© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
OpenDNS and AnyConnect
Adam Winn, Product Manager
Aug 30th, 2016
Slide 2: OpenDNS Umbrella Overview
DNS-Layer Network Security Delivered from the Cloud
Slide 3 (diagram): Desktops; Business Apps; Critical Infrastructure

Slide 4 (diagram): Desktops; Business Apps (Salesforce, Marketo, DocuSign, etc.); Critical Infrastructure (Amazon, Rackspace, Windows Azure, etc.); Roaming Laptops; Remote Users
Slide 5: The NGFW Improves Perimeter Security, But Relies on the VPN to Protect Roaming Users
Last 20 years of security outside the perimeter: VPN on (remote access)
Slide 6: But Not Every Connection Goes Thru the VPN, Creating a Blind Spot for the NGFW
VPN off* (*or split tunnel)
Not all traffic, over all ports, all the time, is backhauled
Slide 7
By 2018, Gartner estimates: 25% of corporate data traffic will bypass perimeter security.
Slide 8: The Way Your Employees Work has Changed
• 82% of workers admit to not always using VPN
• 49% of the workforce is mobile and under defended
Your network extends beyond the perimeter, and your security must, too.
Security may never stop 100% of the threats, but it must work 100% of the time.
Slide 9: Where Do You Enforce Security?
(Diagram: Internet threats (malware, C2/botnets, phishing) shown against enforcement points at the perimeter (router/UTM, NGFW, NetFlow, sandbox, proxy) and at the endpoint (AV), labelled as first, mid, and last layer.)
Challenges:
• Too Many Alerts via Appliances & AV
• Wait Until Payloads Reach Target
• Too Much Time to Deploy Everywhere
Benefits:
• Alerts Reduced 2-10x; Improves Your SIEM
• Traffic & Payloads Never Reach Target
• Provision Globally in UNDER 30 MINUTES
Slide 10: How We Do It
Predict Threats Before They Happen
Real-time, diverse data reveals internet activity patterns, which we learn from to identify attacker infrastructure
Security Efficacy and Performance
(Diagram: DNS resolution of xyz.com to 1.2.3.4)
Blocks malicious domain requests and IP responses as DNS queries are resolved
No Extra Agents or User Actions
Integrated into Cisco AnyConnect for Windows and Mac, and there’s nothing new for end-users to do
Slide 11: Our Perspective: Diverse Set of Data
• 80B requests per day
• 160 countries
• 65M daily active users
• 12K customers
Slide 12: Statistical Models: Earliest & Most Accurate Predictions & Classifications
“C-Rank” Model (co-occurrences)
• Identifies other domains looked up in rapid succession of a given domain
• Correlations uncover other domains related to an attack
“NLP-Rank” Model (Natural Language Processing)
• Detect domain names that spoof brand and tech terms in real-time
“SP-Rank” Model (Spike Rank)
• Detect domains with sudden spikes in traffic
• Finds domains involved in active attacks
Predictive IP Space Monitoring
• Analyzes how servers are hosted to detect future malicious domains
• Identifies steps that precede malicious activity
Many More Models
• Live DGA
• SecureRank
• Geo-Diversity
• Geo-Distance
1M+ Live Events Per Second, FULLY AUTOMATED
Slide 13: No One Combines Better Performance & Effectiveness
• #1 Fastest & Most Reliable DNS w/ 65M+ Users
• 3M+ Daily New Domain Names Discovered
• 60K+ Daily Malicious Destinations Identified
• 7M+ Total Malicious Destinations Enforced
Slide 14: OpenDNS and AnyConnect: Working Together To Simplify Security
Slide 15: Key Definitions
• OpenDNS Umbrella: Cloud-delivered, predictive network security service for DNS and IP activity.
• Cisco Umbrella Roaming: Limited version of OpenDNS Umbrella. For off-network/off-VPN protection. Sold alongside AnyConnect, ASA and NGFW. Cisco-branded.
Slide 16: Key Definitions
• Umbrella Roaming Client (URC): A lightweight, standalone agent that tags and directs an endpoint’s DNS requests to Umbrella. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X.
• Umbrella Roaming module for AnyConnect: A new AnyConnect 4.3 module that performs the same functions as the standalone URC. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X.
* OpenDNS Umbrella Professional, Insights, Platform, and MSP
Slide 17: Umbrella Roaming: The Challenge: Under-protected off-network users
• On-premises users are protected by stacks of security products
• Remote workers must use VPN to get the same level of protection
(Diagram: VPN on; sandbox, proxy, NGFW, NetFlow)
Slide 18: Umbrella Roaming: The Challenge: Under-protected off-network users
• But VPN utilization is decreasing
• 82% of workers admit to not always using VPN when remote
(Diagram: VPN off; sandbox, proxy, NGFW, NetFlow)
Slide 19: Cisco Umbrella Roaming
Cloud-Delivered Security Service for Cisco NGFW
(Diagram: with VPN on or off and OpenDNS active, Umbrella blocks malware, phishing sites and C2 callbacks alongside the sandbox, proxy, NGFW and NetFlow stack)
• Protection when off the VPN: no additional agent required*
• Visibility and enforcement at the cloud-edge via DNS
• Block requests to malicious domains and IPs
• Predictive intelligence: uncover current and emergent threats
* When used with the AnyConnect Umbrella module
Slide 20: Building Installation Package (One-Time Process)
From the security or system admin’s machine:
• Download the profile for the AnyConnect module from dashboard2.opendns.com*
• Download the AnyConnect 4.3 push- or pull-deploy image from software.cisco.com
* Currently at dashboard2.opendns.com, but will switch to dashboard.umbrella.com in November
Slide 21: Uploading Installation Package
• Create/edit the VPN policy to include the Umbrella module (AnyConnect 4.3)
• “PUSH” option: upload AC 4.3 and all files to endpoint software distribution
• “PULL” option: upload AC 4.3 and all files to ASA or ISE
Slide 22: Optional Automatic Updates: Eliminates On-Going Maintenance for AnyConnect
(Diagram: AnyConnect update on cisco.com; Umbrella service; Umbrella module enabled in AnyConnect)
• Umbrella service regularly checks for new AnyConnect versions, which includes all modules, not just “Roaming Security”
• Umbrella module regularly checks for updates, and automatically installs new version without admin or user intervention
Slide 23: Easy Upgrade Experience: Demo
Slide 24: AnyConnect Module: How We Enforce Security at the DNS Layer
Slide 25: DNS Forwarded to Umbrella or Local DNS Server
(Diagram, three panels: any running app sends DNS requests through the AnyConnect driver to the Cisco AnyConnect Roaming Module, which forwards them either to Cisco Umbrella or to the local DNS server. Built-in OS components used by the module: .NET API, Windows Registry, WMI configuration. Also shown: the local DHCP server, the Cisco NGFW, and the device ID attached to each request.)
START HERE: DNS requests to Internet domains, and DNS requests to internal domains
STEP 1: watch for new networks, exempted domains & VPN status (using the local DHCP server and the customer’s internal, split tunnel, & search domain lists)
STEP 2a: domains resolved by OpenDNS when outside VPN and not local
• encrypted EDNS request w/ device ID
• Umbrella enforces security policy based on threat intel & device ID
• returns IP to requested domain or block page
or STEP 2b: domains resolved by your DNS server when VPN tunneled or if local
• forwards the identical DNS request
• response from your DNS server
Slide 26: Powerful Security With No Complexity or Latency: Demo
Slide 27: Simple for Both Security & Sysadmin Teams
1. Enable roaming in minutes
2. Global security by default
3. Instant visibility into threats
4. Detailed logs for incident response
Slide 28: Where Does Umbrella Fit With CWS?
(Diagram: Internet traffic split into web traffic, email traffic and all other traffic, shown for on-network and off-network devices)
On network:
• ASA/FirePOWER: DPI/block by IP, URL, packet, or file
• ESA/CES: blocks by sender, content, or file
• WSA/CWS: proxy/block by URL, content, or file
• Umbrella: resolve/block by domain, IP, or URL
• AMP for Endpoint: check/block hash
Off network:
• ESA/CES: blocks by sender, content, or file
• CWS: proxy/block by URL, content, or file
• Umbrella: resolve/block by domain, IP, or URL
• AMP for Endpoint: check/block hash
Slide 29: FAQ
• What version of the AnyConnect Client does this work on?
  o Minimum 4.3 MR1 (4.3.01095) for Windows and Mac
• Is there a minimum ASA version required?
  o Not for the Umbrella Roaming module
• Do I have to change the configuration on my ASA?
  o Not for pre-deploy. The ASA won’t override manual installations and profiles for Umbrella module.
• Does it require a separate license?
  o The Roaming Security module is included with AnyConnect Plus or Apex subscriptions. Devices without AnyConnect can use the Umbrella Roaming Client (standalone) that is included with most Umbrella subscriptions. In either case, an Umbrella subscription is still required.
• Is it available for iOS, Android or Chromebook?
  o While on-network, these devices can be protected with network-level policies (Umbrella Professional and above). There are no off-network agents for these platforms at this time.
Slide 30: AnyConnect Umbrella Module: Roadmap
• IP Layer Enforcement*
• Active Directory integration for policies and reporting*
• Change Root CA from OpenDNS to Cisco**
• And much more…
* OpenDNS Umbrella Insights, Platform, and MSP
** Most relevant to OpenDNS Umbrella Insights and above
Slide 31
Thank you for watching.
Slide 32: Appendix
Slide 33: Umbrella Roaming: Order of Operations
(Diagram: AnyConnect Umbrella module, Umbrella service, and the authoritative nameservers for root, com, and domain.com)
Umbrella module in AnyConnect:
1. Probe to determine network state
2. Tell AnyConnect to pass DNS queries
3. (If non-local domain) Creates EDNS0* packet, embeds unique device id
4. (and if port 443 is open) Encrypt data w/ DNSCurve**
5. Gives packet to AnyConnect, to forward to OpenDNS’s anycast IP address for DNS resolution
Umbrella service:
1. (if encrypted) decrypts DNS query
2. Checks domain and hostname for policy
3. (if not blocked or globally cached) resolves IP
4. Checks IP against intel
5. (if domain & IP safe) returns destination IP, or (if domain or IP bad) returns block page IP
* https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
** https://dnscurve.org/
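The path described on slide 25 (STEP 1, 2a, 2b) and spelled out above as the order of operations can be followed end to end in a small model. The following is an added example, not Cisco or OpenDNS code: it makes the module-side routing decision (local domain or full-tunnel VPN goes to the local resolver, everything else to Umbrella), builds a real wire-format DNS query whose EDNS0 OPT record carries a device ID, and runs a toy version of the service pipeline (domain policy, resolution, IP intel, destination IP or block page). The EDNS option code (65001, from the RFC 6891 local/experimental range), the device IDs, the zone data, the block lists and the block page IP are all constructed for the demo, and DNSCurve encryption is represented only by a transport label, not implemented.

```python
"""Model of the Umbrella Roaming order of operations (slides 25 and 33).
Added example, not Cisco or OpenDNS code: option code, device IDs, zone data,
block lists and block page IP are constructed; DNSCurve is only a label here."""
import struct

UMBRELLA_ANYCAST = "208.67.222.222"   # resolver address named on slide 34
BLOCK_PAGE_IP = "192.0.2.1"           # constructed placeholder (TEST-NET-1)
DEVICE_ID_OPTION = 65001              # assumption: RFC 6891 local/experimental option-code range
OPT_TYPE = 41                         # EDNS0 OPT pseudo-RR type (RFC 6891)

# Constructed stand-ins for threat intel, per-device policy and public DNS data.
BLOCKED_DOMAINS = {"malware.example"}
BLOCKED_IPS = {"203.0.113.66"}
DEVICE_POLICY = {b"dev-0001": {"gambling.example"}}     # extra category block for one device
ZONE = {"www.example.com": "198.51.100.10",
        "c2.example.net": "203.0.113.66",
        "gambling.example": "198.51.100.20"}


def route_query(qname, vpn_full_tunnel, local_suffixes):
    """Module side (steps 1, 2a, 2b): local domains and full-tunnel VPN go to the
    local DNS server; everything else is sent to Umbrella."""
    name = qname.rstrip(".").lower()
    if vpn_full_tunnel:
        return "local"
    for suffix in local_suffixes:
        s = suffix.rstrip(".").lower()
        if name == s or name.endswith("." + s):
            return "local"
    return "umbrella"


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qname, device_id, txid=0x1234):
    """Module step 3: an A query whose OPT record carries the device ID as an option."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    option = struct.pack("!HH", DEVICE_ID_OPTION, len(device_id)) + device_id
    # OPT RR: empty name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDATA
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, len(option)) + option
    return header + question + opt_rr


def parse_query(packet):
    """Service side: recover the query name and the device ID from the OPT record."""
    arcount = struct.unpack("!HHHHHH", packet[:12])[5]
    pos, labels = 12, []
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1 + 4                      # terminating zero byte plus QTYPE/QCLASS
    device_id = None
    if arcount:                       # 11-byte OPT header: name(1) type(2) class(2) ttl(4) rdlen(2)
        rtype, _size, _ttl, rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        rdata = packet[pos + 11:pos + 11 + rdlen]
        while rtype == OPT_TYPE and len(rdata) >= 4:
            code, olen = struct.unpack("!HH", rdata[:4])
            if code == DEVICE_ID_OPTION:
                device_id = rdata[4:4 + olen]
            rdata = rdata[4 + olen:]
    return ".".join(labels), device_id


def umbrella_resolve(packet):
    """Umbrella service steps 2-5: domain policy, resolution, IP intel, verdict."""
    qname, device_id = parse_query(packet)
    if qname in BLOCKED_DOMAINS or qname in DEVICE_POLICY.get(device_id, set()):
        return BLOCK_PAGE_IP, "blocked:domain"
    ip = ZONE.get(qname)
    if ip is None:
        return None, "nxdomain"
    if ip in BLOCKED_IPS:
        return BLOCK_PAGE_IP, "blocked:ip"
    return ip, "allowed"


def lookup(qname, device_id, vpn_full_tunnel=False, port_443_open=True,
           local_suffixes=("corp.example",)):
    """End to end: route the query, build the EDNS0 packet, pick the transport, resolve."""
    if route_query(qname, vpn_full_tunnel, local_suffixes) == "local":
        return {"resolver": "local", "transport": "53/UDP", "answer": None, "verdict": "forwarded"}
    packet = build_query(qname, device_id)
    transport = "443/UDP (DNSCurve)" if port_443_open else "53/UDP (plaintext)"
    ip, verdict = umbrella_resolve(packet)
    return {"resolver": UMBRELLA_ANYCAST, "transport": transport, "answer": ip, "verdict": verdict}


if __name__ == "__main__":
    for name, dev in [("www.example.com", b"dev-0001"), ("c2.example.net", b"dev-0001"),
                      ("gambling.example", b"dev-0002"), ("intranet.corp.example", b"dev-0001")]:
        print(name, dev.decode(), lookup(name, dev))
```

Two points the model makes visible: the device ID is what lets the service apply a per-device policy to an otherwise anonymous anycast query, and a domain that passes the policy check can still be blocked after resolution when its answer IP is on the intel list (the "blocked:ip" verdict), which is why the service checks both before answering.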
Slide 34: AnyConnect Module: States of Operation
(States listed from protected by Umbrella to not protected by Umbrella:)
• Protected by Umbrella: non-local domain requests forwarded to 208.67.222.222 over 53/UDP
• Protected & Encrypted: non-local domain requests forwarded to 208.67.222.222 over 443/UDP
• Protected by Umbrella Network* / by Umbrella VA*: probes Umbrella service; unlikely state as it’s for different Umbrella packages
• Configuring: probing after network state change
• Unprotected: can’t connect, missing profile, or service unavailable
• Disabled: full-tunnel VPN active, or trusted network detected*
Additional states shown in portal:
• Offline: service unable to sync with module for a certain time period (e.g. computer not turned on)
• Uninstalled: end-user or admin properly removed module
* For other Umbrella packages, IP-Layer Enforcement may be provided by the module even in these states
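The states above are what an operator has to reason about when asking "whose DNS is actually being inspected right now?". The following is an added example, not Cisco code: a classifier that maps a module's observations onto the slide's states, the portal-side view that turns a stale sync into Offline and a removal into Uninstalled, and a fleet summary that separates endpoints covered by Umbrella from those whose queries are going elsewhere. The observation field names, the precedence between conditions, the 24-hour Offline threshold (the slide only says "a certain time period") and the sync records are all constructed for the demo; the Umbrella Network and VA variants are not modelled.

```python
"""Classifier for the AnyConnect Umbrella module states listed on slide 34, with
the portal-side Offline/Uninstalled view and a fleet coverage summary.
Added example, not Cisco code: observation field names, the 24-hour Offline
threshold and the sync records are constructed for the demo."""
from datetime import datetime, timedelta, timezone

UMBRELLA_RESOLVER = "208.67.222.222"
OFFLINE_AFTER = timedelta(hours=24)   # assumption: the slide says only "a certain time period"
PROTECTED = {"Protected & Encrypted", "Protected by Umbrella"}
NOW = datetime(2016, 8, 30, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def module_state(obs):
    """Return (state, detail) from the module's own observations. The Umbrella
    Network / VA variants belong to other packages and are not modelled."""
    if obs.get("probing"):
        return "Configuring", "probing after network state change"
    if obs.get("full_tunnel_vpn"):
        return "Disabled", "full-tunnel VPN active"
    if obs.get("trusted_network"):
        return "Disabled", "trusted network detected"
    if not obs.get("profile_present"):
        return "Unprotected", "missing profile"
    if not obs.get("service_reachable"):
        return "Unprotected", "can't connect / service unavailable"
    if obs.get("port_443_open"):
        return "Protected & Encrypted", f"non-local queries to {UMBRELLA_RESOLVER} over 443/UDP"
    return "Protected by Umbrella", f"non-local queries to {UMBRELLA_RESOLVER} over 53/UDP"


def portal_state(record, now):
    """Portal view of one endpoint: Uninstalled wins, then a stale sync means
    Offline, otherwise the last state the module reported."""
    if record.get("uninstalled"):
        return "Uninstalled"
    if now - record["last_sync"] > OFFLINE_AFTER:
        return "Offline"
    return record["last_state"]


def coverage_report(records, now):
    """Group endpoints by whether their DNS is currently inspected by Umbrella."""
    report = {"umbrella": [], "not_umbrella": [], "unknown": []}
    for rec in records:
        state = portal_state(rec, now)
        if state in PROTECTED:
            report["umbrella"].append(rec["hostname"])
        elif state in ("Offline", "Uninstalled", "Configuring"):
            report["unknown"].append(rec["hostname"])
        else:                          # Unprotected or Disabled
            report["not_umbrella"].append(rec["hostname"])
    return report


def sample_fleet():
    """Constructed sync records as the portal might hold them."""
    return [
        {"hostname": "lt-01", "last_state": "Protected & Encrypted",
         "last_sync": NOW - timedelta(minutes=5)},
        {"hostname": "lt-02", "last_state": "Disabled",
         "last_sync": NOW - timedelta(minutes=9)},
        {"hostname": "lt-03", "last_state": "Unprotected",
         "last_sync": NOW - timedelta(hours=2)},
        {"hostname": "lt-04", "last_state": "Protected by Umbrella",
         "last_sync": NOW - timedelta(days=3)},
        {"hostname": "lt-05", "last_state": "Protected by Umbrella",
         "last_sync": NOW - timedelta(minutes=1), "uninstalled": True},
    ]


if __name__ == "__main__":
    print(module_state({"profile_present": True, "service_reachable": True, "port_443_open": True}))
    print(coverage_report(sample_fleet(), NOW))
```

Note that Disabled is put in the "not_umbrella" bucket on purpose: a full-tunnel VPN or trusted network means the on-premises stack is inspecting that traffic instead, so the endpoint is not unprotected, but it is also not something Umbrella reporting can vouch for.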
Slide 35: Why Add Security at the DNS Layer?
2016 Cisco Annual Security Report (web vs. non-web C2):
• 15% of C2 bypasses web ports 80 & 443
• 91% of C2 can be blocked at the DNS layer (DNS and IP)
Lancope Research:
• 68% of orgs don’t monitor recursive DNS
Recommended