Cisco Umbrella is one of the most interesting Cisco security solutions. Basically, Umbrella is a cloud-based solution built around a large DNS service: it all starts with DNS, which precedes file execution and IP connection. This means that Umbrella blocks malicious websites at the DNS level, before any IP connection is established with the malicious web server. If the website is categorized as clean, Cisco Umbrella behaves like a regular DNS server and returns the IP address of the web server; the PC then establishes a direct IP connection to the web server.

Cisco Umbrella was launched as a replacement for Cisco Cloud Web Security (CWS), which operated as a proxy server for HTTP and HTTPS traffic.

When Cisco Umbrella returns the IP address of a legitimate web server and we want to inspect that legitimate web traffic, how do we intercept this direct IP connection with the web server? This applies especially to HTTPS traffic, which needs to be decrypted in order to inspect whether a malicious file is embedded.

The solution is the "Intelligent Proxy" together with the "SSL Decryption" feature. The Intelligent Proxy is the ability of Cisco Umbrella to intercept and proxy web requests in order to inspect the content of the web traffic. We can choose, by category, which types of web traffic we want to proxy and to which we apply SSL decryption. When the Intelligent Proxy is enabled, instead of returning the IP address of the web server, Cisco Umbrella returns the IP address of the Intelligent Proxy server.

Basically, the Intelligent Proxy in Cisco Umbrella inherits the function of the old Cisco Cloud Web Security (CWS) solution.


Go to the Client PC

Open Firefox and browse to www.eicar.com.

The European Institute for Computer Antivirus Research (EICAR) developed the EICAR test file. This EICAR test file can be used to test the response of antivirus and antimalware programs.

Click DOWNLOAD ANTI MALWARE TESTFILE.

Under "Download area using standard protocol http", click eicar.com.

You should be able to download the Malware File as shown below.


From the Client PC, try another test by clicking eicar.com under "Download area using the secure, SSL enabled protocol https".

You should be able to download the Malware File as shown below.


Navigate to Policies > Management > All Policies and click to edit the policy Demo-Policy.

Enable File Inspection.


Navigate to Advanced Settings.

Select SSL Decryption to allow the Intelligent Proxy to inspect traffic over HTTPS.


Once SSL Decryption is selected, the Root Certificate section becomes available. Download the Cisco Umbrella root certificate and install it on the Client PC. Without this certificate, HTTPS connections will break, because the client will not trust the certificates that the Intelligent Proxy presents for decrypted sessions.

Edit Root Certificate and click Download Certificate.

Install the certificate on the Client PC.


Once enabled, it is worth testing whether it is working as expected. Access the URL https://ssl-proxy.opendnstest.com.


You should see a message confirming that SSL Decryption in the Intelligent Proxy is working.
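The browser test above relies on a page that reports whether it was reached through the proxy. A complementary check from the client side is to look at who issued the certificate the client actually received: when the Intelligent Proxy decrypts a session, the leaf certificate is issued by the Umbrella root you just installed; when the session goes directly to the web server, the issuer is the site's public CA. The script below is an added example and is not part of the original post or a Cisco tool. It assumes (not stated in the post) that the Umbrella root's issuer fields contain the organization "Cisco" and a common name containing "Umbrella"; adjust `ISSUER_MARKERS` to match the root certificate you downloaded. The two sample certificates are constructed data in the format returned by Python's `getpeercert()`, so the offline part runs without any network.

```python
"""Check whether Umbrella SSL Decryption is in the path for an HTTPS host.

Added example (not from the original post). Offline mode classifies two
constructed sample certificates; live mode (hostname on the command line)
opens a TLS session with the OS trust store and classifies the real peer
certificate.
"""
import socket
import ssl
import sys

# Assumption: substrings expected in the issuer of a certificate minted by the
# Umbrella root. Inspect the downloaded root certificate and adjust if needed.
ISSUER_MARKERS = {"organizationName": "Cisco", "commonName": "Umbrella"}


def issuer_fields(cert):
    """Flatten the 'issuer' tuple-of-tuples from ssl.SSLSocket.getpeercert()
    into a plain dict, e.g. {'commonName': 'Cisco Umbrella Root CA', ...}."""
    fields = {}
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            fields[key] = value
    return fields


def decrypted_by_umbrella(cert, markers=ISSUER_MARKERS):
    """True when every marker substring appears in the matching issuer field."""
    issuer = issuer_fields(cert)
    return all(needle in issuer.get(field, "") for field, needle in markers.items())


def verdict(cert, markers=ISSUER_MARKERS):
    """Human-readable result for one peer certificate."""
    cn = issuer_fields(cert).get("commonName", "<no CN>")
    if decrypted_by_umbrella(cert, markers):
        return f"DECRYPTED: issuer is {cn} (Intelligent Proxy in path)"
    return f"NOT DECRYPTED: issuer is {cn} (direct connection or decryption off)"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check: open a TLS session and return the parsed peer certificate.
    Verification uses the trust store Python sees, so this only succeeds for
    a decrypted session after the Umbrella root has been installed there."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real data).
SAMPLE_PROXIED = {
    "subject": ((("commonName", "ssl-proxy.opendnstest.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Cisco"),),
               (("commonName", "Cisco Umbrella Root CA"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA Inc"),),
               (("commonName", "Example Public CA"),)),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python3 check_umbrella_tls.py ssl-proxy.opendnstest.com
        try:
            print(verdict(fetch_peer_cert(sys.argv[1])))
        except ssl.SSLCertVerificationError as exc:
            print(f"TLS verification failed: {exc}")
            print("If decryption is on, the Umbrella root is probably missing from this trust store.")
    else:
        for sample in (SAMPLE_PROXIED, SAMPLE_DIRECT):
            print(verdict(sample))
```

Run it with no arguments to see the two constructed cases, or with `ssl-proxy.opendnstest.com` to classify the live session. Note that Python and Firefox do not necessarily consult the same trust store: a verification failure here while Firefox works (or the reverse) usually means the Umbrella root was imported into one store but not the other, which is itself a useful thing to learn about the client.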


Try to access the URL www.eicar.org once again; this time the access is blocked, as shown below.


Navigate to Reporting > Core Reports > Activity Search; you should see that the eicar website was blocked, so the malware file could not be downloaded.

