7/28/2019 Cisco IronPort Infrastructure Security Overview
http://slidepdf.com/reader/full/cisco-ironport-infrastructure-security-overview 1/6
Cisco® IronPort Hosted Email Security combines best-of-breed technologies to provide the most scalable and sophisticated email protection available today. Based on the same industry-leading technology that protects 40 percent of Fortune 1000 companies from inbound and outbound email threats, Cisco IronPort Hosted Email Security allows customers to reduce their on-site data center footprint and out-task the management of their email security to trusted security experts. It provides a dedicated email security infrastructure in multiple, resilient datacenters to enable the highest levels of service availability and data protection.

Cisco IronPort Email Security solutions are designed to ensure the highest levels of security and availability of the hosted infrastructure, from both a physical and a logical access perspective. The design spans aspects like access controls to data center buildings, processes to protect access to customer data, and the availability of the hardware infrastructure. The figure below highlights these aspects.
[Figure: Cisco IronPort Hosted Email Security Infrastructure Security Overview. Panels: Physical Security, Data Center Uptime, Security Operations Center Controls]
PHYSICAL SECURITY

Physical security of the data center is the foundation of a vigilant security infrastructure. Data center security is supported by state-of-the-art surveillance systems, backed by security personnel to ensure the highest levels of physical infrastructure security. This includes:

1. Surveillance System
Along with Cisco's onsite presence, a digital video surveillance system provides for an automated surveillance interface. All fixed cameras are high-resolution color, with auto low-light switching capable of viewing to .01 lux. Pan/tilt/zoom (PTZ) cameras are used on the exterior and areas of sensitivity. All PTZs use up-the-coax protocol for immediate relocation to any current fixed camera location.

Video is recorded at 720x240 pixels at 15 IPS upon motion or 30 IPS upon operator command. Most video channels synchronously record audio. Video is retained for approximately 100 days. The data center deploys an active surveillance system with 24x7 officers operating the camera system using IOU (Identify, Observe and Understand) methodology. The use of IOU increases attentiveness to the monitors and provides a superior video product for investigations. Executive team members have remote access to video via PDA and VPN laptop access. All video is archived in M-JPEG format for a minimum of 90 days.
2. Access Control/Intrusion Detection

All entrances are centrally monitored 24x7x365. The exterior doors were designed and installed for additional protection. They include detection devices, access control and can be independently viewed by fixed cameras. Exterior access points are kept to a minimum, and (in most cases) only one door at each facility can be used for entry or exit. These doors lead into specially-engineered mantraps, constructed of 12 gauge stainless steel and strapped by ¼" aluminum. All access points off the mantrap require the additional biometric authentication of the card holder and mantrap relay logic. Additionally, the mantraps are fitted with a minimum of one fixed camera and audio surveillance of the space.
DATA CENTER UPTIME

The figure on page 3 describes the architecture of the Cisco IronPort Hosted Email Security solution. Highlights of this solution include:

1. Geographically-diverse data centers for disaster recovery
2. SAS 70 Type II certified data centers
3. Network connectivity, power, cooling and bandwidth redundancy within each data center
4. Bandwidth to process up to 20 Gb/sec of network traffic
Cisco IronPort Hosted Email Security employs multiple SAS 70 Type II data centers in an active-active deployment architecture. By pointing multiple MX records to these data centers the solution provides email continuity, even in the event of an unforeseen disaster at one of the data centers. The architecture, which includes multiple data centers, ensures the highest level of availability for the Cisco IronPort Hosted Email Security service.
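The continuity mechanism above rests on how a sending mail server walks a domain's MX records. The following added example (not Cisco's code; hostnames, site labels and the outage are constructed) models that walk per RFC 5321: lowest preference first, equal-preference hosts shuffled for active-active load sharing, and fallback to the next host when one data center is unreachable. It also includes a defender's check that the MX set actually spans more than one site.

```python
"""Model of how multiple MX records give email continuity across two data
centers (added illustration; the hostnames and the outage are constructed)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    preference: int   # lower value is tried first (RFC 5321 section 5.1)
    exchange: str     # mail exchanger hostname


# Constructed MX set: equal preference = active-active across two sites.
# Real records would come from a DNS lookup; these are placeholders.
MX_RECORDS = [
    MXRecord(10, "mx1.dc1.example.invalid"),
    MXRecord(10, "mx2.dc2.example.invalid"),
    MXRecord(20, "mx-backup.dc2.example.invalid"),
]


def delivery_order(records, rng=None):
    """Order exchangers the way a sending MTA does: ascending preference,
    with equal-preference hosts shuffled so load spreads across both sites."""
    if rng is None:
        rng = random.Random()
    by_pref = {}
    for r in records:
        by_pref.setdefault(r.preference, []).append(r.exchange)
    ordered = []
    for pref in sorted(by_pref):
        hosts = by_pref[pref][:]
        rng.shuffle(hosts)
        ordered.extend(hosts)
    return ordered


def deliver(records, reachable, rng=None):
    """Try each exchanger in turn; return the host that accepted the message,
    or None if every site was unreachable (the sender would queue and retry)."""
    for host in delivery_order(records, rng):
        if host in reachable:
            return host
    return None


def data_centers(records):
    """Distinct sites the MX set spans. The site is taken from the second DNS
    label (a constructed convention) so a defender can confirm the published
    records are not all concentrated in one data center."""
    return {r.exchange.split(".")[1] for r in records}


if __name__ == "__main__":
    # Constructed outage: everything in dc1 is unreachable.
    up = {"mx2.dc2.example.invalid", "mx-backup.dc2.example.invalid"}
    print("sites covered:", sorted(data_centers(MX_RECORDS)))
    print("delivered via:", deliver(MX_RECORDS, up))
```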
Each of the data centers has multiple levels of redundancy built into the infrastructure. The first is the network infrastructure that has multiple carrier-grade access routers, distribution switches and POD switches, ensuring that there is no single point of failure. Behind this highly-redundant networking infrastructure, the solution employs multiple dedicated Cisco IronPort email security hardware that is used for mail processing, reporting, tracking and more. To prevent failure and ensure connectivity in the event of an unexpected incident which impacts one of the inputs, the data centers utilize two separate fiber inputs that are physically separated. Additionally, these data centers have the bandwidth capacity to process up to 20 Gb/sec of network traffic.

Most data centers today are faced with severe issues resulting from improper management and control of equipment-generated heat. The data centers are designed with the most advanced designs for space and power in the industry. They have 100 percent power availability, delivered via a very sophisticated power grid architecture that includes primary power circuits and failover power connections, both of which come from two completely separate N+2 power systems. Each of these systems has separate UPS batteries, generators, PDUs, and RPPs, and are delivered to each rack via color-coded receptacles. This ensures consistent uptime for the email security infrastructure that is plugged into the system.
[Figure: Cisco IronPort Hosted Email Security Data Center Architecture. Data Center 1 and Data Center 2, each reached from the Internet through an ISP, with MX entries for both sites. Per site: Utilities Power Entrance #1 and #2, Fiber Entrance #1 and #2, Generator #1 and #2, Multiple UPS Systems, Large Access Routers, Distribution Switches, POD Switches, Email Security Infrastructure. Cooling: Outside Air Cooling (Air Exchange), Chilled Water Cooling (Chilled Towers), Swamp Cooling (Utility Water), Freon Cooling]
As server densities have increased, the demand on cooling systems has grown significantly. Each data center facility has enough primary and backup cooling to ensure that the heat generated by the email security infrastructure is appropriately dissipated and ample backup cooling is available in case of failure with one of the cooling systems. The cooling infrastructure is delivered through Freon, swamp, chilled water and outside air mechanisms.

Specifications of the infrastructure at work in powering the data center are listed below.
1. Power Specifications
- 17 KiloWatts power and cooling per rack
- 120/208V AC and -48V DC available
- 100% generator backup
- Generator capacity designed to 1200 amp, expandable to 10,000 amp
- Multiple 1 to 2 MWatt generators
- Size of fuel tank 1,000 to 2,000 gallons
- Generator both auto start and auto transfer
- Isolation bypass feature on automatic transfer switch
- Minimum 24-hour run time fuel capacity
- Two-hour response for fuel delivery
- UPS backup power
- Voltage output 480 transformed to 120/208 V
- -48 Volt DC battery plant
- 2-hour battery reserve non-redundant, 4 hours redundant
- True A/B power feeds
- Grounding in accordance with NFPA 70

2. Environmental Controls
- Under-floor cooling provided by computer-room grade equipment
- Temperature maintained at 72 degrees F dry bulb at ASHRAE 1%
- 30% to 60% humidity, non-condensing
- Cooling not less than 200 BTU/h per square foot with an N+1 redundancy
- In the event of power interruption, HVAC systems (and entire facility) operate on diesel generators
- Humidity control delivered through ATS/Liebert units via infrared humidifier
SECURITY OPERATIONS CENTER

The Cisco Security Operations Center (SOC) is run by the Cisco Remote Operations Services (ROS) organization. In order to ensure a world-class level of security oversight, Cisco ROS implements continual management and internal auditing of employees, processes and tools. This helps deliver peace of mind to Cisco customers, as well as the highest level of secure service delivery standards.
1. Network Security

With a combination of security devices and applications, adding to a defense-in-depth design, the Cisco SOC uses a layered approach to security. Additional layers include multiple firewalls to control inbound access to Cisco ROS. This strategy allows users to only access information that is legitimate to their purpose (least privilege).

Intrusion detection systems (acting as sensors) are strategically placed throughout the network to monitor traffic and detect security events. Detected events are managed by the Cisco Security Management Service. Intrusion detection is used at various points within the network, monitoring the traffic between the service delivery network and customer networks for suspicious or malicious patterns.

A security event manager provides event and threat correlation of the security devices throughout the service delivery network. Digital certificates are used to secure access to customer web portals and systems that require both internal and external access.
2. Systems Security

Cisco ROS uses multiple controls to ensure the security of managed systems. These include both physical controls and vulnerability detection scans.

a. Physical Controls

Cisco provides photo identification to all employees and contractors, which must be worn visibly within the building. All visitors must obtain a visitor's badge and be escorted within the building.

Entrances to controlled data centers and wiring closets are accessible only from internal corporate space. Access is granted based on business need. Corporate space is also controlled, requiring proper badge access to enter.

Video cameras are located at each building entry and monitored and managed by the 24x7 Security Facilities Operation Center.

Primary power to the facility is provided by the local utility. Backup power is provided to critical areas by standby UPS systems and generators. Backup power systems are routinely checked and tested. Preventive maintenance is performed quarterly and full load tests are conducted annually.

b. Vulnerability Scans

The Cisco ROS service delivery network is routinely scanned to assess risks and vulnerabilities. Results from these assessments are used to create internal IT incident cases for necessary remediation.
[Photo: Cisco Security Operations Center Help Desk]
3. Human Controls

Information security, and the protection of informational assets and intellectual property, begins with awareness and education. To develop and preserve a culture of security, successful organizations recognize that responsibility and accountability resides with all employees.

At Cisco, the executive team has embedded security into corporate initiatives and its code of business conduct, and employees are assimilating security in their daily activities. With employees educated about the importance of security awareness throughout the organization, everyone works together toward the common goal of keeping the company (and its partners and customers) secure.

Human controls are becoming an important aspect of data center security. The aim for these controls is to protect customer data against security threats that may arise from within the service provider. Cisco ROS has a number of different controls in place that help ensure customer data security. Cisco conducts background screenings as part of the hiring process for all full-time and contract employees. Job descriptions outline roles and responsibilities within Cisco ROS, and the rule of least privilege is applied to ensure proper access to customer networks and information.

Additional human controls utilized by Cisco ROS include:

a. Auditing and Testing

Cisco ROS employs a five-step process to mitigate exposure to network-based threats. This process includes utilizing a defined security policy, assessing compliance, monitoring for policy violations, and routinely testing the policy to minimize exposure. The final step includes a routine overview of all identified threats and exposures to improve the overall security of the network.

b. Change Control

Change control is critical to the operation of any IT environment and Cisco ROS service delivery teams. Cisco ROS change control is a partnership with customers to establish proper authorization for requesting, scheduling, implementing and validating all changes within the customer environment.
CONCLUSION

Cisco IronPort Hosted Email Security is backed by state-of-the-art data centers that enable the highest available physical, utility and data redundancy under one roof. The support of the Cisco Security Operations Center provides an additional layer of security, ensuring secure service delivery. Through these means, Cisco is able to offer the highest levels of service availability and data protection.

P/N 435-0255-1 6 /
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices