Have you ever wanted to learn Cisco Umbrella but never had the opportunity? Fear not because I have put together this free Cisco Umbrella course just for you. In this course, you will find a variety of written and video-based content designed this way so that you can first understand Umbrella topics theoretically before putting theory into practice with a series of videos.
I will do my best to update the course content (time dependent) but if you find this content useful, please feel free to like, share and subscribe to my YouTube channel for more great content.
Lesson 1: Welcome To The Network Wizkid Cisco Umbrella Course
Thank you for choosing to learn more about Cisco Umbrella with Network Wizkid. This course has been designed to give you all the knowledge you need in order to understand and deploy Cisco Umbrella.
Throughout this course, we will focus on Cisco Umbrella and deep dive into the features available today. This course will also include walkthrough labs to help you better understand how the theory of Cisco Umbrella is applied in live environments.
You are encouraged to apply the theoretical concepts presented in this course where possible in your own lab environment. If you have not yet started a Cisco Umbrella trail, you can do so by clicking here.
We hope that you enjoy the course and more importantly gain new and valuable skills that will help progress your career.
Lesson 2: A Brief History of Cisco Umbrella
What many people don’t know is that Cisco Umbrella was not always a Cisco product. So, before we dive into the finer details of Cisco Umbrella, let’s take a brief look at the history behind what is known as Cisco Umbrella today.
Back in July 2006, a company called OpenDNS was founded. OpenDNS started as a recursive Domain Name System (DNS) service provider with plans to provide a safer and faster Internet browsing experience for home users and businesses. As the business grew over the years, OpenDNS expanded upon its traditional DNS offerings and released a new cloud security product suite, Umbrella. Where the traditional DNS services focused on phishing protection and content filtering, Umbrella was designed to protect enterprise businesses from malware, phishing and other known attacks that were often caused as a result of visiting malicious websites.
OpenDNS continued to focus on protecting its users and in late 2012, they founded OpenDNS Security Labs. This research team was focused on threat hunting and classifying threats by applying data mining techniques, all of which would feed back into the OpenDNS security suite to provide the utmost protection for its users.
With multiple awards and a massive user base of 50 million users by 2013, OpenDNS continue to excel and in late 2013, another offering called ‘Investigate’ was launched. The purpose of investigate was to provide a platform where cybersecurity teams could investigate and gain insights into the threats that were being identified on their networks.
Fast forward to 2015, OpenDNS is acquired by Cisco for $635 million in a bid to enhance the Cisco security product portfolio. Just over one year later, Cisco rebranded the Umbrella and Investigate to Cisco Umbrella and has continued to enhance the service offerings for businesses around the world.
Now in 2023, OpenDNS continues to offer free and paid services for consumers while Cisco Umbrella is offered as a premium cloud security solution for businesses.
Lesson 3: Cisco Umbrella Overview
Today Cisco Umbrella is known as a cloud security, cloud-delivered Security-as-a-Service (SECaaS) for Secure Access Service Edge (SASE). SASE is a fairly new term coined by Gartner in 2019 as a way to define networking and security services in one unified cloud-delivered service. The need for SASE comes as traditional IT landscapes are now irrelevant as remote users and devices are now accessing applications beyond the usual organizational boundary where they were able to control who and what accesses what and when. The rise in cloud-based applications and hybrid work has called for new architectures and new ways of doing things in order to stay ahead of malicious behaviour and protect businesses from breaches.
Cisco Umbrella has come a long way from its DNS origins and now combines multiple cloud-delivered security functions under one umbrella. Throughout this course, we will dissect Cisco Umbrella so that you can get a better understanding of the capabilities that exist with the solution but it’s important to remember that DNS-layer protection is at the heart of the Cisco Umbrella solution.
Where many security services were traditionally deployed on-premises, within an organization, Cisco Umbrella has the ability to deliver a whole security stack from the cloud. This is great for organizations as this cloud-delivered SECaaS offloads hardware maintenance and responsibilities, increasing their Return on Investment (ROI) and allowing businesses to focus on what really matters; protecting their users, devices and data. There is no longer the need to worry about downtime or patch management as Cisco Umbrella is constantly updated.
Cisco Umbrella has over 40+ data centres worldwide and uses Anycast routing, allowing each data centre to identify itself with the same IP address. This means regardless of where you are, internet traffic will always take the shortest path to and from Umbrella, meaning there is no added latency. You can view a list of data centres here.
The following list is a breakdown of security services that are offered under the Cisco Umbrella solution.
- DNS Layer Security
- Interactive Threat Intelligence
- Secure Web Gateway
- Remote Browser Isolation
- Cloud-delivered Firewall with Intrusion Prevention System (IPS)
- Data Loss Prevention (DLP)
- Cloud Access Security Broker (CASB)
- Cloud Malware Detection
As you can see, Cisco Umbrella is rather powerful and to bring it all together is Cisco SecureX, a cloud-native security orchestration platform.
Throughout this course, we will focus on each of the aforementioned features from Cisco Umbrella and show you how each one functions.
Lesson 4: A First Look at the Cisco Umbrella Dashboard
Lesson 5: Cisco Umbrella Licensing
There are a number of different licensing packages that Cisco Umbrella customers can choose from depending on their business requirements. There are four distinct packages available each packaged with different features:
- DNS Security Essentials
- DNS Security Advantage
- SIG Essentials
- SIG Advantage
DNS Security Essentials is the lowest of the four licensing packages when comparing features. The DNS Security Essentials license provides DNS-layer protection by blocking threats to malicious domains using built-in intelligence from Cisco Talos or by using custom allow/block lists. The DNS-layer protection will work for on-network traffic as well as remote clients as long as they are using the Umbrella roaming client with Cisco AnyConnect or the Security Connector iOS application.
