Comparing WSA and Cisco Umbrella
Web Security Appliance and Cisco Umbrella
WSA Versus Umbrella
Both are designed to protect against threats that occur through web traffic
Web Security Appliance - On-premises proxy appliance that web traffic flows through for inspection
Cisco Umbrella - Cloud-based product that blocks the DNS reply to malicious sites before the connection occurs
WSA Acceptable Use Controls - URL Filtering and Dynamic Content Analysis
URL Filtering
Legacy proxies can incorrectly categorize up to 80% of websites
WSA integrates into Cisco ecosystem
Talos determines malicious sites
85 predetermined URL categories
Sites can change categorization based on updated information
WSA Actions
Monitor - Monitor traffic and compare to other settings
Warn - Users will have to acknowledge AUP to continue
Block - Deny access to the site
Time Based - Access to sites during preconfigured times
Quota Based - Daily amount of traffic or time spent on a category
Explicit Allow - Allow sites regardless of whether they fall into blocked categories
Redirect - Redirects traffic to another URL
The WSA allows organizations to categorize websites into custom URL categories.
Uncategorized URLs
If the URLs are for internal sites, create a custom category
Otherwise, the WSA will use the Dynamic Content Analysis engine
Looks for words inside the URL
Analyzes the content of the site and compares it to a large dataset
Precedence
Custom URL Categories
Predefined URL Categories
Undefined URL Categories
WSA Acceptable Use Controls - Application Visibility and Control
Application Visibility and Control
Differences between URLs and applications
URL filtering alone is all or nothing
AVC sees applications in use on the website
Categorize Applications
Name
Behavior
Type
WSA Actions
Monitor - Monitor traffic and compare to other settings
Bandwidth Limit - Limit the total amount of traffic to the site
Restrict - Application isn’t allowed but the website is
Block - Entire website is blocked
Anti-malware on the WSA
Dynamic Vectoring and Streaming Engine
DVS engine is a framework that allows for other systems to integrate with the WSA.
Webroot - Adware and spyware detection that compares the URL request to a signature database
Sophos - Malware scanning engine that uses genotype and behavioral genotype technologies
McAfee - Uses signatures and heuristic analysis. Allows for new threats to be detected
Sophos and McAfee cannot be used at the same time. Webroot can be used with either Sophos or McAfee.
Cisco AMP Integration
Sends AMP the SHA-256 hash of the file
AMP reports whether the file is known to be malicious or not
If the hash hasn't been seen, the WSA will allow the file
Sends AMP a copy of the file
AMP will update the file's verdict as more information is learned
Web Reputation Scores (WBRS)
Integrate with Talos to determine a site's score on the likelihood that it would contain malicious content
-10 through -6 - Sites that have been hijacked or that are actively spreading malware; block traffic to that site
+6 through +10 - Widely accessed sites that have a long history of being responsible; allow traffic without decrypting
-6 through +6 - Ad syndication or user-generated content; allow traffic, but decrypt and scan for DLP
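As an added example (not code from the course notes or from Cisco), the following Python models the URL-category precedence above (custom, then predefined, then Dynamic Content Analysis for uncategorized URLs) together with the WBRS bands. The sample category data, the keyword-based stand-in for DCA, the order in which URL filtering and reputation are applied, and the treatment of the boundary scores -6 and +6 are all assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample policy data; not real Talos categorisation.
CUSTOM_CATEGORIES = {"Internal": {"intranet.corp.example"},
                     "Approved Tools": {"games.example"}}
PREDEFINED_CATEGORIES = {"news.example": "News", "games.example": "Games"}
CATEGORY_ACTIONS = {"Internal": "allow", "Approved Tools": "allow",
                    "News": "monitor", "Games": "block", "Gambling": "block"}
# Crude stand-in for the Dynamic Content Analysis engine: words in the URL.
DCA_KEYWORDS = {"casino": "Gambling", "poker": "Gambling"}


def categorize(url):
    """Precedence from the notes: custom, then predefined, then DCA."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for name, hosts in CUSTOM_CATEGORIES.items():
        if host in hosts:
            return name, "custom"
    if host in PREDEFINED_CATEGORIES:
        return PREDEFINED_CATEGORIES[host], "predefined"
    text = (host + parts.path).lower()
    for word, category in DCA_KEYWORDS.items():
        if word in text:
            return category, "dca"
    return "Uncategorized", "dca"


def reputation_action(score):
    """WBRS bands from the notes. Treating -6 as block and +6 as allow is an
    assumption: the ranges in the notes overlap at those two values."""
    if score <= -6:
        return "block"            # hijacked / actively spreading malware
    if score >= 6:
        return "allow"            # trusted site, no decryption
    return "decrypt_and_scan"     # middle band: decrypt and scan (DLP)


def evaluate(url, wbrs_score):
    """Assumed order: URL filtering decides first, then web reputation."""
    category, source = categorize(url)
    result = {"category": category, "source": source}
    cat_action = CATEGORY_ACTIONS.get(category, "monitor")
    if cat_action == "block":
        result.update(verdict="block", reason="url_filter")
    else:
        result.update(verdict=reputation_action(wbrs_score),
                      reason="reputation", warn=(cat_action == "warn"))
    return result
```

Note that games.example is blocked by its predefined category but allowed because a custom category matches first, while a site the URL filter blocks stays blocked even with a high reputation score.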
Cisco Umbrella Features
Traditional Firewalls and Proxies
Inspect the communication as it’s occurring
Requires traffic to be decrypted
Powerful devices are on-site
Can affect performance
Cisco Umbrella
Blocks the DNS reply so the communication never occurs
Relies on Cisco Talos data to know whether sites are safe or not
Safe sites/Whitelisted - Resolves the DNS request to the website
Unsafe sites/Blacklisted - DNS response goes to a block page
Unknown/Risky - DNS response goes to Umbrella's Intelligent Proxy in the cloud
Additional Umbrella Features
Associates multiple related domains - e.g., forexample.com and forinstance.com are different domains that are associated with each other
Top-level domain mapping - Uses regional registries such as the American Registry for Internet Numbers and the Asia-Pacific Network Information Centre; region-specific domains should have region-specific IP addresses
Intelligent Proxy
Used for risky sites
Resolves the DNS request with Umbrella's proxy IP
Inspect traffic, and can scale in size as needed
Umbrella Investigate
View real-time data on a website
DNS requests over time
Integrate with Umbrella Investigate’s API
Cisco Umbrella Tiers
Free Umbrella Tier
Point endpoints to 208.67.220.220 or 208.67.222.222
Blocks websites that Umbrella knows are malicious
Umbrella DNS Security Essentials
Create specific policies
Custom URL filtering and policies
Block users on-premises or using the Umbrella agents
Reports and API available
Umbrella DNS Security Advantage
Decrypt TLS traffic
Block direct IP communication
Umbrella Investigate
Umbrella Secure Internet Gateway Essentials
Direct IPsec tunnel to Umbrella
Threat Grid file sandboxing
Cloud-delivered firewall
Cloud Access Security Broker
All policies are configured in the Umbrella Cloud dashboard.