Data SheetCisco IronPort S-Series Web Security AppliancesThe industry’s best secure web gateway for acceptable use policy enforcement,malware protection, data security, and application visibility and control.IntroductionThe web has become the ubiquitous platform for application delivery in the enterprise, whether that isbrowser-based application platforms such as or Google Apps, or rich-media applications such as Apple iTunes or Cisco WebEx meeting applications using web protocols as a widely available transport in andout of enterprise networks.Threat writers, attracted by this ubiquitous access, have shifted malware attacks largely to the web, resulting innear-epidemic threat levels. Traditional defenses are proving to be inadequate against rapidly changing webbased malware, leaving corporate networks exposed to the inherent danger posed by these threats andemphasizing the importance of a robust, secure platform to protect the enterprise network perimeter from suchthreats.Increasing employee mobility - largely enabled by web-based applications - offers productivity benefits forbusinesses and flexibility for users. However, this has also introduced significant security challenges, asorganizations must find ways to extend security and policy enforcement to mobile users. The Cisco IronPort S-Series Web Security Appliance is the industry’s first and only secure web gateway (Figure1) to combine acceptable-use-policy (AUP) controls, reputation filtering, malware filtering, data security, andapplication visibility and control on a single platform to address these growing risks. By combining innovativetechnologies, the Cisco IronPort S-Series helps organizations address the growing challenges of both securingand controlling web traffic whether their employees are tethered to a corporate LAN or sitting in an airport on theirsmartphones. 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 1 of 1

Figure 1.Secure Web Gateway: A Comprehensive Security Solution to the Business Challenges of the WebCustomers enjoy low total cost of ownership (TCO), because these powerful applications are integrated andmanaged on a single appliance. Robust management and reporting tools deliver ease of administration, flexibility,and control, as well as complete visibility into policy- and threat-related activities.The Cisco DifferenceCisco IronPort email and web security products are high-performance, easy-to-use, and technically innovativesolutions designed to secure organizations of all sizes. Built for security and deployed at the gateway to protectthe world’s most important networks, these products enable a powerful perimeter defense. By taking advantage of Cisco Security Intelligence Operations (SIO) intelligence and global threat correlation,Cisco IronPort appliances are smarter and faster. Their advanced technology enables organizations to improvetheir security and transparently protect users from the latest Internet threats.FeaturesInnovative Security Platform That Delivers Protection, Performance, and AccuracyCisco IronPort Web Security Appliances help enterprises secure and control web traffic by offering multiple layersof malware defense on a single, integrated appliance. These layers of defense include Cisco IronPort WebReputation Filters, Adaptive Scanning, multiple antimalware scanning engines, and the Layer 4 Traffic Monitor,which detects non-port-80 malware activity. The Cisco IronPort S-Series is also capable of intelligent HTTPSdecryption, so that all associated security and access policies can be applied to encrypted traffic.A fast web proxy is the foundation for security and AUP enforcement on the Cisco IronPort S-Series. It allows forcomprehensive content analysis, which is critical to accurately detect rapidly mutating web-based malware. Powered by the proprietary Cisco IronPort AsyncOS operating system, the web proxy includes an enterprisegrade cache file system. This system efficiently returns cached web content through intelligent memory, disk, andkernel management - easily ensuring high performance and throughput for even the largest networks.Industry-Leading Acceptable Use EnforcementCisco IronPort Web Usage Controls, available on all Cisco IronPort S-Series Web Security Appliances, provideindustry-leading visibility and protection from web use violations through a combination of list-based URL filtering 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 2 of 12

