Cisco Umbrella Master Class: From Modern ID Challenges to Full‑Scale Deployment

Name: Cisco Umbrella Training - Masterclass
Uploaded: 2026-01-16T11:04:44.752321+00:00
Channel: SecureWire
Description: Summary and key takeaways on Cisco Umbrella Master Class: From Modern ID Challenges to Full‑Scale Deployment, covering Introduction The video introduces Cisco

SecureWire

Jan 16, 2026

•

5 min read

YouTube video ID: D-zon4NNin0

Source: YouTube video by SecureWire — Watch original video

PDF

Introduction

The video introduces Cisco Umbrella as a cloud‑native security platform that protects users, devices, and applications wherever they connect. It is part of a larger Udemy course covering nine hours of content, including architecture, virtual appliance installation, best practices, and licensing.

Modern Identity & Access Challenges

Traditional hub‑and‑spoke model – Branch offices back‑haul traffic to a corporate data center for inspection before reaching the Internet.
Cloud adoption – IaaS, PaaS, SaaS (e.g., SAP, Microsoft 365, Salesforce) demand low‑latency, direct‑to‑cloud access.
Direct Internet Access (DIA) – Organizations use broadband circuits to connect sites directly to cloud providers, bypassing on‑prem firewalls and creating security gaps.
Mobile workforce – Laptops, smartphones, and tablets work from home, cafés, or conferences, making per‑site firewalls impractical.
Resulting need – A security framework that enforces policies regardless of user location.

Secure Access Service Edge (SASE)

Gartner’s SASE model combines networking and security functions (Zero‑Trust Network Access, Cloud Access Security Broker, Secure Web Gateway, Firewall‑as‑a‑Service, DNS security, etc.) into a single, cloud‑delivered service. Cisco Umbrella is one of the vendors that implements SASE.

How Cisco Umbrella Fits Into SASE

DNS Layer Security – The core service; all DNS queries are routed through Umbrella, which blocks malicious domains before resolution.
Multi‑layer inspection – After DNS resolution, Umbrella’s Secure Internet Gateway (SIG) adds Secure Web Gateway (SWG), Cloud‑Delivered Firewall (CDF), intrusion‑prevention, file‑malware inspection, and DLP.
Threat intelligence – Integrated with Cisco Talos, AMP, and other feeds; includes an Investigate API for programmatic look‑ups.

Architecture Overview

Component	Description
DNS Layer Security	First line of defense; blocks malicious domains at resolution time.
Cloud‑Delivered Firewall (CDF)	Layer 3/7 firewall in the cloud; inspects protocols, ports, and applications.
Secure Web Gateway (SWG)	Full proxy that can perform SSL decryption, deep‑packet inspection, and file sandboxing.
CASB (Cloud Access Security Broker)	Discovers and controls shadow IT, enforces cloud‑app policies.
Interactive Threat Intelligence	Pulls data from Talos, AMP, etc.; provides block/allow decisions and investigative APIs.
Virtual Appliance (VA)	Linux‑based resolver deployed on‑premises to capture internal IP addresses and forward DNS to Umbrella.

Licensing Tiers

Four variants exist: 1. DNS Essentials – Core DNS security only. 2. DNS Advantage – DNS security + partial SWG (gray‑list proxy) and limited SSL decryption. 3. SIG Essentials – Full DNS security + optional add‑ons; basic firewall, URL filtering, custom URL blocks. 4. SIG Advantage – All‑features package: full CDF, full SWG with complete SSL decryption, IPS, DLP, CASB, remote browser isolation, and unlimited malware analytics.

Key differences include: * URL filtering and deep‑packet inspection require a SIG license. * Full‑layer IPS and DLP are only in SIG Advantage. * Remote Browser Isolation and advanced CASB are add‑ons for SIG Essentials or included in Advantage. * All tiers provide reporting, API access, and policy management.

Getting Started – Instance Creation & Network Definition

Sign up for a free trial (DNS‑only) at umbrella.cisco.com or use a purchased subscription.
Log in to dashboard.umbrella.com – The left pane shows Deployments, Identities, Policies, Reporting, etc.
Add a Network – Provide a name, public IPv4 address, and subnet mask (e.g., 192.168.128.0/32). This tells Umbrella the source of DNS traffic.
Configure DNS on the edge device – Replace existing DNS servers with Umbrella’s IPs (208.67.222.222 and 208.67.220.220) on routers/DHCP.
Verify activity – Use the Activity Search report to see allowed/blocked DNS requests and their categories.

Why a Virtual Appliance?

When only the public IP is visible, you cannot identify which internal host generated a request. Deploying the VA provides a local DNS resolver that forwards queries to Umbrella while preserving the original internal IP address for logging and policy enforcement.

Installing the Virtual Appliance

Download the OVA/OVF from the Umbrella portal (choose VMware ESXi or Hyper‑V).
Deploy on your hypervisor – Assign a static IP (e.g., 192.168.128.4), set the gateway, and configure the local DNS forwarder to your AD/DNS server (e.g., 192.168.128.3).
Login with the default credentials umbrella<ORG_ID> and change the password.
Configure using commands such as config VA interface ens160 192.168.128.4 255.255.255.0 192.168.128.1 and config local DNS add 192.168.128.3.
Synchronize – The VA shows a green status once it registers with the Umbrella cloud.
Update edge DNS – Point all internal devices (via router or DHCP) to the VA’s IP instead of the public Umbrella resolvers.
Result – Activity reports now display the true internal IP, enabling precise threat hunting.

Site & Internal Network Mapping

Domain Management – Add internal domains (e.g., securewire.org) to bypass Umbrella for internal name resolution.
Internal Networks – Define each LAN/WLAN subnet and associate them with a logical Site (e.g., Secure South Office).
Site Association – Link the VA to its site so Umbrella can apply site‑specific policies.

Secure Internet Gateway (SIG) Overview

SIG extends Umbrella beyond DNS: * Side‑to‑Side IPSec Tunnel – Connects on‑prem routers (or SD‑WAN devices) to the Umbrella cloud. * Traffic Flow – DNS → CDF → SWG → optional DLP/IPS → Internet. * Egress IP – Umbrella provides a pool (e.g., 146.112.0.0/16). A static egress IP can be requested from Cisco support. * Policy Stack – DNS policies are evaluated first, followed by firewall rules, then SWG inspection, and finally DLP/CASB actions.

Practical Takeaways

Cisco Umbrella replaces traditional on‑prem security appliances with a cloud‑first, identity‑centric model.
Deploying the VA is essential for visibility into internal hosts.
Choose the licensing tier that matches your inspection depth: DNS‑only for basic protection, SIG Advantage for full Zero‑Trust enforcement.
Properly map networks, sites, and identities to enable granular policy control.
Leverage the Investigate API and threat‑intel feeds for automated response.

Next Steps (Course Roadmap)

The remaining modules cover: * Detailed policy creation (DNS, firewall, web, DLP). * Active Directory integration for user‑based policies. * Advanced SIG features such as remote browser isolation and custom block pages. * Integration with Cisco Meraki, ASA, and SIEM solutions. * Ongoing monitoring, reporting, and incident response workflows.

Cisco Umbrella delivers a comprehensive, cloud‑native SASE solution that secures DNS, web traffic, and cloud applications from any location; deploying the virtual appliance and selecting the appropriate licensing tier unlocks full visibility and Zero‑Trust protection across modern, distributed enterprises.

Frequently Asked Questions

Who is SecureWire on YouTube?

SecureWire is a YouTube channel that publishes videos on a range of topics. Browse more summaries from this channel below.

