IronPort Email - PowerPoint PPT Presentation

Provided by: PeterSc153
Transcript and Presenter's Notes

1
IronPort Email Web Gateway Security Solutions
  • PROTECTING OVER 300 MILLION EMAIL BOXES WORLDWIDE

Frederic Benichou, Director, South Europe,
Middle-East & Africa, IronPort Systems
2
IronPort Consolidates the Email Perimeter
Before IronPort
Internet
Firewall MTAs
Anti-Spam Anti-Virus Policy Management Mail
Routing
Groupware
Users
3
IronPort Industry Leadership
  • Global Leadership
  • Founded in 2000, based in San Bruno, CA
  • 35 offices in 25 countries
  • Approx 380 people
  • Analyst Leadership
  • Recognized as leader by Gartner, Meta, IDC,
    Forrester, Bloor
  • Customer Leadership
  • About 3000 customers in 75 countries
  • 8 of the 12 largest ISPs
  • 20 of the largest Enterprises (Global 2000)
  • 300 million mailboxes protected
  • US Armed Forces Government
  • Technology Leadership
  • First with custom, high performance MTA
  • First with Reputation Filtering (SenderBase)
  • First with Virus Outbreak Filters

4
Sample customers in France
10,000 mailboxes
Cipa
1,000 mailboxes
Comexpo
SNC Gestor
5
Case Study Société Générale
6
Multi-Layered Security Preventive Reactive
Defense in Depth
Preventive Layer
  • Immediate Reaction to Threats
  • Extremely High Performance
  • Coarse Outer Layer
  • Blocks or Rate Limits

Reactive Layer
  • Adapts Over Time
  • Computationally Intensive
  • Fine-grained Inner Layer
  • Delete or Quarantine
7
SenderBase / Threat Operations Center
SenderBase
TOC
Team of security experts
8
IronPort Integrated Secured Gateways
  • Email Security: C Series
  • Web Security: S Series
  • Security Management: M Series

9
IronPort Email Security Appliances
  • High Performance Email Security Appliances
    Stopping Spam, Viruses and Other Email
    Threats, Enforcing Email Policies, and Reducing
    Admin Costs for Enterprises and Service Providers

IronPort X1000
IronPort C10
IronPort C300/C600
10
IronPort Architecture for Multi-Layered Email
Security
MANAGEMENT TOOLS
DEFENSE AGAINST SPAMs
CONTENT PROCESSING
DEFENSE AGAINST VIRUS
EMAIL AUTHENTICATION
ASYNCOS MTA PLATFORM
11
AsyncOS Unmatched Scalability and Security
MANAGEMENT TOOLS
DEFENSE AGAINST SPAMs
CONTENT PROCESSING
DEFENSE AGAINST VIRUS
EMAIL AUTHENTICATION
ASYNCOS MTA PLATFORM
AsyncOS: scalable and secure OS optimized for messaging
Email Identity Protection: secures enterprise identity
Standards-based Integration: replaces legacy systems with ease
12
AsyncOS Revolutionary MTA Platform
Traditional Email Gateways And Other Appliances
IronPort Email Security Appliance
13
AsyncOS Advanced Email Identity Protection
Intelligent Bounce Handling
Virtual Gateway Technology
Directory Harvest Attack Prevention
  • Protects Against: Blacklisting of your IPs from intentional NDRs. Unique Advantage: Distinct IPs for NDRs, in-conversation recipient checking
  • Protects Against: Theft of your user database by spammers. Unique Advantage: Integrates with SenderBase to track global attacks
  • Protects Against: Inadvertent blockage of your corporate mail. Unique Advantage: Provides up to 256 unique IP addresses per appliance
14
AsyncOS Standards Based Integration
LDAP
DNS
Advanced Networking
Essential Mail Operations
15
Best of Breed, Multi-layer Spam Defense
MANAGEMENT TOOLS
ANTI-SPAM DEFENSE
CONTENT PROCESSING
ANTI-VIRUS DEFENSE
EMAIL AUTHENTICATION
PREVENTIVE
REACTIVE
ASYNCOS MTA PLATFORM
IronPort Reputation Filters: the outer layer of defense
IronPort Anti-Spam: stops the broadest array of threats (spam, phishing, fraud)
16

IronPort Reputation Filters Stop 80% of Hostile
Mail at the Door.
Incoming Mail: Good, Bad, and Grey or Unknown Email
Reputation Filtering (SenderBase)
  • Known good: delivered
  • Suspicious (e.g. score -4 to -1): rate limited and passed through the Anti-Spam filter
  • Known bad (e.g. score -10 to -4): connection rejected
Anti-Spam Engine
  • IronPort uses identity reputation to apply
    policy
  • Sophisticated response to sophisticated threats

