msikilli
Cisco Employee

Release notes: Umbrella for Government 1.0 & 1.5

Updated: September 2024

What’s in this release:

  • Umbrella for Government, a FedRAMP Moderate [IL2] authorized instance of Cisco Umbrella.
  • Umbrella for Government includes the following: DNS Security, DNS EDU SKUs, SIG-Essentials, SIG Advantage, and SIG Edu SKUs.
  • Offers robust protection against modern-day cyber threats through DNS security, Secure Web Gateway (SWG), Data Loss Prevention (DLP), Cloud-Delivered Firewall (FaaS), and Cloud Access Security Broker (CASB) capabilities.
  • Extends DNS security with an integration with CISA’s Protective DNS (PDNS) service, enabling Federal agencies to meet the CISA requirements.
  • Offers protection through FIPS compliant* client binaries for roaming devices, mobile devices and Chromebooks.

Authorization Information

  • FedRAMP Moderate Authorized (IL2) instance of Cisco Umbrella. Agency Authorization by FCC (Agency sponsor).
  • Customer Eligibility: Federal, State, Local, Public EDU; US FedGov Contractors.
  • Gov Community Cloud. More details are available on the FedRAMP Marketplace.
  • For SLED customers, StateRAMP and TX-RAMP authorized.

Differences between Umbrella Commercial and Umbrella for Government:

Features available only in Umbrella for Government

  • PIV-CAC Card support for Cisco Virtual Appliance
  • Integration with CISA’s Protective DNS
  • FIPS compliant clients with secure registration
  • Redundancy/high availability: a pair of IPsec tunnels within a Network Tunnel Group, one terminating in the primary data center (DC) and one in the secondary DC. These DCs do not go out of rotation at the same time.

Services not available with Umbrella for Government:

  • Cisco Talos Incident Response (custom research and analysis)
  • XDR Integration (previously SecureX)
  • Network Devices Integration
  • Catalyst SDWAN Auto Tunneling

Features not available in Umbrella for Government

  • MultiOrg Support
  • Cisco Umbrella Investigate (console and API)
  • Reserved IP
  • Secure Malware Analytics (previously Threat Grid)
  • File Retrospectives
  • Selective proxy
  • Umbrella Legacy APIs and API keys
  • Umbrella Roaming Client (stand-alone DNS client)
  • Exports on Cisco managed S3 buckets
  • Block page bypass
  • Enforcement APIs
  • Microsoft IDP Integration (this has been queued for inclusion in Microsoft’s gallery and is waiting for Microsoft to publish).

Technical Notes

DNS - General:

  • Resolver addresses: 18.252.251.72, 18.254.118.193
  • DNSCrypt uses protocol version 3 only
    • Public Key: 02:2BCD:AA85:9C50:FEBD:A5E6:CC81:0AC2:033D:56DF:E908:F323:CE49:C753:6BE5:BF72:31FA
    • Provider: 3.dnscrypt-cert.umbrellagov.com
  • DoT/DoH service name: dns.umbrellagov.com

Authentication

When using non-SAML authentication, 2FA via SMS is not supported in Gov.

After the OrgInfo.json file is deployed to the client, user authentication will be prompted by the Umbrella Roaming Module prior to registration with the Umbrella organization. The user will see a popup window displaying the IdP authentication challenge.

If the user authentication is successful, the window will disappear, and registration will proceed normally. As part of the registration process, the client will obtain a time-to-live (TTL) value configured within the IdP. When the TTL value expires, the user will see a new popup window for reauthentication. The TTL interval is specified by the IdP admin.

If the user closes the window without authenticating, the window will reappear.

There is a documented bug whereby the user will see a blank authentication window if there is a communication problem with the IdP or if the IdP is not reachable.

Identity:

  • SAML 2.0 based authentication is used to securely register roaming devices against the customer’s preferred IdP. This has been tested with Okta, Entra, and ADFS; other IdPs are subject to testing.
    • Limitation: handling of encrypted SAML assertions is not supported.
  • In the SAML configuration page under “Re-authenticate Users”, the “Never” option has been removed.
  • SCIM apps will be available in the following marketplaces:
    • Okta OIN, app name “Cisco User Management for Umbrella for Government”
    • Entra (Azure) US Gov, app name “Cisco User Management for Secure Access”
  • Umbrella supports in-boundary download of artifacts including the Virtual Appliance and Cisco Secure Client (Windows and macOS available in March 2024).

Roaming client management:

  • Registration for unmanaged devices is not supported

Virtual Appliance (VA) and Active Directory Connector (ADC):

  • The VA supports PIV/CAC smart card authentication for admin SSH access when deployed on the VMware hypervisor.
  • The VA and ADC support API key-based authentication for registration and sync.
  • VA does not support anycast.
  • The VA is available for VMware and Hyper-V deployment. No cloud-based deployments are supported.
  • The VA supports DNS forwarding to CISA’s PDNS service.

Block/Warning Pages:

  • Block page bypass not supported.

Cisco Secure Client (CSC) Umbrella Roaming Module:

To leverage the Umbrella DNS and Secure Web Gateway (SWG) features in “GovCloud”, the CSC must run in “FedRAMP” mode. Once in FedRAMP mode, the Umbrella client will:

  1. Utilize the built-in CiscoSSL crypto library in FIPS mode.
  2. Communicate with Umbrella registration endpoints and SWG proxies running within the protected GovCloud environment.
  3. Leverage the configured IdP for SAML-based user authentication for registration and sync services.

Roaming Client Deployment:

The Umbrella system uses the OrgInfo.json file for its initial configuration; however, the content of this file has changed.

Example FedRAMP OrgInfo.json (not an actual FedRAMP org):

{
  "organizationId" : "000000",
  "isFedDeployment" : true
}

Example Commercial OrgInfo.json (not an actual configuration):

{
  "organizationId" : "000000",
  "fingerprint" : "415a3d0d4af440058299bc4993ab2bf5",
  "userId" : "000000"
}

The fingerprint and userId fields are no longer needed, since the client will authenticate the user directly.

The OrgInfo.json file should be placed in the same location as always (see the commercial documentation).
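A small pre-deployment check, added here as an example and not Cisco's own tooling, that validates an OrgInfo.json against the two shapes shown above: it classifies the file as FedRAMP or commercial, flags leftover fingerprint/userId fields in a FedRAMP file (a sign the file was cloned from a commercial org), and rejects a string "true" in place of the JSON boolean. The mode labels, the expect_fedramp switch and the treatment of a missing or false isFedDeployment as a commercial file are this example's own assumptions; the sample strings are constructed to match the shapes above.

```python
"""Sanity-check an Umbrella Roaming Module OrgInfo.json before deployment.

Added example, not Cisco's own tooling. It encodes only what the release
notes state: a FedRAMP-mode file carries "organizationId" and
"isFedDeployment": true, while the commercial-only "fingerprint" and
"userId" fields are no longer needed. Everything else (the mode labels,
the expect_fedramp switch, treating a missing or false flag as the
commercial shape) is this example's own assumption.
"""
import json
from dataclasses import dataclass, field

COMMERCIAL_ONLY = ("fingerprint", "userId")


@dataclass
class OrgInfoReport:
    mode: str                                  # "fedramp", "commercial" or "invalid"
    problems: list = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return self.mode != "invalid" and not self.problems


def check_orginfo(text: str, expect_fedramp: bool = True) -> OrgInfoReport:
    """Parse OrgInfo.json text and report whether it fits the expected deployment."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return OrgInfoReport("invalid", [f"not valid JSON: {exc.msg} (line {exc.lineno})"])
    if not isinstance(data, dict):
        return OrgInfoReport("invalid", ["top-level value is not a JSON object"])

    problems = []
    org = data.get("organizationId")
    # organizationId appears in both shapes on the page as a numeric string.
    if not isinstance(org, str) or not org.isdigit():
        problems.append("organizationId missing or not a numeric string")

    fed_flag = data.get("isFedDeployment")
    leftover = [k for k in COMMERCIAL_ONLY if k in data]

    if fed_flag is True:
        mode = "fedramp"
        if leftover:
            # Per the release notes these are no longer needed; a copied-over
            # fingerprint suggests the file was cloned from a commercial org.
            problems.append("commercial-only fields present in FedRAMP file: " + ", ".join(leftover))
    elif fed_flag is None or fed_flag is False:
        # Assumption: no flag (or false) means the commercial shape.
        mode = "commercial"
        missing = [k for k in COMMERCIAL_ONLY if k not in data]
        if missing:
            problems.append("commercial file missing: " + ", ".join(missing))
    else:
        # A string "true" or a number is not the JSON boolean the page shows.
        mode = "invalid"
        problems.append(f"isFedDeployment must be the JSON boolean true, got {fed_flag!r}")

    if mode != "invalid" and (mode == "fedramp") != expect_fedramp:
        wanted = "FedRAMP" if expect_fedramp else "commercial"
        problems.append(f"file is in {mode} shape but a {wanted} deployment was expected")
    return OrgInfoReport(mode, problems)


# Constructed samples following the two shapes shown in the release notes.
FEDRAMP_SAMPLE = '{"organizationId": "000000", "isFedDeployment": true}'
COMMERCIAL_SAMPLE = ('{"organizationId": "000000", '
                     '"fingerprint": "415a3d0d4af440058299bc4993ab2bf5", '
                     '"userId": "000000"}')
# A cloned commercial file with the flag bolted on (constructed).
MIXED_SAMPLE = ('{"organizationId": "000000", "isFedDeployment": true, '
                '"fingerprint": "415a3d0d4af440058299bc4993ab2bf5"}')

if __name__ == "__main__":
    for name, text in (("fedramp", FEDRAMP_SAMPLE), ("commercial", COMMERCIAL_SAMPLE), ("mixed", MIXED_SAMPLE)):
        report = check_orginfo(text)
        print(f"{name}: {report.mode}", "OK" if report.ok else report.problems)
```

Run it against the file you are about to push to endpoints; a report whose mode is "fedramp" with an empty problems list is the only outcome that matches the FedRAMP shape in the release notes.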

 

 
