
Product Assessment: Cisco - IronPort C370
Report Date: January 13, 2011
Analyst: Musich, Paula
Service / Market / Class: Hot Topics, Business Technology and Software, Enterprise Security, Enterprise Security, Secure Messaging

Summary

Current Perspective

The IronPort C370 is threatening to competitors, because the leading e-mail security appliance provides advanced threat prevention, blocks viruses and spam, and enforces corporate e-mail policy. The product, built on the IronPort AsyncOS operating system, includes best-of-breed anti-spam technology, context-sensitive detection capabilities, data loss prevention, onboard e-mail encryption, and solid reputation and scoring intelligence stemming from a broad and diverse customer base.

IronPort, a Cisco business unit since its acquisition in January 2007, is one of the leading providers of e-mail and Web security for customers including ISPs, enterprises, and SMBs, protecting over 400 million mailboxes in more than 30,000 customer accounts worldwide. IronPort is a pioneer in this industry with significant brand recognition. The IronPort C370 is targeted at medium-sized enterprises with 2,000 to 10,000 users, but it can handle traffic for many more depending on mail volumes, making it a very high-performance appliance for the price.

Key strengths include the product's accuracy via the use of IronPort Anti-Spam (IPAS), which leverages IronPort's mature reputation filters, based on SensorBase e-mail traffic monitoring service data. IronPort has extended its e-mail reputation filtering to include Web reputation to provide customers with timely Web information based on the activities of various hosts on the Internet, also leveraging information from SensorBase. In 2008, the company enhanced its Web Reputation filters with the addition of URL Outbreak Detection and Botsite Defense.

In 2009, Cisco added both a managed secure messaging services option and hybrid cloud/premises form factor to its secure messaging line, although uptake has been slower than expected. Although the hosted model is still in its infancy, Cisco believes that a third of the overall secure messaging market will adopt it; the model appeals more to SMBs. Cisco will be challenged, however, to make its service cost-competitive.

Strengths and Weaknesses


Strengths

The IronPort C370 includes solid accuracy through IronPort Reputation Filtering, a leader in the industry that relies on the SensorBase Network security database, based on about 700,000 organizations that track spammers and identify bad URLs. Reputation Filtering often blocks more than 90% of incoming e-mail at the initial connection and without the need for contextual review.

IronPort is addressing customers' compliance requirements through data leakage protection for structured data in motion, integrated encryption, and quarantine capabilities. The DLP add-on, based on market-leading technology from RSA, has been well received by customers, especially in the financial services and medical vertical markets. The DLP option, which complements IronPort's existing encryption, has achieved attach rates of between 32% and 36% per month.

IronPort has made good strides in recruiting partners from Cisco's massive sales channel. With Cisco's backing and the help of its channel partners, Cisco grew its content security revenue in the third quarter of 2010 by 30 percent, according to Infonetics Research, with secure messaging making up about half of that increase.

The IronPort C370 benefits from the consolidated threat correlation provided by Cisco's Security Intelligence Operations. It gathers and correlates threat data from not only Web and messaging security products in the field, but also Cisco IPS and firewall products. That allows Cisco to examine and mitigate a much larger range of threats.

Weaknesses

IronPort does not include instant messaging (IM) protection along with its e-mail security and Web security offering, trailing behind competitors such as McAfee with its Secure Computing/CipherTrust acquisition and best-of-breed secure messaging provider Proofpoint, both of which have been offering IM protection for some time.

IronPort lacks integrated e-mail archiving.

Support in the IronPort C370 for integrated data leakage prevention monitoring was late to market compared to Cisco's primary secure messaging competitors.

IronPort secure messaging appliances are typically more expensive than those of rival vendors.

Point and Counterpoint


Point: Some organizations believe that the best services out there for e-mail security are actually hosted solutions, coming from companies such as Google/Postini and Symantec/MessageLabs.

Counterpoint: What customers are looking for is a managed solution, something on which they do not have to spend time, and IronPort is a managed solution in a box. Be it an appliance form factor, a software form factor, or a hosted service form factor, a bad spam engine is a bad spam engine. If users are spending a lot of time searching through a quarantine and looking for important messages that were lost, then it does not matter if it was an appliance or a service. In either case, that is not a managed solution which is driving down a user's cost and making their business more effective. At the same time, Cisco is working to ramp up its new hosted message security services to exploit the faster growth rates in that form factor.

