• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Products & Services

Extending SD-WAN Segmentation to Umbrella Cloud Security

Author avatar of Ryan ShoemakerRyan Shoemaker
Updated — February 27, 2023 • 6 minute read
View blog >

One of the key value propositions of leveraging a Cisco SD-WAN architecture is the ability to implement a highly effective segmentation strategy.  Implementing this allows organizations to separate devices into isolated networks such that there is no communication between each segment without a configuration expressly permitting that connection.  This architecture allows organizations to reduce attack surfaces and keep devices that shouldn’t be communicating with each other separate.  There has been a lot of work done in putting groups of devices such as Guests, IOT, and Corporate into separate segments and thereby eliminating areas of containment. 

With a migration to a SASE architecture and a cloud-first strategy, connecting branch office SD-WAN devices directly to a cloud security platform like Umbrella has become more standard.  But the question arises as to how organizations can continue to effectively extend their isolated segments to Umbrella.  How can they provide a differentiated level of services for each segment? 

Let’s address this question by examining using three key capabilities at Umbrella:  DNS Security, Secure Web Gateway, and Cloud Delivered Firewall.

Graphic showing how Umbrella protects segmented networks.

DNS Security

When designing a segmented network at branch locations and then augmenting those locations with a Direct Internet Access solution, there is a need to connect those DIA paths with a cloud-based security solution.  This is one of the key tenants of a SASE architecture.  In a segmented site however, there may be a desire to provide a different level of cloud-security functionality for different segments.  For example, a guest segment might only need DNS protection, an IOT segment might need DNS and Cloud Delivered Firewall protection, a standard employee segment might need Full DNS and SIG protection. 

SD-WAN has the ability to provide information up to Umbrella Datacenters about the originating device’s VPN and IP address.  It is through providing this information that different Umbrella policies can be enacted to different network segments.

The way to provide a different level of service and/or different policies begins with setting up the SD-WAN environment with different VPNs/VRFs for the different segments.  In the example shown in the accompanying videos, there are three different VPNs:  Employee (VPN 10), Guest (VPN 20), and IOT (VPN 30).  The router is already connected to Umbrella Secure Internet Gateway (SIG) via the simplified templates.

Adding DNS security from users connecting through the router requires a security policy in place that will integrate with Umbrella.  The security policy for this integration only needs to include the DNS component.  In order to get the information exchanged correctly between vManage and Umbrella, the DNS security policy needs to be integrated with Umbrella via APIs. As of 20.9, only the legacy Umbrella API keys can be used with vManage, and the Umbrella Network Devices API is the one needed for this integration.

The other key item to note is that DNSCrypt needs to be enabled between the devices with this security policy and Umbrella.  This is only supported with Umbrella and through DNSCrypt, the router can send additional information via EDNS to Umbrella.  This information includes VPN info from the source making the request.  Without this additional information, Umbrella would just assume the source of the request is from the router itself. 

After creating the security policy, it needs to be applied to the routers where we want DNS security to be added.  This is done in Device Templates under the Additional Templates section.  Simply enable this new DNS security policy under the Security Policy parameter of the template.

After applying, the different VPNs will show up in Umbrella as deployment identities under Network Devices.  But at this point, they are all using the Default Policy for their DNS Policy.

You now need to create DNS policies in Umbrella that will provide different rules for traffic that originates from each of these VPNs.  In the example shown in the accompanying video, there is one DNS policy created for Corporate devices, one for Guest devices, and one for IOT devices. 

Looking at the Identities for each of these policies, you can select the specific VPNs by looking at the different identities available under Network Devices.  From this list of all Network Devices, you can select the specific VPN that should have the DNS policy applied.  In the example, VPN10 will be matched with the Corporate DNS policy, VPN20 with the Guest DNS policy, and VPN30 with the IOT policy.

Once the different DNS policies are created and associated with the Network Device, you can see that association back on the Network Device page.  Then once devices are connected to each of their respective VPNs and traffic is generated, Activity Search in Umbrella shows those policies in effect.  The activity search shows that DNS policy is now blocking the device from reaching these sites and the Identity associated with this block is the Network Device aligned with the DNS policy in the previous steps. 