17
A wide sample of parameters, for a reliable
assessment of Reputation
Good Reputation
Only Sending to Valid Recipients
Good Sending History
Reverse DNS Works
Average Reputation
Volume Spike
Blacklisted
System Tolerant of Anomalies
Poor Reputation
18
Positive Negative Reputation
19
Customer case: Marseille-Nice Universities, 30,000
users
Universités Numériques Région PACA
20
IronPort Reputation Filters Dell Case Study
  • Dell's challenge
  • Dell currently receives 26M messages per day
  • Only 1.5M are legitimate messages
  • 68 existing gateways running Spam Assassin were
    not accurate
  • IronPort solution
  • Reputation filters block over 19M messages per
    day
  • 5.5M messages per day scanned by Symantec
    Brightmail
  • Replaced 68 servers with 8 IronPort C60s
  • Accuracy of spam filtering increased 10x
  • Servers consolidated by 70%
  • Operating costs reduced as much as 75%

"IronPort has increased the quality and reliability of our network operations, while reducing our costs." -- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation
21
IronPort Anti-Spam High Performance, No
Administration
  • Leading Efficacy
  • CASE (Content Adaptive Scanning Engine)
    optimized for blended threats
  • Multiple sources
  • Industry leading throughput
  • Virtually Zero False Positives
  • Approx 1 in 1 million
  • No administrative burden
  • Install and walk away
  • Automatic filter updates, no tuning required
  • System adapts to new threats without manual
    tweaking of rules

22
IronPort's Context Adaptive Scanning Engine (CASE)
Competitive Solutions
IronPort Anti-Spam
  • What? Message Content: What content is included in this message?
  • How? Message Structure: How was this message constructed?
  • Who? Email Reputation: Who is sending you this message?
  • Where? Web Reputation: Where does the call to action take you?
23
New types of spam: More difficult to detect
URL is not that of Red Cross
URL
100% legitimate content
Passage from a text book
24
Recent trends in Spam
Average Daily Spam Volume (billions msgs)
110
Spam with an Embedded Image
421
25
Image-based spam techniques
  • "Polka dots" make every message appear unique
    to signature-based anti-spam filters
  • Images broken down into sub-parts and then
    reassembled
  • IronPort has unique techniques to detect this
    spam, including
  • MPR: Multidimensional Pattern Recognition

26
LabTests results Catch Rate Results
27
Termination of IP-Symc partnership
  • Letter sent by IronPort to customers on Friday,
    Oct. 19
  • Almost all customers migrated to IPAS by now for
    quality reasons
  • In Q3 6 BM attach rate 91 IPAS attach rate
  • IPAS technical superiority, as confirmed by the
    tests conducted by independent lab LabTests

28
The IronPort Spam Quarantine (ISQ) and the
M-Series appliance
  • No helpdesk calls
  • Self-service end-user spam quarantine
  • Web UI, Digest Email, Advanced Search
  • Authenticate users with LDAP, AD, or IMAP/POP
  • Automatic disk space management
  • Flexible deployment
  • On-box or centralized quarantine with IronPort
    M-Series appliance

29
Best of Breed, Multi-layer Virus Defense
MANAGEMENT TOOLS
ANTI-VIRUS DEFENSE
ANTI-SPAM DEFENSE
CONTENT PROCESSING
EMAIL AUTHENTICATION
PREVENTIVE
REACTIVE
ASYNCOS MTA PLATFORM
IronPort's Virus Outbreak Filters: stop outbreaks 14 hours ahead of signatures
Sophos AntiVirus: signature-based solution with industry-leading accuracy
30
Today's Anti-Virus Solutions Inadequate
Millions of infections occur during this period.
Anti-Virus Signature Release Timeline
Capture Virus Sample
Issue Customer Alert
Analyze Virus Sample
Release Signature
Update Signature
Generic signatures don't always work.
See booklet "The New Anti-Virus Formula" by
John Dickinson: www.ironport.com/guide
31
How Virus Outbreak Filters Work: IronPort Threat
Operations Center (TOC)
  • Continuous monitoring & analysis
  • Real-time & historical data visualization
  • Automated alerts
  • Human verification
  • The IronPort gateway downloads the updated rules
    from the TOC every 5 minutes,
  • and puts the concerned messages in the
    Quarantine (queue in the MTA)

