What's new in Umbrella, Cisco's Secure Internet Gateway
Jonny Noble,
Manager, CloudSec Technical Marketing
BRKSEC-2023
#CLUS
The Traditional Model
Diagram: the corporate network reaches Internet / SaaS / IaaS through MPLS and VPN; security is centralized, a single place to enforce policies and protection.
#CLUS BRKSEC-2023 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Disruption: To the cloud
Diagram: the network now reaches Internet / SaaS / IaaS directly; security is decentralized.
Resulting Security Challenges
Users and Apps Have Adopted the Cloud…
Security must too
• 49% of the workforce will be mobile1
• 82% admit to not using the VPN2
• 70% increase in SaaS usage3
• 70% of branch offices have DIA4
Security controls must shift to the cloud
Sources:
1. “Securing Portable Data and Applications for a Mobile Workforce” SANS, 2015
2. “Your Users Have Left the Perimeter. Are You Ready?” IDG, 2016
3. “Keeping SaaS Secure” Gartner, 2016
4. “Securing Direct-To-Internet Branch Offices: Cloud-Based Security Offers Flexibility and Control,” Forrester, 2015
Agenda
What's new in Umbrella, Cisco's Secure Internet Gateway
• Introduction to Umbrella SIG
• Enforcing DNS for Added Layer Protection
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• Bringing it all Together
• Summary
Session Abstract
• This session includes a look at all security services provided by Cisco Umbrella, Cisco's secure internet gateway, and illustrates the benefits enabled by cloud-delivered security with practical examples.
• The session covers the following services:
• DNS-layer with selective proxy
• Full proxy SWG
• Firewall as a service
• Cloud access security brokerage (CASB) service
• You’ll learn how Umbrella enables branch transformation, increases
security posture with leading DNS-layer (added layer) protection, allows
for secure XaaS adoption and supports customers' cloud-first strategies.
Who am I?
• I manage the Technical Marketing Engineering team for Cloud Security at Cisco,
with expertise in web security, cloud-based security, and Cisco Umbrella
• I have vast experience in customer-facing disciplines in leading global hi-tech
organizations over the last 20 years
• In the past I managed all training activities for ScanSafe within Cisco, including
defining, creating and implementing partner and customer training and certification
programs; creating and providing all training content and tools for customers,
partners, and Cisco employees world-wide (including eLearning, on-line, and “on
demand” content), and management of on-line certification exams
• I also have rich experience in presenting breakout sessions and proctoring labs at
Cisco Live events and representing Cisco at numerous other customer and partner
events, trade shows, and exhibitions
• I hold a degree in Sociology & Psychology, a Business MBA, and am CISSP certified
For Your Reference…
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Related & Overlapping Sessions
BRKSEC-2019 Risky Business: Help Reduce Risk by Gaining Visibility and Control of Cloud App Usage Thursday, 1pm
BRKSEC-2069 Meraki Integrations with the Cisco Security Architecture Thursday, 1pm
Deliver Protection Everywhere
Cisco Umbrella components (diagram):
• Cloud-delivered firewall
• Web gateway
• SaaS usage controls (CASB)
• DNS-layer security
• Correlated threat intel
Agenda
• Introduction to Umbrella SIG
• Enforcing DNS for Added Layer Protection
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• Bringing it all Together
• Summary
It all Starts with DNS
Diagram: DNS-based traffic redirection through Umbrella resolvers to the Internet, with DNS policy and selective proxy.
Where Does Umbrella Fit?
Diagram: Umbrella sits in front of endpoint AV and is port agnostic, covering HQ, branch and roaming users against malware, C2 callbacks and phishing.
DNS-layer Enforcement
A good place to start
Umbrella’s View
of the Internet
• 180B requests per day
• 90M daily active users
• 17K enterprise customers
• 160+ countries worldwide
Umbrella: In the Sweet Spot
Diagram: any device -> Umbrella recursive DNS -> authoritative DNS (root, com., domain.com.)
Statistical Models
• 4M+ live events per second
• 11B+ historical events
Model categories: guilt by inference, guilt by association, patterns of guilt
Models: co-occurrence model, IP geo-location model, secure rank model, spike rank model, sender rank model, natural language processing rank model, live DGA prediction, predictive IP space modeling
Umbrella Data Centers Co-located at Major IXPs
Umbrella Datacenters
Amsterdam, Berlin, Bucharest, Chicago, Copenhagen, Dallas, Denver, Dubai, Frankfurt, Hong Kong, Johannesburg, London, Los Angeles, Melbourne, Miami, Milan, Mumbai, New York, Palo Alto, Paris, Prague, Sao Paulo, Seattle, Singapore, Sydney, Tokyo, Toronto, Vancouver, Warsaw, Washington DC
Fast and Reliable
• 1000s of peering sessions
• Anycast IP routing
Connect to the cloud
Flexible deployment options
DNS-based deployment
Tunnel-based deployment
Connectors: AnyConnect Roaming client, ISR 1K/4K, WLAN controller, Catalyst 9K*, DNS/DHCP servers
*Future
Protecting Roaming Users
No longer the weakest link…
Agenda
• Introduction to Umbrella SIG
• Enforcing DNS for Added Layer Protection
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• Bringing it all Together
• Summary
Umbrella Web Gateway: Full Web Proxy
• Building more complete web gateway functionality in our cloud platform
• Gain deeper visibility and control of web traffic anywhere users go
• Flexibility to choose level of traffic sent to Umbrella: Selective or full proxy
• Multiple connection methods: IPSec tunnel, proxy chain, PAC files, AnyConnect client1
• O365 bypass supported via MS API2
• Further functionality to be delivered in phases as it's developed
Full web proxy capabilities (diagram): App Visibility & Control, Content Control, Full web Inspection & Blocking, File Inspection, Data Loss Prevention1
1. Future capability
2. No option yet in UI, enabled by support
Key Requirements for SWG Services
Visibility, Protection, Control (diagram; some capabilities marked Future)
Not Just an “Upgrade” of Selective Proxy
Flexible Connection Methods
• Tunnel: using IPSec
• Proxy Chain: web traffic
• PAC & AnyConnect*: for endpoints
*Future
SIG Deployment Methods
Diagram: DNS-based redirection through Umbrella resolvers (DNS policy, selective proxy); IPSec tunnel carrying web traffic to the Internet; web proxy chaining; roaming*
Deployment Methods
Proxy Chaining
  Supported methods: Transparent via WCCP; Manual upstream proxy configuration
  Requirements: Web Proxy or Secure Web Gateway with proxy capabilities (eg. Cisco WSA); Device capable of forwarding XFF header (for internal IP identity only)
  Identities: Network Identity; SAML: Username/User Group*; XFF Header: Internal IP; AD Connector: Username/User Group
PAC File
  Supported methods: Local or GPO; WPAD; Umbrella PAC file
  Requirements: Group Policy Management (Windows); Tool capable of configuring PAC setting; Custom PAC file hosting in an enterprise environment
  Identities: Network Identity; SAML: Username/User Group*; AD Connector: Username/User Group - Future
IPSec
  Supported methods: Shares the same tunnel configuration as CDFW
  Requirements: Device capable of supporting IPSec tunnel configuration (eg. ASA, CSR, ISR etc); Umbrella Certificates
  Identities: Network Identity; SAML: Username/User Group*; AD Connector: Username/User Group - Future
AnyConnect - Future
  Supported methods: TBD; Requirements: TBD; Identities: TBD
* Supported IdPs: Okta, Ping Identity, Azure AD, ADFS
Allow Specific URLs
New functionality: Destination allow lists
HTTPS Inspection
Full URL Visibility in Logs
Log Export
• Full proxy logs included in standard log export
• Exported to Cisco or customer's own S3 bucket
• Comprehensive list of supported fields
• Recommended to use log format version 4
SAML and User Provisioning
End-user authentication
Agenda
• Introduction to Umbrella SIG
• Enforcing DNS for Added Layer Protection
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• Bringing it all Together
• Summary
Use-case for Cloud Delivered Firewall
Customer Concerns: guest Wi-Fi
Cloud-delivered Firewall
Diagram: cloud-delivered firewall between the network and the Internet (some paths marked Future)
Cloud Firewall At-A-Glance
Capabilities
• L3/L4 firewall; L7 capabilities in future update
• Supported today on IPSec tunnel, future updates will include support for AnyConnect
• Outbound firewall only
Identities
• Network Tunnel used as primary identity
• SAML support will be included in future update
Infrastructure
• Multi-geo datacenter support
• Auto-DC failover
Logging and Reporting
• Firewall logs included as part of Activity Search
• Log export supported via S3
Diagram labels: Tunneling, Global coverage, Identity, Logging and reporting, Policy
Inbound vs Outbound Firewall
Inbound: VPN, Branch to branch, WAF, IDS/IPS
Outbound: Access Control, Security features, DLP, Compliance, Proxy features
Full Traffic Processing
Diagram: DNS-based redirection through Umbrella resolvers (DNS policy, selective proxy); IPSec tunnel carrying web traffic to the web proxy and all other traffic to the firewall; web proxy chaining; roaming* (Umbrella DNS*, all other traffic)
*Will be supported in the future
Firewall Policy
Order of operation is the same as with ACL
L3/L4 capabilities
CloudFW Reporting Provides Context & Filtering
IPsec Tunnel Architecture
Tunnel Definition in Umbrella Dashboard
Defined Tunnels in Dashboard
Tunnel Support
https://docs.umbrella.com/deployment-umbrella/docs/working-with-tunnels
Datacenter Headend Deployment – June 2019
10 data centers worldwide and growing
Capacity and Availability
Capacity
• 150 Mbps/tunnel currently supported with plans to increase capacity in stages
• 90% of branch locations using Viptela utilize less than 100 Mbps
• If customer needs more than 150 Mbps, multiple tunnels can be deployed
Availability
• 99.9% guaranteed uptime; hybrid
Diagram: Branch tunnels to the Primary Data Center; LAX and SJC both serve head end IP 146.67.112.2. In case of DC failure or Umbrella service issues, another DC in the same region will serve the old DC's IP address. No requirement to change Head End IP in tunnel configuration.
Failover Conditions
Device Issues
Failover Conditions
Path Issues
Failover Conditions
Datacenter (DC) Issues
• There are situations when the Umbrella service itself experiences issues
Diagram: tunnel fails over from Umbrella DC 1 to Umbrella DC 2 (steps 1, 2, 3)
Agenda
• Introduction to Umbrella SIG
• Enforcing DNS for Added Layer Protection
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• Bringing it all Together
• Summary
Policy Outcome Flow
• DNS policies are evaluated first
• Any 80/443 traffic sent to SWG (unless blocked in firewall policy)
Diagram: DNS -> CDFW -> SWG flow, with a "blocked by DNS" branch
Policy Verdicts
Scenario 1
Policies: DNS blocks domains in a Destination List; CDFW allows port 80/443
Outcome:
1. DNS policy evaluated
2. DNS returns IP of the block page
3. CDFW blocks connection
Diagram: client behind NAT -> Umbrella Cloud (DNS, CDFW, SWG) -> Internet; labels Blocked Site, Blocked Site IP, Block page IP
Scenario 2
Policies: DNS blocks domains in a Destination List; CDFW blocks a range of IPs
Outcome:
1. DNS policy evaluated
2. DNS returns IP of the block page
3. Policy evaluated by CDFW
4. CDFW blocks connection
Diagram: client behind NAT -> Umbrella Cloud (DNS, CDFW, SWG) -> Internet; labels Blocked Site, Blocked Site IP, Block page IP, CDFW block
Scenario 3
Policies: DNS allows domains in a Destination List; CDFW blocks a range of suspicious IPs, including one matching a domain in the DNS Destination List
Outcome: diagram only (client behind NAT; destination-list domain resolving to 172.2.2.2)
Scenario 4
Policies: DNS allows a Destination List, some sites matching shopping; CDFW allows all 80/443 and port 21; SWG allows/blocks shopping
Outcome: diagram only (client behind NAT; labels DEST. LIST 80/443/21 SHOPPING, 3b, 4a SWG allow)
Scenario 5: Non-HTTP Policy Verdict
Policies: DNS allows domains in a Destination List, some sites matching shopping; CDFW allows all 80/443 and port 21; SWG allows/blocks shopping
Outcome: diagram only (client behind NAT; port 21 flow ends at CDFW Allow; labels DEST. LIST 80/443/21 SHOPPING, 3b, 4a SWG allow)
Scenario 6
Policies: DNS grey list, Selective Proxy enabled; CDFW blocks a range of IPs
Outcome:
1. DNS policy evaluated
Diagram: client behind NAT
Scenario 7
Policies: DNS grey list, Application Allow: Google Drive; CDFW allows 80/443; SWG allows/blocks Google Drive (via AVC)
Outcome: diagram only (client behind NAT; label 4a SWG allow)
Policy Decision Verdicts Summary
Columns: Traffic | DNS Policy Verdict | CDFW Policy Verdict | SWG Policy Verdict | Final Verdict
HTTP
  Block | N/A | N/A | Block - DNS
  Allow | Block | N/A | Block - CDFW
  Allow | Allow | Allow/Block | Allow/Block - SWG
Selective Proxy
  Block | N/A | N/A | Block - DNS
  Allow | Block | N/A | Block - CDFW
  Allow | Allow | Allow/Block | Allow/Block - SWG
Non-HTTP
  Block | N/A | N/A | Block - DNS
  Allow | Allow/Block | N/A | Allow/Block - CDFW
Non-HTTP, Selective Proxy
  Allow/Block | N/A | N/A | (not shown)
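The evaluation order shown on the policy outcome flow slide, the policy verdict scenarios and this summary (DNS first, then the cloud-delivered firewall, then the SWG for 80/443 traffic that is proxied) modelled as an added Python example. This is not Cisco code and not the Umbrella implementation; the domain names, IP ranges, content categories and the block-page address are constructed placeholders, and the policy model is deliberately reduced to the three verdict stages the deck describes.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder: the deck only labels this "Block page IP" (192.0.2.0/24 is documentation space)
BLOCK_PAGE_IP = "192.0.2.1"


@dataclass
class Policy:
    """One Umbrella-style policy set (all values constructed for the example)."""
    dns_block_domains: set = field(default_factory=set)        # DNS destination list: block
    dns_grey_domains: set = field(default_factory=set)         # DNS grey list: allow, but selective-proxy 80/443
    cdfw_blocked_networks: list = field(default_factory=list)  # CDFW L3 block rules, CIDR strings
    cdfw_allowed_ports: set = field(default_factory=lambda: {80, 443})  # CDFW L4 allow rules
    swg_blocked_categories: set = field(default_factory=set)   # SWG content categories to block
    full_proxy: bool = False  # True: every 80/443 flow goes to the SWG; False: only grey-listed domains


@dataclass
class Request:
    domain: str
    dst_ip: str       # address the domain resolved to (constructed)
    dst_port: int
    category: str = "uncategorized"  # SWG category of the site (constructed)


@dataclass(frozen=True)
class Verdict:
    action: str       # "allow" or "block"
    decided_by: str   # "DNS", "CDFW" or "SWG", matching the "Final Verdict" column
    resolved_ip: str  # what the client's DNS lookup returned


def dns_verdict(domain, policy):
    """Step 1: DNS-layer policy. 'grey' means allowed but sent to the selective proxy."""
    if domain in policy.dns_block_domains:
        return "block"
    if domain in policy.dns_grey_domains:
        return "grey"
    return "allow"


def cdfw_verdict(ip, port, policy):
    """Step 2: cloud-delivered firewall, L3/L4 only, outbound."""
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in policy.cdfw_blocked_networks):
        return "block"
    return "allow" if port in policy.cdfw_allowed_ports else "block"


def swg_verdict(category, policy):
    """Step 3: secure web gateway, only for traffic that was actually proxied."""
    return "block" if category in policy.swg_blocked_categories else "allow"


def evaluate(req, policy):
    """DNS first, then CDFW, then SWG for proxied 80/443, as on the policy outcome flow slide."""
    dns = dns_verdict(req.domain, policy)
    if dns == "block":
        # DNS answers with the block page address, so the real site is never contacted
        return Verdict("block", "DNS", BLOCK_PAGE_IP)
    if cdfw_verdict(req.dst_ip, req.dst_port, policy) == "block":
        return Verdict("block", "CDFW", req.dst_ip)
    if req.dst_port in (80, 443) and (policy.full_proxy or dns == "grey"):
        return Verdict(swg_verdict(req.category, policy), "SWG", req.dst_ip)
    # non-HTTP traffic, or HTTP that is not proxied: the firewall allow is the final verdict
    return Verdict("allow", "CDFW", req.dst_ip)


if __name__ == "__main__":
    policy = Policy(
        dns_block_domains={"blocked.example"},
        dns_grey_domains={"grey.example"},
        cdfw_blocked_networks=["198.51.100.0/24"],
        cdfw_allowed_ports={80, 443, 21},
        swg_blocked_categories={"shopping"},
    )
    for req in (
        Request("blocked.example", "203.0.113.5", 443),
        Request("ok.example", "198.51.100.7", 443),
        Request("grey.example", "203.0.113.9", 443, "shopping"),
        Request("ok.example", "203.0.113.9", 21),
        Request("ok.example", "203.0.113.9", 22),
    ):
        print(req.domain, req.dst_port, evaluate(req, policy))
```

The `full_proxy` flag is what separates the "HTTP" rows of the summary from the "Selective Proxy" rows: under selective proxy an allowed (non-grey) domain on 443 never reaches the SWG, so a shopping site that is not grey-listed ends with a CDFW allow, whereas under full proxy the SWG category verdict is final.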
SD-WAN (Viptela) Integration
Secure direct internet access (DIA) locations
• Scale security with future SaaS/web traffic growth via minimal-touch provisioning in single dashboard
Next: Automated provisioning to Umbrella
Diagram: Data Center, MPLS, SD-WAN fabric, Branch
SaaS Usage Controls
CASB – API Access (cloud to cloud)
Protecting the enterprise's sanctioned apps
Diagram: Cisco NGFW / Umbrella connects to the sanctioned apps' public APIs
Protection against:
• Compromised accounts, anomalies, and insider threats
• Data exposures and leakages
• Compliance violations
• Overprivileged applications (via Applications Firewall)
• Mis-use of corporate credentials with third-party apps via OAuth
App Discovery & Blocking
Addressing Shadow IT
App Discovery & Blocking - Workflow
1 Identify apps in App Discovery
2 Select the "Edit app controls" link under the app
Service Status Page
https://status.umbrella.com
Now includes
• Cloud Delivered Firewall
• Tunnel Head-End
Agenda
• Introduction to Umbrella SIG
• Enforcing DNS for Added Layer Protection
• Umbrella’s Secure Web Gateway
• Cloud Delivered Firewall
• Bringing it all Together
• Summary
Fastest and most reliable cloud infrastructure
Closing Comments
Speak with your Cisco Security representative who can assist with
starting a conversation with product experts and our Products team
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
Thank you