DNS Policy is now denying the device from reaching the blocked sites. 

 

Web Security

For internal devices, Umbrella won’t allow for specific policies by default.  It won’t build rules on RFC1918 addresses.  So for a use case where a particular segment of a network should have a different policy applied than another, this can be challenging.  With PCs or laptops, this might be solved by integrating an identity source like AD or Okta to provide the context of the source device.  But for other devices like a Guest Network for instance, there would be no identity to pull context from.  In this case, you can add an internal network to Umbrella’s Configuration. 

If the source router has an IPSec connection to Umbrella SIG that shows up in the Network Tunnels Identity list, this process is greatly simplified.  Rather than needing to deploy a Virtual Appliance (VA) to collect the source info of the RFC1918 address, it can be sourced from the Network Tunnel by configuring the subnet, or even host, and designating which tunnel or tunnels this address might originate from.

If the originating router has multiple SIG tunnels to Umbrella, an Internal Network needs to be added for each one as a potential source of that subnet.  The video shows a demonstration where the same internal RFC1918 address blocks have each been added twice.  Address 10.109.10.0/24 has been added using two different internal network associations:  one for the first Umbrella Tunnel from router SITE309SYS1x3x9x1 (Tunnel 1) and the other is the second Umbrella Tunnel from the router SITE309SYS1x3x9x1 (Tunnel 2). 

Web policies can now be created that utilize these internal networks called Site9-Macrosegment-Corporate-Tu1 and Site9-Macrosegment-Corporate-Tu2.  In the Web policies page, the ruleset identities can be selected to be these internal networks.  For testing, a new Web policy is put in place to block access to dating websites along with a few other categories. 

This same type of Web Policy is also created for both the Guest and IoT Internal Networks as well.  Then devices in each of the three VPNs are used to try and access dating websites, and through Activity Search, we can see that the Web Policy prevents its access.  Clicking into the details, we can even see details such as which ruleset is applied, what is the IP address that made the request, and what site is it trying to reach.

 

Cloud-Delivered Firewall Security

To block using the Firewall, a new Firewall policy is created.  This policy simply creates a block from devices on the 10.109.10.0/24 network coming over the Ryan1100-Tunnels and trying to reach IP address 8.8.8.8.  It is then set to block and log that traffic.

For testing, the same client issues a ping test to 8.8.8.8 and it is denied.  After that attempt, a new hit can be seen at the policy page.

Investigating the results in the Activity Search page shows more details about this block.

Further details reveal the policy name that enacted the block as well as the identity coming from the SITE309SYS1x3x9x1-Tunnel1 and the source IP address as well as the protocol that is blocked as part of this rule.

 

Conclusion

Using Umbrella to extend a company’s segmentation strategy is a very effective method to provide differentiated access and controls.  When determining what method might make the most sense to any organization, there are a few key use cases that can be considered.

The first is one where an organization may want the full security capabilities of a SIG for their corporate or managed machines.  The VPN that these machines end up in can then be the source for the full SIG stack.  However, guest or IoT devices may just want to be prevented from accessing malicious sites and key restricted categories of sites.  Leveraging DNS security, backed by Talos, would provide enough protection for this use case. 

The second is one where the previous use case is mostly accurate, but with a change where IoT type devices still might need some firewall protection.  IoT devices contain notoriously poor security capabilities, so this use case might be very critical to maintaining safe operations for the organization. 

Whatever the case is, Cisco can provide a robust, easy to implement, cloud security solution for extending an organization’s segmentation strategy. Request a free demo today to see what Umbrella can do for your network!

See security in action

Let one of our experts show you how Cisco Umbrella can simplify your security and protect your users everywhere.

Schedule a demo

Using Umbrella to extend a company’s segmentation strategy is a very effective method to provide differentiated access and controls.

Tweet this quote

Additional Resources

  • Schedule a personalized demo
  • Ebook: How to streamline cloud security and embrace SASE

Suggested Blogs

  • Embrace SASE With Cisco February 28, 2023 3 minute read
  • Cisco Umbrella + Cisco Duo Are Better Together February 14, 2023 7 minute read
  • Cisco Enhances Cloud DLP With Unified Management and More December 8, 2022 3 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella