
TechWiseTV Workshop: OpenDNS and AnyConnect


Page 1: TechWiseTV Workshop: OpenDNS and AnyConnect

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

OpenDNS and AnyConnect

Adam Winn, Product Manager

Aug 30th, 2016

Page 2: TechWiseTV Workshop: OpenDNS and AnyConnect

OpenDNS Umbrella Overview

DNS-Layer Network Security Delivered from the Cloud

Page 3: TechWiseTV Workshop: OpenDNS and AnyConnect

Desktops

Business Apps

Critical Infrastructure

Page 4: TechWiseTV Workshop: OpenDNS and AnyConnect

Desktops

Business Apps (Salesforce, Marketo, DocuSign, etc.)

Critical Infrastructure (Amazon, Rackspace, Windows Azure, etc.)

Roaming Laptops

Remote Users

Page 5: TechWiseTV Workshop: OpenDNS and AnyConnect

The NGFW Improves Perimeter Security
But Relies on the VPN to Protect Roaming Users

Last 20 years of security outside the perimeter:

VPN on

REMOTE ACCESS

Page 6: TechWiseTV Workshop: OpenDNS and AnyConnect

But Not Every Connection Goes Thru the VPN
Creating a Blind Spot for the NGFW

VPN off*

*or split tunnel

Not all traffic—over all ports, all the time— is backhauled

Page 7: TechWiseTV Workshop: OpenDNS and AnyConnect


By 2018, Gartner estimates:

25% of corporate data traffic will bypass perimeter security.

Page 8: TechWiseTV Workshop: OpenDNS and AnyConnect

The Way Your Employees Work has Changed

82% of workers admit to not always using VPN

49% of the workforce is mobile and under defended

Your network extends beyond the perimeter, and your security must, too.

Security may never stop 100% of the threats, but it must work 100% of the time.

Page 9: TechWiseTV Workshop: OpenDNS and AnyConnect

Where Do You Enforce Security?

[Diagram labels: INTERNET; MALWARE, C2/BOTNETS, PHISHING; Perimeter: ROUTER/UTM, SANDBOX, PROXY, NGFW, NETFLOW; Endpoint: AV; FIRST LAYER, MID LAYER, LAST LAYER]

CHALLENGES
• Too Many Alerts via Appliances & AV
• Wait Until Payloads Reach Target
• Too Much Time to Deploy Everywhere

BENEFITS
• Alerts Reduced 2-10x; Improves Your SIEM
• Traffic & Payloads Never Reach Target
• Provision Globally in UNDER 30 MINUTES

Page 10: TechWiseTV Workshop: OpenDNS and AnyConnect

How We Do It

Predict Threats Before They Happen
Real-time, diverse data reveals internet activity patterns, which we learn from to identify attacker infrastructure

Security Efficacy and Performance
Blocks malicious domain requests and IP responses as DNS queries are resolved

[Diagram labels: DNS; xyz.com; 1.2.3.4]

No Extra Agents or User Actions
Integrated into Cisco AnyConnect for Windows and Mac, and there’s nothing new for end-users to do

Page 11: TechWiseTV Workshop: OpenDNS and AnyConnect

Our Perspective
Diverse Set of Data

80B Requests Per Day

65M Daily Active Users

160 Countries

12K Customers

Page 12: TechWiseTV Workshop: OpenDNS and AnyConnect

Statistical Models

“C-Rank” Model (co-occurrences)
• Identifies other domains looked up in rapid succession of a given domain
• Correlations uncover other domains related to an attack

“NLP-Rank” Model (Natural Language Processing)
• Detect domain names that spoof brand and tech terms in real-time

“SP-Rank” Model (Spike Rank)
• Detect domains with sudden spikes in traffic
• Finds domains involved in active attacks

Predictive IP Space Monitoring
• Analyzes how servers are hosted to detect future malicious domains
• Identifies steps that precede malicious activity

Many More Models
• Live DGA
• SecureRank
• Geo-Diversity
• Geo-Distance

Earliest & Most Accurate Predictions & Classifications

1M+ Live Events Per Second
FULLY AUTOMATED

Page 13: TechWiseTV Workshop: OpenDNS and AnyConnect

No One Combines Better Performance & Effectiveness

#1 Fastest & Most Reliable DNS w/ 65M+ Users

3M+ Daily New Domain Names Discovered

60K+ Daily Malicious Destinations Identified

7M+ Total Malicious Destinations Enforced

Page 14: TechWiseTV Workshop: OpenDNS and AnyConnect

OpenDNS and AnyConnect
Working Together To Simplify Security

Page 15: TechWiseTV Workshop: OpenDNS and AnyConnect

Key Definitions

• OpenDNS Umbrella: Cloud-delivered, predictive network security service for DNS and IP activity.

• Cisco Umbrella Roaming: Limited version of OpenDNS Umbrella. For off-network/off-VPN protection. Sold alongside AnyConnect, ASA and NGFW. Cisco-branded.

Page 16: TechWiseTV Workshop: OpenDNS and AnyConnect

Key Definitions

• Umbrella Roaming Client (URC): A lightweight, standalone agent that tags and directs an endpoint’s DNS requests to Umbrella. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X.

• Umbrella Roaming module for AnyConnect: A new AnyConnect 4.3 module that performs the same functions as the standalone URC. Comes with OpenDNS Umbrella* and Cisco Umbrella Roaming. For Windows and OS X.

* OpenDNS Umbrella Professional, Insights, Platform, and MSP

Page 17: TechWiseTV Workshop: OpenDNS and AnyConnect

Umbrella Roaming: The Challenge
Under-protected off-network users

• On-premises users are protected by stacks of security products
• Remote workers must use VPN to get the same level of protection

[Diagram labels: VPN on; SANDBOX, PROXY, NGFW, NETFLOW]

Page 18: TechWiseTV Workshop: OpenDNS and AnyConnect

Umbrella Roaming: The Challenge
Under-protected off-network users

• But VPN utilization is decreasing
• 82% of workers admit to not always using VPN when remote

[Diagram labels: VPN off; SANDBOX, PROXY, NGFW, NETFLOW]

Page 19: TechWiseTV Workshop: OpenDNS and AnyConnect

Cisco Umbrella Roaming
Cloud-Delivered Security Service for Cisco NGFW

• Protection when off the VPN; no additional agent required*
• Visibility and enforcement at the cloud-edge via DNS
• Block requests to malicious domains and IPs
• Predictive intelligence: uncover current and emergent threats

[Diagram labels: VPN on; VPN off; ODNS active; SANDBOX, PROXY, NGFW, NETFLOW; Umbrella; Block: Malware, Phishing Sites, C2 Callbacks]

* When used with the AnyConnect Umbrella module

Page 20: TechWiseTV Workshop: OpenDNS and AnyConnect

Building Installation Package
One-Time Process

On the Security or System Admin’s Machine:
• Download Profile for AnyConnect Module (dashboard2.opendns.com*)
• Download AC 4.3 Push- or Pull-Deploy Image (software.cisco.com)

*Currently at dashboard2.opendns.com, but will switch to dashboard.umbrella.com in November

Page 21: TechWiseTV Workshop: OpenDNS and AnyConnect

Uploading Installation Package

Create/Edit VPN Policy to Include Umbrella Module

“PUSH” OPTION: Upload AC 4.3 and All Files to Endpoint Software Distribution

“PULL” OPTION: Upload AC 4.3 and All Files to ASA or ISE

Page 22: TechWiseTV Workshop: OpenDNS and AnyConnect

Optional Automatic Updates
Eliminates On-Going Maintenance for AnyConnect

[Diagram labels: AnyConnect update on cisco.com; Umbrella service; Umbrella module enabled in AnyConnect]

• Umbrella service regularly checks for new AnyConnect versions, which includes all modules, not just “Roaming Security”
• Umbrella module regularly checks for updates, and automatically installs new version without admin or user intervention

Page 23: TechWiseTV Workshop: OpenDNS and AnyConnect

Easy Upgrade Experience: Demo

Page 24: TechWiseTV Workshop: OpenDNS and AnyConnect


AnyConnect Module: How We Enforce Security at the DNS Layer

Page 25: TechWiseTV Workshop: OpenDNS and AnyConnect

DNS Forwarded to Umbrella or Local DNS Server

[Diagram labels: Any Running App; Built-in OS Components (.NET API, Windows Registry, WMI Configuration); AnyConnect Driver; Cisco AnyConnect Roaming Module / Roaming Security; LOCAL DHCP SERVER; LOCAL DNS SERVER; CISCO NGFW; CISCO UMBRELLA; device ID]

STEP 1: watch for new networks, exempted domains & VPN status
• Internal, split tunnel, & search domain lists for customer

STEP 2a: domains resolved by OpenDNS when outside VPN and not local
• DNS requests to Internet domains (START HERE!)
• encrypted EDNS request w/device ID
• enforces security policy based on threat intel & device ID
• returns IP to requested domain or block page

or STEP 2b: domains resolved by your DNS server when VPN tunneled or if local
• DNS requests to internal domains (START HERE!)
• forwards the identical DNS request
• response from your DNS server

Page 26: TechWiseTV Workshop: OpenDNS and AnyConnect

Powerful Security With No Complexity or Latency: Demo

Page 27: TechWiseTV Workshop: OpenDNS and AnyConnect


Simple for Both Security & Sysadmin Teams

1 Enable roaming in minutes

2 Global security by default

3 Instant visibility into threats

4 Detailed logs for incident response

Page 28: TechWiseTV Workshop: OpenDNS and AnyConnect

Where Does Umbrella Fit With CWS?

ON NETWORK (traffic to the INTERNET: ALL OTHER TRAFFIC, WEB TRAFFIC, EMAIL TRAFFIC)
• ASA/FirePOWER: DPI/block by IP, URL, packet, or file
• WSA/CWS: proxy/block by URL, content, or file
• ESA/CES: blocks by sender, content, or file
• Umbrella: resolve/block by domain, IP, or URL
• AMP FOR ENDPOINT: check/block hash

OFF NETWORK (traffic to the INTERNET: ALL OTHER TRAFFIC, WEB TRAFFIC, EMAIL TRAFFIC)
• CWS: proxy/block by URL, content, or file
• ESA/CES: blocks by sender, content, or file
• Umbrella: resolve/block by domain, IP, or URL
• AMP FOR ENDPOINT: check/block hash

Page 29: TechWiseTV Workshop: OpenDNS and AnyConnect

FAQ

• What version of the AnyConnect Client does this work on?
  o Minimum 4.3 MR1 (4.3.01095) for Windows and Mac

• Is there a minimum ASA version required?
  o Not for the Umbrella Roaming module

• Do I have to change the configuration on my ASA?
  o Not for pre-deploy. The ASA won’t override manual installations and profiles for Umbrella module.

• Does it require a separate license?
  o The Roaming Security module is included with AnyConnect Plus or Apex subscriptions. Devices without AnyConnect can use the Umbrella Roaming Client (standalone) that is included with most Umbrella subscriptions. In either case, an Umbrella subscription is still required.

• Is it available for iOS, Android or Chromebook?
  o While on-network, these devices can be protected with network-level policies (Umbrella Professional and above). There are no off-network agents for these platforms at this time.

Page 30: TechWiseTV Workshop: OpenDNS and AnyConnect

AnyConnect Umbrella Module: Roadmap

• IP Layer Enforcement*
• Active Directory integration for policies and reporting*
• Change Root CA from OpenDNS to Cisco**
• And much more…

* OpenDNS Umbrella Insights, Platform, and MSP
** Most relevant to OpenDNS Umbrella Insights and above

Page 31: TechWiseTV Workshop: OpenDNS and AnyConnect


Thank you for watching.

Page 32: TechWiseTV Workshop: OpenDNS and AnyConnect


Appendix

Page 33: TechWiseTV Workshop: OpenDNS and AnyConnect

Umbrella Roaming: Order of Operations

AnyConnect Umbrella module
1. Probe to determine network state
2. Tell AnyConnect to pass DNS queries
3. (If non-local domain) Creates EDNS0* packet, embeds unique device id
4. (and if port 443 is open) Encrypt data w/DNSCurve**
5. Gives packet to AnyConnect, to forward to OpenDNS’s anycast IP address for DNS resolution

Umbrella service
1. (if encrypted) decrypts DNS query
2. Checks domain and hostname for policy
3. (if not blocked or globally cached) resolves IP
4. Checks IP against intel
5. (if domain & IP safe) returns destination IP or (if domain or IP bad) returns block page IP

[Diagram labels: Umbrella module in AnyConnect; Umbrella service; Authoritative Nameservers: root, com., domain.com.]

* https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS
** https://dnscurve.org/
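To make steps 3 and 5 of the module's order of operations concrete, the following added Python sketch (not Cisco or OpenDNS code) builds a DNS query whose EDNS0 OPT record carries a device ID and parses it back the way a receiving resolver would. The option code 65001, the 8-byte ID and all function names are assumptions, since the slides do not give the real wire format; the DNSCurve encryption of step 4 is left out.

```python
import struct

# Assumption: code 65001 is from the EDNS0 local/experimental range (RFC 6891);
# the slides do not state the option code Umbrella actually uses.
DEVICE_ID_OPTION = 65001
OPT_RR_TYPE = 41  # EDNS0 OPT pseudo-record

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(name, device_id, txid=0x1234):
    """Build an A query whose additional section carries one OPT record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    option = struct.pack("!HH", DEVICE_ID_OPTION, len(device_id)) + device_id
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLENGTH, options
    opt_rr = b"\x00" + struct.pack("!HHIH", OPT_RR_TYPE, 4096, 0, len(option)) + option
    return header + question + opt_rr

def read_name(packet, off):
    """Read an uncompressed name; return (dotted name, offset after it)."""
    labels = []
    while (n := packet[off]):
        if n & 0xC0:
            raise ValueError("compressed names are not handled here")
        labels.append(packet[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def parse_device_id(packet):
    """Resolver side: return (qname, device_id); device_id is None if absent."""
    arcount = struct.unpack("!H", packet[10:12])[0]
    qname, off = read_name(packet, 12)
    off += 4  # skip QTYPE and QCLASS
    for _ in range(arcount):
        _, off = read_name(packet, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off, end = off + 10, off + 10 + rdlen
        while rtype == OPT_RR_TYPE and off + 4 <= end:
            code, length = struct.unpack("!HH", packet[off:off + 4])
            if code == DEVICE_ID_OPTION:
                return qname, packet[off + 4:off + 4 + length]
            off += 4 + length
        off = end
    return qname, None

# Constructed sample: example.com with an arbitrary 8-byte placeholder device ID.
SAMPLE = build_query("example.com", bytes.fromhex("0011223344556677"))
```

A query without the option, such as one sent to a local DNS server for an internal domain, parses to a device ID of `None`.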

Page 34: TechWiseTV Workshop: OpenDNS and AnyConnect

AnyConnect Module: States of Operation

PROTECTED BY UMBRELLA
• Protected by Umbrella: Non-local domain requests forwarded to 208.67.222.222 over 53/UDP
• Protected & Encrypted: Non-local domain requests forwarded to 208.67.222.222 over 443/UDP
• Protected by Umbrella Network* / Protected by Umbrella VA*: Probes Umbrella service; unlikely state as it's for different Umbrella packages

NOT PROTECTED BY UMBRELLA
• Configuring: Probing after network state change
• Unprotected: Can’t Connect; Missing Profile; Service Unavailable
• Disabled: Full-Tunnel VPN Active; Trusted Network Detected*

ADDITIONAL STATES SHOWN IN PORTAL
• Offline: Service unable to sync with module for a certain time period (e.g. computer not turned on)
• Uninstalled: End-user or admin properly removed module

* For other Umbrella packages, IP-Layer Enforcement may be provided by the module even in these states

Page 35: TechWiseTV Workshop: OpenDNS and AnyConnect

Why Add Security at the DNS Layer?

• 91% of C2 can be blocked at the DNS layer
• 68% of orgs don’t monitor recursive DNS
• 15% of C2 bypasses Web ports 80 & 443

[Diagram labels: WEB, NON-WEB, DNS, IP]

Sources: 2016 Cisco Annual Security Report; Lancope Research