Note: IP layer enforcement is only available to customers who have purchased the Umbrella Insights or Umbrella Platform packages, or customers with Umbrella for MSP.
- Enabling IP Layer Enforcement for the Umbrella Roaming Client
- Testing to Ensure IP Layer Enforcement is Functional
- Frequently Asked Questions
Cisco Umbrella already provides some of the most advanced threat protection and predictive security in the world but there are times when malware authors will use an IP address instead of a fully qualified domain name to host their malware. Since Umbrella protects against malicious domains and URLs primarily, we saw this as an area we needed to address.
Malware authors might use IP addresses that bypass DNS lookups when creating a threat. For instance, one of your users might receive a phishing email with a URL that contains an IP address, for example http://x.x.x.x/malware.exe, while they're away from your office and not protected by your firewalls. Or, a user may go home, insert an infected USB stick into their computer to look at their children's homework, and execute malware that contacts http://x.x.x.x:3000/malicious/bad.exe.
Normally, malware authors use domain names and not IP addresses. There's a good reason for that: IP addresses that host malware are quickly blocked or taken down by the ISP that owns them, but a domain name can always resolve to a new IP address. However, there are exceptions and we recognize that in order to provide the best possible security coverage, we'd need to block IPs in certain circumstances. Some IP addresses are simply known to be bad. Other IP addresses may host valid content on non-HTTP ports, while the web ports host malicious content. The inverse is also true: IP addresses can host legitimate HTTP websites but also host malicious command and control hosts on a non-standard port. The IP Layer Enforcement feature handles all of these scenarios.
Note: IP Layer Enforcement is only available for IPv4.
IP Layer Enforcement requires that version 2.0.1 (or above) of the Umbrella roaming client be available to your organization before the feature can be enabled, both for Mac and Windows. If Umbrella roaming clients are not automatically upgrading to this version, they may be offline or the installation may be broken.
- The Umbrella roaming client for Windows or Mac should be installed and functional, showing encrypted and protected in the local UI and in the Umbrella dashboard, and running version 2.0.1 or later on both Windows and Mac OS X.
- Compatible versions of Windows: 7, 8, 8.1 and 10
Note: IP Layer Enforcement is compatible with Windows 10 version 1511 or later. If IP Layer Enforcement does not work, it would fail gracefully—network connectivity and DNS Layer protection will not be affected.
- Incompatible versions of Windows: Windows XP, Vista
- Supported versions of MacOS: 10.11.6 and above.
Currently, the Umbrella roaming client only supports dual-stack IPv4/IPv6 on Mac OS. Stand-alone IPv6 support is not available for either the Mac or Windows operating system. For more information, see Umbrella Roaming Client: IPv6 Support.
- If the Umbrella roaming client is behind a virtual appliance (VA), the policy applied to the Umbrella roaming client will come from the VA identity rather than the policy for the Umbrella roaming client identity and testing will be difficult. For more information, please see the next section of this guide.
- Internet Protocol Security (IPSec) traffic must be allowed through firewalls. The following ports and protocols must be allowed:
- Protocol 50 (ESP)
- Protocol 51 (AH)
- UDP Port 500
- UDP Port 4500
IPSec uses IP protocol 50 for Encapsulating Security Payload (ESP), IP protocol 51 for Authentication Header (AH), and UDP port 500 for IKE Phase 1 and Phase 2 negotiations. UDP port 4500 is also used.
To restrict IPSec to only the Umbrella servers providing malicious IP blocking, allow ESP, AH, UDP Port 500 and UDP Port 4500 to these IP ranges only:
126.96.36.199/23 188.8.131.52/23 184.108.40.206/24 220.127.116.11/24 18.104.22.168/23 22.214.171.124/23 126.96.36.199/24 188.8.131.52/22 184.108.40.206/23
If you would like to simply allow access to all of the Umbrella ranges used:
220.127.116.11/19 18.104.22.168/21 22.214.171.124/21 126.96.36.199/21
Note: A full list of the exact IP addresses—not just the ranges—can be found in a text file you can download here.
- Navigate to Policies > Management > All Policies and click Add or expand a policy to edit it.
- At the bottom of the What should this policy do page, expand Advanced Settings, enable the intelligent proxy, and check Enable IP Layer Enforcement.
- Click Next and complete the wizard.
Alternatively, at the bottom of the Summary page, expand Advanced Settings, check Enable IP-Layer Enforcement and then click Save.
IP Layer Enforcement only applies to roaming computers with the Umbrella roaming client installed on Windows or Mac. However, the IP Layer Enforcement feature will still continue to be active and take effect when the Umbrella roaming client is behind a VA. The other security features (and filtering configurations) of the Umbrella roaming client will 'back off' in those instances and the policies for the Network, Internal Network or Active Directory User/Computer policy will be applied instead, depending on your configuration.
If the Umbrella roaming client is being protected by a network that has been added to your Umbrella dashboard, and the roaming computer settings (Deployments > Core Identities > Roaming Computer > Settings) are set to “Disable DNS redirection while on an Umbrella Protected Network,” the Umbrella roaming client essentially disables itself and relies on the protection of the network for all features except IP Layer Enforcement.
IP Layer Enforcement is a separate part of the Umbrella roaming client and, as such, behaves differently from the rest of the Umbrella roaming client's features when behind the network. This is because most of those features are duplicated by the network or VA, whereas IP Layer Enforcement is unique to the Umbrella roaming client.
To test whether you're blocking malicious IPs with the IP Layer Enforcement, we have set up a test page at: http://ipblock.opendnstest.com/
This page displays correctly when the feature is enabled and working for the Umbrella roaming client installed on the computer. Feel free to test the additional scenarios to get a sense of how the feature will behave when blocking a malicious IP address.
If things are not working as expected or the feature is not enabled on the roaming computer that you're testing with, Umbrella displays a warning that you are not currently using the IP Blocking system.
If your policy is correctly configured as best as you can determine and the test page is still not reflecting that IP Layer Enforcement is enabled, this could be because the policy applied to this roaming computer does not have the IP Layer Enforcement feature enabled. Double-check the order of policy precedence for this identity in the dashboard.
To start troubleshooting, it's worth checking to ensure these outbound ports are set to allow encrypted DNS requests to be routed through the Umbrella global network:
- Port 53 TCP/UDP to Umbrella
- Port 443 TCP to Umbrella
Double-check the system requirements for this feature and ensure they've been met.
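As an added example (not part of Cisco's documentation or the Umbrella roaming client), the following Python script audits a constructed outbound firewall rule set against the allowances listed on this page: ESP, AH, UDP 500 and UDP 4500 restricted to the Umbrella ranges, plus the 53 TCP/UDP and 443 TCP checks from the troubleshooting section. The `Rule` model, the sample rules and the destination ranges (TEST-NET addresses standing in for the real Umbrella ranges) are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Placeholder ranges (TEST-NET); substitute the exact Umbrella ranges from the dashboard.
UMBRELLA_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Required outbound allowances: IPsec for IP Layer Enforcement, then the DNS/443
# ports the troubleshooting section lists. Port None means "any port" (ESP/AH have none).
REQUIRED: List[Tuple[str, Optional[int]]] = [
    ("esp", None), ("ah", None), ("udp", 500), ("udp", 4500),
    ("udp", 53), ("tcp", 53), ("tcp", 443),
]
IPSEC_PORTS = {500, 4500}

@dataclass
class Rule:                      # hypothetical, vendor-neutral rule model
    action: str                  # "allow" or "deny"
    proto: str                   # "esp", "ah", "udp" or "tcp"
    dst: str                     # destination CIDR; "0.0.0.0/0" means any
    port: Optional[int] = None   # None means any port

def _covers(rule: Rule, proto: str, port: Optional[int]) -> bool:
    return (rule.action == "allow" and rule.proto == proto
            and (rule.port is None or rule.port == port))

def audit(rules: List[Rule]):
    """Return (missing, overbroad): required (proto, port, range) tuples that no rule
    allows, and allow rules that open IPsec to destinations outside the Umbrella ranges."""
    missing, overbroad = [], []
    for proto, port in REQUIRED:
        for net in UMBRELLA_RANGES:
            if not any(_covers(r, proto, port) and net.subnet_of(ipaddress.ip_network(r.dst))
                       for r in rules):
                missing.append((proto, port, str(net)))
    for r in rules:
        is_ipsec = r.proto in ("esp", "ah") or (r.proto == "udp" and r.port in IPSEC_PORTS)
        if r.action == "allow" and is_ipsec:
            dst = ipaddress.ip_network(r.dst)
            if not any(dst.subnet_of(net) for net in UMBRELLA_RANGES):
                overbroad.append(r)   # e.g. IKE allowed to 0.0.0.0/0
    return missing, overbroad

# Constructed sample: IKE is open to the world, and NAT-T misses the second range.
SAMPLE_RULES = [
    Rule("allow", "esp", "198.51.100.0/24"), Rule("allow", "esp", "203.0.113.0/24"),
    Rule("allow", "ah", "198.51.100.0/24"), Rule("allow", "ah", "203.0.113.0/24"),
    Rule("allow", "udp", "0.0.0.0/0", 500), Rule("allow", "udp", "198.51.100.0/24", 4500),
    Rule("allow", "udp", "0.0.0.0/0", 53), Rule("allow", "tcp", "0.0.0.0/0", 53),
    Rule("allow", "tcp", "0.0.0.0/0", 443),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

Only the IPsec protocols and ports are checked for over-broad destinations; the DNS and 443 rules are only checked for presence, since the page does not restrict them to specific ranges.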
If problems persist, or if there are any unexpected or unusual behaviors when the IP Layer Enforcement feature is enabled, we'd like to hear about it. Email us at: firstname.lastname@example.org.