and real-time dynamic categorization. This innovative solution is powered by Cisco SIO, which uses global Internettraffic visibility and analysis to target categorization efforts and provide timely updates, maximizing URL list-basedefficacy.Cisco IronPort Web Usage Controls include both the category of the content and the application in use as part ofthe policy controls available to administrators. In addition to simply blocking or allowing applications by type orindividually, administrators can apply deeper controls to particular application types. For instance, administratorscan control the “safe search” settings on major search engines such as Google or Bing, as well as user-generatedcontent sites such as YouTube or Flickr. Or limit bandwidth consumed by streaming-media applications to controlcongestion. Or allow chat through web instant messenger, but disallow file sharing.Category, application, and protocol control are facilitated at a granular level, regardless of the protocol orapplication flowing through the network perimeter. Intelligent HTTPS decryption inspects encrypted data forsecurity or AUP violations. The Cisco IronPort S-Series brings all of these capabilities together to provide a singletouch point for administrators who want to control the data entering and leaving their networks (Figure 2).Figure 2.The Cisco IronPort S-Series Combines Revolutionary Technologies to Provide Multilayered Web Security on aSingle ApplianceMultilayer, Multivendor Malware Defense in DepthCisco Security Intelligence Operation (SIO) is an advanced security infrastructure that provides threat detection,correlation, and mitigation to continuously provide the highest level of security for Cisco customers. Using acombination of threat telemetry, a team of global research engineers, and sophisticated security modeling, CiscoSIO enables fast and accurate protection, allowing customers to securely collaborate and embrace newtechnologies.Cisco SIO is a sophisticated security ecosystem consisting of three components: Cisco Sensor Base: The world’s largest threat-monitoring network captures global threat telemetry datafrom a massive footprint of Cisco devices. Threat Operations Center: A global team of security analysts and automated systems extracts actionableintelligence. Dynamic updates: Real-time updates automatically delivered to security devices, along with best practicerecommendations and other content, help customers track threats, analyze intelligence, and ultimatelyimprove their organization’s overall security posture. 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 3 of 12

The industry’s first and most accurate web reputation filters provide a powerful outer layer of malware defense.Using the intelligence gained from Cisco SIO, Cisco IronPort Web Reputation Filters analyze more than 200different web traffic-and network-related parameters to accurately evaluate the trustworthiness of a URL or IPaddress. Cisco IronPort Web Reputation Filters examine every request the browser makes (from the initial HTMLrequest to all subsequent data requests) - including live data, which may be fed from different domains. Thiscomprehensive examination gives these filters a unique advantage over those of other vendors that reduce webreputation to a simple URL filtering category.Cisco IronPort Web Reputation Filters are the industry’s only reputation system to include botnet protection, URLoutbreak detection, and exploit filtering - protecting users from exploits delivered through cross-site scripting(XSS), cross-site request forgery, Structured Query Language (SQL) injections, or invisible iFrames. The powerbehind this revolutionary reputation technology comes from the pattern-based assessment techniques and perobject scanning capabilities of the system. 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 4 of 12

