enforcement of acceptable-use policies, and enhances threat protection.
Enhanced Threat Protection
The Cisco SMA provides a comprehensive view of security for improved threat intelligence, defense, and remediation. That includes:
- Centralized management of email spam quarantine.
- Comprehensive threat monitoring across multiple web and email security gateways.
- Web reputation scoring.
- Botnet detection.
The SMA's reporting capabilities can also be used to identify and address key activities and trends for data loss prevention (DLP) and remediation.
Features and Benefits of the Cisco SMA and SMAV
| Feature | Benefits |
| --- | --- |
| Centralized management and reporting | The Cisco SMA simplifies administration by publishing configurations from a single management console to multiple Cisco ESAs and WSAs. Updates and settings are managed centrally on that console rather than on the individual appliances. Organizations can dedicate specific appliances to individual applications for high-volume deployments. Fully integrated reporting allows traffic data from multiple Cisco ESAs and WSAs to be consolidated. |
| Message tracking | Data is aggregated from multiple Cisco ESAs, including data categorized by sender, recipient, message subject, and other parameters. Scanning results, such as spam and virus verdicts, are also displayed, as are policy violations. |
| Web tracking | A record of individual web transactions is maintained, with information such as IP address, username, domain name, time accessed, and other details. Visibility is provided into employee use of Web 2.0 applications such as Facebook, YouTube, and instant messaging. |
| Web reporting | Web tracking information is aggregated in real time and displayed in a high-level, easy-to-use graphical format. Reporting features help administrators determine the websites, URL categories, and applications that employees can access on company devices. |
| Spam quarantining | Spam and marketing messages are stored centrally with the easy-to-use self-service Cisco Spam Quarantine solution. Large enterprises with multiple Cisco ESAs can offload their spam traffic to one location for easier tracking and provide a single point for employee access. |
| Threat monitoring | Data about web-based threats is provided in real time, including, for example, which users are encountering the most blocks or warnings, and which websites and URL categories pose the biggest risks. Malware and other threats that Cisco WSAs have detected and blocked are also reported. |
| Reputation scoring | This feature provides detailed information about the reputation scores of the websites that users access. These scores are based on data provided by Cisco WSAs, which analyze web server behavior and assign a score to each URL that reflects the likelihood that it contains malware. |
| Botnet detection | Ports and systems with potential malware connections are displayed. Data from the Layer 4 traffic monitoring feature on Cisco WSAs can help organizations detect and remediate botnet-infected hosts. |
Modes of IronPort
Two modes of working:
- Explicit Proxy/Mode
- Transparent Proxy/Mode
When a web browser uses a proxy, the protocol between the browser and the web proxy is slightly different from the one a browser uses when talking directly to a web server. Thus, the best interoperability between the web browser and Internet web servers occurs when the browser is aware of the proxy.

If the proxy server is inserted transparently between the client and the server, without any special browser configuration, then several problems quickly creep up. Some of the problems are show-stoppers. For example, if the proxy attempts to decrypt SSL traffic, the browser will raise alerts. If the proxy requires authentication to differentiate between types of users or for accounting, this can be incompatible with web pages that also require authentication. There is a whole RFC (RFC 3143) listing problems with web proxies.

On the other hand, if you want perfect interoperability, you have to get the proxy configuration information to the web browser somehow. Several semi-automatic methods exist under the rubric of the Web Proxy Auto-Discovery Protocol (WPAD), or you can manually load the proxy configuration information into the PC.
Explicit Proxy/Mode
In explicit mode, the packet is by default sent to IronPort. The proxy server IP is configured in IE or Firefox. The traffic flows from the PC or laptop to the access switch, to the core switch, to the WSA (IronPort), back to the core switch, to the firewall, to the router and out to the Internet. The intelligence in this case is built into IE or Firefox using a PAC file or a similar mechanism. But if many users work outside the office, this mode may not be useful, because the browser needs access to the IronPort, and from outside the office that requires a VPN to the office infrastructure.
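A PAC file is a JavaScript function the browser calls for every request. The following is an added example, not code from the original post or from Cisco; it assumes a hypothetical WSA listener at wsa.example.corp:3128 and a corporate network of 10.0.0.0/8, and it includes small stand-ins for the helper functions a browser's PAC engine normally provides, so it can be run outside a browser.

```javascript
// Added example of an explicit-mode PAC file. The WSA address and the
// corporate address range are assumed values, not taken from the post.
const WSA_PROXY = "PROXY wsa.example.corp:3128";

// Stand-ins for the helpers a browser's PAC engine provides, so the script
// can be exercised outside a browser. The client address is simulated.
let simulatedClientIp = "10.20.30.40";          // constructed sample address
function setSimulatedClientIp(ip) { simulatedClientIp = ip; }
function myIpAddress() { return simulatedClientIp; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isIpLiteral(s) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(s); }
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
}
function isInNet(ip, net, mask) {
  // The real helper resolves hostnames first; this stub only handles literals.
  if (!isIpLiteral(ip)) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// The function the browser calls for every request.
function FindProxyForURL(url, host) {
  // A laptop outside the office cannot reach the WSA without VPN, so clients
  // that are not on the corporate network are sent direct.
  if (!isInNet(myIpAddress(), "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Internal destinations do not traverse the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.corp") ||
      isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else, HTTP and HTTPS alike, goes to the WSA. No "; DIRECT"
  // fallback is listed, because that would silently bypass filtering
  // whenever the WSA is unreachable.
  return WSA_PROXY;
}
```

Serving this file from the URL that WPAD advertises gives the semi-automatic configuration described above; loading it manually into the browser is the other option.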
Transparent Proxy/Mode
Transparent mode works on the port requested by the PC or laptop. All the intelligence in this case is in the core switch.

In summary: a transparent proxy (also called an "intercepting proxy") does not require touching the web browser, but also does not work all the time, whereas an explicit proxy requires the Web Proxy Auto-Discovery Protocol (WPAD) and a cooperating device, but works much better.
Global Deployment
Cisco deployed the Cisco IronPort S670 WSA in three phases:
- Proof of Concept (POC): Cisco CSIRT led a 300-user POC, conducted over six months in one building of the Cisco campus in Research Triangle Park (RTP), North Carolina. The appliances inspected all web-bound traffic, as well as the return traffic from the web to Cisco users' devices. Cisco CSIRT enabled WCCP on each desktop VLAN to redirect traffic with destination port 80/TCP to the IronPort WSAs. WCCP enables the IronPort WSA to inspect a user's web traffic, making it unnecessary for Cisco IT or employees themselves to configure the web browser to use the IronPort proxy. Not requiring a specific browser configuration supports Cisco IT's any-device strategy. "During the POC, we validated that reputation filtering blocked malicious traffic that malware filtering missed," Bollinger says. No outages occurred during the POC.
- Pilot: Next, from early 2009 to early 2011, Cisco CSIRT extended the solution to all 3000 employees on the RTP campus. Every web request initiated over a wired or wireless network was redirected to one of four Cisco IronPort WSAs. During the pilot, the IronPort appliances blocked one percent of all web traffic, representing four million objects that otherwise might have infected the network or led to information leakage.
- Enterprise Deployment: Cisco IT has begun deploying the Cisco IronPort WSAs in other large campus sites, beginning with offices whose Internet traffic is routed through RTP. "Scaling from 3000 to 30,000 users only requires changing an access list, enabling WCCP on the routers, and pointing the routers to the IronPort WSAs," says Bollinger. IronPort WSAs are also currently in production on the San Jose, California and Bangalore campuses. Users do not notice any change when their web requests are sent through the proxy server.
----
@NetwaxLab