topic Umbrella /w Decryption in Cloud Security

Umbrella /w Decryption

guacamoley — Thu, 30 May 2024 14:23:22 GMT

I'm having a tough time understanding Umbrella's decryption capabilities. Since Umbrella is just analyzing the DNS Request, how is it able to utilize file policy when Decryption is enabled? Furthermore, my edge firewall is already providing SSL Decryption for internet capabilities. Do I need to worry about using decryption both on the endpoint and the perimeter?

Re: Umbrella /w Decryption

Ken Stieers — Thu, 30 May 2024 14:43:14 GMT

What level of Umbrella are you using? Just DNS? SIG?
And how are you getting the data there if SIG? Tunnels? Client?

Re: Umbrella /w Decryption

guacamoley — Thu, 30 May 2024 14:44:19 GMT

Just DNS. Majority of traffic through secure client.

Re: Umbrella /w Decryption

franzd — Thu, 30 May 2024 23:56:11 GMT

Depending on which DNS tier you are using (Essentials/Advantage):
Essentials - provides you DNS security
Advantage - has intelligent proxy capability which proxies requests to those "grey" sites that we call (e.g. reddit).

So if you are using Essentials, then you will definitely not going to see any web traffic from your activity logs.

Why use Umbrella if you already have a firewall in the HQ? Few reasons:

Most of the organizations today now has a hybrid workforce which your on-prem firewall cannot protect. Yes you can have them VPN-in, but are they really going to? Especially now that most of the applications we use are in the cloud.
Visibility - application discovery report would give you great visibility about the applications your users were using. This gives you visibility into those unsanctioned applications like pdf/word converters for example that you can then block. (you cannot block what you cannot see)
Alleviate TLS decryption load from the firewall - TLS decryption is resource intensive, you can utilize umbrella to offload these from the firewall.

HTH

Re: Umbrella /w Decryption

guacamoley — Fri, 31 May 2024 12:23:35 GMT

I'm still finding this confusing. So with DNS Security, intelligent proxy doesn't do anything? But with advantage intelligent proxy will send the actual https traffic to the proxy or will it just send the dns requeste to the proxy?

Re: Umbrella /w Decryption

Ken Stieers — Fri, 31 May 2024 12:42:26 GMT

With advanced intelligent proxy SOME traffic, the possibly suspect traffic, goes to the proxy. The list of sites that are sent isn't published, but you can look at what traffic of yours is going in the Umbrella console.

If you just have DNS Essentials, none of your traffic goes to the proxy.