Cisco+ Secure Connect - Manage DNS Policies
Overview
Domain Name System (DNS) protection is your first line of defense. Nothing stops attacks earlier than DNS-layer security. DNS protection identifies where malicious domains and other dangerous internet infrastructures are staged. Secure DNS servers then block requests coming from these staging sites over any port or protocol, preventing both infiltration and exfiltration attempts. DNS-layer security stops malware earlier and prevents callbacks to attackers if infected machines connect to your network. In addition, you can use DNS protection to enforce your organization internet usage policies by blocking unwanted website categories.
Cisco+ Secure Connect is integrated with Cisco Umbrella for DNS Security. Cisco Umbrella uses statistical and machine learning models to uncover new attacks staged on the internet in combination with the threat intelligence data from Cisco Talos, a team of over 300 security researchers. A more detailed guide to DNS Security and Cisco Umbrella can be found here.
Plan Before You Start
Before you start implementing policies, we recommend that you read through these policy sections of our documentation in full. Decide what security and access controls should be put in place by users or groups of users.
You can have more than one DNS policy and your identities can be added to any number of policies, however, the order of the policies matter. Umbrella applies the first matching policy to your identity and immediately stops evaluating policies. If no matching policy is found, Umbrella applies the DNS default policy. Because of the way Umbrella evaluates identities against policies, it's important that you configure policies correctly for each of your organization's identities. An error in configuration may result in unintended results: identities being left unprotected to various threats or users accessing destinations you may want blocked. Plan and design your policies before you build them. For some helpful suggestions, see Best Practices for DNS Policies.
There is always at least one policy—the Default policy. This default policy applies to all identities and cannot be deleted—you can, however, configure it to meet your organization's unique requirements. The default policy is applied to an identity when no other policy matches that identity. Thus, the Default policy is a catch-all to ensure that all identities within your organization receive at least a minimum of Umbrella protection.
You create DNS policies through the Policy wizard, which is made up of two parts. In the first part of the wizard, you select the identities to which the policy applies and select which components should be enabled and configured for the policy. In the second part of the wizard, you configure each component of the policy that was selected in part one of the wizard. These components are made available as steps in the wizard. Once the new policy is saved, it may take upwards of five minutes for the policy to replicate through Umbrella’s global infrastructure and start taking effect.
Adding Policies
Presently DNS policies are being configured on the Cisco Umbrella dashboard. You will need to navigate to Umbrella dashboard from Cisco+ Secure Connect.
- To get to the Umbrella DNS Policies page from the Secure Connect Dashboard click on the DNS link in the Policy count area or go to the menu and click on DNS under Policies column.
- Below is the Umbrella DNS Policy page. You click on the Add button in the top right corner to add a policy.
- Go to the Resources section below for more information on how to create and test web policies.
Resources
The Cisco Umbrella sites has detailed information on configuring and testing policies. Below are links to the key DNS policy guides.
Best Practices for DNS Policies
Enforce SafeSearch for DNS Policies
Group Roaming Computers with Tags