The SIG Advantage license is the highest tier and offers everything that Cisco Umbrella has to offer from DNS-layer security, Cloud-delivered firewall, right the way through to DLP and IPS in the cloud.
Cisco has a very detailed document that breaks down the differences between each license here but the important thing to remember is that DNS Security Essentials is the lowest tier and SIG Advantage is the highest tier. Therefore, when making decisions about which license to procure, always assess the business requirements first as this will allow you to make a more informed decision and select the features most suited to your organization.
Cisco also offers special licensing packages for Schools and Universities. There are two distinct packages available for educational institutes:
- DNS Security for Education
- SIG for Education
However, it is worth pointing out that educational institutes can opt for DNS Security Advantage or SIG Essentials if they were more suited to the features contained within each license. A full breakdown of the license offerings for educational use can be found here.
Lesson 6: Cisco Umbrella’s Architecture
Before we start exploring the Cisco Umbrella features, it’s important that you understand how Cisco Umbrella is built to provide exceptionally fast performance and reliability even with a multitude of security controls enabled.
We often find that user experience is impacted when security controls are put between the user and the intended application that they are trying to reach but this doesn’t hold true for Cisco Umbrella because of its global cloud architecture.
In fact, independent testing of Cisco Umbrella has shown that Umbrella actually improves the performance to Software as a Service (SaaS) applications by over 30% when compared to traffic that didn’t go through Cisco Umbrella. To understand how Cisco Umbrella is able to achieve results like this, we really need to understand its global architecture and how it works.
Cisco has data centers (DCs) globally for Cisco Umbrella deployments and each DC is located next to Internet Exchange Points (IXPs). This strategic placement means that Cisco Umbrella is best placed to peer directly with Internet Service Providers (ISPs) and Content Delivery Networks (CDNs) and Cisco does just that. With over 1000 peering partners and counting, Cisco Umbrella is able to reduce latency, increase reliability and improve round-trip time thus, increasing performance and delivering an exceptional customer experience. IXPs are physical locations where Internet Service Providers (ISPs) and Content Delivery Networks (CDNs) connect with one another, so you can think of Umbrella as having an exclusive path to IXPs. In addition, Cisco Umbrella relies on Anycast augmented routing to solidify its promise of delivering top-notch reliability. With Anycast routing, traffic is routed to what is considered to be the best data center based on the highest availability and quality at that given moment. Cisco Umbrella customers don’t need any special configuration or load balancers to get this working as it’s all part of the Umbrella service. With this architecture, Cisco Umbrella has been able to deliver DNS security services with 100% uptime since 2006.
The Cisco Umbrella architecture is based on 30,000 automated, container workloads distributed globally at scale. The compute and network components are said to be self-healing and can resolve issues and automatically scale as required, providing a flexible architecture without introducing downtime.
All Cisco Umbrella data centers meet many of the compliance requirements you would expect an organization the size of Cisco to meet when handling data at rest and data in motion. These compliance standards include ISO27001/SOC2 and GDPR requirements.
You can view the current status of Cisco Umbrella services by navigating to the Cloud Security Service Status here. Take a few moments to explore the Umbrella services and see whether they are all online as expected.
Lesson 7: AnyCast Routing Overview
We now know that the Cisco Umbrella architecture works with Anycast routing, but what is Anycast routing and how does it actually work?
Anycast routing is a technique used to route data to the nearest destination among a group of possible destinations. In other words, when a packet is sent to an anycast address, it is automatically routed to the nearest node in the network that is using that address. With Anycast routing, multiple servers, have the same IP address and so in the case of Cisco Umbrella, each Umbrella instance has the same IP address regardless of where they are located.
Anycast addresses are typically used in situations where there are multiple servers or nodes that can provide the same service, such as a content delivery network (CDN) or a Domain Name System (DNS) server. By using anycast routing, clients can connect to the nearest server, which can improve performance and reduce latency. This makes perfect sense when we think about the way Cisco Umbrella functions and how it is able to provide security services without impacting performance.
When a client sends a packet to the Anycast IP address, the packet is sent to the nearest server based on the network topology and routing protocols in use. This can be achieved using a variety of routing protocols, such as Border Gateway Protocol (BGP), which is commonly used for connecting the Internet backbone.
One important consideration when using anycast routing is that all servers using the same anycast address must provide the same service and have the same content. This is because clients will automatically connect to the nearest server, and if that server does not have the required content or service, the client may not be able to access it.
Lesson 8: Containerisation Overview
By now, you know that Cisco Umbrella makes use of something called containerization. But what is containerization? How does it work? The containerization concept may be well understood by you but for the benefit of the doubt, in this section, we will cover what containerization is so that you can better understand the Cisco Umbrella architecture.
The concept of containerization comes from the need to provide a more efficient way to deploy applications. Containerization is a process of encapsulating an application and all its dependencies into a single package known as a container. Containers are lightweight, portable, and isolated environments that can run on any operating system or cloud platform.
Traditional application deployment involved installing the application and all its dependencies on a physical or virtual machine. While the traditional approach is still a valid deployment method and one that is still widely used today, when deploying at scale, this approach can be time-consuming and error-prone. In contrast, containerization simplifies the deployment process by bundling the application and its dependencies together in a container.
Containers are built using containerization tools such as Docker, Kubernetes, and OpenShift. These tools allow developers to package their applications as containers and then deploy them on any infrastructure. Containers also enable developers to create consistent environments across different stages of the software development life cycle, from development to testing to production.