Does this page include the full transcript of the video?

Yes, the full transcript for this video is available on this page. Click 'Show transcript' in the sidebar to read it.

How Cisco Umbrella Fits Into SASE

* **DNS Layer Security** – The core service; all DNS queries are routed through Umbrella, which blocks malicious domains before resolution. * **Multi‑layer inspection** – After DNS resolution, Umbrella’s Secure Internet Gateway (SIG) adds Secure Web Gateway (SWG), Cloud‑Delivered Firewall (CDF), intrusion‑prevention, file‑malware inspection, and DLP. * **Threat intelligence** – Integrated with Cisco Talos, AMP, and other feeds; includes an Investigate API for programmatic look‑ups.

Why a Virtual Appliance?

Helpful resources related to this video

If you want to practice or explore the concepts discussed in the video, these commonly used tools may help.

Cisco Secure Network Analytics (Stealthwatch) Book Recommended

Provides in‑depth guidance on Cisco's network detection and response platform, helping readers extend Umbrella's DNS security with advanced threat analytics; valuable now as organizations adopt integrated SASE monitoring.

Amazon →

Sase Security Fundamentals Online Course

Covers the principles of Secure Access Service Edge, Zero‑Trust networking, and cloud‑delivered firewalls, giving learners the context needed to design Umbrella deployments effectively.

Amazon →

Cisco Umbrella Dns Security Subscription

A purchasable cloud service that provides the core DNS protection described in the video; essential for organizations seeking immediate protection without on‑prem hardware.

Amazon →

Cisco Securex Platform License

Integrates threat intelligence, automation, and incident response across Cisco security products, enhancing Umbrella's investigative capabilities for rapid remediation.

Amazon →

Links may be affiliate links. We only include resources that are genuinely relevant to the topic.

