Articles in this section

See more

IP Layer Enforcement with the Umbrella Roaming Client

Avatar
Matt Prytuluk
  • Updated
Follow

Overview

 

 

IP Layer Enforcement is an option in your policy configuration and you may have questions about it.  It's found under Advanced Settings in the policy summary:

83ca1c0-advanced-iple-settings.png

 

 

What is IP Layer Enforcement?

 

Cisco Umbrella already provides some of the most advanced threat protection and predictive security in the world but there are times when malware authors will use an IP address instead of a fully qualified domain name to host their malware. Since Umbrella primarily protects against malicious domains and URLs, we saw this as an area we needed to address.

Malware authors might use IP addresses that bypass DNS lookups when creating a threat. For instance, one of your users might receive a phishing email with a URL that has an IP address in it, for example, http://x.x.x.x/malware.exe while they're not in your office and protected by your firewalls. Or, a user may go home, insert an infected USB stick into their computer to look at their children's homework, and execute malware that contacts http://x.x.x.x:3000/malicious/bad.exe.   

Normally, malware authors use domain names and not IP addresses. There's a good reason for that: IP addresses that host malware are quickly blocked or taken down by the ISP that owns them, but a domain name can always resolve to a new IP address. However, there are exceptions and we recognize that in order to provide the best possible security coverage, we'd need to block IPs in certain circumstances. Some IP addresses are simply known to be bad. Other IP addresses may host valid content on non-HTTP ports, while the web ports host malicious content. The inverse is also true: IP addresses can host legitimate HTTP websites but also host malicious command and control hosts on a non-standard port. The IP Layer Enforcement feature handles all of these scenarios. 

Documentation for the IP Layer Enforcement 

This feature requires several prerequisites be met, and also works for both the Roaming Client standalone and the integrated AnyConnect client version (Umbrella Roaming security module).  As such, the full documentation can be found here:

https://docs.umbrella.com/product/umbrella/6-adding-ip-layer-enforcement/

Related articles

Comments

0 comments

Article is closed for comments.