- Umbrella
- Licenses
- Virtual appliance
- Roaming client
- Intelligent proxy
- File inspection
- Policy
- Umbrella Investigate
Umbrella
- recursive DNS resolver in the cloud
- anycast resolver addresses: 208.67.222.222, 208.67.220.220 (IPv6: 2620:119:35::35, 2620:119:53::53)
- actions
  - permit: the real record is returned
  - block: the resolver answers with the address of the block page instead of the real record
  - proxy: the resolver answers with the address of the intelligent proxy so the HTTP/HTTPS session can be inspected
- deployment
  - via network: point clients at the resolvers (DHCP option 6 or local DNS settings) or through a virtual appliance; the network is identified by its public egress IP
  - roaming client: standalone module, AnyConnect module, Cisco Security Connector (iOS)
  - hardware integrations: ISR, WLC, ASA/FTD (HW acceleration; the device tags and forwards queries itself, i.e. VA-like functionality)
- can enforce SafeSearch on search-engine queries
- a domain entered in the GUI implicitly covers all of its subdomains (a wildcard is added)
- dynamic IP updater: client software that re-registers the network when the ISP-assigned public IP changes
Licenses
- licensed per user (seat count)
- tiers (cumulative: SIG includes the DNS Security tiers below it)
  - DNS Security Essentials
    - DNS-layer protection
    - AnyConnect module and standalone roaming client
    - integration with Cisco Threat Response
  - DNS Security Advantage
    - block direct-to-IP connections (IP-layer enforcement)
    - selective (intelligent) proxy: unknown domains only
    - SSL decryption in the proxy
    - Umbrella Investigate
  - Secure Internet Gateway (SIG)
    - full web proxy
    - Threat Grid sandbox
    - retrospective events (verdict changes on files already delivered)
    - L3/L4 cloud-delivered firewall (traffic sent over an IPsec tunnel)
    - CASB
Virtual appliance
- VM deployed on the internal network
- conditional DNS forwarder
  - forwards public DNS queries to Umbrella; private domains (defined manually) are forwarded to the local name servers
- adds EDNS options to each forwarded query carrying
  - device ID (the VA itself)
  - organisation ID
  - internal IP of the requesting client: gives per-client visibility behind PAT
- encrypts and authenticates the DNS traffic to Umbrella (DNSCrypt on UDP 443, falling back to plain DNS on UDP 53 if 443 is blocked)
Roaming client
- installs itself as the system's only DNS server, listening on 127.0.0.1:53 and [::1]:53
- no IPv6 support on macOS
- encrypts and authenticates DNS requests to Umbrella (DNSCrypt, UDP 443)
- uses EDNS to tag queries with the device and organisation ID
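The two mechanisms above, the VA's conditional forwarding and the EDNS tagging that both the VA and the roaming client add before a query leaves the host, as an added example in Python. This is not Cisco's code: the EDNS option codes ORG_ID_OPT, DEVICE_ID_OPT and CLIENT_IP_OPT are placeholders from the local-use range (Umbrella's real codes are proprietary), the local name server 10.0.0.53, the zone corp.local and the device ID are made up, and the packet is built and parsed in memory rather than sent.

```python
import ipaddress
import struct

# Umbrella anycast resolvers (from the notes); the local NS used below is a placeholder
UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")

# Hypothetical EDNS0 option codes from the local-use range (65001-65534).
# Umbrella's real option codes are proprietary and are NOT these values.
ORG_ID_OPT = 65001
DEVICE_ID_OPT = 65002
CLIENT_IP_OPT = 65003


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label wire format (the root name encodes as a single 0x00)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, off
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(qname: str, txid: int, options: dict) -> bytes:
    """A-record query with an OPT pseudo-RR carrying the given EDNS0 options."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    rdata = b"".join(struct.pack("!HH", code, len(data)) + data
                     for code, data in options.items())
    # OPT RR: root name, type 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags
    opt = encode_name("") + struct.pack("!HHIH", 41, 4096, 0, len(rdata)) + rdata
    return header + question + opt


def tag_query(qname: str, txid: int, org_id: int, device_id_hex: str, client_ip: str) -> bytes:
    """What a VA or roaming client adds before forwarding: org ID, device ID, requester IP."""
    return build_query(qname, txid, {
        ORG_ID_OPT: struct.pack("!I", org_id),
        DEVICE_ID_OPT: bytes.fromhex(device_id_hex),
        CLIENT_IP_OPT: ipaddress.ip_address(client_ip).packed,  # 4 or 16 bytes
    })


def parse_edns_options(packet: bytes) -> dict:
    """Walk the message and return {option code: data} from the OPT RR (the resolver's view)."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(packet, off)
        off += 4  # QTYPE + QCLASS
    options = {}
    for _ in range(an + ns + ar):
        _, off = decode_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        if rtype != 41:
            off += rdlen
            continue
        end = off + rdlen
        while off < end:
            code, olen = struct.unpack("!HH", packet[off:off + 4])
            options[code] = packet[off + 4:off + 4 + olen]
            off += 4 + olen
    return options


def choose_upstream(qname: str, private_domains, local_ns: str) -> str:
    """Conditional forwarding: private zones (and their subdomains) go to the local NS."""
    name = qname.rstrip(".").lower()
    for zone in private_domains:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):  # suffix match on a label boundary
            return local_ns
    return UMBRELLA_RESOLVERS[0]


if __name__ == "__main__":
    private = ["corp.local"]  # hypothetical internal zone
    for q in ("intranet.corp.local", "example.com"):
        pkt = tag_query(q, 0x1234, 1234567, "0a0b0c0d0e0f", "10.1.2.3")
        print(q, "->", choose_upstream(q, private, "10.0.0.53"), parse_edns_options(pkt))
```

The suffix match in choose_upstream is done on a label boundary on purpose: a naive endswith("corp.local") would also send notcorp.local to the internal name server. The client-IP option is what gives Umbrella per-host visibility even though every query arrives from the VA's address.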
Intelligent proxy
- only TCP 80 and 443
- proxies only domains that are unknown (grey) to Umbrella: known-good domains go direct, known-bad domains are blocked at the DNS layer, the rest receive the proxy's address in the DNS answer
File inspection
- requires the web proxy (intelligent proxy or SIG)
- files are scanned by AV and AMP engines: a file is malicious if at least one engine flags it
- only clean files are returned to the client; flagged files are blocked
Policy
- an allow-list (whitelist) entry takes precedence over a block-list (blacklist) entry
- default: permit everything except malicious destinations (security categories)
- allow-only mode: only destinations on the allow list are permitted, everything else is blocked
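The precedence described in this section, evaluated in code, as an added example that is not Umbrella's own policy engine. Destination-list entries cover subdomains, as noted under the GUI behaviour above, and the category map stands in for Umbrella's own intelligence; the sample policy, the domains in it and the default blocked-category set are constructed for the example.

```python
# Blocked security categories when the policy does not say otherwise (illustrative set)
DEFAULT_BLOCKED_CATEGORIES = frozenset({"malware", "phishing", "command and control"})


def matches(domain: str, entry: str) -> bool:
    """Destination-list semantics: an entry covers itself and every subdomain,
    matched on a label boundary so 'example.com' does not cover 'notexample.com'."""
    d = domain.lower().rstrip(".")
    e = entry.lower().rstrip(".")
    return d == e or d.endswith("." + e)


def in_list(domain: str, entries) -> bool:
    return any(matches(domain, e) for e in entries)


def lookup_categories(domain: str, categories: dict) -> set:
    """Longest-suffix match: the categories of the closest labelled parent apply."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        cats = categories.get(".".join(labels[i:]))
        if cats is not None:
            return set(cats)
    return set()


def evaluate(domain: str, policy: dict):
    """Return (action, reason) for a DNS request against an Umbrella-style policy.

    Precedence as modelled from the notes: allow list > block list >
    blocked security category > default (permit, or block in allow-only mode).
    """
    if in_list(domain, policy.get("allow", [])):
        return "permit", "allow list"
    if in_list(domain, policy.get("block", [])):
        return "block", "block list"
    blocked = policy.get("blocked_categories", DEFAULT_BLOCKED_CATEGORIES)
    hit = lookup_categories(domain, policy.get("categories", {})) & set(blocked)
    if hit:
        return "block", "security category: " + ", ".join(sorted(hit))
    if policy.get("allow_only", False):
        return "block", "allow-only mode"
    return "permit", "default"


# Constructed sample policy (hypothetical domains; the category map is not Umbrella data)
SAMPLE_POLICY = {
    "allow": ["example.com", "partner.example"],
    "block": ["www.example.com", "ads.tracker.test"],
    "categories": {"evil.test": {"malware"}, "tracker.test": {"advertising"}},
}


if __name__ == "__main__":
    for name in ("www.example.com", "ads.tracker.test", "dl.evil.test",
                 "news.tracker.test", "notexample.com"):
        print(name, evaluate(name, SAMPLE_POLICY))
        print(name, "(allow-only)", evaluate(name, dict(SAMPLE_POLICY, allow_only=True)))
```

Note the effect of the first rule: www.example.com is on the block list but still permitted because its parent example.com is on the allow list, which is exactly what the implicit subdomain wildcard plus allow-over-block precedence produces. Allow-only mode only changes the fall-through case.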
Umbrella Investigate
- access via REST API or the Investigate console (GUI)
- discovers and predicts attacker infrastructure: IPs, domain names
- data sources
  - passive DNS data (~4 years)
  - BGP routes
  - WHOIS
  - ASN-to-IP mapping
  - geolocation
- detects DNS query spikes and fast flux
- domain co-occurrence:
  - domains that are queried by the same clients at about the same time
  - used to identify related suspicious domains
- stores telemetry for a week
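The co-occurrence idea above, worked through on a small query log, as an added example; it is not Investigate's algorithm or API, and the log lines, client addresses and domains are constructed for the example. Given a seed domain, it finds domains the same clients resolved within a short window of the seed, and divides by how many clients resolve that domain at all, so a domain everyone resolves anyway (the search engine in the sample) scores low even though it often lands inside the window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DNS query log: "<UTC timestamp> <client IP> <queried domain>" (not real telemetry)
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.11 www.google.com
2024-05-01T10:00:02Z 10.0.0.11 update.evil.test
2024-05-01T10:00:03Z 10.0.0.11 payload.evil.test
2024-05-01T10:00:05Z 10.0.0.11 cdn.tracker.test
2024-05-01T10:30:00Z 10.0.0.12 www.google.com
2024-05-01T10:30:01Z 10.0.0.12 update.evil.test
2024-05-01T10:30:04Z 10.0.0.12 payload.evil.test
2024-05-01T11:00:00Z 10.0.0.13 update.evil.test
2024-05-01T11:00:02Z 10.0.0.13 payload.evil.test
2024-05-01T11:00:03Z 10.0.0.13 www.google.com
2024-05-01T11:05:00Z 10.0.0.14 www.google.com
2024-05-01T11:05:30Z 10.0.0.14 cdn.tracker.test
2024-05-01T12:00:00Z 10.0.0.15 www.google.com
2024-05-01T12:10:00Z 10.0.0.16 www.google.com
2024-05-01T12:20:00Z 10.0.0.17 www.google.com
2024-05-01T12:30:00Z 10.0.0.18 www.google.com
"""


def parse_log(text: str):
    """Return a list of (timestamp, client, domain) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, client, domain = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, domain.lower()))
    return events


def cooccurrence(events, seed: str, window_s: int = 10, min_clients: int = 2):
    """Domains queried within +/- window_s of the seed by the same client.

    score = clients that queried the domain near the seed / all clients that
    queried the domain at all; ubiquitous domains therefore score low.
    Returns [(domain, cooccurring_clients, score)], best first.
    """
    window = timedelta(seconds=window_s)
    by_client = defaultdict(list)
    clients_per_domain = defaultdict(set)
    for ts, client, domain in events:
        by_client[client].append((ts, domain))
        clients_per_domain[domain].add(client)

    cooccur = defaultdict(set)
    for client, queries in by_client.items():
        seed_times = [ts for ts, d in queries if d == seed]
        if not seed_times:
            continue
        for ts, d in queries:
            if d != seed and any(abs(ts - st) <= window for st in seed_times):
                cooccur[d].add(client)

    results = []
    for d, clients in cooccur.items():
        if len(clients) < min_clients:  # too little support to call the domain related
            continue
        score = len(clients) / len(clients_per_domain[d])
        results.append((d, len(clients), round(score, 3)))
    results.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return results


if __name__ == "__main__":
    for domain, n, score in cooccurrence(parse_log(SAMPLE_LOG), "update.evil.test"):
        print(f"{domain:20} clients={n} score={score}")
```

On the sample log payload.evil.test is resolved only by the three clients that resolved the seed, and always within seconds of it, so it comes out on top; www.google.com appears in the same windows but is resolved by eight clients overall and scores 0.375; cdn.tracker.test co-occurs on one client only and is dropped by the support threshold.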