Update on Cisco/IronPort S-Series

IronPort is now part of Cisco's Security Technology Business Unit. It's still operating as a largely independent unit. IronPort's main business is still its C-Series anti-spam appliances, although its Web filtering business (i.e., the S-Series) is also important.

General availability for the S-Series appliance was 1Q07.

Technology Summary

  • Scans Web traffic (unlike the C-Series, which scans email).
  • Filters out "bad" URLs and IP addresses.
  • Spyware control.
  • Blocks malicious phone-home software.
  • Blocks malware in general.
  • Filters viruses and malware using conventional file signatures.
  • Initial filtering done using SenderBase reputation service.
  • S-Series is expected to generate about $100M of revenues for July 2008 to June 2009.
  • The latest announcement is for exploit filtering. This is where the bad guys insert a Trojan at a trusted Web site, such as Amazon or Hotmail or your bank's Web site, and which users thus unsuspectingly download.
  • McAfee signatures are built in for virus control, and Webroot is used for URL fitering.

Typical Pricing

  • Lowest-end appliance is around $7,000.
  • For 1,000 users in a single location, customers generally opt for a dual appliance bundle for active-active redundancy. This bundle includes two IronPort S-Series appliances, IronPort URL Filtering, IronPort Web Reputation, and IronPort Anti-Malware Filters. All bundles include IronPort reporting software and Platinum Support. The two appliances, with three years of service, cost $128,320 list.

Main Competition

Main Competitive Strengths as Perceived by IronPort

  • Use of reputation service; this is a very reliable and computationally inexpensive process.
  • Better throughput on a given device.
  • Web and email threat control consolidated onto a single appliance.
  • Filtering for phone-home software.

Other Comments

  • IronPort's focus is on email and Web threat control. Other Cisco products provide for the control of other types of electronic information, such as instant messaging and data at rest.
  • However, integrating the different control technologies is difficult.
  • Unified management across many different threat vectors would also be of great value.

... David Ferris

One Comment

  1. Barry Fisher
    Posted October 15, 2008 at 11:00 PM | Permalink

    CORRECTION: The S-series uses a OEM signature-based engine for anti-spyware licensed from Webroot, in addition to McAfee for anti-virus. It optionally uses a OEM SurfControl URL-based database for Web filtering. Websense maintains this smaller, less granular, less updated and less security-focused URL database as part of our acquisition of SurfControl to provide to existing SurfControl technology partners wanting to bundle Web fitlering capabilities alongside other features.

  2. EM
    Posted October 16, 2008 at 12:12 AM | Permalink

    Few comments in regards to any analysis done on technology products, especially security ones:

    1. It is not sufficient to bring up the company perspective (marketing material), each product
    should be tested and be compared to competing products.

    2. I think the analysis is missing the real technical perspective, does the solution have any proactive security approach, how good is the reputation technology in handling today’s eCrime (see Websense new approach or Finjan’s or Secure Web approach in dealing with Today’s threats – real-time analysis of the code), this is especially important when you have high percentage of legitimate web sites being hacked (see Websense , Sophos threats reports)

    In regards to IronPort product’s functionality:

    1. Reactive security approach, based on signatures & databases (which means false negative)
    2. Weak Centralized management offering
    3. Weak reporting & logging offering
    4. Expensive solution especially for SMBs

    My two cents,

  3. Dalton Hamilton
    Posted October 6, 2009 at 3:14 PM | Permalink

    IronPort Web Security Appliance now has it own URL Category database called Web Usage Controls. WUC also does dynamic categorization for urls that are not categorized with a delay/latency added of only 30 milliseconds. Obviously realtime categorization cannot be confident on 100% of all uncategorized urls but probably 80%. IronPort also now has Centralized Mgmt with Role-Based admin from the M-Series. Centralized reporting can be done today with Sawmill for IronPort and a major upgrade of their reporting is being worked and is due 1st half of 2010 and will run on their M-Series also. In other words, their technology works, their reputation system is extremely accurate and makes this device a huge asset in terms of letting your users browse with a level of security protection that no other vendor can provide. If you’re looking for security with excellent URL Filtering, the IronPort can’t be beat.

  4. Posted October 23, 2009 at 10:33 PM | Permalink

    CORRECTION TO BARRY! Dalton is correct. Cisco’s Web Usage Controls means that have binned the Surfcontrol Database and now relased their own far more effective version. And EM’s analysis is also incorrect. Cisco’s Web Reputation technology uses is absolutely about proactively blocking sql injections attacks into “legitimate” sites. Keep up chaps !

Post a comment

You must be logged in to post a comment. To comment, first join our community.