Re: Cisco IronPort

[Jesse Thompson <jesse.thompson () DOIT WISC EDU>]

Phishing is a difficult problem for anti-spam vendors to solve since 
phishing campaigns are frequently targeted specifically at your domain. 
 It's not realistic to rely on a vendor (or outsourced provider) to 
have a one-stop solution to the phishing problem.

We've seen cases of the phishers gaining access to a local account and 
sending test emails to the account until they find a message that gets 
through.  It's like expecting your desktop A/V to protect you from a 
hacker that already has an account on your computer; eventually they 
will root it.

This is an area that you will need quality staff to devise solutions 
that incorporate local policy and manual intervention.  Yes, this also 
applies if you outsource your email since Google and Microsoft do not 
deal with this problem, and if you look at the APER list you will see 
that they are a big source of the problem.

You will want to find a product that is powerful and flexible.  We use 
PureMessage, and I recommend it.  It's extremely cusomizable (sieve 
configuration) and extensible (perl plugins).  I've never used Ironport, 
but it sure gets hyped a lot; which probably means they give a nice 
powerpoint presentation.

Jesse

Foerst, Daniel P. wrote:
> Hi Mig,
>  
> That is all very interesting to know. We have begun to preliminarily 
> look at IronPort as we are a large Cisco shop. However we have had many 
> concerns regarding the phishing exploits.
> Can anyone else speak of alternatives to IronPort that are good and 
> possibly EDU friendly? The latter isn't a prerequisite, but it would be 
> nice to know.
>  
> -dan
>  
>
> Daniel Foerst
> Manager, Networks & Security
> The Catholic University of America
> Washington, DC 20064
>
>  
>
> ------------------------------------------------------------------------
> *From:* The EDUCAUSE Security Constituent Group Listserv 
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *Mig Hofmann
> *Sent:* Tuesday, June 23, 2009 1:14 PM
> *To:* SECURITY () LISTSERV EDUCAUSE EDU
> *Subject:* Re: [SECURITY] Cisco IronPort
>
>
> We have had an Ironport for several years but have been increasingly 
> unhappy with the product's heuristics and phishing detection 
> capability.  It just let a large number of phishing emails through this 
> weeek that we feel it should have caught.
>
> We have repeatedly asked CISCO to include outside blacklist sources such 
> as Google Code and .edu related forums to better monitor phishing 
> variants but we repeatedly see new variants that get through even though 
> mentioned on these forums and blacklists.  We have to assume after 
> discussing this for over a year, that perhaps the .edu domain is not a 
> priority to them else we would expect to see these included in their 
> updates/sigs.  We have had Platinum support for a year but it has not 
> helped in this regard much as we can determine. 
>
> My understanding from talking with the prosecutors on the recent DoJ 
> case was that although CISCO was very helpful in data gathering, almost 
> no university that had an Ironport detected the type of spam the Shah 
> brothers were sending.  I'm not sure what that says about the product, 
> but unfortunately it makes it increasingly useless to us for the types 
> of activity and messages we would like to prevent getting through.
>
> Mig
>
>
> K. Mig Hofmann
> Information Security Officer
> San Francisco State University
> 1600 Holloway Avenue
> San Francisco, CA 94132
> 415-338-3018
> mig () sfsu edu <mailto:mig () sfsu edu>
> www.sfsu.edu <http://www.sfsu.edu>
>
> -----The EDUCAUSE Security Constituent Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU> wrote: -----
>
>     To: SECURITY () LISTSERV EDUCAUSE EDU
>     From: "Axworthy, Heather" <haxworthy () UMASSP EDU>
>     Sent by: The EDUCAUSE Security Constituent Group Listserv
>     <SECURITY () LISTSERV EDUCAUSE EDU>
>     Date: 06/23/2009 09:46AM
>     Subject: [SECURITY] Cisco IronPort
>
>     Hello all,
>
>      
>
>     I’d like to know if any institution out there has deployed a Cisco
>     IronPort device in their network?  Just curious as to what you think
>     about it?  Ease of use? Reporting?  Worth the money?
>
>      
>
>     Any information would be greatly appreciated.
>
>      
>
>     Feel free to reply off list.
>
>      
>
>     Thanks,
>
>     Heather
>
>      
>
>      
>
>      
>
>      
>
>      
>
>     :: *Heather Axworthy *, Lead Security Specialist
>     :: University Information Technology Services (UITS)
>     :: University of Massachusetts President's Office
>     :: 774.455.7762 Phone
>
>     :: 774.455.7733 Fax
>     :: haxworthy () umassp edu <mailto:haxworthy () umassp edu>
>
>     University of Massachusetts : 333 South St. : Suite 400 :
>     Shrewsbury, MA 01545 : www.massachusetts.edu
>     <http://www.massachusetts.edu/>
>
>      
>
>      

--
  Jesse Thompson
  Division of Information Technology, University of Wisconsin-Madison
  Email/IM: jesse.thompson () doit wisc edu

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature