MX and Umberella SIG

SOLVED
taikuritaipale
Here to help


Does anyone know anything about this? As far as I know, MXs can't really do TLS encryption; even though that is possible with beta firmware, it's not really efficient because it can degrade performance by up to 95% or something like that.

I would really like to hear more about this Umbrella SIG possibility with Meraki.

Accepted solution

CptnCrnch
Kind of a big deal

MX can be integrated with Umbrella SIG, but you'll have to get Meraki support involved to set up the required tunnels.

The bigger "issue" here is that Umbrella SIG is not fully implemented yet, e.g. the Layer 7 firewall is not there yet. TLS decryption can be "offloaded" to Umbrella though, which makes perfect sense because doing this on the MX itself is not that much of a good idea (as you already mentioned).


Thanks for the quick reply! So we only need to buy Umbrella licenses and try this with Meraki support? I would at least like to know how it works, to be ready when it's completely implemented. I cannot find any documentation about this yet, at least from the Meraki side.

CptnCrnch
Kind of a big deal

Unfortunately, the mentioned documentation (as concise as it is) doesn't refer to Umbrella SIG. The trick with it is that you're not "only" transparently offloading DNS queries to the cloud but building up tunnels to shift actual data traffic out to Umbrella.

Up there you're (currently) able to have a "Cloud Firewall" or Proxy in place that will take care of that traffic.

I've had the chance to play around with this on an ISR, unfortunately not an MX, but the process (apart from configuring the MX together with Meraki support) isn't any different.

You would be better off to use the Umbrella Roaming Agent on the computers, which does support TLS inspection.

https://support.umbrella.com/hc/en-us/articles/230901168-Umbrella-Roaming-Client-How-it-Works-on-You... 

The difference is that the Roaming Client (or the AnyConnect module) will do DNS inspection and perform tunneling of user data only for the "Intelligent Proxy" part. This way, only "unknown" traffic will be inspected more deeply, which clearly is a more lightweight option.

There's a fair share of customers that require deeper insight into and control over their clients' traffic, and this is where SIG comes into play.

Don't get me wrong: Umbrella is a frickin' great and especially easy security tool, and SIG adds way more complexity to it. Everything added by this functionality is not only bloat but fulfills customers' requirements.

That is not correct. The Umbrella Roaming Agent defaults to inspecting all TLS traffic. You have to specifically configure it to not inspect traffic classes.

It does give you deep insight and control.

PS: I'm using the Umbrella Roaming client.

I tend to disagree here @PhilipDAth, but perhaps I'm not getting your point right. The Roaming client will only do DNS-layer enforcement (as long as you don't add IP-layer enforcement on top of it). It will never relay user traffic through Umbrella as long as it's not dependent on the Intelligent Proxy functionality, but this is for a limited set of traffic only.

My actual point is: without SIG, you'll never see all user traffic in Umbrella because of how it works. See above: Umbrella was originally meant to operate on DNS queries 90% of the time, as long as Intelligent Proxy was not involved.

With SIG, you're actually relaying all traffic through Umbrella to have the Cloud Firewall / Proxy in place.
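The disagreement in the last few posts comes down to which traffic each deployment mode lets Umbrella see and inspect. The following is an added conceptual model, not code from the thread, from Cisco or from Meraki: it assumes three modes (DNS-layer only, DNS-layer plus Intelligent Proxy for "grey" domains, and SIG tunnelling everything), a made-up category table, and a handful of constructed flows, and reports for each mode how many flows Umbrella sees at all and how many get payload-level inspection. The hostnames, categories and the `Mode`/`Flow`/`Verdict` names are all illustrative.

```python
"""Conceptual model of Umbrella enforcement modes (constructed example, not vendor code)."""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DNS_LAYER = "dns-layer"                  # Roaming Client / DNS forwarding only
    INTELLIGENT_PROXY = "intelligent-proxy"  # DNS-layer plus proxying of "grey" domains
    SIG = "sig"                              # all traffic tunnelled to cloud firewall/proxy


@dataclass(frozen=True)
class Flow:
    host: str          # hostname or literal IP the client connects to
    port: int
    uses_dns: bool = True  # a flow to a raw IP never touches the resolver


@dataclass(frozen=True)
class Verdict:
    action: str              # "block", "direct", "proxy" or "tunnel"
    seen_by_umbrella: bool   # Umbrella has any record of this flow at all
    inspected: bool          # payload (e.g. decrypted TLS) is examined in the cloud


# Constructed category table; real verdicts come from the Umbrella policy, not from here.
CATEGORY = {
    "mail.example.com": "known_good",
    "cdn-unknown.example.net": "grey",
    "malware.example.org": "blocked",
}


def evaluate(flow: Flow, mode: Mode) -> Verdict:
    """Decide what happens to one flow under the given enforcement mode."""
    cat = CATEGORY.get(flow.host, "grey")  # unknown hosts are treated as grey

    if mode is Mode.SIG:
        # Everything rides the tunnel, so the cloud firewall/proxy sees and can inspect it,
        # including connections made directly to IP addresses.
        return Verdict("block" if cat == "blocked" else "tunnel", True, True)

    if not flow.uses_dns:
        # DNS-layer modes only observe resolver queries: raw-IP flows are invisible.
        return Verdict("direct", False, False)

    if cat == "blocked":
        # Blocked at resolution time; the payload is never sent, hence never inspected.
        return Verdict("block", True, False)

    if mode is Mode.INTELLIGENT_PROXY and cat == "grey":
        # Only grey domains are redirected to the proxy for deeper inspection.
        return Verdict("proxy", True, True)

    # The DNS query is logged, but the data path goes straight to the destination.
    return Verdict("direct", True, False)


# Constructed sample traffic (documentation/TEST-NET addresses only).
FLOWS = [
    Flow("mail.example.com", 443),
    Flow("cdn-unknown.example.net", 443),
    Flow("malware.example.org", 80),
    Flow("203.0.113.7", 8443, uses_dns=False),
]


def coverage(flows: list[Flow], mode: Mode) -> float:
    """Fraction of flows whose payload Umbrella inspects under this mode."""
    verdicts = [evaluate(f, mode) for f in flows]
    return sum(v.inspected for v in verdicts) / len(verdicts)


def visibility(flows: list[Flow], mode: Mode) -> float:
    """Fraction of flows Umbrella sees at all (DNS log, proxy log or tunnel) under this mode."""
    verdicts = [evaluate(f, mode) for f in flows]
    return sum(v.seen_by_umbrella for v in verdicts) / len(verdicts)


if __name__ == "__main__":
    for mode in Mode:
        print(f"{mode.value:18s} seen={visibility(FLOWS, mode):.2f} inspected={coverage(FLOWS, mode):.2f}")
```

Running the model shows the point made in the thread: in DNS-layer mode nothing is payload-inspected and a raw-IP connection is not even seen; Intelligent Proxy adds inspection only for the grey domain; SIG is the only mode in which every flow, including the raw-IP one, is both visible and inspectable.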
