In the diagram, endpoints send their DNS queries to Cisco Umbrella. If the destination is known to be malicious, Cisco Umbrella answers the DNS query with the IP address of a block page, so the connection to the malicious destination is never made. This fragment is based on the Cisco Learning Library, interactive online course materials: Introducing Cloud Consumer Security (SECICC) v1.0
Cisco Umbrella is a DNS-based security mechanism that provides a common layer of endpoint security for both on-premises and off-premises users. Cisco Umbrella on-premises deployments do not require an agent to be installed on the endpoint.
The Intelligent Proxy component of Cisco Umbrella inspects the content of the destination, examines ASN and domain relationships for association with previously seen malware, looks for cryptographically generated domain names, and takes other steps to issue a disposition on the web destination.
Cisco Umbrella routes only the risky/unknown connections through its cloud-based Intelligent Proxy for deeper inspection of the traffic. It does this by answering the DNS request with the IP address of the Intelligent Proxy instead of the destination's real address.
Traditionally, blocking web content at the URL level requires proxying all web connections, which adds complexity and negatively impacts performance. With Cisco Umbrella, safe connections are allowed and malicious requests are blocked at the DNS layer. Only requests to risky/unknown domains are routed for deeper URL inspection by cloud-based web security and for file inspection by anti-virus engines and AMP. Because the Intelligent Proxy handles only this subset of traffic, users do not experience slow or broken internet access. Cisco Umbrella's Intelligent Proxy also supports SSL decryption and inspection.
Cisco Umbrella is powered by Cisco Talos threat intelligence, so Umbrella understands the global threat map, which includes more than 19 billion daily detected threats. Cisco Umbrella also understands the relationships between many different internet identities, for example the correlation between Autonomous Systems and domain names.
An example of a security intelligence feature that Cisco Umbrella provides is top-level-domain (TLD) geolocation validation. If a client sends a request for http://www.example.us, and the .us TLD is registered through ARIN in North America, then Umbrella expects the resolved IP address to fall within an ARIN block. If the resolved IP address is instead from South America, Umbrella can flag this anomaly and block the connection.
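As an added example (not code from the SECICC course or from Cisco), the following Python models the DNS-layer decision described above together with the TLD geolocation check: a known-malicious domain is answered with the block page address, an unknown domain with the Intelligent Proxy address, a safe domain with its real record, and a safe .us name whose answer falls outside the registry block expected for its TLD is flagged and blocked. All addresses, dispositions and registry blocks are constructed sample values.

```python
import ipaddress

# Constructed sample addresses for the simulation (RFC 5737 test ranges),
# not Umbrella's real block-page or proxy addresses.
BLOCK_PAGE_IP = "192.0.2.10"
INTELLIGENT_PROXY_IP = "192.0.2.20"

# Constructed dispositions standing in for the Talos-backed intelligence.
DISPOSITIONS = {
    "www.example.com": "safe",
    "malware.example.net": "malicious",
    "www.example.us": "safe",
}

# Constructed answers the upstream authoritative DNS would return.
UPSTREAM_A = {
    "www.example.com": "198.51.100.5",
    "www.example.us": "203.0.113.77",
}

# Expected regional registry per TLD and a constructed, tiny allocation
# block per registry; real registry allocations are far larger.
TLD_REGISTRY = {"us": "ARIN", "br": "LACNIC"}
REGISTRY_BLOCKS = {
    "ARIN": [ipaddress.ip_network("198.51.100.0/24")],
    "LACNIC": [ipaddress.ip_network("203.0.113.0/24")],
}

def tld_geolocation_anomaly(domain, ip):
    """True when the resolved IP lies outside the registry expected for the TLD."""
    registry = TLD_REGISTRY.get(domain.rsplit(".", 1)[-1].lower())
    if registry is None:
        return False  # no regional expectation for this TLD
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in REGISTRY_BLOCKS[registry])

def resolve_with_policy(domain):
    """Return (verdict, answer IP) for one DNS query decided at the DNS layer."""
    disposition = DISPOSITIONS.get(domain, "unknown")
    if disposition == "malicious":
        return "blocked", BLOCK_PAGE_IP  # client lands on the block page
    if disposition == "unknown":
        return "proxied", INTELLIGENT_PROXY_IP  # steer to deeper URL/file inspection
    answer = UPSTREAM_A[domain]
    if tld_geolocation_anomaly(domain, answer):
        return "blocked", BLOCK_PAGE_IP  # geolocation anomaly, as in the .us case
    return "allowed", answer  # safe: normal resolution, no proxy involved
```

The four verdicts correspond to the four paths traffic can take: direct, block page, Intelligent Proxy, or block page after a geolocation anomaly.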
Deploying Cisco Umbrella
The elegance of Cisco Umbrella is that it can be deployed at scale in minutes, simply by updating the DNS server settings wherever clients obtain them: on the DHCP server or DHCP scope, the firewall, the router, the local endpoint, or anywhere else a client retrieves its DNS server settings.
For an on-network deployment that still needs to resolve internal domain names, Cisco Umbrella deployment can be as simple as configuring the organization's internal DNS server to forward all external DNS requests to the Umbrella Anycast addresses (208.67.220.220 and/or 208.67.222.222 for IPv4, or 2620:0:ccc::2 and/or 2620:0:ccd::2 for IPv6).