Cisco Umbrella Overview and Basic Setup
What is the purpose of Cisco Umbrella
Cisco Umbrella is a tool for protecting you while browsing the internet. On an individual level it protects against Malware, Phishing Attacks, Command & Control and Ransomware. On a company level it can also assist with enforcing web browsing company policies, by blocking access to certain websites either explicitly or via categorises. For example you can block anyone in the business from accessing gambling websites.
The steps for setting up Cisco Umbrella are:
- Setup your Cisco Umbrella portal
- Set your security and content settings
- Install the Cisco DNS appliance on all sites where you have internal DNS
- Point your internal DNS to the appliance
- Roll out the Cisco Umbrella Roaming agents
Your Cisco Umbrella partner will provide an admin login, which you will use to add the relevant people in your organisation, who require the following access:
- Full Admin
- Read Only
- Block Page Bypass
- Reporting Only
Enable Two Step Verification which we recommend for every Cloud system.
Decide which region you want your logs to be stored in: North America or Germany.
Security & Content Settings
Select which of the following security defences you would like enabled:
- Malware protection – ThreatAware recommend to be on
- Newly seen domains – Default off (ThreatAware recommend switching on after a few weeks and monitoring)
- Command Control Callbacks – ThreatAware recommend to be on
- Phishing protection – ThreatAware recommend to be on
- Dynamic DNS – Default off (ThreatAware recommend switching on after a few weeks and monitoring)
- Potentially harmful domains – Default off (ThreatAware recommend switching on after a few weeks and monitoring)
- DNS Tunnelling VPN – ThreatAware recommend to be on
- Cryptomining – ThreatAware recommend to be on
Select which categories you would like to block for your organisation from the list below, ThreatAware recommend Moderate. From that point you can customise accordingly, based on your company’s web browsing policy.
Install Cisco Umbrella Appliance
The purpose of the Cisco Umbrella appliance is to ensure that your DNS requests get routed correctly and are matched against the username. This enables user and group based policies to be applied. They are only required if you have internal servers. The process is very simple, your client simply points the appliance to their DNS. If the request is external the appliance sends you to OpenDNS servers, and if the request is internal the appliance directs your request to the internal onsite DNS servers.
The installation process involves four stages:
- Download either the VMware ESXi or Microsoft Hyper-V appliance from “Sites and Active Directory” within deployments in the portal.
- Install the appliance onsite, setting the IP address, subnet and gateway.
- Run the Windows config script on all domain controllers (downloadable from “Sites and Active Directory”).
- Install and run the Window service on all domain controllers (downloadable from “Sites and Active Directory”).
ThreatAware recommend that you install two appliances per site to ensure you have resilience in case one should fail.
Point Internal DNS
To begin using the capabilities of Cisco Umbrella, update your DHCP to point all of your client’s primary and secondary DNS to the internal IP address of the new primary and secondary Cisco Umbrella appliance accordingly.
Install Cisco Umbrella Roaming Agents
To protect all of your machines whether they are in or out of the corporate network we strongly recommend you install the Cisco Umbrella roaming agent. The simplest way to do this is to utilise Webroot which comes with all versions of ThreatAware. The process is as follows:
- Login to Webroot
- Select all computers you wish to install the roaming agent on (ThreatAware recommend all)
- Select “Agent Commands/Advanced/Download and Run a Command”
- Put the following details in the prompt:
- URL: http://shared.opendns.com/roaming/enterprise/release/win/production/Setup.msi
- Command Line Options: “/qn ORG_ID=unique org id ORG_FINGERPRINT=unique org fingerprint USER_ID=unique user id HIDE_UI=1 HIDE_ARP=1″
- Ensure the machines appear in Roaming Computers in the Cisco Umbrella console. Any that are missing will need to be installed manually.
With the Cisco Umbrella agent installed on all of your machines your team can now safely browse the internet. If you have the enhanced version of ThreatAware you should also be able to easily track and monitor the health of your computers from one dashboard.