Network & Wireless Blog for professionals

Over 30 thousand readers come back for our content every month!

 

DNS Security or How to Protect Users with Cisco Umbrella

Author:
Category: Podcast, Security


09.06.2021

DNS Protection, what is it? 

DNS, or the Domain Name System, is a system translating URL addresses of websites into a language understandable for computers. Protecting DNS, we do not allow undesired domains to transfer information to our users. This is how we can protect them from phishing or ransomware attacks. When we add a growing level of company digitization, DNS will turn out to be another brick in the cyber wall composed of, i.e. firewall in the data center or at the meeting point with the Internet or antivirus and anti-malware solutions installed on end devices.  

The above firewalls or anti-virus software do not cover all the prospective hazards, despite offering a solid security foundation. One of them is, e.g. malware saved on a pendrive connected to the company computer. 

For the attack to be effected, such malware must connect with its servers which it usually uses DNS queries for. 

Will DNS protect us from phishing? 

DNS Protection is also great for phishing (false links). It is worth mentioning that the attackers are better and better at passing themselves off as websites which they want to gain access to. They might just send a false e-mail to a person tired after a busy day and encourage them to log in a bank website or social media.  

DNS security verifies whether the link that comes with any email directs to a trusted resource or a malicious one. In the latter case, being able to block or permit the DNS request for that link. 

However, DNS can be used both for the professional and everyday Internet use when we may not even be aware of the threat to our data. 

Will DNS Security be of use for remote work? 

Although the company laptops and, with them, company data, are not grouped in one location, they are more and more often in a distributed environment, we can still protect them. How is it done in the case of Cisco Umbrella? 

We can offer DNS Security in two ways: 

  1. By integrating with a VPN session. In such a case, DNS Security (e.g. Cisco Umbrella) is configured inside our network and operates automatically. 
  2. We can also install an endpoint on our computer, i.e. Roaming Client which forces DNS traffic via Umbrella servers, with our data secured all the time. 

In the other scenario, the user need not connect with VPN and direct traffic via the internal organisation infrastructure. 

Is it possible to group users in Cisco Umbrella?  

Yes, it is. The best method is to integrate with Active Directory which requires installing an extra virtual appliance on-premise and integrating Active Directory with it. 

The technical requirements are met by all smartphones we use every day.  

What is more, we can integrate the Roaming Client with Active Directory and thanks to it, see the information sending DNS requests from the user logged in the said computer, as well as information on the internal ID. This is a substantial set of information concerning the user and their choices. 

Do we have access to other functions? 

Umbrella is a dynamically developing product, supplemented with new functionalities on a regular basis. One of more interesting innovations is Cloud Access Security Broker (CASB) which secures users when connecting with cloud applications. 

CASB and Secure Internet Gateway are available in the highest possible licence option of Umbrella which also enables to obtain a proxy. We can redirect traffic via Umbrella servers,decrypt and inspect the SSL traffic , as well as use Layer 3 and 4 policies of a cloud firewall. 

And what if we might need a central ISG? 

This this a perfect option for the customer having many locations, meaning that their work environment is distributed. Thanks to ISG, the customer need not buy a separate firewall for every location. This offers them great comfort and security. This is a finished product which is highly scalable and easily manageable. 

How to start the implementation? How is Cisco Umbrella scaled? 

You should consider the license-related aspects, i.e. how many employees need new software? (How many users are going to use it?) This determines the number of licenses to be bought. Umbrella is licensed for a user and not for the company (excluding the exceptions of licensing for the router or for the Access Point). 

What do we actually need? What functionality? Umbrella offers three subscription plans:

  1. DNS Security Essentials.
  2. Advanced.
  3. Secure Internet Gateway.

The plans differ in terms of functionalities and security degree.  

The basic option is the basic protection from domain-related threats making it possible to create a security policy, integrate with Active Directory and use the Roaming Client.

A higher protection level, i.e. Advanced license, is an extra possibility of a selective proxy, meaning a proxy used partially. In this solution, the traffic unknown to Umbrella yet goes through a selective proxy, and then Umbrella analyses it and provides the response if it is going to let the user in or not. 

An extra option in the Advanced is Umbrella Investigate, i.e. an extra panel where we can track and analyze the domain with respect to threats and its history, as well as the Risk Score, meaning a number of security points awarded to the domain. 

The highest security option is the Secure Internet Gateway licence. This package includes a proxy, Gatsby or an Internet firewall as a Service which means a complete security pack to offer comprehensive security. 

Does the system have any limitations? 

This solution is universal and there are no contraindications to implement Umbrella in an organization of any type and size. The existing security policies are not contraindications to use Umbrella as the only traffic we send via Umbrella is DNS queries which we would send from our computers anyway. 

This solution is universal and there are no contraindications to implement Umbrella in an organization of any type and size.

Jan Ćwierk, Security Engineer, Ingram Micro

How can Umbrella be tested? 

It is best to test using one’s own infrastructure to check how the product operates and if it meets our expectations. The implementation is highly intuitive and, importantly, does not conflict with the existing infrastructure. The standard test duration is 14 days. We then get access to the dashboard where we can observe what Umbrella detects and respond to it.  

The implementation of Cisco Umbrella is easy and fast. Just sign in, set the correct DNS addresses… And that is all. The only thing we need is an Internet connection to carry out the connections. 

— 

The article is based on a Grandmetric podcast called Próba Połączenia. DNS Security was discussed by Marcin Biały of Grandmetric and Jan Ćwierk who works for Ingram Micro and specializes in implementations and licensing of Cisco Umbrella environment. He supports partners when selecting solutions and updates technology in terms of customer functionalities. 

Author

Leave a Reply

Your email address will not be published. Required fields are marked *

Sign up to our newsletter!


 

Newsletter