Cisco's IronPort Hunts for Encrypted Security Threats

The update to the IronPort S-Series Web Security Appliance adds several new features, including selective HTTPS scanning, which opens suspicious encrypted traffic to scanning while keeping legitimate traffic private.

Typically, network security devices do not have visibility into encrypted HTTPS traffic, making a blind spot in many businesses' security strategies. That creates a means for malware writers to cloak their security threats, said Tom Gillis, senior vice president of worldwide sales and marketing at IronPort, San Bruno, Calif.

"If you're a malware writer, it's easy to create a site that looks like a regional bank. For most network providers, even if they can decrypt HTTPS traffic, they won't decrypt that session because it's supposed to be private," Gillis said. "We add reputation awareness, looking at how long the server has been up, how much content it serves, the country of origin, the DNS setup. The classification doesn't matter. We can make an assessment based on trustworthiness."

Another new feature is multi-vendor signature scanning. IronPort's Dynamic Vectoring and Streaming engine uses reputation data to push content through a multi-vendor signature-based scan when needed. Now the vendor has added support for anti-spyware signatures from Webroot as well as anti-spyware and anti-virus signatures from McAfee.

"With the S-series being built on both signatures as well as reputation filtering, spyware is caught at a much higher rate than standard signature-based engines," said David Tompkins, managing partner at Dallas-based solution provider GalaxyTech, via e-mail.

IronPort's Gillis said customers can choose between Webroot and McAfee or use both of their signatures, estimating that 90 percent of the market uses more than one scanning vendor.

The new features will be available in December as part of a new software release, Gillis said.

Cisco, San Jose, Calif., completed its acquisition of IronPort in June.