Cisco Umbrella is one of the most interesting Cisco security solutions. Basically, Umbrella is a cloud-based solution built around a large DNS service: it all starts with DNS, which precedes file execution and IP connection. This means that Umbrella blocks malicious websites at the DNS level, before an IP connection to the malicious web server is ever established. If the website is categorized as clean, Cisco Umbrella acts as a regular DNS server and returns the IP address of the web server, and the PC then establishes a direct IP connection to that server.
Cisco Umbrella was launched as a replacement for Cisco Cloud Web Security (CWS), which operated as a proxy server for HTTP and HTTPS traffic.
When Cisco Umbrella returns the IP address of a legitimate web server and we want to inspect that legitimate web traffic, how do we intercept this direct IP connection to the web server? This matters especially for HTTPS traffic, which must be decrypted in order to check whether a malicious file is embedded.
The solution is the “Intelligent Proxy” together with the “SSL Decryption” feature. The Intelligent Proxy is the ability of Cisco Umbrella to intercept and proxy web requests in order to inspect the content of the web traffic. We can choose, by category, which types of web traffic are proxied and have SSL decryption applied. When the Intelligent Proxy is enabled, instead of returning the IP address of the web server, Cisco Umbrella returns the IP address of the Intelligent Proxy server.
Basically, the Intelligent Proxy in Cisco Umbrella inherits the function of the old Cloud Web Security (CWS) solution.
Domains that are bad: these are stopped right away by the DNS service.
Domains that are good: Cisco Umbrella returns the IP address of the legitimate website and the traffic is never proxied.
Domains that are on the grey list and present a risk: Cisco Umbrella returns the IP address of the Intelligent Proxy; the cloud proxy servers use IP addresses in the range 18.104.22.168/16.
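The three outcomes above (blocked, resolved directly, or resolved to the Intelligent Proxy) can be told apart from the DNS answers a protected client receives. The following Python script is an added example written for this page, not Cisco's code or tooling: it takes DNS answers as they might appear in a client's resolver log and classifies each domain by checking whether the returned addresses fall inside the proxy range quoted above. The domain names and addresses in SAMPLE_ANSWERS are constructed for illustration, and treating an empty answer set as a blocked domain is an assumption made here, since the page does not describe what a blocked domain's answer looks like.

```python
import ipaddress
import socket
from typing import Dict, Iterable, List

# Intelligent Proxy address range as quoted on the page. strict=False lets
# ipaddress normalise an address that has host bits set to its /16 network.
INTELLIGENT_PROXY_NET = ipaddress.ip_network("18.104.22.168/16", strict=False)

# Constructed sample answers (invented domains and addresses), shaped like
# the A records a client of an Umbrella-protected resolver would log.
SAMPLE_ANSWERS: Dict[str, List[str]] = {
    "good.example": ["93.184.216.34"],   # clean: real web server address
    "grey.example": ["18.104.7.9"],      # risky: address inside the proxy range
    "bad.example": [],                   # assumed blocked: no usable A record
}


def classify_answer(domain: str, addresses: Iterable[str]) -> str:
    """Classify one domain's DNS answer as 'blocked', 'proxied', 'direct' or 'mixed'.

    'mixed' flags an answer where only some addresses are proxy addresses,
    which is worth a second look because the client may bypass inspection.
    """
    addrs = list(addresses)
    if not addrs:
        return "blocked"  # assumption for this example, see lead-in
    in_proxy = [ipaddress.ip_address(a) in INTELLIGENT_PROXY_NET for a in addrs]
    if all(in_proxy):
        return "proxied"
    if not any(in_proxy):
        return "direct"
    return "mixed"


def summarize(answers: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many domains fall into each outcome."""
    counts = {"blocked": 0, "proxied": 0, "direct": 0, "mixed": 0}
    for domain, addrs in answers.items():
        counts[classify_answer(domain, addrs)] += 1
    return counts


def resolve(domain: str) -> List[str]:
    """Resolve a domain with the host's configured resolver (network access
    required); an NXDOMAIN or lookup failure is returned as an empty list."""
    try:
        return socket.gethostbyname_ex(domain)[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    # Offline demonstration over the constructed sample; to check a live
    # host, replace the dictionary with {name: resolve(name) for name in ...}.
    for name, addrs in SAMPLE_ANSWERS.items():
        print(f"{name:15s} {addrs!s:22s} -> {classify_answer(name, addrs)}")
    print(summarize(SAMPLE_ANSWERS))
```

Run against a real host's resolver, this gives a quick way to confirm that a category configured for the Intelligent Proxy is actually being sent to the proxy range rather than resolving directly, and the "mixed" case surfaces answers that would let a client bypass inspection.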