I look forward to hearing your results from blocking port 53. What communication have you done for this so far?

Joel Coehoorn
Director of Information Technology
402.363.5603
[email protected]
The mission of York College is to transform lives through Christ-centered education and to equip students for lifelong service to God, family, and society

On Thu, Nov 19, 2015 at 2:49 PM, Randy Mahurin <[email protected]> wrote:

> Here are the comments from our Security Engineer; we've been using it for several months now:
>
> "So we've been using OpenDNS Umbrella for about 2 months now. We actually replaced our proxy server with this after some back and forth on what it gained us vs. what we lost. While we've been using it for 2 months, we only recently implemented the Virtual Appliances (VAs, talked about towards the end of this) into the mix, which really gave us more visibility.
>
> Long story real short, we've been happy with it so far and if you want any more info let me know.
>
> Pros:
>
> - We use bitsighttech.com as a 3rd party to rate us against other .edu's. We were sitting in the 600 range for quite a while, and then in July-Sept we just started getting hammered on score because of potentially exploited machines. We can track it back to pretty much the day we switched over to OpenDNS to a lot of those falling off the list. Systems still weren't cleaned at the time, but since they were no longer able to go outbound, the score hit went away and then we were able to start using Umbrella to track them down.
> - Blocks a ton of stuff that our proxy server wasn't blocking before, since now it is blocking more than just 80/8080 traffic!
> - Scheduled reports. I get a daily last-24-hr botnet report to show me systems on campus that are blocked trying to access botnet systems; we're just starting to work through this list.
>
> Cons:
>
> - They don't auto-rescan their sites. If something is blocked for malware, until someone out there using their fabric requests a site be rescanned, it doesn't happen. The first week we had 3 requests, the 2nd 3, the third 2, etc. We're probably averaging 1-2 support tickets a week on site rescans and 80-90% have come back clean and been removed. A few have come back as still infected and we didn't unblock them.
> - Blocking sites: we used to use the proxy server to block exact pages out of phishes, so http:\\somesite.com\somefolder\phishme.html; well, now the best we can do is blocking somesite.com. Looking back at 99% of the phishes we've blocked in the past 3 years, blocking the full site hasn't been an issue, but there was a site or two that this will/would have caused issues with.
>
> Other pieces
>
> - Depends on your point of view if this is a pro or a con. The virtual appliances (talked about below) auto-patch if you have 2 of them (which you'd want for redundancy). If you have a strict change management policy, you have no control over when these patch beyond giving it a time window in the middle of the night, and it does it automagically. It does one, waits for it to come back up and re-establish contact and verify functionality (somehow, a bit magically) and then it will do the other. We'll be going through this for the first time within the next month. You have to sign up to even get notices of this happening, and it was basically between 11/18 and 12/8 we'll be rolling this out. So no control over it outside of the time window you provide for it to look at doing this daily. One less thing you have to patch or schedule, but something you have no control over also.
> - Just purchased by Cisco, waiting to see what they do on cost going forward. Part of the reason we moved away from the proxies was because Cisco kept increasing the maint cost each year!
>
> If you want to make the most use out of it:
>
> 1. Roll out their Virtual Appliances and these become your primary DNS servers on campus for all of your clients (servers and workstations). They forward *.local and *.whateveryourdomain(s) are onto your other DNS servers. If you don't do this, reporting is fairly worthless as all you get is your DNS servers' IP addresses, so tracking down who may be infected is difficult depending on what type of logging you have locally. These are VMs.
> 2. Plan on changing your outbound firewall to blocking tcp/udp 53 from all systems except your primary DNS servers and the VAs in #1 at some point in the future. Basically make sure people aren't bypassing the extra security you've provided by going to Google's DNS, their home ISP, etc. We plan on making this change over Christmas break.
> 3. If an AD shop, look at rolling out their VM that ties into AD and parses DC logs for login events. If/when this is in place it will match the IPs found in #1 to who was logged onto the workstation at that time. We haven't decided when to roll this out; there are some potential gotchas/changes to our setup we'd need to do. Primarily we don't like installing new services onto DCs, so we may instead install it on a stand-alone system and then do log forwarding on to it. Haven't looked deep into this one yet, need to get through #2 first!"
>
> On Thu, Nov 19, 2015 at 1:31 PM, Hanson, Mike <[email protected]> wrote:
>
>> We use OpenDNS and like it very much. We do not use the Umbrella product though.
>>
>> I pursued the purchase of OpenDNS 5 years ago to reduce our endpoint malware infection rates. The subscription paid for itself in the first year by reducing the amount of time lost by the help desk, IT staff, and employees to infections.
>>
>> It is easy to set up and manage.
>>
>> Mike
>>
>> Mike Hanson, CISSP
>> Network Security Manager
>> The College of St. Scholastica
>> Duluth, MN 55811
>> [email protected]
>>
>> On Thu, Nov 19, 2015 at 2:09 PM, Gregg Heimer <[email protected]> wrote:
>>
>>> We are also investigating OpenDNS as a possible replacement for expensive URL filtering costs integrated into our firewall. Would also love to hear feedback.
>>>
>>> Gregg Heimer
>>> Sr. Network Engineer
>>> Montgomery County Community College
>>>
>>> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jeffrey D. Sessler
>>> Sent: Thursday, November 19, 2015 11:18 AM
>>> To: [email protected]
>>> Subject: [WIRELESS-LAN] OT - Anyone using OpenDNS Umbrella DNS security product?
>>>
>>> Bit off topic, but I'm in the process of evaluating OpenDNS' Umbrella DNS security product and looking for others that may have it deployed. So far it seems like a good addition to end-point security, but the devil is in the details. If anyone on the list is using it, I'd sure appreciate comments/feedback.
>>>
>>> Jeff
>>>
>>> --
>>> Jeffrey D Sessler
>>> Director of Information Technology
>>> Scripps College
>>>
>>> ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
>>>
>>> ------------------------------
>>>
>>> Montgomery County Community College is proud to be designated as an Achieving the Dream Leader College for its commitment to student access and success.
>
> --
> Randy Mahurin
> Office of Information Technology
> Boise State University
> 1910 University Drive, Boise, ID, 83725-1249
> Phone: (208) 426-4003
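Step #2 of the quoted procedure (block outbound tcp/udp 53 from everything except the primary DNS servers and the VAs) is easier to put in without surprises if you first audit which hosts are already resolving around the VAs. The following is an added example, not code from the thread or from OpenDNS: it parses constructed firewall flow-log lines and reports, per source, every port-53 flow leaving campus from a host that is not in the allowed resolver set. The log format, the 10.20.0.0/16 campus range and the resolver addresses are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of outbound flow records (key=value, one flow per line).
SAMPLE_LOG = """\
ts=2015-11-20T08:01:02 src=10.20.5.17 dst=10.20.0.53 proto=udp dport=53
ts=2015-11-20T08:01:05 src=10.20.0.53 dst=208.67.222.222 proto=udp dport=53
ts=2015-11-20T08:02:11 src=10.20.5.17 dst=8.8.8.8 proto=udp dport=53
ts=2015-11-20T08:02:12 src=10.20.5.17 dst=8.8.8.8 proto=tcp dport=53
ts=2015-11-20T08:03:40 src=10.20.7.99 dst=203.0.113.10 proto=udp dport=53
ts=2015-11-20T08:04:00 src=10.20.7.99 dst=93.184.216.34 proto=tcp dport=443
ts=2015-11-20T08:05:30 src=10.20.0.54 dst=208.67.220.220 proto=tcp dport=53
"""

# Assumed campus address space and the only hosts that may resolve outbound:
# the two Umbrella virtual appliances and the primary internal DNS server.
CAMPUS_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_RESOLVERS = {"10.20.0.53", "10.20.0.54", "10.20.0.10"}


def parse_flow(line):
    """Turn one 'key=value ...' log line into a dict; malformed lines give None."""
    fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
    try:
        fields["dport"] = int(fields["dport"])
        ipaddress.ip_address(fields["src"])
        ipaddress.ip_address(fields["dst"])
    except (KeyError, ValueError):
        return None
    return fields


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def find_dns_bypass(log_text):
    """Map src -> Counter(dst) for port-53 flows leaving campus from hosts other
    than ALLOWED_RESOLVERS; client-to-VA lookups and non-DNS flows are ignored."""
    bypass = {}
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] != 53 or flow.get("proto") not in ("udp", "tcp"):
            continue
        if is_internal(flow["dst"]) or flow["src"] in ALLOWED_RESOLVERS:
            continue
        bypass.setdefault(flow["src"], Counter())[flow["dst"]] += 1
    return bypass
```

Run it over a week or two of real egress logs before the change window: every source it reports is a host whose name resolution will break the moment the rule goes in, so those are the ones to repoint at the VAs (or add to the allow list) first.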
