Cisco Umbrella

What is Cisco Umbrella?

Cisco Umbrella is a cloud-delivered security service that enforces policy and blocks malicious activity before a connection is even established. Because the service runs in the cloud, no on-premises hardware has to be installed. Umbrella provides the visibility needed to protect internet access across all locations, for all types of users and across all network devices.

The Cisco Umbrella solution offers the following services:

  • Protection from malware, ransomware and phishing attempts served by malicious or fraudulent websites.
  • Protection for roaming users and devices, irrespective of their location and without the need to be connected to an office network.
  • Enforcement of the organization's acceptable use policy, using built-in content categories as well as custom-defined block lists and allow lists.
  • Integration with Cisco AMP and anti-virus engines to provide advanced signature-based inspection.
  • Real-time security activity reporting, to identify compromised systems and targeted attacks.

How does Cisco Umbrella Work?

Cisco Umbrella works at the DNS (Domain Name System) layer: the network or device is configured to send its DNS queries to Cisco Umbrella's resolvers, and Umbrella analyses every request for threats and anomalies before answering it. For example, if Umbrella sees a device repeatedly requesting known bad domains, that device is most likely compromised.

  1. When a user opens a website, the client machine first needs the website's IP address, so it sends a DNS query, which goes to Cisco Umbrella's DNS resolvers.
  2. Umbrella analyses the request to determine whether the domain the user is trying to access is safe. If it is, Umbrella answers with the domain's IP address.
  3. If the domain is not safe, or is blocked by the configured policy, Umbrella instead answers with the IP address of its block page, so the browser lands on the block page rather than on the site.

Umbrella is straightforward to deploy: pointing a network's DNS at the Umbrella resolvers is enough to protect the users behind it. For users off the corporate network, the lightweight Umbrella Roaming Client, or the Cisco AnyConnect Umbrella Roaming Security module, sends the device's DNS queries to Umbrella from anywhere, including home networks and public Wi-Fi, without a VPN connection. Two points worth keeping in mind: enforcement is per domain (and its subdomains), not per URL, and it only applies to queries that actually reach Umbrella, so a client that resolves names through some other resolver (for example a browser configured with its own DNS-over-HTTPS provider) or connects directly by IP address is not covered at the DNS layer.

LAB 1: Setting Up Cisco Umbrella

The objective of this lab is to set up a Cisco Umbrella account as well as the roaming client.

Task 1: Creating account for Cisco Umbrella

Step 1: Open Google Chrome and browse to https://www.temp-mail.org/en/ to get a corporate-like email address; note down (copy) the address you are given.

**Do not use the mail ID shown in the screenshot; use the one generated on your machine.

Step 2: In a new tab (press Ctrl + T), go to https://umbrella.cisco.com/ and register for a free trial with the email address you obtained in Step 1.

Step 3: Verify the email address and create a password.

Note: Create any password you like; for this lab the password used is Ubuntu@2021.

Task 2: Login into Cisco Umbrella Dashboard

Step 1: Go to https://www.login.umbrella.com/ and log in with the account and password. For now we skip all the other options shown; we only add the network's IP address and download the Umbrella client.

Task 3: Add new network to Cisco Umbrella account

Step 1: Go to Deployments > Core Identities > Networks > Add

Check "the network has dynamic IP addresses"; uncheck it only if the network has a static public IP. A Network identity is matched on the public IP address from which queries reach Umbrella, whereas the roaming client installed in Task 4 identifies the machine itself, so it is the roaming client that protects this lab machine once it leaves that network.

Task 4: Download & Install Cisco Umbrella Remote Client

Step 1: Go to Deployments > Roaming Computers

Since we want to connect our local Windows machine to Cisco Umbrella, we can either download the Cisco Umbrella Roaming Client or the AnyConnect Umbrella Roaming Security Module. We will be using the Cisco Umbrella Roaming Client.

Step 2: After installation, verify that the device is synced with Cisco Umbrella

Step 2.1: On Windows Machine

Step 2.2: On Cisco Umbrella cloud

Go to Deployment > Core Identities > Roaming Computers

After installation the machine appears automatically under Roaming Computers on the Cisco Umbrella dashboard. From here on, the client forwards every DNS query from this machine to the Umbrella cloud over an encrypted channel, so the policy applies wherever the machine connects.

Task 5: Install Certificate signed by Cisco Root Certificate Authority

Step 1: Download the certificate from the Cisco Umbrella cloud dashboard

Go to Deployment > Configuration > Root Certificate

For blocked HTTPS sites, Umbrella serves its block page over HTTPS using a certificate issued by the Cisco Umbrella root CA. Unless that root certificate is trusted by the machine (imported into the Windows Trusted Root Certification Authorities store, which Chrome uses), the browser shows a certificate warning instead of the block page, and the bypass link used in Lab 3 never appears.

LAB 2: Configure Umbrella Policy & Custom Block Page

The objective of this lab is to configure security policy on Cisco Umbrella, to block E-Commerce and Gambling websites.

Task 1: Check websites are accessible or not

Step 1: Open Google Chrome and check that both websites are accessible (check in Incognito mode); after checking, close all Incognito tabs

https://www.amazon.com

Step 2: Now go to new tab (press Ctrl + T) and go to https://www.poker.com

Step 3: Close all tabs of incognito mode.

Task 2: Create a Custom Block Page

Step 1: Login to Cisco Umbrella Dashboard

Step 2: Add a new block page appearance

Go to Policies > Policy Components > Block Page Appearance

Step 3: Go to Policies > Management > All Policies > Default Policy

We have just created a custom block page; now set it as the block page for the Default Policy so that it is shown whenever a client visits a restricted site.

Task 3: Block E-Commerce & Gambling Websites

Step 1: Go to Policies > Management > All Policies > Default Policy

Task 4: Sync Windows with Cisco Umbrella Cloud

Step 1: Check Sync time on Windows Machine & on Cisco Umbrella Dashboard

Step 1.1: On Windows Machine,

Step 1.2: On Cisco Umbrella Dashboard, Go to Deployment > Core Identities > Roaming Computers

Step 2: Stop the Cisco Umbrella client on the Windows machine, clear the DNS cache, and start the client service again. Close and reopen Chrome as well, because the browser keeps its own in-memory DNS cache that Incognito mode does not clear.

**NOTE: Automatic sync between the Windows machine and the Cisco Umbrella cloud takes about 5-12 minutes, so syncing may take time; if the policy has still not arrived after 5-12 minutes, force a sync by restarting the client service as above.

Step 3: Check the sync time on both sides (it should show "synced: few minutes ago")

Step 3.1: On Windows Machine,

**NOTE: If you do not see last connected: "less than a minute ago" and IPv4 DNS Status: "Protected", perform Step 2 above again. If the problem persists, restart your Windows machine.

Step 3.2: On Cisco Umbrella Dashboard, Go to Deployment > Core Identities > Roaming Computers
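The sync and verification steps above (and the website checks in Task 5 below) can be scripted. The following PowerShell helpers are an added example written for this page, not Cisco's code or part of the original lab. Two things are assumed rather than stated on the page: that the roaming client's Windows service is named Umbrella_RC, and that the client points every adapter's DNS server at 127.0.0.1 while it proxies queries to Umbrella; confirm both on your build before relying on them. The public resolver 1.1.1.1 is an arbitrary choice for comparison.

```powershell
# Added example (not from the original lab): check, force-sync and test the
# Cisco Umbrella Roaming Client from an elevated PowerShell window.
# Assumptions: service name 'Umbrella_RC' (confirm with Get-Service *Umbrella*)
# and loopback DNS while the client is active (confirm with
# Get-DnsClientServerAddress).

$ServiceName = 'Umbrella_RC'   # assumed service name of the Umbrella Roaming Client

function Get-UmbrellaClientState {
    # Service status plus the IPv4 DNS servers each adapter currently uses.
    # With the roaming client active the adapters are expected to point at
    # 127.0.0.1, because the client proxies all DNS to Umbrella itself.
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceFound  = [bool]$svc
        ServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        DnsServers    = Get-DnsClientServerAddress -AddressFamily IPv4 |
                        Where-Object { $_.ServerAddresses } |
                        ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }
    }
}

function Restart-UmbrellaClient {
    # Task 4 Step 2: stop the client, flush the Windows resolver cache and
    # start the client again to force a policy sync. Chrome keeps its own
    # in-memory DNS cache, so close and reopen the browser afterwards.
    Stop-Service -Name $ServiceName -Force -ErrorAction Stop
    Clear-DnsClientCache
    Start-Service -Name $ServiceName -ErrorAction Stop
    Start-Sleep -Seconds 10
    (Get-Service -Name $ServiceName).Status
}

function Test-UmbrellaProtection {
    # Umbrella's diagnostic record: a TXT query for debug.opendns.com answered
    # by Umbrella carries strings such as 'server r...' and 'originid ...';
    # when the query came through the roaming client it also carries a
    # 'device ...' string with the roaming computer identity. Answers from any
    # other resolver carry none of these.
    try {
        $txt = Resolve-DnsName -Name 'debug.opendns.com' -Type TXT -ErrorAction Stop |
               Where-Object { $_.Strings } |
               ForEach-Object { $_.Strings }
    } catch {
        return [pscustomobject]@{ ViaUmbrella = $false; ViaRoamingClient = $false; Strings = @() }
    }
    [pscustomobject]@{
        ViaUmbrella      = [bool]($txt -match '^server ')
        ViaRoamingClient = [bool]($txt -match '^device ')
        Strings          = $txt
    }
}

function Compare-Resolution {
    # Task 5 (and Lab 4 Task 4): resolve a domain through the system resolver,
    # i.e. through Umbrella, and directly through a public resolver. When
    # Umbrella enforces a block, the system answer is the block-page address
    # rather than the site's real address, so the two answers differ.
    # A difference is a strong hint, not proof: CDN-hosted sites can return
    # different addresses to different resolvers, so confirm in the browser
    # and in Reporting > Core Reports > Activity Search.
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$PublicResolver = '1.1.1.1'   # arbitrary public resolver for comparison
    )
    $viaUmbrella = @(Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    $viaPublic   = @(Resolve-DnsName -Name $Domain -Type A -Server $PublicResolver -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress)
    $overlap = @($viaUmbrella | Where-Object { $viaPublic -contains $_ })
    [pscustomobject]@{
        Domain        = $Domain
        ViaUmbrella   = $viaUmbrella
        ViaPublic     = $viaPublic
        LikelyBlocked = ($viaUmbrella.Count -gt 0) -and ($overlap.Count -eq 0)
    }
}

# Usage: the checks the lab asks for in Task 4 and Task 5.
Get-UmbrellaClientState
Test-UmbrellaProtection
'www.amazon.com', 'www.poker.com' | ForEach-Object { Compare-Resolution -Domain $_ }
```

If Test-UmbrellaProtection reports ViaUmbrella but not ViaRoamingClient, queries are reaching Umbrella without the device identity (for example via the Network identity only), and the Default Policy applied to the roaming computer will not be the one in effect; run Restart-UmbrellaClient and check again before concluding that the policy is wrong.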

Task 5: Check websites are accessible or not

Step 1: Open Google Chrome and check whether both websites, https://www.amazon.com/ and https://www.poker.com, are still accessible (check in Incognito mode); after checking both, close all Incognito tabs

**If both websites are still accessible, go back to Task 4 and redo Step 2: the sync between the Windows machine and the Cisco Umbrella cloud was probably not completed.

Step 2: Now go to new tab (press Ctrl + T) and go to https://www.poker.com

Step 3: Close all tabs of incognito mode.

LAB 3: Create Bypass Key for Blocked Content on Cisco Umbrella

The objective of this lab is to create a bypass key on Cisco Umbrella to allow a specific user to access blocked website.

Task 1: Create a Bypass key

Step 1: Login to Cisco Umbrella Dashboard

Step 2: Create a bypass code

Go to Admin > Bypass Codes > Add

**For the code expiry, enter a date and time that suits the day you are performing the lab (the next day's date and time is recommended).

Note down the CODE it will be used in further steps

Step 3: Under the block page settings, select the bypass code for the block page, so that it can be used whenever the block page appears

Go to Policies > All Policies > Default Policies > Custom Block Page Applied > Edit

Task 2: Sync Windows with Cisco Umbrella Cloud

Step 1: Check Sync time on Windows Machine & on Cisco Umbrella Dashboard

Step 1.1: On Windows Machine,

Step 1.2: On Cisco Umbrella Dashboard, Go to Deployment > Core Identities > Roaming Computers

Step 2: Stop the Cisco Umbrella client on the Windows machine, clear the DNS cache, and start the client service again. Close and reopen Chrome as well, because the browser keeps its own in-memory DNS cache that Incognito mode does not clear.

**NOTE: Automatic sync between the Windows machine and the Cisco Umbrella cloud takes about 5-12 minutes, so syncing may take time; if the policy has still not arrived after 5-12 minutes, force a sync by restarting the client service as above.

Step 3: Check the sync time on both sides (it should show "synced: few minutes ago")

Step 3.1: On Windows Machine,

**NOTE: If you do not see last connected: "less than a minute ago" and IPv4 DNS Status: "Protected", perform Step 2 above again. If the problem persists, restart your Windows machine.

Step 3.2: On Cisco Umbrella Dashboard, Go to Deployment > Core Identities > Roaming Computers

Task 3: Verify access to blocked websites with the bypass code

Step 1: Open Google Chrome and verify whether the block page for the blocked websites offers "Administrative Bypass" (check in Incognito mode). *After checking both websites, close all Incognito tabs

https://www.amazon.com/

**If the website does not show "Administrative Bypass", go back to Task 2 and redo Step 2: the sync between the Windows machine and the Cisco Umbrella cloud was probably not completed.

Step 2: Now go to new tab (press Ctrl + T) and go to “https://www.poker.com”

Step 3: Close all tabs of incognito mode.

LAB 4: Configure Ransomware Protection on Cisco Umbrella

The objective of this lab is to provide DNS-based ransomware protection using the Cisco Umbrella cloud.

Task 1: Disable the Umbrella client on the Windows machine

Step 1: On the Windows machine, open CMD and disable the Umbrella client

Task 2: Check whether malicious websites are accessible

Step 1: Open Google Chrome and check whether the malicious test website is accessible (check in Incognito mode); after checking, close all Incognito tabs

http://maliciouswebsitetest.com/

Step 2: Close all Incognito Window

Task 3: Check the malware policies on the Cisco Umbrella dashboard

Step 1: Login to Cisco Umbrella Dashboard

Step 2: Check the malware policy for websites

Go to Policies > Management > All Policies > Default Policy

Step 3: Enable the "Malware" and "Potentially Harmful Domains" security categories

Task 4: Enable the Cisco Umbrella client on the Windows machine

Step 1: On the Windows machine, open CMD and enable the Umbrella client

**NOTE: The sync between the Windows machine and the Cisco Umbrella cloud takes about 5-12 minutes, so syncing may take time; if the policy has not arrived after 5-12 minutes, restart the client service.

Step 2: Check the sync time on both sides (it should show "synced: few minutes ago")

Step 2.1: On Windows Machine,
**NOTE: If you do not see last connected: "less than a minute ago" and IPv4 DNS Status: "Protected", restart the Cisco Umbrella client. If the problem persists, restart your Windows machine.

Step 2.2: On Cisco Umbrella Dashboard, Go to Deployment > Core Identities > Roaming Computers

Task 5: Check whether malicious websites are still accessible

Step 1: Open Google Chrome and check whether the malicious test website is still accessible (check in Incognito mode); after checking, close all Incognito tabs

 http://maliciouswebsitetest.com/

**If the website is still accessible, restart Umbrella on your machine again: the sync between the Windows machine and the Cisco Umbrella cloud was probably not completed. Note that enforcement happens at DNS resolution, so a site whose address the browser or the Windows resolver has already cached can stay reachable until those caches are cleared.

Task 6: Check logs/activities on the Cisco Umbrella dashboard

Step 1: Check the logs

Go to Reporting > Core Reports > Activity Search

Each DNS request from the roaming computer appears here with the identity that made it, the destination, the categories matched and the action taken (allowed or blocked), which is the quickest way to confirm that a block in Task 5 was enforced by policy rather than by a stale cache.