Cisco IronPort Adaptive Scanning is a new content scanning logic feature on the Cisco IronPort S-Series. Thisnew security feature greatly increases the catch rate for malware embedded in images and in JavaScript, text, andFlash files. Adaptive Scanning intelligently selects scanners after analyzing content type and risk profile, resultingin up to 50% higher efficacy in blocking malware.Adaptive Scanning is an additional layer of security on top of Cisco IronPort Web Reputation Filters, whichanalyze more than 20 billion web transactions daily. Cisco IronPort Web Reputation Filters examine over 150different characteristics (such as domain registration information, use of dynamic IPs, traffic volumes, and patternsin the URL being requested) to determine the risk profile of a given URL and assign a web reputation score.Cisco IronPort’s antimalware capabilities give the Cisco IronPort S-Series the distinction of being the first solutionon the market to offer multiple antimalware scanning engines on a single, integrated appliance. Moreover, anadministrator can run these scanning engines simultaneously to enable greater protection against malwarethreats, with little-to-no performance degradation. This system takes advantage of verdict engines from Sophos,Webroot, and McAfee to provide best-of-class protection against the widest variety of web-based threats, rangingfrom adware, browser hijackers, phishing, and pharming attacks to more malicious threats such as rootkits, Trojanhorses, worms, system monitors, and keyloggers.These engines from Sophos, Webroot, and McAfee are fully integrated into the Cisco IronPort Web SecurityAppliances. Sophos offers award-winning protection against known and unknown threats using its Genotype andBehavioral Genotype Protection. The Sophos Genotype virus-detection technology proactively blocks families ofviruses, and Behavioral Genotype Protection automatically guards against zero-day threats by analyzing thebehavior of the code before it executes - offering protection from new and existing viruses, Trojan horses, worms,spyware, and other adware. The Webroot scanning engine, backed by a threat research team at Webroot,performs both request- and response-side scans. Efficacy and coverage are strengthened by Phileas (the firstautomated spyware detection system), which identifies existing and new threats by intelligently scanning millionsof sites daily. The McAfee scanning engine is backed by Avert Labs, the world’s top threat research center.The McAfee database includes both virus and malware signatures and can be configured to perform bothsignature- and heuristics-based scanning.Cisco IronPort S-Series Web Security Appliances provide an integrated, single-appliance solution with multipleantimalware scanning engines from different vendors. The appliances employ sophisticated object parsing andstreaming techniques to enforce AUPs and security features for web traffic, and simultaneously use hardwareoptimizations (such as multicore scanning) to distribute these parallel operations and take full advantage of thesystem resources. The result is a tenfold improvement in performance when compared to first-generationscanning solutions.HTTPS decryption enables the Cisco IronPort S-Series to enforce acceptable use and security policies overHTTPS-decrypted data. This solution is the first to use web reputation and URL filtering to make HTTPSdecryption decisions.For example, a banking site can be bypassed for HTTPS decryption - unless its web reputation score is low, inwhich case the HTTPS connection is decrypted to scan content for malware, or is blocked outright. With thisability, administrators no longer have to sacrifice security for privacy.Even with the best defenses in place, it is inevitable that some threats will still be present in the network. That iswhy the S-Series includes an integrated Layer 4 Traffic Monitor, which scans all ports at wire speed, detecting andblocking spyware phone-home activity. By tracking all 65,535 network ports, the Layer 4 Traffic Monitor effectively 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 5 of 12

stops malware that attempts to bypass port 80. In addition, the Layer 4 Traffic Monitor can dynamically add IPaddresses of known malware domains to its list of ports and IP addresses to detect and block. Using this dynamicdiscovery capability, the Layer 4 Traffic Monitor can monitor the movement of malware in real time - even as themalware host tries to avoid detection by migrating from one IP address to another.Powerful Data Security EnforcementData security and data-loss prevention (DLP) empower organizations to take quick, easy steps to enforcecommonsense data security policies; for example, preventing engineers from sending design files by webmail,blocking uploads by finance staff of Microsoft Excel spreadsheets larger than 100 KB, or preventing posts ofcontent to blogs or social networking sites. These simple data security policies can be created for outbound HTTP,HTTPS, and FTP traffic.For enterprises that have already invested in special-purpose DLP systems, the Cisco IronPort S-Series offers anoption to interoperate with DLP vendors through the Internet Content Adaptation Protocol (ICAP). By directing alloutbound HTTP, HTTPS, and FTP traffic to the third-party DLP appliance, organizations can allow or block basedon the third-party rules and policies. This scenario also enables deep content inspection for regulatory complianceand intellectual property protection, incident severity definition, case management, and performance optimization.Native FTP protection allows Cisco IronPort S-Series Web Security Appliances to provide complete visibility intoFTP usage, enforcing acceptable use and data security policies and preventing malware infections. Acting as anFTP proxy, the Cisco IronPort S-Series enables organizations to exercise granular control, including the ability toallow or block FTP connections, perform active-passive FTP mediation, restrict users or groups, control uploadsand downloads, and restrict sent and received files to certain types or sizes.Additionally, S-Series appliances can use Cisco IronPort Web Reputation Filters to score FTP servers and scandownloaded content for malware and spyware payloads. This FTP protection enforces simple, commonsense datasecurity policies based on file metadata, user, URL category, and reputation (Figure 4). Alternately, FTP traffic canbe passed to an external DLP solution for additional, more granular, scanning.Figure 3.Cisco IronPort Web Security Manager Makes It Easy to Create Different Sets of Policies for Each Group of Users 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 6 of 12

