Secure Internet Gateway – Cisco Umbrella

As traffic patterns shift to a decentralized model, there needs to be a way to secure traffic to the cloud.

Today we will be talking about the Secure Internet Gateway (SIG), Umbrella, formerly OpenDNS.

Umbrella is a recursive DNS service: it resolves DNS queries. Almost everything starts by making a DNS request.

The process of a recursive DNS lookup is pretty straightforward. Let's walk through the process.

  1. A user opens a web browser and types in
  2. Umbrella, the recursive DNS service, queries a root server. The root server only knows the IP addresses of the top-level domain (TLD) servers, e.g. .com and .net. The root server replies to Umbrella: “I’m not sure, but here is the IP for the .com server, ask them.”
  3. Umbrella queries the TLD server (.com). The TLD server stores information on the authoritative name servers for domains that end in .com. The TLD server replies to Umbrella: “I’m not sure, but here is the IP for the authoritative name server, ask them.”
  4. Umbrella now has the IP address of the authoritative name server for, so Umbrella asks Amazon’s authoritative name server for the IP address of the Amazon website.
  5. Amazon replies with the IP of its website. Umbrella returns the answer to your browser.

There are three scenarios when resolving DNS with Umbrella.

  • Safe – Determined to be a safe DNS request. Umbrella returns the normal IP-to-URL mapping.
  • Block – Determined to be an unsafe/malicious DNS request, so the request is blocked and the client is sent to a block page. The block page is configured by an administrator.
  • Inspect – Determined to be a risky DNS request. Sites such as peer-to-peer hosting could be considered risky. In this scenario Umbrella returns the IP address of the Umbrella proxy so that the site can be inspected.

The Inspect scenario is where Umbrella gets interesting, because proxies are now involved. Instead of seeing only the domain portion of a URL, the proxies inspect the entire URL and the web content. They leverage AV definitions, AMP and Talos to determine the site's reputation and content.
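To make the walkthrough and the three verdicts concrete, here is an added example (not Cisco's code and not part of the original post) that models the referral chain root → TLD → authoritative name server in memory, puts an Umbrella-style safe/block/inspect decision in front of it, and shows what the inspection proxy can see that DNS alone cannot: the full URL path. Every zone record, IP address, verdict and "AV definition" below is constructed for illustration.

```python
"""Toy Umbrella-style resolver with a safe/block/inspect verdict layer.

Added example, not Cisco's code. The zone data, verdict table, IP addresses
and proxy content rules below are all constructed for illustration.
"""

# Constructed zone data. Each tier knows only what the walkthrough says it knows.
ROOT_SERVER = {"com.": "192.0.2.10"}                          # root: IPs of TLD servers only
TLD_SERVERS = {"192.0.2.10": {"example.com.": "192.0.2.20"}}  # .com: authoritative NS per zone
AUTH_SERVERS = {                                              # authoritative: the real A records
    "192.0.2.20": {
        "www.example.com.": "198.51.100.7",
        "share.example.com.": "198.51.100.8",
        "malware.example.com.": "198.51.100.9",
    }
}

# Constructed verdict table (stand-in for Umbrella's models); anything not listed is "safe".
VERDICTS = {"malware.example.com.": "block", "share.example.com.": "inspect"}
BLOCK_PAGE_IP = "203.0.113.1"   # constructed: where blocked clients land
PROXY_IP = "203.0.113.2"        # constructed: the inspection proxy

# Constructed "AV definition": the proxy sees the full URL, so it can act on the path.
RISKY_PATH_SUFFIXES = (".exe", ".scr")


def normalize(name):
    """Lower-case the name and make it fully qualified (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def walk_referrals(qname):
    """Iterative resolution root -> TLD -> authoritative, as in the walkthrough.

    Returns (ip, trace); trace lists each referral hop in order."""
    qname = normalize(qname)
    labels = qname.rstrip(".").split(".")
    tld = labels[-1] + "."
    apex = ".".join(labels[-2:]) + "."
    trace = []

    tld_ip = ROOT_SERVER.get(tld)
    if tld_ip is None:
        raise LookupError(f"root has no referral for {tld}")
    trace.append(f"root -> {tld} server at {tld_ip}")

    ns_ip = TLD_SERVERS[tld_ip].get(apex)
    if ns_ip is None:
        raise LookupError(f"{tld} server has no referral for {apex}")
    trace.append(f"{tld} -> authoritative NS for {apex} at {ns_ip}")

    ip = AUTH_SERVERS[ns_ip].get(qname)
    if ip is None:
        raise LookupError(f"authoritative NS has no record for {qname}")
    trace.append(f"authoritative -> {qname} is {ip}")
    return ip, trace


def umbrella_resolve(qname):
    """Apply the safe/block/inspect decision before (or instead of) the normal answer."""
    qname = normalize(qname)
    verdict = VERDICTS.get(qname, "safe")
    if verdict == "block":
        # The client is steered to the administrator-configured block page.
        return {"verdict": "block", "ip": BLOCK_PAGE_IP, "trace": []}
    if verdict == "inspect":
        # The client gets the proxy's address; the proxy will see the full URL.
        return {"verdict": "inspect", "ip": PROXY_IP, "trace": []}
    ip, trace = walk_referrals(qname)
    return {"verdict": "safe", "ip": ip, "trace": trace}


def proxy_inspect(url):
    """What the proxy can do that DNS cannot: judge the whole URL, not just the host."""
    _scheme, _, rest = url.partition("://")
    host, _, path = rest.partition("/")
    decision = "block" if path.lower().endswith(RISKY_PATH_SUFFIXES) else "allow"
    return {"host": normalize(host), "path": "/" + path, "decision": decision}


if __name__ == "__main__":
    for name in ("www.example.com", "share.example.com", "malware.example.com"):
        print(name, umbrella_resolve(name))
    print(proxy_inspect("http://share.example.com/files/update.exe"))
```

The point to notice is in the "inspect" branch: the DNS answer carries no information about the path the browser will request, so the only place a path-level rule can be applied is the proxy the client was steered to.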

How does Umbrella determine whether a site is malicious or non-malicious?

This classification is performed by algorithms known as “models” that monitor request patterns, malicious traffic and abnormal behavior. The combined output from multiple models determines whether a domain is classified as malicious or non-malicious.

Some of these models:

  • Co-occurrence model
  • Spike rank model
  • Predictive IP space monitoring

Umbrella Investigate is a built-in capability that gives you offensive tools when responding to security incidents.


Investigate provides real-time intelligence on domains and IPs across the Internet to help uncover anomalies and pinpoint malicious domains and IPs. The intelligence is accessed through the web console or an API, so you can integrate Investigate with your existing security infrastructure.


How do you use Umbrella?

Simply point your DNS to the Umbrella DNS servers. You can do this in several ways:

  • DHCP
  • ISR 4K running version 16.6.1: any traffic passing through the router will use Umbrella
  • Meraki MR: generate an API key through the Meraki Dashboard and integrate it into the Meraki MR
  • Out-of-the-box integration with Viptela vEdge
  • Cisco AnyConnect (roaming devices)
    • AnyConnect Umbrella Roaming module
    • If not using AnyConnect, install the standalone roaming client

If your clients use the AnyConnect Umbrella module, DNS is intercepted by the kernel driver sitting at the network adapter. This is the same mechanism AnyConnect uses for VPN.


If your clients use the roaming client, all DNS requests from any running application are pointed to and then handled by the roaming client.
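Whichever of the methods above pushes the resolver setting, the practical check is whether the client ended up with Umbrella, and only Umbrella, as its resolvers: a stale secondary resolver left in the configuration is a path around the policy. The following added example (not Cisco's code and not from the original post) parses a resolv.conf-style configuration and flags that case. The resolver addresses in UMBRELLA_RESOLVERS are the publicly documented OpenDNS/Umbrella IPv4 anycast addresses; confirm them against the Umbrella documentation for your deployment. The sample configurations are constructed.

```python
"""Check that a client's resolver configuration actually points at Umbrella.

Added example, not Cisco's code. UMBRELLA_RESOLVERS holds the publicly
documented OpenDNS/Umbrella IPv4 anycast resolver addresses (verify against
the Umbrella documentation). The resolv.conf samples are constructed.
"""
import ipaddress

UMBRELLA_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed sample: what DHCP option 6 should leave behind on a managed client.
GOOD_CONF = """# constructed sample pushed by DHCP
nameserver 208.67.222.222
nameserver 208.67.220.220
search corp.example
"""

# Constructed sample: Umbrella first, but a leftover internal resolver as fallback.
MIXED_CONF = """nameserver 208.67.222.222
nameserver 192.0.2.53   ; constructed: stale internal resolver
"""


def parse_nameservers(resolv_conf_text):
    """Return nameserver addresses from resolv.conf-style text.

    Comments (# or ;) are stripped; malformed addresses are skipped, not fatal."""
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def check_umbrella(resolv_conf_text):
    """Classify a resolver configuration.

    'ok'      : every nameserver is an Umbrella resolver
    'leak'    : an Umbrella resolver is present but so is a non-Umbrella one,
                so queries can reach a resolver that applies no Umbrella policy
    'missing' : no Umbrella resolver at all
    'empty'   : no usable nameserver lines
    """
    servers = parse_nameservers(resolv_conf_text)
    umbrella = [s for s in servers if s in UMBRELLA_RESOLVERS]
    others = [s for s in servers if s not in UMBRELLA_RESOLVERS]
    if not servers:
        status = "empty"
    elif not umbrella:
        status = "missing"
    elif others:
        status = "leak"
    else:
        status = "ok"
    return {"status": status, "umbrella": umbrella, "others": others}


if __name__ == "__main__":
    print("good :", check_umbrella(GOOD_CONF))
    print("mixed:", check_umbrella(MIXED_CONF))
```

On a real host, read the file instead of the embedded samples (for example `check_umbrella(open("/etc/resolv.conf").read())`); the "leak" status is the one worth alerting on, because resolvers are tried in order and a client will silently fall back to the non-Umbrella entry when the first one does not answer.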

Where are the Umbrella DNS servers located?

The Umbrella data centers are co-located at major IXPs, which enables best-path selection across the Internet via BGP. Anycast routing is used to provide reliability for the DNS resolvers without adding latency: it sends your traffic to the closest data center and provides redundancy.

You can view the location of the data centers and the status of Cisco Umbrella systems through this link.

Data Center Locations

For more information, see the documentation page: Umbrella Documentation