Containers have many benefits, some of which include:
- Portability: Containers can be easily moved between different environments, such as from a developer’s laptop to a testing environment or production environment.
- Consistency: Containers provide a consistent environment for applications to run, regardless of the underlying infrastructure. When we think of Cisco Umbrella and its global footprint, consistency is a key focus in being able to offer the same services at scale.
- Efficiency: Containers are lightweight and can start up quickly, making them ideal for deploying microservices or other small applications.
- Isolation: Containers provide a level of isolation that improves security and reduces the risk of conflicts between applications and dependencies.
Lesson 9: DNS Overview
Cisco Umbrella’s core function is to provide DNS-layer protection and so it’s important that we understand Domain Name Systems (DNS) and how they work. This course assumes that students have foundational networking knowledge and so this section aims to provide an overview of DNS to remind students of its core components and how DNS works when working with Cisco Umbrella.
DNS is a hierarchical naming system that translates domain names, which are easy-to-remember names such as cisco.com or networkwizkid.com, into Internet Protocol (IP) IP addresses, which are numerical identifiers used by computers to identify each other on the internet.
When you type a domain name into your web browser, your computer sends a DNS query to a DNS server, asking it to resolve the domain name into an IP address. The target DNS server then looks up the domain name in its database and returns the corresponding IP address to your computer, which is then used to establish a connection to the intended website.
The DNS system is organized into a hierarchical structure of domains, with the root domain at the top, followed by top-level domains (TLDs) like .gov, .com, .org, and .net, and then second-level domains like cisco.com or networkwizkid.com. Each domain is administered by a domain name registrar, which is responsible for managing the registration of domain names and their corresponding IP addresses.
DNS records are used to store information about domain names, such as their IP addresses (including IPv6 addresses), mail server information, and other settings such as authoritative DNS servers for specific domains.
The most common types of DNS records include:
A record: maps a domain name to an IPv4 address
AAAA record: maps a domain name to an IPv6 address
MX record: specifies the mail servers for a domain
CNAME record: creates an alias for a domain name
NS record: specifies the DNS servers for a domain
TXT record: stores additional information about a domain
DNS servers also have the ability to cache previous DNS requests to improve the performance of DNS queries; they do this by storing the results of previous queries for a certain amount of time.
DNS security is also an important aspect. Many different types of DNS-orientated attacks exist and therefore DNS security is required in order to prevent attacks like DNS spoofing, where malicious actors provide false information to DNS servers in order to redirect users to fake/malicious often to trick users and steal their information. To prevent these types of attacks, DNS Security Extensions (DNSSEC) can be used to provide digital signatures and cryptographic verification of DNS records.
To put all of this into context, let us refer back to Cisco Umbrella.
Cisco Umbrella is made up of many global recursive DNS servers.
When a user makes a request to access a website, their device sends a DNS query to a DNS resolver to resolve the domain name to an IP address. If the DNS resolver is configured to use Cisco Umbrella as its DNS service, the query is forwarded to Umbrella’s global network of recursive DNS servers for resolution.
Cisco Umbrella uses a combination of threat intelligence, machine learning, and other advanced security techniques to analyze the DNS query and determine whether the requested domain is safe or malicious. If the domain is known to be associated with malware, phishing, or other threats, Umbrella will block the request and prevent the user from accessing the site.
If the requested domain is deemed safe, before Umbrella can return the IP address for the requested website to the user’s device, it needs to first find out what that IP address is. Cisco Umbrella will do this by either finding the associated IP address in its cache if it’s a well-known website such as google.com or if the A/AAAA record is not cached then Umbrella will need to query the authoritative DNS hierarchy to receive the answer. Once the IP address is known, it is forwarded to the requester who can then establish a connection with the website and access the content.
In summary, Cisco Umbrella acts as a secure recursive DNS service that provides protection against a wide range of cyber threats by analyzing DNS requests in real-time and blocking malicious domains with the help of Talos threat intelligence before they can cause any harm.
Lesson 10: Getting Started with Cisco Umbrella Deployments
The first thing we need to do once we’ve purchased Cisco Umbrella is access the Umbrella dashboard. Each Umbrella deployment is identified by a unique Organization ID (Org ID) number. The Org ID is required when deploying Umbrella components and so administrators will find themselves referring to this when deploying Umbrella.
You can find your Umbrella Org ID by accessing your Umbrella dashboard at https://dashboard.umbrella.com. Once logged in, you will see your Org ID in the URL.
Before you start configuring your deployment, check and ensure that your organization has the correct license assigned. That you can contact the Cisco sales team if you are on the incorrect license and you find that you don’t have access to features you find that your organization requires.
Lastly, to prevent access issues to the Umbrella dashboard, we can configure additional administrators along with other role-based access controls. Default built-in roles can be used and assigned to users or custom roles can be created using the Custom Roles page.
Lesson 11: Getting Started with DNS-Layer Protection
DNS is at the heart of Cisco Umbrella and so it’s only right that we start off by looking at how we can use Umbrella to create DNS policies and protect networks.
When deploying Cisco Umbrella, one of the very first steps is to register the networks that you want to protect with Umbrella. Once configured, Umbrella will know exactly where your traffic is coming from and allow administrators to create DNS policies to further enhance the protection.
When configuring the networks that should be protected with Umbrella, it is important to ensure that the IP addresses being used are the public IP addresses. Usually, organizations will know their public IP addresses but if the intention is to protect the current network you are connected to then you could always check your public IP address by accessing your edge device that connects to your ISP or easier still, use a website such as whatsmyip.com to check your public IP address. If you’re connected to a VPN, your public IP may appear to be different.
