The intelligent proxy is the ability for Umbrella to intercept and proxy requests for malicious files embedded within certain so-called "grey" domains. Some websites, especially those with large user communities or the ability to upload and share files, have content that most users want to access while also posing a risk because of the possibility of hosting malware. Administrators don't want to block access to the whole "grey" domain for everyone, but they also don't want their users to access files that could harm their computers or compromise company data.
With the intelligent proxy, we avoid the need to proxy requests to domains that are already known to be safe or bad. Most phishing, malware, ransomware, and other threats are hosted on domains that are classified as malicious. It's simple: Umbrella blocks those threats at the DNS layer, with no need to proxy. A domain that poses no threat, such as a content delivery network (CDN) domain for Netflix or YouTube? Umbrella allows it, and again, no proxy is required.
Yet some domains are a little trickier—for example, domains associated with a web server or sites that have the possibility of hosting malware. These can include sites that allow users to upload and share content, which makes them difficult to police. Obviously, if you allow all traffic to these risky domains, users might access malicious content, resulting in an infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility and control.
The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting malware while allowing access to everything else.
The intelligent proxy is built using a container-based microservices architecture. The proxy itself, and the services Umbrella integrates into the proxy, run and auto-scale independently from one another. For example, if the proxy notices a lot of files coming through for antivirus (AV) scanning, it automatically scales and provides more capacity for that function. This results in more effective performance for the intelligent proxy.
Normally, when you send a DNS request to Umbrella's DNS resolvers, we check to see if it's a malicious site, or if it's blocked by a destination list or a content setting. If it is blocked, Umbrella returns a block page for the request. If it's not blocked, Umbrella returns the IP address of the domain and you can visit the site.
With the intelligent proxy, if a site is considered potentially suspicious or could host malicious content, Umbrella returns the intelligent proxy's IP address. The request to that domain is then routed through our cloud-based secure gateway, and malicious content is found and stopped before it's sent to you.
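Because the routing decision described above is carried in the DNS answer, an administrator can classify resolver answers to see which domains are blocked, proxied, or resolved directly. The following is an added example, not Umbrella's own code; the CIDR ranges are placeholders from documentation address space and the `domain ip[,ip...]` log format is an assumption, so substitute the block page and proxy ranges documented for your deployment.

```python
import ipaddress
from collections import Counter

# Placeholder ranges (documentation address space), NOT real Umbrella
# addresses. Replace with the ranges documented for your deployment.
BLOCK_PAGE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24"),
              ipaddress.ip_network("2001:db8:51::/48")]

def _in_any(ip, nets):
    return any(ip.version == n.version and ip in n for n in nets)

def classify_answer(addresses):
    """Return 'blocked', 'proxied', 'direct', 'mixed' or 'no-answer'."""
    verdicts = set()
    for text in addresses:
        try:
            ip = ipaddress.ip_address(text.strip())
        except ValueError:
            continue  # skip CNAME targets or malformed fields
        if _in_any(ip, BLOCK_PAGE_NETS):
            verdicts.add("blocked")
        elif _in_any(ip, PROXY_NETS):
            verdicts.add("proxied")
        else:
            verdicts.add("direct")
    if not verdicts:
        return "no-answer"
    # 'mixed' means one answer set spans categories and deserves a closer look.
    return verdicts.pop() if len(verdicts) == 1 else "mixed"

def summarize(log_lines):
    """Parse 'domain ip[,ip...]' lines; return ({domain: verdict}, Counter)."""
    per_domain = {}
    for line in log_lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        domain = parts[0].rstrip(".").lower()
        addrs = parts[1].split(",") if len(parts) > 1 else []
        per_domain[domain] = classify_answer(addrs)
    return per_domain, Counter(per_domain.values())

# Constructed sample answers (domains and addresses are illustrative only).
SAMPLE = [
    "video-cdn.example. 203.0.113.10,203.0.113.11",
    "known-bad.example 192.0.2.5",
    "file-share.example 198.51.100.23",
    "file-share-v6.example 2001:db8:51::17",
    "odd.example 198.51.100.9,203.0.113.40",
    "nx.example",
]
```

Calling `summarize(SAMPLE)` returns the per-domain verdicts and a count per category, which makes it easy to spot a domain that breaks only when it is proxied.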
The stumbling block for most proxies in the past was that they couldn't scale with the internet. The internet grows in ways that proxy hardware manufacturers can't prepare for—massive streaming video feeds, video conferencing, Voice over IP, and so on. With other proxies, all of that traffic needed to be proxied and all of it needed to be scanned, which slows down traffic at the gateway proxy, and devices outside of the gateway are not protected.
The intelligent proxy has some big advantages that make it not just more secure, but faster, too:
- Umbrella's services are cloud-based and can be scaled to handle any amount of internet traffic. This means that while other proxy services—especially full proxy solutions—might slow you down, Umbrella does not.
- If your laptop leaves your corporate network, the intelligent proxy makes sure its protection follows you, keeping you secure 24/7/365.
- Umbrella's predictive intelligence allows it to determine what gets proxied; thus, not all traffic is proxied. Some domains Umbrella knows are bad and these are stopped immediately by Umbrella's DNS service. Other domains Umbrella knows are going to always be good; these are always allowed by Umbrella's DNS service and are never proxied. For those domains that are on Umbrella's grey list, Umbrella proxies HTTP and HTTPS traffic to and from the device to protect you from accessing malicious files.
Lots of big name domains like Google and Facebook are not proxied because there is a very low risk of these domains hosting malicious content. In fact, we have a list of highly popular domains—approximately 100 at the moment—that are low risk and never proxied.
Localized (language-specific) web content like Google searches or bandwidth intensive SaaS apps like Office 365 can experience issues when sent through a cloud-based proxy. But because these types of services don’t host malware, they aren’t considered “risky”. So, by default, our proxy doesn’t intercept this traffic. This means that your users receive accurate, localized content and services without the burden of creating proxy exceptions.
The 'greylist' of risky domains is comprised of domains that host both malicious and safe content—we consider these “risky” domains. These sites often allow users to upload and share content—making them difficult to police, even for site administrators.
There's no reason to proxy requests to domains that are already known to be safe or bad. Umbrella’s intelligent proxy only routes the requests for risky domains for deeper inspection.
Note: Umbrella does not proxy traffic on non-standard ports for web traffic.
You can exclude content categories (and thus related sites) from being proxied by creating a Selective Decryption list. When you enable SSL decryption, create a list; requests to destinations within a selected content category are then not proxied, even though the intelligent proxy is enabled. For more information, see Enable the Intelligent Proxy.
Currently, the decision to proxy a domain is made by Umbrella security researchers, based on Umbrella threat intelligence.