Infrastructure Security Overview

Cisco IronPort Hosted Email Security
Cisco® IronPort Hosted Email Security combines best-of-breed technologies to provide the most scalable and sophisticated email protection available today. Based on the same industry-leading technology that protects 40 percent of Fortune 1000 companies from inbound and outbound email threats, Cisco IronPort Hosted Email Security allows customers to reduce their on-site data center footprint and out-task the management of their email security to trusted security experts. It provides a dedicated email security infrastructure in multiple, resilient data centers to enable the highest levels of service availability and data protection. Cisco IronPort Email Security solutions are designed to ensure the highest levels of security and availability of the hosted infrastructure – from both a physical and logical access perspective. The design spans aspects like access controls to data center buildings, processes to protect access to customer data, and the availability of the hardware infrastructure. The figure below highlights these aspects.

[Figure: the three aspects of the hosted infrastructure design – Physical Security, Data Center Uptime, and Security Operations Center Controls]

Physical Security

Physical security of the data center is the foundation of a vigilant security infrastructure. Data center security is supported by state-of-the-art surveillance systems, backed by security personnel to ensure the highest levels of physical infrastructure security.

Surveillance System

Along with Cisco's onsite presence, a digital video surveillance system provides for an automated surveillance interface. The data center deploys an active surveillance system with 24x7 officers operating the camera system using the IOU (Identify, Observe and Understand) methodology. The use of IOU increases attentiveness to the monitors and provides a superior video product for investigations. Executive team members have remote access to video via PDA and VPN laptop access.

Pan/tilt/zoom (PTZ) cameras are used on the exterior and in areas of sensitivity. All PTZs use up-the-coax protocol for immediate relocation to any current fixed camera location. All fixed cameras are high-resolution color, with auto low-light switching capable of viewing to 0.01 lux. Video is recorded at 720x240 pixels at 15 IPS upon motion or 30 IPS upon operator command. Most video channels synchronously record audio. All video is archived in M-JPEG format for a minimum of 90 days; video is retained for approximately 100 days.

Access Control/Intrusion Detection

All entrances are centrally monitored 24x7x365. They include detection devices and access control, and can be independently viewed by fixed cameras. Exterior access points are kept to a minimum, and (in most cases) only one door at each facility can be used for entry or exit. The exterior doors were designed and installed for additional protection, constructed of 12 gauge stainless steel and strapped by ¼" aluminum. These doors lead into specially-engineered mantraps. Additionally, the mantraps are fitted with a minimum of one fixed camera and audio surveillance of the space. All access points off the mantrap require the additional biometric authentication of the card holder and mantrap relay logic.

Data Center Uptime

The figure on page 3 describes the architecture of the Cisco IronPort Hosted Email Security solution. Highlights of this solution include:
1. Geographically-diverse data centers for disaster recovery
2. SAS 70 Type II certified data centers
3. Network connectivity, power, cooling and bandwidth redundancy within each data center
4. Bandwidth to process up to 20 Gb/sec of network traffic

Data Center Uptime (continued)

Cisco IronPort Hosted Email Security employs multiple SAS 70 Type II data centers in an active-active deployment architecture. By pointing multiple MX records to these data centers, the solution provides email continuity even in the event of an unforeseen disaster at one of the data centers. The architecture, which includes multiple data centers, ensures the highest level of availability for the Cisco IronPort Hosted Email Security service.

[Figure: Cisco IronPort Hosted Email Security Data Center Architecture. Shown for each of Data Center 1 and Data Center 2: Internet and MX entry, ISP Fiber Entrance #1 and #2, Utility Power Entrance #1 and #2, Large Access Routers, Distribution Switches, POD Switches, Multiple UPS Systems, Generator #1 and #2, cooling via Outside Air (Air Exchange), Chilled Water (Chilled Towers), Swamp Cooling (Utility Water) and Freon, and the Email Security Infrastructure.]

Each of the data centers has multiple levels of redundancy built into the infrastructure. The first is the network infrastructure, which has multiple carrier-grade access routers, distribution switches and POD switches – ensuring that there is no single point of failure. To prevent failure and ensure connectivity in the event of an unexpected incident which impacts one of the inputs, the data centers utilize two separate fiber inputs that are physically separated. Additionally, these data centers have the bandwidth capacity to process up to 20 Gb/sec of network traffic. Behind this highly-redundant networking infrastructure, the solution employs multiple dedicated Cisco IronPort email security appliances that are used for mail processing, reporting, tracking and more.

The data centers are designed with the most advanced designs for space and power in the industry. They have 100 percent power availability, delivered via a very sophisticated power grid architecture that includes primary power circuits and failover power connections, both of which come from two completely separate N+2 power systems. Each of these systems has separate UPS batteries, generators, PDUs and RPPs, and power is delivered to each rack via color-coded receptacles. This ensures consistent uptime for the email security infrastructure that is plugged into the system.

Most data centers today are faced with severe issues resulting from improper management and control of equipment-generated heat.
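The MX-record continuity described above, as an added example that is not part of the Cisco document: the zone data and host names are constructed (the .invalid domain is reserved and never resolves), the "dcN" label convention for identifying a data center is an assumption made for the example, and the reachability callback stands in for the SMTP connection attempt a sending mail server would make. It generalizes the two-data-center case to any number of MX records, ordering them the way a sender does under RFC 5321 (lowest preference number first, equal preferences as one tier), and includes a check that the record set really spans more than one site.

```python
"""Added example: how multiple MX records keep mail flowing when one data
center is lost.  Record data and host names are constructed for illustration;
the '.invalid' TLD is reserved and never resolves, so nothing here touches a
real mail system."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class MXRecord:
    preference: int  # lower number is tried first (RFC 5321, section 5.1)
    exchange: str    # inbound mail host located in one data center


# Constructed zone for a hypothetical customer domain.  Two records with equal
# preference form an active-active tier; the record with the higher number is a
# backup that senders use only when the whole tier is unreachable.
EXAMPLE_MX: List[MXRecord] = [
    MXRecord(10, "mx.dc1.example.invalid"),
    MXRecord(10, "mx.dc2.example.invalid"),
    MXRecord(20, "mx.dc3.example.invalid"),
]


def site_of(exchange: str) -> str:
    """Assumed naming convention for this example only: the second label of
    the host name identifies the data center ("dc1", "dc2", ...)."""
    return exchange.split(".")[1]


def delivery_order(records: Iterable[MXRecord]) -> List[str]:
    """Hosts in the order a sending MTA attempts them.  Records are grouped
    into tiers by preference; every host in a tier is tried before any host
    with a higher number.  A real MTA randomizes within a tier; sorting by
    name inside the tier keeps this example deterministic."""
    return [r.exchange for r in sorted(records, key=lambda r: (r.preference, r.exchange))]


def deliver(records: Iterable[MXRecord],
            reachable: Callable[[str], bool]) -> Tuple[Optional[str], List[str]]:
    """Walk the MX list until one host accepts the connection.  Returns the
    host that took the message (None if every data center is down) and the
    hosts that were attempted, in order.  `reachable` stands in for the
    TCP/SMTP connection attempt a sender would make."""
    attempted: List[str] = []
    for host in delivery_order(records):
        attempted.append(host)
        if reachable(host):
            return host, attempted
    return None, attempted


def spans_multiple_sites(records: Iterable[MXRecord]) -> bool:
    """Continuity only exists if the MX set actually points at more than one
    data center; records that all land in one site leave a single point of
    failure no matter how many entries the zone has."""
    return len({site_of(r.exchange) for r in records}) > 1


def simulate_outage(records: Iterable[MXRecord],
                    down_sites: Iterable[str]) -> Tuple[Optional[str], List[str]]:
    """Deliver with every host located in one of `down_sites` unreachable."""
    down = set(down_sites)
    return deliver(records, lambda host: site_of(host) not in down)


if __name__ == "__main__":
    print("MX set spans multiple sites:", spans_multiple_sites(EXAMPLE_MX))
    for lost in ([], ["dc1"], ["dc1", "dc2"], ["dc1", "dc2", "dc3"]):
        host, tried = simulate_outage(EXAMPLE_MX, lost)
        print(f"sites down={lost or 'none'}: delivered to {host}, attempted {tried}")
```

Running the script walks through the four outage scenarios: with both active-active sites up the first tier host accepts the message; losing dc1 costs one failed attempt before dc2 accepts; losing both active sites falls through to the backup tier; and only the loss of all three sites leaves mail undeliverable, which is the case the sender's queue-and-retry behaviour covers.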

Data Center Uptime (continued)

As server densities have increased, the demand on cooling systems has grown significantly. Each data center facility has enough primary and backup cooling to ensure that the heat generated by the email security infrastructure is appropriately dissipated, and ample backup cooling is available in case of a failure with one of the cooling systems. The cooling infrastructure is delivered through Freon, swamp, chilled water and outside air mechanisms. Specifications of the infrastructure at work in powering the data center are listed below.

1. Power Specifications
- 17 kilowatts of power and cooling per rack
- 120/208V AC and -48V DC available
- True A/B power feeds
- Voltage output 480 V transformed to 120/208 V
- -48 Volt DC battery plant: 1200 amp, expandable to 10,000 amp
- UPS backup power: 2-hour battery reserve non-redundant, 4 hours redundant
- 100% generator backup; generator capacity designed to multiple 1 to 2 megawatt generators
- Generator both auto start and auto transfer, with isolation bypass feature on the automatic transfer switch
- Size of fuel tank 1,000 to 2,000 gallons; minimum 24-hour run time fuel capacity; two-hour response for fuel delivery
- In the event of a power interruption, HVAC systems (and the entire facility) operate on diesel generators
- Grounding in accordance with NFPA 70

2. Environmental Controls
- Under-floor cooling provided by computer-room grade equipment
- Temperature maintained at 72 degrees F dry bulb at ASHRAE 1%
- 30% to 60% humidity, non-condensing
- Humidity control delivered through ATS/Liebert units via infrared humidifier
- Cooling not less than 200 BTU/h per square foot with N+1 redundancy

Security Operations Center

The Cisco Security Operations Center (SOC) is run by the Cisco Remote Operations Services (ROS) organization. In order to ensure a world-class level of security oversight, the Cisco SOC uses a layered approach to security, processes and tools. This helps deliver peace of mind to Cisco customers, as well as the highest level of secure service delivery standards.

[Figure: Cisco Security Operations Center / Help Desk]

1. Network Security
With a combination of security devices and applications, intrusion detection systems (acting as sensors) are strategically placed throughout the network to monitor traffic and detect security events, monitoring the traffic between the service delivery network and customer networks for suspicious or malicious patterns. Detected events are managed by the Cisco Security Management Service. A security event manager provides event and threat correlation of the security devices throughout the service delivery network. Additional layers include multiple firewalls to control inbound access to Cisco ROS, adding to a defense-in-depth design. Intrusion detection is used at various points within the network. Digital certificates are used to secure access to customer web portals and systems that require both internal and external access.

2. Systems Security
Cisco ROS uses multiple controls to ensure the security of managed systems. These include both physical controls and vulnerability detection scans. Access is granted based on a business need. This strategy allows users to only access information that is legitimate to their purpose (least privilege). Cisco ROS implements continual management and internal auditing of employees.

a. Physical Controls
Cisco provides photo identification to all employees and contractors, which must be worn visibly within the building. All visitors must obtain a visitor's badge and be escorted within the building. Corporate space is also controlled, requiring proper badge access to enter. Entrances to controlled data centers and wiring closets are accessible only from internal corporate space. Video cameras are located at each building entry and are monitored and managed by the 24x7 Security Facilities Operation Center. Primary power to the facility is provided by the local utility. Backup power is provided to critical areas by standby UPS systems and generators. Backup power systems are routinely checked and tested; preventive maintenance is performed quarterly and full load tests are conducted annually.

b. Vulnerability Scans
The Cisco ROS service delivery network is routinely scanned to assess risks and vulnerabilities. Results from these assessments are used to create internal IT incident cases for necessary remediation.

Security Operations Center (continued)

3. Human Controls
Information security, and the protection of informational assets and intellectual property, begins with awareness and education. Human controls are becoming an important aspect of data center security. To develop and preserve a culture of security, successful organizations recognize that responsibility and accountability reside with all employees. At Cisco, the executive team has embedded security into corporate initiatives and its code of business conduct, and employees are assimilating security in their daily activities. With employees educated about the importance of security awareness throughout the organization, everyone works together toward the common goal of keeping the company (and its partners and customers) secure.

Cisco ROS has a number of different controls in place that help ensure customer data security. The aim for these controls is to protect customer data against security threats that may arise from within the service provider. Additional human controls utilized by Cisco ROS include:

a. Change Control
Change control is critical to the operation of any IT environment and to Cisco ROS service delivery teams. Cisco ROS change control is a partnership with customers to establish proper authorization for requesting, scheduling, implementing and validating all changes within the customer environment. Job descriptions outline roles and responsibilities within Cisco ROS, and the rule of least privilege is applied to ensure proper access to customer networks and information. Cisco conducts background screenings as part of the hiring process for all full-time and contract employees.

b. Auditing and Testing
Cisco ROS employs a five-step process to mitigate exposure to network-based threats. This process includes utilizing a defined security policy, monitoring for policy violations, assessing compliance, and routinely testing the policy to minimize exposure. The final step includes a routine overview of all identified threats and exposures to improve the overall security of the network.

Conclusion

Cisco IronPort Hosted Email Security is backed by state-of-the-art data centers that enable the highest available physical, utility and data redundancy under one roof. The support of the Cisco Security Operations Center provides an additional layer of security, ensuring secure service delivery. Through these means, Cisco is able to offer the highest levels of service availability and data protection.

Americas Headquarters: Cisco Systems, Inc., San Jose, CA. Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore. Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands. Cisco has more than 200 offices worldwide; addresses, phone numbers, and fax numbers are listed on the Cisco website. P/N 435-0255-1 6/09 (0809R)
