Here are the comments from our Security Engineer; we've been using it for
several months now:

"So we've been using OpenDNS Umbrella for about 2 months now.  We actually
replaced our proxy server with this after some back and forth on what it
gained us vs what we lost.  While we've been using it for 2 months, we only
recently implemented the Virtual Appliances (VAs, talked about towards the
end of this) into the mix that really gave us more visibility.

Long story real short, we've been happy with it so far and if you want any
more info let me know.

Pros:

   - We use bitsighttech.com as a 3rd party to rate us against other
   .edu's.  We were sitting in the 600 range for quite a while, and then in
   July-Sept we just started getting hammered on score because of potentially
   exploited machines.  We can track it back to pretty much the day we
   switched over to OpenDNS to a lot of those falling off the list.  Systems
   still weren't cleaned at the time, but since they were no longer able to
   go outbound, the score hit went away and then we were able to start using
   Umbrella to track them down.
   - Blocks a ton of stuff that our proxy server wasn't blocking before,
   since now it is blocking more than just 80/8080 traffic!
   - Scheduled reports.  I get a daily last-24-hr botnet report to show me
   systems on campus that are blocked trying to access botnet systems; we're
   just starting to work through this list.


Cons:

   - They don't auto-rescan their sites; if something is blocked for
   malware, until someone out there using their fabric requests a site be
   rescanned, it doesn't happen.  The first week we had 3 requests, the 2nd 3,
   the third 2, etc.  We're probably averaging 1-2 support tickets a week on
   site rescans and 80-90% have come back clean and been removed.  A few have
   come back as still infected and we didn't unblock them.
   - Blocking sites: for us, we used to use the proxy server to block exact
   pages out of phishes, so http://somesite.com/somefolder/phishme.html;
   well, now the best we can do is blocking somesite.com.  Looking back at
   99% of the phishes we've blocked in the past 3 years, blocking the full site
   hasn't been an issue, but there was a site or two that this will/would have
   caused issues with.

Other pieces:

   - Depends on your point of view if this is a pro or a con.  The virtual
   appliances (talked about below) auto-patch if you have 2 of them (which
   you'd want for redundancy).  If you have a strict change management policy,
   you have no control over when these patch beyond giving it a time window in
   the middle of the night, and it does it automagically.  It does one, waits
   for it to come back up and re-establish contact and verify functionality
   (somehow, a bit magically) and then it will do the other.  We'll be going
   through this for the first time within the next month.  You have to sign up
   to even get notices of this happening, and it was basically between 11/18
   and 12/8 we'll be rolling this out.  So no control over it outside of
   the time window you provide for it to look at doing this daily.  One less
   thing you have to patch or schedule, but something you have no control over
   also.
   - Just purchased by Cisco; waiting to see what they do on cost going
   forward.  Part of the reason we moved away from the proxies was because
   Cisco kept increasing the maint cost each year!



If you want to make the most use out of it:
1.  Roll out their Virtual Appliances and these become your primary DNS
servers on campus for all of your clients (servers and workstations).  They
forward *.local and *.whateveryourdomain(s) are on to your other DNS
servers.  If you don't do this, reporting is fairly worthless, as all you
get is your DNS servers' IP addresses, so tracking down who may be infected
is difficult depending on what type of logging you have locally.  These are
VMs.
2.  Plan on changing your outbound firewall to block tcp/udp 53 from all
systems except your primary DNS servers and the VAs in #1 at some point in
the future.  Basically make sure people aren't bypassing the extra security
you've provided by going to Google's DNS, their home ISP, etc.  We plan on
making this change over Christmas break.
3.  If an AD shop, look at rolling out their VM that ties into AD and
parses DC logs for login events.  If/when this is in place it will match
the IPs found in #1 to who was logged onto the workstation at that time.
We haven't decided when to roll this out; there are some potential
gotchas/changes to our setup we'd need to do.  Primarily we don't like
installing new services onto DCs, so we may instead install it on a stand-alone
system and then do log forwarding on to it.  Haven't looked deep into
this one yet, need to get through #2 first!"

On Thu, Nov 19, 2015 at 1:31 PM, Hanson, Mike <[email protected]> wrote:

> We use OpenDNS and like it very much. We do not use the Umbrella product
> though.
>
> I pursued the purchase of OpenDNS 5 years ago to reduce our endpoint
> malware infection rates. The subscription paid for itself in the first year
> by reducing the amount of time lost by the help desk, IT staff, and
> employees to infections.
>
> It is easy to set up and manage.
>
> Mike
>
> Mike Hanson, CISSP
> Network Security Manager
> The College of St. Scholastica
> Duluth, MN 55811
> [email protected]
>
>
>
> On Thu, Nov 19, 2015 at 2:09 PM, Gregg Heimer <[email protected]> wrote:
>
>> We are also investigating OpenDNS as a possible replacement for expensive
>> URL filtering costs integrated into our firewall.  Would also love to hear
>> feedback.
>>
>> Gregg Heimer
>>
>> Sr. Network Engineer
>>
>> Montgomery County Community College
>>
>> *From:* The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
>> [email protected]] *On Behalf Of *Jeffrey D. Sessler
>> *Sent:* Thursday, November 19, 2015 11:18 AM
>> *To:* [email protected]
>> *Subject:* [WIRELESS-LAN] OT - Anyone using OpenDNS Umbrella DNS
>> security product?
>>
>> Bit off topic, but I’m in the process of evaluating OpenDNS’ Umbrella DNS
>> security product and looking for others that may have it deployed. So far
>> it seems like a good addition to end-point security, but the devil is in
>> the details. If anyone on the list is using it, I’d sure appreciate
>> comments/feedback.
>>
>> Jeff
>>
>> --
>>
>> Jeffrey D Sessler
>>
>> Director of Information Technology
>>
>> Scripps College
>>
>> ********** Participation and subscription information for this EDUCAUSE
>> Constituent Group discussion list can be found at
>> http://www.educause.edu/groups/.
>>
>> Montgomery County Community College is proud to be designated as an
>> Achieving the Dream Leader College for its commitment to student access and
>> success.
>


-- 
Randy Mahurin
Office of Information Technology
Boise State University
1910 University Drive, Boise, ID, 83725-1249
Phone: (208) 426-4003
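Added example, not part of the thread above and not OpenDNS/Umbrella code: a small Python model of rollout steps #1 and #2 from the security engineer's notes. It does the conditional forwarding the Virtual Appliances are described as doing (internal zones such as *.local and the campus domain go to the existing DNS servers, everything else to the upstream resolver), evaluates outbound flows against the "only the primary DNS servers and the VAs may talk on tcp/udp 53" egress policy, and renders that policy as an nftables ruleset for review. All IPs, zone names and the interface name are constructed placeholders; the ruleset is text only and is never applied.

```python
"""Model of the Umbrella rollout steps from the thread (added example).

Step 1: VAs forward internal zones to the campus DNS servers, all else upstream.
Step 2: the egress firewall drops port-53 traffic from anything that is not a
designated resolver, so clients cannot bypass the filter via a public resolver.
"""
import ipaddress

# Step 1 (constructed values): zones the VAs forward internally; any other name
# goes to the upstream resolver, represented here by a placeholder label.
INTERNAL_ZONES = {
    "local": "10.0.0.10",           # *.local -> internal DNS server (placeholder)
    "campus.example": "10.0.0.10",  # the campus AD domain (placeholder)
}
UPSTREAM = "upstream-resolver"      # placeholder label, not a real address


def forward_target(qname, zones=INTERNAL_ZONES, default=UPSTREAM):
    """Return where a query for `qname` is forwarded, using longest-suffix match.

    Candidate suffixes are tried from the full name downwards, so the first hit
    is the most specific configured zone; names matching no zone go upstream.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zones:
            return zones[suffix]
    return default


# Step 2 (constructed values): the internal DNS servers and the VA addresses.
ALLOWED_RESOLVERS = [
    ipaddress.ip_network(n) for n in ("10.0.0.10/32", "10.0.0.11/32", "10.0.1.0/30")
]


def egress_decision(src_ip, proto, dport, allowed=ALLOWED_RESOLVERS):
    """Return 'allow' or 'drop' for an outbound flow under the port-53 policy.

    Only DNS (tcp/udp 53) is in scope; other traffic is passed through untouched.
    A DNS flow is allowed only if its source is one of the designated resolvers.
    """
    if proto not in ("tcp", "udp") or dport != 53:
        return "allow"
    src = ipaddress.ip_address(src_ip)
    return "allow" if any(src in net for net in allowed) else "drop"


def render_nft_rules(allowed=ALLOWED_RESOLVERS, ifname="eth0"):
    """Render the same policy as an nftables ruleset (text only, not applied).

    Resolver traffic is accepted first; any other DNS leaving the interface is
    logged with a recognisable prefix (handy for finding bypass attempts before
    the rule goes live) and dropped.
    """
    elements = ", ".join(str(n) for n in allowed)
    lines = [
        "table inet dns_egress {",
        "  set resolvers { type ipv4_addr; flags interval; elements = { " + elements + " } }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f'    oifname "{ifname}" ip saddr @resolvers meta l4proto {{ tcp, udp }} th dport 53 accept',
        f'    oifname "{ifname}" meta l4proto {{ tcp, udp }} th dport 53 log prefix "dns-bypass " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for q in ("dc1.campus.example", "printer.local", "cdn.example.net"):
        print(f"{q:25} -> {forward_target(q)}")
    # Constructed sample flows: a resolver, a workstation going to a public
    # resolver directly, and ordinary HTTPS traffic from the same workstation.
    for flow in (("10.0.0.10", "udp", 53), ("10.20.5.7", "udp", 53), ("10.20.5.7", "tcp", 443)):
        print(flow, "->", egress_decision(*flow))
    print(render_nft_rules())
```

Running the drop rule as log-only first (dropping the `drop` keyword) for a week gives the list of hosts that are still hard-coded to an outside resolver, which is the "who is bypassing it" question the notes raise, before the change-window cutover actually breaks them.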
