📘CompTIA Security+ (SY0-701)
Overview of Cisco Umbrella Secure Internet Gateway (SIG)
Cisco Umbrella Secure Internet Gateway (SIG) is a cloud-based security service that protects users from internet-based threats.
It works by controlling, monitoring, and inspecting web traffic before it reaches users or systems.
Umbrella SIG combines multiple security functions:
- DNS security
- Secure Web Gateway (SWG)
- Cloud firewall
- Malware protection
- URL and application control
- TLS/SSL decryption
Because it is cloud-based:
- No hardware is required
- It protects on-premises, remote, and roaming users
- Policies are managed centrally
Key Components of Cisco Umbrella SIG
| Component | Purpose |
|---|---|
| Umbrella Dashboard | Central management interface |
| DNS Layer Security | Blocks threats at DNS request level |
| Secure Web Gateway (SWG) | Inspects HTTP/HTTPS traffic |
| Cloud Firewall | Layer 3–4 traffic control |
| Threat Intelligence | Cisco Talos threat feeds |
| Policy Engine | Applies security rules |
Traffic Forwarding Methods (Exam Relevant)
Umbrella can protect traffic using:
- DNS Forwarding
  - DNS requests sent to Umbrella resolvers
  - Fast threat blocking
  - Limited visibility into full URLs (only the queried domain is seen)
- Proxy / SWG Forwarding
  - Full web traffic inspection
  - Supports URL filtering and TLS decryption
- Umbrella Roaming Client
  - Protects users outside the corporate network
  - Enforces the same policies everywhere
Web Security Features in Cisco Umbrella SIG
1. Blocklisting (Blacklist / Allowlist)
What is Blocklisting?
Blocklisting means manually blocking specific domains, IP addresses, or URLs, regardless of category.
Why it is used
- Block known malicious domains
- Block unwanted services
- Immediate enforcement
Types
- Domain blocklist
- IP blocklist
- URL blocklist
- Allowlist (bypass security for trusted sites)
How it works
- When a user tries to access a blocklisted destination
- Umbrella blocks the request immediately
- User sees a block page
Exam Notes
✔ Blocklists override category settings
✔ Allowlists bypass security checks
✔ Used for precise control
2. URL Filtering
What is URL Filtering?
URL filtering allows Umbrella to permit or block web access based on URL categories.
Examples of URL categories
- Malware
- Phishing
- File sharing
- Adult content
- Cloud storage
- Social networking
How it works
- User requests a website
- Umbrella checks the URL category
- Policy decides:
  - Allow
  - Block
  - Monitor only
Advantages
- Easy to manage
- Category-based control
- Scalable for large organizations
Exam Notes
✔ URL filtering uses Cisco Talos intelligence
✔ Works at DNS and proxy level
✔ Policies can differ by user or location
3. Malware Scanning
What is Malware Scanning?
Umbrella inspects web traffic and files to detect malicious software.
Types of Malware Detected
- Viruses
- Trojans
- Ransomware
- Spyware
- Malicious scripts
How it works
- Files downloaded via HTTP/HTTPS are inspected
- Hash and behavior analysis are used
- Threats are blocked before download completes
Integration
- Uses Cisco Talos threat intelligence
- Works with Secure Web Gateway
Exam Notes
✔ Malware scanning occurs during web sessions
✔ Prevents malware delivery from web downloads
✔ Works best with proxy/SWG enabled
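The "blocked before download completes" behaviour above depends on the proxy holding the file back from the client until it has been inspected. The following is an added example (not Cisco's code) of that proxy-side hash check; the known-bad hash set, the sample file bodies and the `max_buffer` fail-closed rule are all constructed assumptions for illustration.

```python
# Added example (not Cisco's code): a proxy holds a download back from the
# client until the whole body has been hashed against a known-bad list.
import hashlib

# Constructed stand-in for a threat-intelligence hash feed.
BAD_SAMPLE = b"THIS-IS-A-CONSTRUCTED-BAD-FILE-BODY"
KNOWN_BAD = {hashlib.sha256(BAD_SAMPLE).hexdigest()}


def proxy_download(server_chunks, known_bad, max_buffer=1 << 20):
    """Buffer the server response, hash it, and only then release it.

    Returns (verdict, bytes_released_to_client). A hash verdict needs the
    complete file, so the proxy cannot stream chunks straight through; it
    buffers them and the client receives nothing until the verdict is in.
    Bodies larger than max_buffer are refused (assumption: fail closed;
    a real SWG has its own size limit and policy for that case).
    """
    digest = hashlib.sha256()
    buffered = bytearray()
    for chunk in server_chunks:
        buffered.extend(chunk)
        if len(buffered) > max_buffer:
            return "too_large", b""
        digest.update(chunk)
    sha = digest.hexdigest()
    if sha in known_bad:
        return "blocked:" + sha[:12], b""   # client never sees the file
    return "clean", bytes(buffered)


def chunks(data, size=8):
    """Split a constructed body into small pieces, as a server would send it."""
    return [data[i:i + size] for i in range(0, len(data), size)]


if __name__ == "__main__":
    print(proxy_download(chunks(b"hello, this file is harmless"), KNOWN_BAD))
    print(proxy_download(chunks(BAD_SAMPLE), KNOWN_BAD))
```

Note that an exact-hash check matches only byte-identical files: appending a single byte to `BAD_SAMPLE` produces a "clean" verdict. That is why the page lists behavior analysis alongside hashing, and why the check is only as good as the freshness of the hash feed.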
4. URL Categorization
What is URL Categorization?
URL categorization is the process of classifying websites into predefined groups.
Who provides categorization?
- Cisco Talos
Why it matters
- Enables policy-based filtering
- Helps enforce acceptable use policies
- Simplifies administration
Dynamic Categorization
- New websites are analyzed in real time
- Unknown URLs can be temporarily blocked
Exam Notes
✔ Categories are constantly updated
✔ Supports real-time threat classification
✔ Can override category manually
5. Web Application Filtering
What is Web Application Filtering?
Web application filtering allows administrators to control access to specific web-based applications, not just websites.
Examples
- Cloud storage services
- Webmail platforms
- Collaboration tools
- Streaming platforms
Control Options
- Allow full access
- Block completely
- Read-only access (view but no upload)
Why it is important
- Controls data movement
- Reduces risk of data leakage
- Improves productivity control
Exam Notes
✔ Works at application level
✔ More granular than URL filtering
✔ Requires proxy/SWG traffic inspection
6. TLS (SSL) Decryption
What is TLS Decryption?
TLS decryption allows Umbrella to inspect encrypted HTTPS traffic.
Without decryption:
- Umbrella sees only the destination domain
- Content cannot be inspected
With decryption:
- Full visibility into web traffic
- Malware and policy enforcement inside HTTPS
How it works
- Umbrella intercepts HTTPS traffic
- Decrypts the traffic (the client's TLS session terminates at Umbrella)
- Inspects content
- Re-encrypts traffic before sending to destination
Certificate Requirement
- Umbrella root certificate must be installed on client devices (otherwise browsers show certificate warnings for decrypted sites)
What can be inspected
- Downloads
- Scripts
- Web applications
- Malicious payloads
Privacy Considerations
- Certain categories can be excluded (banking, healthcare)
- Selective decryption is supported
Exam Notes
✔ TLS decryption is essential for full security
✔ Required for deep malware inspection
✔ Certificate deployment is mandatory
Policy Configuration in Cisco Umbrella
Policy Elements
- Identity (user, group, location)
- Destination (URL, category, app)
- Action (allow, block, monitor)
- Security features enabled
Policy Order
- Policies are evaluated top-down
- First match is applied
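The rules stated across this page (top-down, first-match policy order; blocklists overriding category verdicts; allowlists bypassing checks; URL-path entries being enforceable only at the proxy; selective TLS decryption by category) combine into one decision procedure. The block below is an added example, not Cisco's code or Umbrella's real engine: the category table standing in for Talos, the policy names, identities, domains and the allowlist-before-blocklist precedence are all constructed assumptions.

```python
# Added example (not Cisco's code): a toy model of Umbrella-style policy
# evaluation. Policies, identities, domains and categories are constructed.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the Talos categorization database.
CATEGORY_DB = {
    "evil.example": "Malware",
    "oldvendor.example": "Malware",
    "bank.example": "Banking",
    "drive.example": "Cloud Storage",
    "news.example": "News",
}


@dataclass
class Policy:
    name: str
    identities: set                                 # users, groups or locations
    blocked_categories: set = field(default_factory=set)
    blocklist: set = field(default_factory=set)     # "domain" or "domain/path-prefix"
    allowlist: set = field(default_factory=set)
    decrypt: bool = False                           # TLS decryption at the SWG
    no_decrypt_categories: set = field(default_factory=set)


def destination_view(url, layer):
    """Return (host, path) as the enforcement point sees it.

    The DNS layer only sees the queried hostname (path is None);
    the SWG proxy sees the full URL.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if layer == "dns":
        return host, None
    return host, parts.path or "/"


def match_entry(host, path, entries):
    """Return the first list entry matching this destination, or None."""
    for entry in entries:
        if "/" in entry:
            if path is None:      # URL-level entry: invisible at the DNS layer
                continue
            e_host, e_path = entry.split("/", 1)
            if host == e_host and path.startswith("/" + e_path):
                return entry
        elif host == entry or host.endswith("." + entry):
            return entry
    return None


def evaluate(policies, identity, url, layer="swg"):
    """Top-down evaluation: the first policy whose identity matches is applied."""
    host, path = destination_view(url, layer)
    category = CATEGORY_DB.get(host, "Uncategorized")
    for policy in policies:
        if identity not in policy.identities:
            continue
        # Assumption: the allowlist is checked first, so an allowlisted
        # destination bypasses both the blocklist and the category check.
        if match_entry(host, path, policy.allowlist):
            return {"policy": policy.name, "action": "allow",
                    "reason": "allowlist", "decrypt": False}
        hit = match_entry(host, path, policy.blocklist)
        if hit:                   # blocklist overrides the category verdict
            return {"policy": policy.name, "action": "block",
                    "reason": "blocklist:" + hit, "decrypt": False}
        if category in policy.blocked_categories:
            return {"policy": policy.name, "action": "block",
                    "reason": "category:" + category, "decrypt": False}
        decrypt = (layer == "swg" and policy.decrypt
                   and category not in policy.no_decrypt_categories)
        return {"policy": policy.name, "action": "allow",
                "reason": "category:" + category, "decrypt": decrypt}
    return {"policy": None, "action": "allow",
            "reason": "no matching policy", "decrypt": False}


def sample_policies():
    """Constructed policy set: a stricter finance policy above the default."""
    return [
        Policy("Finance", {"finance"},
               blocked_categories={"Malware", "Cloud Storage"},
               decrypt=True, no_decrypt_categories={"Banking"}),
        Policy("Default", {"finance", "staff"},
               blocked_categories={"Malware"},
               blocklist={"news.example/sports"},
               allowlist={"oldvendor.example"},
               decrypt=True),
    ]


if __name__ == "__main__":
    for ident, url, layer in [("finance", "https://drive.example/upload", "swg"),
                              ("staff", "https://news.example/sports/today", "dns"),
                              ("finance", "https://bank.example/login", "swg")]:
        print(ident, layer, url, "->", evaluate(sample_policies(), ident, url, layer))
```

Two results are worth checking by hand: the path-level blocklist entry `news.example/sports` blocks at the SWG but is silently unenforceable at the DNS layer, which is the page's "limited visibility into full URLs" point; and `oldvendor.example` is allowed for `staff` through the Default policy's allowlist despite its Malware category, while `finance` users hit the Finance policy first and are blocked, showing both first-match ordering and the risk of allowlists bypassing security checks.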
Verification
- Dashboard reports
- Activity logs
- Security events
- Block page feedback
Monitoring and Reporting
Umbrella provides:
- DNS request logs
- Web activity logs
- Threat activity reports
- Policy enforcement reports
These help in:
- Verifying configuration
- Troubleshooting issues
- Exam scenario analysis
Key Exam Summary (Must Remember)
✔ Cisco Umbrella SIG is cloud-based web security
✔ Blocklisting overrides category rules
✔ URL filtering is category-based
✔ Malware scanning protects downloads
✔ URL categorization uses Cisco Talos
✔ Web application filtering controls apps
✔ TLS decryption enables HTTPS inspection
✔ Policies are identity-based and centralized
