Cisco Umbrella Review

Offers protection from DNS-based attacks and improves visibility

What is our primary use case?

The primary use case for this solution is for DNS based attacks and for malware protection. It has a malware protection engine.

If you install Cisco Umbrella Clients on the remote PC, you can do URL filtering, malware protection, and you can check the health and status of the device itself.

How has it helped my organization?

All of the DNS Queries are sent to Cisco Umbrella and you have more visibility of what users are asking, as well as what users are accessing over the Internet. 

You have all of the details and all of the information of what the users are accessing, even before they get access to the website. For example, if one website is malicious and it has some malware and some viruses in it, and a user sends a request to this URL, it will be reported in the Cisco Umbrella Cloud before the user gets the response back from the webserver. 

It will protect, give you more robustness, and faster responses, compared to any firewalls or any of the proxy web servers.

Based on the DNS, Web proxy, and other servers, it waits until after the DNS request. It will put in its action after the user gets it by the webserver when the response is coming back. 

In the end, the response from the malicious server will come into your network. Cisco Umbrella cloud has stopped it before that. You have one more layer of security on top of the URL filtering or on top of that server response.

The deployment was for two thousand plus users. We have multiple sites, and we have some remote users in different locations.

Cisco Umbrella is a fitting solution for DNS-based attacks and malware protection. It is a very good solution for that, and especially for remote users.

What is most valuable?

The most valuable feature is that it prevents DNS-Based attacks, which is quite common these days.

The DNS Query is first sent by the user and then it will communicate to the URL. If you are requesting for some URL it process also to an IP.

The basic functionality of Cisco Umbrella is to save this type of request and to have a more secure way to communicate the DNS Query back to the user. Any attack based on the DNS Query is stopped by Cisco Umbrella.

If you have a proxy, for example, if my DNS server is and I make a server on the same IP or different IBN with the same DNS name, I can make a proxy and the user request will come to me and I can send this user any way I want. So based on these types of attacks, Cisco Umbrella protects the user.

The user requests a lot of DNS queries. Even if you don't know it or if the user is not accessing any URL, the laptops or any PC keep on accessing different URL's and you are not aware of it or if it is good or not. Cisco Umbrella gives you the visibility and you know what is happening from this laptop or this endpoint.

What needs improvement?

Cisco Umbrella does not have a Malware Protection engine itself. It would be useful if they had a malware protection engine running inside their own VM.

They have some VM appliances with the installing enterprises for limited access for the DNS proxy to the cloud. If they had this feature running inside the VM, it would be much better.

It would improve this solution to have applications hosted on the cloud.

I would like to see the application that they promised. If you have an application running inside your environment, with multiple portals, as an example, we have our employee portal, ERP and some other portals. These portals will be accessed through the Cisco Umbrella Cloud, and the deployment will be a VPN-based deployment, Cisco Umbrella Cloud will be connected to your enterprise and afterward, you can just click on this application using Cisco Umbrella Cloud subscription, and you will have the access to your application anywhere in the world, and you don't have to publish it. You will save public IPs, and a lot of bandwidth because publishing requires bandwidth. 

All of the users from outside will be coming inside your environment and will be accessing the web servers, so there is no need to publish.

It will be some time before this feature is introduced. They are working on it and it is still not ready.

I would like to see IPS-based solutions. To have an IPS solution inside the Cisco Umbrella cloud. 

If there were an IPS product built inside the solution, it would be very good. It would be a one-box solution. With this one-box solution, you wouldn't need any extra security layers,  and you don't need any WAN solution.

There is a solution called Carbon Black. This solution can do sandboxing solution inside the PC. It checks the application which you are accessing, and what you are installing on your PC. It checks everything. It does a compliance check.

If these types of features are available on the Cisco Umbrella, so you wouldn't need any other solutions installed on your PC. It would be one solution that does everything together.  I would, like to see this.

For how long have I used the solution?

I have been using this solution for one year.

What do I think about the stability of the solution?

