Securing Internet Access Using Cisco Umbrella
For IT managers and leadership evaluating cloud security investments, Cisco Umbrella — now evolving into Cisco Secure Access — delivers cloud-native internet security that closes critical gaps left by traditional perimeter defences. This article covers what it does, why it matters, and what decisions your organisation should be making now.

What It Is and Why It Matters
Originally launched as OpenDNS in 2006 and acquired by Cisco in 2016, Umbrella operates at the DNS layer — the earliest point at which a threat can be intercepted. Before any device connects to an external resource, a DNS lookup occurs. Umbrella intercepts that request, evaluates it against Cisco Talos threat intelligence in real time, and blocks malicious or policy-violating destinations before a connection is ever established. No malware downloads, no phishing pages loaded.
The scale behind this is significant: Umbrella processes 620 billion internet requests daily from over 30,000 customers across 190 countries, blocking over 170 million malicious DNS queries every day. For leadership, this means the threat intelligence underpinning the platform is among the most comprehensive available commercially.
Crucially, Umbrella is entirely cloud-delivered — no hardware, no appliances. It protects users on-network, in branch offices, and fully remote, all managed through a single console.
Key Capabilities
| DNS Security | is the entry point and immediate value driver. It provides full visibility into every internet-bound request made by users and devices, enabling categorical blocking — adult content, gambling, newly registered domains — deployable in hours without endpoint agents. IT teams gain instant insight into shadow IT, risky cloud applications, and compromised endpoints attempting to reach known-malicious destinations. |
| Secure Web Gateway (SWG) | moves beyond DNS to inspect full HTTPS web traffic, providing URL-level filtering, SSL inspection, and file scanning. This addresses threats hosted on legitimate cloud platforms that DNS alone cannot catch. |
| Cloud-Delivered Firewall (CDFW) | provides Layer 3/4 visibility and control over all internet-bound traffic — logging all activity and enforcing rules based on IP, port, and protocol. For leadership, this replaces physical firewall appliances at branch offices and for remote workers, reducing both hardware costs and management overhead. |
| Cloud Access Security Broker (CASB) | provides visibility and control over cloud application usage. Umbrella telemetry shows that Generative AI tool usage across enterprise networks increased 100% year-over-year — CASB gives IT teams the ability to discover, assess, and control which AI tools and cloud applications are in use, including data movement involving PII, PCI, and PHI. This directly supports audit readiness and compliance obligations. |
| Remote Browser Isolation (RBI) | executes browsing sessions in an isolated cloud container, keeping threats away from the endpoint entirely. This is especially valuable for high-risk users such as finance, legal, and executive staff. |
| AI-Powered Threat Detection | is a recent and material capability addition. Cisco has integrated AI-driven Domain Generation Algorithm (DGA) detection into Umbrella, achieving a 30% increase in real detections and a 50% improvement in accuracy. DGA-based communication is one of the most common techniques used by ransomware to establish command-and-control channels — catching it earlier and more accurately directly reduces breach risk. |


Competitive Landscape
Umbrella is licensed per user, with its features and benefits packaged into several offerings. Direct competition comes from the following key vendors:
| Zscaler | Market-leading SSE, strong ZTNA architecture |
| Akamai | Strong DNS heritage, broad CDN integration |
| Palo Alto Prisma Access | Deep integration with Palo Alto NGFW estate |
| Fortinet | Cost-effective for existing Fortinet customers |
| Netskope | Best-in-class CASB and data protection |
Deployment Requirements
Umbrella operates over standard DNS ports with minimal firewall changes required:
| Ports and Protocol | Source/Destination |
| UDP 53 | Endpoints/208.67.222.222 Endpoints/208.67.220.220 |
| TCP 53 | Endpoints/208.67.222.222 Endpoints/208.67.220.220 |
| HTTPS 443 | Required for SWG, CASB, dashboard |
The Cisco Umbrella root certificate must be deployed to managed endpoints using the Roaming Security module — distribute via MDM or Group Policy as part of standard rollout.
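The port requirements in the table can be checked from an endpoint before rollout. The script below is an added example, not Cisco's code or part of the original article: it sends one DNS query to each resolver over UDP and TCP port 53 and lists resolv.conf nameserver entries that point elsewhere. The function names and the query name example.com are assumptions, and it assumes endpoints point directly at the two resolvers as the table shows.

```python
import socket
import struct

# Resolver addresses and port taken from the deployment table.
UMBRELLA_RESOLVERS = ("208.67.222.222", "208.67.220.220")
DNS_PORT = 53

def build_query(name, txid=0x1234):
    """Minimal DNS A-record query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def response_ok(reply, txid=0x1234):
    """True if the reply echoes our transaction ID and has the QR bit set."""
    if len(reply) < 12:
        return False
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == txid and bool(flags & 0x8000)

def probe(resolver, proto, name="example.com", timeout=3.0):
    """Send one query to resolver:53 over 'udp' or 'tcp'; True on a valid reply."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (resolver, DNS_PORT))
                reply, _ = s.recvfrom(4096)
        else:
            with socket.create_connection((resolver, DNS_PORT), timeout=timeout) as s:
                # DNS over TCP prefixes each message with a 2-byte length.
                s.sendall(struct.pack("!H", len(query)) + query)
                reply = s.recv(4096)[2:]
        return response_ok(reply)
    except OSError:  # timeout, connection refused, network unreachable
        return False

def non_umbrella_resolvers(resolv_conf_text):
    """Nameserver entries in resolv.conf text that are not Umbrella resolvers."""
    servers = [p[1] for p in (l.split("#")[0].split() for l in resolv_conf_text.splitlines())
               if len(p) >= 2 and p[0] == "nameserver"]
    return [s for s in servers if s not in UMBRELLA_RESOLVERS]

if __name__ == "__main__":
    for r in UMBRELLA_RESOLVERS:
        for p in ("udp", "tcp"):
            print(f"{r} {p}/53: {'ok' if probe(r, p) else 'blocked or no reply'}")
```

A failure on TCP only usually means the firewall rule was written for UDP 53 alone; both rows of the table need to be allowed.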
Summary
Is your organisation’s internet security keeping pace with today’s threat landscape? In this article, we break down the key capabilities, the strategic shift to SSE, and the actions IT leaders should be taking right now. For more security and infrastructure content, please visit the Cybersecurity section.
The port and protocol table is clean and accurate. Good to see the certificate deployment requirement called out explicitly — that catches a lot of teams off guard during rollout. Would have liked to see VA version details for the virtual appliance deployment but overall solid.