I’ve just been introduced to Cisco Umbrella now even though I’ve heard the name before, I haven’t actually tried it yet until now. Umbrella comes from the OpenDNS Business purchase that Cisco did a while back, and is essentially a service to secure traffic trough proxying DNS requests. So in essence it is to setup clients to use the public Umbrella DNS servers which are 126.96.36.199 & 188.8.131.52 where we have a set of policies which define what end-users are allowed to access or not.
So when you access your favorite website or newspaper online or such your computer will do 20+ DNS requests where their are different 3.party ads or other content which needs to be rendered inside the browser session which you don’t actually see. What if one of these domains actually contain malware or some form of bitcoin mining JS code? That is kind of hard to know, there has of course been traditional ways to handle and securing web traffic which has been using a forward web proxy where all traffic is forwareded trough a network appliance, but this doesn’t scale to that degree and has some implications for remote workers. This might also place a bottleneck on your proxy since all layer 7 traffic is tunneled trough it. Umbrella works on a smart level since it only checks the DNS requests a client has and makes sure that the domain does not fall into a category that is blocked in a policy. If there is a domain that Umbrella finds suspicious it will do a more in-depth analytics of the content it provides.
Umbrella can either be deployed using Umbrella virtual appliance utilized as conditional DNS forwarders on your network, Virtual Appliances record the internal IP address information of DNS requests for usage in Reports, also the VA provide more granular control.
Or you can also just point the DNS servers to the umbrella DNS servers or use the lightweight client which can be installed on endpoints and protect remote workers.
So what about when malware authors do hardcoded downloads that point to an IP address instead of DNS name? Umbrella also has a IP Layer Enforcement which works at IP level to detect suspicious addresses. The Umbrella roaming client retrieves a list of suspicious IP addresses from Umbrella Cloud Services, and automatically checks again for any new IP addresses several times an hour from the Umbrella API, but again most services are in different tiers of Umbrella (http://bit.ly/2B2hh2k)
The UI is pretty slick and simple to configure where we can define block and allow lists also just specify categories which domains should be allowed/blocked. For instance it blocks Malware based domains which is a list maintained by Cisco.
So when an end-user browses to an external website which is blocked by Umbrella, they will get this 302 redirect message instead. This is because that the domain is blocked and the DNS request will route the enduser to a Cisco website instead.
Umbrella is a really cool interesting product which can enforce alot of security on endpoints without an “hit” to the end-user experience, however you need to be aware of that Umbrella is not intended to enforce data loss prevention policies, which address compliance concerns due to accidental disclosure of company or customer data, and is not intended to completely replace a firewall, which is designed to secure both internal and external network connections.