Summarize another video

Full Transcript YouTube

hello and welcome to the Cisco umbrella
Master Class video
in this video we're going to talk about
Cisco umbrella what it is the
architecture installation of the virtual
appliances some of the best practices
and many other details
this is a section of a wolf that's Cisco
umbrella course that we have on udemy
which is about nine hours long that
encompasses a lot of other features
details Sig and many other components so
feel free to check that out and the link
is in the description
throughout this course reach us out on
this email address if you have any
questions so let's get started
before diving any further let's review
what our modern ID challenges so back in
the day you used to have this corporate
office branch offices in other
sites that are located at different
geographical locations they would all
backhaul their traffic or network data
back to the corporate data center and
then it would be inspected out here if
it wanted to go out on the internet it
would just
I'll just put here www to indicate World
Wide Web
so if it wanted to go out on the
internet from here it would actually
come into the corporate data center and
then go out to the internet
now as you may wonder you have this
advancements in Cloud Technologies so
you have a lot of these cloud computing
Technologies around infrastructure as a
service platform as a service software
as a service
right so businesses are adopting these
on a rapid scale
because now they are much more
affordable it makes things much faster
for them and it makes business much more
efficient so with that being said they
don't want to have like latency or lag
delays in the applications so for
example if we are talking about sap
now if this application is in the cloud
they would need to have
this application to be very Snappy
quicker no latency so if users from here
and here are accessing this application
routing that traffic back to the
corporate office
over the internet and then to the
Cloud providers Data Center
it would be very very problematic for
the business users because it would be
much more sluggish slow and degraded in
performance
at the same time you don't want to
bypass the security controls right so
you want to have all these inspections
being taken place just to make sure that
you follow all the best practices and
Implement policies
so over the course of time businesses
started to have direct internet access
or d i a it what it is called
wherein this unit or this site started
to have like a direct internet
connection to the cloud provider so that
it is much faster to have application
access now this could also be Microsoft
365 or let's say it is
um
or let's say it is Salesforce many other
applications right so you have like
hundreds and hundreds of them
so with this model uh we also have
something called as SD van that has
taken up lot of the space
because now businesses want to have like
cheaper internet circuits maybe
Broadband Connections in order to have
connectivity to the cloud direct
internet access they no longer want to
have this primitive architecture to flow
their data back to the corporate office
right so you now have a loophole out
here wherein the security controls are
now bypassed so you cannot really have
like next Generation firewalls and all
placed out here again because it will
increase cost
and not forgetting a good old friend
mobile devices whether it's tablet
computers handheld smartphones laptops
so these are constantly on the move and
people are working from home from coffee
shops and they're constantly on the Move
let's say they are traveling to a
conference sales meetings you know uh
chamber meetings or what have you so how
do you protect these users as well even
if they are mobile or roaming they would
still access these Cloud apps they would
still need to access the Erp they would
need to access their emails so can you
imagine running a Next Generation
firewall
at each home where people are kind of
dreams from
that's probably impractical right so
with all of these challenges in place
Gartner came out with a term called
sassy or
s-a-s-e secure access service edge
so this is a very new technological
Paradigm that businesses are shifting
towards wherein it is a standard that
enforces cyber security principles no
matter where users are so if they are in
a coffee shop if they're working from
home if they are in a corporate data
center if they're on a move if they're
at a conference anywhere all of the
security principle will apply for them
and there will be things like
authentication authorization security
monitoring and everything
so sassy is the security principle or
framework that is used to address all of
these today's ID challenges that we just
talked about
and Cisco umbrella happens to be one of
the technology vendor that enforces or
supports sassy
or secure access service edge
so in short sassy looks something like
this so uh back in the day you had this
centralized infrastructure in place next
to the headquarters and then you had
like Branch offices in
um many other locations from your
company look
sink back up to the corporate data
center and then it would have internet
access whether if it's Cloud apps email
anything
but now the Paradigm has shifted towards
this decentralized architecture wherein
the headquarter is now out of the
equation so you have Branch offices your
storage routing information everything
is kept out somewhere else so it's no
longer in the headquarters
then you have like mobile devices which
are constantly on the move they are 24
7.
accessing apps in the cloud whether it's
sap
people are browsing YouTube Salesforce
HR applications Microsoft 365 and
everything
so the entire Paradigm of the perimeter
is shifted away so there's no such thing
as a boundary anymore
and Sassy helps to achieve cyber
security goals by enforcing uh identity
and access management threat prevention
zero trust Network architecture or ztna
Cloud access security broker uh
implementing secure web Gateway uh
firewall as a service file inspection
DNS in everything so you see this blue
layout here so essentially Cisco
umbrella implements all of these and
sits in this blue layer acting as a
sassy solution to provide security
enforcement
let us look at how umbrella comes into
picture and how it helps us to address
some of the security risks that we saw
in the previous section
so at the bottom if you see you have all
of these on-premise networks or roaming
users and different devices that are
connected to the network that use DNS
which is the underlying protocol used
for internet access
so right off the bat all of their
requests for DNS are now routed through
Cisco umbrella which is essentially a
DNS service
so in the first use case if there is a
request from a user or a device that
goes to a malicious URL or a malicious
website that request is automatically
identified by Cisco umbrella and that
request is blocked so it doesn't even go
out on the internet before the
resolution itself when the user types in
the URL for the malicious website
when it results in Cisco umbrellas DNS
service
it identifies that it is malicious and
it does not serve back the IP address of
that website because
umbrella identified that as a malicious
website so user basically gets a block
page saying that this website is
malicious and you no longer are allowed
access to it
so that is as far as the blocked
requests are concerned
if Cisco umbrella sees that this request
is clean or the URL is good then the
request is allowed and the user gets an
IP address responded back by the
umbrella DNS servers and now the user
can make the connection to that website
or through that URL and the request is
sent out via the Internet
now
once the resolution for DNS takes place
and the request is being made
here there's a loophole right so if the
request is good it will be allowed but
what if that good website also has some
underlying files or URL redirects or
subdomains or anything related to that
website which further downloads malware
on our user's workstation
so umbrella has the additional component
for Sig which is the secure web Gateway
Advanced malware protection IPS DRP and
all of these components that tie in
after the umbrella DNS service allows
that website further inspection can
happen at the next layers so that your
allowed requests are still vetted out to
make sure that there are no other
malicious entities associated with them
so if the further inspection says that
everything is good the request still
flow out to the internet
if there is for some reason malicious
content being downloaded from a good
site
then the requests are blocked
so overall you have this two-part or
multi-layer
security inspection by Cisco umbrella so
at any given point of time all of the
requests are thoroughly inspected and
they are vetted out to make sure that
they convert to the security policies
now we'll talk about which other
features that are available in different
licensing tiers within Cisco umbrella in
the subsequent section so all of these
features are not included by default in
your Cisco umbrella offering so there
are some core features there are some
intermediary features and there are some
Advanced features and towards the end
you also have several add-ons that you
need to purchase in order to get this
full-fledged functionality
in having a visibility and inspection
from start to finish
so at the bottom out here you have all
of your on-prem infrastructure that
includes sd-wan based deployment or
direct internet access sites that we
already talked about which may be
present at your branch offices
next you have your on and off network
devices that includes laptops mobile
phones which are constantly on the move
which are off Network or off-grid and
then you also have servers and
infrastructure which includes Workforce
which are present basically inside your
location of your data center or other
buildings or campus locations right so
all of these devices use Cisco umbrella
as their DNS service which provides DNS
resolution and also on top of that
provides all of the security needs
through security policies
now you have to understand that Cisco
umbrella is a cloud-based offering and
there are no physical components that
are involved on installation at your
site
you may be having one component which is
called a virtual appliance which we will
be talking about in a later video
wherein you deploy
um
a Linux based agent or a server inside
your network in order to keep track of
your local endpoints
so we'll be revisiting this later
so now let's focus more about Cisco
umbrella architecture and what are the
different components that I actually
used here
so you start off with something called
as a DNS layer security which is the
primary or the heart of Cisco umbrella's
offering so this is your first line of
defense or the first layer wherein it
secures all of your DNS related
functions
so we talked about your devices sending
a DNS request and then they receive a
DNS response right with the IP address
