IronPort S160 Web Security Appliance

Overview:

Yesterday’s defenses are no longer effective in the fight against today’s sophisticated web threats. The shift from viruses and worms to exploited legitimate sites, more unique varieties of malware and the growth of social networking sites are forcing businesses to put up new defenses. These types of attacks do not discriminate, and even the smallest IT security organization needs to defend its users.

According to industry estimates, approximately 75 percent of all business PCs are infected with spyware, yet less than 10 percent of businesses have deployed perimeter malware defenses. Additionally, 87 percent of all web-based threats today are delivered by legitimate sites. The speed, variety and maliciousness of web-based malware attacks highlight the importance of a robust, secure platform to protect the network perimeter from such threats.

Increasing enterprise web traffic creates new security challenges for enterprise IT. HTTP now dominates at the enterprise edge, carrying numerous applications and types of information.

In addition to the security risks introduced by malware and spyware, web traffic also exposes an organization to compliance and productivity risks introduced by inappropriate Internet usage. The Cisco® IronPort S160 web security appliance combines acceptable use policy controls, reputation filtering, malware filtering and data security on a single platform to address these risks.

A single, highly-secure Cisco IronPort S160 can typically replace three comparable appliances from competing vendors. This consolidation reduces the operational costs (power, rack space, etc.) and supports green data center initiatives – all while increasing ROI and efficiency.

Extending security to the branch office should be an integral part of any web security strategy. Branch networks have become a source of many potential security vulnerabilities, yet limited protection resources have existed at the branch level. Understanding branch office risks and security requirements is critical to building an overall web security strategy. With the Cisco IronPort S160, Cisco extends the full capabilities of its powerful, secure web gateway (including all of its innovative security technologies) to remote and branch offices.

Cisco provides a manageable, and intelligent web security architecture for protecting branch offices, enabling you to do business effectively and safely.

The Cisco Difference

Cisco IronPort email and web security products are high-performance, easy-to-use and technically-innovative solutions, designed to secure organizations of all sizes. Purpose built for security and deployed at the gateway to protect the world’s most important networks, these products enable a powerful perimeter defense.

Leveraging the Cisco Security Intelligence Operations center and global threat correlation makes the Cisco IronPort line of appliances smarter and faster. This advanced technology enables organizations to improve their security and transparently protect users from the latest Internet threats.

Features:

Innovative Security Platform Delivers Performance and Accuracy

The Cisco IronPort S160 helps businesses and remote offices secure and control web traffic by offering multiple layers of malware defense on a single, integrated appliance. These layers of defense include Cisco IronPort Web Reputation Filters, multiple anti-malware scanning engines and the Layer 4 (L4) Traffic Monitor, which detects non-Port 80 malware activity. The Cisco IronPort S160 is also capable of intelligent HTTPS decryption, so that all associated security and access policies can be applied to encrypted traffic.

A fast web proxy is the foundation for security and acceptable use policy (AUP) enforcement. It allows for deep content analysis, which is critical to accurately detect devious and rapidly mutating web-based malware. Powered by the proprietary Cisco IronPort AsyncOS operating system, the web proxy includes an enterprisegrade cache file system. This system efficiently returns cached web content through intelligent memory, disk and kernel management – easily ensuring high performance and throughput for networks of all sizes.

Industry-Leading Acceptable Use Policy Enforcement

Cisco IronPort Web Usage Controls, available on all Cisco IronPort S160 web security appliances, provide industry-leading visibility and protection from web use violations through a combination of list-based URL filtering and real-time dynamic categorization. This unique solution is powered by Cisco Security Intelligence Operations (SIO), which uses global Internet traffic visibility and analysis to target categorization efforts and provide timely updates, maximizing URL list-based efficacy.

Cisco IronPort URL Filters offer the broadest reach and the highest accuracy rate in controlling web content. Cisco’s database contains over 20 million sites (corresponding to over 3 billion pages), with global coverage across 70 languages and 200 countries.

Cisco IronPort URL Filters provide industry-leading coverage and accuracy against web traffic requests. An administrator can easily configure access policies based on 52 pre-defined categories and an unlimited number of custom categories. Time-based policies are also supported for truly flexible acceptable use policy management.