Point: IronPort's appliance is expensive to manufacture and sell, which presents a competitive opportunity for other companies.

Counterpoint: When users examine the pricing models IronPort has introduced, including the bundles for companies with up to 5,000 users, that is not an issue anymore. IronPort has an appliance that costs $99,950, but that is a carrier-grade platform supporting ISPs with tens of millions of users. For individual companies that price out the product over three years, taking into account the cost of management, subscription costs, hardware, and headcount, IronPort comes out on par with pretty much all the other solutions out there (and definitely with the managed services). In addition, IronPort has the reputation of being a premium product.

Point: Large security vendors competing in this space, such as Symantec, tout a larger, globally based research and response team better able to respond to security threats.

Counterpoint: When it comes to accuracy, IronPort Anti-Spam has low false-positives, but it also has new technology in Web reputation that makes it more effective in stopping things such as image spam, which has been a huge problem for customers. IronPort filters more than 3 trillion messages each month, maintains more than 1 million spamtraps, and manages eight security operations centers worldwide.

Buying/Selecting Criteria
Anti-spamming Functionality

IronPort C370 provides protection from a range of known threats including spam, phishing, and virus outbreak attacks, as well as protection from short-lived/hit-and-run attacks and image spam. The product relies on the best-of-breed IronPort Anti-Spam engine. It includes anti-virus technology from McAfee and Sophos and IronPort's own Virus Outbreak Filters (VOF). IronPort has no plans to add to, subtract from, or otherwise change its AV partners.

IronPort's anti-spam technology is based on the IronPort Reputation Filters, which claim to stop up to 90% of incoming spam at the connection level. The filters are linked to IronPort's SensorBase network security database, which analyzes and scores incoming e-mails' IP addresses before allowing, throttling back, or rejecting the message. SensorBase is a key differentiator because its effectiveness is based on its broad bank of e-mail traffic coming from a large and diverse collection of customers, along with data from thousands of additional contributors. Therefore, while some competitors also use reputation data filtering, IronPort's is considered one of the largest in the industry.

In response to the evolving spam/malware threat, IronPort's Web reputation technology rates Web links in e-mails to increase protection against junk mail and links to malicious sites. The reputation technology performs a number of checks on the Web links included in an e-mail and provides a score, based on IP addresses, host names, and URLs, on information gleaned from SensorBase. IronPort has added what it calls URL Outbreak Detection and Botsite Defense to its Web reputation services.

IronPort was one of the first anti-spam providers to begin including protection from image spam, a continuing threat in the anti-spam battle. Protection is provided through IronPort's Context Adaptive Scanning Engine (CASE), which examines the complete context of a message. The scanning engine protects against rapid start spam attacks.

Architecture

The IronPort appliances are positioned at the network perimeter and powered by IronPort's proprietary operating system, AsyncOS, which allows each appliance to support more than 10,000 simultaneous connections. The operating system is built on a UNIX-based kernel. AsyncOS is designed to allow multiple processes to run in parallel on different processors, allowing the software to exploit advances in multi-core processing. Competing secure messaging platforms run through a single CPU or process at a time and cannot fully exploit the horsepower of multi-core processors.

IronPort includes an update service to ensure the anti-spam appliances are running the most up-to-date anti-spam and anti-virus engines. This eliminates the need for ongoing tuning and maintenance to ensure timely protection. The C370 will also check for operating system updates and provide a simple function to install them.

The IronPort appliances support a unique rate-limiting capability, which strategically slows down suspicious senders, reducing the spam and malware while avoiding the risk of false-positives.

The IronPort C370 starts at $29,950 for hardware, support, and anti-spam updates for one year for 1,000 to 5,000 users. Special pricing is available for government and educational organizations, and three-year contracts are available. Cisco supplements its enterprise-focused C370 appliances with the scaled-down C160 appliance for SMBs as well as new hosted secure messaging services and a hybrid form factor.

