Not too long ago, we switched to a new Internet security solution. Our previous solution was a Cisco product called Cisco Web Security, or CWS. This was a cloud proxy solution and it worked well. But, being a proxy, it had its shortcomings, with a big one being that it would rewrite all the web pages – of course, that is the nature of using a proxy-based solution. Secure sites (HTTPS) were even worse since CWS could not secure them unless it was allowed to perform man-in-the-middle style rewriting of the web page. This was an ok way of securing these sites, but it would not always work well.
I am pretty sure that Cisco recognized these shortcomings since they purchased a company to replace CWS. They bought OpenDNS, which had a unique solution to Internet security. One of the key components of the Internet is the Domain Name System, or DNS. DNS is why you can use a name (like www.itsecdef.com) and not have to know the IP address. Rather than looking at the content of the site, OpenDNS would categorize the site itself. When you request an approved site you would get the address for the site AND you would go directly to the site – no rewriting of the web page. However, when you went to a site that was either blocked by policy or identified as malicious you would not get the site’s address. Rather, you would get the address of an OpenDNS server that explains why you cannot get to the bad site. This was a really good product and Cisco made it even better by augmenting it with other solutions, including some of the CWS features. They even changed the name to Cisco Umbrella since it covers more features (umbrella, get it?).
If you have ever had the chance to migrate a company’s Internet security solution then you know it is not a fun project and has really bad outcomes when things go wrong. When someone cannot get to the company’s ERP system, they just open an incident – no real complaining since they cannot work. Alternatively, if someone cannot get to their news site or watch videos on YouTube, they can get really cranky. If it is because you messed up the Internet migration, watch out for the pitchforks. Well, this was not the case for me with Umbrella.
There were two main phases to the migration: network and client. The network migration took all of 1 hour – actually it took a lot less but I had to wait for my testers and that always starts with some initial banter. All we had to do was repoint our DNS servers to the OpenDNS IP addresses for recursive lookups. Seriously, that was it. Once that was done, all DNS lookups for Internet sites went through Umbrella. The second phase was the clients. When people are remote (and not on VPN) they are secured through the use of a module on the AnyConnect client. We used our SCCM system to upgrade the client, remove the CWS module, and add the Umbrella module. Of course, this took longer than the network migration but it was facilitated by SCCM so we could monitor the progress.
There are some other features with Umbrella to allow for securing sites based on user IDs (like Active Directory) but we did not deploy these. The main reason for this was EU data privacy regulations. If we did not know the user IDs that accessed websites then we would not know which users were going to which websites. As a security person, I was not fond of the loss of data but the EU Works Councils did not care about my feelings. As the person responsible for getting us to Umbrella, this actually made the migration quicker. To get Active Directory integration working we would have had to deploy appliances within the network to point computers to (instead of our existing DNS servers) and add an AD connector. This migration could be done by altering DHCP but that means someone has to hit every DHCP scope. For a global company, that is a good amount of manual labor.
What did I learn about Umbrella during this migration? For starters, Cisco is still working to improve the product, which includes more integrations such as with their Cloudlock service (CASB). I am planning to research these other product integrations when I get some more personal bandwidth. Additionally, using our DNS servers made the migration really easy. One thing I would mention is that you want each DNS server to point to the OpenDNS servers – do not point all the internal DNS servers to one specific internal DNS server and have it go outside. There really is no need to do this and it allows for Internet breakouts to be wherever they make sense (as long as the Internet provider allows you to use any DNS server). Finally, unlike CWS, Umbrella is able to secure more than web surfing since DNS is used for more than just the Internet. For instance, malware can utilize DNS to communicate back to a control system – unless Umbrella is there to respond with a different address. In conclusion, Umbrella is a product that works great. Your users will not thank you for switching to it but they will not grab the pitchforks either.
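To make the DNS-layer model concrete, here is a small added example (not code from Cisco, OpenDNS, or the author) that simulates the behaviour described above: an approved name resolves to its real address, a name in a category blocked by policy or categorized as malicious resolves to the block-page server instead, and a malware callback domain therefore gets a different address than the one the malware expects. The category table, the "real" addresses and the block-page address are all constructed sample data using RFC 5737 documentation ranges; the category lookup also walks up through parent domains, which goes a bit beyond the post in that a subdomain inherits its parent's category.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Constructed sample data standing in for a DNS-layer security service's
# category database. Addresses come from RFC 5737 documentation ranges.
CATEGORY_DB: Dict[str, str] = {
    "example.com": "business",
    "news.example.net": "news",
    "videos.example.org": "streaming",
    "evil.example": "malware",      # subdomains inherit this category
}

# Constructed "real" answers a plain recursive resolver would return.
REAL_ADDRESSES: Dict[str, str] = {
    "example.com": "192.0.2.10",
    "news.example.net": "192.0.2.20",
    "videos.example.org": "192.0.2.30",
    "evil.example": "198.51.100.5",
    "beacon.c2.evil.example": "198.51.100.7",
}

# Constructed address of the server that explains why a site was blocked.
BLOCK_PAGE_ADDRESS = "203.0.113.1"


@dataclass(frozen=True)
class Policy:
    """Which categories an organisation chooses to block; malicious is always blocked."""
    blocked_categories: FrozenSet[str]
    always_block_malicious: bool = True


def normalize(name: str) -> str:
    """Lower-case the name and drop a trailing dot so lookups are case-insensitive."""
    return name.lower().rstrip(".")


def categorize(name: str) -> Optional[str]:
    """Return the category for a name, checking the name and then each parent domain."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return CATEGORY_DB[candidate]
    return None


def resolve(name: str, policy: Policy) -> Tuple[str, str]:
    """Simulate a policy-enforcing resolver: return (address, verdict) for a name."""
    category = categorize(name)
    if category == "malware" and policy.always_block_malicious:
        # Malware callbacks are answered with the block-page address, not the C2 host.
        return BLOCK_PAGE_ADDRESS, "blocked: malicious"
    if category in policy.blocked_categories:
        return BLOCK_PAGE_ADDRESS, f"blocked: policy ({category})"
    address = REAL_ADDRESSES.get(normalize(name))
    if address is None:
        return "NXDOMAIN", "no such name"
    return address, f"allowed ({category or 'uncategorized'})"


if __name__ == "__main__":
    office_policy = Policy(blocked_categories=frozenset({"streaming"}))
    for query in ("example.com", "videos.example.org",
                  "beacon.c2.evil.example", "unknown.example"):
        address, verdict = resolve(query, office_policy)
        print(f"{query:28} -> {address:14} {verdict}")
```

The point of the walk-up in `categorize` is that a callback domain such as `beacon.c2.evil.example` is caught by the entry for `evil.example` without the database needing every hostname malware might generate; the client still receives a well-formed answer, just not the address it was looking for, which is also why this works for non-browser traffic.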