It's quite stable. It's a very stable product, and, it's quite straightforward. We deployed this solution a year ago with no issues afterward. We didn't get any complaints. There are some categories, and filtering that will block you for something which is not malicious, but it is considered as a threat to Cisco Umbrella. You will need to white list some IP address or some URLs manually if it's under your corporate use for some reason.

What do I think about the scalability of the solution?

This solution is quite scalable. It is a cloud-based solution. If your users are spread all over the world they can access Cisco Umbrella using an internet connection and it's quite straightforward. The scalability is quite robust and we can implement it anywhere in the world.

We are using this solution every day. Even if I try to access something now from my corporate laptop, the request will go to Cisco Umbrella, the DNS is configured as Cisco Umbrella.

Currently, we don't plan to increase our usage because we don't have more users at this time. If we scale or we are expanding and we have more offices, in the future we will increase the number of endpoints or number of users.

As we are running our virtual environment in our enterprise, it's not a problem. Normally if you are going to implement VMs, it will be a large scale deployment. If you have more than 2000 or 3000 users and you want a faster response from Cisco Umbrella, you have this VM.

If you have this type of environments, of course, you have a virtual environment, you have any hypervisor like VMware or Hyper-V and you have a big compute, you can manage two VMs from that. It's not an extra cost.

We have four people who have access to Cisco Umbrella. However, it doesn't require much administrative work. It does its job, and only needs a one-time concentration, afterward, all that needs attention is checking to if there are any blocks on anything.

If Cisco Umbrella blocks a user, they will notify the user. The user will get a message that they are locked under this condition and this category. The user will then notify us and complain that they have been blocked. We will check the status on the Cisco Umbrella portal and proceed to whitelist it if, it is a legitimate request.

How are customer service and technical support?

The technical support is quite good. This solution itself is not complex and everything is cloud-based. If there are issues or if something indicates that you cannot manage two portals, you can just open a claim with Cisco Umbrella and they will support you. 

The only concern is that if something goes wrong, or, something is getting blocked and if something is not as per your requirements, you don't have any visibility. You will never know what was done to correct the issues. Because it is cloud-based, they will not show you what they are doing on the server level. Without having the visibility for the solution itself you will never know what actual solution is working behind the scene.

Which solution did I use previously and why did I switch?

Before Cisco Umbrella, we were using the Infoblox solution. It was not an easy or flexible solution. Infoblox is an on-premises solution that requires a VPN, or all of the users need to connect to a VPN, just to get the DNS resolutions. This was not easy, and it was not easy to implement.

How was the initial setup?

The initial setup was quite straightforward. When you subscribe to the Cisco Umbrella services they give you some public IPs. With these IPs you have a few options:

  • You can copy these IPs and user features for the DNS and the communication will happen directly through the cloud. 
  • You can install the VMs in your corporate environment having all of the communication through the VMs and the VMs will communicate to the cloud. 
  • You can install a Cisco Umbrella application on your PC and install the external script that has the public IP for the DNS for the Cisco Umbrella.

The deployment strategy was straightforward, and it took approximately two days for deployment.

Because we had over two thousand users, we created a script on SSCM. This is a software center manager for Microsoft, making the script accessible to all of the users. This script changed all the DNS IPs to the Cisco IP addresses. Once this was complete, we installed the Virtual machines, which are the DNS proxies for Cisco Umbrella and we configured the public IPs for Cisco Umbrella. These were the only two steps that were required, taking two days for two-thousand-plus users. It was quite simple, but, if you had to do it manually, it might take some time having to do one at a time for more than two thousand users.

If you have some automation, it is quite easy.

    It has a public cloud and it is like a hybrid type of deployment. We have umbrella VMs installed in our enterprise areas, in DNS, in our remote offices, and our main HQ.

    These VMs, are like proxy DNS servers. They will save a URL resolution and has a policy-based engine as well. For example, if you are searching or something that is being searched quite frequently, it will store that data, and it doesn't communicate to the cloud every time, giving you a faster response with limited cloud access.

