Cisco's decided that the network perimeter is the wrong place for a Web gateway, so it's floating one into the cloud.
Switchzilla, bowing to the inevitable decomposition of products into software, is pouring scorn on hardware gateways as inadequate and insecure as part of the pitch for its new "Umbrella" product.
As a cloud-based secure internet gateway (SIG), Umbrella “stops current and emergent threats over all ports and protocols for the most comprehensive coverage. It blocks access to malicious domains, URLs, IPs, and files before a connection is ever established or a file downloaded.”
That, quoth Cisco, sets Umbrella apart because the typical perimeter Web inspection proxy (to quote from the company's download-with-registration white paper) “only gives insight into web-based threats over ports 80 and 443” and don't catch things like malware command-and-control callbacks.
Umbrella is, in essence, Cisco's Web application-level protection software integrated with its 2015 OpenDNS acquisition.
There are two other problems the company points to as falling outside a product deployed at the enterprise gateway: companies no longer “trombone” their branch office traffic to head office for Internet access; and individuals working remotely probably don't VPN to head office for Internet access.
For both these use-cases, Cisco reckons clouding the gateway is the answer. Instead of users suffering the performance penalty of shipping all their traffic through head office, Umbrella decentralises the security services they need.
Here's the checkbox list Cisco offers for Umbrella:
- ”Visibility and enforcement on and off the corporate network, even when users are off the VPN and without backhauling all traffic to the corporate network;
- ”Protection against threats over all ports and protocols;
- ”Proxy-based inspection of web traffic and file inspection with AV engines and behavioural sandboxing;
- ”Live threat intelligence derived from global internet activity analysed in real-time, with updates enforced everywhere within minutes;
- ”Open platform with a bidirectional API to integrate with your existing security stack;
- Discovery and control of SaaS applications.
SaaS discovery is delivered by integration with Cisco's CloudLock platform.
To make the rollout painless for users, Umbrella uses Anycast routing: “every data centre announces the same IP address so that requests are transparently sent to the fastest available with automated failover to maintain 100 percent uptime.”
Not to mention that it's a lot easier to direct users through a security system via DNS addressing than asking them to remember to click on a VPN application before they connect.
Of course, if the software's running in the cloud, it's a lot easier to fix a chip-level product problem, but that's probably another story ... ®