AUP, application and protocol control are facilitated at a granular level, regardless of the protocol or application flowing through the network perimeter. The Layer 4 Traffic Monitor looks for “phone-home” malware activity, while intelligent HTTPS decryption inspects encrypted data for security or AUP violations. The Cisco IronPort S160 brings all of these capabilities together to provide a single touch point for administrators who want to control the data entering and leaving their networks.

The Cisco IronPort S160 combines revolutionary technologies to provide multi-layered web security on a single appliance

Multi-Layer, Multi-Vendor Malware Defense-in-Depth

An integrated Layer 4 (L4) Traffic Monitor scans all ports at wire speed, detecting and blocking spyware “phone-home” activity. By tracking all 65,535 network ports, the L4 Traffic Monitor effectively stops malware that attempts to bypass Port 80. In addition, the L4 Traffic Monitor is able to dynamically add IP addresses of known malware domains to its list of ports and IP addresses to detect and block. Using this dynamic discovery capability, the L4 Traffic Monitor can monitor the movement of malware in real time – even as the malware host tries to avoid detection by migrating from one IP address to another.

Cisco Security Intelligence Operations (SIO) is an advanced security infrastructure that provides threat detection, correlation and mitigation to continuously provide the highest level of security for Cisco customers. Using a combination of threat telemetry, a team of global research engineers and sophisticated security modeling, Cisco SIO enables fast and accurate protection, allowing customers to securely collaborate and embrace new technologies. Cisco Security Intelligence Operations is a sophisticated security ecosystem consisting of three components:

• Cisco SensorBase: The world’s largest threat monitoring network that captures global threat telemetry data from a massive footprint of Cisco devices.
• Threat Operations Center: A global team of security analysts and automated systems extract actionable intelligence.
• Dynamic Updates: Real-time updates automatically delivered to security devices, along with best practice recommendations and other content, help customers track threats, analyze intelligence and ultimately improve their organization’s overall security posture.

The industry’s first and best web reputation filters provide a powerful outer layer of malware defense. Leveraging Cisco Security Intelligence Operations (SIO), Cisco IronPort Web Reputation Filters analyze over 50 different web traffic- and network-related parameters to accurately evaluate a URL or IP addresses’ trustworthiness. Cisco IronPort Web Reputation Filters examine every request made by the browser (from the initial HTML request to all subsequent data requests) – including live data, which may be fed from different domains.

This gives these filters a unique advantage over vendors that reduce web reputation to a simple URL filtering category.

Cisco IronPort Web Reputation Filters are the industry’s only reputation system to include botsite protection, URL outbreak detection and exploit filtering – protecting users from exploits delivered through cross-site scripting (XSS), cross-site request forgery, SQL injections or invisible iFrames. The power behind this revolutionary reputation technology comes from the system’s pattern-base assessmen techniques and per-object scanning capabilities.

The Cisco IronPort Anti-Malware System gives the Cisco IronPort S160 the distinction of being the first solution on the market to offer multiple anti-malware scanning engines on a single, integrated appliance. Moreover, an administrator can run these scanning engines simultaneously to enable greater protection against malware threats, with little-to-no performance degradation. This system leverages the Cisco IronPort Dynamic Vectoring and Streaming (DVS) engine, and verdict engines from Webroot and McAfee, to provide bestof- breed protection against the widest variety of web-based threats. These threats can range from adware, browser hijackers, phishing and pharming attacks to more malicious threats such as rootkits, Trojans, worms, system monitors and keyloggers.

Scanning engines from Webroot and McAfee are fully integrated into the Cisco IronPort S160. The Webroot scanning engine, backed by a threat research team at Webroot, performs both request- and response-side scans. The McAfee database includes both virus and malware signatures and can be configured to perform both signaturebased and heuristics-based scanning.

Native FTP protection enables complete visibility into FTP usage – enforcing acceptable use and data security policies, and preventing malware infections.

The Cisco IronPort DVS engine was built to provide an integrated, single-appliance solution with multiple antimalware scanning engines from different vendors. It employs sophisticated object parsing and streaming techniques to enforce acceptable use policies and security features for web traffic. It simultaneously leverages hardware optimizations (such as multi-core scanning) to distribute these parallel operations and fully utilize the system’s resources. The result is a ten-fold improvement in performance when compared to first-generation scanning solutions.

