Feature Briefs

How the roaming client for Windows works

Issue link: https://learn-umbrella.cisco.com/i/801861


Breach protection and internet-wide visibility everywhere

Cisco Umbrella prevents system compromise and data exfiltration over any port or protocol — whether infections happen on or off the corporate network or if malware initiates command & control callbacks via DNS requests or direct IP connections. Our advanced threat prevention is transparent because there is no additional latency, memory hogs, or end user prompts.

A virtual "bump-in-the-wire" for any internet activity

Starting with DNS, we route over 80 million IP connections away from malicious destinations every day — covering nearly all attempts to compromise systems or exfiltrate data. But there are exceptions. A small number of malicious payloads use hard-coded IP addresses to establish direct command & control connections — bypassing the need to resolve a domain name.

Unique innovations built into our network infrastructure and client software, as well as our predictive threat intelligence, address these targeted threats. Suspect IP connections are tunneled to our global network, then either the connection is blocked or traffic to safe URLs is further inspected via our transparent proxy. There's nothing you need to change on the device. There is no additional latency because most traffic is safe. Your users and apps won't even notice it's happening.

Protect roaming users

1. Your CFO, Bob, is targeted by attackers while traveling. An email attachment with unique malware is opened, and compromises his laptop.
2. While Bob uses Office 365 to get some work done, the malware tries to call back to a command & control server over port 2000 using an encrypted P2P protocol.
3. Bob forgot to turn on his VPN, so there's no firewall. And there's no web traffic for a cloud proxy to inspect. But using Umbrella, the DNS request to a malicious domain and the non-DNS connection to a malicious IP is blocked.

© 2017 Cisco and/or its affiliates. All rights reserved.
How the Cisco Umbrella roaming client for Windows works at the DNS and IP layers.

[Figure 1: Allow, block, or proxy non-DNS internet activity. Three panels, each showing a Windows device (any running app, Umbrella roaming client, built-in OS networking stack), the internet, and the Umbrella global network at 208.67.222.222. Legend: safe traffic, suspect traffic, tunnel IP connection, safe IP or URL, bad IP or URL.]

Step 1: Continuously update list & watch for suspect traffic. (Panel label: "Send suspect IPs to watch for", from Umbrella's suspect IP list to the Umbrella roaming client.)

Step 2a: Safe traffic routed directly to internet.

or

Step 2b: Suspect traffic tunneled through Umbrella. (Panel label: "If traffic destination matches a suspect IP, we inject a route to 208.67.222.222".)

Note: The [Built-In Networking Stack] includes the Windows IPsec VPN Client, Network Routing Table, and Base Filtering Engine.
