01-18-2024 05:25 AM
I'm just starting to look into the Cisco Umbrella product, and while I'm still in the early stages of my research and learning, the more I learn, the more it seems like FTD and Umbrella have overlap. It's very possible I'm missing something, so I wanted to ask the Cisco community if my thoughts are valid or if I'm missing something.
From what I've gathered about Cisco Umbrella:
There are various pieces of security/inspection offered by Umbrella, the most common/notable being DNS protection and web proxy. For both of these to work you need AnyConnect (secure client) installed on the endpoint (or Umbrella's client if AnyConnect isn't installed).
My question of FTD/Umbrella overlap is driven by knowing that FTD offers these same levels of protection. With Umbrella, your endpoint is redirecting DNS/Web traffic to Umbrella for inspection. Why not just have your AnyConnect client redirect the same traffic flows to the FTD for inspection there (FTD's DNS policy, IPS/Web inspection, and SSL decryption)?
Yes, the client must be connected to the FTD for these protections to be effective, but you could also configure 'always on' connection for the FTD remote access vpn. I believe this is essentially what Umbrella is doing to provide protection to the endpoint for web traffic.
What am I missing?
01-18-2024 06:27 AM
I agree with pretty much all that you mentioned; however, it would depend on the license set you have on the FTD. For instance, you might not have URL filtering on the FTD, in which case Umbrella would come in handy. Also, I think from the user-experience perspective, it would be more efficient to break out the DNS traffic directly from the clients to Umbrella rather than having to send it all the way back to the firewall and then back to the clients.
01-18-2024 06:45 PM
A few benefits of adding Umbrella to your security arsenal:
1. Umbrella embeds tons of near-real-time behavioral analyzers into its logic, which work against every record in every DNS request, while FTD largely goes by a predefined blocklist which is periodically downloaded
2. Its CASB functionality can help secure SaaS app usage (granular control for uploads/share/post + multi-mode DLP + cloud malware protection)
3. Umbrella can help off-load TLS decryption from FTD (which is resource intensive!)
4. Its Application Visibility is great for detecting shadow IT
5. and more..
While "always-on" is one way to protect remote users, one thing to remember is that back-hauling all your remote users' traffic and having it go through your on-prem security stack would not benefit them, especially if what they are all accessing is an application hosted on the internet. This can lead to poor user experience. You should think of Umbrella as an additional layer of security for your organization, especially now that we are in a cloud-centric world. Leveraging Umbrella would relieve the strain on your on-premise security stack by letting the remote users use their own internet connection to securely access these apps (via Umbrella).
HTH
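The contrast drawn in the reply above, between enforcement from a periodically downloaded blocklist and per-query analysis of each DNS name, can be made concrete with a small model. The following is an added illustration written for this page, not code from Cisco, FTD or Umbrella, and it does not claim to reproduce how either product classifies names. The blocklist entries, query names, and the entropy/vowel thresholds are all constructed assumptions for the example.

```python
"""Constructed illustration: a static suffix blocklist (the kind of feed a
firewall downloads on a schedule) next to a per-query lexical check that can
flag a name that is on no list at all. Not FTD or Umbrella code."""
import math
from collections import Counter

# Constructed sample blocklist; in a real deployment this is the downloaded feed.
SAMPLE_BLOCKLIST = {"malware-c2.example", "phish.test"}

# Assumed heuristic thresholds for the example, not values from any product.
MIN_LABEL_LEN = 10
MIN_ENTROPY_BITS = 3.3
MAX_VOWEL_RATIO = 0.2


def normalize(qname: str) -> str:
    """Strip the trailing dot of an FQDN and lowercase it."""
    return qname.rstrip(".").lower()


def blocklist_match(qname: str, blocklist=SAMPLE_BLOCKLIST):
    """Return the blocklisted suffix that covers qname, or None.

    Matching happens on label boundaries, so 'cdn.malware-c2.example' is a hit
    while 'notmalware-c2.example' is not (a plain substring check would block it).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def lexical_flag(qname: str):
    """Flag a long, high-entropy, vowel-poor leftmost label (DGA-like).

    This is evaluated on every query, so it can fire on a name that was
    registered minutes ago and appears on no downloaded list.
    """
    labels = normalize(qname).split(".")
    if len(labels) < 2:
        return None
    host = labels[0]
    if len(host) < MIN_LABEL_LEN:
        return None
    entropy = shannon_entropy(host)
    vowel_ratio = sum(ch in "aeiou" for ch in host) / len(host)
    if entropy >= MIN_ENTROPY_BITS and vowel_ratio < MAX_VOWEL_RATIO:
        return f"dga-like label {host!r} (entropy {entropy:.2f})"
    return None


def classify(qname: str):
    """Return ('block', reason) or ('allow', None) for one DNS query name."""
    hit = blocklist_match(qname)
    if hit:
        return ("block", f"blocklist:{hit}")
    flag = lexical_flag(qname)
    if flag:
        return ("block", f"heuristic:{flag}")
    return ("allow", None)


if __name__ == "__main__":
    # Constructed sample queries.
    for name in ("www.cisco.com", "cdn.malware-c2.example.",
                 "notmalware-c2.example", "xk3jq9vz7m2p.example"):
        print(name, "->", classify(name))
```

The two checks fail in different ways: the static list misses anything registered after the last download, while the lexical heuristic will flag legitimate hash-like hostnames (CDN asset hosts, tokenised tracking domains) and needs an allowlist or a reputation source in front of it. Whichever product enforces the policy, the practical question from the thread is where the query is evaluated: on a client that breaks out directly, or on a firewall the query has to be tunnelled back to.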