Umbrella

  1. Umbrella
  2. Licenses
  3. Virtual appliance
  4. Roaming client
  5. Intelligent proxy
  6. File inspection
  7. Policy
  8. Umbrella Investigate

Umbrella

  • recursive DNS
  • anycast: 208.67.220.220, 208.67.222.222
  • action
    • permit
    • block: redirects to block page
    • proxy
  • deployment
    • via network: DHCP option, local DNS settings, virtual appliance
    • roaming client: standalone module, AnyConnect module, Cisco Security Connector (iOS)
    • hardware integration: ISR, WLC, ASA/FTD; HW acceleration, provides VA-like functionality (identity forwarded with the queries)
  • can enforce SafeSearch on search-engine queries
  • a domain entered in the GUI implicitly covers all of its subdomains (as if a wildcard had been added)
  • dynamic IP updater: client software that keeps the network's registered egress IP current when the ISP assigns it dynamically

Licenses

  • licensed by number of users
  • tiers
    • DNS Security Essentials
      • DNS protection
      • AnyConnect and standalone client
      • integration with Cisco Threat Response
    • DNS Security Advantage
      • block direct IP access
      • selective proxy: unknown domains only
      • SSL decryption
      • Umbrella Investigate
    • Secure Internet Gateway
      • full proxy
      • ThreatGrid sandbox
      • retrospective events
      • L3/L4 cloud firewall (IPsec connection)
      • CASB

Virtual appliance

  • VM
  • conditional DNS forwarder
  • forwards queries for external domains to Umbrella; internal domains are defined manually and forwarded to the local name servers
  • extended DNS (EDNS) for transmission:
    • device ID (VA)
    • organisation ID
    • requestor internal IP: PAT visibility
  • encrypts and authenticates DNS traffic to Umbrella (UDP 53)
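
The EDNS part above is worth seeing on the wire. Below is an added example for these notes (not Cisco's code): it builds a DNS query whose EDNS0 OPT record carries a device ID, an organisation ID and the requestor's internal IP, then parses the same query back the way the Umbrella side would attribute it. The two device/org option codes (65001, 65002) are assumed values from the private-use range; the internal IP is carried in the standard EDNS Client Subnet option (code 8, RFC 7871), which is an assumption about how such an address could be encoded, not a statement of what the VA actually uses.

```python
"""Build and parse a DNS query whose EDNS0 OPT record carries per-client identity
(device ID, organisation ID, requestor's internal IP). Example for the notes on
the Umbrella virtual appliance; the option codes for device/org ID are assumed."""
import ipaddress
import struct

OPT_DEVICE_ID = 65001      # assumed code (EDNS private-use range 65001-65534)
OPT_ORG_ID = 65002         # assumed code
OPT_CLIENT_SUBNET = 8      # EDNS Client Subnet, RFC 7871 (a real, registered code)


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("!B", len(raw)) + raw
    return out + b"\x00"


def _decode_name(buf: bytes, off: int):
    """Decode an uncompressed name (queries we build never use pointers)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off


def build_query(qname: str, device_id: bytes, org_id: int, client_ip: str,
                txid: int = 0x1234) -> bytes:
    # header: RD set, 1 question, 0 answer, 0 authority, 1 additional (the OPT RR)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    ip = ipaddress.ip_address(client_ip)
    family, prefix = (1, 32) if ip.version == 4 else (2, 128)
    ecs = struct.pack("!HBB", family, prefix, 0) + ip.packed   # source prefix, scope 0
    options = b"".join(
        struct.pack("!HH", code, len(data)) + data
        for code, data in (
            (OPT_DEVICE_ID, device_id),
            (OPT_ORG_ID, struct.pack("!I", org_id)),
            (OPT_CLIENT_SUBNET, ecs),
        )
    )
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0, len(options)) + options
    return header + question + opt


def parse_query(pkt: bytes) -> dict:
    """Return qname plus whatever identity the OPT record carries."""
    _txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    qname, off = _decode_name(pkt, off)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    result = {"qname": qname, "qtype": qtype, "options": {}}
    for _ in range(ar):                      # only the additional section matters here
        _name, off = _decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != 41:
            continue
        result["udp_payload_size"] = rclass
        p = 0
        while p < len(rdata):
            code, ln = struct.unpack("!HH", rdata[p:p + 4])
            p += 4
            data = rdata[p:p + ln]
            p += ln
            if code == OPT_DEVICE_ID:
                result["options"]["device_id"] = data.hex()
            elif code == OPT_ORG_ID:
                result["options"]["org_id"] = struct.unpack("!I", data)[0]
            elif code == OPT_CLIENT_SUBNET:
                family, prefix, _scope = struct.unpack("!HBB", data[:4])
                raw = data[4:]
                addr = (ipaddress.IPv4Address(raw.ljust(4, b"\x00")) if family == 1
                        else ipaddress.IPv6Address(raw.ljust(16, b"\x00")))
                result["options"]["client_ip"] = f"{addr}/{prefix}"
    return result


if __name__ == "__main__":
    pkt = build_query("example.com", bytes.fromhex("0a0b0c0d"), 12345, "10.1.2.3")
    print(parse_query(pkt))
```

Everything in the OPT record is plaintext in the UDP datagram, which is why the VA also encrypts and authenticates the hop to Umbrella: without that, anyone on the path can read or forge the device and organisation identity.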

Roaming client

  • registers itself as the system's only name server, listening on 127.0.0.1:53 and [::1]:53
  • no IPv6 support on macOS
  • encrypts and authenticates DNS requests to Umbrella (DNSCrypt, UDP 443)
  • uses EDNS

Intelligent proxy

  • handles only TCP 80 and 443
  • proxies only destinations Umbrella classifies as risky/unknown (neither known-good nor known-malicious); everything else resolves and connects directly

File inspection

  • requires the intelligent proxy (web proxy)
  • scans with AV engines and AMP: a file is treated as malicious if at least one engine flags it
  • only files no engine flagged are delivered to the client

Policy

  • an allow-list (whitelist) entry takes precedence over a block-list (blacklist) entry for the same destination
  • default policy: permit everything except destinations in malicious (security) categories
  • allow-only mode: whitelist policy, anything not on the allow list is blocked
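
The policy rules above, together with the implicit-subdomain matching of GUI entries and the permit/block/proxy actions from the first section, fit in a small evaluator. The following is an added example written for these notes, not Cisco's implementation: the category table is constructed, the precedence order is the one the notes describe (allow list first, then block list, then allow-only mode, then security categories), and the "risky" category standing in for unknown/grey destinations is an assumption.

```python
"""Toy model of Umbrella DNS policy evaluation (example for these notes, not
Cisco's code). Rules encoded: a destination-list entry covers its subdomains;
allow list beats block list; allow-only mode blocks anything not allow-listed;
malicious categories are blocked by default; risky/unknown destinations are
proxied when the intelligent proxy is enabled. Category data is constructed."""
from dataclasses import dataclass, field


def domain_matches(entry: str, qname: str) -> bool:
    """'example.com' covers example.com and every subdomain, but not
    'notexample.com' (the implicit wildcard is label-aware)."""
    entry = entry.lower().strip(".")
    qname = qname.lower().strip(".")
    return qname == entry or qname.endswith("." + entry)


def in_list(dest_list, qname: str) -> bool:
    return any(domain_matches(entry, qname) for entry in dest_list)


# constructed stand-in for Umbrella's security categorisation
CATEGORIES = {
    "bad.example.net": "malware",
    "login-update.example.org": "phishing",
    "newcdn.example.io": "risky",    # neither clearly safe nor clearly malicious
}


def lookup_category(qname: str) -> str:
    """Exact match first, then parent domains; 'clean' when nothing is known."""
    labels = qname.lower().strip(".").split(".")
    for i in range(len(labels)):
        cat = CATEGORIES.get(".".join(labels[i:]))
        if cat:
            return cat
    return "clean"


@dataclass
class Policy:
    allow_list: set = field(default_factory=set)
    block_list: set = field(default_factory=set)
    blocked_categories: set = field(
        default_factory=lambda: {"malware", "phishing", "c2"})
    allow_only: bool = False          # "whitelist policy"
    intelligent_proxy: bool = False   # send risky destinations through the proxy


def decide(policy: Policy, qname: str) -> tuple:
    """Return (action, reason) with action in {'permit', 'block', 'proxy'}."""
    if in_list(policy.allow_list, qname):
        return ("permit", "allow list")          # allow list wins over block list
    if in_list(policy.block_list, qname):
        return ("block", "block list")           # client is sent to the block page
    if policy.allow_only:
        return ("block", "allow-only mode")      # not allow-listed, so blocked
    category = lookup_category(qname)
    if category in policy.blocked_categories:
        return ("block", f"category {category}")
    if category == "risky" and policy.intelligent_proxy:
        return ("proxy", "risky destination")   # TCP 80/443 go through the proxy
    return ("permit", "default")


if __name__ == "__main__":
    p = Policy(allow_list={"example.org"}, block_list={"social.example.com"},
               intelligent_proxy=True)
    for q in ("www.bad.example.net", "app.social.example.com",
              "newcdn.example.io", "www.example.org", "www.cisco.com"):
        print(q, decide(p, q))
```

Note what the subdomain rule buys an attacker or an administrator: allow-listing `example.org` also allows every host under it, so allow lists should be as specific as the business need permits.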

Umbrella Investigate

  • REST API, GUI
  • attributes and predicts attacker infrastructure: IP addresses, domain names
  • sources
    • passive DNS data (~4 years)
    • BGP routes
    • WHOIS
    • ASN-IP mapping
    • geolocation
  • can detect DNS query spikes and fast-flux domains
  • domain co-occurrence:
    • domains that are queried together within a short time window
    • used to surface suspicious domains related to a known-bad one
    • based on a week of telemetry
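
Two of the Investigate signals above, fast flux and domain co-occurrence, can be reproduced on a small scale over your own telemetry. The block below is an added example for these notes, not Cisco's algorithms: the passive-DNS records and query log are constructed, and the thresholds (distinct IPs, ASNs, TTL, time window) are assumptions chosen to make the logic visible.

```python
"""Investigate-style analytics over constructed telemetry (example for these
notes, not Cisco's code): fast-flux scoring from passive-DNS records and
domain co-occurrence from a client query log. Thresholds are assumptions."""
from collections import defaultdict

# constructed passive-DNS records: (domain, unix_time, resolved_ip, asn, ttl)
PASSIVE_DNS = [
    ("flux.example.net", 1700000000, "203.0.113.5", 64500, 60),
    ("flux.example.net", 1700000120, "198.51.100.9", 64501, 60),
    ("flux.example.net", 1700000240, "192.0.2.77", 64502, 30),
    ("flux.example.net", 1700000360, "203.0.113.88", 64503, 60),
    ("flux.example.net", 1700000480, "198.51.100.2", 64504, 60),
    ("static.example.com", 1700000000, "192.0.2.10", 64510, 3600),
    ("static.example.com", 1700003600, "192.0.2.10", 64510, 3600),
]

# constructed query log: (client_id, unix_time, domain)
QUERY_LOG = [
    ("host-a", 1700000000, "cdn.example.com"),
    ("host-a", 1700000003, "evil.example.net"),
    ("host-a", 1700000005, "stager.example.io"),
    ("host-b", 1700000100, "evil.example.net"),
    ("host-b", 1700000104, "stager.example.io"),
    ("host-b", 1700000900, "news.example.org"),
    ("host-c", 1700000200, "news.example.org"),
    ("host-c", 1700000201, "cdn.example.com"),
]


def fast_flux_score(records, domain, window=3600, min_ips=5, min_asns=3, max_ttl=300):
    """Flag `domain` if within any `window` seconds it resolved (with TTL <= max_ttl)
    to at least `min_ips` distinct IPs spread over at least `min_asns` ASNs.
    Low TTL plus many short-lived IPs across unrelated networks is the
    fast-flux signature; a stable, long-TTL domain never qualifies."""
    recs = sorted(r for r in records if r[0] == domain)
    best = {"ips": 0, "asns": 0}
    for i, rec in enumerate(recs):
        t0 = rec[1]
        in_win = [r for r in recs[i:] if r[1] - t0 <= window and r[4] <= max_ttl]
        ips = {r[2] for r in in_win}
        asns = {r[3] for r in in_win}
        if len(ips) > best["ips"]:
            best = {"ips": len(ips), "asns": len(asns)}
    best["fast_flux"] = best["ips"] >= min_ips and best["asns"] >= min_asns
    return best


def co_occurrence(log, seed, window=60):
    """For every client that queried `seed`, collect the other domains it
    queried within `window` seconds of that query. Return (domain, fraction of
    seed-querying clients that also hit it), highest fraction first; a domain
    that nearly every victim touches right next to the seed is a candidate for
    the same campaign (e.g. a second-stage host)."""
    by_client = defaultdict(list)
    for client, ts, dom in log:
        by_client[client].append((ts, dom))
    clients_with_seed = 0
    hits = defaultdict(set)
    for client, entries in by_client.items():
        seed_times = [ts for ts, dom in entries if dom == seed]
        if not seed_times:
            continue
        clients_with_seed += 1
        for ts, dom in entries:
            if dom != seed and any(abs(ts - st) <= window for st in seed_times):
                hits[dom].add(client)
    return sorted(
        ((dom, len(clients) / clients_with_seed) for dom, clients in hits.items()),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    for d in ("flux.example.net", "static.example.com"):
        print(d, fast_flux_score(PASSIVE_DNS, d))
    print(co_occurrence(QUERY_LOG, "evil.example.net"))
```

The co-occurrence score is only meaningful with many clients; with the three constructed hosts, `cdn.example.com` scores 0.5 purely because one host happened to load a CDN next to the seed, which is exactly the kind of popular-domain noise a production version has to discount.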