Bolster DNS security with BlueCat and Cisco Umbrella

By Ben Ball

Cisco and BlueCat are teaming up to extend the breadth and depth of Domain Name System (DNS) security across the enterprise. Through a connection between BlueCat and Cisco Umbrella, valuable context gleaned from DNS infrastructure is now shared between both systems, giving security teams the granular information they need to mitigate threats in real time.

Digging deeper into DNS security

Find threats faster with endpoint visibility: Unfortunately, the architecture of most networks prevents Cisco Umbrella, which sits at the network boundary, from seeing the context of the DNS-based threats it detects. At a technical level, the problem is that boundary-level DNS security systems only see the “last hop” DNS server that forwards a query, not the endpoint that originated it. The BlueCat-Cisco Umbrella integration provides instant access to endpoint-level DNS data. This allows security personnel to match threat intelligence with the IP addresses used at the endpoint for quick, effective mitigation of malicious activity before it spreads.

"Who makes a query, I don’t know. I can’t tell where this originated from, sometimes I see it and sometimes I can't."

Control the 60% of network traffic flowing through internal DNS: Internal DNS data is a treasure trove for security teams. Attacks using DNS are on the rise, yet most digital signatures involving DNS go unmonitored. Visibility into this “east-west” traffic provides a complete picture for the full range of threat hunting, forensic investigations, and preventive application of security policies across the enterprise.

Deploy granular DNS security policies: With combined visibility into (and control over) boundary-level and device-level data flows, security personnel can implement targeted security policies based on specific attack patterns. Through integrations with Cisco ISE, Cisco ISRs, Active Directory, and other core network management elements, BlueCat delivers these policies consistently across internal and external access points. This is more than a simple DNS firewall. This is an integrated security system which touches the entire enterprise.

Optimize SD-WAN deployments: Using the power of service points, DNS routing policies can be deployed anywhere, including the data center, campus, or branch, to deliver sophisticated LAN-side DNS traffic-steering services that facilitate internet breakout in SD-WAN deployments. This can assist with global DNS resolution, hybrid cloud deployments and simplified DNS resolution.

"The fact that BlueCat can just forward external queries to Umbrella without creating a separate policy is a big benefit as well. It means less work, and less potential for error."

Adding new visibility

Here’s how it works. BlueCat sits at the “first hop” of any network query, acting as the initial recursive server for all internal DNS records. This gives BlueCat direct visibility into both the source IP and the “east-west” queries which sit underneath the external network boundary. This happens not through clunky and expensive hardware, but through lightweight service points which can be deployed quickly across the enterprise at a much lower cost than traditional DDI solutions.

Through an integrated solution, BlueCat now sends that source IP and other contextual data to Cisco Umbrella, allowing visibility into device-level infections. With the visibility into the source IP, Cisco Umbrella can now enhance network security by applying more granular policies and identifying infected endpoints. For its part, Cisco Umbrella sends the threat information gleaned from inbound DNS queries to BlueCat, providing additional context around malicious domains.

BlueCat DNS Edge can also capture all internal DNS queries and apply internal policies to endpoints.
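
The first-hop/last-hop correlation described above, as an added example that is not BlueCat or Cisco code: it joins a first-hop query log with boundary verdicts to name the endpoints behind a blocked domain. The log layouts, IP addresses, domains and the 2-second matching window are constructed assumptions, and both logs are assumed to share a synchronized clock.

```python
from collections import defaultdict

# Constructed sample data (not a BlueCat or Cisco Umbrella log format).
# First-hop resolver log: (epoch seconds, client IP, queried name)
FIRST_HOP = [
    (1000, "10.1.4.23", "updates.example.com."),
    (1002, "10.1.7.80", "Bad-Domain.example.net."),
    (1003, "10.1.4.23", "intranet.corp.example."),  # east-west, never leaves
    (1030, "10.1.9.12", "bad-domain.example.net"),  # answered from cache
]
# Boundary log: only the forwarding resolver's IP is visible as the source.
BOUNDARY = [
    (1000, "10.0.0.53", "updates.example.com", "allowed"),
    (1002, "10.0.0.53", "bad-domain.example.net", "blocked"),
]

def norm(name):
    """Lowercase and drop the trailing root dot so both logs compare equal."""
    return name.rstrip(".").lower()

def attribute_blocked(boundary, first_hop, window=2):
    """Map each blocked domain to the endpoints behind the last-hop resolver.

    'forwarded': clients whose query falls within `window` seconds before the
    boundary event, i.e. the query that was sent upstream.
    'cached': other clients that asked for the same name; assumed here to have
    been answered from the resolver cache, so the boundary never saw them.
    """
    by_name = defaultdict(list)
    for ts, client, qname in first_hop:
        by_name[norm(qname)].append((ts, client))
    report = {}
    for ts, resolver, qname, verdict in boundary:
        if verdict != "blocked":
            continue
        entry = report.setdefault(
            norm(qname), {"resolver": resolver, "forwarded": set(), "cached": set()})
        for q_ts, client in by_name.get(norm(qname), []):
            key = "forwarded" if 0 <= ts - q_ts <= window else "cached"
            entry[key].add(client)
    # A client matched to any forwarded query is not also reported as cached.
    for entry in report.values():
        entry["cached"] -= entry["forwarded"]
    return report

if __name__ == "__main__":
    for domain, info in attribute_blocked(BOUNDARY, FIRST_HOP).items():
        print(domain, info)
```

The boundary log alone would attribute the blocked lookup to 10.0.0.53, the resolver; the join surfaces both the endpoint whose query was forwarded and the second endpoint that the boundary never saw.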

Easy, lightweight deployment

It gets better. Normally this kind of insight would require deployment of additional sensors and tools across the network - a logistical challenge to deploy and manage. With BlueCat sitting at the first hop as a DNS resolver, all of that information is collected without all of that extra effort – you simply get the visibility you need across all devices.

Even better than that: if you have BlueCat and Cisco Umbrella today, there’s nothing to download or install. This integration is already available – all you have to do is configure the connection and you’re ready to go.




Ben Ball

Ben Ball is the Director of Strategy and Content Marketing at BlueCat. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.