so this is the layer that basically
takes care of your DNS resolution and
applying security to it so if your
device is send a request to let's say
training.securewise.org Cisco umbrella
will use this DNS layer security to
assess is
training.securewire.org a secure site or
a safe site or is it a bad site so based
on that classification it will
accordingly serve the IP address of that
site if it is good if it is a bad site
it will just simply serve a block page
so you have to understand that this is
the primary and the core feature that
Cisco umbrella offers as its fundamental
offering
the next piece out here so we'll focus
on something called as Cloud delivered
firewall or CDF this is a cloud-based
firewall which is layer 3 and layer 7
aware so it knows how to inspect
application and detect applications and
this is served the through Cisco
umbrellas SAS or software as a service
right so you no longer have anything
placed on site with respect to firewall
Hardware or any other components so this
is delivered directly through the cloud
essentially what it helps you to do is
to inspect other protocols like FTP
different Services different
applications right so what a typically
Next Generation firewall would do now
Cisco umbrella offers you this module or
this sub service within the Cisco
umbrella's offering and it can do
firewall based inspection for you
now we will be talking about this in
more greater detail how you use it how
you establish connections through it and
how you turn on these features
the next component is the secure web
Gateway or swg this is an add-on towards
the CDF or Cloud delivered firewall
wherein all of your connections that
actually flow after the DNS resolution
they are inspected by secure web Gateway
in order to make sure that you don't
have any malicious content you don't
have any malicious files being
downloaded so this entire component acts
as a web proxy
that helps you to inspect every single
bit and content and essentially perform
deep packet inspection across all of
your connections that actually flow to
the web pages
right or to the web content
this also helps you to do some things
related to SSL decryption so you can
partially decrypt web traffic or you can
also have full SSL decryption in order
to get more insight into your encrypted
traffic to perform things like data loss
prevention any sensitive information
leakage any unauthorized actions from
your users and things like that so you
can post a lot of web policies through
your secure web Gateway and this is
again offered as a SAS
component through Cisco umbrella Cloud
so there are no components that are
required for you to deploy on-site just
a simple configuration change and it
will help you to do a full SSL
decryption across your entire web
traffic
moving on to the next component which is
cast b or casb and it is abbreviated as
Cloud access security broker so this is
a fairly new term that is coined by
Gartner and the other assessors wherein
now we already talked about things like
Cloud boom and the agility that is
required by businesses for cloud
applications so we as it professionals
often fall behind wherein businesses are
adopting more Cloud applications and
they are not telling the IT team saying
that hey we are using this Cloud
application
can you help us out to see if there are
any risk associated to it so it people
often fall behind so we need to make
sure that we understand from a cyber
security standpoint what are the various
Cloud applications that are used to make
sure that they are properly vetted out
and make sure that they confirm to our
organizations Cloud security strategy
what do I mean by that is this
let's say I as a cyber security person
in a company approve Microsoft 365 as
the authorized application for email
SharePoint documentation uh repository
for OneDrive and the entire Suite that
comes to it
suddenly one of the business unit
decides that we are gonna go with
Google's Cloud Suite or G Suite so
they're using now Gmail as their mail
service uh let's say they are also using
Google Drive is a documentation
repository in comparison to what is
authorized as OneDrive now if you see
all of those applications you would
immediately come to know that those are
not approved by your organization so
cash B is the component that helps you
to identify when users are using
applications that are not authorized by
it these are also called as Shadow ID
right so that gives you a proper insight
you can also do things like discovery of
various other artifacts like application
Discovery and schedule jobs for through
that so we'll be talking about this in
the later video when we dive into Sig or
secure internet gateway versus umbrella
so stay tuned on the latest sections
and last component is interactive thread
intelligence that Cisco umbrella uses
from uh its threat intelligence sources
like Cisco Talos its intelligence teams
different feeds whether if it's layered
to amp thread grid so various other
Technologies are combined and linked
through Cisco umbrella via apis that you
can turn on and you can have much more
better visibility around threat
intelligence
for things like known bad IP addresses
known bad domains you can investigate
them get more details associated with it
and understand the general Behavior
this component also includes something
called as Cisco umbrella investigate API
that helps you to programmatically query
the investigate API to get the details
like if it's a
to gather details like if an IP address
that UI investigating is a good IP
address or not so we'll also be having a
look at this in the later video
but overall it integrates all of the
threat intelligence services that Cisco
offers through a single platform so that
you have a unified solution
um that you can adopt
so in short these were the components or
architecture elements that are used by
Cisco umbrella uh in this entire
solution
in the next video we'll be talking about
the different licensing model that are
used in Cisco umbrella and which of
these features are included in which
licensing tiers so stay tuned in the
next video Until then see you in the
next one
in this lecture we will be understanding
which are the different components that
are included in Cisco umbrella that we
saw in the previous lecture that are
included in which licensing tiers so
that you can make a better and informed
decision on identifying the package that
is more suitable for you
so at the top you see there are four
variants of Cisco umbrella starting with
DNS Essentials DNS Advantage Sig
Essentials and Sig advantage
so
these two things are covered in blue and
these two items are covered in green
so essentially you have to make a
decision if you want to use Sig or if
you want to use DNS security
so it depends on your use case and we
have like a few pointers that we'll be
talking about later in helping you to
identify which package is best for you
however in this lecture we'll be talking
about which are the different components
that are included and which components
are not included in the platforms so to
start off with you have security and
control features so the first one we'll
look at is the DNS layer security which
we talked about as the heart of the
Cisco umbrellas offering that helps you
to detect malicious websites malware
phishing sites and high risk domains
that is included in all of the four
variants of Cisco umbrella and this is a
must solution
secondly we'll move on to secure web
Gateway which is swg it's a part of the
Sig solution but it can be used in the
security Advantage version through a
partial deployment and what do I mean by
that is uh although you have SSL
decryption that can be carried out in
this variant for secure web Gateway but
it is partial and what do I mean by that
is only the graylist domain or which are
suspicious in nature can be tunneled
through secure web Gateway
however in Sig Essentials an advantage
you can a proxy or tunnel all of your
web traffic irrespective if it's good
bad or gray gray means uh it needs
further inspection to determine if it is
malicious or not right so uh important
key thing to note here is security
Advantage gives you only partial
functionality of SSL decryption or proxy
so only the gray list domains can be
proxied out web filtering option that is
domain based and category based like if
it's a website is pornographic in nature
if it's social media all of that
categorization features in are included
in all of the four variants however if
you wanted to do a filtering of URLs and
deep packet inspection you would need to
have a Sig license
all the four variants allow you to do
custom blocks based on allowed domains
or blocked domains however the
creation of custom blocking of URLs is
only permitted in Sig license in either
of the sync
similar to the decryption of SSL traffic
for file based inspection there is
partial functionality and security
Advantage wherein only graylisted
applications are allowed to be inspected
however in Sig Essentials and Advantage
all of your files can be proxied and
inspected through the Cisco umbrella
package you have some limitations on
malware analytics so this is through the
threat Intelligence on suspicious files
so there is a cap of 500 requests per
day in six Essentials an advantage has
unlimited whereas this feature is not
included in either of the TNS Security
Essentials or advantage
[Music]
moving on to the next component which is
casb or Cloud access security broker
which helps you to identify applications
for shadow ID use cases this feature is
partially available in DNS security
variant but it is fully available and
supported in the Sig variant
all right moving on to the next one is
DNS layer security which we already
talked about now Cloud interval firewall
or CDF that is layer 3 and layer 7 aware
Cloud delivered firewall it is not
available in DNS security versions
either Essentials or Advantage you need
to get a Sig version either Essentials
or advantage
however there's a catch here if you
wanted to have layer 7 protection that
includes IPS functionality you need to
go with seek advantage
uh DLP capabilities are only included in
Sig Advantage they are not included in
any of the three but you can definitely
take this as an add-on for seek
Essentials
the next one is remote browser isolation
so if we wanted to completely isolate
your browser sessions and inspect like
risky sites and completely sandbox them
out you can take this as an add-on for
seek Essentials or advantage and it is
natively not included in any of the
packages so this is something you have
to pay extra and get it enabled
for the threat intelligence piece you
can use secure X to tie in Cisco
umbrella with other Technologies like
amp thread grid automated responses and
functions so that is included in all of
the variants
however for Cisco umbrellas investigate
API it is only included in the higher TS
of security Advantage seek Essentials
and seek advantage
the last piece is traffic forwarding use
attribution management reporting and