Management Features

IronPort C370 is an enterprise networking device, so the product comes with full management capabilities including SNMP support, a full command line interface, and a Web user interface. Additionally, the product uses a unique centralized management feature, which includes a peer-to-peer architecture so users do not need a separate management host. Instead, every unit talks to every other unit, so there is no single point of failure for managing clusters and groups of appliances.

IronPort supports a number of APIs for its mainly large enterprise customer base, in order to ease integration of the appliance into IT management systems. So, for example, customers are able to use Tivoli to monitor the system and provisioning systems for updates. Every function is available through the Web UI as well, and the company has made efforts to make that easier to use with smaller customers in mind.

IronPort provides at least 28 different reports as part of its real-time and centralized reporting capabilities. Reports are comprehensive; so, for example, one formatted report will include information on mail traffic history, composition of traffic (how much was spam, virus, cleaned), and where threats originated. Customers can subscribe to specific reports and review them through the integrated PDF output.

IronPort's E-mail Security Manager includes policy management capabilities, including best practices, providing the ability to write rules on inbound/outbound content based on subject, attachments, keywords, and dictionaries along with the ability to take action on those rules. Administrators can set user and group-level policies. A recent re-architecting of the CASE anti-spam rules engine allowed IronPort to double the performance for rules processing.

The IronPort PXE encryption technology, integrated with content filters in the C-Series, supports encrypted e-mail delivery regardless of the recipient's e-mail client. Although IronPort PXE is an extra-cost add-on to the C-Series appliances, about one third of secure messaging customers buy it.

End users can access the IronPort Spam Quarantine to check and manage messages. Users have the ability to route missed spam directly to the IronPort Threat Operation Center for review using a Microsoft Outlook or Lotus Notes plug-in.

Vendor Support

IronPort provides 24/7 support capabilities through its customer support organizations, delivered through several support centers based around the world. IronPort's support and distribution arms have been drastically broadened since its acquisition by Cisco.

IronPort's Global Threat Operations Center publishes real-time rule updates to help guard against new spam and malware attacks and it includes research data for over 32 different languages. SensorBase data represents about a third of the world's e-mail traffic, according to IronPort, and it represents data from more than 100,000 ISPs, universities, and corporations around the world.

With the launch of its hosted secure messaging service, Cisco introduced an aggressive service level agreement that specifies five-nines availability. Some rivals only offer three-nines availability.

Metrics
Anti-spam Performance
Claimed Effectiveness: >99%
Claimed Accuracy: < .000001%
Email Accounts/Volume Limits: No limits, the system is horizontally expandable and in production at numerous ISPs each with tens of millions of mailboxes

Messaging Security Functionality


Encryption: Yes; includes message-level encryption with IronPort PXE and gateway-to-gateway encryption with TLS controls
DoS Attack Detection and Prevention: Yes, each appliance can handle 10,000 simultaneous connections and tracks and rate limits excessive connections from individual hosts and networks
DHA Attack Detection and Prevention: Yes, directory-integrated recipient validation with rate-limiting and tarpit functionality for DHA connections
SMTP Connection Management: Yes, advanced control for both inbound and outbound SMTP connections