Manager, Threat Operations Center
INSIDE THE TOC
  • Expert team of skilled analysts
  • Staffed 24 x 7 x 365
  • 32 languages spoken
  • Documented & verified processes
  • State-of-the-art tools & techniques

32
How Virus Outbreak Filters Work: Dynamic
Quarantine In Action
Messages Scanned & Deleted
  • T = 0
    - zip (exe) files
  • T = 5 mins
    - zip (exe) files
    - Size 50 to 55 KB
  • T = 10 mins
    - zip (exe) files
    - Size 50 to 55 KB
    - "Price" in the file name
  • T = 8 hours
    - Release messages if signature update is in place

33
The Virus Outbreak Filters advantage
Virus Name | Date | IronPort Protection Starts | First Anti-virus Signature Available | Outbreak Filter Lead Time
Looksky.G | 1/6/06 | 2:32 PM | 2:12 AM (two days later) | 35:40 hours
Nyxem-D (Kama Sutra) | 1/16/06 | 2:36 PM | 3:22 PM | 1:27 hours
Sober-Z | 11/21/05 | 8:07 PM | 12:45 AM (the next day) | 4:38 hours
Mabutu-A | 11/17/05 | 12:58 AM | 1:24 PM | 12:26 hours
Zotob.C | 8/16/05 | 1:56 AM | 4:47 AM | 2:51 hours
Sober-N | 5/5/05 | 3:58 PM | 5:19 PM | 1:21 hours
MyTob.G | 3/24/05 | 11:30 PM | 12:58 PM (the next day) | 13:28 hours
Multiple Bagle variants | 2/27/05 | 10:39 AM | 4:22 AM (2 days later!) | 41:43 hours
Mydoom.BB | 2/15/05 | 6:08 PM | 10:54 PM (the next day) | 28:46 hours
Wurmark-D | 1/10/05 | 10:02 AM | 6:09 AM (the next day) | 20:05 hours

Average additional protection time: 14 hours
Out of a total of blocked attacks: 175 outbreaks
Feb 2005 to January 2006 (GMT)
34
Virus Outbreak Filters recent results: eWEEK
Review, September 2006
VOF blocked 100% of the new virus outbreaks in
the past 5 months
  • Review Overview
  • 5 month test by eWEEK, large independent, weekly
    IT magazine
  • 1217 virus positive emails stopped before AV
    signatures were available
  • 48 separate virus variants blocked
  • 0 false positives reported

Viral Messages Stopped By Month
Viral Messages Stopped By Variant
Review Quotes: "We never saw a false positive" "(Virus Outbreak Filters) effectively blocked messages containing viruses for which signatures didn't already exist" - Mike Caton, Technical Writer
35
IronPort Content Scanning: Inbound/Outbound
Message Filtering for Compliance
MANAGEMENT TOOLS
VIRUS DEFENSE
SPAM DEFENSE
CONTENT PROCESSING
EMAIL AUTHENTICATION
ASYNCOS MTA PLATFORM
  • Content filtering
  • Compliance (e.g. SOX)
  • Digital Rights Management
  • Information leakage prevention
  • Rules per user groups
  • Encryption: IronPort acquires PostX
36
PostX One Platform, Three Solutions
1
PostX SecureEmail Secure Desktop Messaging
PostX Envelope Offline, Registered and signed
Push
PostX MessagingApplication Platform
37
Email Authentication
MANAGEMENT TOOLS
DEFENSE AGAINST VIRUS
DEFENSE AGAINST SPAMs
CONTENT PROCESSING
EMAIL AUTHENTICATION
ASYNCOS MTA PLATFORM
  • DomainKey Signing: protection of corporate identity
  • IronPort Bounce Verification: protection against bounce redirection attacks
  • Directory Harvest Attack Prevention
38
IronPort DomainKeys: Protects domain identity and
protects against phishing
  • Ensures the proper identity of the source domain
  • More than 200 million mail boxes use DomainKeys
  • Easy deployment (private key, DNS-based public
    key)

39
IronPort Bounce Verification: Protects against
bounce-message attacks
  • All outgoing messages are stamped.
  • Legitimate bounce messages coming back are
    recognized by this stamp
  • Transparent and autonomous

40
Management tools: Reduction in admin costs
MANAGEMENT TOOLS
DEFENSE AGAINST VIRUS
DEFENSE AGAINST SPAMs
CONTENT PROCESSING
EMAIL AUTHENTICATION
ASYNCOS MTA PLATFORM
  • Email Security Manager: unified policy management
  • Centralized Management: manage units around the world
  • Mail Flow Monitor: real-time reporting
  • Mail Flow Central: centralized reporting and tracking
41
IronPort Email Security Manager: Single view of
policies for the entire organization
Categories by Domain, Username, or LDAP
  • Allow all media files
  • Quarantine executables

