DNS Policies Only
The intelligent proxy is only available for DNS policies.
Umbrella's intelligent proxy intercepts and proxies requests for URLs, potentially malicious files, and domain names associated with certain uncategorized or "grey" domains. Some websites, especially those with large user communities or the ability to upload and share files, have content that most users want to access while also posing a risk because of the possibility of hosting malware. Administrators don't want to block access to the whole "grey" domain for everyone but they also don't want your users to access files that could harm their computers or compromise company data.
With the intelligent proxy, Umbrella avoids the need to proxy requests to domains that are already known to be safe or bad. Most phishing, malware, ransomware, and other threats are hosted on domains that are classified as malicious. It's simple: Umbrella blocks those threats at the DNS layer, with no need to proxy. If a domain poses no threat, such as a content-carrying domain (CDN) for Netflix or YouTube, Umbrella allows the domain, and again, no proxy is required.
Yet some domains are a little trickier—for example, domains associated with a web server or sites that have the possibility of hosting malware. These can include sites that allow users to upload and share content making them difficult to police. If you allow all traffic to these risky domains, users might access malicious content, resulting in an infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility and control.
The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting malware while allowing access to everything else.
The intelligent proxy is built using a container-based microservices architecture. The proxy itself, and the services Umbrella integrates into the proxy, run and auto-scale independently from one another. For example, if the proxy notices a lot of files coming through for antivirus (AV) scanning, it automatically scales and provides more capacity for that function. This results in more effective performance for the intelligent proxy.
- How the Intelligent Proxy Works
- Advantages of Using the Intelligent Proxy
- Sites That are Not Proxied by the Intelligent Proxy
- Best Practices
- SSL Decryption Requirements and Implementation
- Selective Decryption
Normally, when you send DNS request to Umbrella's DNS resolvers, we check to see if it's a malicious site, registered on a destination list, or if it's blocked by a content setting. If it is blocked, Umbrella returns a block page for the request. If it's not blocked, Umbrella returns the IP address of the domain and you can visit the site.
With the intelligent proxy, if a site is considered potentially suspicious or could host malicious content, Umbrella returns the intelligent proxy's IP address. The request to that domain is then routed through our cloud-based secure gateway, and malicious content is found and stopped before it's sent to you.
The stumbling block for most proxies in the past was that they couldn't scale with the internet. The internet grows in ways that proxy hardware manufacturers can't prepare for—massive streaming video feeds, video conferencing, Voice over IP, and so on. With other proxies, all of that traffic needed to be proxied and all of it needed to be scanned, which slows down traffic at the gateway proxy, and devices outside of the gateway are not protected.
The intelligent proxy has some big advantages that make it not just more secure, but faster, too:
- Umbrella's services are cloud-based and can be scaled to handle any amount of internet traffic. This means that while other proxy services—especially full proxy solutions—might slow you down, Umbrella does not.
- If your laptop leaves your corporate network, the intelligent proxy makes sure its protection follows you, keeping you secure all the time.
- Umbrella's predictive intelligence allows it to determine what gets proxied; thus, not all traffic is proxied. Some domains Umbrella knows are bad and these are stopped immediately by Umbrella's DNS service. Other domains Umbrella knows are going to always be good; these are always allowed by Umbrella's DNS service and are never proxied. For domains that are on Umbrella's grey list, Umbrella proxies HTTP and HTTPS traffic to and from the device to protect you from accessing malicious files.
Lots of big-name domains like Google and Facebook are not proxied because there is a very low risk of these domains hosting malicious content. We have a list of highly popular domains—approximately 100 at the moment—that are low risk and never proxied.
Localized (language-specific) web content like Google searches or bandwidth-intensive SaaS apps like Office 365 can experience issues when sent through a cloud-based proxy. But because these types of services don’t host malware, they aren’t considered “risky”. So, by default, our proxy doesn’t intercept this traffic. This means that your users receive accurate, localized content and services without the burden of creating proxy exceptions.
The 'grey list' of risky domains is comprised of domains that host both malicious and safe content—we consider these “risky” domains. These sites often allow users to upload and share content—making them difficult to police, even for site administrators.
There's no reason to proxy requests to domains that are already known to be safe or bad. Umbrella’s intelligent proxy only routes the requests for risky domains for deeper inspection.
Note: The intelligent proxy does not proxy traffic on non-standard ports for web traffic.
When enabling the intelligent proxy, we highly recommend also selecting SSL Decryption, which broadens the scope of your protection. With SSL Decryption selected, you can also create a list of content categories to exclude from being sent to the intelligent proxy. The SSL Decryption feature allows the intelligent proxy to decrypt and inspect traffic that's sent over HTTPS.
Note: We do not recommend that you apply the same deployed identities in both your DNS policies with the intelligent proxy configured and Web policy rules with secure web gateway (SWG) controls enabled. Choose the type of policy, deployments, and configuration components that best match the identities and traffic in your organization.
You must install the Cisco Umbrella root certificate on computers that are using SSL decryption for the intelligent proxy. When you enable SSL decryption, the intelligent proxy inspects URLs and unknown domains and blocks these HTTPS URLs if they're considered malicious in your DNS policies. These uncategorized sites can include popular sites, such as file-sharing services. While many uncategorized sites contain perfectly harmless URLs, these sites can potentially host malware on certain specific URLs. In this case, Umbrella considers the site uncategorized and proxies the site for users even if they're acting in good faith.
Without the root certificate, when your users go to the intelligent proxy service, they receive browser errors and the site is not accessible. The browser correctly determines that the traffic is being intercepted (and proxied) by a 'man in the middle', which, in this case, is the Umbrella service. Traffic is not decrypted and inspected; instead, the website is unavailable.
With the root certificate installed, errors do not occur and the site is accessible when it's been proxied and allowed. For information on installing the root certificate, see Install the Cisco Umbrella Root Certificate.
You can exclude content categories (and thus related sites) from being proxied by creating a Selective Decryption list. When configured, requests to access destinations within a selected content category are not proxied even though the intelligent proxy is enabled. For example, if you add the category News / Media to the Selective Decryption list and then visit www.cnn.com, this destination is not inspected by the intelligent proxy.
Updated about 20 hours ago