What is DNS filtering?

DNS stands for Domain Name System, which is the protocol on the Web that converts a text name for a Web address into an IP address. As inferred from the name, DNS filtering is an application that filters DNS requests, blocking some requests while permitting others to proceed. When accessing a filtered site, the filter can redirect an unauthorized user to another page, usually a “you are not authorized…” message, or simply dropped (“Page not found” error).

IT staff can apply DNS filtering to inbound Internet traffic, outbound Internet traffic or both.  Organizations filter inbound traffic for two main reasons. First, as a security measure, where requests from unknown or suspicious addresses are blocked from accessing the URL (uniform resource locator, or simply Web address), belonging to the organization. Second, some organizations use DNS filtering to permit access to certain locations based on the origin address. For example, a company sets up a paywall where users who pay a fee have access to additional content.  On the outgoing side, organizations typically use DNS filtering to prevent staff access to questionable locations or to restrict access to non-business locations, such as social media.

An organization can also use DNS filtering as a tool within its IT environment to control user access to organization information.  The organization can set up an intranet with address-based data locations and then control user access through DNS filtering.

Typically, IT staff sets DNS filters according to standard logic rules (allow anyone from these address to access this location, allow anyone except these addresses to access this location). Most filters support multi-variable criteria (“AND” and “OR”, for example). In addition to web addresses, most filters can also add a time dimension (for example, “company staff cannot access social media sites during standard work hours”) or a class dimension (for example, “Silver Partners can access these sites in our network, Gold Partners can access Silver sites and additionally these sites”).

Why does ETTE recommend Cisco Umbrella for DNS filtering?

Cisco Umbrella is best described as DNS filtering on steroids. In addition to DNS filtering, Cisco Umbrella has a number of security features that touch on other elements of a comprehensive network defense system including endpoint protection and SIEM-ready linkages. Cisco Umbrella has these key features:

Intelligent Proxy: Most DNS filters work by proxying user requests for a Web site to ensure an element of safety. However, proxy requests can create a time delay in accessing content. To address this delay, many DNS filters use whitelists (trusted sites) and blacklists (blocked sites). These lists allow most of the user requests to pass freely (or not) through the filter. The issue arises from sites with mixed content, where addresses have been known to have both good and bad traffic. Umbrella routes request to the risky domains for deeper URL and file inspection, effectively protecting the users without a delay or performance impact.

Cisco Ecosystem: One of the greatest advantages of using applications from a major provider like Cisco is Cisco’s enormous Web presence. Cisco’s presence permits it to collect terabytes of information on the 175 billion daily Internet requests passing through the 30 worldwide data centers Cisco operates. Cisco current lists over 7 million malicious destinations tracked daily.

Command and Control Callback Blocking: This feature can help stop an attack dead in its tracks. If Umbrella discovers an event such as data filtration or ransomware deployment from an infected source, the application cuts access from the attacking source servers. This action stops data exfiltration or execution of ransomware encryption.

On and Off Network Traffic Visibility: Umbrella provides visibility into internet activity across all devices, overall ports, even when users are off your organization’s network. Organizations can retain activity logs forever, and the traffic visibility makes an excellent source for SIEM data.

Statistical Threat Modeling:  Umbrella analyzes data to identify patterns, detect anomalies and create models to predict if a domain or IP address is likely malicious. Cisco analyzes the request patterns to detect many types of threats and anomalies. For example, Umbrella can determine if a system is compromised based on the types of requests its making. If a device is making requests to a number of known-bad domains, it is more likely to be compromised. The user requests patterns across Cisco’s user base provides great insight into potential threats.

In the second part of the process, if the global cache doesn’t have a non-expired response to the request, then Cisco recursively contacts all of the nameservers that are authoritative for the domain requested. This process gathers authoritative logs for virtually every domain daily, which Cisco uses to find newly staged infrastructures and other types of anomalies. This two-part analysis creates a level of proactivity not present in many other DNS filters.

Endpoint protection:  Umbrella can provide protection to most of your network endpoints, whether they are removable devices, or an integral part of your network. For removable devices, Umbrella’s lightweight roaming client or built-in Cisco AnyConnect integration can protect laptops when the VPN is off.  For fixed network devices, organizations with Cisco devices, such as SD-WAN, ISR 1K and 4K, Meraki MR, and WLAN, Umbrella provides protection across hundreds of network devices with one click.

Cloud-based: Like most cloud-based applications, Cisco Umbrella is automatically upgraded with each new release.  Automat upgrades mean you never have to worry about whether you have the latest version to provide the most effective coverage. Similarly, as Cisco gains information about questionable sites, that information is immediately transferred to the Umbrella engine and available for all users. Cloud-based systems also save your organization the costs of acquiring thousands of dollars in hardware required to support a host of network defenses.

ETTE can help

Cisco Umbrella comes in 3 subscription-based packages, designed to meet the security needs of every organizational size and budget. ETTE can configure your Cisco Umbrella system, configuring all the settings for your organizations particular IT environment. Contact ETTE to find out more about how we, in conjunction with Cisco Systems, can help you defend against Web-based threats at a price that is surprisingly affordable.