Educause Security Discussion mailing list archives

Re: Cisco Umbrella


From: Brian Epstein <bepstein () IAS EDU>
Date: Wed, 22 Apr 2020 11:32:45 -0400

Hi Ryan,

We purchased Cisco Umbrella before Cisco purchased it under the name of OpenDNS.

In general, we've been very happy with the purchase and have seen success of it blocking malware and reducing the 
amount on our campus.  Here are some quick notes from our perspective.

1. We utilize OpenDNS Virtual Appliances for our campus.  They will separate internal DNS from external DNS and only 
query Cisco Umbrella for external queries.  This is done via an encrypted link from our campus to Umbrella.

2. We block all outbound UDP/TCP port 53 traffic from our campus, forcing our users to utilize OpenDNS.

3. At the recommendation of Cisco and our Email Gateway provider (Proofpoint), we do not utilize Cisco Umbrella for 
lookups from our email gateway.  This allows for raw DNS queries to be interpreted by Proofpoint and block based on the 
reputation engines that they have in place.  We do the same for our IDS/IPS systems and any security related system 
that needs raw DNS.

4. Our campus is an open academic campus as far as the Internet goes, so we only block known malware.  We created a 
policy within Cisco Umbrella that we called Academic Freedom which doesn't block any category of site (Social Media, 
Adult content, etc), but only blocks Malware and Newly Created Domains (this is very effective).

5. Our IT team that has access to Cisco Umbrella has been asked to ignore categorization of DNS traffic to avoid 
invasion of privacy for users.

6. We don't use the agents on computers.  If someone checks their email from a Starbucks and clicks on a phishing link, 
they will not be protected unless they are using our VPN (which does not do split tunneling).  We recommend everyone 
use our VPN when off campus.

7. When we first turned OpenDNS on, there was an upstream network glitch that caused an OpenDNS outage.  This led us 
to engineer a contingency plan in the case that Cisco Umbrella/OpenDNS went down.  We are doing this with our F5 load 
balancers and priority groups.  If OpenDNS is down, it fails to our secondary systems which bypass OpenDNS.  For our 
campus, access is paramount and we'll accept the risk in these rare circumstances of users being able to access 
malicious domains.

8. We've had very few false positives.  The ones we have gotten are usually taken care of quickly by Cisco Umbrella.  
By utilizing policy block and allow lists, we can customize the experience.  Newly created domains is sometimes an 
issue, but we have found it to block a lot of malware in practice.  For the most part, this hasn't been a big issue for 
our helpdesks.

9. We recently started logging all DNS requests and pull them into our logging environment.  We have a log file 
retention policy to ensure they are deleted in a timely manner, and the access is limited due to privacy concerns.  
However, having that log has been invaluable to determine who clicked on a phish and has allowed us to avoid phishing 
our users.  We use real phishing attempts to determine who clicked.

I hope that this has been helpful,
Thanks,
ep

-- 
Brian Epstein <bepstein () ias edu>                     +1 609-734-8179
Manager, Network and Security           Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED  C34C C0E5 244A 55CA 2B78
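Item 9 above describes pulling the DNS query logs into a logging environment, keeping them only for a limited time, and using them to find who resolved a domain seen in a real phishing attempt. The script below is an added example, not code from the message or from Cisco Umbrella; it assumes an Umbrella-like CSV layout (timestamp, identity, internal IP, action, query type, queried domain) with constructed sample lines, enforces the retention window before searching, and matches the phishing domain and its subdomains while rejecting look-alike suffixes.

```python
import csv
from datetime import datetime, timedelta, timezone
FMT = "%Y-%m-%d %H:%M:%S"
FIELDS = ["timestamp", "identity", "internal_ip", "action", "qtype", "domain"]

# Constructed sample log lines in an assumed Umbrella-like CSV layout; not real output.
SAMPLE_LOG = """\
"2020-04-21 13:50:02","lab-pc-17","10.20.4.17","Allowed","A","www.example.edu"
"2020-04-21 13:52:11","lab-pc-17","10.20.4.17","Allowed","A","login.phish-example.test"
"2020-04-21 14:03:45","office-22","10.20.9.22","Blocked","A","cdn.phish-example.test"
"2020-04-21 14:10:00","office-22","10.20.9.22","Allowed","AAAA","phish-example.test.example.org"
"2020-03-01 09:00:00","old-host","10.20.1.1","Allowed","A","phish-example.test"
"""

def parse_log(text):
    """Parse CSV log lines into dicts; timestamps become aware UTC datetimes."""
    rows = []
    for row in csv.DictReader(text.splitlines(), fieldnames=FIELDS):
        row["timestamp"] = datetime.strptime(row["timestamp"], FMT).replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows

def apply_retention(rows, now, days):
    """Drop entries older than the retention window before any search is run."""
    cutoff = now - timedelta(days=days)
    return [r for r in rows if r["timestamp"] >= cutoff]

def in_domain(qname, phish_domain):
    """Label-wise match: the domain itself or any subdomain of it, so that
    'phish-example.test.example.org' does not match 'phish-example.test'."""
    q, d = qname.lower().rstrip("."), phish_domain.lower().rstrip(".")
    return q == d or q.endswith("." + d)

def who_clicked(rows, phish_domain):
    """One tuple per (identity, internal IP) that resolved the phishing domain, with
    the earliest query time and action; a Blocked lookup still shows the link was followed."""
    first = {}
    for r in rows:
        if in_domain(r["domain"], phish_domain):
            key = (r["identity"], r["internal_ip"])
            if key not in first or r["timestamp"] < first[key]["timestamp"]:
                first[key] = r
    return sorted((k[0], k[1], v["timestamp"].isoformat(), v["action"])
                  for k, v in first.items())

def report(log_text, phish_domain, now_str, days):
    """End-to-end: parse, enforce retention, then list who looked up the domain."""
    now = datetime.strptime(now_str, FMT).replace(tzinfo=timezone.utc)
    return who_clicked(apply_retention(parse_log(log_text), now, days), phish_domain)
```

Running `report(SAMPLE_LOG, "phish-example.test", "2020-04-22 00:00:00", 30)` on the sample lists the two hosts that followed the link within the 30-day window and leaves out the expired entry.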

----- Original Message -----
From: "Ryan Conley" <rconley () URI EDU>
To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, April 21, 2020 1:47:57 PM
Subject: [SECURITY] Cisco Umbrella

Hello Everyone,

We are currently in the process of setting up a Cisco Umbrella POC. I was
curious as to who is using Umbrella and what your experience has been?
Also, how did you go about creating/testing policies for your institution?
Any information/lessons learned is much appreciated.

Thank you,

-- 
Ryan Conley
Information Security
University of Rhode Island
Surge Building Room 136
Kingston, RI
Office: 401-874-9511
rconley () uri edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