logs all these features are included in
all of the four variants so basically it
gives you a set of preset reports
logging activities and different
features that you can use to integrate
with other elements like your sim for
logging and reporting that is included
in all four
management for things like multi-aut
console
umbrella apis so that you can use
scripts and remotely programmatically
access different functionalities of
Cisco umbrella that you can use and
these are included in author for
variants
customizing of block pages and bypass
options are also included in all of the
four variants so you don't
um run out of any features
the only difference out here is creating
policies for saml or security assertions
markup languages in order to identify
users maybe through your Azure ad Octor
or any other single sign-on solution
those policies can be created only with
Sig Essentials and Sig Advantage so it
does not let you use those features in
the DNS Security Essentials or Advantage
version
you can create multiple policies based
on different identities like Network
device user endpoint so in all of the
four variants so there's no restriction
there
you can use Cisco
umbrellas any connect client to deploy
the umbrella module to forward traffic
to Cisco umbrella cloud and that is used
for devices that are off the network
which are mobile
now before we jump into the actual
installation of the umbrella and setting
it up we need to quickly talk about
something called as identity and
identity provisioning
as we spoke about earlier identity is
nothing but a source
so a source is used in the policy to
apply context whether if you want to
deny or allow that particular source
in order to identify these sources you
have these identities
as you can see there are multiple types
of identities
the first one is networks wherein it
refers to a subnet that you use on your
computer network so you can uniquely
identify sources based on networks right
so we'll be adding networks first and
then as and when we increased the
complexity of our deployment we'll be
adding additional details
so networks is your IP information or
internal subnets the next portion is
users in groups so this is achieved
through your active directory
integration wherein you transfer the
information about users
your groups
and many other details on your active
directory into the umbrella Cloud so
that you can apply policies based on
specific users right so if you want
specific rules for HR you can do that
then if you wanted to have specific
rules for the executive leadership team
like CEOs and ctOS you can do that as
well so again this requires active
directory integration
and it can either be through on-premise
or it can be through Azure 80 and that
includes saml however this cannot be
done across all the three what I mean by
that is if you do active directory
integration for on-premise you cannot do
the same for Azure ad because you cannot
really sync multiple users that are
existing from different identity sources
all right so if you do Azure ad
integration you don't have to do
on-premise integration if you have the
same users syncing between both
all right
so the third one is Network tunnels
wherein you build an ipsec based site to
site tunnel uh between your branch
offices or corporate offices and
umbrella Cloud this is mainly used for
Sig and enabling firewall policies DLP
policies and web traffic inspection the
next one is sites now sites can be
categorized as like geographical
locations like if you have offices in
India offices in Australia or us each of
them would represent a site and category
you can group them in terms of
geographical locations
the next one is roaming computers so
this will be things like your laptops
your smartphones your iPads which are
constantly on the move so they are not a
part of a network or they are they're
not inside an active directory domain
right so they're outside your perimeter
Network so in order to apply policies
for them you have some agents that you
can deploy on laptops and also you have
applications that you can use for
smartphones in order to onboard them in
Cisco umbrella
the next is mobile clients though this
essentially refers to a subset of your
smartphone devices that you can
provision Cisco umbrella connectors and
add them through your MDM Solutions like
Microsoft InTune and things like that
and the last portion is network devices
which are essentially uh integrated
directly with umbrella whether if it's
in through API so these things could
include Cisco Meraki then your ASA
firewalls which natively have direct
capabilities to integrate with syscom
brother
so all in all these are the broad
categories of different identities that
you can use and it is very important for
you to plan out which types of
identities you can use
so the ones that are broader are
networks Network tunnels
sites so when I say broader it means
that these are more on a wider scope so
if you add networks to a policy it will
apply to several users
but if you wanted to apply specific
policies for specific users you would
need to integrate users and groups
roaming computers and mobile clients
right so the more specific you want you
need to have more Integrations and then
more Dynamic nature if you want like
access to be wide open uh and apply on a
larger scale than networks and sites and
network tunnels is the way to go
all these options are available for use
so you can use the one that suits you
the most so we're going to start with
integrating networks then we'll look at
the virtual appliances users and groups
through active directory then take care
of sites roaming clients mobile clients
then in Sig we look at Network tunnels
and then towards the end which is a
little bit Advanced configurations we'll
be having a look at Network device
Integrations in mobile device
Integrations
in this lecture we're gonna jump start
into the umbrella deployment
before we get started I want you to have
an umbrella instance of your own so that
you can get Hands-On and you can tag
along with me as and when we are doing
demo lab and deployments
so if you don't have any
umbrella instance of your own I'd highly
recommend you to come into
umbrella.cisco.com
and at the moment the Cisco's page form
rather looks like this and we are
interested in getting a free trial for
you so if you come up to the top right
corner click on free trial
and that should bring up a form
and you get a 14 day free trial so you
don't have to put in any of your credit
card information so you can go ahead and
enter your details in here and once you
sign up click on this button and you
should be able to get an email with a
provisioning for Cisco umbrella
now note that this free traffic umbrella
is only for uh DNS security it doesn't
include any Sig related functionalities
all right so keep that in mind
now what I have done is I have already
purchased a full-blown subscription for
Cisco umbrella secure internet gateway
Advantage seek Advantage so um
I would really appreciate if you leave a
comment and like this video because uh
we paid it just for you so that it can
get the maximum benefits out of this
so I'll quickly open up that email and
show you how it looks like so the email
looks something like this so it's from
Cisco umbrella and it says your order
has been processed and all you need to
do is just sign in to
dashboard.umbrella.com and you'll be
good to go and my email address will be
listed out here and when I try to
attempt to login I should click on
forgot password so that I can set that
password and I'll be good to go all
right so we'll take this down and hop
over to our umbrella console and get
logged in
so I'll enter my details in here
so right off the bat I have my dashboard
shown up under the overview tab so
underneath I have various options
towards your left Pane and in the middle
you have the heads up display in various
widgets
and since we are starting from fresh we
don't have anything deployed as of yet
and this data would be populated as soon
as we have several elements in here
so if you look at the left side here
under deployments we have something
called as core identities so identities
is nothing but your Source where DNS is
originating from
now it can originate from your network
this could be your site your location
your office location a branch office it
could be a network device which could be
like an ASA a Cisco Meraki which is
directly integrated with this camera
roaming computers that includes laptops
which are on the Move mobile devices can
be your iOS Android smartphones
Chromebook uses
Network tunnels that includes any ipsec
based tunnels that are established for
sake so we'll be talking about this
later
and lastly users and groups wherein it
helps you to identify and pinpoint
individual users groups in your company
which is used on your active directory
so all of these serve as identities
which help you to uniquely identify the
source of your DNS traffic
so this is very important to keep in
mind
because policies are applied based on
identities
next you have configuration like domain
management sites and active directory
internal networks root certificate saml
and service account exceptions we're
going to look at this in more details
later
than you have policies
so here is the place where you create
different policies
note that since I have a Sig Advantage
subscription
some of these details will not be
visible for you if you have a different
license like DNS Security Essentials
will not have web policies and stuff all
right so keep that in mind
so quickly uh recapping in here DNS
policy is associated to DNS layer
security which is the heart of this
solution
firewall policies related to the cloud
delivered firewall web policy is
associated to your Cloud Web Gateway or
your web proxy which is included in Sig
then you also have a data loss
prevention or DLP policy
so for policy components you have IPS
signature lists destination lists
content categories application settings
so these are just nothing but objects
that you can use
and tie in this with the policies we'll
be having a look at these in more
details later
next you have a section for reporting so
you have some code reports here which
are provided out of the box
some additional reports
and also you can manage reports like
schedule reports
and Export reports and download them
next you have this investigate
portion wherein you can leverage this to
perform investigations on your security
events or security incidents and
leverage Cisco umbrellas investigate API
and lastly you have this admin panel
wherein you have accounts user roles
wherein you can Define many admins in
here all right to login
you have a portion for log management
for defining and integrating logs for
your sim
authentication is authentication to the
console itself and you can use external
Azure ID based authentications and
things like that
bypass users and bypass codes would be
Associated to users that you would need
to bypass
umbrella policies so that you can bypass
some certain controls and have access to
