Cisco Umbrella Branch

The Enterprise Branch

Enterprise branch technologies are of a particular interest to me, mostly because my customer base is at the top end of the small enterprise space. They’re not quite big enough to dive completely into full enterprise architectures, but their needs are definitely beyond what has been addressed by the bare-basic functionality of Cisco’s Meraki and Small Business product lines. More often than not, enterprise branch technologies are where growing enterprises begin.

Cisco’s presentation focused on two technologies in the Integrated Service Router (ISR) 4K series of branch routers: The Cisco Umbrella Branch and Stealthwatch Learning Network, respectively built on Cisco’s OpenDNS and Lancope acquisitions. I'm going to focus on the first of these as it's the more applicable of the two for my customer base.

Cisco OpenDNS

The Cisco OpenDNS service itself leverages the fact that the bulk of information requests on the Internet use DNS queries as their first connection step. It processes DNS queries and, based on predefined content filtering policies established by the organization (blocking categories such as pornography, gambling, piracy, &c) and dynamic filtering policies (blocking known C2 (Command and Control) callback sites, phishing sites, &c), it either returns the correct host for the requests or rewrites responses to prevent clients from connecting to unauthorized destinations.

The basics of this functionality can be had with just about any client or router by using the Cisco OpenDNS nameservers (208.67.222.222, 208.67.220.220, 2620:0:ccc::2 and 2620:0:ccd::2) instead of those provided by the local ISP. Anyone can do it and it's doesn't cost anything, but without an OpenDNS account, the functionality is limited to the blanket blocking of known malware and phishing sites.

By offering free access to the basic OpenDNS service, Cisco gains the opportunity to data mine application behaviour by analyzing the associated DNS requests. They can then correlate the various addresses with the requested domain names to establish a reputation score and apply this to new requests that resolve to the same addresses. Advanced analysis of this pool allows this functionality to be extended in other ways, too. For example, malware-hosting sites can be identified by looking at what DNS requests rapidly follow the original lookup and factoring their reputations into this.

As a consumer offering, this kind of "smart" DNS service is valuable, but it only provides a part of the solution that the enterprise requires. Detailed analysis of what is actually going on as it relates to the organization's network, is where Cisco Umbrella Branch comes into play.

Cisco Umbrella Branch

Cisco Umbrella Branch leverages this by embedding an agent into the IOS XE operating system of the Cisco ISR 4K branch routers. The agent proxies DNS requests from clients to ensure that only the Cisco OpenDNS services are used, rewriting requests to unauthorized name servers as required. It also embeds internal client information into the request so that problems can be isolated to internal users and machines. The organization can then use the Cisco OpenDNS Umbrella console to isolate and identify acceptable use policy and security problems.

This approach isn't a catch-all because it does nothing to mitigate direct-to-IP connections. When asked about this, the presenter pointed out these exceptions could be handled by Cisco's Cloud Web Security Product in conjunction with the Umbrella Branch offering. Still, Cisco estimates that 97% of client attacks use DNS as a component of their connectivity. This makes sense, considering that most of the resources used by these attacks aren't hosted at fixed addresses. If any part of the attack can be blocked by disrupting the DNS, it follows that the rest of the process will fall apart, achieving the desired result.

The Whisper in the Wires

At first glance, I considered all the ways in which the Cisco Umbrella Branch could be defeated, and there are at least a couple. Any process that bypasses DNS and uses direct-to-IP connectivity, or tunnels its DNS queries in another protocol like SSH will go right around this solution. When Cisco suggested that another product would be able to cover that side of things, I realized that I was thinking about it the wrong way.

We're all looking for a magic bullet to address our problems, and Internet security is no exception to this. The trouble is, we've never found that bullet. Years ago, we thought firewalls would protect us and that turned out to be untrue. We started adding other technologies, such as proxy servers, anti-x software, intrusion detection/prevention systems and more. While these play a role in a security solution, none provides it on its own. There's no reason to expect Cisco Umbrella Branch to be any different. A complex problem is almost never addressed by a single, simple solution.

Looking at it in this light, the Cisco Umbrella Branch provides impressive visibility into most branch and small enterprise Internet activity where it wasn't present before. More importantly, the product offers easy cloud-based control over access policies and intelligent mitigation of client-side threats. It's not going to be the only tool in the branch security box, but it has the potential to be one of the more well-used ones.

Further Investigation

I discovered later, that IOS XE on the Cisco CSR 1000v virtual routers has the same support for Cisco OpenDNS that the ISR 4K routers do. This warrants some further research...

Disclaimer: I was invited to the TFDx session at Cisco Live 2016 event in Las Vegas; an event that I was already attending. I was not compensated in any way by the presenter for my attendance. Neither the Tech Field Day staff nor the presenting vendor have had an opportunity to review what I have written. I have no obligation to write about the presenter, nor is there an assumption that I will show any positive bias towards their presentation. The expectation is only that I be honest in any writing that I do.

Originally published at Packet Pushers.