US Region

Grandmetric LLC
Lewes DE 19958
16192 Coastal Hwy USA
EIN: 98-1615498
+1 302 691 94 10

EMEA Region

ul. Metalowa 5, 60-118 Poznań, Poland
NIP 7792433527
+48 61 271 04 43


Grandmetric LTD
Office 584b
182-184 High Street North
E6 2JA
+44 20 3321 5276

  • en
  • pl
  • Three Models of Cisco Umbrella Deployment

    Three Models of Cisco Umbrella Deployment

    Date: 07.02.2023

    Category: Security

    There is no need to convince anyone of the fact that phishing is one of the most widespread methods of attacks on enterprises. The Data Breach Investigation Report 2022 from Verizon shows that phishing is the second greatest (after login credential theft) threat for companies. 

    It’s worth asking yourself, is there a mechanism that preempts a phishing attack, e.g. downloads the infected file, thus locking out the Command & Control connection? The answer is: yes. DNS can be a suitable stage for blocking such an event.  

    DNS is a mechanism on which communication over the Internet is based. Translating a domain address query, comprehensible for humans (e.g., into a specific machine address (IP for is is possible thanks to this. It’s the first and natural line that can be used for verification of an infected or suspect domain or one used for launching attacks. Based on the classification of the domain, DNS can return information on whether the domain that you’re trying to connect to is blocked or reachable. 

    Check how a production company started to block malware and phishing in only 24 hours with Cisco Umbrella!

    DNS Security with Umbrella  

    The address and DNS query verification mechanism is the foundation of Cisco Umbrella’s operation. Configured as a DNS server for your company, Umbrella can see all DNS names into IP addresses solving queries that come from your organization. Umbrella blocks attacks before they occur due to the fact that it works during the first phase of every connection.  

    Cisco has also thought about a case, where the user leaves the network and connects to various domains outside the company network. Here, security will be provided by the so-called Umbrella Roaming Client, a lightweight app installed on a computer that controls all DNS queries. This deployment model is called off-net, and its advantage lies in the fact that it doesn’t require a connection through VPN.  

    Cisco Umbrella security can protect users in the network (on-net) and outside of it without VPN (off-net)

    Umbrella itself is a continuation of the OpenDNS project, which makes it possibly the most common DNS security solution worldwide. Data volume that passes through Umbrella on a daily basis reaches 200 billion queries from 100 million users. Umbrella is used by over 18 thousand Enterprise segment companies, and DNS queries come from more than 190 countries in the world.  

    The DNS Umbrella server system itself is made up of servers located in 32 processing centers all over the globe. They cover virtually every continent, which makes for high service accessibility, while the delay of name-solving between users and servers can be kept to a minimum. 

    Additionally, the Umbrella system works basically uninterrupted since 2006 (100% business uptime) thanks to, among other factors, the implementation of Anycast-type routing. This means that all Umbrella DNS servers are visible under the same IP address, and Anycast routing ensures that DNS query packets are routed to a DNS server location that is closest to the user.  

    Cisco Umbrella uses advanced statistical methods and machine learning to anticipate threats

    Behind the entire domain ranking in the Cisco Umbrella database are statistical methods that allow effective case analyses and the compromised domain classification. With that, Umbrella is capable of blocking DNS responses that would normally route users to risky domains. 

    One of the statistical methods is the so-called co-occurrence or correlation of events that occur within a short interval and is related to the infected master domain. This results in some domains getting detected by Cisco Umbrella even before being rated by anti-malware and anti-virus engines, while the attacks can be prevented as soon as at the DNS level.  

    How to Implement Umbrella? 3 Models  

    Quick Deployment – Easy  

    When analysing Umbrella deployment models, we can boil it down to three points:  

    1. registering organization on the Umbrella dashboard, 
    1. specifying the IP address or an exterior public addressing pool of our business, 
    1. routing DNS queries to Cisco Umbrella DNS.  

    This way enables us to implement Cisco Umbrella for testing or production in a matter of just dozens of minutes.  