block sites
API keys and lastly licensing so this
was just a quick overview and a quick
rundown of what is there on the left
side
and you can probably compare it with the
console that you have and see which are
the features that you are missing based
on the different licensing tiers
all right
the next very important thing to note is
your organization ID or oid right so
that is displayed in the URL itself so
if you click on the URL
you see here dashboard.umbrella.com
forward slash o and there's one unique
number in here so for me it shows up to
be
810-2570 so this serves as your
organization ID so you need to make sure
that you make a note of this
all right so our next step is to add
something called as a network
so we'll navigate into core identities
and click on Networks
and I'll hide this left pane so that
it's much more easier to look at
so at the moment I don't have any
networks to find now a network is very
important so that Cisco umbrella knows
where you are coming from because ciscom
brother is a shared cloud-based platform
it has to know the source of the traffic
so that it knows which policies to apply
and segregate based on your organization
right so right off the bat it says I'm
coming out from this netted IP address
so we'll add this up into the Netflix
portion so that Cisco umbrella knows
that secure wire is coming out of this
IP so that it knows which policies to
apply
now a quick recap I'll just pull up the
lab Network diagram
so you see out here I have my Iraqi
firewall and whatever sits behind in
here all of these devices will be
querying Cisco umbrella as their DNS
server
whatever is there out here as the egress
point
this traffic will be netted out when it
leaves the firewall right so I need to
know the net IP of this or the public IP
address so that I can add it to the
umbrella cloud
if you have this as a static IP address
this is great you can add that so it
will not change
however if you have this as a dynamic IP
address you need to download something
called as an umbrella client we'll just
talk about that in a minute
so we'll hop on back to the umbrella
console
I'll copy this out
and click on ADD
and I'm gonna say
secure wire
South office
so it is a best practice to name
networks based on locations like if this
office was in UK you can say secure wire
UK office something like that so that
it's very easy for you to identify and
tag various networks when it increases
in size right
so this is an ipv4 address so I'm going
to use ipv4 in here
and this and the subnet is going to be
32 because it's one IP address right so
if you have multiple IP addresses like
some use some IPS I used in DMZ and
stuff you can add the entire block
if you are using IPv6 you can use this
and if you're using mixed you can add
both
so I'm going to leave this unchecked
because mine is static and I'm gonna
click on Save
and that should add
the network so I have my first Network
show up here notice that I have a
default policy so don't worry about this
we're gonna take care of this in the
policies video
give it some time so that
um you know hosts from this network need
to send DNS traffic to Cisco umbrella
and only then it would turn this
inactive flag to active so we'll quickly
do that by changing our DNS settings on
our
firewall or the router
alright so I'm on my firewall
or which could be your router so I have
two internet connections so what I'm
gonna do here is at the moment I have
both of these pointing to Google
so we'll edit this and change the
primary DNS
and this is 208.67.222.222
and the secondary it's gonna be two zero
eight 1.67.220.220
right so I'll click on update
the second place I need to change this
is in my DHCP because I have an internal
DHCP running
so in here I need to do the same so it's
going to be 208.67.222.222
second one is 208.67.220.220
uh I'll need to make sure that I
restart my devices
or renew the lease so that the new DNS
servers are populated
in Meraki I can directly do use umbrella
but we'll see the setting later when we
do integration with Meraki I just wanted
to show you how you can change it on
your upstream or routers so that it's
much more similar all right so I'll
click on Save changes
so I waited for about 10 minutes and now
you can see this flag has turned out too
active so one out of one active networks
are detected and the graph is now slowly
climbing up right so if we give some
more time we're gonna get more events so
what I'm gonna do is I'm gonna click on
active Networks
and now you see this flag has turned out
to active
because it's now seeing network
communications or devices from this
subnet
so quickly uh come into reporting and
click on activity search
just to see if we can find anything
yes sure enough I see uh DNS requests
from my securewise South office
and I can see where it is trying to go
to
right so there are some Windows updates
if I scroll down
uh I can see the IP address
where it is coming from
uh action is allowed and I can also see
the categories that it is tagging each
request to
all right so that concludes our first
setup wherein we spun up our first
Network and tied to it
in the next video we'll be talking about
briefly the Dynamic DNS updater for your
external IP if you don't have a static
IP what that looks like all right until
then see you in the next one
we are now at the final piece of
verifying to make sure that whatever we
have deployed so far Works in is on the
track
so at the moment I can see that I'm
getting some logs and I can very well
verify that all of my DNS queries are
being sent to syscom brother all right
hey bud can you notice one thing out
here which is odd you see here external
IP as my van IP address
right what if I wanted to know who
generated these DNS requests
right so I know for sure that this is an
Android phone
this is a Samsung phone
so you see this column out here called
internal IP now it is showing blank
now if this is blank I don't know who
generates which DNS request right so if
this request was a malicious request and
I wanted to track who generated it I
have no clue whatsoever to track it down
the answer to this issue is to install
something called as a virtual Appliance
or a VA inside your network so that all
of these devices can send their DNS
requests to that local resolver in that
way we'd be able to identify accurately
and pinpoint who the source or the
internal IP is
so we'll be taking care of that in the
next section wherein we'll be talking
about installation we'll be performing
the actual installation and then we'll
be actually seeing uh how it actually
captures the internal IP address a
couple of items to wrap up in here is we
know for sure that it works perfectly
fine
there are some additional sites that you
can use which are provided by Cisco
umbrella and those sites can actually
gauge if you are using Open DNS or not
what do I mean by that is this so I'm
going to open a new tab and I'm gonna
type in here
welcome.opendns.com
and I'm gonna reload it again
so you see here there's a orange check
mark mentioning that I am indeed using
Open DNS so this is to confirm that all
of my DNS requests are flowing through
Open DNS or Cisco umbrella
so if you don't know Cisco umbrella took
over Open DNS when they bought that
company that actually made this solution
if you hear me say Open DNS or Cisco
umbrella interchangeably it means the
same solution
okay so there is another site called
internetbadguys.com so if you click on
that they should be blocked
so as you can see here Cisco umbrella it
says the site is blocked due to a
phishing threat
so this blocks by this is blockband
administrator
if you click on diagnostic information
you can actually see some more details
like IP address of this site
all right
so this confirms that we are correctly
using Cisco umbrella
all right so with that being said we
come to this end of this current video
and in this section we briefly talked
about getting started in Cisco umbrella
we deployed a network and we verified
the internal settings we saw Dynamic DNS
updater client and we also saw some of
the confirming steps that you can take
in order to confirm if you are using
syscom result or not all right
that was the end of this current video
in this section I'll see in the next
video wherein we'll be talking about the
umbrella virtual Appliance and
installing it on our Network until then
see you in the next one
in the last lecture we saw how we cannot
see or track the internal IP addresses
of our internal clients and we can see
the netted IP or the external IP on the
firewall and we don't have any clue
whatsoever how to track these internal
hosts when we try to see if there are
any issues or if there are any malicious
Communications going out all right so
we'll quickly recap why this happens and
what is the solution and we'll quickly
jump into the solution which is the
installation of the umbrella's virtual
Appliance
all right so referring to our lab
diagram what actually happens is so so
far we have not configured this side of
the house right so when we have clients
that are using this internal Network
what actually happens is let's say for
example this is an Android device it
wants to communicate out to Google Play
Store
it'll send its DNS traffic to this
firewall
out here and in turn the firewall will
send it out to the umbrella DNS Services
the response will come back with the IP
addresses and the clients will make
connection to the internet right but
when this traffic leaves this network
over here
what happens is The netting takes place
because private iot addresses are never
routed on the internet so the firewalls
public IP is assigned to all of the
packets that are going out so when
netting takes place this is where we see
that public IP addresses Associated to
the DNS traffic
so the solution for this is to make sure
that these devices
send their DNS request
to a local resolver or a local DNS
server which is the umbrella's virtual
Appliance and we're gonna install this
and IP it on
128.4 so moving forward all of these DNS
traffic from all of the internal clients
will reroute or will be sent to this
virtual Appliance and in turn this
virtual Appliance will create a tunnel
or a configuration
with our
Cisco umbrella portal the instance that
we have
alright so
thereafter what will happen is if this
client
queries let's say Google Play Store it
will request the local umbrella of
virtual Appliance for its IP address
and then it turn it will respond to the
DNS requests
and then the device will make
Communications to the required resource
that way
umbrella will keep track of who is
requesting which sites and who's trying
to resolve which domains all right so
this will be the first part of the
integration wherein we'll be installing
this virtual Appliance and we'll be
configuring it
and then we'll be testing it out to make
sure that we see the internal IP
addresses
in the subsequent sections we will be
making a connection with the virtual
Appliance and the ad server and that way
we'll be able to keep track of usernames