Once you have configured the networks that you want to protect, we can then also configure devices within the network, for example, routers, switches, firewalls, endpoints etc. to use the Cisco Umbrella IP addresses for DNS lookups. These devices and endpoints can be configured with Umbrella IPv4 or IPv6 addresses.
Umbrella IP Addresses
Once all devices and endpoints have been protected with Cisco Umbrella, it is possible to verify Umbrella protection using the following website here. If you’ve configured your devices correctly, you will see a message saying ‘Welcome to Umbrella’ however, if you are not protected, an ‘Oops’ message is presented.
One additional tool that can be used to verify external DNS requests are routed through Umbrella is the following nslookup debug command: nslookup -type=txt debug.opendns.com
The aforementioned debug command returns some useful information that can be used by administrators to troubleshoot and verify Cisco Umbrella is functioning as should be. In addition, it can be used to see which Umbrella instance is preferred, which policy is being used and from which organisation.
Depending on the environment that is being protected with Cisco Umbrella, it could be quicker to make use of local DNS servers to protect all devices within the network rather than configuring each one individually. To do this we can configure the Umbrella IP addresses as forwarders on local DNS servers so that they are queried for external DNS requests.
Lesson 12: Configuring DNS Layer Protection for Networks
Lesson 13: Configuring DNS Layer Protection for Endpoints & Devices
Lesson 14: DNS Layer Protection Activity Search Summary
Lesson 15: Configuring Cisco Umbrella as Forwarders for Local DNS
Lesson 16: Getting Started with DNS Policies
Once networks and other identities have been added to Cisco Umbrella, we can create DNS policies to control access and decide whether we should inspect certain traffic. The word ‘identity’ is used in Umbrella to identify any entity that interacts and is protected by Cisco Umbrella. The available configuration settings enabled will depend on the licensing that has been purchased by the organisation however, for the purpose of this course, we will discuss all available features.
Before configuring DNS policies, it is important to first understand how the DNS policy engine works within Cisco Umbrella and so this lesson will focus on just that.
Cisco Umbrella comes with a default policy for DNS and administrators have the ability to modify the default policy to meet the needs of their organisation. The default DNS policy will always apply to all identities configured in an Umbrella deployment; this cannot be changed. In addition, Umbrella administrators can also create additional policies on top of the default DNS policy. Only user-created policies can be deleted; the default DNS policy cannot be deleted and that is because its purpose is to act as a ‘catch-all’ when no other DNS policy exists.
When multiple DNS policies exist, Umbrella will evaluate each policy from the top until an identity match is found. Once a policy has been matched, Umbrella won’t evaluate any policies below the one that was matched. If no matches are found, then the default DNS policy will always be applied because that policy is permanently set to match all identities. It is also possible to rearrange policies so that the most specific policy is evaluated first, to do this, an administrator would simply drag and drop policies to where they feel they are best placed.
Lesson 17: Adding DNS Policies
There are a number of steps to be taken when creating a new DNS policy in Cisco Umbrella. New policies are created using the policy wizard to ensure that all configuration steps have been completed before applying a new policy.
When creating a new DNS policy using the policy wizard, administrators are taken through the following stages:
- Select the level of security that should be applied to the new policy: In this first step, administrators can select whether they want to apply access control features such as content category blocking, blocking based on destinations contained in pre-configured or modified blacklists or access based on application. Threats can be blocked using Cisco’s Advanced Malware Protection by analyzing file signatures or optionally, threats can be blocked based on category. The following advanced features can also be configured:
- Intelligent Proxy: Web connections to domains deemed risky are proxied
- SSL Decryption: Encrypted web traffic over HTTPS is decrypted using the intelligent proxy and inspected before permitting access to web applications. SSL decryption, when set allows for the blocking of risky URLs
- SafeSearch: Allows SafeSearch to be enforced on supported websites such as YouTube, Google and Bing. SafeSearch automatically filters potentially harmful content, for example, adult content from being displayed even if searched for by a user
- Allow-Only Mode: With Allow-Only Mode enabled on a DNS policy, users only have access to websites that have been specifically permitted. Websites not permitted will automatically be blocked
- Logging: a feature that also always needs to be set so that administrators can see insightful information around policy matches. There are three options for logging:
- Log All Requests: Will log all DNS Requests
- Log Only Security Events: Logs requests that match a security filter or in the policy or integration only, all other requests are not logged
- Don’t Log Any Requests: Nothing is reported but events will still be logged anonymously for research and threat intelligence purposes
- What would you like to protect: this is the next step in the DNS policy creation wizard and this is where Umbrella administrators select identities that they would like this policy to apply to. For example, we may decide that we only want this specific policy to apply to a particular user group within our Active Directory or you could be more granular and specify individual users. This example would require the integration of an Identity Provider (IdP) such as Active Directory and is something we will explore a lot more later in this course.
- Security Settings: Determine which type of categories to block, for example, an Umbrella administrator might choose to block the Malware category effectively blocking malicious websites that are known to host malicious content. By default, the Default Setting is applied however, administrators can create new security settings to meet their requirements. Moreover, administrators can see which category is going to be blocked because a blue shield will appear next to each blocked category. Cisco Umbrella has a number of defined categories that give administrators the ability to quickly create policies and better protect their organization based on domains Cisco deems to be harmful.
- Integrations: this is an additional section that will appear if the Umbrella Tennent has other integrations associated with it. This section will only appear if you have integrated other products with Cisco Umbrella. Every Cisco customer who has purchased a security product will have free access to Cisco’s SecureX orchestration platform and so it is recommended that administrators integrate this platform to block additional domains gathered by local intelligence.
