Luke, as I’m only a couple of days into the trial, it’s the dashboard, reports, 
and data analysis in OpenDNS Umbrella that seem to be the value-add. I imagine 
one could recreate it, but for the cost I’ve been quoted for the product, there 
is no incentive to reinvent the wheel. The other plus (why I looked at it in 
the first place), is that Cisco plans to integrate this with their other 
products e.g. AMP Threat Grid, ASA, Ironport, etc.

Here is an unexpected plus I discovered. One of the reports is for “cloud 
services”, and while at first I thought it only an interesting bit of 
statistics data, it uncovered something I was totally unaware of. That is, that 
I have users (likely students) that are using the Hola P2P VPN client. If 
you’re not familiar with this client, in addition to being a VPN client, it 
also acts as a traffic exit node for other Hola customers (paid and free) i.e. 
I now have unknown people transiting data via our network. Not sure yet how 
we’ll address this.

Jeff

From: [email protected] on behalf of Luke Whitworth <[email protected]>
Reply-To: [email protected]
Date: Friday, November 20, 2015 at 12:42 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] OT - Anyone using OpenDNS Umbrella DNS security product?

Just wondering if anyone has done a comparison of what OpenDNS offers over and 
above just using DNS RPZ internally (obviously fed by a third-party list of 
known malware sites)?  I had a look a while ago and it was clearly a more 
turnkey solution than configuring BIND and then setting up a dashboard in 
something like Elasticsearch/Kibana to parse the logs and give actionable data; 
just wondering if there was anything else that sold people on it.

Cheers,

Luke
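
As an added example of the do-it-yourself route Luke describes (this is not code from any poster, from OpenDNS or from BIND), here is a small Python script that turns a third-party blocklist into a BIND response-policy zone. The feed text, the zone name `rpz.local` and the allow-list entries are constructed for the example; a real feed would be fetched and refreshed on a schedule. It also shows the same limitation the thread raises for Umbrella: RPZ matches DNS names, so a feed entry that names a specific page collapses to blocking the whole host.

```python
"""Build a BIND response-policy zone (RPZ) from a third-party blocklist.

Added example for this thread, not code from any poster or from OpenDNS/BIND.
The feed below is constructed; a real feed would be fetched and refreshed on a
schedule and the zone reloaded with `rndc reload rpz.local`.
"""
import re
import time
from typing import Optional

# Constructed sample feed: one entry per line, '#' comments, some junk entries.
SAMPLE_FEED = """\
# sample malware feed (constructed for this example)
evil-malware.example
  Evil-Malware.example   # duplicate after normalisation
c2.badhost.example
not a domain!
localhost
payroll-update.example/login.html
"""

# Names an RPZ must never rewrite, whatever the feed says (assumed local allow-list).
ALLOW = {"localhost", "example.edu", "opendns.com"}

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(entry: str) -> Optional[str]:
    """Return a lower-case hostname, or None if the entry is unusable as an RPZ trigger."""
    entry = entry.split("#", 1)[0].strip().lower().rstrip(".")
    if "/" in entry:
        # A URL with a path: RPZ matches DNS names only, so the whole host is blocked.
        entry = entry.split("/", 1)[0]
    if not entry or "." not in entry:
        return None
    if not all(_LABEL.match(label) for label in entry.split(".")):
        return None
    return entry


def is_allowed(name: str) -> bool:
    """True if name or any parent domain of it is on the allow-list."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in ALLOW for i in range(len(parts)))


def parse_feed(text: str) -> list:
    """Normalise, de-duplicate and allow-list-filter a feed; returns sorted names."""
    seen = set()
    for line in text.splitlines():
        name = normalise(line)
        if name and not is_allowed(name):
            seen.add(name)
    return sorted(seen)


def build_rpz(names, zone: str = "rpz.local", serial: Optional[int] = None) -> str:
    """Render an RPZ zone file: each name and all its subdomains get NXDOMAIN (CNAME .).

    Other RPZ actions you may want instead: 'CNAME *.' (NODATA), or
    'CNAME rpz-passthru.' to exempt a name that a later, broader rule would hit.
    """
    serial = serial if serial is not None else int(time.time())
    lines = [
        "$TTL 300",
        f"@ IN SOA {zone}. hostmaster.{zone}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    for name in names:
        lines.append(f"{name} CNAME .")      # QNAME trigger: exact name
        lines.append(f"*.{name} CNAME .")    # and every subdomain
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz(parse_feed(SAMPLE_FEED), serial=2015112001))
```

The generated file is loaded by adding `response-policy { zone "rpz.local"; };` to the `options` block of `named.conf` together with a matching `zone "rpz.local" { type master; file "/path/to/rpz.local.db"; };`. Bump the serial on every regeneration or BIND will keep serving the old zone; the allow-list check walks parent domains so a feed that lists a host under your own domain cannot black-hole it.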

On 19/11/15 21:30, Randy Mahurin wrote:
We are too, could be interesting.  We are still working on the communication.  
We typically add these types of changes to our daily campus newsletter, help 
desk webpage, and group emails to support staff.

On Thu, Nov 19, 2015 at 2:02 PM, Coehoorn, Joel <[email protected]> wrote:
I look forward to hearing your results from blocking port 53. What 
communication have you done for this so far?



Joel Coehoorn
Director of Information Technology
402.363.5603
[email protected]




The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Thu, Nov 19, 2015 at 2:49 PM, Randy Mahurin <[email protected]> wrote:
Here are the comments from our Security Engineer, we've been using it for 
several months now:

"So we've been using OpenDNS Umbrella for about 2 months now.  We actually 
replaced our proxy server with this after some back and forth on what it gained 
us vs what we lost.  While we've been using it for 2 months, we only recently 
implemented the Virtual Appliances (VAs, talked about towards the end of this) 
into the mix, which really gave us more visibility.

Long story real short, we've been happy with it so far and if you want any more 
info let me know.

Pros:

  *   We use bitsighttech.com as a 3rd party to rate 
us against other .edu's.  We were sitting in the 600 range for quite a while, 
and then in July-Sept we just started getting hammered on score because of 
potentially exploited machines.  We can track a lot of those falling off the 
list back to pretty much the day we switched over to OpenDNS.  Systems still 
weren't cleaned at the time, but since they were no longer able to go 
outbound, the score hit went away and then we were able to start using Umbrella 
to track them down.
  *   Blocks a ton of stuff that our proxy server wasn't blocking before since 
now it is blocking more than just 80/8080 traffic!
  *   Scheduled reports.  I get a daily last 24 hr botnet report to show me 
systems on campus that are blocked trying to access botnet systems, we're just 
starting to work through this list.

Cons:

  *   They don't auto-rescan their sites; if something is blocked for malware, 
until someone out there using their fabric requests that a site be rescanned, it 
doesn't happen. The first week we had 3 requests, the 2nd 3, the third 2, 
etc...  We're probably averaging 1-2 support tickets a week on site rescans 
and 80-90% have come back clean and been removed. A few have come back as still 
infected and we didn't unblock them.
  *   Blocking sites: we used to use the proxy server to block exact 
pages out of phishes, e.g. http://somesite.com/somefolder/phishme.html.  Well, now 
the best we can do is block somesite.com.  Looking 
back at 99% of the phishes we've blocked in the past 3 years, blocking the full 
site wouldn't have been an issue, but there were a site or two that this will/would 
have caused issues with.

Other pieces

  *   Depends on your point of view if this is a pro or a con.  The virtual 
appliances (talked about below) auto-patch if you have 2 of them (which you'd 
want for redundancy).  If you have a strict change management policy, you have 
no control over when these patch beyond giving it a time window in the middle 
of the night, and it does it automagically.  It does one, waits for it to come 
back up, re-establish contact and verify functionality (somehow, a bit 
magically) and then it will do the other.  We'll be going through this for the 
first time within the next month.  You have to sign up to even get notices of 
this happening, and it was basically between 11/18 and 12/8 that we'll be rolling 
this out.  So no control over it outside of the time window you provide for it 
to look at doing this daily.  One less thing you have to patch or schedule, but 
something you have no control over also.
  *   Just purchased by Cisco, waiting to see what they do on cost going 
forward.  Part of the reason we moved away from the proxies was because Cisco 
kept increasing the maint cost each year!


If you want to make the most use out of it:
1.  Roll out their Virtual Appliances and make these your primary DNS servers 
on campus for all of your clients (servers and workstations).  They forward 
*.local and *.whateveryourdomain(s) on to your other DNS servers.  If you 
don't do this, reporting is fairly worthless as all you get is your DNS servers' 
IP addresses, so tracking down who may be infected is difficult depending on 
what type of logging you have locally.  These are VMs.
2.  Plan on changing your outbound firewall to block tcp/udp 53 from all 
systems except your primary DNS servers and the VAs in #1 at some point in the 
future.  Basically make sure people aren't bypassing the extra security you've 
provided by going to Google's DNS, their home ISP, etc.  We plan on making this 
change over Christmas break.
3.  If an AD shop, look at rolling out their VM that ties into AD and parses DC 
logs for login events.  If/when this is in place it will match the IPs found in 
#1 to who was logged onto the workstation at that time.  We haven't decided 
when to roll this out; there are some potential gotchas/changes to our setup 
we'd need to do.  Primarily we don't like installing new services onto DCs, so 
we may instead install it on a standalone system and then do log forwarding on 
to it.  Haven't looked deep into this one yet, need to get through #2 first!"
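
Steps 1 and 2 above amount to a default-deny egress policy for port 53 plus a way to find the hosts that are still resolving around it. The following Python is an added example for this thread (not code from the security engineer, from any poster or from OpenDNS) that audits a firewall/flow export for internal hosts talking DNS directly to the Internet and renders the matching iptables rules. The resolver addresses, the 10.0.0.0/8 campus range, the log format and the flow records are all constructed; only the sanctioned sources (VAs and the internal DNS servers they forward to) are permitted outbound on 53.

```python
"""Audit a firewall/flow export for DNS traffic that bypasses the sanctioned resolvers.

Added example for this thread, not code from any poster or from OpenDNS.
The addresses, the log format and the flow records are all constructed;
adapt FLOW_RE to whatever your firewall actually exports.
"""
import re
from collections import defaultdict

# Sanctioned port-53 talkers: the Umbrella VAs and the internal DNS servers they
# forward internal zones to. Addresses are assumptions for this example.
ALLOWED_DNS_SOURCES = {"10.0.0.53", "10.0.0.54", "10.0.1.10", "10.0.1.11"}

# Constructed flow records: one line per flow, src/dst/proto/dport fields.
SAMPLE_FLOWS = """\
2015-11-20T09:00:01 src=10.0.0.53 dst=208.67.222.222 proto=udp dport=53
2015-11-20T09:00:02 src=10.20.4.17 dst=8.8.8.8 proto=udp dport=53
2015-11-20T09:00:03 src=10.20.4.17 dst=8.8.4.4 proto=tcp dport=53
2015-11-20T09:00:04 src=10.20.9.2 dst=10.0.0.53 proto=udp dport=53
2015-11-20T09:00:05 src=10.20.7.8 dst=192.0.2.9 proto=udp dport=53
2015-11-20T09:00:06 src=10.20.7.8 dst=203.0.113.5 proto=tcp dport=443
2015-11-20T09:00:07 src=10.0.1.10 dst=208.67.220.220 proto=udp dport=53
"""

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def parse_flow(line: str):
    """Extract src, dst, proto and dport from one record; None if the line doesn't match."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def is_internal(ip: str) -> bool:
    """Campus address space; 10.0.0.0/8 is an assumption for this example."""
    return ip.startswith("10.")


def find_dns_bypass(log_text: str, allowed=ALLOWED_DNS_SOURCES) -> dict:
    """Map each internal host that sent port-53 traffic straight to the Internet
    (and is not a sanctioned resolver) to the sorted list of external resolvers it used."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow["dport"] != 53:
            continue
        # Client -> VA traffic stays internal and is exactly what we want; skip it.
        if not is_internal(flow["src"]) or is_internal(flow["dst"]):
            continue
        if flow["src"] in allowed:
            continue
        hits[flow["src"]].add(flow["dst"])
    return {src: sorted(dsts) for src, dsts in hits.items()}


def egress_rules(allowed=ALLOWED_DNS_SOURCES) -> list:
    """Render the matching default-deny egress policy as iptables commands, in order:
    permit the sanctioned sources, then log and drop every other outbound port-53 flow."""
    rules = []
    for ip in sorted(allowed):
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -s {ip} -p {proto} --dport 53 -j ACCEPT")
    for proto in ("udp", "tcp"):
        rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -j LOG --log-prefix 'DNS-BYPASS '")
        rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    for src, resolvers in sorted(find_dns_bypass(SAMPLE_FLOWS).items()):
        print(f"{src} resolving directly via {', '.join(resolvers)}")
    print("\n".join(egress_rules()))
```

Run the audit against a few days of flow data before turning on the DROP rules so the hosts with hard-coded resolvers (printers, appliances, lab images) can be fixed or added to the allow-list first; the LOG rule then gives you an ongoing list of anything that still tries. The check only sees port 53: a client that resolves over HTTPS on 443 or tunnels everything through a VPN is invisible to it and to the Umbrella reports alike, and needs a different control.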

On Thu, Nov 19, 2015 at 1:31 PM, Hanson, Mike <[email protected]> wrote:
We use OpenDNS and like it very much. We do not use the Umbrella product though.

I pursued the purchase of OpenDNS 5 years ago to reduce our endpoint malware 
infection rates. The subscription paid for itself in the first year by reducing 
the amount of time lost by the help desk, IT staff, and employees to infections.

It is easy to set up and manage.

Mike

Mike Hanson, CISSP
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
[email protected]



On Thu, Nov 19, 2015 at 2:09 PM, Gregg Heimer <[email protected]> wrote:
We are also investigating OpenDNS as a possible replacement for expensive URL 
filtering costs integrated into our firewall.  Would also love to hear feedback.

Gregg Heimer
Sr. Network Engineer
Montgomery County Community College

From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, November 19, 2015 11:18 AM
To: [email protected]
Subject: [WIRELESS-LAN] OT - Anyone using OpenDNS Umbrella DNS security product?

Bit off topic, but I’m in the process of evaluating OpenDNS’ Umbrella DNS 
security product and looking for others that may have it deployed. So far it 
seems like a good addition to end-point security, but the devil is in the 
details. If anyone on the list is using it, I’d sure appreciate 
comments/feedback.

Jeff

--
Jeffrey D Sessler
Director of Information Technology
Scripps College

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at http://www.educause.edu/groups/.

________________________________

Montgomery County Community College is proud to be designated as an Achieving 
the Dream Leader College for its commitment to student access and success.



--
Randy Mahurin
Office of Information Technology
Boise State University
1910 University Drive, Boise, ID, 83725-1249
Phone: (208) 426-4003