Anti-spam Functionality
Header Analysis: Yes, Context Adaptive Scanning Engine (CASE) takes header composition and content into account when scanning messages.
"Reputation" Filters: Yes, SenderBase reputation data is used both for SMTP connection management and to improve the accuracy and effectiveness of IronPort Anti-Spam. On average, SenderBase Reputation Filters block more than 90% of the spam messages at connection level.
Heuristics: Yes, heuristic rules are generated automatically by machine learning systems and also published by analysts in IronPort's 24x7 Operations Center
URL Filters: Yes, SenderBase powers the next-generation Web Reputation System that tracks not just bad URLs but the infrastructure hosting these URLs
Content Scanning: Yes, message bodies, attachments, and embedded objects are scanned for spam, virus, and policy violations.
Real Time DNS Block List: Yes, block list information is incorporated into SenderBase reputation scores and administrators can choose to add 3rd-party blocklists.
Signatures: Yes, developed both by automatic rule as well as human rule-writers that cover 40+ languages worldwide
Custom Domain Safe/Block Lists: Yes, available on-box or from a centralized console
End User Safe and Block Lists: Yes
Keyword and Phrase Lexicon: Yes, including the ability to weigh different words and phrases appropriately
Bulkmail Checking: Yes, in both CLI and GUI
Bayesian Filtering: Yes, used by the Operations Center for spam engine training and message classification
Tuning necessary: No, all engine tuning is fully managed by IronPort with no work required of local administrators
Block Non-English Spam: Yes, with operational spam feeds from 40+ countries
Languages supported: All languages are supported with no restrictions. Languages in primary markets include: English, Arabic, Armenian, Basque, Belarusian, Bengali, Bulgarian, Catalan, Chinese (simplified & traditional), Croatian, Czech, Danish, Dutch, Estonian, Farsi/Persian, Filipino, Finnish, French, German, Greek, Georgian, Gujarati, Gurmukhi, Hebrew, Hindi, Hungarian, Icelandic, Indonesian, Italian, Japanese, Kazakh, Korean, Macedonian, Marathi, Malay, Norwegian, Polish, Portuguese, Romanian, Russian, Sinhala, Slovak, Slovene, Spanish, Swedish, Syriac, Tamil, Thai, Turkish, Ukrainian, Urdu, and Vietnamese.
Blocks Phishing Messages: Yes, including real-time Web reputation data from SenderBase
Realtime Look-up on Messages: The appliance does one real-time query to collect sender reputation data. All other data is pushed locally to the appliance to optimize performance.
Spam Filter Updates: Every five minutes per the default configuration. The update frequency can be adjusted in the configuration.
Number of New Rules/Day: Over 900,000
Outbound Anti-Spam: Yes, it is included as part of IronPort Anti-Spam.

Message Disposition Options


Message Disposition: Deliver, Drop, Bounce, Quarantine, Annotate Subject, Add Custom Header, Redirect, Archive, Encrypt
Central/Enduser Quarantine: Yes, End-User Quarantine available both on-box as well as on a centralized management appliance
Email Digest Sent to Users: Yes, with configurable templates
Release Quarantine w/Email Digest: Yes, End-User Quarantine available both on-box as well as on a centralized management appliance
Configurable Scoring Sys for Spam: Yes, with scores from 1 to 100 for both Positive and Suspect spam
Configurable at Group/User Level: Yes
Disposition Configurable: Administrator

Anti-virus Filtering
Antivirus Signature Supplier(s): IronPort Virus Outbreak Filters for preventive protection, Sophos and McAfee Anti-Virus for reactive signature-based scanning
Virus Protection: Yes
Virus Filter Updates: Every five minutes per the default configuration. The update frequency can be adjusted in the configuration.
Massmailing Worm Auto Deletion: Yes
Virus Signature Updates: Outbreak signatures and Sophos and McAfee signature updates are updated directly via Cisco IronPort.
Attachment type Filter by Extension: Yes
Emerging Threat Detection: Yes, with IronPort Virus Outbreak Filters (VOF)
Message Content/Subject Filter: Yes
Outbound Anti-virus: Yes, no extra charge

End User Controls


End User Access to Quarantine: Yes, through the e-mail digest or through the Web interface
End User Mgmt of Safe/Block List: Yes, through the e-mail digest or through the Web interface
End User Mgmt of Spam Policy: End users can whitelist and blacklist certain e-mail addresses or domains and report spam that got through.
E-mail Aliases Supported: Yes, including support for LDAP aliasing

Administration
Policy Control Levels: Yes, all spam, virus, DLP, content, and remediation policies can be applied on a per-domain, group, or individual level through Email Security Manager.
Event-driven Alerts: Yes, through email and SNMP
Multiple servers/Single Mgmt Console: Yes. IronPort's Centralized Management uses a peer-to-peer architecture that eliminates any risk of a single point of failure for management
GUI Web-based Mgmt Console: Yes, as well as a full command line interface (CLI)
Multiple Administrator Roles: Yes
Directory Support: LDAP/Active Directory supported for recipient validation, mail policy control, address rewriting, and mail routing
Automated/Manual Directory Update: Directory requests are made automatically as needed and cached locally
Service Failover across Multiple Servers: Yes, through DNS MX records
Proprietary MTA or 3rd Party: Proprietary AsyncOS MTA