- Limit Content Access: Allows policies to be created to control what destination websites users are not allowed to access based on the content type. Administrators can choose to block content categories based on High, Moderate, Low or custom content category settings.
- Control Applications: Allows policies to be configured to block access to selected applications and categories of applications. It is important to note that SSL decryption needs to be enabled in order to make use of this feature.
- Apply Destination Lists: Allows policies to be created based on whitelisted and blacklisted domain filters. This policy option can be good if you choose to override any domains that otherwise might have been blocked or allowed as a result of other policy configurations. Note that when allow lists and block lists are configured, the allow list will always take precedence over the block list.
It is important to note that when we create destination lists, we can include IP addresses, URLs and FQDNs with some caveats. URLs are only supported for block lists whereas IP addresses are only supported when configuring allow lists.
- File Analysis: Using Cisco Advanced Malware Protection (AMP) administrators can inspect and block malicious files. Cisco uses a range of static and dynamic analysis methods and file reputation data to analyze and determine the outcome of each file that an Umbrella deployment sees.
- Set Block Page Settings: Allows administrators to set block pages that will appear to users if a request is blocked. The default Umbrella block page can be used or administrators can configure a custom block page in line with more specific requirements. Additionally, the policy can be configured to allow users to bypass the block page with an Umbrella-created username and password or by using a bypass code to bypass the block page. Users who can bypass a block page will need to authenticate with a set of credentials or with a bypass code before they can access the otherwise blocked content.
- Summary: The summary page contains all the information about the changes that you’ve made to the policy. It allows you to give the policy a name and if you spot any mistakes or need to make additional changes to the policy go back and edit each section rather than going back through the wizard again. Once saved, the policy is applied and is now active.
Lesson 18: DNS Policy Walkthrough
Lesson 19: Rearranging Policies in Cisco Umbrella
Lesson 20: Best Practices for DNS Policies
Cisco Umbrella makes it easy enough to create policies using the policy wizard however, there are a few additional things that can be done to get the best out of DNS policies:
- Identify your security and compliance requirements: Define what types of DNS traffic you want to block or allow based on your organization’s security policies and compliance requirements.
- Using group identities: Where possible, always try and use top-level groups to ensure that policies are applied to all users, devices and groups. Groups added to a policy should be less specific and listed below the more specific policies that are created.
- Keep it simple: Start with a small set of rules and gradually expand as needed. Avoid overly complex policies that may be difficult to manage or troubleshoot.
- Consider Roaming Device Policies: A good way of identifying and applying policies to roaming devices is by using ‘tags. Tags can be assigned to roaming devices as a way of grouping multiple roaming devices. Tags cannot be assigned to anything other than a roaming computer at the time of writing this.
- Use the default policy: The default policy blocks traffic to known malicious domains and allows traffic to known good domains. Consider customizing the policy to meet your organization’s specific needs.
- Prioritize your policies: Order your policies based on priority, so that the most important policies are evaluated first.
- Test your policies: Before deploying policies in a production environment, test them in a lab or staging environment to ensure they function as expected.
- Monitor and tune policies: Continuously monitor and adjust your policies to ensure they are effective and meet your organization’s changing needs.
- Document your policies: Document your policies and keep them up-to-date. This will help ensure consistency and facilitate troubleshooting.
Lesson 21: Troubleshooting Cisco Umbrella DNS Polices
As a Cisco Umbrella administrator, there will come a time when you need to troubleshoot issues that could be related to configured DNS policies.
Here are a few things that we can do to help resolve issues related to DNS policy configuration:
- Verify that the correct DNS policies have been applied to the correct networks or devices. Check the network or device settings in the Umbrella dashboard to ensure that the DNS policy is enabled.
- Check that the correct security settings are in place for the DNS policy. Verify that the settings match the security requirements of the network or device.
- Verify that DNS queries are being forwarded to Umbrella. Check the DNS server settings on the network or device to ensure that they are configured to forward DNS queries to Umbrella.
- Check the logs in the Umbrella dashboard to identify any issues with DNS queries. Look for any patterns in the logs that may indicate a problem with the DNS policy.
- Check the Umbrella dashboard to ensure that the DNS policy is not being overridden by another policy. Verify that the DNS policy is the highest priority policy.
- There is a handy tool within the Cisco Umbrella DNS Policy section called Policy Tester. This allows Umbrella administrators to specify identities and their intended destination to see which DNS policy would be matched.
- Check the Umbrella dashboard to ensure that the DNS policy is not being blocked by an allowlist or blocklist. Verify that the domain is not on any allowlist or blocklist.
- Check the Umbrella dashboard to ensure that the correct DNS policy is applied to the correct IP address range. Verify that the IP address range matches the network or device.
- Check the Umbrella dashboard to ensure that the DNS policy is not being impacted by a configuration error. Verify that the configuration settings are correct.
- Check with the Umbrella support team to identify any known issues with DNS policies. Ask for assistance if you are unable to resolve the issue on your own.
- The support team will more than likely ask for diagnostic information to help them find the problem. Umbrella administrators can download the Umbrella Diagnostic Tool here and follow the instructions required to share any information with the Umbrella support team.
- Perform a packet capture to identify any issues with DNS queries. Analyze the packet capture to identify any issues with the DNS policy or the network configuration.
- Check the diagnostic information presented on the Umbrella block page. This information can be used to identify the policy that has been matched. In an upcoming lab walkthrough, we will see how we can use the diagnostic information to further troubleshoot within Cisco Umbrella.
