Prevent 90% of Malware with Cisco Umbrella Branch with 3 lines of config.

Malware is everywhere.    Symantec reported more than 430 million new unique malware packages in 2015, 36% more than in previous years.

Here are some additional statistics to explain how serious the Malware issue is right now (Statistics courtesy of Symantec’s 2016 Internet Security Threat Report)

  • One new zero day vulnerability was found every week in 2015 – double the number from 2014
  • 500,000 personal records were lost or stolen in 2015
  • Spear-Phishing campaigns targeting employees increased 55 percent in 2015
  • Ransom-ware Increased 35 percent in 2015

20.8 Million devices are predicted by 2020.  All of these – are at risk for malware.

As traffic moves from branch to branch around your environment, we have a few challenges.   This traffic may not traverse firewalls and IPS devices, malware protection is common at the edge but not at the branch.     Branch offices also sometimes have limited security features, perhaps they only have a small ISR.

Cisco is using a recent acquisition of OpenDNS to help block 90% + of malware.   The architecture is called “Cisco Umbrella Branch”.

“What if I am using direct to IP?” – At this point, not yet, but this is a new technology they are working on.      DNS powers most malware, so when you add in OpenDNS protection, we can short circuit a significant amount (Cisco says 90%) of malware.   A good security protection strategy includes multiple methodologies – this is one more which is quick, short circuits a lot of malware with limited programming and low cost.


With direct internet access becoming less expensive, and customers moving more to VPN technologies as high speed internet becomes significantly less costly than WAN services, end users are accessing the internet directly from the branch.

Intelligence in the Cloud

Cisco along with OpenDNS has created an intelligent cloud to manage all of this data, so using all of these data points they can validate the safety of these web sites in real time without having to update any kind of local database.  As every query is sent, if a domain is found by the Cisco security cloud, it will be marked as bad very quickly in OpenDNS and you are protected.


How it works

On Cisco ISR 4000 devices, the ISR will register to the cloud, a secure tunnel is created and then it is ready for DNS queries to be filtered by the OpenDNS cloud via the Cisco Umbrella Branch Connector.   The Stealthwatch Learning Network will also provide netflow based security analysis.

Screen Shot 2016-07-05 at 10.39.18 AM

The intelligence is all in the OpenDNS cloud, and the verdict of the DNS lookups is forwarded to the ISR.  All ISR configuration for DNS is managed by the connector once it is enabled.

Keep in mind this is in addition to the rest of the OpenDNS feature set that you will also receive like URL filtering.

All DNS entries are filtered and captured by the Cisco Umbrella Branch Connector – the users and servers do not have to use the ISR as the DNS server, you can have the users, or servers using internet DNS – the ISR will intercept it, tunnel the request to OpenDNS and return the response.

A great idea from @ghostinthenet – Jody Lemoine for a great future idea was that it would be cool if the ISR created a dynamic access list based on good verdicts to OpenDNS lookups so a positive response to a DNS lookup would be required before you would even be allowed out of the office.

The Demo

The team at Tech Field Day has a great demo video on the Cisco Umbrella Branch technology in technical detail.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s