Educause Security Discussion mailing list archives
Re: Cisco Umbrella
From: Brian Epstein <bepstein () IAS EDU>
Date: Wed, 22 Apr 2020 11:32:45 -0400
Hi Ryan,

We purchased Cisco Umbrella before Cisco purchased it, under the name of OpenDNS. In general, we've been very happy with the purchase and have seen success with it blocking malware and reducing the amount on our campus. Here are some quick notes from our perspective.

1. We utilize OpenDNS Virtual Appliances for our campus. They will separate internal DNS from external DNS and only query Cisco Umbrella for external queries. This is done via an encrypted link from our campus to Umbrella.

2. We block all outbound UDP/TCP port 53 traffic from our campus, forcing our users to utilize OpenDNS.

3. At the recommendation of Cisco and our Email Gateway provider (Proofpoint), we do not utilize Cisco Umbrella for lookups from our email gateway. This allows for raw DNS queries to be interpreted by Proofpoint and blocked based on the reputation engines that they have in place. We do the same for our IDS/IPS systems and any security-related system that needs raw DNS.

4. Our campus is an open academic campus as far as the Internet goes, so we only block known malware. We created a policy within Cisco Umbrella that we called Academic Freedom, which doesn't block any category of site (Social Media, Adult content, etc.), but only blocks Malware and Newly Created Domains (this is very effective).

5. Our IT team that has access to Cisco Umbrella has been asked to ignore categorization of DNS traffic to avoid invasion of privacy for users.

6. We don't use the agents on computers. If someone checks their email from a Starbucks and clicks on a phishing link, they will not be protected unless they are using our VPN (which does not do split tunneling). We recommend everyone use our VPN when off campus.

7. When we first turned OpenDNS on, there was an upstream network glitch that caused an OpenDNS outage. This led us to engineer a contingency plan in case Cisco Umbrella/OpenDNS went down. We are doing this with our F5 load balancers and priority groups. If OpenDNS is down, it fails over to our secondary systems, which bypass OpenDNS. For our campus, access is paramount and we'll accept the risk in these rare circumstances of users being able to access malicious domains.

8. We've had very few false positives. The ones we have gotten are usually taken care of quickly by Cisco Umbrella. By utilizing policy block and allow lists, we can customize the experience. Newly created domains is sometimes an issue, but we have found it to block a lot of malware in practice. For the most part, this hasn't been a big issue for our helpdesks.

9. We recently started logging all DNS requests and pulling them into our logging environment. We have a log file retention policy to ensure they are deleted in a timely manner, and access is limited due to privacy concerns. However, having that log has been invaluable to determine who clicked on a phish and has allowed us to avoid phishing our users. We use real phishing attempts to determine who clicked.

I hope that this has been helpful,

Thanks,
ep

--
Brian Epstein <bepstein () ias edu> +1 609-734-8179
Manager, Network and Security
Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED C34C C0E5 244A 55CA 2B78

----- Original Message -----
From: "Ryan Conley" <rconley () URI EDU>
To: "The EDUCAUSE Security Community Group Listserv" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Tuesday, April 21, 2020 1:47:57 PM
Subject: [SECURITY] Cisco Umbrella

Hello Everyone,

We are currently in the process of setting up a Cisco Umbrella POC. I was curious as to who is using Umbrella and what your experience has been? Also, how did you go about creating/testing policies for your institution? Any information/lessons learned is much appreciated.

Thank you,

--
Ryan Conley
Information Security
University of Rhode Island
Surge Building Room 136
Kingston, RI
Office: 401-874-9511
rconley () uri edu

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
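As an added illustration of point 9 in the reply above (working out from retained DNS query logs which hosts resolved a reported phishing domain), here is a small example that is not part of the original message or of Cisco Umbrella. The CSV layout, the sample lines and the 30-day retention window are all constructed assumptions, not Umbrella's real export format.

```python
"""Find clients that queried a reported phishing domain in DNS logs."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed columns: timestamp, client IP, action,
# queried name, category). Not real traffic and not Umbrella's format.
SAMPLE_LOG = """\
2020-04-22T14:01:05Z,10.20.3.41,Allowed,www.example.edu,Education
2020-04-22T14:02:17Z,10.20.3.41,Blocked,login.phish-example.test,Newly Seen Domains
2020-04-22T14:02:18Z,10.20.7.9,Blocked,cdn.login.phish-example.test,Newly Seen Domains
2020-04-22T14:05:30Z,10.20.5.2,Allowed,mail.example.edu,Education
2020-03-01T09:00:00Z,10.20.9.12,Blocked,login.phish-example.test,Malware
"""


def parse_log(text):
    """Parse CSV log text into a list of dicts with UTC timestamps."""
    rows = []
    for ts, ip, action, qname, category in csv.reader(io.StringIO(text)):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append({"time": when, "client": ip, "action": action,
                     "domain": qname.lower().rstrip("."), "category": category})
    return rows


def matches_domain(qname, target):
    """True if qname is the target domain or a subdomain of it (label-aware)."""
    target = target.lower().rstrip(".")
    return qname == target or qname.endswith("." + target)


def clients_that_queried(rows, target, now, retention_days=30):
    """Map client IP -> list of (iso time, action, queried name) for hits.

    Entries older than the retention window are skipped: under the
    retention policy described above they should already have been purged,
    so the search never relies on data the policy says must not exist.
    """
    cutoff = now - timedelta(days=retention_days)
    hits = {}
    for r in rows:
        if r["time"] < cutoff:
            continue
        if matches_domain(r["domain"], target):
            hits.setdefault(r["client"], []).append(
                (r["time"].isoformat(), r["action"], r["domain"]))
    return hits
```

Note that a "Blocked" hit shows a user reached the lookup stage of the phish and was stopped at DNS; an "Allowed" hit for the same name would mean the block list was not yet in place when they clicked.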