Authentication Support
SPF Support: Yes, for both inbound and outbound mail. Plus, SenderBase incorporates e-mail authentication data into its reputation scores.
Sender ID Support: Yes, for both inbound and outbound mail. Plus, SenderBase incorporates sender ID data into its reputation scores.
Domain Keys Support: Yes, for inbound and outbound mail, both DomainKeys and DKIM. Plus, SenderBase incorporates e-mail authentication data into its reputation scores.
Content Compliance: Yes, configurable through Content Filters and applicable at a domain, group, and individual level

Content Filtering
Customize Content Filters: Yes
E-mail Part Inspection: SMTP connection, envelope, headers, body, attachments, and embedded objects
Attachment Filters (Content/File Type): Both
Dictionary Filters: Yes
Custom Disclaimers: Yes
Attachment Blocking: Yes
Archiving: Yes
Notifications: Yes
Outbound Content Filtering: Yes, no extra charge

Reports

Stored Reporting Data: Yes
Default Reports Available: 26 integrated reports tracking over 120 different parameters
Published/Emailed Reports: Both, including PDF export
Database Type Supported: Embedded database for storage on the appliance, with APIs to retrieve data and store in any external storage
Single Database for Multi Servers: Yes, using the IronPort M-Series Appliance
Report Aggregation (All Servers): Yes
Automatic Report Generation: Yes
Support for Auto-export of Logs: Yes, through FTP, SCP (push and pull), or Syslog

Product Delivery Model


Form Factor: Appliance, cloud-based offering, hybrid
Other Form Factor Availability: No
Appliance Models: C160 - $6,950, up to 1000 users; C370 - $29,950, 1,000 to 5,000 users; C670 - $69,950, over 5000 users; X1070 - $99,950, carrier-grade platform. Sizing varies by customer traffic patterns. Bundle pricing available for up to 5,000 users; discounts available for educational and government customers.
Appliance Operating System: IronPort AsyncOS
Hardware Manufacturer: Dell
Operating Systems on Software: N/A

Pricing
Price of Update Service Included: Yes
Major Product Upgrades Included: Yes
2-year List Price for 1,000 Users: Contact IronPort, pricing sold in 1 or 3 year increments
Anti-virus Pricing for Above: Contact IronPort, pricing sold in 1 or 3 year increments
2-year List Price for 5,000 Users: Contact IronPort, pricing sold in 1 or 3 year increments
Anti-virus Pricing for Above: Contact IronPort, pricing sold in 1 or 3 year increments
Other Options Available: Per-user, per-year modules include: IronPort Anti-Spam, Virus Outbreak Filters, Sophos AV, McAfee AV, Image Analysis, Multiscan, and Email Encryption. Also optional are spare appliances, training, and support.

Support & Maintenance


Length of Warranty/Maintenance: One-year warranty; ongoing support covers hardware issues and software upgrades
24/7/365 Support: Yes
Response Centers Worldwide: Yes

Infrastructure
Number of Honeypot Email Accounts: More than 1 million
Total Messages Filtered per Month: 3 trillion
Number of Operations Centers: Eight

All materials Copyright 1997-2011 Current Analysis, Inc. Reproduction prohibited without express written consent. Current Analysis logos are trademarks of Current Analysis, Inc. The information and opinions contained herein have been based on information obtained from sources believed to be reliable, but such accuracy cannot be guaranteed. All views and analysis expressed are the opinions of Current Analysis and all opinions expressed are subject to change without notice. Current Analysis does not make any financial or legal recommendations associated with any of its services, information, or analysis and reserves the right to change its opinions, analysis, and recommendations at any time based on new information or revised analysis. Current Analysis, Inc. 21335 Signal Hill Plaza, Second Floor, Sterling, VA 20164 Tel: 877-787-8947 Fax: +1 (703) 404-9300

Current Analysis, Inc. 2 rue Troyon, 92316 Sevres Cedex, Paris, France Tel: +33 (1) 41 14 83 17 http://www.currentanalysis.com
