SOURCE: IronPort Systems

November 05, 2007 09:00 ET

IronPort Introduces Advanced Web Security Appliance

New Capabilities Include Multi-Vendor Signature Scanning and Selective HTTPS Scanning

SAN BRUNO, CA--(Marketwire - November 5, 2007) - IronPort® Systems, a Cisco business unit and a leading provider of enterprise spam, virus and spyware protection, today announced significant enhancements to the IronPort S-Series™ Web security appliance. This IronPort appliance is a high-performance device, designed to bring security policy enforcement to enterprise Web access -- a portion of the network that (for many corporations) has been left unprotected. The IronPort S-Series has advanced capabilities to assist users in: identifying and blocking malware from entering a corporate network, creating and enforcing acceptable use policies, and ensuring sensitive data is not inadvertently being sent outside of the company. The IronPort S-Series is an important part of Cisco's Self-Defending Network, providing content level security for Web traffic that helps to enhance overall network-level security.

Breakthrough Technology: Reputation-based Filtering

IronPort introduced the concept of reputation analysis at the beginning of 2003. Since then, reputation filtering has proven to be very powerful. In most circumstances, IronPort email appliances can block more than 90 percent of incoming spam emails, based entirely on the reputation of the sending mail server. In January of 2006 IronPort introduced Web reputation filtering, applying to Web traffic the same techniques used so effectively in email.

IronPort S-Series Web security appliances perform a real-time analysis of the reputation of every web server being contacted by a corporation. This analysis is the first line of defense against Web-based threats. Users of IronPort Web security appliances may choose to implement any number of policies to reject known bad sites, purely based on a site's Web reputation score. Malware has become very sophisticated, with thousands of variants being introduced at any one time. IronPort Web Reputation Filters™ provide an excellent way to counter polymorphic malware attacks that defy signature description. The use of reputation is not limited to connection blocking. Reputation analysis is integrated throughout the IronPort appliance, and is used to vector or steer content to the appropriate scanning engine -- including the new HTTPS inspection engine, as well as the integrated anti-malware system with signatures from McAfee and Webroot. This method results in more efficient and intelligent examination of Web content.

URL Filtering for Acceptable Use

To accomplish the dual goals of increased productivity and limiting potential liability, many corporations have developed acceptable use policies (AUPs) that govern use of the Internet while at work. Many of these policies are implemented via a URL filtering system. The IronPort S-Series contains a world-class URL filtering solution, including detailed reports on end-user Web surfing patterns and more than 50 different categories of websites to control. Using the Web-based policy management tool on the IronPort appliance, it is easy to create and implement LDAP-based acceptable use policies. URL filtering is an effective supplement to IronPort Web Reputation Filters.

Multi-vendor Signature Scanning

The IronPort Dynamic Vectoring and Streaming (DVS) engine™ uses reputation data to guide content through a multi-vendor signature based scan as required. Known bad traffic is blocked, known good traffic is passed through without additional scanning and suspicious traffic is subject to scanning with signatures from multiple security vendors. The IronPort S-Series Web security appliance now supports anti-spyware signatures from Webroot as well as anti-spyware and anti-virus signatures from McAfee.

Advanced Botnet Detection

Threat analysts at IronPort and Cisco have observed an increasing trend towards the Web (and away from email) as the preferred method of malware distribution. As a result, corporations face even more sophisticated botnet infections coming from a variety of different entry points. The IronPort S-Series includes a unique Layer 4 (L4) Traffic Monitor, which analyzes traffic across all ports (not just Web traffic) to identify connections associated with botnet activity on an organization's network. Increasingly, customers are turning to comprehensive systems like Cisco's Self-Defending Network to help detect and block activity associated with botnets within their networks, and launch the appropriate remediation such as Network Access Control (NAC).

Selective HTTPS Scanning

IronPort views HTTPS certificate authority kiting as a "blind spot" in the solutions offered by many Web security devices. Since HTTPS is an encrypted connection between the client and the origin server, security devices in the network typically have no visibility into (or control over) HTTPS traffic. The use of HTTPS on the Internet has been growing steadily, at more than 60 percent per year, driven by legitimate uses such as online banking and commerce. It is very easy to create a new website that may have the appearance of a local bank or commerce site, initiate matching HTTPS connections and then deliver malware to end-users in a format that cannot be analyzed by conventional security systems.

IronPort's Web security appliances are designed to help address this future threat by combining reputation-based vectoring and acceptable use categories to selectively examine HTTPS traffic. The IronPort DVS engine can steer suspicious HTTPS traffic to the on-board encryption/decryption engine. This engine can decrypt the connection, scan for malware and acceptable use characteristics and then (if appropriate) re-encrypt for delivery to the end-user. The use of reputation analysis at this stage is critical. Trusted sites with a positive reputation that are also in the banking, health care or commerce categories are best left encrypted. This helps free the corporation from any potential privacy or liability issues regarding end-user traffic that may contain private financial, health care or credit card information. On the other hand, the use of reputation-based vectoring means that suspicious, unknown sites, self-signed certificates or sites backed by suspicious certificate issuers that may be classified as finance, healthcare or commerce will still be decrypted and scanned to help secure the network. This intelligent use of reputation and acceptable use categorization helps yield optimal security, efficiency and end-user privacy.
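The steering logic described in the "Multi-vendor Signature Scanning" section (block known bad, pass known good, scan the rest) and in the HTTPS section above (leave trusted finance, healthcare and commerce sites encrypted; decrypt and scan unknown sites, self-signed certificates and suspicious issuers even in those categories) can be written down as one policy function. The code below is an added illustration, not IronPort or Cisco code: the -10..+10 reputation scale, the block/trust thresholds, the category names and the sample requests are all assumptions made for the example.

```python
"""Reputation-based vectoring policy, modelled on the press release's description.

Added illustration, not IronPort/Cisco code. The reputation scale (-10..+10),
the thresholds, the category labels and the sample requests are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    BLOCK = "block"                    # known bad: reject at connection time
    PASS = "pass"                      # known good: forward without further scanning
    SCAN = "scan"                      # plaintext HTTP: multi-vendor signature scan
    PASS_ENCRYPTED = "pass-encrypted"  # HTTPS, trusted, sensitive category: never decrypted
    DECRYPT_SCAN = "decrypt-scan"      # HTTPS: decrypt, scan, re-encrypt to the client


# Hypothetical thresholds on the assumed -10..+10 reputation scale.
BLOCK_BELOW = -6.0   # at or below this the site is "known bad"
TRUST_ABOVE = 6.0    # at or above this the site is "known good"

# Categories where end-user traffic is expected to carry private data;
# trusted sites in these categories stay encrypted for privacy/liability reasons.
SENSITIVE_CATEGORIES = {"finance", "healthcare", "commerce"}


@dataclass(frozen=True)
class Request:
    host: str
    reputation: Optional[float]   # None = unknown site with no reputation data
    category: Optional[str]       # acceptable-use category, None if uncategorised
    https: bool = False
    self_signed: bool = False
    issuer_suspicious: bool = False


def vector(req: Request) -> Action:
    """Decide what to do with one request, reputation first, then category and certificate."""
    # Step 1: reputation alone settles the known-bad case for any protocol.
    if req.reputation is not None and req.reputation <= BLOCK_BELOW:
        return Action.BLOCK
    trusted = req.reputation is not None and req.reputation >= TRUST_ABOVE

    # Step 2: plaintext HTTP. Known good passes, everything else is signature-scanned.
    if not req.https:
        return Action.PASS if trusted else Action.SCAN

    # Step 3: HTTPS. A self-signed certificate or a suspicious issuer makes the
    # site suspicious regardless of its category, so it is decrypted and scanned.
    cert_ok = not (req.self_signed or req.issuer_suspicious)
    if trusted and cert_ok:
        if req.category in SENSITIVE_CATEGORIES:
            return Action.PASS_ENCRYPTED
        return Action.PASS
    return Action.DECRYPT_SCAN


def vector_all(requests: List[Request]) -> Dict[str, Action]:
    """Apply the policy to a batch of requests; returns host -> chosen action."""
    return {r.host: vector(r) for r in requests}


# Constructed sample traffic (hosts, scores and categories are made up).
SAMPLE = [
    Request("bank.example", 8.5, "finance", https=True),
    Request("bank-login.example", None, "finance", https=True, self_signed=True),
    Request("shop.example", 7.0, "commerce", https=True, issuer_suspicious=True),
    Request("unknown.example", None, None, https=True),
    Request("news.example", 9.0, "news", https=True),
    Request("badhost.example", -9.0, None),
    Request("cdn.example", 7.5, "infrastructure"),
    Request("forum.example", 1.2, "social"),
]

if __name__ == "__main__":
    for host, action in vector_all(SAMPLE).items():
        print(f"{host:22s} -> {action.value}")
```

The ordering is the point: the reputation check runs before the category check, so a lookalike banking site with a self-signed certificate never benefits from the privacy exemption that a trusted bank in the same category receives.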

Visit for more details.

About IronPort Systems

IronPort Systems Inc., headquartered in San Bruno, California, is a leading provider of anti-spam, anti-virus and anti-spyware appliances for organizations ranging from small businesses to the Global 2000. IronPort appliances utilize SenderBase®, the world's largest email and Web threat detection network and database. IronPort products are innovative and easy-to-use -- providing breakthrough performance and playing a mission-critical role in a company's network infrastructure. To learn more about IronPort Systems products and services, please visit:

Copyright © 2000-2007 Cisco Systems, Inc. All rights reserved. IronPort, the IronPort logo and SenderBase are registered trademarks of Cisco Systems, Inc. All other trademarks are the property of Cisco Systems, Inc. or their respective owners. While every effort is made to ensure the information given is accurate, Cisco does not accept liability for any errors or mistakes which may arise. Specifications and other information in this document may be subject to change without notice.

Contact Information

  • Press / Analysts: If you are a reporter or analyst and want
    more information on IronPort Systems please contact:

    David Oro
    The Oro Group
    Email Contact

    Suzanne Matick
    IronPort Systems
    Email Contact