This article contains best practices and recommendations around Umbrella Virtual Appliance and AD Connector deployments to mitigate the risk of any internal attacks arising from the use of these components.
Umbrella Virtual Appliance
The Umbrella Virtual Appliance (VA) software is downloaded from the Umbrella dashboard as a .tar file that contains the VA image together with a signature for that image. Verify the signature before deploying the image: a valid signature confirms that the image has not been modified since Cisco signed it, and an image that fails verification should not be deployed.
The VA runs a hardened build of Ubuntu Linux 20.04. On a fresh deployment only ports 53 (DNS) and 443 (HTTPS) accept inbound traffic. On Azure, KVM, Nutanix, AWS and GCP, port 22 is also open by default so that the VA can be configured over SSH; on VMware and Hyper-V, port 22 is opened only after SSH is explicitly enabled with the corresponding VA command. Where port 22 is open, restrict it at the firewall to your management hosts so that the VA does not expose an interactive login to the whole network.
The VA makes outbound connections over specific ports and protocols to the destinations listed here. Configure your firewall to allow only that traffic from the VAs and to block connections from the VAs to any other destination. All HTTPS communication to and from the VA uses TLS 1.2 only; older protocol versions are not used.
The first login on the VA forces a password change. Cisco recommends rotating the VA password periodically after that initial change.
To mitigate the risk of an internal denial-of-service attack against the DNS service on the VA, you can configure per-source-IP rate limiting of DNS queries on the VA. This is disabled by default and must be configured explicitly using the instructions documented here. Set the threshold above the peak query rate of your busiest legitimate client (for example a downstream DNS forwarder or proxy that funnels many users through one address), otherwise that client is throttled along with any attacker.
If you monitor your VAs over SNMP, use SNMPv3 with both authentication and privacy (encryption); instructions are documented here. Enabling SNMP monitoring opens UDP port 161 on the VA for inbound traffic, so restrict that port at the firewall to your monitoring hosts. Attributes such as CPU, load and memory on the VA can be read over SNMP.
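The inbound surface described above (53 and 443 always, 22 depending on platform or an explicit SSH enable) is easy to check from a Windows administration host. The following script is an added example, not Cisco's code or a tool shipped with the VA: it probes a VA's TCP ports with Test-NetConnection and flags anything that does not match what you expect for the platform. The VA address, platform and the extra "should be closed" ports are assumptions to adjust for your environment. Test-NetConnection only tests TCP, so UDP/53 and the SNMP port UDP/161 are not covered; check those from your monitoring host with a DNS and an SNMPv3 client respectively.

```powershell
# Added example (not Cisco's code): compare a VA's open TCP ports with the documented inbound surface.
param(
    [string]$VaAddress = '10.0.0.53',          # assumed VA address
    [ValidateSet('VMware','Hyper-V','Azure','KVM','Nutanix','AWS','GCP')]
    [string]$Platform  = 'VMware',             # hypervisor or cloud the VA runs on
    [bool]$SshEnabled  = $false                # $true only if you ran the VA's enable-SSH command
)

# Expected inbound TCP ports per the deployment notes above: 53 and 443 always,
# 22 by default on the cloud/KVM/Nutanix platforms or when SSH was enabled by hand.
$expected = @(53, 443)
$sshDefaultOn = $Platform -in @('Azure','KVM','Nutanix','AWS','GCP')
if ($sshDefaultOn -or $SshEnabled) { $expected += 22 }

# Probe the expected ports plus a few that should never answer on a hardened DNS forwarder (assumed list).
$probe = @(22, 53, 443, 80, 8080, 3389)

$results = foreach ($port in $probe) {
    $open = (Test-NetConnection -ComputerName $VaAddress -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    $status = if ($open -and ($port -notin $expected))          { 'UNEXPECTED OPEN' }
              elseif ((-not $open) -and ($port -in $expected))  { 'EXPECTED BUT CLOSED' }
              else                                              { 'OK' }
    [pscustomobject]@{ Port = $port; Open = $open; Expected = ($port -in $expected); Status = $status }
}

$results | Format-Table -AutoSize

# A port outside the documented surface means the VA was changed, or something else answers at that address.
if ($results.Status -contains 'UNEXPECTED OPEN') {
    Write-Warning "VA $VaAddress exposes TCP ports outside the documented surface; investigate before trusting it."
}
if ($results.Status -contains 'EXPECTED BUT CLOSED') {
    Write-Warning "VA $VaAddress is not listening on a port it should; DNS or dashboard connectivity may be broken."
}
```

Run it once after deployment and again after any change to the VA or to the firewall in front of it; a VA on VMware or Hyper-V that shows port 22 open although you never enabled SSH is exactly the kind of drift the check is meant to catch.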
If you use the VAs with Active Directory integration, tune the user cache duration on the VA to match your DHCP lease time; instructions are documented here. A cache entry that outlives the lease can still attribute an IP address to its previous user after DHCP has reassigned that address to someone else, so matching the two minimizes incorrect user attributions.
The VA keeps an audit log of all configuration changes made on the VA. You can forward this audit log to a syslog server per the instructions documented here, which keeps a copy of the record off the appliance itself.
At least two VAs must be configured per Umbrella site, and the IP addresses of these two VAs can be distributed to endpoints as their DNS servers. For additional redundancy you can configure Anycast addressing on the VAs, which lets multiple VAs share a single Anycast address. You can therefore deploy more than two VAs while still distributing just two DNS server IPs to each endpoint; if a VA fails, Anycast routes the DNS queries to another VA that shares the same Anycast IP. Steps to configure Anycast on the VA are documented here.
Umbrella Active Directory Connector
Use a custom account name for the Umbrella AD Connector instead of the default OpenDNS_Connector: the default name is publicly documented and therefore easy for an attacker to target or enumerate. The account can be created before the connector is deployed and granted the required permissions; the account name is then specified during connector installation.
The Umbrella AD Connector first attempts to retrieve user and group information over LDAPS (the whole session is protected by TLS). If that fails it falls back, in order, to LDAP with Kerberos (packet-level encryption) and then to LDAP with NTLM (authentication only, no encryption). Set up LDAPS on your domain controllers, with a certificate that the connector host trusts, so that the connector retrieves this information over an encrypted channel instead of silently falling back.
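Because the fallback is silent, it is worth confirming from the connector host itself that every domain controller actually accepts LDAPS with a certificate this host trusts. The script below is an added example, not Cisco's code: it enumerates the domain controllers with the ActiveDirectory module (RSAT must be installed, and the host must be domain-joined, both assumed), opens TCP/636 to each one, negotiates TLS 1.2 only, and reports the certificate the DC presented. A connection refused means LDAPS is not configured on that DC; an AuthenticationException means the DC has a certificate, but this host does not trust it or the name does not match, which is just as fatal for the connector's LDAPS attempt.

```powershell
# Added example (not Cisco's code): verify LDAPS on every DC from the connector host's point of view.
Import-Module ActiveDirectory

function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)

    $result = [ordered]@{ DC = $HostName; Ldaps = $false; Protocol = $null; Subject = $null; NotAfter = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Default validation callback: chain must build to a trusted root and the name must match.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        # Offer TLS 1.2 only; checkCertificateRevocation = $true so a revoked DC certificate fails here too.
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Ldaps    = $true
        $result.Protocol = $ssl.SslProtocol
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter
        $ssl.Dispose()
    } catch {
        # Unwrap the .NET exception so the report shows SocketException vs AuthenticationException.
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $result.Error = '{0}: {1}' -f $ex.GetType().Name, $ex.Message
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

# Check every DC the connector could be directed to, not just the one it happens to use today.
$report = Get-ADDomainController -Filter * | ForEach-Object { Test-LdapsEndpoint -HostName $_.HostName }
$report | Format-Table -AutoSize

$broken = @($report | Where-Object { -not $_.Ldaps })
if ($broken.Count -gt 0) {
    Write-Warning ("LDAPS unusable on: {0}. The connector would fall back to LDAP/Kerberos or NTLM for these DCs." -f ($broken.DC -join ', '))
}
$expiring = @($report | Where-Object { $_.Ldaps -and $_.NotAfter -lt (Get-Date).AddDays(30) })
if ($expiring.Count -gt 0) {
    Write-Warning ("DC certificate expires within 30 days on: {0}" -f ($expiring.DC -join ', '))
}
```

Schedule this alongside certificate renewals: an expired or replaced DC certificate does not stop the connector, it only downgrades it, so nothing on the connector side will tell you that the directory data is now crossing the network without encryption.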
By default the connector stores the user and group details retrieved from the domain controllers in an .ldif file on the local disk. Because this is potentially sensitive directory information stored in plain text, restrict access to the server that runs the connector. Alternatively, at install time you can choose not to store the .ldif files locally.
The connector runs as a Windows service and does not open or close any inbound ports on the host. Run the Umbrella AD Connector service on a dedicated Windows server. As with the VA, the connector makes outbound connections over specific ports and protocols to the destinations listed here; configure your firewall to block traffic from the connector hosts to any other destination. All HTTPS communication to and from the connector uses TLS 1.2 only; older protocol versions are not used.
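On a dedicated connector server the egress restriction above can be enforced on the host itself, in addition to the network firewall. The script below is an added example, not Cisco's code: it turns Windows Firewall into an outbound allow-list. Traffic to the domain controllers is allowed on all ports because a domain member needs Kerberos, LDAP/LDAPS, SMB, RPC, DNS and time from its DCs; everything else is limited to HTTPS (TCP/443, the TLS 1.2 channel the page describes) to the Umbrella destinations and to the VAs, which only accept 443 inbound. The Umbrella and VA addresses below are placeholders in the documentation range 203.0.113.0/24 and a private range: take the real destination list from the Umbrella documentation. Run elevated, and add rules for your patching, anti-malware and management infrastructure before applying the default block, or those will stop working.

```powershell
# Added example (not Cisco's code): outbound allow-list on the connector host with Windows Firewall.
Import-Module ActiveDirectory   # for Get-ADDomainController; needs RSAT (assumed installed)

$Dcs      = (Get-ADDomainController -Filter *).IPv4Address   # real DC addresses from the domain
$Umbrella = @('203.0.113.10', '203.0.113.11')                 # PLACEHOLDERS: Umbrella destinations from the docs
$Vas      = @('10.0.0.53', '10.0.0.54')                       # PLACEHOLDERS: your VA addresses

# All rules share one group so they can be listed, audited or removed together.
$Group = 'Umbrella AD Connector egress'
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Domain controllers: allow everything; member-server traffic to DCs spans many ports and protocols.
New-NetFirewallRule -Group $Group -DisplayName 'Connector -> DCs (all)' `
    -Direction Outbound -Action Allow -RemoteAddress $Dcs | Out-Null

# Umbrella cloud: HTTPS only, matching the "TLS 1.2 over HTTPS" statement above.
New-NetFirewallRule -Group $Group -DisplayName 'Connector -> Umbrella HTTPS' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $Umbrella | Out-Null

# VAs: the VA only accepts 53 and 443 inbound, and the connector-to-VA mapping traffic is HTTPS.
New-NetFirewallRule -Group $Group -DisplayName 'Connector -> VA HTTPS' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 443 -RemoteAddress $Vas | Out-Null

# Everything else outbound is dropped. Explicit allow rules are evaluated before the profile default,
# so the rules above keep working; any built-in "Core Networking" allow rules also remain in effect.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# Record what is now permitted, for the change ticket.
Get-NetFirewallRule -Group $Group | Select-Object DisplayName, Enabled, Direction, Action | Format-Table -AutoSize
```

After applying it, re-run the connector's normal operations (group sync, a test login on a client) and watch the Windows Filtering Platform audit log for dropped outbound packets from the connector service; any drop to an address not in your lists is either a missing destination from the Umbrella documentation or traffic that has no business leaving this host.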
Cisco recommends rotating the connector account password periodically. To do so, change the account's password in Active Directory and then update the stored password with the PasswordManager tool in the connector folder, so that the service keeps authenticating with the new credential.
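The custom account recommended above and the rotation described here share one building block, a strong randomly generated password, so both are shown in one added example below (not Cisco's code). The account name, OU, group memberships and connector folder are assumptions: take the required group memberships from the Umbrella connector prerequisites, and the folder from your own installation. The PasswordManager tool is launched interactively because its command-line interface is not described on this page; the script only resets the password in AD and hands the value over.

```powershell
# Added example (not Cisco's code): dedicated connector account creation and password rotation.
Import-Module ActiveDirectory

function New-ServicePassword {
    # Characters drawn from a CSPRNG (Get-Random is not cryptographically strong).
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling: every character equally likely
    $chars = New-Object System.Collections.Generic.List[char]
    $b = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { $chars.Add($alphabet[$b[0] % $alphabet.Length]) }
    }
    -join $chars
}

function New-ConnectorAccount {
    # Creates the account under a non-default name and returns the initial password once,
    # for entry during connector installation.
    param(
        [Parameter(Mandatory)][string]$Name,      # NOT OpenDNS_Connector
        [Parameter(Mandatory)][string]$Path,      # OU distinguished name
        [string[]]$Groups = @()                   # from the Umbrella connector prerequisites
    )
    $pw = New-ServicePassword
    New-ADUser -Name $Name -SamAccountName $Name -Path $Path `
        -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
        -Enabled $true -AccountNotDelegated $true -KerberosEncryptionType AES128, AES256 `
        -Description 'Umbrella AD Connector service account'
    foreach ($g in $Groups) { Add-ADGroupMember -Identity $g -Members $Name }
    $pw
}

function Update-ConnectorPassword {
    # Step 1: reset in AD. Step 2: operator runs PasswordManager in the connector folder.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ConnectorDir
    )
    $pw = New-ServicePassword
    Set-ADAccountPassword -Identity $Name -Reset -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    Set-Clipboard -Value $pw
    Write-Host "Password reset in AD for $Name. Run the PasswordManager tool in '$ConnectorDir' and paste the new password."
    Read-Host 'Press Enter once PasswordManager has accepted the new password' | Out-Null
    Set-Clipboard -Value ''   # do not leave the secret on the clipboard
    Remove-Variable pw
}

# Usage (all values are assumptions for illustration):
# New-ConnectorAccount -Name 'svc-umbrella-adc' -Path 'OU=Service Accounts,DC=corp,DC=example' -Groups @()
# Update-ConnectorPassword -Name 'svc-umbrella-adc' -ConnectorDir 'C:\Program Files (x86)\OpenDNS\OpenDNS Connector'
```

Rotate during a maintenance window and verify afterwards that the connector service is still running and still retrieving groups; the window between the AD reset and the PasswordManager update is one in which the service cannot authenticate, which is why the two steps are kept next to each other.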
By default, the connector sends its private IP to AD user mappings to the VA in plaintext, so anyone who can capture traffic on that path can read which user is behind which address. You can configure the VA and connector to communicate over an encrypted channel per the instructions documented here. Note that certificate management and revocation are out of scope for the VA: you are responsible for ensuring that the current certificate and certificate chain are present on the VA and on the connector as applicable. Enabling the encrypted channel also carries a performance cost on both the VA and the connector.