- If a specific machine or user is experiencing problems, the following nslookup command that we’ve already covered can also be used:
nslookup -type =txt debug.opendns.com
- You can verify that a machine is protected by Umbrella and gather additional diagnostic information, similar to the information output when using the aforementioned nslookup command by navigating to a web browser and entering the following URL: www.policy-debug.checkumbrella.com
Lesson 22: Bypass Codes and Users
Lesson 23: DNS Policy Tester
Lesson 24: Cisco Umbrella Diagnostics Information
Lesson 25: Cisco Umbrella Diagnostics Tools
Lesson 26: What are Virtual Appliances?
Cisco Umbrella Virtual Appliances (VAs) are a type of software appliance that provides security and DNS-layer protection for networks by forwarding external DNS requests to the Umbrella cloud and internal domain requests to local DNS servers. These virtual appliances are deployed on virtual machines (VMs) and require at least one virtual CPU (vCPU), 512MB of RAM and 7GB of storage space. The virtual appliances can be deployed on hypervisors such as VMware ESXi, Microsoft Hyper-V, and KVM or in cloud environments like Microsoft Azure, Google Cloud or Amazon Web Services (AWS).
The VAs act as conditional forwarders by sending DNS requests from devices on the network and filtering external requests based on the policies configured in the Cisco Umbrella dashboard. Local requests will be passed to internal DNS servers to complete each request. The VAs don’t cache DNS records nor do they add additional latency to an environment and multiple VAs can be configured to handle DNS requests.
The benefit of deploying VAs is to gather additional information such as the requester’s internal IP address. Recall in previous lessons when we discussed the information Umbrella can see when pointing our devices to Umbrella and when adding our public IP as a network; all traffic appears to be from one identity (public IP). When DNS requests are forwarded to the Cisco Umbrella cloud from a VA, each DNS request is encrypted and authenticated using DNS security. Organizations can benefit further from using VAs if they have an Active Directory (AD) presence as VAs can be integrated with AD to gather and report the identity of each user that makes DNS requests. This information can then be used to create more specific policies within Umbrella and track down any malicious behavior from individual users.
To deploy Cisco Umbrella Virtual Appliances, you need to follow these steps:
- Determine the appropriate virtual appliance model for your network size and requirements
- Choose a hypervisor platform and ensure that it is supported by Cisco Umbrella
- Download the virtual appliance OVA file from the Cisco Umbrella portal
- Deploy the virtual appliance on the hypervisor
- Configure the virtual appliance with the appropriate settings and connect it to the Cisco Umbrella dashboard
- Once the virtual appliance is deployed and configured, it will start intercepting DNS requests and filtering them based on the policies configured in the Cisco Umbrella dashboard. The virtual appliance can be managed and monitored through the same dashboard as other Cisco Umbrella products, providing a unified view of network security
Lesson 27: How Umbrella Manages Internal Domains
Umbrella will automatically forward any RFC 1918 addresses to your local DNS server as these are considered non-routable addresses and therefore must be passed to the local DNS server to be resolved. If an organization has internal domains other than .local then Umbrella will need to know about these domains so that it knows where to forward DNS requests. Take the following example:
Network Wizkid Corporation uses FQDN wizkidworld.com internally and therefore DNS requests should be routed to the local DNS server and not externally. Cisco Umbrella can be configured with all applicable internal domains for an organization. We will see how this can be configured in an upcoming lab walkthrough.
Lesson 28: VA Deployment on VMWare ESXi
Lesson 29: Configuring the VA
Lesson 30: Exploring DNS Requests Sent to the VA
Lesson 31: Configuring & Exploring Domain Management Behaviour
Lesson 32: VA Integration with Active Directory
Active Directory (AD) integration with Cisco Umbrella Virtual Appliances (VAs) is a feature that allows organizations to enforce security policies based on user identity and group membership.
Active Directory is an Identity and Access Management (IAM) directory service that stores information about users, groups, and devices on a network. By integrating AD with Cisco Umbrella VAs, organizations can use AD as the source of truth for user and group information, and apply policy rules based on that information.
When AD integration is enabled, Cisco Umbrella VAs can query AD to get information about users and groups. This information is then used to enforce security policies, such as blocking or allowing access to specific websites or applications based on a user’s group membership or more specifically, the user.
For example, if an organization has a policy that prohibits access to social media sites during working hours, it can use AD integration with Cisco Umbrella VAs to enforce that policy. When a user attempts to access a social media site, the request is sent to the Cisco Umbrella VA, which checks the user’s group membership in AD. If the user is a member of a group that is allowed access to social media sites, the request is allowed. If not, the request is blocked.
Overall, AD integration with Cisco Umbrella VAs helps organizations to enhance their security posture by leveraging user and group information from AD to enforce security policies across their network.
To integrate Umbrella VAs with Active Directory three components are required; the Windows AD Connector, a Windows script file for the domain controller and network access to Umbrella.
The Windows AD Connector is a tool used to integrate Active Directory (AD) with various third-party applications and services, that being Umbrella in this instance. The connector allows organizations to synchronize user and group information between their AD environment and other applications or services, ensuring consistency across systems.