Figure 4.Native FTP Protection Enables Complete Visibility into FTP Usage - Enforcing Acceptable Use and Data SecurityPolicies, and Preventing Malware InfectionsCisco AnyConnect Secure Mobility for Borderless NetworksThe Cisco Borderless Network Architecture integrates security into the distributed network to address today’ssecurity requirements. This approach takes advantage of exceptional threat intelligence, a broad solution portfolio,and strategic partnerships and services to extend security to the right people, devices, and locations, enablingcustomers to build solutions to meet evolving business challenges. One important component of this architecture is Cisco AnyConnect Secure Mobility. This solution combines thenext-generation remote access capabilities of Cisco AnyConnect with the web security capabilities of the S-Seriesto provide mobile users with always-on, secure access to corporate resources while ensuring constant malwareprotection and policy enforcement.The Cisco IronPort S-Series includes support for Cisco AnyConnect Secure Mobility. Employees connecting withthe Cisco AnyConnect VPN Client will experience an always-on, unobtrusive remote-access connection thatextends web security enforcement to the mobile device.Single Sign-On to Software-as-a-Service ApplicationsIn addition to users moving outside the traditional enterprise security boundary, critical business applications areincreasingly being served from external servers. Enterprises are adopting software-as-a-service (SaaS) at highrates, whether it is collaboration services such as Cisco WebEx meeting applications or online application suitessuch as Google Apps or Zoho.A major challenge with adoption of these services is managing user authentication and entitlements.Administrators want to control which users have access to which services, and control their access rights withineach service. They also want the ability to revoke access in a timely fashion when a user leaves the organization.Employees need to remember multiple usernames and passwords, a problem they often solve by writing down thecredentials in clear text, compromising security. These problems become especially difficult as the SaaS servicesproliferate.The Cisco IronPort S-Series includes a standards-based authentication mechanism to bring this under control.The appliance signs onto the target website on behalf of the employee, using the Security Assertion MarkupLanguage (SAML) 2.0 standard. This process uses the employee’s credentials and access rights stored in thecorporate user directory, either Active Directory or Lightweight Directory Access Protocol (LDAP).Administrators retain control over access rights, and employees get a transparent experience by using thecorporate username and password for accessing all applications. The Cisco IronPort S-Series also offerstransparent user identification for Active Directory, which allows increased flexibility for identifying end users inenvironments using Active Directory for end-user authentication. 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 7 of 12

When combined with Cisco AnyConnect Secure Mobility, this capability gives your employees anytime, anywhereaccess to corporate resources - whether hosted within the organization or on external servers - without sacrificingcontrol or security. SaaS applications are accessible only through the corporate infrastructure, regardless ofdevice or location.Comprehensive Management and Reporting CapabilitiesCisco IronPort Web Security Manager provides a single, easy-to-understand view of all access and securitypolicies configured on the appliance. Administrators manage all webaccess policies (including URL filtering,time-based policies, reputation filtering, and malware filtering) from a single location. Additionally, administratorscan mix and match client-based criteria (for example, client IP address, authenticated username, etc.) anddestination-based criteria (for example, URL, URL category, proxy port, etc.) to flexibly determine when each setof policies is applied.On-box web reports offer valuable insight into overall web activity within corporate networks, as well as threatidentification and prevention. These reports provide actionable information in realtime, as well as historical trends(Figure 5). Enhanced reporting gives enterprises visibility into policy and security violations.Figure 5.Native FTP Protection Enables Complete Visibility into FTP Usage - Enforcing Acceptable Use and Data SecurityPolicies, and Preventing Malware Infections 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 8 of 12

