IronPort IronPort works as Proxy, URL Filtering, Anti-Virus & Anti Phishing. IronPort protect enterprises against Internet threats. It was best known for IronPort AntiSpam, the SenderBase email reputation service, and email security appliances. These appliances ran a modified FreeBSD kernel under the trademark AsyncOS. IronPort email and web security gateway and management products currently referred to as Cisco Email Security and Cisco Web Security, have now becomes an integral part of the Cisco Security vision and strategy. Cisco continues to deliver the world-class email and web security that IronPort customers are used to. The security products and technology from IronPort complement Cisco industry-leading threat mitigation, confidential communications, policy control, and management solutions.
1. History IronPort Systems, Inc., headquartered in San Bruno, California. IronPort was founded in December 2000, by Scott Banister and Scott Weiss. On November 24, 2003, IronPort acquired the SpamCop filtering and reporting service, which it ran as a stand-alone entity. Cisco Systems announced on January 4, 2007 that it would buy IronPort in a deal valued at US$830 million[4][5] and completed the acquisition on June 25, 2007. IronPort was integrated into the Cisco Security business unit. Senderbase was renamed as Sensorbase to take account of the input into this database that other Cisco devices provide. SensorBase allows these devices to build a risk profile on IP addresses, therefore allowing risk profiles to be dynamically created on http sites and SMTP email sources.
2. Working Content Security Module on Firewall can be use instead but can be used only upto 1000 users. For more than that, we should use Cisco IronPort. Iron port can size upto 20,000 users. Content Security Module on ASA Firewall uses only one Scanner, Trend Micro Scanner. On IronPort, they use Three Scanners One from McFee, One from Sophos and one from Webroot. MacFee and Sophos for Anti-Virus and Anti Phishing and Webroot are for Anti Malware. Customer can choose how many scanners he wants. He need not buy all the three.
IronPort When a packet comes in, it is sent parallelly to multiple scanners available. Scanners after checking the packet in their DV Engine will drop it if there is something malicious about it. If all is well, send to Webroot for further processing and finally send to the users. Yet another level of Security Feature: Sensor Based or the new name is "Sender Based". All the Data Centres of WSA in multiple locations across the group will seek the latest intelligence in web security. If a new virus is found, they update it to the Iron port. Depending on the incoming packet's source IP address (Which is marked anywhere between -10 and +10), packet can be dropped, Quarantined or Allowed inside by Iron port. Iron port can be configured to do so by the admin. Granular Level Access control is possible using Application Vectoring.
Figure 1 Ironport(ESA)
Working
3. Types of IronPort 3.1.
Web Security Appliance (WSA)
A web proxy server accepts incoming connections destined to the web and acts as an intermediary between the clients and the World Wide Web. Cisco IronPort Web Proxy Server Security Appliances Figure 2 IronPort S370 Web Security Appliance help enterprises secure and control internet traffic by offering multiple layers of malware defence on a single, integrated appliance. These layers of defence include Cisco IronPort Web Reputation Filters, multiple anti-malware
IronPort scanning engines, and the Layer 4 Traffic Monitor, which detects non-port 80 malware activities. The Cisco IronPort S-Series is also capable of intelligent HTTPS decryption, so that all associated security and access policies can be applied to encrypted traffic. A web proxy is the foundation for security by mitigating one of the biggest exposures to risk in an organization namely the unrestricted internet access. It allows for comprehensive content analysis, which is critical to accurately detect devious and rapidly mutating web-based malware. Powered by the proprietary Cisco IronPort AsyncOS operating system, the web proxy includes an enterprise-grade cache file system. This system efficiently returns cached web content through intelligent memory, disk, and kernel management-easily ensuring high performance and throughput for even the largest of networks. The Cisco WSA is the first secure web gateway to combine leading protections to help organizations address the growing challenges of securing and controlling web traffic. You get advanced malware protection, application visibility and control, acceptable use policy controls, insightful reporting, and secure mobility all on a single platform.
3.1.1. Advanced Threat Defense The Cisco WSA is powered by Cisco Security Intelligence Operations (SIO), our industryleading threat intelligence organization. Cisco SIO detects and correlates threats in real time using the largest threat detection network in the world. It monitors 100 TB of daily security intelligence, 1.6 million deployed security devices, 13 billion daily web requests, and 35 percent of worldwide email traffic. The Cisco WSA uses multiple layers of anti-malware technologies and intelligence from SIO updated every three to five minutes. It protects against hidden threats by analyzing every piece of web content accessed by the user, from HTML to images and Flash graphics.
3.2.