so that will be the next step
so we'll hop on to our umbrella
dashboard to get the installation files
for this VA and then we'll install this
VA on our ESX server
so now that we are on our umbrella
portal I'm gonna navigate into
deployments
and I'm interested in
sites and active directory
and I don't have any Integrations in
here so I'm going to click on download
to download the installation files for
the virtual Appliance right so in my
case I'm using VMware esxi so I'm gonna
click on download to get this if you're
using hyper-v you're going to use this
link
all right it now says uh do I want to
download this I want to allow
and let that download
and while that file is being downloaded
you see out here the password to access
this local virtual Appliance is umbrella
with you capital and this number is your
organization ID
all right so this will be my password
but it'll be different for you and just
to recap organization ID can be fetched
through this URL
all right so our VA has been downloaded
what we can do here is I'm gonna hop on
to my ESX server which is on
192.168.128.2
uh uh and we are interested in creating
a new virtual machine
we're gonna deploy it from an OVA or an
ovf
I'm going to give it a name
click on next
and it is using
my default storage gonna click next
make sure you select the proper Network
I'm gonna choose thin provisioning
power on automatically
click on next
make sure this is good
so yep it's a Linux 5.4 version
finish
so let this upload task complete so it's
going to
take a while so I'm going to pause here
all right so our VM is imported and
we'll click on Virtual machines
here's our VA
click in in I'm going to click on the
console and try to see what happens
all right so it's booting up which is a
good sign
all right and there we go
it's trying to acquire DHCP so we'll be
changing that
all right so as you can see it is doing
some tests to sync up to the umbrella
cloud
and slowly slowly everything is turning
green
which is good
so at the bottom you see uh there are
set of options that we can use to access
the uh console and we are interested in
doing that what we can do is I'm gonna
click on control plus b
so it says are you sure you want to
enable config mode default password for
this VA is so and so
um I'm gonna say yes
so here we'll have to key in our
password and here it's going to be
umbrella with you capital
and my organization ID
eight ten two five seven zero
okay now it is asking us to change the
password and note the user account it is
VM admin
enter the new password
alright there we go
so this is a custom Linux version of
Open DNS or Cisco umbrella so the
commands are a little bit different so
you can tag along uh just to see what
those are uh very first command is going
to be config VA show
and this will show the current version
of the configuration that is living on
this machine
as you can see the name is in IP address
um
we have a primary adapter which is ens
160.
and the IP address is assigned through
thcp so we're going to change that
first of all we're going to change the
name
so that command is going to be config VA
name and the name what we want to put
so I'm going to say config VA name
secure wire Dash va1
so the name is changed and the second
thing I want to do is change the DHCP
based IP addresses and make it static
and our VA is going to be living on
192.168 128.4
so the command for that is config VA
interface the name of the interface
which is ens160
IP address it is going to be
192.168.128.4
subnet mask is two five five two five
five two five five zero and Gateway is
gonna be 192.168.0120.1
and we'll remove this extra space hit
enter
now our next step is to make sure that
local DNS queries from this domain are
routed to our domain controller and the
command for that is config
local
DNS add
can hit question mark and hit enter so
it's going to show you
uh the syntax of the command so if I say
config local DNS question mark enter
so it would give me the syntax so if
you're ever confused in what the
commands are you can use that syntax
right so it's add
IP address and that is
192.168.128.3 which is my domain
controller
and I'm gonna hit enter
so it's added successfully and lastly
our next step is to make sure that
whatever we have is verified
so I'm going to execute config VA show
so IP address has been changed
it's now also pulling static IP address
so all of this looks good and make a
note of this resolvers so it is umbrella
DNS servers
to exit out of the prompt I'm just gonna
execute the command exit
give it a minute so that everything
turns green
and there we go this DNS server is okay
and local DNS is also set up correctly
in the last lecture we saw how we can
download install setup and configure uh
virtual Appliance and we concluded by
changing the configuration of the
virtual Appliance and we saw it synced
to our umbrella dashboard
hey but notice out here there is some
kind of a Red Cross here and says error
so click here for details so if I click
here it says I have only one VA and this
virtual Appliance is not redundant
within a site so it recommends that you
have two or more vas just like how we
discussed right so since this is a lab
environment I'm gonna have only one
setup in here but if you are running in
a production environment it is highly
recommended that you have minimum two or
more right so I'm going to hit cancel
and we can ignore this error for now
in this video we'll talk about uh adding
some of our internal components that is
internal Networks
internal sites
and Link it to our
main sites
what do I mean by site is you can
picture this as your branch office
location
let's say you have one branch office in
San Francisco one you have in New York
one you have in Mumbai India or one you
have in UK London right so you can
create locations as your sites so that
you can categorize like your virtual
Appliance your internal networks you can
associate them to sites so that it's
much easier for you to track and keep
accounts of of where things are right so
just to recap internal IPS or internal
networks map to something called as a
site so your site is an overarching
feature and each site can have multiple
internal networks so we're gonna do
exactly that and also we're gonna verify
that we have internal IP addresses being
tracked correctly or not all right so
what I'll do here is first I'm gonna go
under deployments and domain management
and in here I'm gonna Define my internal
domain that is being used on my domain
controller which is securewy.org
I'm going to click the add button
to add
secure via DOT org
don't want to have a space
so it is my internal domain so any DNS
requests going to this domain is going
to be sent to my domain controller and
it's going to bypass Cisco umbrella
right so this is the very first step
that you have to do
click on Save
and if you have any other local domains
you can keep on adding here as a list
our next step is to Define what our
internal networks are and just to
quickly show you
uh we have an isolated 10.0.0.08
and a 19168 128.0 24 Network so we're
gonna add these two just to make sure
that we Define them and tag them so that
when we investigate it becomes much more
simple and easy
so we'll hop over to internal networks
and the configuration
so I don't have anything added in here
so click on ADD
my first network is
secure wire
South
LAN
because it's a
physically cabled Network
so this is going to be 192.168.128.0
subnet is 24. and this is associated to
a network right
and securewire South office is my
network
I'm gonna click save
and add the other wireless network as
well
I'm just gonna say WLAN so wireless LAN
isolated right so it's 10 0 0 0
slash eight
this again is tied to a network which is
secure via South office that we added in
the very beginning
click on Save
so now I have my internal networks all
right uh the next step I need to do is
bundle all of these up into a site
right because if I come into sites and
active directory the site it lists is
default side
so we're gonna click on settings
and click on add new site
I'm gonna name this site as
secure
South office
so it's just a
location name
so hit save
so that's added
and we'll go back
and we're gonna associate this virtual
Appliance to that particular site that
we just created
all right that looks good
so if we wanted to create like let's say
additional networks and Associate them
to a site you can very well do that as
well
right so
um I'd like to keep everything buckled
up on the network
uh so that it's much more easier for me
to manage which sources it's coming from
but if you had multiple overlapping
networks you can associate them to a
site
all right so I'm Gonna Leave This blank
and hit cancel
all right with that being said our next
step is to verify that internal IP
addresses are being tracked correctly
but in order for that to happen I need
to make sure that my internal devices
which are in here so all of these
devices should send their DNS requests
to the umbrella VA right so we'll just
change that configuration on the
firewall so that all of that traffic is
sent to the virtual Appliance and if you
have any manual systems that are being
set up that way you can set them up to
point it to the VA so we'll jump into
the firewall and change that
configuration to point DNS to the
virtual Appliance
so initially we had added the IP
addresses of the umbrella servers but
here I'm gonna change this to
192.168.120 8.4
and you would enter the second one down
here but since I have only one
I'm just gonna add one in here
now if you have a DHCP server like for
example if we hop onto our slide now if
you have this ad server as a DHCP server
that is handing out IP addresses inside
your network which typically happens in
a production environment you would need
to go in the DHCP settings in here and
add the DNS server as your virtual
Appliance
and we'll be doing that uh in the later
video when we are integrating ad service
so that is coming up in the subsequent
videos
so I waited for about 10 minutes and now
I came into activity search Under
reporting and just like how we saw
earlier
check out the internal IP uh this is my
domain controller so 120.3 so I can see
what destinations it is trying to reach
out to
external ipv we saw earlier
uh now I can track who this person is if
I scroll down let's see if I can get
somebody else so I have another device
here Dot 18.
looks to be a mobile device
so
it's connected to YouTube and stuff so I
can actually see and now Trace who the
endpoint is
so through the VA now we can confirm the
different IP addresses from the internal
Network
all right so with that being said we
come to the end of this current video
and we have verified installed
configured and set up a virtual
Appliance and now we are good to go in
jumping into the next step which is the
integration with the active directory or
ad servers until then hello there and
welcome
we are at a point to discuss now secure
internet gateway or Sig
now this is the component of Cisco
umbrella which is an add-on
over the heart of the umbrella solution
