Ironport Training 1


Transcript of Ironport Training 1

Page 1: Ironport Training 1

Eric Ng, 9/20/2004

Technical Presentation - Version 3.8

World Class Products for ISPs, Enterprises, and SMBs

The Email Security Crisis is Real

• Spam
– Growth in volume remains unabated

• Email-borne threats constantly evolve
– New viruses, worms, and DoS attacks continue to appear

• Fraud
– Phishing is a growing threat, undermining consumer confidence in email

• The root cause is the anonymity of Simple Mail Transfer Protocol
– The ease of forgery prevents reliable identification of senders
– 20-year-old protocol with no mechanism for sender authentication

“The protocol that has defined e-mail for more than two decades may have a fatal flaw: It trusts you.”

Paul Festa, CNET

Page 2: Ironport Training 1

Best of TechEd 2004 Awards, Windows Infrastructure Solutions (HW), Windows & .Net Magazine

“IronPort Systems’ C60 Gateway Appliance combines spam blocking and anti-virus protection. It combines a number of different sources to determine if mail is real, provides the best support for spam, and minimizes an enterprise’s exposure to threats that arrive via email.”

David Chernicoff, judge and Senior Contributing Editor for Windows & .NET Magazine
http://www.winnetmag.com/Article/ArticleID/42789/42789.html

• Revolutionary MTA Platform for High Availability

• Threat Prevention with IronPort Reputation Filters™

• Content Scanning for Policy Enforcement

• Spam Detection with Brightmail™ Anti-Spam

• Virus Detection with Sophos™ Anti-Virus

Page 3: Ironport Training 1

IronPort Customers

IronPort C-Series Products

IronPort C-Series Messaging Gateway™ Appliances

IronPort C60

IronPort C30

IronPort C10

Page 4: Ironport Training 1

IronPort: “Fixing Email”

• The vulnerability exposed by spam, viruses, phishing is inherent to the email protocol, SMTP

• IronPort is rebuilding the world’s email infrastructure with:

1. Advanced authentication standards

2. A holistic view of a sender’s traffic patterns reveals their trustworthiness

3. Intelligently apply filtering techniques based on the apparent threat

(Pillars: IDENTITY, POLICY, REPUTATION)

IronPort C-Series = Server Consolidation

(Diagram: BEFORE IRONPORT / AFTER IRONPORT)

Page 5: Ironport Training 1

ROI of the IronPort C-Series Appliance

• Effective spam filtering
– Enhances user productivity, reduces load on network infrastructure

• High throughput performance and high availability features
– Protection from email-based DDoS attacks

• Server consolidation and ease of management
– The intelligence of the IronPort C60 reduces administrative burden by as much as 75%, allowing IT staff to do more with less

• Reputation filters prevent threats from entering your network
– Enhancing network security from worms, viruses and illicit content

The IronPort C-Series offers consolidated email security

IronPort AsyncOS Platform

Page 6: Ironport Training 1

IronPort AsyncOS™

• IronPort’s purpose-built Operating System
– Stackless Threads yield over 10,000 simultaneous connections
– I/O Based Scheduler efficiently assigns resources to proper threads
– AsyncFS™: Database-like file system that ensures throughput does not drop as queues build
– Hardened OS is highly secure – no stack overflow problems, no open ports, all non-essential services removed

• Next generation Mail Transport Agent (MTA)
– Built for today’s needs: security, performance, and ease of use
– No legacy vulnerabilities lurking under the covers

IronPort Revolutionary MTA Platform

• Evolving threats such as MyDoom and Bagle cripple legacy MTAs

• AsyncOS™: built for email Availability
– Threading model, scheduler, and file system designed for the mail gateway
– IronPort C60 is capable of 140 messages per second, 10x that of traditional MTAs
– 10,000 simultaneous connections, 50x traditional MTAs

Page 7: Ironport Training 1

See what was happening with our customer’s system… (which was being DoS-attacked!)

… and what would have happened with others?

801 inbound connections!

IronPort Reputation Filters

Page 8: Ironport Training 1

Traditional Mail Gateways Treat All Mail the Same Way

• Equal treatment of mail regardless of source
• Concerns with false positives require lowering of anti-spam filter sensitivity
• Reduced sensitivity results in lower capture rates

(Diagram: Traditional MTA → Contents Filter → Reduced capture, False Positives)

Reputation Filtering Stops 75% of Hostile Mail at the Door…

• Known good is delivered

• Suspicious is throttled & spam filtered

• Known bad is deleted/tagged

• IronPort uses identity & reputation to apply policy
– Trusted Known senders bypass spam filters
– Suspicious Unknown senders are throttled & filtered
– Hostile senders are deleted or tagged

Sophisticated Response to Email Threats

Page 9: Ironport Training 1

SenderBase: Email Traffic Monitoring Network

• 50,000 contributing organizations

• 3 billion queries daily

• >25% of world’s Internet email

(Diagram: SenderBase data sources)

– Global Volume Data: 50,000 organizations (25% of all email)

– Blacklists: SpamCop, SpamHaus (SBL), NJABL, SORBS, OPM, DSBL…

– Open Proxy Data

– Other Data: Fortune 1000 status, length of sending history, location, whether domain accepts email, etc.

– Authenticated Unknown Sender: 3rd party email accreditation → Reputation Established

– Message Composition Data: message size, number of attachments, attachment types

– Spamtraps & Complaint Data: extensive network of “invalid” accounts; SpamCop, ISP abuse data, BondedSender abuse data

SenderBase: Leading Email Reputation Service

• Free and open service to anti-spam community

• Provides “credit report” on senders

• Data from 20,000 networks

• Open, Transparent and Objective

• Tracks 30 million IP addresses, 600,000 domains

• Used by 30,000 mail administrators

• Data tightly integrated with IronPort C-series appliances

Visit SenderBase today: www.senderbase.org

Page 10: Ironport Training 1

IronPort Reputation Filtering

• SenderBase Reputation Service returns a score based on the probability that a message from a given source is spam
– The SenderBase Reputation Score (SBRS) is a numeric value assigned to an IP address based on information from the SenderBase Reputation Service

• Objective data in the Mail Flow Monitor user interface
– Allows mail administrators to get a more complete picture of who is sending them email

• Action applied to SBRS ranges
– Drop, accept, add footprint, etc

SenderBase Reputation Score (SBRS): scale from -10 to +10

Intelligent Protection for Dell

• Dell’s challenge:
– Dell currently receives 26M messages per day
– Only 1.5M are legitimate messages
– 68 existing gateways running Spam Assassin were not accurate

• IronPort solution:
– Reputation filters block over 19M messages per day
– 5.5M messages per day scanned by Symantec Brightmail
– Replaced 68 servers with 8 IronPort C60s

• Accuracy of spam filtering increased 10x
• Servers consolidated by 70%
• Operating costs reduced as much as 75%

“IronPort has increased the quality and reliability of our network operations, while reducing our costs.”
-- Tim Helmsetetter, Manager, Global Collaborative Systems Engineering and Service Management, Dell Corporation

Page 11: Ironport Training 1

SBRS In Action

SBRS -5.5

This IP is listed in multiple blacklists / open proxy lists

Page 12: Ironport Training 1

Email Traffic Control - Throttling

• Based on SenderBase Reputation Score (SBRS) or Domain / IP:
– Max messages per session
– Max recipients per message
– Max recipients per hour
– Max message size
– Max concurrent connections

• E.g.:

                             Unknown senders                  Bad reputation senders (SBRS < -4)
  Concurrent connections     No other concurrent connection   No other concurrent connection
  Message size               1MB                              1KB
  Recipients per hour        10                               2
  Recipients per message     5                                1
  Messages per connection    1                                1

IronPort Appliances Apply Policy Based on Sender Reputation

• Customers: 10MB attachment, no filters
• Vendors: 2MB attachment, no filters, TLS
• Unknown: 1MB attachment, spam filters, throttle
• Hostile: TCP refuse

• Enhances network security with perimeter-based policies
• Tailor mail flow policies to meet the diverse needs of large corporations

Page 13: Ironport Training 1

Phased Approach to Reputation Filter

  SBRS        Phase 1 applied policy   Phase 2 applied policy
  6 to 10     TRUSTED                  TRUSTED
  -1 to 5     Default                  Default
  -6 to -2    Default                  THROTTLE
  -10 to -7   THROTTLE                 BLOCK
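The throttling table and the phased policy table can be joined into one admission decision per message. The Python below is an example added here, not IronPort code or AsyncOS configuration: the score bands, phase names and throttle values are copied from the two slides, while the names policy_for, limits_for, admit_message and Limits are assumptions of this example. Two points the slides leave open are made explicit: scores that fall in the gaps between bands (5 to 6, -2 to -1, -7 to -6) are treated as Default, and the throttle slide draws its line at SBRS < -4 while the phased table uses -6 to -2, so both thresholds are applied exactly as printed.

```python
"""SBRS-driven policy and throttling, joined into one admission check.

Added example, not IronPort code: the score bands, phase names and throttle
values come from the slide tables; the function and field names are assumptions
of this example.  Scores in the gaps the table leaves (5 to 6, -2 to -1,
-7 to -6) fall back to "Default" here, which the slide does not state.
"""
from dataclasses import dataclass
from typing import Optional

# (low, high, phase-1 policy, phase-2 policy) from the "Phased Approach" table.
SBRS_BANDS = [
    (6.0, 10.0, "TRUSTED", "TRUSTED"),
    (-1.0, 5.0, "Default", "Default"),
    (-6.0, -2.0, "Default", "THROTTLE"),
    (-10.0, -7.0, "THROTTLE", "BLOCK"),
]


@dataclass(frozen=True)
class Limits:
    """One column of the throttling table (sizes in bytes)."""
    max_concurrent_connections: int
    max_message_bytes: int
    max_recipients_per_hour: int
    max_recipients_per_message: int
    max_messages_per_connection: int


# The two example columns from the "Email Traffic Control - Throttling" slide.
UNKNOWN_LIMITS = Limits(1, 1_000_000, 10, 5, 1)
BAD_REPUTATION_LIMITS = Limits(1, 1_000, 2, 1, 1)   # applies when SBRS < -4


def policy_for(sbrs: float, phase: int) -> str:
    """Applied policy for a score under phase 1 (throttle only) or phase 2 (block)."""
    if not -10.0 <= sbrs <= 10.0:
        raise ValueError(f"SBRS out of range: {sbrs}")
    if phase not in (1, 2):
        raise ValueError(f"unknown phase: {phase}")
    for low, high, phase1, phase2 in SBRS_BANDS:
        if low <= sbrs <= high:
            return phase1 if phase == 1 else phase2
    return "Default"   # assumption: gaps between bands get the default policy


def limits_for(sbrs: float) -> Optional[Limits]:
    """Throttle column for a score; TRUSTED senders are not throttled on the slide."""
    if sbrs >= 6.0:
        return None
    return BAD_REPUTATION_LIMITS if sbrs < -4.0 else UNKNOWN_LIMITS


def admit_message(sbrs: float, phase: int, size_bytes: int, recipients: int) -> str:
    """Decision for one message: 'block', 'accept', or the reason the throttle rejects it.

    'accept' only means the message continues to the next stage: spam filtering
    for Default/THROTTLE senders, bypassing it for TRUSTED senders."""
    policy = policy_for(sbrs, phase)
    if policy == "BLOCK":
        return "block"            # slide: hostile senders get TCP refuse
    limits = limits_for(sbrs)
    if limits is None:
        return "accept"
    if size_bytes > limits.max_message_bytes:
        return f"reject: message exceeds {limits.max_message_bytes} bytes"
    if recipients > limits.max_recipients_per_message:
        return f"reject: more than {limits.max_recipients_per_message} recipients"
    return "accept"


if __name__ == "__main__":
    # The SBRS values -5.5 and -1.1 are the ones shown elsewhere in the deck.
    for score in (8.0, -1.1, -5.5, -8.0):
        print(score, policy_for(score, 1), policy_for(score, 2),
              admit_message(score, 2, 5_000, 1))
```

Running the block prints, for each score, the phase 1 and phase 2 policies and the phase 2 decision for a 5 KB single-recipient message; the -5.5 sender is rejected on size because it falls under the 1 KB bad-reputation limit, while -1.1 is accepted under the unknown-sender limits.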

Joe-Jobbing

(Diagram: Spammer → goat.com)
From: [email protected]  To: [email protected]
Bounce To: [email protected]  “No such user, here’s your *original* message”

1. Spam is sent with [email protected] as a forged envelope sender address – [email protected] is the victim!

2. Spam is sent to an invalid email address, which the server will “bounce” (with the original message) to the forged envelope sender

3. [email protected] receives the spam as a bounced message

4. [email protected] sees that the spam is from goat.com

Page 14: Ironport Training 1

Misdirected Bounces / Joe-Job

• This is a DDoS attack using a normal company's email system as a launch site for NDRs.

• The company's email servers would do the right thing for non-existent recipients, that is, bounce them back to the MAIL FROM.

• If you put the DDoS target's email address there, you could use this company’s server to flood that target with NDRs. Hundreds or thousands per second.

Email Acceptance by LDAP

• Lookup to the LDAP directory server
• Determine if the email is sent to a valid recipient
• Drop or bounce emails to those invalid recipients

(Diagram: Internet emails → LDAP Directory lookup → User mailbox; email drops if the recipient name doesn’t exist in the LDAP directory)
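The contrast between the two slides above, accept-then-bounce against recipient validation in the SMTP dialogue, can be made concrete with a small simulation. The Python below is an example added here, not IronPort code: the directory is a constructed in-memory set standing in for the LDAP lookup, the reply texts and the helper names rcpt_to_reply and ndrs_generated are mine, and the envelope batch is constructed to resemble the joe-job described on the slide. It counts how many NDRs leave the site under each behaviour.

```python
"""Recipient validation during the SMTP dialogue versus accept-then-bounce.

Added example, not IronPort code.  The "directory" is a constructed in-memory
set standing in for the LDAP lookup the slide describes; the envelope list, the
helper names (rcpt_to_reply, ndrs_generated) and the reply texts are mine.
It shows why validating RCPT TO at the gateway removes the joe-job amplifier:
a refused recipient produces no NDR from this site at all."""
from typing import Iterable, Tuple

# Constructed directory for the protected domain used on the slides.
DIRECTORY = frozenset({"alice@acme.com", "bob@acme.com"})


def recipient_exists(address: str, directory=DIRECTORY) -> bool:
    """Stand-in for the LDAP query; a real deployment matches a mail attribute."""
    return address.strip("<> ").lower() in directory


def rcpt_to_reply(address: str, directory=DIRECTORY) -> str:
    """SMTP reply a validating gateway returns to RCPT TO:<address>."""
    if recipient_exists(address, directory):
        return "250 2.1.5 Recipient ok"
    return "550 5.1.1 User unknown"


def ndrs_generated(envelopes: Iterable[Tuple[str, str]], directory=DIRECTORY,
                   validate_at_rcpt: bool = True) -> dict:
    """Count what leaves the site for a batch of (MAIL FROM, RCPT TO) envelopes.

    Legacy behaviour (validate_at_rcpt=False): every message is accepted, and each
    one for an unknown recipient is later bounced to MAIL FROM, unless MAIL FROM is
    the null sender <>, which must never receive a bounce.
    Validating behaviour: unknown recipients are refused with 550 in-session, so
    this gateway sends no NDR; any bounce is the remote MTA's to generate."""
    counts = {"accepted": 0, "refused": 0, "ndr_sent": 0}
    for mail_from, rcpt_to in envelopes:
        if recipient_exists(rcpt_to, directory):
            counts["accepted"] += 1
            continue
        if validate_at_rcpt:
            counts["refused"] += 1
        else:
            counts["accepted"] += 1
            if mail_from.strip() not in ("<>", ""):
                counts["ndr_sent"] += 1
    return counts


# Constructed joe-job batch: the forged MAIL FROM points at the victim, the
# RCPT TO addresses are guesses at acme.com, most of which do not exist.
JOE_JOB_BATCH = [
    ("<victim@example.org>", "<alice@acme.com>"),
    ("<victim@example.org>", "<nosuchuser1@acme.com>"),
    ("<victim@example.org>", "<nosuchuser2@acme.com>"),
    ("<victim@example.org>", "<nosuchuser3@acme.com>"),
    ("<>", "<nosuchuser4@acme.com>"),   # null sender: no MTA may bounce this
]


if __name__ == "__main__":
    print("legacy MTA  :", ndrs_generated(JOE_JOB_BATCH, validate_at_rcpt=False))
    print("validating  :", ndrs_generated(JOE_JOB_BATCH, validate_at_rcpt=True))
```

With the legacy behaviour the batch yields three NDRs aimed at the victim; with validation at RCPT TO it yields none, and the unknown recipients are refused before any message data is accepted.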

Page 15: Ironport Training 1

Policy Management and Content Scanning

Content Scanning for Policy Enforcement

• High performance content scanning engine
– Standard content scanning systems cripple gateways

• Flexible message scanning
– Scan headers, bodies, attachment type, size, encryption
– Open and recursively scan attachments
– Powerful regular expression searches find any matching content

• Actions include: remove inappropriate attachments, notify appropriate personnel, return to sender, archive

• Distinct policies for internal groups through LDAP

“IronPort’s content scanning engine is the most scalable we’ve ever tested.”

-- SG Cowen

Page 16: Ironport Training 1

Filter Samples

• Filter rule to identify emails that spoof my domain:

    catch_my_domain_spoof:
    if ((mail-from == "my_domain.com") AND
        (remote-ip != "192.168.1.1")) {
        strip-header("Subject");
        insert-header("Subject", "[My_Domain_Spoof] $Subject");
        alt-rcpt("[email protected]");
        deliver();
    }

• Filter rule to block emails that have nothing in “From”:

    block_null_addresses:
    if (header("From") == "^$|<\\s*>") {
        drop();
    }

Filter Samples

• Filter rule to drop attachments for an LDAP group:

    no-attach_group:
    if (rcpt-group == "CN=no-attch,CN=Users,DC=acme,DC=com") {
        drop-attachments-by-filetype("Executable");
        drop-attachments-by-filetype("Media");
        drop-attachments-by-filetype("compressed");
    }

• Filter rule to quarantine outgoing email with profanity:

    quarantine_profanity:
    if (dictionary-match("bad.words")) {
        bcc("[email protected]");
    }
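Before a filter like the first two above goes live it is worth exercising its conditions against known inputs. The Python below is an example added here, not IronPort code and not AsyncOS filter syntax: it re-expresses the spoof test and the null-From test so they can be run offline. The regular expression is the one from block_null_addresses, and my_domain.com and 192.168.1.1 come from catch_my_domain_spoof; the helper names are mine. It goes one step beyond the slide by accepting a list of authorised sending networks instead of a single address.

```python
"""Offline check of two message-filter conditions from the slide.

Added example, not IronPort code and not AsyncOS filter syntax: the conditions
are re-expressed in Python so they can be exercised against constructed inputs
before the filter goes live.  The regular expression is the one from
block_null_addresses; my_domain.com and 192.168.1.1 come from
catch_my_domain_spoof.  It generalises the slide in one way: the authorised
source is a list of networks rather than a single IP address."""
import ipaddress
import re

# Regex from the block_null_addresses filter: empty header, or empty angle brackets.
NULL_FROM = re.compile(r"^$|<\s*>")

MY_DOMAIN = "my_domain.com"
# Hosts allowed to send as MY_DOMAIN.  The slide lists a single IP; outbound
# relays would be added here as further networks.
AUTHORIZED_SOURCES = [ipaddress.ip_network("192.168.1.1/32")]


def from_header_is_null(value: str) -> bool:
    """True for an empty From: header or one like "<>" or "< >"."""
    return NULL_FROM.search(value) is not None


def envelope_domain(mail_from: str) -> str:
    """Domain part of an envelope sender such as "<user@my_domain.com>"."""
    return mail_from.strip("<> ").rpartition("@")[2].lower()


def spoofs_my_domain(mail_from: str, remote_ip: str,
                     authorized=AUTHORIZED_SOURCES) -> bool:
    """Envelope sender claims MY_DOMAIN but the connection is not from an authorised source."""
    if envelope_domain(mail_from) != MY_DOMAIN:
        return False
    ip = ipaddress.ip_address(remote_ip)
    return not any(ip in net for net in authorized)


def matching_filters(mail_from: str, remote_ip: str, from_header: str) -> list:
    """Names of the slide's filters whose condition a message satisfies."""
    fired = []
    if spoofs_my_domain(mail_from, remote_ip):
        fired.append("catch_my_domain_spoof")
    if from_header_is_null(from_header):
        fired.append("block_null_addresses")
    return fired


if __name__ == "__main__":
    # Constructed test vectors: (envelope sender, remote IP, From: header)
    for case in [("<ceo@my_domain.com>", "203.0.113.5", "CEO <ceo@my_domain.com>"),
                 ("<ceo@my_domain.com>", "192.168.1.1", "CEO <ceo@my_domain.com>"),
                 ("<x@goat.com>", "203.0.113.5", "<>")]:
        print(case, "->", matching_filters(*case))
```

Note that the two filters test different identities: catch_my_domain_spoof looks at the envelope sender (mail-from) and the connecting IP, while block_null_addresses looks at the From: header, so a message can match either, both, or neither.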

Page 17: Ironport Training 1

Brightmail Spam Detection

Symantec Brightmail is Technology Leader

• 99.9999% accurate, catches over 95% of spam
– 17 technologies for robust, multi-layered defense

• The most extensive anti-spam operations center
– Anti-spam filters updated every 10 minutes
– BLOC is unmatched for detecting spam and rule distribution
– BLOC delivers the most complete and up to date set of filters
– Over 30,000 new rules per day automatically updated
– No operator intervention required

• Flexible options
– Quarantine of individual user mail
– Operator configurable spam threshold

Positioned in the “Leaders” Quadrant - Magic Quadrant for Enterprise Spam Filtering
- Gartner Research, 2004

“IronPort combines Brightmail’s solution with its own reputation-based filter, resulting in even better detection while maintaining the extremely low false-positive rate”
-- Forrester Research

Page 18: Ironport Training 1

Brightmail / IronPort Integration

• Selectable Brightmail action to spam / suspect spam
– Deliver / Drop / Quarantine
– Append / Prepend mark
– Add custom header to email
– Alter recipient / mail server

• Filter action to skip Brightmail scanning
• Brightmail Quarantine Server
• Exchange / Notes Folder Agent
• Use of virtual gateway and LDAP group function for multiple spam scanning policies

Brightmail Quarantine

• Brightmail Quarantine provides users with Web access to spam messages that the Brightmail software has quarantined for them.
– Users can browse, search, and delete their spam messages and also re-deliver misidentified messages to their standard inbox.
– An administrator account provides access to all quarantined messages.

Page 19: Ironport Training 1

Quarantine Server Features

• Spam stored centrally at gateway; not passed through network
• End users notified daily/weekly about new spam
• Expunger - Centralized message purging after x days
• Can “release” quarantined msgs to user(s) inbox
• End users can access quarantine at any time
• Search functionality for both administrators and end-users

Quarantine View

Page 20: Ironport Training 1

IronPort - Quarantine Server Integration

(Diagram labels: Brightmail Quarantine Server; IronPort C-Series; SMTP (clean emails); SMTP (spams, i.e. messages assigned the “Quarantined” action); Brightmail updates via HTTPS; LDAP authentication; HTTP client access)

Why Brightmail on IronPort?

"The IronPort platform is a proven email security appliance solution that, in combination with Brightmail's market leading anti-spam technology effectively and accurately protects customers. Brightmail's partnership with IronPort has allowed our combined solution to protect tens of millions of mailboxes worldwide, and with our expanded collaboration we will protect millions more."

Enrique Salem, president and CEO of Brightmail
Brightmail Press Release: Brightmail and IronPort Systems Strengthen Strategic Partnership - June 7, 2004 (http://www.brightmail.com/pressreleases/060704_pr1.html)

Page 21: Ironport Training 1

Ironport C-Series Architecture

Virus Protection at the Gateway

• Multi-layered, multi-vendor approach addresses security shortcomings
– Need integrated virus scanning at the gateway

• Ease of management
– Automatic updates and administrative control is centralized

• Reduces burden on mail servers
– Scanning at a high performance gateway reduces demands on groupware servers and remaining infrastructure
– Dropping messages at the gateway reduces bandwidth requirements in the network

“Multi-layer, multi-vendor strategy.”
-- Gartner Group

Page 22: Ironport Training 1

IronPort C-Series with Sophos Anti-Virus Protection

• Integrated Sophos® anti-virus engine
– High performance in-line scanning

• Easy to deploy and manage
– Intuitive user interface
– Single view with Mail Flow Monitor
– Auto updates
– Lower TCO with integrated solution

Sophos Anti-Virus Integration

• Different settings based on the source of email
• Clean messages are delivered, others are handled according to administrator settings
• Optional notification of administrator, sender, or recipient

Page 23: Ironport Training 1

Reporting

• Mail Flow Monitoring
– Real-time and historical data about who has connected to your mail server and what they have sent to you

• Periodic Reports
– Basic mail flow data reports on a schedule

• Logs
– All the details

• “Spamtowho”
– Offline mail log digestion tool

• Mail Flow Central (TBA Q3 ‘04)
– Full feature reporting portal

Mail Flow: Secure, Visible, & Integrated

• Security through insight
– Highlights anomalies
– Identifies senders and receivers and tracks historical data
– Enables access control on Port 25

• Reduced administrative burden
– Single view into all applications
– Eliminate time searching for data

• Automatically-generated reporting
– Manage your mail flow policies
– Share data with IT staff and management

IronPort Mail Flow Monitor™

Page 24: Ironport Training 1

Periodic Reports

• In any or all of three formats, each having independent distribution lists
– Plain text
– HTML
– CSV (Comma Separated Values)

• Archival of previous generations
– Visibility into trends
– On-demand viewing

Logs

• Retrievable or automatically uploaded to a designated file server by FTP / SCP

• Detailed email activities in Text Mail Logs
– And Delivery Logs, Bounce Logs, Status Logs, System Logs, CLI Audit Logs, FTP / HTTP Logs, Brightmail Logs, Antivirus Logs, LDAP Debug Logs

Sample Text Mail Logs:

    Wed Jul 7 14:39:54 2004 Info: New SMTP ICID 7509805 interface 192.168.1.1 (192.168.1.1) address 211.75.36.67 reverse dns host unknown verified no
    Wed Jul 7 14:39:54 2004 Info: ICID 7509805 SBRS -1.1
    Wed Jul 7 14:39:56 2004 Info: Start MID 5488328 ICID 7509805
    Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 From: <[email protected]>
    Wed Jul 7 14:39:56 2004 Info: MID 5488328 ICID 7509805 RID 0 To: <[email protected]>
    Wed Jul 7 14:39:56 2004 Info: MID 5488328 Message-ID '<[email protected]>'
    Wed Jul 7 14:39:56 2004 Info: MID 5488328 Subject 'I found you'
    Wed Jul 7 14:39:56 2004 Info: MID 5488328 ready 2301 bytes from <[email protected]>
    Wed Jul 7 14:39:56 2004 Info: ICID 7509805 close
    Wed Jul 7 14:39:56 2004 Info: MID 5488328 Brightmail positive
    Wed Jul 7 14:39:56 2004 Info: MID 5488328 rewritten to 5488329 by antispam filter 'unknown'

Page 25: Ironport Training 1

“spamtowho”

• An offline tool that reports all necessary details, e.g. how many spam / virus-infected emails a user received over a period of time

• Not officially supported though (it’s written by our Support Engineer……)

Sample “spamtowho” result:

    Inbound Message Deliveries Begun      12,936
    Messages received                     11,750
    Messages received on 192.168.1.1      11,750

    Per destination rcpt
                         Total Mail   Spam   % Spam   Viruses
    aaa@my_domain.com            11      1     9.09         1
    bbb@my_domain.com            10      1    10            1
    ccc@my_domain.com            13      2    15.38         2
    ddd@my_domain.com            12      2    16.66         2
    eee@my_domain.com            11      2    18.18         2
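The Text Mail Log sample on the previous slide and the spamtowho table above are two views of the same data: a message (MID) must be joined to its connection (ICID) to pick up the SBRS and remote address, and the per-recipient rows are counts over the To: lines. The Python below is an example added here, not the spamtowho tool and not IronPort code. It follows only the line shapes the slide shows (New SMTP ICID, ICID SBRS, Start MID, From, RID To, Brightmail positive, rewritten to); the log lines are constructed for the example, only the "Brightmail positive" verdict is counted as spam, and the Viruses column is not reproduced because the slide shows no text-mail-log line for it.

```python
"""Digest AsyncOS-style Text Mail Log lines into a per-recipient spam summary.

Added example, not the spamtowho tool and not IronPort code.  The line shapes
follow the Sample Text Mail Logs slide; the log content below is constructed.
Each message (MID) is joined to its connection (ICID) for SBRS and remote
address, MID rewrites are followed so later lines land on the original record,
and mail/spam are counted per destination recipient as spamtowho does."""
import re
from collections import defaultdict

# Constructed sample in the slide's format (addresses are documentation ranges).
SAMPLE_LOG = """\
Wed Jul 7 14:39:54 2004 Info: New SMTP ICID 1001 interface 192.168.1.1 (192.168.1.1) address 203.0.113.10 reverse dns host unknown verified no
Wed Jul 7 14:39:54 2004 Info: ICID 1001 SBRS -5.5
Wed Jul 7 14:39:56 2004 Info: Start MID 2001 ICID 1001
Wed Jul 7 14:39:56 2004 Info: MID 2001 ICID 1001 From: <spammer@goat.com>
Wed Jul 7 14:39:56 2004 Info: MID 2001 ICID 1001 RID 0 To: <alice@acme.com>
Wed Jul 7 14:39:56 2004 Info: MID 2001 ICID 1001 RID 1 To: <bob@acme.com>
Wed Jul 7 14:39:57 2004 Info: MID 2001 Brightmail positive
Wed Jul 7 14:39:57 2004 Info: ICID 1001 close
Wed Jul 7 14:40:10 2004 Info: New SMTP ICID 1002 interface 192.168.1.1 (192.168.1.1) address 198.51.100.7 reverse dns host mail.vendor.example verified yes
Wed Jul 7 14:40:10 2004 Info: ICID 1002 SBRS 3.2
Wed Jul 7 14:40:11 2004 Info: Start MID 2002 ICID 1002
Wed Jul 7 14:40:11 2004 Info: MID 2002 ICID 1002 From: <partner@vendor.example>
Wed Jul 7 14:40:11 2004 Info: MID 2002 ICID 1002 RID 0 To: <alice@acme.com>
Wed Jul 7 14:40:12 2004 Info: ICID 1002 close
Wed Jul 7 14:41:03 2004 Info: New SMTP ICID 1003 interface 192.168.1.1 (192.168.1.1) address 203.0.113.44 reverse dns host unknown verified no
Wed Jul 7 14:41:03 2004 Info: ICID 1003 SBRS -1.1
Wed Jul 7 14:41:04 2004 Info: Start MID 2003 ICID 1003
Wed Jul 7 14:41:04 2004 Info: MID 2003 ICID 1003 From: <promo@goat.com>
Wed Jul 7 14:41:04 2004 Info: MID 2003 ICID 1003 RID 0 To: <bob@acme.com>
Wed Jul 7 14:41:05 2004 Info: MID 2003 Brightmail positive
Wed Jul 7 14:41:05 2004 Info: MID 2003 rewritten to 2004 by antispam filter 'unknown'
Wed Jul 7 14:41:05 2004 Info: ICID 1003 close
"""

NEW_ICID = re.compile(r"New SMTP ICID (\d+) .* address (\S+)")
ICID_SBRS = re.compile(r"ICID (\d+) SBRS (-?\d+(?:\.\d+)?)")
MID_START = re.compile(r"Start MID (\d+) ICID (\d+)")
MID_FROM = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
MID_TO = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>")
MID_SPAM = re.compile(r"MID (\d+) Brightmail positive")
MID_REWRITE = re.compile(r"MID (\d+) rewritten to (\d+)")


def parse_mail_log(lines):
    """Return {original MID: record} with the connection's remote address and SBRS joined in."""
    conns = {}      # ICID -> {"address": ..., "sbrs": ...}
    msgs = {}       # MID  -> record
    alias = {}      # rewritten MID -> original MID
    for line in lines:
        if m := NEW_ICID.search(line):
            conns[m[1]] = {"address": m[2], "sbrs": None}
        elif m := ICID_SBRS.search(line):
            conns.setdefault(m[1], {"address": None})["sbrs"] = float(m[2])
        elif m := MID_START.search(line):
            msgs[m[1]] = {"icid": m[2], "from": None, "to": [], "spam": False}
        elif m := MID_FROM.search(line):
            msgs[alias.get(m[1], m[1])]["from"] = m[2]
        elif m := MID_TO.search(line):
            msgs[alias.get(m[1], m[1])]["to"].append(m[2].lower())
        elif m := MID_SPAM.search(line):
            msgs[alias.get(m[1], m[1])]["spam"] = True
        elif m := MID_REWRITE.search(line):
            alias[m[2]] = alias.get(m[1], m[1])   # later lines may use the new MID
    for rec in msgs.values():
        conn = conns.get(rec["icid"], {})
        rec["remote_address"] = conn.get("address")
        rec["sbrs"] = conn.get("sbrs")
    return msgs


def per_recipient_summary(msgs):
    """spamtowho-style table: recipient -> (total mail, spam, % spam)."""
    totals = defaultdict(lambda: [0, 0])
    for rec in msgs.values():
        for rcpt in rec["to"]:
            totals[rcpt][0] += 1
            totals[rcpt][1] += int(rec["spam"])
    return {r: (t, s, round(100.0 * s / t, 2)) for r, (t, s) in sorted(totals.items())}


if __name__ == "__main__":
    summary = per_recipient_summary(parse_mail_log(SAMPLE_LOG.splitlines()))
    print(f"{'Recipient':22} {'Total Mail':>10} {'Spam':>5} {'% Spam':>7}")
    for rcpt, (total, spam, pct) in summary.items():
        print(f"{rcpt:22} {total:>10} {spam:>5} {pct:>7}")
```

The join through the ICID is what makes the SBRS usable in reporting: the score is logged once per connection, not per message, so a per-message or per-recipient report has to carry it across from the connection record, and a MID that is rewritten by the antispam filter has to be mapped back to the original so its recipients are not lost.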

IronPort Mail Flow Central (Q3 ‘04)

• External software that runs on a Windows 2000 or Windows 2003 server

• Message Tracking, Reporting

Page 26: Ironport Training 1

IronPort Mail Flow Central (Q3 ‘04)

(Screenshots: Detail Reporting; Message Tracking)

Mail Flow Central - Message Tracking

• Answers the difficult questions
– “I sent a contract to the law firm yesterday and they never received it. What happened?”
– “I must have received 20 spam messages today! I thought you were doing something about this?”

• Saves administration time
– Simple and advanced search
– Track messages from one machine or all machines simultaneously

• Powerful search engine
– Finds messages during a specified time
– Finds messages from an individual to an individual

Page 27: Ironport Training 1

Mail Flow Central Reporting

• Summary Reports demonstrate Return on Investment (ROI)
– Reports show the number of spam messages blocked and the number of viruses blocked over time

• User Reports show the individual granularity
– Which individuals would have been affected by spam or viruses
– Which individuals have been sending the most mail

• Domain reports highlight the sources of bad and good email by domain

• Trend analysis to show the progress in keeping email secure

IronPort Reduces Administration Time
Advanced technology automates manual tasks

“These IronPorts run themselves”
Joe Chodi, CTO of Major League Baseball

• Multi-master centralized management: make changes only once
• Industry’s lowest false positive rate eliminates support calls
• No manual white or black lists needed
• Automatic rate limiting prevents Denial of Service without intervention
• Stops virus outbreaks even before signatures are available
• Anti-spam updates: 30,000 rules per day, every 5-10 minutes
• No tuning or training required
• Centralized scheduled reporting: never sort through logs again
• Visually test configuration changes without making them effective

Page 28: Ironport Training 1


• Revolutionary MTA Platform for High Availability

• Threat Prevention with IronPort Reputation Filters™

• Content Scanning for Policy Enforcement

• Spam Detection with Brightmail™ Anti-Spam

• Virus Detection with Sophos™ Anti-Virus