Multiple deployment modes enable flexibility within a corporate network. Modes include deployment as an explicitforward proxy for the network or transparent deployment of a Layer 4 switch or a Web Cache CommunicationsProtocol (WCCP) router within the network. Each Cisco IronPort S-Series Web Security Appliance can beconfigured as a standalone proxy or it can coexist with other proxies (such as in a proxy hierarchy for conditionalrouting, failover, and load balancing).Enterprise-grade Simple Network Management Protocol (SNMP) facilitates hands-off monitoring and alerting forkeysystem metrics, including hardware, performance, and availability. Support for SNMPv1, 2, and 3, along with acomprehensive enterprise-class alert engine, helps ensure oversight for all system parameters - includinghardware, security, performance, and availability.Integrated authentication through standard directories (such as LDAP or Active Directory) and the ability toimplement multiple authentication schemes (such as Windows NT LAN Manager [NTLM]) lets enterprises deploythe Cisco IronPort S-Series transparently, while taking advantage of preexisting authentication and access controlpolicies within their networks. Features such as multirealm authentication (which enables authentication againstmultiple authentication domains) provide flexible failover scenarios and multiorganization deployments.Cisco IronPort S-Series Web Security Appliances also enable coaching to allow the organization to educateemployees on corporate acceptable use and security policies, restricted guest access for visitors, andreauthentication for privilege override in real time. Given the diversity of ways in which group information is storedin user directories, the Cisco IronPort S-Series supports obtaining group information from a group object as wellas from an attribute in the user’s profile. These features offer increased flexibility and richness in policy andauthentication to meet the requirements of sophisticated enterprises.Extensive logging allows enterprises to keep track of all web traffic, whether benign or malicious. Standard logformats, such as Apache or Squid, provide the ability to specify custom log formats consistent with enterpriselogging policies. Administrators can enable, disable, and set log subscriptions, or set log rollover and size limitsbased on log types.In addition to the Apache and Squid log file formats, the Cisco IronPort S-Series supports the World Wide WebConsortium (W3C)-standard Extended Log File Format (ELFF). This format allows administrators to use manythird-party log analyzer tools, and also enables the generation of customized logs for various audiences; forexample, separate logs for IT, human resources, and top management - each with a customized set of loggingfields.BenefitsSingle Appliance Security and Control: The Cisco IronPort S-Series offers a single appliance solution to secureand control the three greatest web traffic risks facing enterprise networks: security risks, resource risks, andcompliance risks.Mitigation of Malware Risks and Costs: With malware infecting approximately 75 percent of corporate desktops,overhead for managing infected desktops, ensuring minimal downtime to employees, and minimizing the risk ofinformation leakage is considerable. The Cisco Ironport S-Series mitigates this risk by significantly reducing, if notaltogether eliminating, malware from the enterprise. 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 9 of 12

Reduced Administrative Costs: By stopping these threats at the network perimeter with the Cisco IronPortS-Series, enterprises can significantly reduce the administrative costs, prevent attacker phone-home activity onnetworks, reduce support calls, enhance worker productivity, and also eliminate the business exposure thataccompanies these threats.Complete, Accurate Protection: Cisco IronPort S-Series appliances are designed to address the broadest range ofweb-based malware threats, including those from the use of FTP and dynamic Web 2.0 sites. A multilayereddefense that includes Cisco SIO, Cisco IronPort Web Usage Controls, Cisco IronPort Web Reputation Filters, andCisco IronPort Adaptive Scanning helps ensure industry-leading accuracy.This multilayered protection is based on a comprehensive content-application-layer inspection, as well as networklayer pattern detection, checking both inbound and outbound activities. These innovations make the CiscoIronPort S-Series one of the industry’s most secure web gateways.Enforcement of Acceptable Use Policies: By implementing acceptable use web policies, enterprises can bothconserve resources for work-related web usage and inform employees to help shape web access behavior overtime (Figure 6). Enterprises can increase the amount of time that employees spend on business-orientedactivities, reducing misuse of enterprise networks and bandwidth.Figure 6.The Cisco IronPort S-Series Layers Additional Capabilities on Top of URL Filtering to Provide Richer Controls forWeb Application UsageSimplified Data Security: The data-loss problem extends well beyond malware. Employees can easily use webmailto send a message containing proprietary information, post confidential data on social networks and blogs, ortransfer financial documents over FTP to a server outside the corporate network. Making sure that sensitive datadoes not leave the corporate boundary - while allowing employees to take advantage of the full power of theInternet - is an important and challenging problem to solve.Cisco IronPort S-Series Web Security Appliances enable organizations to take quick, easy steps to enforcecommonsense data security policies for outbound HTTP, HTTPS, and FTP traffic, as well as enabling simpleinteroperability with major dedicated DLP solutions.Mobile Security Across Borderless Networks: The Cisco AnyConnect Secure Mobility solution supports a widerange of desktops and mobile devices, helping ensure that web security continues to be enforced as employeeschange the devices they use. By using a standardized security solution for employees whether they are in theoffice or mobile, IT can also streamline security operations for a compelling TCO. 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 10 of 12