HTTPS decryption enables the Cisco IronPort S160 web security appliance to enforce acceptable use and security policies over HTTPS-decrypted data. This is the first solution to use web reputation and URL filtering to make HTTPS decryption decisions. For example, a banking site can be bypassed for HTTPS decryption – unless its web reputation score is low, in which case the HTTPS connection is decrypted to scan content for malware, or blocked outright. With this ability, administrators no longer have to sacrifice security for privacy.

Powerful Data Security Enforcement

Data security and data loss prevention empower organizations to take quick, easy steps to enforce common sense data security policies. For example, preventing engineers from sending design files by webmail, blocking uploads by finance staff of Excel spreadsheets over 100KB, or preventing posts of content to blogs or social networking sites. These simple data security policies can be created for outbound traffic on HTTP, HTTPS and FTP.

For enterprises that have already invested in special-purpose data loss prevention systems, the Cisco IronPort S160 offers an option to interoperate with DLP vendors via ICAP. By directing all outbound HTTP, HTTPS and FTP traffic to the third-party DLP appliance, organizations can allow or block based on the third-party rules and policies. This also enables deep content inspection for regulatory compliance and intellectual property (IP) protection, incident severity definition, case management and performance optimization. F e atur e s ( C o ntinu e d ) The Cisco IronPort S160’s sophisticated reporting tools yield a complete real-time and historical view of web traffic, as well as threat activity and prevention – providing unprecedented security insight.

Native FTP protection allows the Cisco IronPort S160 to provide complete visibility into FTP usage, enforcing acceptable use and data security policies, and preventing malware infections. Acting as an FTP proxy, the Cisco IronPort S160 enables organizations to exercise granular control, including: allow/block FTP connections, restrict users/groups, control uploads/downloads, and restrict sent/received files to certain types or sizes.

Additionally, the Cisco IronPort S160 can score FTP servers with Cisco IronPort Web Reputation Filters and scan downloaded content for malware and spyware payloads with the Cisco IronPort Dynamic Vectoring and Streaming (DVS) engine. Cisco’s FTP protection utilizes Cisco IronPort Data Security to enforce simple, common sense data security policies based on file metadata, user, URL category, and reputation or can pass the FTP traffic to an external DLP solution for additional, more granular, scanning.

The Cisco IronPort S160 now has comprehensive coverage for the three most common protocols carrying business information across the boundary and over the Internet – HTTP, HTTPS and FTP.

Comprehensive Management and Reporting Capabilities

Cisco IronPort Web Security Manager provides a single, easy-to-understand view of all access and security policies configured on the appliance. Administrators manage all web access policies (including URL filtering, time-based policies, reputation filtering and malware filtering) from a single location. Additionally, administrators can mix and match client-based criteria (e.g. client IP address, authenticated username, etc.) and destination-based criteria (e.g. URL, URL category, proxy port, etc.) to flexibly determine when each set of policies is applied.

Cisco IronPort Web Security Monitor offers valuable insight into overall web activity, as well as threat identification and prevention, within corporate networks. These on-box and off-box reports are designed to provide actionable information as well as historical trends. Enhanced reporting provides enterprises visibility into policy and security violations.

Multiple deployment modes enable flexibility within a business network. Deployment modes include deployment as an explicit forward proxy for the network or transparent deployment of an L4 switch or a WCCP router within the network. The Cisco IronPort S160 can be configured as a standalone proxy or to co-exist with other proxies (such as in a proxy hierarchy for conditional routing, failover and load balancing).

Enterprise-grade SNMP facilitates hands-off monitoring and alerting for key system metrics including hardware, performance and availability. Support for SNMPv1, 2, and 3, along with a comprehensive enterprise-class alert engine, ensure oversight for all system parameters – including hardware, security, performance and availability.

Integrated authentication via standard directories (such as LDAP or ActiveDirectory) and the ability to implement multiple authentication schemes (such as NTLM or Basic) lets enterprises deploy the Cisco IronPort S160 seamlessly, while taking advantage of pre-existing authentication and access control policies within their networks. Features such as multi-realm authentication (which enables authentication against multiple authentication domains) provide flexible failover scenarios and multi-organization deployments.

