Cisco Umbrella

Protection and Visibility for Enterprise Networks

About me

Network and Security Architect

Cisco CCIE #38620 (R&S)

VMware VCP/Red Hat RHCE

andrea.dainese@gmail.com

www.routereflector.com

@adainese

www.linkedin.com/in/adainese

Developer (UNetLab)

VMware vExpert since 2014

Cisco Champion since 2014

> Introduction

Introduction

You cannot protect what you don't know

> Introduction

EndPoint Protection

(Content Filtering)

Secure Web Gateway vs Secure Internet Gateway

> Introduction

                    SWG                          SIG
Protection          Enterprise Networks          Everywhere
Control             Granular web* usage          Any protocol
Setup Time          Days                         Minutes
User experience     Can break some sites/apps    No latency

Cisco Umbrella

> Cisco Umbrella

Brief History

2006: OpenDNS Founded
2012: OpenDNS enters the enterprise market (Umbrella)
2015: Cisco acquires OpenDNS/Umbrella

Today

100B requests/day
85M daily users
12k Enterprise Customers

What is OpenDNS/Umbrella?

> Cisco Umbrella

The largest cloud-based DNS service

Threat prevention for

  • Homes (OpenDNS)
  • Enterprises

Protection against

> Cisco Umbrella

  • Unwanted Websites
  • Suspicious Websites
  • Advertising
  • Malware
  • Phishing Attacks
  • Newly Seen Domains (and DGA*)
  • Command and Control Callbacks
  • DNS Tunnelling VPN**

*: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

**: DNS tunnelling example (data carried in the query names):

  A      MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.example.com
  CNAME  WW2IDPOZQWY5DJNZSQ.t.example.com

Visibility

> Cisco Umbrella

  • Cloud Services
  • Malicious Activity Volume
  • Active Directory Users

A famous CryptoLocker

#WannaCry

(a brief story)

A Long Time Ago: EternalBlue by NSA

March 14th, 2017: Microsoft Security Bulletin (MS17-010)
April 15th, 2017: Shadow Brokers release

> A famous CryptoLocker

May 12th, 2017 | 07:24 UTC: #WannaCry Patient Zero

May 12th, 2017 | 07:30 UTC: @MalwareTechBlog Post

May 12th, 2017 | 07:43 UTC: Kill Switch on Umbrella

Umbrella Investigate

#WannaCry Yesterday

https://goo.gl/kDEfCv

> Umbrella Investigate

#WannaCry Today

https://goo.gl/kDEfCv

> Umbrella Investigate

Targeted Malware

> Umbrella Investigate

Architecture

Overview

Deployment Mode

  • Networks
  • Internal Networks (VA)
  • Network Devices
  • Roaming Computers

> Architecture

Networks

> Architecture

Roaming Clients

> Architecture

Availability

> Cisco Umbrella

208.67.220.220
208.67.220.222

208.67.222.220
208.67.222.222

208.67.220.0/24

208.67.222.0/24

Anycast

High Availability

> Architecture

Linux:

  • timeout 5s
  • attempts 2
  • always use the first one

Windows:

  • timeout 1s
  • attempts 1
  • use the last one for 15m

OS X:

  • timeout 1s
  • attempts 2
  • use the last one for 10m

WorkFlow

> Cisco Umbrella

  1. Wait for an incoming DNS request
  2. Identify the Customer
  3. Determine if the request is:
    • safe | whitelisted
    • malicious | blacklisted
    • risky | unknown
  4. Apply the policy
  5. Respond to the client accordingly
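The five steps above as an added Python model (example code written for this page, not Umbrella's implementation): the source address identifies the customer, the domain is classified as safe, malicious or risky (unknown or newly seen), and the customer's policy decides whether the client gets the real answer or a block-page address. Customers, lists, first-seen dates and the block-page IP are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

BLOCK_PAGE_IP = "192.0.2.1"              # constructed placeholder block-page address
NEW_DOMAIN_WINDOW = timedelta(hours=24)  # domains younger than this are "newly seen"

@dataclass
class Customer:
    name: str
    networks: list            # registered egress prefixes identifying the customer
    block_risky: bool = True  # False models the "non blocking policy" slide

# Constructed sample data (not Umbrella's real customers or lists).
CUSTOMERS = [
    Customer("acme", [ipaddress.ip_network("198.51.100.0/24")], block_risky=True),
    Customer("globex", [ipaddress.ip_network("203.0.113.0/24")], block_risky=False),
]
HOME_DEFAULT = Customer("home", [], block_risky=False)  # unregistered source IPs
WHITELIST = {"intranet.example.com"}
BLACKLIST = {"c2.bad.example"}
FIRST_SEEN = {"example.com": datetime(2000, 1, 1),        # resolver's domain history
              "newdomain.example": datetime(2017, 5, 12, 7, 24)}

def identify_customer(src_ip):
    """Step 2: map the query's source address to a registered network."""
    ip = ipaddress.ip_address(src_ip)
    for customer in CUSTOMERS:
        if any(ip in net for net in customer.networks):
            return customer
    return HOME_DEFAULT

def classify(qname, now):
    """Step 3: safe | whitelisted, malicious | blacklisted, risky | unknown."""
    if qname in WHITELIST:
        return "safe"
    if qname in BLACKLIST:
        return "malicious"
    seen = FIRST_SEEN.get(qname)
    if seen is None or now - seen < NEW_DOMAIN_WINDOW:
        return "risky"  # never seen, or newly seen (possible DGA)
    return "safe"

def handle_request(src_ip, qname, now, upstream_answer):
    """Steps 1-5: return (verdict, answer handed back to the client)."""
    customer = identify_customer(src_ip)
    verdict = classify(qname, now)
    blocked = verdict == "malicious" or (verdict == "risky" and customer.block_risky)
    return verdict, BLOCK_PAGE_IP if blocked else upstream_answer
```

Malicious domains are blocked for every source, including unregistered home users; only a customer with a blocking policy also loses access to newly seen domains.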

Know your network

> Architecture

Non-blocking policy

or

> Architecture

Multi-Layer Security

  1. DNS: Cisco Umbrella
  2. URL Filtering

> Architecture

License (per client)

  • Professional
  • Platform
  • Insights

Thank you
