Understanding Grey Domains in Cisco Umbrella DNS Proxy

VCD
3 min read · Jun 11, 2020

Disclaimer: All content in this article is based on my own research and work experience. It should not be considered an official recommendation from Cisco Systems.

Unlike proxying all web traffic, Cisco Umbrella DNS-layer protection uses a "selective" proxy mechanism to intercept web traffic; in Cisco terms this feature is called the "Intelligent" proxy.

Umbrella classifies all domains into three categories: Good, Bad and Grey.

The classification is based on the domain's reputation. Each domain is assigned a score based on in-depth research and the information received. The research data mainly comes from the Cisco Umbrella research team, Talos and more than 50 partners, including researchers, academic institutions, etc.[1]

For the purpose of this example, I am using the Cisco Talos Reputation Center web tool to verify the reputation of three domains: https://talosintelligence.com/reputation

[Figure: Talos score for the Cisco.com domain]
[Figure: Talos score for the putlockers.cr domain]
[Figure: Talos score for the yr9n47004g[dot]com domain]

The Umbrella Intelligent proxy will allow the Cisco.com domain and block the yr9n47004g[dot]com domain.

The putlockers.cr domain is neither Trusted nor Untrusted. According to the Talos domain reputation site, the domain putlockers.cr may host "Illegal Downloads", which is the reason the domain is not fully trusted.

Grey domains have a reputation similar (though not identical) to the example above, and all web traffic to them is subject to proxying. That means the endpoint will not make a direct web connection to a grey domain. Grey domains are accessed via the Umbrella proxy, which gives Umbrella visibility into the web traffic so it can scan embedded malicious files and enforce content filtering (based on policy).

There are two ways to enable the Intelligent proxy: with SSL Decryption enabled, or without SSL Decryption enabled.

[Figure: Intelligent proxy settings; source: docs.umbrella.com]

There are three main scenarios with the Intelligent proxy feature.

  1. Intelligent proxy is disabled: no web traffic is sent through the Umbrella proxy. Umbrella DNS resolves the domain name and returns the IP address of good and grey domains to the end device. End devices establish web connections directly to both good and grey domains.
  2. Intelligent proxy is enabled, without SSL decryption: all web traffic to grey domains is forwarded to the Umbrella proxy. Port 80 (HTTP) web traffic gets security enforcement as per policy, but Umbrella has no visibility into port 443 (HTTPS) web traffic and is therefore unable to perform malware/anti-virus scanning or content filtering on it.
  3. Intelligent proxy is enabled, with SSL decryption: all web traffic to grey domains is forwarded to the Umbrella proxy. Both port 80 and port 443 web traffic get security enforcement as per policy.

[Figure: Intelligent Proxy web traffic forwarding matrix]

Note: File Inspection should be enabled together with Intelligent proxy and SSL decryption so that files hosted on grey domains are scanned for malicious content before they are downloaded.
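To make the forwarding matrix concrete, here is an added example (not Cisco's code, and not part of the original post) that models the three scenarios above, together with the File Inspection note, as a small policy evaluator. It assumes a simplified world: every domain is classified as "good", "bad" or "grey", only ports 80 and 443 count as web traffic, and the `Flow`, `UmbrellaPolicy` and `coverage_gaps` names are my own. The sample flows are constructed, using the three domains from the article, and `coverage_gaps` reports grey-domain flows that reach the endpoint without Umbrella being able to inspect them, which is the visibility problem scenario 2 leaves open for HTTPS.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class UmbrellaPolicy:
    """Hypothetical policy knobs mirroring the article's three scenarios."""
    intelligent_proxy: bool
    ssl_decryption: bool
    file_inspection: bool = False


@dataclass(frozen=True)
class Flow:
    domain: str
    category: str  # "good", "bad" or "grey" (Umbrella's three classes)
    port: int      # 80 (HTTP) or 443 (HTTPS)


@dataclass(frozen=True)
class Outcome:
    action: str         # "direct", "proxied" or "blocked"
    inspected: bool     # can Umbrella apply AV scanning / content filtering?
    files_scanned: bool # does File Inspection cover downloads on this flow?


def evaluate(policy: UmbrellaPolicy, flow: Flow) -> Outcome:
    """Apply the forwarding matrix to one flow."""
    if flow.category == "bad":
        # Bad domains are blocked at the DNS layer regardless of proxy settings.
        return Outcome("blocked", inspected=False, files_scanned=False)
    if flow.category == "good" or not policy.intelligent_proxy:
        # Scenario 1 (proxy disabled) and good domains: the endpoint connects directly.
        return Outcome("direct", inspected=False, files_scanned=False)
    if flow.port not in (80, 443):
        # Assumption: non-web ports are not handled by the Intelligent proxy.
        return Outcome("direct", inspected=False, files_scanned=False)
    # Grey domain with Intelligent proxy enabled: traffic goes via the Umbrella proxy.
    # HTTP is always visible; HTTPS is visible only when SSL decryption is on (scenario 3).
    inspected = flow.port == 80 or policy.ssl_decryption
    files_scanned = inspected and policy.file_inspection
    return Outcome("proxied", inspected=inspected, files_scanned=files_scanned)


def coverage_gaps(policy: UmbrellaPolicy, flows: List[Flow]) -> List[Flow]:
    """Grey-domain flows that Umbrella cannot inspect under this policy."""
    return [f for f in flows if f.category == "grey" and not evaluate(policy, f).inspected]


# Constructed sample flows using the article's three example domains.
SAMPLE_FLOWS = [
    Flow("cisco.com", "good", 443),
    Flow("putlockers.cr", "grey", 80),
    Flow("putlockers.cr", "grey", 443),
    Flow("yr9n47004g[dot]com", "bad", 443),
]

SCENARIO_1 = UmbrellaPolicy(intelligent_proxy=False, ssl_decryption=False)
SCENARIO_2 = UmbrellaPolicy(intelligent_proxy=True, ssl_decryption=False)
SCENARIO_3 = UmbrellaPolicy(intelligent_proxy=True, ssl_decryption=True, file_inspection=True)

if __name__ == "__main__":
    for name, policy in (("scenario 1", SCENARIO_1), ("scenario 2", SCENARIO_2), ("scenario 3", SCENARIO_3)):
        print(f"== {name}: {policy}")
        for flow in SAMPLE_FLOWS:
            print(f"  {flow.domain}:{flow.port} ({flow.category}) -> {evaluate(policy, flow)}")
        gaps = coverage_gaps(policy, SAMPLE_FLOWS)
        print(f"  uninspected grey flows: {[f'{g.domain}:{g.port}' for g in gaps]}")
```

Running it shows the point of scenario 3: under scenario 2 the HTTPS flow to putlockers.cr is proxied but still listed as a gap, and only with SSL decryption (plus File Inspection) does every grey flow come back as inspected with downloads scanned.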

The Cisco Umbrella root certificate must be installed on the endpoint when Intelligent proxy with SSL decryption is enabled; otherwise the browser will show a certificate error when accessing a grey website. Yes, we may still be able to reach the website by choosing the "I accept the risk" option in the browser, but this is not a best practice and is not recommended.

[1] https://support.umbrella.com/hc/en-us/articles/230903908-Finding-out-More-About-Websites-that-Umbrella-has-Blocked-for-Security-