SaaS Access Controls: The Cisco IronPort S-Series uses a standards-based authentication mechanism to bringsign-on under the control of your enterprise. Referencing the employee credentials and access rights stored in thecorporate user directory, administrators retain control over access rights, and employees get a transparentexperience using their corporate username and password to access all applications.Reporting Visibility: Cisco IronPort S-Series appliances deliver real-time and historical security information,allowing administrators to quickly understand web traffic activity. Real-time reports let administrators identify andtrack factors such as policy and security violations as they occur. Historical reports allow administrators to identifytrends and report on efficacy and return on investment (ROI).Enterprise-Scale Performance: The Cisco IronPort S-Series scales to meet the unique scanning needs of webtraffic, thereby helping ensure that the employee’s experience is maintained. Cisco offers industry-leadingperformance through its proprietary AsyncOS platform, an enterprise-grade web proxy and cache file system, andan intelligent, multicore engine for rapid content scanning.Consequently, the Cisco IronPort S-Series can address the capacity requirements of even the largest ofenterprises.Low TCO: Traditional solutions typically require multiple appliances or servers to protect against security,resource, and compliance risks. Unlike other solutions, the Cisco IronPort S-Series provides a single platform thatcontains a complete, in-depth defense - along with all the necessary management tools - significantly reducinginitial and ongoing TCO.Reduced Administrative Overhead: Designed to minimize administrative overhead, Cisco IronPort S-Series WebSecurity Appliances offer easy setup and management with an intuitive GUI, support for automated updates, andcomprehensive monitoring and alerting. The solution is easy to deploy and can be configured to match corporatespecific policies.Product LineThe Cisco IronPort web security product line address issues faced by organizations ranging from smallbusinesses to the Global 2000.Cisco IronPort S670: For organizations above 10,000 users.Cisco IronPort S370: For organizations with 1,000 to 10,000 users.Cisco IronPort S170: For small businesses and organizations with up to 1,000 users.Table 1.Model-Dependent Specifications for the Cisco IronPort S-Series Web Security ApplianceCisco IronPort S670Cisco IronPort S370Cisco IronPort S170Form Factor2U2U1RUDimensions (H x W x D)3.5 x 17.5 x 26.8 in.3.5 x 17.5 x 26.8 in.1.75 x 17.5 x 21.5 in.Power Supply870W, 100/240V870W, 100/240V345W, 100/240VRedundant Power SupplyYesYesNoCPUs2x4 (2 Quad Cores)1x4 (1 Quad Core)1x2 (1 Dual Core)RAID Level & ControllerRAID 10, HardwareRAID 10, HardwareRAID 1, SoftwareMemory8 GB4 GB4 GBChassisProcessor Memory and Disks 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.Page 11 of 12

Cisco IronPort S670Cisco IronPort S370Cisco IronPort S170Disk Space2.7 TB1.8 TB500 GBHot Swappable Hard DiskYesYesYesEthernet5 Gigabit NICSs, RJ-455 Gigabit NICSs, RJ-455 Gigabit NICSs, RJ-45Speed (mbps)10/100/1000, Auto-Negotiate10/100/1000, Auto-Negotiate10/100/1000, Auto-NegotiateDuplexHalf or Full, Auto-NegotiateHalf or Full, Auto-NegotiateHalf or Full, Auto-NegotiateSerial1xRS-232 (DB-9) Serial1xRS-232 (DB-9) Serial1xRS-232 (DB-9) on, Logging, and MonitoringWeb

Cisco IronPort email and web security products are high-performance, easy-to-use, and technically innovative solutions designed to secure organizations of all sizes. Built for security and deployed at the gateway to protect the world's most important networks, these products enable a powerful perimeter defense.