Email Security Appliance (ESA)
Email Security Appliance (ESA) is easy-to-deploy solutions that defend your email system against spam, viruses, phishing, and a wide variety of other threats. In use at eight of the ten largest ISPs and more than 40 percent of the world's largest enterprises, these systems have a demonstrated record of unparalleled performance, accuracy and reliability. Cisco IronPort email security appliances protect enterprises of all sizes – the same code base that power our most sophisticated customers is used in the entire Figure 3 Cisco Email Security Appliance C680 product family. By reducing the downtime associated with email-borne malware, these products simplify the administration of
IronPort corporate mail systems and reduce the burden on technical staff, while offering insight into mail system operation. IronPort email security appliances provide a multilayer approach to stopping email-based threats:
For spam protection, email and web reputation filtering technology is combined with industry-leading Cisco IronPort Anti-Spam feature. Cisco IronPort Outbreak Filters are paired with fully integrated traditional antivirus technology and patent pending anti-targeted attack protection to ensure users are protected from the industry’s more malicious attacks. Cisco Data Loss Prevention technology provides organizations with the broadest set of tools to enforce regulatory compliance and acceptable use policies accurately and efficiently. Cisco IronPort PXE encryption technology fulfils secure messaging, compliance, and regulatory requirements.
Figure 4 Shows
a typical Email Security Deployment
3.2.1. Cisco IronPort’s Email Security Technology Differentiators
Cisco IronPort AsyncOS is a unique, high-performance software architecture designed to address concurrency based communications bottlenecks and the limitations of file-based queuing. Cisco IronPort Reputation Filters perform a real-time email threat assessment and then identify suspicious email senders. Suspicious senders are rate limited or blocked, preventing malicious traffic from entering the network. Cisco IronPort Anti-Spam combines best-of-breed conventional techniques with IronPort’s breakthrough context sensitive detection technology to eliminate the broadest range of known and emerging email threats. Cisco IronPort Outbreak Filters detect new virus outbreaks in real time, and then quarantine suspicious messages - offering protection up to 42 hours before traditional antivirus solutions.
IronPort
3.3.
Cisco Data Loss Prevention technology provides comprehensive DLP policies and remediation options, unparalleled accuracy, and easy deployment and management capabilities - meeting acceptable use policy and compliance requirements readily. Cisco IronPort PXE encryption technology revolutionizes email encryption - meeting compliance requirements while delivering powerful business-class email features. The Cisco Threat Operations Center (TOC) provides a 24x7 view into global traffic activity, enabling Cisco to analyse anomalies, uncover new threats, and track traffic trends.
Management Appliance (SMA)
The Cisco Content Security Management Appliance (SMA) centralizes management and reporting functions across multiple Cisco email and web security appliances. It simplifies administration and planning, improves compliance monitoring, helps to Figure 5 Content Security Management Appliance M1060 enable consistent enforcement of policy, and enhances threat protection. Centralize management and reporting functions across multiple Cisco Email Security Appliances (ESAs) and Cisco Web Security Appliances (WSAs) with the Cisco Content Security Management Appliance (SMA). The integration of Cisco SMA with Cisco ESAs and WSAs simplifies the planning and administration of email and web security, improves compliance monitoring, makes possible a consistent enforcement of acceptable-use policies, and enhances threat protection.
3.3.1. Enhanced Threat Protection The Cisco SMA provides a comprehensive view of security for improved threat intelligence, defense, and remediation. That includes:
Centralized management of email spam quarantine Comprehensive threat monitoring across multiple web and email security gateways Web reputation scoring Botnet detection
The SMA's reporting capabilities can also be used to identify and address key activities and trends for data loss prevention (DLP) and remediation.
IronPort 3.3.2. Features and Benefits of the Cisco SMA and SMAV Feature
Benefits
Centralized management The Cisco SMA simplifies administration by publishing configurations from a single management console to multiple Cisco ESAs and WSAs. Updates and settings are managed centrally on that and reporting console rather than on the individual appliances. Organizations can dedicate specific appliances to individual applications for high-volume deployments. Fully integrated reporting allows traffic data from multiple Cisco ESAs and WSAs to be consolidated. Message tracking
Data is aggregated from multiple Cisco ESAs, including data categorized by sender, recipient, message subject, and other parameters. Scanning results, such as spam and virus verdicts, are also displayed, as are policy violations.
Web tracking
A record of individual web transactions is maintained, with information such as IP address, username, domain name, time accessed, and other details. Visibility is provided into employee use of Web 2.0 applications such as Facebook, YouTube, and instant messaging.