    Our service provider is Cisco. They have their Telos Cloud, hosting the Cisco Umbrella Solution.

    After this deployment, you need to do quite a lot of fine-tuning because there will be many false positives blocks, especially if you're using the malware engine. It will keep blocking some ADME files that are used in your corporate environment, or if it's an in-house developed application, it will be blocked because the code of the application is not registered with the Cisco Umbrella Cloud, It will keep on blocking, until you whitelist that code and whitelist that UUID, just to have this application running.

    What about the implementation team?

    We did the implementation ourselves with some assistance from Cisco support. We didn't have any on-site engineer to do the deployment or implementation.

    It only took two people for the installation process. I was on the network and phone system side and another colleague was installing the service on the Cisco Umbrella Solution.

    We require four people who maintain Cisco Umbrella. 

    What was our ROI?

    This is a good solution, and there are many advantages to this solution. 

    There is a return of investment. 

    If you have this solution you don't need a big firewall or many security solutions in your environment. Because it's a cloud-based solution, you can access this over the cloud anywhere in the world. You don't need to build a big infrastructure. It will give you more return on the cost than you are putting on it.

    What's my experience with pricing, setup cost, and licensing?

    We have Cisco ELA, it's an enterprise agreement, which covers everything under security, that is offered by Cisco Umbrella. With this, we have the complete Cisco Umbrella portfolio. We have everything related to security from Cisco Umbrella. This also includes the Cisco Umbrella suites.

    We are paying yearly for all of the Cisco Umbrella applications and appliances.

    Cisco has a model called ELA. With ELA, if you buy the solution you will have the complete security portfolio and you can pay it yearly or after three years, it depends on the contract.

    It's a subscription-based solution. If you're running multiple solutions it is more cost-effective. For example, currently we have Cisco Umbrella, IronPort, WSA, Cisco CWS Cloud, and we have Cisco's FTD solution. If we were running these solutions separately it would be more expensive. 

    If you are doing a VM deployment and you have a VM appliance, you will need some compute. 

    The only additional cost will be for a server.

    Which other solutions did I evaluate?

    We evaluated another solution but the Cisco Umbrella solution is much more compelling. It doesn't have the on-premises appliances or any restrictions for the user to connect through the corporate environment.

    If the user is anywhere and the user is connecting to the internet, they will make a micro VPN through the cloud and it will connect to the VMs in our corporate environment automatically. It doesn't require any manual configuration nor does the user have to initiate anything on the PC.

    The other solution has a touch button application, on the PC. If you click it, it will create a channel with the appliance in your HQ or your remote office and then you will be able to connect to the internet or you can resolve DNS with queries. 

    As this solution was not flexible, the management chose not to go with it.

    What other advice do I have?

    If somebody is looking toward the Cisco Umbrella solution or if they have an NGIPS, NG firewalls, next-generation firewall solutions and if they are looking for DNS-based security, and if they are implementing it then Cisco Umbrella is a good solution.

    Keep that in mind that it will make a lot of noise, users will be blocked at the beginning and many of the URLs will be blocked. It will need to be fine-tuned.

    The fine-tuning is required one month after implementation. You will need to fine-tune the OpenDNS Cisco Umbrella database, just to have all the URLs there for your corporate environment, because there will be some false positive blocks. These issues will have to be fixed yourself. You will need to make sure that you are doing it. Other than that, it is a quite straightforward solution.

    I would rate this solution an eight out of ten.

    If the suggestions are implemented I would then rate it a ten out of ten. They would be one of the first companies on the market doing this. You will not find anyone on the market with any DNS security solutions like this for Cisco Umbrella. They are the market leaders for DNS-based security at the moment. If they have these suggestions in their portfolio it would be the best solution, covering every point of its endpoint security.

    **Disclosure: I am a real user, and this review is based on my own experience and opinions.
    More Cisco Umbrella reviews from users
    ...who work at a Financial Services Firm
    ...who compared it with Zscaler Internet Access
    Add a Comment