Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
672
Views
1
Helpful
2
Replies

Dual NIC on windows client breaks Cisco Umbrella SIG

upllopyeret
Level 1
Level 1

‎08-20-2024 06:03 AM - last edited on ‎08-20-2024 07:14 AM by Cisco Employee

Hi All

We've been testing if it's possible to break Umbrella on a Windows clients, and what we've found out is that if there's multiple NICs available, it's possible to disconnect the first NIC and then pass traffic on the second NIC to bypass Umbrella. No admin creds needs, just physical disconnects.

I can't find any documentation on Umbrella and dual NICs on a client, and how to prevent this.

Any thoughts?

router login 192.168.l.l
Labels:
0 Helpful
2 Replies 2

Ken Stieers
VIP
VIP

‎08-20-2024 08:13 AM

Replied to your reddit post too...

Newer builds use TND to catch that. Upgrade to 5.1.4.74 or later.
Release Notes for Cisco Secure Client (including AnyConnect), Release 5.1 - Cisco<>

Ken

vishalbhandari
Spotlight
Spotlight

‎08-22-2024 04:53 AM

Potential Solutions to Prevent Bypassing Umbrella with Dual NICs:

  1. Network Interface Binding:

    • Configure the client to bind DNS requests to a specific NIC. This forces all DNS traffic to go through the NIC that Umbrella is monitoring.

  2. Disable Secondary NICs:

    • If possible, disable secondary NICs via Group Policy or manually configure them to prevent their use for network traffic.

  3. Host-based Firewall Rules:

    • Implement host-based firewall rules that restrict traffic on the secondary NIC, allowing only essential or specified traffic while ensuring DNS requests are forced through the primary NIC.

  4. Routing Table Configuration:

    • Configure the routing table on the client device so that DNS traffic is only routed through the NIC associated with Umbrella. This can be enforced using static routes.

  5. Advanced Network Policies:

    • Use Network Access Control (NAC) or other endpoint management tools to enforce policies that only allow traffic from approved NICs or restrict network access based on the NIC in use.

  6. Umbrella Virtual Appliance:

    • Deploy the Cisco Umbrella Virtual Appliance (VA) in your network to monitor and enforce DNS traffic at a more granular level. The VA can be configured to inspect traffic regardless of the NIC in use.

  7. Endpoint Protection Integration:

    • Integrate Umbrella with endpoint protection tools like Cisco AnyConnect Secure Mobility Client, which can enforce DNS security across all network interfaces.

  8. Monitor Network Activity:

    • Regularly monitor network activity for unusual patterns, such as devices suddenly switching NICs or using unmonitored network interfaces.
0 Helpful
Customers Also Viewed These Support Documents