From Zero to Protected in 15 Minutes with Cisco Umbrella

March 5th, 2020

Cisco Umbrella might just provide the fastest Mean Time to Value of just about any IT security solution on the market. That’s because you can go from entirely unprotected to enjoying the security shield of Cisco Umbrella’s DNS security platform in as little as 15 minutes. In fact, it could be even faster if your environment is already using the free, publicly accessible Cisco Umbrella DNS resolvers (208.67.220.220 & 208.67.222.222), which many administrators configure by default on domain servers and Internet edge routers.

So, let’s say you’ve gotten a trial or purchased licenses for Umbrella. What happens from there?

Activating Your Account

Initially, you will get a welcome email. If you have registered for an Umbrella trial, it will look like the image below. If you purchased your Umbrella licenses outright or signed up for monthly Umbrella service through a Managed Services Provider (like High Availability), your email may look a little different.

Click the “Activate” button in the email, and you’ll be taken to the Umbrella Dashboard portal to finish registering your account:

Create a password and hit Submit. Let’s be good security practitioners – use a unique, complex password for every website! We won’t cover it here, but you can enable your Umbrella account for 2-Factor Authentication later on – and you should! You’ll be taken to the Umbrella login page. Enter your new credentials and LOG IN.


Basic Setup

Once you’re logged in to your new account, you’ll immediately be presented with a wizard to help you get started! In Umbrella’s terms, a “Network” is a type of Identity, which is a way to identify your users and devices to Umbrella. Identities can be a public IP address range, an internal LAN subnet, an Active Directory user or group, a mobile device, or a roaming computer. The “Network” identity is basically a public IP range that DNS traffic belonging to your organization will originate from. This might be the IP address of your firewall or another IP block assigned by your ISP. You’ll want to identify the correct IP block (subnet address as well as prefix length) before proceeding.

In this wizard, you’ll set up your first Umbrella Network. Enter a label for the network (maybe it’s “Headquarters” or “Philadelphia” or whatever else – you can change it later), and then enter the public IP prefix that DNS traffic from this site will originate from. If you’re using IPv6, use the appropriate radio button in the wizard to enable those addresses as well.

When you’ve filled out the network details, click Next.


Next, Umbrella will prompt you to download the Umbrella Roaming Client for your operating system. You can do that now, or you can click Next. This blog won’t be going into the Roaming Client deployment, and you can always download it later.

And that’s it! Well, that’s it for the setup of your initial Network Identity. We have just a couple of other quick tasks to get Umbrella protecting our network. For now, click “Start Using Cisco Umbrella.”


You’ll be taken to the Umbrella Dashboard. This view shows you an overview of everything going on with your Umbrella account. Navigation is on the left-hand side.

Sending DNS Traffic to Umbrella

But wait! We aren’t protected yet! If we open a browser and go to a nefarious website like http://www.internetbadguys.com (OK, that’s actually a test site run by Umbrella, and it’s not dangerous to go to for testing!), we see that we can reach the site. Umbrella isn’t protecting us yet. 😱

What did we miss? Well, we need to actually forward all of our site’s DNS traffic up to Umbrella so it can check it against the security and content-filtering policies and respond appropriately. Now, it’s possible you’re already using the Cisco Umbrella (or OpenDNS as it used to be called) DNS servers, 208.67.222.222 and 208.67.220.220, as your upstream DNS resolvers on your router or Active Directory servers. If so, then you’re already sending your traffic to Umbrella, and just by identifying your Network in the Umbrella dashboard, you are ready to apply policy. But for this example, let’s assume we did not have the Umbrella servers as our DNS resolvers yet. This step of the configuration will vary depending on your environment. If you use AD servers for your internal DNS resolution, you will need to update them with the Umbrella DNS servers. In my test environment, I’m using a Meraki MX firewall, which conveniently has a preset for Umbrella. Just select that and save the change, and now clients in my network will be assigned the Umbrella servers as their DNS resolvers. In this case, the change won’t take effect until the next DHCP lease renewal, but if you assign an internal server like an AD server and redirect that DNS server to use Umbrella, the change is instant.


Once this change is made, trying the Umbrella test site nets us the desired result. 😎

The last step in the DNS traffic flow configuration is preventing anything on our network from side-stepping Umbrella by reaching out directly to another DNS server. This requires setting up additional outbound restrictions on your border firewall to block DNS traffic to any destination other than Umbrella. Note that this particular step may be something you want to implement gingerly, to avoid clobbering something that had a hard-coded public DNS resolver for a reason. I show the final-state configuration here, but you may need to start with a slightly more lenient policy and lock it down after some monitoring.

And that’s done! Now all DNS traffic from our environment is flowing to Cisco Umbrella, which is identifying it based on source public IP prefix and applying a DNS security policy per our Dashboard settings.

Policy Tuning

At this point, after just a couple minutes of work, we have Cisco Umbrella providing basic security protections to our network via DNS security, because the default Umbrella policy includes blocking major security threats. If we return to the Dashboard and go to the Policy configuration, we see the default policy. You can add multiple policies for differentiated treatment, but that’s future tuning.

If we click “Edit” on the Security Setting Applied area, we will see our default security policy. Clicking the Edit button within the security policy allows us to enable or disable different security categories. The default provides a baseline level of protection; enabling other categories will increase security, with a possible increase in false positives, but you can tune these based on your organization’s security posture.

After adjusting our Security policy, we can go back to the Policy overview and drill into our Content Filtering policy. Here the default is not to do any content-based blocking, but as an example, I show selecting the preconfigured “Low” level of restriction and applying it. Each of the default content presets becomes increasingly restrictive, or you can select the “Custom” option and tailor the blocking categories to your needs.
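
As an added example (not from the original post or from Cisco), the two DNS traffic flow steps above in POSIX shell: a check that a host’s resolver list points only at the Umbrella resolvers named in this article, and the border-firewall egress restriction expressed as iptables rules. The interface name `eth1`, the use of iptables in place of the Meraki MX GUI, and the sample resolv.conf with its stray 192.0.2.53 entry are assumptions.

```shell
# Added example, not from the original post: audit a resolver list against
# the two Cisco Umbrella resolvers named in the article, and print iptables
# rules for the "no side-stepping" step (only Umbrella reachable on port 53).
UMBRELLA_RESOLVERS="208.67.222.222 208.67.220.220"

# is_umbrella IP -> succeeds if IP is one of the Umbrella resolvers.
is_umbrella() {
  for r in $UMBRELLA_RESOLVERS; do
    [ "$1" = "$r" ] && return 0
  done
  return 1
}

# audit_resolvers FILE -> prints every nameserver in a resolv.conf-style
# file that is NOT an Umbrella resolver; returns 1 if any were found.
audit_resolvers() {
  leaks=0
  while read -r key value _; do
    [ "$key" = "nameserver" ] || continue   # skip search/options/comments
    if ! is_umbrella "$value"; then
      echo "$value"
      leaks=1
    fi
  done < "$1"
  return $leaks
}

# egress_rules LAN_IF -> prints iptables FORWARD rules that accept DNS only
# toward Umbrella and drop any other outbound port-53 flow from that LAN
# interface (hypothetical name; a Meraki MX expresses this in its GUI).
egress_rules() {
  for r in $UMBRELLA_RESOLVERS; do
    for proto in udp tcp; do
      echo "iptables -A FORWARD -i $1 -p $proto --dport 53 -d $r -j ACCEPT"
    done
  done
  for proto in udp tcp; do
    echo "iptables -A FORWARD -i $1 -p $proto --dport 53 -j DROP"
  done
}

# Constructed sample resolv.conf: one Umbrella resolver plus a stray
# documentation-range address (192.0.2.53) standing in for a bypass.
SAMPLE=$(mktemp)
printf 'search corp.example\nnameserver 208.67.222.222\nnameserver 192.0.2.53\n' > "$SAMPLE"

# Report leaks and, if any, show the rules that would close them.
audit_resolvers "$SAMPLE" || egress_rules eth1
```

Run against a real host’s /etc/resolv.conf, the audit lists every resolver that would let a client bypass Umbrella before the DROP rules go in, which is the monitoring the article recommends before locking the policy down.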

After saving these settings, we can head back to Dashboard Overview, and after a little while, we’ll start to see statistics populate.

Based on these values, Umbrella is doing its job, providing a baseline of DNS-based security and content filtering to our corporate network, protecting our users from phishing attacks, malware distribution, botnets, and inappropriate web content – all with about 15 minutes of work. 🥳

Wrapping Up (or Continuing On)

Now, don’t think this is the end of the road. There is a lot more you can do with Cisco Umbrella. This jumpstart just got our toes wet and helped us set up a basic level of protection and policy for our corporate LAN users. However, Umbrella can do much, much more. Just a few of the other important and valuable things you can do with Umbrella include:

  • Deploy Umbrella virtual appliances to provide better context about the origin of DNS requests within your environment and more granular DNS security policy
  • Active Directory integration for differentiated policy based on user or AD group membership
  • Deploy the Umbrella Roaming agent to protect your computers even after they disconnect from the corporate network
  • Integrate with your MDM to apply Umbrella protection to mobile devices
  • Download and deploy the Umbrella SSL Root CA certificate to allow seamless blocking of SSL-encrypted sites
  • Enable the Umbrella Intelligent Proxy to protect users transparently even when reaching a “gray” site
  • Integrate Cisco Umbrella with your SIEM platform
  • Schedule automated reports to update administrators and management about the value that Umbrella is bringing to your organization
  • Review a risk-categorized inventory of cloud-based services your organization uses and allow or block them based on corporate policy
  • Consider deploying Umbrella Secure Internet Gateway (SIG) features for cloud-based security beyond DNS, including full-time web proxy and cloud-delivered firewall services

High Availability is well-versed in all aspects of Cisco Umbrella and would be happy to help you plan out a deployment and assist with the configuration of any or all of the above features. But even if you want to get going on your own, this blog has shown you how quick and easy it is to provision your Cisco Umbrella account and get genuine security value for your business in just a few minutes.

Contact your High Availability account manager today to learn more about Umbrella, start a free trial, or discuss how we can help you better secure your network and your business.

