cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Impact to MDATP protection / visibility / investigations when using Cisco Umbrella Roaming Client

Sergg
Iron Contributor

‎May 21 2020 01:14 PM

‎May 21 2020 01:14 PM

Impact to MDATP protection / visibility / investigations when using Cisco Umbrella Roaming Client

Dear Experts,

Integrated Cyren web filtering is not yet prod. EMS customer with MDATP planning to deploy Cisco Umbrella DNS protection on endpoints to get non-productive and malware URLs blocked. I have a concern on how Umbrella Roaming client will coexist with the existing deployment of MDATP. Please see my thoughts and questions below,

 

Umbrella Roaming Client (URC) uses DNS to make a decision if the page is allowed. If it is allowed original unmodified IP address returned to the client. If the page is not allowed then IP address within the range 146.112 / 16 returned. This is Cisco scrubbing farm built of transparent proxies. It will display a block page.

My concern is that URC will make DNS protocol invisible to other endpoint protection products (like MDATP). Does anyone have experience or thoughts with MDATP and Umbrella Roaming Client (URC) coexistence? Will the customer be loosing out because MDATP unable to see RAW DNS requests? Are those requests even monitored to begin with? Here is a blog about coexistence MDATP in Proxy environment MDATP Monitoring network connection behind forward proxy - Public Preview

 

### references – a few words about Umbrella Roaming Client (URC) ###

Umbrella Roaming Client – DNS filtering DNS proxy (local domains can be added to exception list)

After you install the Cisco Umbrella roaming client you'll notice that the IP address gets changed to localhost or 127.0.0.1, otherwise known as the loopback interface. This is normal and expected behavior.

The Umbrella roaming client runs as a local service which is used as a local resolver and DNS forwarder, encrypting and authenticating requests using the DNSCrypt protocol. Requests are then forwarded to Umbrella’s anycast IPs, with the replies returned to the host through the loopback interface. This essentially makes the Umbrella roaming client a DNS Proxy, which is why you see the DNS change to localhost/127.0.0.1. The DNSCrypt protocol makes all of your transactions secure.

 

Intelligent proxy feature

From DOC : intelligent proxy intercepts and proxies requests for malicious files embedded within certain so-called "grey" domains. Can work with or without SSL decryption. Cisco recommends SSL encryption

From TESTING DOC : If the IP address of "domain.com" comes back with an IP address within the range 146.112 / 16 (for example, 146.112.0.0 / 255.255.0.0), then it's being directed through the intelligent proxy.

3,830 Views
0 Likes
2 Replies
Reply
2 Replies
adamgwinn

‎Jul 09 2020 05:30 PM

‎Jul 09 2020 05:30 PM

Re: Impact to MDATP protection / visibility / investigations when using Cisco Umbrella Roaming Clien

@Sergg  did you ever see what happened here?

0 Likes
Reply
Sergg

‎Jul 14 2020 03:45 AM

‎Jul 14 2020 03:45 AM

Re: Impact to MDATP protection / visibility / investigations when using Cisco Umbrella Roaming Clien

@adamgwinnI did not found any info if this supported/unsupported/gives any complications. Besides the customer decided against OpenDNS so I did not had a chance to try and see what will happen live.

0 Likes
Reply