The Cisco IronPort S160 also enable warn/continue pages to allow the organization to educate users on corporate acceptable use and security policies, restricted guest access for visitors, and re-authentication for on-the-fly privilege override. Given the diversity of ways in which group information is stored in user directories, the Cisco IronPort S160 supports obtaining group information from a group object, as well as from an attribute in the user’s profile

The Cisco IronPort S160 can be deployed to easily suit your enterprise and branch office architecture

These features offer increased flexibility and richness in policy and authentication to meet the requirements of sophisticated enterprises.

Extensive logging allows enterprises to keep track of all web traffic, benign and malware-related. Standard log formats include Apache, Squid-detailed – along with the ability to specify custom log formats, consistent with enterprise logging policies. Administrators can enable, disable and set log subscriptions, or set log rollover and size limits, based on log types.

In addition to the Apache and Squid log file formats, the Cisco IronPort S160 supports the W3C-standard Extended Log File Format (ELFF). This allows administrators to use many thirdparty log analyzer tools, and also enables the generation of customized logs for various audiences. For example, separate logs for IT, HR, and top management – each with a customized set of logging fields.

Benefits:

Single Appliance Security and Control The Cisco IronPort S160 offers a single appliance solution to secure and control the three greatest web traffic risks facing enterprise networks: security risks, resource risks and compliance risks.

Mitigate Malware Risks and Costs With malware infecting approximately 75 percent of corporate desktops. By providing comprehensive protection, even the smallest business or branch office can ensure minimal downtime to the end-user and minimize the danger of information leakage, including risks from the use of FTP and dynamic Web 2.0 sites.

Cisco’s multi-layered defense includes Cisco IronPort URL Filters, Cisco IronPort Web Reputation Filters and Cisco IronPort DVS technology (with multiple anti-malware scanning engines running simultaneously) – ensuring industry-leading accuracy.

Complete, Accurate Protection Cisco IronPort S160 appliances are designed from the ground up to address the broadest range of web-based malware threats, including those from the use of FTP and dynamic Web 2.0 sites.A multi-layered defense that includes Cisco Security Intelligence Operations, Cisco IronPort Web Usage Controls, Cisco IronPort Web Reputation Filters and Cisco IronPort DVS technology (with multiple anti-malware scanning engines running simultaneously), ensures industry-leading accuracy.

This multi-layered protection is based on a deep content application-layer inspection, as well as network-layer pattern detection, checking both inbound and outbound activities. These innovations make the Cisco IronPort S160 the industry’s most secure web gateway.

Enforce Acceptable Use Policies (AUP) By implementing acceptable use web policies, enterprises can not only conserve resources for work-related web usage, but also inform end-users to help shape web access behavior over time. Enterprises can increase the amount of time that employees spend on business-oriented activities, reducing misuse of enterprise networks and bandwidth.

Simplified Data Security The data loss problem extends well beyond malware. Employees can easily use webmail to send a message including proprietary information, post confidential data on social networks and blogs, or transfer financial documents over FTP to a server outside the corporate network. Making sure that sensitive data does not leave the corporate boundary – while allowing users to leverage the full power of the Internet – is an important and challenging issue to solve.

The Cisco IronPort S160 enables organizations to take quick, easy steps to enforce common sense data security policies for outbound traffic on HTTP, HTTPS and FTP.

Reporting Visibility The Cisco IronPort S160 appliances deliver real-time and historical security information, allowing administrators to quickly understand web traffic activity. Realtime reports let administrators identify and track issues such as policy violations and security violations as they occur. Historical reports allow administrators to identify trends and report on efficacy and ROI.

Performance in a Small Package and Low Total Cost of Ownership Cisco IronPort appliances scale to meet the unique scanning needs of web traffic, thereby ensuring that the end-user experience is maintained. The cisco IronPort S160 provides a single platform that contains a complete, in-depth defense – along with all the necessary management tools – significantly reducing the initial and ongoing TCO of small businesses and remote offices.

Reduced Administrative Overhead Perfect for small to medium businesses and remote offices, the Cisco IronPort S160 is designed to minimize administrative overhead, offering easy setup and management with an intuitive graphical user interface, support for automated updates, and comprehensive monitoring and alerting.

Specifications:

Documentation:

Download the IronPort S160 Data Sheet (PDF).