Michael Wilbur and Robert Irving of St. Clair County Community College in Michigan use a Cisco IronPort appliance to control phishing scams and malware. 

Jun 09 2011

Lock It Down

Cisco's IronPort eases security woes for St. Clair County Community College.

Cisco's IronPort eases security woes for St. Clair County Community College.

July 2011 E-newsletter

Lock It Down

Play It Safe with DLP

Understanding Endpoint DLP

M86 Secure Web Gateway

By the spring of 2010, the IT professionals at St. Clair County Community College (SC4) knew they had to find a way to better control e-mail spam. The grumbling of users was getting louder and louder as their inboxes became clogged with unwanted messages, some of which potentially posed serious threats to the college's networks. By November, SC4 had implemented a Cisco IronPort C160 e-mail security appliance that was stopping tens of thousands more junk and malware-carrying messages than the filtering technology it replaced.

“The tipping point for us was the rising volume of noise from the user community,” says Michael Wilber, technology director for the college, which serves about 9,000 students on its 25-acre campus in Port Huron, Mich.

“We had been using the same e-mail security technology for about 10 years, and we began to notice that whenever new spam attacks came through, the old filter wasn't defending against them very quickly. We wanted something that provided more accurate filtering, especially to block phishing scams and malware.”

The college provides Microsoft Exchange e-mail to full-time and adjunct faculty, as well as to full- and part-time students, which adds up to between 10,000 and 12,000 active accounts at any given time.

The need to implement the best technology available was crucial, especially considering the difficulties inherent in setting and enforcing strict security policies in a community college setting, says CIO David Buck. Students are not typically focused on network security, and SC4, like most community colleges, relies heavily on part-time adjunct faculty who often miss security notifications.

“Adjunct instructors also use their college accounts pretty loosely, often as throwaway accounts,” Buck says. “We don't get to be quite as assertive in our security policy enforcement as is possible in business. We have to convince the users to do the right thing. We do everything we can think of to enforce good behavior, but we really need good technology to back it up.”

Finding the Solution

Before deciding on the IronPort appliance, the SC4 staff researched products from several other manufacturers, soliciting demonstrations and manufacturer presentations, including one from a hosted solution. They also met with security specialists from CDW•G to discuss the college's needs and to explore their technology options. Besides wanting the most effective technology that fit within the budget, SC4 was looking for a product that worked with all types of e-mail servers and with the rest of the school's IT infrastructure, says Wilber. Ease of management and implementation were also important, mainly to reduce the burden on SC4's 10-person IT staff.

Other priorities were reliable vendor support and finding a solution that included features that the college did not necessarily need at once, but that promised capabilities for the future, Wilber says.

IronPort's proven effectiveness in other higher education settings weighed heavily in the ultimate choice of the Cisco appliance, says Wilber. SC4 contracts out its IT operation to SunGard Higher Education, which provides the staff with a ready-made network of peers on other college campuses, he says.

“We noticed that a lot of other higher education sites were using Cisco IronPort, and the feedback from those places was all good – and it was the same from some other colleges in the area that were also using IronPort,” he says.

Like most other spam-filtering appliances, the IronPort C160 uses web reputation filtering as its first line of defense against unwanted or malicious e-mail. Reputation filtering is based on the known history of any web address as a source of spam. Reputation scores are derived from monitoring networks and identifying the spam traffic traveling over them, which is how Cisco claims an edge. According to the vendor's statistics, its monitoring system collects e-mail and web traffic data from more than 120,000 networks worldwide, which is several times more than any competitor. The vast relative size of Cisco's monitoring sample does translate into more accurate reputation scores, says Gartner analyst Peter Firstbrook.

“It's a corollary of Metcalfe's Law, which says the value of a network goes up in proportion to the number of nodes on the network,” he says. “In this case, the quality of the reputation scores goes up with the number of networks monitored, and Cisco has the largest population of networks.”

IronPort's reputation filtering is designed to block up to 80 percent of incoming spam at the connection level, which saves bandwidth and network resources by reducing the number of quarantines made by the system.

Looking for a Management Advantage

Unlike SC4's old e-mail security technology, which required separate appliances to filter inbound and outbound messages, the IronPort C160 consolidates both functions in a single unit, streamlining monitoring and management. Because the college maintains live and backup e-mail security systems, the switch to C160 meant the IT staff had to support only two appliances rather than four.

The IronPort Centralized Management feature lets the IT staff automatically duplicate the configuration of the primary appliance to the backup device. This saves the administrators time and ensures glitch-free recovery in the event of an equipment or power failure.

Both the C160s can be managed through a single console, through which the IT staff can monitor traffic and fine-tune the restrictiveness of the e-mail filter in response to user feedback and emerging threats.

“Now, if I want to track a message, I only have to log in to one interface instead of trying to find it across two appliances,” says network administrator Robert Irving.

While SC4 staff chose the IronPort C160 primarily to control spam traffic, the appliance's built-in engines for integrating either Sophos and McAfee antivirus technologies represented an important feature, says Irving.

“That flexibility increases your network security options, which is important because the threats change,” he says.

The Cisco appliance also offers an initial layer of protection with its IronPort Virus Outbreak Filters, which identify and quarantine suspicious messages until signatures are released by the traditional antivirus vendors.