    Quick deployment of Cisco Umbrella on-network DNS protection

    Of course, full deployment requires close tailoring of some parameters. In the easiest model, this change is boiled down to changing the DNS server address in the DHCP pool. With this, the user immediately queries the Umbrella DNS server, and we can see all connections in the dashboard.  

    Get more with Umbrella Virtual Appliance model  

    The alternative model, providing even more information from DNS queries, is deployment with the use of Umbrella Virtual Appliance. It’s a virtual device supplied by the manufacturer, compatible with popular virtualizers, such as ESX, KVM or Hyper-V. Umbrella VA takes on a role of a DNS proxy between users and the DNS server within the company, as well as Umbrella servers. 

    Umbrella Virtual Appliance

    When a DNS query reaches the Virtual Appliance, it’s getting forwarded to Cisco Umbrella. Thanks to Umbrella Virtual Appliance you can integrate your DNS with AD servers via an AD Connector. This helps with building security policies and DNS-level reports based on domain groups or user names. Reports allow you to very quickly figure out which users query for infected websites. With that knowledge, you can verify, whether they are already infected themselves.  

    “On the Go” Model – Workers Outside the Workplace  

    The third model is an aforementioned off-network model, using an Umbrella Roaming Client. It’s a lightweight client that safeguards end users by assuming a role of a DNS proxy to Cisco Umbrella DNS servers, without the need to be present at the company, and the need to route Remote Access VPN tunnels. Alternatively, there is a possibility of integrating the Umbrella Roaming Client with the VPN Remote Access client Cisco AnyConnect. This is the so-called Roaming Security Mode, used as part of the AnyConnect framework and playing the same role as Umbrella Roaming Client.  

    Cisco Umbrella on-the-go model

    Reports, or What Can be Seen in Cisco Umbrella  

    Already at a first glance, the Cisco Umbrella dashboard shows you data from the last 24 hours. In particular, you can see the Security Blocks chart, which shows the volume of blocked DNS queries from the last 24 hours that came from your users. 

    What criteria does Umbrella use to group blocked queries?  

    • by destination, meaning location and network/subnetwork;  
    • by identity, meaning queries by specific users;  
    • by type, meaning the category of a threat. 

    What Does the Cisco Umbrella Dashboard Look Like? 

    Additionally, in the Overview dashboard, you can see the volume of blocked DNS queries for websites spreading malware from the last 24 hours, as well as thwarted attempts of routing Command and Control type threat vectors.  

    All security activity full visibility with Cisco Umbrella

    Umbrella Reports also show you the trends related to hazard activities and blocked queries, broken down into target domains:  

    • you can see what kind of action was taken,  
    • where did the query come from,  
    • what external address did the user have when querying for such domains,  
    • what was the result of the query, 
    • when exactly did the query take place,  
    • we can also have a look at what exactly got blocked.  

    Moreover, when using the Virus Total portal you can also verify a given domain, indicated by Umbrella as a malware vector, and check which anti-malware engines have also verified this website as malware.  
    You can filter or sort reports by Top Destinations, or domains with the greatest number of blocked queries, among other criteria, as well. This can point to the fact that you should block that domain somewhere else in the network.  

    Free Cisco Umbrella Tests  

    Our experience tells us that already at the time of most Cisco Umbrella tests, the customers decide to implement this solution without even waiting for them to be completed. This means that reports shown to the customers by Cisco Umbrella in the dashboard are valuable, and already after a few hours of operation, they are convinced of implementing this solution into the network as an extra security measure, de facto a basic front-line one.  

    Test Cisco Umbrella with Grandmetric


    Marcin Bialy

    Marcin Biały is Network and Security Architect with over 14 years of experience, with Service Provider and Enterprise networking background. He used to work for large service providers, global vendors and integration services companies as Network Architect, Leading Architect and Techincal Solution Manager positions. He designed, implemented and supported dozens large scale projects and infrastructure migrations, solved hundreds of tickets and spent hours with CLI and GUI of many flavors. Marcin is also holding industry recognizable certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.

    Leave a Reply

    Your email address will not be published. Required fields are marked *