which is the DNS policies
all right so in short what Sig is or
secure internet gateway essentially it
is a SAS based service
which is deployed as a software as a
service model and delivered to multiple
clients and essentially this service
lives in the cloud so you don't have to
deploy any controls with respect to
Hardware or anything on premise
so you get this as a subscription that
you can leverage and utilize one egress
point for all of your data traffic
whether if it's on premise Mobile
roaming users anything
all right so this is how it actually
looks and we'll get into the
functionality and how it actually works
the architecture and the components
but we'll briefly talk about the
features that are included in Sig which
is in addition to the DNS layer which is
a heart of the umbrella solution
so if you need additional inspection
so we talked about DNS layer inspection
application policies and proxy right so
selective proxy so if you need
additional inspection on top of that
so if you need protocol based inspection
you need to identify layer 3 to layer 7
applications which are flowing across
your infrastructure in the networks and
also if you want to enforce things like
intrusion prevention policies
uh data loss prevention policies if you
want to do a complete decryption of your
web traffic and tunnel everything so
that you can inspect every single data
packet flowing across your network you
would need to have Sig which gives you
those additional capabilities it also
gives you something called as a CDF or
Cloud delivered firewall
so this component helps you to enforce
protocol layer inspection application
layer inspection right up from layer 3
which is like your essential TCP ports
up until the layer 7 inspection which is
application aware based inspection
you can create policies just like how
you would create firewall policies on
Palo Alto or Cisco ASA those firewall
rules that it can have you can set them
up through this component of Sig which
is CDF
next in line is intrusion prevention so
essentially it includes components that
are associated to
rules that can be turned on and whatever
traffic is flowing through your network
it can be inspected and correlated
against those rules to identify
potential intrusions whether if it's
inbound or outbound
the biggest feature over here is this
swg or secure web Gateway which is a
full or complete proxy
right we're gonna see the difference
between this and the selective proxy
that we had seen earlier or intelligent
proxy
it essentially is the same component but
in here swg helps you to Tunnel
everything not just unknown sites but
known sites unknown sites right those
can be tunnel everything through
secure web Gateway and you can have full
and complete inspection and complete
decryption
next you have file in malware protection
which is delivered through amp so this
is similar to the one that we saw
um in the previous modules wherein we
did file inspection but in here it gives
you additional features like files and
boxing malware detonation inspection of
unknown files and things like that
so additional features and more muscle
on top of it
you have something called as a casb or
Cloud access security broker that helps
you to identify hidden applications
unauthorized applications which are used
on your internal Network so that you can
track Shadow ID use cases and track down
users that are using unauthorized apps
and lastly you have something called as
a data loss prevention or DLP that helps
you to Define policies to look for
Content like Social Security numbers
credit card information financial
information people's private information
like date of birth uh in combination
with first name last name addresses to
track pii so if you are
obliged to follow certain compliance
policies then this would be a great
feature to have
DRP also helps you to do like a
proactive scan in your Microsoft 365
OneDrive or Google Cloud environment to
detect potential uh
private information or confidential
information if it is not handled
correctly
so we'll quickly have a look at Sig
the different components and how it
actually works so essentially just like
how we had for the DNS layer security we
have users and devices
these can either be connected to your
corporate Network or these can be
roaming
so
in Sig what happens is normally you have
this router
or like a layer 3 device which is a
simple solution that was probably
implemented for sd-wan or a simple
internet connectivity right so you can
consider this to be a smaller footprint
you don't have things like next
Generation firewalls ASAS or bigger
appliances out here so you can consider
like a smaller footprint Meraki MX
or a watch guard firewall or any other
device which does not do additional
inspection like these features have like
all of these features would not be
included in here
so these so this device serves as a
Gateway for all the for all of these
users and since you want to have
additional Sig based inspection
what you do here is you establish
something called as a side to side
tunnel which is an ipsec tunnel that
terminates on this end
into the umbrella cloud
right
so all of the traffic flowing from your
router to the umbrella cloud is
encrypted through this tunnel based on
the parameters that are defined in the
side to side tunnel configuration
and this tunnel is formed over the
public internet which is the untrusted
network right so data flows from your
router into the umbrella cloud
now what happens out here is
complete magic so
so when your data traffic reaches to the
umbrella Cloud it is inspected for
multiple layers of security which we'll
talk about in a minute and essentially
if you have policies to deny traffic or
if your traffic is detected as malicious
it will be identified as block traffic
and it will be blocked
and in the opposite case if it is
permitted
it will be allowed through the internet
and it'll go to its public destination
whether it's cloud or any other apps on
the internet
the egress point that you see out here
will have
an IP address that is either mapped to
any of these two subnets
146.112.0.0 16 Network or
155.190.0.0 16.
and you have to remember that you don't
essentially get a fixed egress IP
address if you wanted to you have to
reach out to the umbrella support and
the account manager in order to reserve
an IP address just for your deployment
if you want to have one static IP
address
so we'll blow up this component and
we'll try to see what what modules are
included in here
all right so we have our on-premise and
off-premise devices
right sd-wan buildings campus offices
connected
to the Cisco umbrella cloud
through a side to side tunnel
and that is seek
once you have this connection
established we already saw DNS layer
security which is the heart of this
solution so this is the first layer that
is enforced right all of your DNS
policies DNS layer security policies are
applied first
and once these are inspected the next in
line is your Cloud delivered firewall
so I'll just put one
and this would be two
so your CDF or Cloud delivered firewall
will look for traffic anomalies
additional Port based inspection service
inspection layer 7 apps inspection if
you have turned it on all of those
things
would be performed by CDF or Cloud
delivered firewall
and all of those features are very
similar to your traditional firewall and
how it actually works we're gonna see it
in more details later when we set up
policies
the next in line is your secure web
Gateway right which is your full proxy
or a complete proxy
in here all of your data traffic
irrespective if the traffic is good or
unknown it gets proxied through the
secure web Gateway however in your DNS
layer security intelligent proxy which
is essentially the same
only the unknown traffic is routed
through the intelligent proxy and that
is only selective decryption right only
for the unknown sites however in here
even if the site is good it is tunnel
through the secure web Gateway for
additional inspection and this is where
things like DLP happens
right
and also my apologies IPS inspection
happens out here as well in the cloud
delivered firewall
so DLP and additional security policies
that you may deploy in Secure web
gateway to inspect things like files
that are being downloaded
you can have policies to sandbox the
files so that they can be dynamically
analyzed for malicious behaviors and you
just don't have unknown traffic analyzed
but you have known traffic also so that
you can Implement complete zero trust
Network architecture deployment
right now casb is a component that lives
on top of all of these and helps you to
identify applications helps you to
identify unauthorized apps cloud
deployments and things like that
there is also something called as
additional features on interactive
threat Intel that are delivered through
umbrella investigate API which you can
leverage for your incident response or
investigation processes
very very cool feature for your security
operations team and we'll also have a
look at this towards the end of this
course
all right so these other subsystems or
mod use of your Sig component which are
delivered on top or in addition to your
DNS layer security that is the heart of
the umbrella solution
if you want to learn more about Cisco
umbrella we have a full-fledged course
upon udemy when we talk about many other
details which include active directory
integration Advanced configuration with
virtual appliances
policy management which includes
whitelists blacklists Global whitelists
block page customization application
management
bypass codes intelligent proxy and file
inspection it also includes SSL
decryption up until layer 7. roaming
computers and mobile devices which
includes integration with MDM how you
can deploy Cisco umbrella on your
smartphones which includes iOS devices
and Android devices
right and not forgetting about the
anyconnect roaming agent module which is
on laptop Integrations
we also dive into Sig or secure internet
gateway
and touch base on cloud delivered
firewall so this is like your virtual
ASA in the cloud
in Secure web Gateway
which includes the IPS full application
proxy complete decryption and data loss
prevention
we also touch base on preventing DLP in
in SAS applications like Microsoft 365
Google G suite and other Cloud providers
and how syscom result helps you to
implement DLP in those platforms
we also talk about Cisco umbrella
investigate how you can run sock
operations and integrate your processes
with ciscomb roller
and also we talk about various other
Advanced Integrations that includes
Cisco Meraki Cisco ASAS your sim if you
have any log management solution and
also event reporting
and there are some other additional
elements as well regarding
Administration and investigation in
reporting
so if you like this video feel free to
head out to this URL which is also in
the description box below and if you
want some coupon codes you can email out
to us on support securewire.org
I hope this course was informative to
you until then take care