IT
  • Mark and Deliver Spam
  • Delete Executables

SALES
  • Archive all mail
  • Virus Outbreak Filters disabled for .doc files

LEGAL
"Email Security Manager serves as a single, versatile dashboard to manage all the services on the appliance." -- PC Magazine, 2/22/05
42
IronPort Centralized Management
  • Log in anywhere, control everywhere
  • Interface assures configuration consistency
  • Apply changes to a machine, group, or cluster
  • Test on single system, promote to cluster

SJ1 Machine
SJ2 Machine
D1 Machine
D2 Machine
T1 Machine
T2 Machine
SJ3 Machine
D3 Machine
T3 Machine
San Jose Group
Dublin Group
Tokyo Group
IRONPORT CLUSTER
43

Mail Flow Monitor
44
(No Transcript)
45
Customer case: Comverse, 6,000 users
46
Example of protection at Danone
1
Attempted SMTP connections
IronPort at Groupe DANONE
2
Same origin ?
Same IP?
3
47
Zooming on the specific domain
Information from Reputation Filters and from
SenderBase
48
Graph
A single IP address tried to send 130,450 messages
Administrator checks the box to blacklist the IP
1
2
49
Reduction in admin costs at Danone
  • Administration
  • Administration is reduced to alert monitoring and
    update follow-up
  • Fast Email Tracking to search for any email
    message

50
Example of Tracking Result
51
IronPort Integrated Secured Gateways
  • Email Security: C Series
  • Web Security: S Series
  • Security Management: M Series

52
Malware: an exploding phenomenon
Growth in Keyloggers 2000-2005
Number of spyware (in thousands)
Total Reported
Source iDefense Labs, November 2005
Source State Of Spyware Report, 2006
  • Spyware, Keyloggers, Trojan Horses, Botnets,
    Zombies, etc.
  • 65% growth in 2005 vs. 2004
  • Cost of malware: 150 per PC per year;
    commercial risk; legal responsibility

53
IronPort S Series Web protection at 3 levels
54
Architecture for a multi-layer Web security
MANAGEMENT TOOLS
IronPort L4 Traffic Monitor
IronPort Anti-Malware System
IronPort Web Reputation Filters
IronPort Policy Filters
IronPort AsyncOS Web Security Platform
55
1. Blocks access to infected sites: Web
Reputation
  • Blocks connection
  • infected sites
  • phishing
  • etc.

Anti-Malware scanning
Allows connection (good sites)
56
2. Filters malicious content: IronPort
Anti-Malware System
  • Anti-malware engine
  • DVS Engine, supporting multiple verdict engines
  • Webroot
  • others
  • High accuracy level
  • Very high performance for scanning on the
    fly (content streaming)
  • Zero administration

VERDICT ENGINE 1
VERDICT ENGINE 2
IRONPORT DVS ENGINE
VERDICT ENGINE N
REPUTATION-BASED VERDICT CACHING
57
3. Detects & blocks communications to outside
host servers: L4 monitor
  • Detects any spyware or keylogger activity to an
    outside host (phone home)
  • On any of the 65,535 ports
  • Working around port 80
  • 2 modes: monitor only, or monitor & block
  • Internet

X
X
Firewall
Port 80
IronPort S-Series
PROXY
L4 TRAFFIC MONITOR
X
X
58
IronPort Integrated Secured Gateways
  • Email Security: C Series
  • Web Security: S Series
  • Security Management: M Series

59
IronPort M Series management for C and S Series
  • Centralized Spam Quarantine
  • Centralized statistics / reporting / tracking
    for C and S Series

60
Questions - Answers
  • DO NOT BELIEVE OUR WORD
  • CHECK IT OUT BY YOURSELF !!
  • Free evaluation in production
  • Be informed of all new virus alerts by
    registering on http://www.ironport.com/toc/
  • For all information: fr-info_at_ironport.com

61
The IronPort advantage
  • New generation MTA
  • Performance, robustness, intelligence, easy
    integration to architecture
  • Multi-layer Anti-Spam Protection
  • Reputation Filters: 70% of traffic blocked
    before entering the network
  • Content-level AS: efficient, no false positives,
    zero administration, efficient against
    image-based spam, advanced Web Reputation
    concept
  • Preventive Protection against viruses
  • On average 14 hours additional protection ahead
    of AV
  • Dramatic decrease in Email administration costs
  • Administrative costs typically divided by 10
  • Market leadership and continued innovation