The Windows AD Connector can be used to integrate AD with a variety of applications and services, including cloud-based services and on-premises applications. When using the AD connector with Umbrella, information about AD users is synced with a VA so that when a user performs a DNS query for a website, that information is matched to the user and IP address. As an additional security mechanism and to stop unauthorized individuals from trying to look at the synchronized data, all usernames are hashed and therefore only Umbrella will be able to correlate the hash to the user. The connector cannot be installed on a server that is operating as a core, or in other words with non-GUI features. A connector account is also required; think of this as a service account. This account must be a member of the Enterprise Read-Only Domain Controllers and Event Log Readers and the password for the account must be set to never expire. Lastly, special characters such as quotations, backslashes, colons or chevrons cannot be used within the password. The AD connector can be installed on the domain controller but it is recommended that services are separated, therefore, installation of the AD connector should be done on a server other than the domain controller. Before deciding which server to install the AD connector on, you must ensure that the server meets the following requirements:
- Windows Server 2012 +
- The Windows server has the latest service packs
- The Windows server has .NET framework 4.5 or above
- Once the AD Connector is installed, Anti-Virus software must allow the OpenDNSAuditClient.exe and OpenDNSAuditService.exe processes
The Windows script file is a .wsf script that is run on the domain controller to register it to the Umbrella cloud so that Umbrella can determine when a user has logged onto or off of their account. Once downloaded, the script will be run from the command line or PowerShell with administrator privileges. If using the command line, the following command without ‘<’ ‘>’ is used to run the script:
Lastly, the server configured with the AD connector will need to have outbound access to the Internet. Firewall rules should allow for TCP 443 and TCP 80 from the connector server. If the organization is using a proxy for outbound access, ports 443 and 80 should be excluded from the proxy and no authentication should be required.
Lesson 33: Umbrella Reporting with VA and AD Integration
Lesson 34: What are Roaming Computers
A roaming computer is essentially a device that is used to access internal and external company resources from a network other than the corporate network. It is a fundamental practice to secure roaming devices, including mobile devices that are used to access company resources. In the context of Umbrella, roaming devices can be protected a number of ways with Umbrella to protect against the endless number of cyber threats that exist today.
In this section, we will explore the different ways Umbrella can be used to protect roaming devices when not on a corporate network.
Lesson 35: The Umbrella Roaming Client
One way we can protect roaming computers is by using the Umbrella Roaming Client.
The Umbrella Roaming Client is a lightweight software agent that provides off-network endpoint protection for Windows and Mac OS devices. It is a component of the Cisco Umbrella security platform, which offers cloud-based security services to protect against advanced threats, malware, and other types of attacks. The Umbrella Roaming Client can make use of the intelligent proxy policies configured within an Umbrella deployment; more on the intelligent proxy later in the course.
The Umbrella Roaming Client is designed to provide protection to devices that are outside of the organization’s network perimeter, such as remote or mobile devices. It provides a layer of security that can protect these devices from internet-based threats, even when they are not connected to the corporate network. The client works by establishing a secure connection to the Umbrella security cloud, which enables it to apply security policies and enforce other policy configurations from an Umbrella instance.
When installed on a Windows machine, the roaming client acts as an exclusive DNS server for that machine by binding to the IPv4 loopback address (127.0.0.1) for port 53 and also the IPv6 loopback address (::1) for port 53. Once installed, all DNS requests will be handled by the Umbrella Roaming Client and the relevant policies will be applied as though the device was connected to the corporate network. As with all DNS requests that are protected with Umbrella, each request from the roaming computer is encrypted and authenticated too. If the Roaming Client is disconnected for any reason, the previous DNS settings used by the computer will be restored from the resolv.conf cache to prevent any connection issues. When internal domains are configured via Domain Management in Umbrella, DNS requests for those internal domains are sent to the local DNS server providing you can reach the network. Therefore, any of these requests won’t be captured in the Umbrella logs.
End of Life (EoL) Notice
Lesson 36: Protecting Computers with the Umbrella Roaming Client
The process of installing the Umbrella Roaming Client is an easy one. The client is downloaded from your Umbrella tenant and then manually unpacked and installed on a Windows or Mac device. For larger deployments, it is possible to deploy the client using management software such as Group Policy Objects (GPO) for Windows or by using other software deployment tools for Windows or Apple machines.
To make the installation more discreet, additional parameters such as hiding the Umbrella client in the Windows tray or removing the ability for users to see the program and uninstall it can be configured after the Umbrella client has been downloaded. We will take a look at some of the options in an upcoming lab walkthrough.
In addition to protecting roaming computers, the Umbrella Roaming Client can also be used to protect computers while connected to the corporate network too. This is useful when organizations choose not to deploy VAs.
Lesson 37: Umbrella Client Installation
Lesson 38: Exploring DNS Requests from External Clients with the Umbrella Roaming Client Configured
Lesson 39: Umbrella Roaming with the Cisco Secure Client (formally Cisco AnyConnect)
Another way of protecting roaming computers is by using the Umbrella Roaming Security Module for Cisco AnyConnect. Part of the Cisco AnyConnect client, this is a great alternative to the standalone Umbrella Roaming Module, especially if your organization are already making use of other AnyConnect modules. Many of the Umbrella capabilities discussed in the previous Umbrella Roaming Client lessons can be achieved with the Umbrella Roaming Security Module for Cisco AnyConnect too. This means organizations that choose to make use of the Umbrella module for AnyConnect are able to apply DNS-layer protection to roaming computers.
One important thing to point out is the behaviour of the Umbrella Roaming Security Module for Cisco AnyConnect when connected to a network with VAs. The Umbrella module will disable itself and use the DNS settings of the VAs. Once the computer moves off of a network where VAs are configured, the Umbrella module will resume.
Cisco recommends that the organizations use the Umbrella Roaming Security Module for Cisco AnyConnect over the standalone Umbrella Roaming Client as this enforces kernel driver DNS redirection which means all DNS lookups are sent to the local system resolvers and they cannot bypass DNS security. Furthermore, Cisco AnyConnect has reached End-of-Life (EoL) and will not be supported in the foreseeable future. Therefore, AnyConnect users and those thinking of deploying AnyConnect should consider the new Cisco Secure Client (Formally AnyConnect Client). In an upcoming lesson, we will take a look at the new Cisco Secure Client and how we can achieve the same thing with respect to the deployment of the Umbrella module.
