    Three Models of Cisco Umbrella Deployment

    Date: 07.02.2023

    Author: Marcin Biały
    Category: Security


    There is no need to convince anyone that phishing is one of the most widespread attack methods used against enterprises. Verizon's Data Breach Investigations Report 2022 shows that phishing is the second greatest threat to companies, after the theft of login credentials.

    It is worth asking whether there is a mechanism that can pre-empt a phishing attack, for example by stopping the download of the infected file and thereby cutting off the Command & Control connection. The answer is yes: DNS is a suitable stage at which to block such an event.

    DNS is the mechanism on which communication over the Internet is based. It translates a domain name that is comprehensible to humans (e.g. google.com) into a specific machine address (the IP for google.com is 142.251.39.46). That makes it the first and most natural point at which an infected or suspicious domain, or one used for launching attacks, can be checked. Based on the classification of the domain, DNS can return information on whether the domain you are trying to connect to is blocked or reachable.

    Check how a production company started to block malware and phishing in only 24 hours with Cisco Umbrella!

    DNS Security with Umbrella  

    The mechanism that verifies addresses and DNS queries is the foundation of Cisco Umbrella's operation. Configured as the DNS server for your company, Umbrella sees every query from your organization that resolves a DNS name into an IP address. Because it acts in the first phase of every connection, name resolution, Umbrella blocks attacks before they occur.

    Cisco has also thought about the case where the user leaves the network and connects to various domains outside the company network. Here, security is provided by the so-called Umbrella Roaming Client, a lightweight app installed on the computer that controls all DNS queries. This deployment model is called off-net, and its advantage is that it does not require a VPN connection.

    Cisco Umbrella security can protect users in the network (on-net) and outside of it without VPN (off-net)

    Umbrella itself is a continuation of the OpenDNS project, which makes it possibly the most widely used DNS security solution worldwide. The volume of data that passes through Umbrella daily reaches 200 billion queries from 100 million users. Umbrella is used by over 18 thousand enterprise customers, and DNS queries come from more than 190 countries.

    The Umbrella DNS server system itself is made up of servers located in 32 processing centers around the globe. They cover virtually every continent, which gives high service availability while keeping the name-resolution latency between users and servers to a minimum.

      
    Additionally, the Umbrella system has operated essentially without interruption since 2006 (100% business uptime), thanks among other factors to the use of Anycast routing. This means that all Umbrella DNS servers are reachable at the same IP address, and Anycast routing ensures that DNS query packets are delivered to the DNS server location closest to the user.

    Cisco Umbrella uses advanced statistical methods and machine learning to anticipate threats

    Behind the entire domain ranking in the Cisco Umbrella database are statistical methods that allow effective analysis of cases and classification of compromised domains. With that, Umbrella is able to block DNS responses that would otherwise route users to risky domains.

    One of these statistical methods is so-called co-occurrence: the correlation of queries that occur within a short interval of each other and are related to an infected master domain. As a result, some domains are detected by Cisco Umbrella even before they are rated by anti-malware and anti-virus engines, and the attacks can be prevented already at the DNS level.
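    To make the co-occurrence idea concrete, here is an added, deliberately simplified illustration written for this article; it is not Umbrella's code or algorithm. It runs over a constructed DNS query log (timestamp, identity, domain, action) and flags domains that many independent identities queried within a few seconds of a known-bad master domain, normalised against how many identities queried that domain at all.

```python
# Simplified co-occurrence scoring over DNS query logs.
# Illustrative example for this article; not Cisco Umbrella's algorithm.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, identity, domain, action taken by the resolver.
SAMPLE_LOG = """\
2023-02-07T09:00:00 alice update.example-cdn.com Allowed
2023-02-07T09:00:03 alice evil-master.example Blocked
2023-02-07T09:00:05 alice dropper.example Allowed
2023-02-07T09:00:20 alice news.example Allowed
2023-02-07T10:15:00 bob evil-master.example Blocked
2023-02-07T10:15:02 bob dropper.example Allowed
2023-02-07T10:15:04 bob pics.example Allowed
2023-02-07T11:30:00 carol evil-master.example Blocked
2023-02-07T11:30:01 carol dropper.example Allowed
2023-02-07T12:00:00 dave news.example Allowed
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, identity, domain, action) rows."""
    rows = []
    for line in text.splitlines():
        ts, identity, domain, action = line.split()
        rows.append((datetime.fromisoformat(ts), identity, domain, action))
    return rows


def co_occurrence(rows, master, window_s=10):
    """For every domain other than `master`, return (near, total): how many
    identities queried it within window_s seconds of querying `master`, and
    how many identities queried it at all. Normalising by `total` keeps
    popular benign domains (CDNs, news sites) from looking suspicious."""
    by_identity = defaultdict(list)
    for ts, ident, domain, _ in rows:
        by_identity[ident].append((ts, domain))
    total, near = defaultdict(set), defaultdict(set)
    window = timedelta(seconds=window_s)
    for ident, events in by_identity.items():
        master_times = [ts for ts, d in events if d == master]
        for ts, domain in events:
            if domain == master:
                continue
            total[domain].add(ident)
            if any(abs(ts - mt) <= window for mt in master_times):
                near[domain].add(ident)
    return {d: (len(near[d]), len(total[d])) for d in total}


def suspicious(scores, min_identities=2, min_ratio=0.8):
    """Domains seen near the master by enough independent identities."""
    return sorted(d for d, (n, t) in scores.items()
                  if n >= min_identities and n / t >= min_ratio)
```

    In the sample, dropper.example is flagged because three unrelated identities queried it seconds after the blocked master domain, while news.example is not, even though two identities queried it.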

    How to Implement Umbrella? 3 Models  

    Quick Deployment – Easy  

    When analysing Umbrella deployment models, the process can be boiled down to three steps:

    1. registering the organization on the Umbrella dashboard,
    2. specifying the public IP address or external public address pool of the business,
    3. routing DNS queries to the Cisco Umbrella DNS servers.

    This approach lets you deploy Cisco Umbrella for testing or production in a matter of tens of minutes.

    Quick deployment of Cisco Umbrella on-network DNS protection

    Of course, a full deployment requires fine-tuning some parameters. In the simplest model, the change comes down to replacing the DNS server address in the DHCP pool with Umbrella's. From then on, users query the Umbrella DNS server directly, and all connections are visible in the dashboard.

    Get more with Umbrella Virtual Appliance model  

    The alternative model, which extracts even more information from DNS queries, is deployment with the Umbrella Virtual Appliance. It is a virtual device supplied by the vendor, compatible with popular hypervisors such as ESX, KVM or Hyper-V. The Umbrella VA acts as a DNS proxy between users, the internal company DNS server, and the Umbrella servers.

    Umbrella Virtual Appliance

    When a DNS query reaches the Virtual Appliance, it is forwarded to Cisco Umbrella. With the Umbrella Virtual Appliance you can also integrate your DNS with Active Directory servers via the AD Connector. This helps with building security policies and DNS-level reports based on domain groups or user names. The reports let you very quickly find out which users are querying infected websites, and with that knowledge you can check whether those users are already infected themselves.

    “On the Go” Model – Workers Outside the Workplace  

    The third model is the off-network model mentioned above, which uses the Umbrella Roaming Client. It is a lightweight client that protects end users by acting as a DNS proxy to the Cisco Umbrella DNS servers, without requiring the user to be on the company network or to route traffic through Remote Access VPN tunnels. Alternatively, the Umbrella Roaming Client can be integrated with the Cisco AnyConnect Remote Access VPN client. This is the so-called Roaming Security Module, used as part of the AnyConnect framework and playing the same role as the Umbrella Roaming Client.

    Cisco Umbrella on-the-go model

    Reports, or What Can be Seen in Cisco Umbrella  

    At first glance, the Cisco Umbrella dashboard shows you data from the last 24 hours. In particular, you can see the Security Blocks chart, which shows the volume of DNS queries from your users that were blocked in the last 24 hours.

    What criteria does Umbrella use to group blocked queries?  

    • by destination, meaning location and network/subnetwork;  
    • by identity, meaning queries by specific users;  
    • by type, meaning the category of a threat. 

    What Does the Cisco Umbrella Dashboard Look Like? 

    Additionally, the Overview dashboard shows the volume of DNS queries blocked in the last 24 hours for websites spreading malware, as well as blocked attempts to reach Command and Control destinations.

    All security activity full visibility with Cisco Umbrella

      
    Umbrella Reports also show you the trends related to hazard activities and blocked queries, broken down into target domains:  

    • you can see what kind of action was taken,  
    • where did the query come from,  
    • what external address did the user have when querying for such domains,  
    • what was the result of the query, 
    • when exactly did the query take place,  
    • we can also have a look at what exactly got blocked.  

    Moreover, using the VirusTotal portal you can verify a domain that Umbrella has flagged as a malware vector and check which anti-malware engines have also classified that website as malicious.

    You can also filter or sort reports by Top Destinations, i.e. the domains with the greatest number of blocked queries, among other criteria. A domain high on that list is a candidate for being blocked elsewhere in the network as well.

    Free Cisco Umbrella Tests  

    Our experience is that in most Cisco Umbrella trials, customers decide to implement the solution before the trial is even complete. This shows how valuable the reports Cisco Umbrella presents in the dashboard are: after only a few hours of operation, customers are convinced to add the solution to their network as an extra security measure, in practice a basic front-line one.

    Test Cisco Umbrella with Grandmetric

    Author

    Marcin Biały

    Marcin Biały is a Network and Security Architect with over 14 years of experience and a Service Provider and Enterprise networking background. He has worked for large service providers, global vendors and integration services companies in Network Architect, Leading Architect and Technical Solution Manager positions. He has designed, implemented and supported dozens of large-scale projects and infrastructure migrations, solved hundreds of tickets and spent many hours with the CLI and GUI of many flavors. Marcin also holds industry-recognized certificates such as CCNP, CCNA, CCSI #35269, FCNSP #7207, FCNSA and more.