Web reporting
Web tracking information is aggregated in real time and displayed in a high-level, easy-to-use graphical format. Reporting features help administrators determine the websites, URL categories, and applications that employees can access on company devices.
Spam quarantining
Spam and marketing messages are stored centrally with the easy-to-use self-service Cisco Spam Quarantine solution. Large enterprises with multiple Cisco ESAs can offload their spam traffic to one location for easier tracking and provide a single point for employee access.
Threat monitoring
Data about web-based threats is provided in real time, including, for example, which users are encountering the most blocks or warnings, and which websites and URL categories pose the biggest risks. Malware and other threats that Cisco WSAs have detected and blocked are also reported.
Reputation scoring
This feature provides detailed information about the reputation scores of the websites that users access. These scores are based on data provided by Cisco WSAs, which analyze web server behavior and assign a score to each URL that reflects the likelihood that it contains malware.
Botnet detection
Ports and systems with potential malware connections are displayed. Data from the Layer 4 traffic monitoring feature on Cisco WSAs can help organizations detect and remediate botnet-infected hosts.
IronPort 4. Modes of IronPort Two modes of working:  
Explicit Proxy/Mode Transparent Proxy/Mode
When a Web browser uses a proxy, the protocol between the browser and the Web proxy is slightly different from the one a browser uses straight to a Web server. Thus, the best interoperability between Web browser and Internet Web servers occurs when the browser is aware of the proxy. If the proxy server is inserted transparently between the client and the server, without any special browser configuration, then several problems quickly creep up. Some of the problems are showstoppers. For example, if the proxy attempts to decrypt SSL traffic, the browser will raise alerts. If the proxy requires authentication to differentiate different types of users or for accounting, this can be incompatible with other Web pages that also require authentication. There's a whole RFC (RFC-3143) listing problems with Web proxies. On the other hand, if you want perfect interoperability, you have to get the proxy configuration information to the Web browser somehow. Several semi-automatic methods exist under the rubric of Web Proxy Auto-Discovery Protocol (WPAD), or, you could manually load the proxy configuration information into the PC.
4.1.
Explicit Proxy/Mode
In Explicit mode, the packet is by default send to IronPort. Proxy server ip is configured in IE or Firefox. Traffic flow from PC or Laptop to Access Switch to Core Switch to WSA (IronPort) back to Core Switch to Firewall to Router to Internet. Intelligence in this case is built in to the IE or Firefox using a PAC file or something like that. But if many users are there working outside office, this mode may not be useful as IE needs access to the IronPort and if outside office, needs VPN to office infrastructure.
4.2.
Transparent Proxy/Mode
Transparent mode works on the port requested by PC or Laptop. All the intelligence in this case is in Core Switch. Transparent Proxy (also called "Intercepting Proxy") which doesn't require touching the Web browser, but also doesn't work all the time, vs. Explicit Proxy that requires Web Proxy AutoDiscovery Protocol (WPAD) and a cooperating device, but which works much better.
IronPort 5. Global Deployment Cisco deployed the Cisco IronPort S670 WSA in three phases:
Proof of Concept (POC): Cisco CSIRT led a 300-user POC, conducted over six months in one building of the Cisco campus in Research Triangle Park (RTP), North Carolina. The appliances inspected all web-bound traffic, as well as the return traffic from the web to Cisco users' devices. Cisco CSIRT enabled WCCP on each desktop VLAN to redirect traffic with destination port 80/TCP to the IronPort WSAs. WCCP enables the IronPort WSA to inspect a user's web traffic, making it unnecessary for Cisco IT or employees themselves to configure the web browser to use the IronPort proxy. Not requiring a specific browser configuration supports Cisco IT's any-device strategy. "During the POC, we validated that reputation filtering blocked malicious traffic that malware filtering missed," Bollinger says. No outages occurred during the POC. Pilot: Next, from early 2009 to early 2011, Cisco CSIRT extended the solution to all 3000 employees on the RTP campus. Every web request initiated over a wired or wireless network was redirected to one of four Cisco IronPort WSAs. During the pilot, the IronPort appliances blocked one percent of all web traffic, representing four million objects that otherwise might have infected the network or led to information leakage. Enterprise Deployment: Cisco IT has been begun deploying the Cisco IronPort WSAs in other large campus sites, beginning with offices whose Internet traffic is routed through RTP. "Scaling from 3000 to 30,000 users only requires changing an access list, enabling WCCP on the routers, and pointing the routers to the IronPort WSAs," says Bollinger. IronPort WSAs are also currently in production on the San Jose, California and Bangalore campuses. Users do not notice any change when their web requests are sent through the proxy server.