Dual NIC on windows client breaks Cisco Umbrella SIG

upllopyeret — Tue, 20 Aug 2024 14:14:58 GMT

Hi All

We've been testing if it's possible to break Umbrella on a Windows clients, and what we've found out is that if there's multiple NICs available, it's possible to disconnect the first NIC and then pass traffic on the second NIC to bypass Umbrella. No admin creds needs, just physical disconnects.

I can't find any documentation on Umbrella and dual NICs on a client, and how to prevent this.

Any thoughts?

Re: Dual NIC on windows client breaks Cisco Umbrella SIG

Ken Stieers — Tue, 20 Aug 2024 15:13:44 GMT

Replied to your reddit post too...

Newer builds use TND to catch that. Upgrade to 5.1.4.74 or later.
Release Notes for Cisco Secure Client (including AnyConnect), Release 5.1 - Cisco<>

Ken

Re: Dual NIC on windows client breaks Cisco Umbrella SIG

vishalbhandari — Thu, 22 Aug 2024 11:53:03 GMT

Potential Solutions to Prevent Bypassing Umbrella with Dual NICs:

Network Interface Binding:
- Configure the client to bind DNS requests to a specific NIC. This forces all DNS traffic to go through the NIC that Umbrella is monitoring.
Disable Secondary NICs:
- If possible, disable secondary NICs via Group Policy or manually configure them to prevent their use for network traffic.
Host-based Firewall Rules:
- Implement host-based firewall rules that restrict traffic on the secondary NIC, allowing only essential or specified traffic while ensuring DNS requests are forced through the primary NIC.
Routing Table Configuration:
- Configure the routing table on the client device so that DNS traffic is only routed through the NIC associated with Umbrella. This can be enforced using static routes.
Advanced Network Policies:
- Use Network Access Control (NAC) or other endpoint management tools to enforce policies that only allow traffic from approved NICs or restrict network access based on the NIC in use.
Umbrella Virtual Appliance:
- Deploy the Cisco Umbrella Virtual Appliance (VA) in your network to monitor and enforce DNS traffic at a more granular level. The VA can be configured to inspect traffic regardless of the NIC in use.
Endpoint Protection Integration:
- Integrate Umbrella with endpoint protection tools like Cisco AnyConnect Secure Mobility Client, which can enforce DNS security across all network interfaces.
Monitor Network Activity:
- Regularly monitor network activity for unusual patterns, such as devices suddenly switching NICs or using unmonitored network interfaces.

topic Dual NIC on windows client breaks Cisco Umbrella SIG in Cloud Security

Dual NIC on windows client breaks Cisco Umbrella SIG

Re: Dual NIC on windows client breaks Cisco Umbrella SIG

Re: Dual NIC on windows client breaks Cisco Umbrella SIG

Potential Solutions to Prevent Bypassing Umbrella with Dual NICs: