Internetwork Engineering Blog

Cisco Umbrella and Web Filtering for a Remote Workforce

Written by Caleb Oosterhouse | October 22, 2020


Web Filtering History

Web filtering is a general technology and a security need that has been around for years. It is still the standard for many businesses, using physical or virtual appliances that receive all web traffic via client browser proxy settings or inline filtering. This design catches all web traffic (ports 80 and 443) and provides content filtering and security filtering as needed. Client browser proxy settings worked well, but only if the proxy setting was set up to point to the web content filter, either manually or via a GPO push.

Client machines also needed the internal private CA's certificate installed so that the encrypted HTTPS/443 traffic could be filtered correctly with man-in-the-middle technology. Thus, most IT departments moved to inline web content filters, which catch all traffic at the edge of the network and filter as needed. In theory this catches everything, including client computers, guest networks, servers, and ALL network traffic, but only the traffic that can be seen given the encryption/decryption settings. If the user was authenticated to the network, the web content filter could even apply policies based on users and groups. Great, right?

Web Filtering for Remote Users 

The primary focus for IT generally included everything within the four walls of the business. This is where all the ‘business’ really took place, and if that was secure, everything was secure. Some businesses mostly kept to this model up until the COVID-19 pandemic, with only a few users working remotely. However, many saw the writing on the wall even before the pandemic and had strategized to accommodate the remote worker.

Commonly, any remote working required a Virtual Private Network (VPN) back into the corporate network for business data, and IT would then U-turn the web traffic back out through the web content filter system, providing the security they required. However, this double-booked the HQ internet connection, so split tunneling became another option: internet traffic went out through the client device's local internet connection and only traffic for business data used the VPN.

In these situations, security concerns were casually pushed to the back burner. Data has long since moved beyond the four walls of the HQ data center, and cloud, multi-cloud, and hybrid environments are the new normal as IT strategy continues to evolve. With this change and others, many businesses have simply moved to client Endpoint Detection and Response (EDR) software to protect local and remote client machines while dropping the antiquated web filtering technology.

Many IT departments have moved to a model of trust, hoping that end user web traffic is okay because employees signed an Acceptable Use Policy (AUP). In that case, why should IT spend extra resources to control web traffic? Let's just let our Endpoint Detection and Response software take the load and move on to more critical issues, right?

Web Content Filtering is More than Content Filtering 

Previously, web content filtering focused primarily on known categories that needed to be blocked. However, the web has moved from basic HTTP and HTTPS to micro applications, and almost everything uses HTTPS encryption.

Over half of the web traffic seen today uses HTTPS encryption, making traditional web filters less than 50% useful: you can only filter what you can see. Add the fact that over 20% of internet traffic is malicious and 90% of that uses HTTPS, and together with other challenges that works out to your traditional web filter being only about 30% effective. Yikes, we need to filter differently, and not just for content but for security!

DNS (Domain Name System) based web filtering should now become the new security direction, and products like Cisco Umbrella, WebTitan, or Webroot have come into play. For traditional corporate networks, it is as simple as redirecting your DNS servers to the new resolvers, matching your public IP to the configuration profile, and life moves on.

Almost all external traffic, web or otherwise, starts with a DNS request, so this strategy catches the previously troublesome encrypted HTTPS traffic and more. It can still integrate with local authentication servers, run as virtual DNS servers, and provide user/group policies as needed. Block all outbound DNS traffic except from your DNS servers, add filtering-bypass sites to a blocked category, and you will round up security for internal, guest, and BYOD devices on your network.
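A check of the kind this paragraph describes, added here as an example (not Internetwork Engineering's or Cisco's code): it runs over constructed DNS query-log lines, flags DNS sent anywhere but the approved internal resolvers as a bypass attempt, and blocks the filtering-bypass and malicious categories. The resolver addresses, the category lookup and the log format are assumptions.

```python
import ipaddress
from collections import namedtuple

# Assumed internal resolvers: the only hosts allowed to send DNS out of the network.
APPROVED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.10", "10.0.0.11")}

# Constructed category lookup standing in for the cloud provider's categorisation.
# "filtering-bypass" is the category the text says to block outright.
CATEGORY = {
    "intranet.example.com": "business",
    "social.example.net": "social-media",
    "proxy-anonymizer.example.org": "filtering-bypass",
    "c2.example.bad": "malware",
}
BLOCKED_CATEGORIES = {"filtering-bypass", "malware", "phishing"}

Decision = namedtuple("Decision", "client qname verdict reason")

def evaluate_query(line: str) -> Decision:
    """Decide one 'src_ip dst_ip qname' query-log line: allow, block or bypass."""
    src, dst, qname = line.split()
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    qname = qname.rstrip(".").lower()
    # Egress rule: a client may only talk DNS to an approved resolver.  Anything
    # else (a public resolver, a rogue internal one) is an attempt to bypass filtering.
    if src_ip not in APPROVED_RESOLVERS and dst_ip not in APPROVED_RESOLVERS:
        return Decision(src, qname, "bypass", f"dns sent to {dst}, not an approved resolver")
    # Category rule, as applied to what the resolvers forward to the cloud filter.
    category = CATEGORY.get(qname, "uncategorised")
    if category in BLOCKED_CATEGORIES:
        return Decision(src, qname, "block", category)
    return Decision(src, qname, "allow", category)

def evaluate_log(lines):
    """Evaluate every non-empty line of a query log."""
    return [evaluate_query(line) for line in lines if line.strip()]

# Constructed sample query log: src_ip dst_ip qname
SAMPLE_LOG = """
10.0.1.20 10.0.0.10 intranet.example.com.
10.0.1.21 10.0.0.10 proxy-anonymizer.example.org
10.0.1.22 198.51.100.53 social.example.net
10.0.0.10 203.0.113.2 c2.example.bad
"""

if __name__ == "__main__":
    for d in evaluate_log(SAMPLE_LOG.splitlines()):
        print(f"{d.client:<12} {d.qname:<30} {d.verdict:<7} {d.reason}")
```

The third line of the sample is the case the egress rule exists for: a client talking DNS straight to an outside resolver never reaches the cloud filter at all, so it is reported as a bypass rather than evaluated by category.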


Web Content Filtering with Cisco Umbrella for Remote Workers  

When COVID-19 hit earlier this year, most of the workforce went remote. This great DNS-based web filtering technology you set up in the office is now useless, right? Wrong! Cisco Umbrella comes with client software included in your subscription pricing. You can load this lightweight software on your client machines manually or with the Cisco AnyConnect add-on module if they already have VPN software set up.

This software extends your DNS filtering anywhere that computer goes. That 30% successful web filtering with old technology is now 100% web filtering with a local software install. You can load the Cisco Umbrella client on computers, tablets, and even phones to provide security for all business-active devices wherever they may be located. Is it time to make the switch to a true web filter?

Web Content Filtering for Remote Users

Q & A 

Q: Can I create different web policies based on user location or time? We blocked Facebook when users were in the office, but now that remote computer is part of the home.

A: With Cisco Umbrella you can create policies based on users, groups, device types, locations, and time as needed. This provides flexible content filtering policies while still always blocking malicious activity.

Q: Lots of malicious command-and-control software uses IP addresses rather than DNS names to bypass DNS filtering. Is this still blocked?

A: If the Cisco Umbrella client software is installed locally on the device being filtered, it filters ALL web-based traffic, whether addressed by IP or by DNS name. Local application traffic over IP is not filtered by Umbrella so as not to adversely affect application performance. Umbrella filters all DNS traffic, web or application.
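Detection logic for the gap the answer above describes, added here as an example and not code from the original post or from Cisco: with DNS-only filtering, malware that connects straight to an IP address never produces a query, so this correlates a constructed DNS-answer log with a constructed connection log and flags outbound flows that no recent DNS answer explains (it also surfaces a client resolving over an encrypted channel the resolver never logged). Log formats, addresses and the grace period are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

GRACE = timedelta(seconds=60)  # assumed slack after a DNS TTL expires
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def build_answer_index(dns_lines):
    """Map (client, answered_ip) -> [(answer_time, expiry)] from 'ts client qname answer ttl' lines."""
    index = {}
    for line in filter(str.strip, dns_lines):
        ts, client, _qname, answer, ttl = line.split()
        start = datetime.fromisoformat(ts)
        index.setdefault((client, answer), []).append(
            (start, start + timedelta(seconds=int(ttl)) + GRACE))
    return index

def find_direct_ip_connections(dns_lines, conn_lines):
    """Return (ts, client, dst, port) for outbound flows no DNS answer explains.
    These are what DNS-only filtering never sees: hard-coded C2 addresses, or a
    client resolving over an encrypted DNS channel the resolver never logged."""
    index = build_answer_index(dns_lines)
    flagged = []
    for line in filter(str.strip, conn_lines):
        ts, client, dst, port = line.split()
        if is_internal(dst):
            continue  # east-west traffic is outside the web filter's scope
        when = datetime.fromisoformat(ts)
        if not any(s <= when <= e for s, e in index.get((client, dst), [])):
            flagged.append((ts, client, dst, int(port)))
    return flagged

# Constructed sample logs.  DNS: ts client qname answer ttl   Conn: ts client dst port
DNS_LOG = """
2020-10-22T09:00:00 10.0.1.20 www.example.com 203.0.113.10 300
2020-10-22T09:05:00 10.0.1.21 cdn.example.net 203.0.113.20 3600
"""
CONN_LOG = """
2020-10-22T09:00:03 10.0.1.20 203.0.113.10 443
2020-10-22T09:06:00 10.0.1.21 203.0.113.20 443
2020-10-22T09:10:00 10.0.1.22 203.0.113.99 8443
2020-10-22T09:11:00 10.0.1.22 10.0.0.5 445
2020-10-22T09:30:00 10.0.1.20 203.0.113.10 443
"""
```

Calling find_direct_ip_connections(DNS_LOG.splitlines(), CONN_LOG.splitlines()) returns the 09:10 flow (no lookup at all) and the 09:30 flow (the 300-second answer had long expired, so a fresh lookup should have been logged); the 09:11 flow is skipped as internal.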


Q: Can remote users disable the Umbrella software on their devices to bypass the filtering? 

A: Devices controlled by the IT department can be locked down to prevent end users from disabling the Cisco Umbrella Roaming Client software. This control is a matter of device management and is not directly related to the Cisco Umbrella Roaming Client itself. Locking down a device for end users can be done in different ways, from Active Directory GPO to Microsoft Intune. Speak with your IE Solution Engineer to see which option is best for your environment.

Q: Will a cloud DNS filtering provider slow down web browsing since it is filtering? 

A: No. In most cases it makes browsing faster, as Cisco Umbrella uses geo-sensing anycast technology to spread the DNS load between sites for 100% uptime and to respond from the location closest to you. Compared to inline web filters, DNS filtering is 2-4 times faster since no extra TCP/UDP transactions are required.

Q: I heard that DNS is now moving to encrypted DNS in some locations. Will this cause issues like HTTPS did for our previous web filter?

A: Cisco Umbrella supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. DNSSEC uses cryptographic signatures to prove both the validity of the answer and the identity of the signer. Customers can have confidence that Umbrella is protecting their organization from cache poisoning attacks without having to perform validation locally.

Q: If Cisco Umbrella is so great, do I still need my EDR (Endpoint Detection and Response) software?

A: Cisco Umbrella is a key piece of endpoint security, but only one piece of the puzzle. It integrates tightly with other software such as Cisco AMP for Endpoints and shares information to provide even better protection. Cisco Threat Response and the SecureX integrated security platform are both free integration points that collect and connect the shared knowledge from Cisco Umbrella, Cisco AMP, and other hardware/software sources, creating an integrated and open security platform.

Want to learn more? Consult with IE’s team of experts. We can help you build a secure web content filtering system for your remote workers.