The IronPort C160 also includes features such as e-mail encryption and data loss technology that let administrators set policies governing what information can be included in outbound messages. SC4 has yet to use those capabilities, as the staff is considering how best to implement them at the school, but the features are “exciting,” says Wilber, and played a part in the buying decision because Cisco was the only manufacturer to offer them at the college's price point.

“You want some bells and whistles that will allow you to do some extra things in your environment later,” he says. “Buying premium products and services lets you think about what other technology you can bring to the campus.”

According to Gartner's Firstbrook, features like encryption and data loss prevention are becoming increasingly important as organizations turn their attention to protecting the content of messages sent by legitimate users.

“The filtering technology of products like the Cisco IronPort has reached the point that most people don't get much spam in their mailboxes anymore,” he says. “Now organizations are looking to solve other problems with their e-mail.”

Seeing the Benefits

Wilber gives most of the credit to network administrator Irving for a “flawless” implementation of the IronPort.

“Because of our particular environment, we had several servers and services relaying off the old security solution, using it as a relay, so it was a critical piece of infrastructure,” he says. “[Irving] worked with all the different teams here to make sure their messages were being relayed.”

Preparation is one of the real keys to implementing the IronPort, says Irving. He took his time researching the best way to deploy the C160, consulting with CDW•G tech support and the manufacturer before he took the technology live.

“It was two weeks of research and configuring, and then about 10 minutes to get it up and running,” he says.

The benefits for users showed up pretty quickly as well. SC4's old technology rejected roughly 90 percent of the messages coming into the college network, Wilber says. In a 30-day period soon after the installation, the IronPort blocked 93.7 percent of the 1.9 million e-mail messages aimed at college accounts. That means the IronPort stopped 70,000 to 80,000 pieces of spam that would previously have landed in user inboxes.

“Besides the threat posed by those e-mails if they carry some sort of malware, you have to think about the user time and bandwidth saved,” Wilber says.

And end users have clearly noticed, says Buck. “We used to get 5 to 10 complaints each week about unwanted messages,” he says. “Now we get maybe one a month.”

In addition to improving e-mail security, the IronPort C160 has made life easier for the IT staff as well. The consolidation onto fewer security appliances was a real advantage, Wilber says.

“Now we use less power in the data center, less real estate in the data center, less strain on our cooling systems, and we can manage everything from one console with the IronPort,” he says.

Performance Value

The two IronPort units together cost approximately $70,000, a substantial expenditure for a public community college, but in line with the IT department's purchasing philosophy, Wilber says.

“Cost is always an issue for us, but we always ask what is the best solution for the user community,” he says. “The goal has to be delivering technology to the campus that's going to work out for the users.”

CIO Buck acknowledges that the IT budget is “extremely challenging” when the school considers technology purchases, but adds that the expertise of his staff gives the department extra latitude in buying decisions.

“We looked at comprehensive security suites before we selected the IronPort, but they were on the pricey side for us,” he says. “We have the advantage of having a staff that's above average in technical skills that allows us to be a best-of-breed shop. They can perform the integration necessary, and they know how to exploit the best features of the technology.”

But no matter how much confidence the IT staff has in the technology and how effectively it's being exploited, educating the user community remains a crucial element of spam control, Irving says.

“If an attack gets through, you want your users to know not to answer that phishing scam by going to a web site or giving their credentials,” he says. “You want them to know not to open malware and to report URLs for blacklists. We spend a lot of time trying to communicate best practices to our users.”

For Buck, good security is a balancing act that can be compromised by either settling for the cheapest technology solution, or depending on premium technology and ignoring the role of policies and communicating with users.

“You go with the best technology you can afford, and then you work to get user buy-in on the things they need to do to keep their information and the network safe,” he says.

Outbound Alert

Colleges and universities have transient user populations who are often not particularly attuned to security. That's why IT managers at institutions should always remember that malicious e-mail traffic travels on a two-way thoroughfare, says Gartner analyst Peter Firstbrook. Many of the most malicious spammers are phishing, trying to fraudulently gather sensitive information by impersonating trusted senders, such as the college's IT staff.

“Spammers typically send out a spoof e-mail to everybody at a school saying they want to check the strength of passwords and telling people to enter the password in a box,” Firstbrook says. “They'll get a couple hundred responses, and they get network credentials. Then they use the college or university system to spam other people.”

Because most antispam systems are reputation-based and colleges generally have good reputations on the Internet, the spam initially gets through to its target recipients. But invariably, the reputation of the college's domain name runs into trouble. Firstbrook says once the college domain is blacklisted among the Internet security services, the IT staff has to contact the services to explain what happened to preserve legitimate e-mail service from the school. Unfortunately, says Firstbrook, spammers know the process and will respond with another volley of spam from the college system.

“It gets a lot harder to get off of the blacklists once you start spamming a couple of times in a row,” he says. “It's a bad situation. The spammers have gotten the use of the reputation and the college's e-mail service is compromised.”

The answer to the threat is making sure outbound mail is inspected and filtered with as much care as the traffic coming in, says Firstbrook.

“You have to make sure that nobody in your environment is sending out spam, wittingly or unwittingly,” he says.

As a best practice, colleges should use rate shaping, which limits the number of e-mail messages that can be sent from an account over a specified period, says Firstbrook. The system should generate an alert to an account that exceeds the limit, notifying the user that it may be infected.

“Rate shaping will detect instances of legitimate mass mailings – say, from a professor to students, but you can always change the allowable rate on that account,” he says. “You want to know and take steps if your environment is being used by a spambot.”

<p>Paul Howell</p>