Lesson 40: Installing and Configuring Umbrella Roaming with the Cisco Secure Client
Lesson 41: Protecting Mobile Devices
To account for the rise in mobile devices, Cisco developed a way to protect mobile devices with Cisco Umbrella. The Cisco Security Connector application was developed to extend Umbrella protection to iOS devices and the Cisco Secure Client for mobile was enhanced to allow for Umbrella protection on Android devices.
The Cisco Security Connector application for iOS works by redirecting all internet traffic from your device through a secure tunnel to the Umbrella cloud platform. This gives organizations the ability to apply Umbrella policies on mobile devices and protect against any potential threats. DNS traffic is inspected and users are protected from malicious sites. On Android devices, the Cisco Secure Client for mobiles adds the same level of protection but for Android devices. In addition, mobile devices can be managed or unmanaged, giving organizations the flexibility to enforce Umbrella policies on any iOS or Android device.
The Cisco Security Connector is easy to install and use on iOS and Android devices. It can be deployed using a number of supported mobile device management (MDM) solutions or manually installed by end-users. Once installed, the app provides seamless protection without impacting device performance or battery life. The same applies to deployment to Android devices.
The supported MDM solutions for iOS at the time of creating this content are:
- Meraki System Manager (SM) with API access enabled.
- Apple Configurator 2.5+
- IBM MaaS360
- Microsoft Intune
- MobileIron Enterprise Mobility Management (EMM) On-Prem and Cloud versions 9.4+
- Workspace ONE
The supported MDM solutions for Android at the time of creating this content are:
- VMWare WorkspaceOne (Airwatch)
- Microsoft InTune
- Samsung Knox
- Google Admin Console (Google Workspace)
In addition, iOS devices must be managed by an MDM system that uses Apple School Manager or Apple Business Manager. Generic MDM solutions may be used but the success results may vary and won’t have necessarily been tested by Cisco therefore, organizations should focus on using supported MDM solutions only. Other prerequisites exist that are beyond the scope of this course.
Overall, the Cisco Umbrella Security Connector is a powerful security solution that helps to protect iOS and Android devices from internet-based threats and provides administrators with the tools they need to manage and enforce security policies on managed devices.
Lesson 42: Secure Internet Gateway (SIG) Overview
DNS layer security is great and we’ve already seen the great things that Cisco Umbrella can do with DNS. However, with the shift in the way that people now work (remote, hybrid), organisations need to ensure that their infrastructure can support these new ways of working while still maintaining security regardless of where a user is located. Moreover, dispersed organisations would need to purchase many of the same security solutions to fulfil security requirements at each location. Some organisations found a way around this by mandating that all traffic from branch sites be backhauled to a central point (typically HQ) where they would be then subject to security controls. The problem with this method is that it created bottlenecks across network infrastructure and added more complexity.
Umbrella SIG is a security offering that aims to address these issues and more. SIG encompasses many cloud-delivered security solutions that traditionally would be situated physically within an organisation. The cloud-delivered security solutions are unified and all covered under the Umbrella SIG offering.
Today SIG offers the following features:
- Secure Web Gateway (SWG)
- Cloud Access Security Broker (CASB)
- Cloud-delivered Firewall with Intrusion Prevention System (IPS)
- Data Loss Prevention (DLP)
- Remote Browser Isolation (RBI)
- DNS-Layer Security
Getting started with SIG is straight-forward:
- Confirm your Umbrella license entitlement
- Register your network (Public IP/s) in the Umbrella dashboard
- Update your device DNS settings to point to Umbrella DNS IP addresses
- Configure your Umbrella policies (DNS, Firewall, Web and/or DLP policies)
Now, although the aforementioned steps appear to be simple enough, we need to understand whether the enablement of SIG features requires prerequisites or introduces implications that an Umbrella administrator should be aware of.
One key callout worth mentioning is the use of reserved IP addresses. That is because by default when using SIG features to access your intended services, all public IP traffic will appear to come from a range of SIG IP addresses. Cisco has documented the following as SIG IP address ranges:
Cisco recommends that you make the necessary provisions to ensure that these IP addresses are permitted for services you need to access. Moreover, organisations may be able to reserve a single IP address for their web traffic; the reserved IP address isn’t shared with other SIG customers. Although this might appear to be the better of the two options, reserved IP addresses come with their own set of requirements:
- Only available for SIG customers that connect to the Umbrella data centre through an IPsec tunnel
- Cisco requires that a minimum of two IP addresses are reserved to allow organisations to fallback to the second IP address should there be any issues with the first IP address
- SIG customers will need to specify their intended data centre locations to which they intend to forward their traffic. Once specified, the IP addresses are reserved and they cannot be moved to different data centres
Speaking about data centre (DC) locations, organisations should be aware that the Secure Web Gateway (SWG) and the Cloud-Delivered Firewall (CDFW) may not be simultaneously supported in some DC locations. At the time of creating this content, the following locations only support the SWG.
- Chicago, IL, US
- Reston, VA, US
- Amsterdam, NL
- Dublin, IE
- Marseille, FR
- Dubai, AE
- Osaka, JP
- Tokyo 2, JP
Please consult the Cisco Umbrella documentation for updates and more information about the support for the SWG and CDFW at each data centre.
We will cover each SIG feature in more detail in upcoming lessons but the important thing to remember about SIG is that it can deliver cloud-based security without impacting performance or introducing latency. Furthermore, not all SIG features must be enabled at once; customers have the option to implement the features that matter most to them and then scale with additional features as their requirements change.