Cheers for that Jeff, very much appreciated. Very interesting about the Hola traffic too; I'd be interested to hear how you end up addressing it.

Luke

On 20/11/15 15:07, Jeffrey D. Sessler wrote:
Luke, as I’m only a couple of days into the trial, it’s the dashboard, reports, and data analysis in OpenDNS Umbrella that seem to be the value-add. I imagine one could recreate it, but for the cost I’ve been quoted for the product, there is no incentive to reinvent the wheel. The other plus (why I looked at it in the first place) is that Cisco plans to integrate this with their other products, e.g. AMP Threat Grid, ASA, IronPort, etc.

Here is an unexpected plus I discovered. One of the reports is for “cloud services”, and while at first I thought it only an interesting bit of statistics data, it uncovered something I was totally unaware of. That is, that I have users (likely students) that are using the Hola P2P VPN client. If you’re not familiar with this client, in addition to being a VPN client, it also acts as a traffic exit node for other Hola customers (paid and free), i.e. I now have unknown people transiting data via our network. Not sure yet how we’ll address this.

Jeff

From: "[email protected]" <[email protected]> on behalf of Luke Whitworth <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Friday, November 20, 2015 at 12:42 AM
To: "[email protected]" <[email protected]>
Subject: Re: [WIRELESS-LAN] OT - Anyone using OpenDNS Umbrella DNS security product?

Just wondering if anyone has done a comparison of what OpenDNS offers over and above just using DNS RPZ internally (obviously fed by a third-party list of known malware sites)? I had a look a while ago and it was clearly a more turnkey solution than configuring BIND and then setting up a dashboard in something like Elasticsearch/Kibana to parse the logs and give actionable data; just wondering if there was anything else that sold people on it.

Cheers,

Luke

On 19/11/15 21:30, Randy Mahurin wrote:
We are too, could be interesting. We are still working on the communication. We typically add these types of changes to our daily campus newsletter, help desk webpage, and group emails to support staff.

On Thu, Nov 19, 2015 at 2:02 PM, Coehoorn, Joel <[email protected]> wrote:

    I look forward to hearing your results from blocking port 53.
    What communication have you done for this so far?


    Joel Coehoorn
    Director of Information Technology
    402.363.5603
    [email protected]


    The mission of York College is to transform lives through
    Christ-centered education and to equip students for lifelong
    service to God, family, and society

    On Thu, Nov 19, 2015 at 2:49 PM, Randy Mahurin
    <[email protected]> wrote:

        Here are the comments from our Security Engineer, we've been
        using it for several months now:

        "So we've been using OpenDNS Umbrella for about 2 months
        now.  We actually replaced our proxy server with this after
        some back and forth on what it gained us vs what we lost.
        While we've been using it for 2 months, we only recently
        implemented the Virtual Appliances (VAs, talked about
        towards the end of this) into the mix, which really gave us
        more visibility.

        Long story real short, we've been happy with it so far and if
        you want any more info let me know.

        Pros:

          * We use bitsighttech.com as a
            3rd party to rate us against other .edu's.  We were
            sitting in the 600 range for quite a while, and then in
            July-Sept we just started getting hammered on score
            because of potentially exploited machines.  We can track
            a lot of those falling off the list back to pretty much
            the day we switched over to OpenDNS.  Systems
            still weren't cleaned at the time, but since they were
            no longer able to go outbound, the score hit went away
            and then we were able to start using Umbrella to track
            them down.
          * Blocks a ton of stuff that our proxy server wasn't
            blocking before since now it is blocking more than just
            80/8080 traffic!
          * Scheduled reports.  I get a daily last 24 hr botnet
            report to show me systems on campus that are blocked
            trying to access botnet systems, we're just starting to
            work through this list.


        Cons:

          * They don't auto-rescan their sites. If something is
            blocked for malware, until someone out there using their
            fabric requests a site be rescanned, it doesn't happen.
            The first week we had 3 requests, the 2nd 3, the third 2,
            etc...  We're probably averaging 1-2 support tickets a
            week on site rescans and 80-90% have come back clean and
            been removed. A few have come back as still infected and
            we didn't unblock them.
          * Blocking sites: we used to use the proxy server to
            block exact pages out of phishes, so
            http://somesite.com/somefolder/phishme.html; well, now
            the best we can do is blocking somesite.com.
            Looking back at 99% of the
            phishes we've blocked in the past 3 years, blocking the
            full site hasn't been an issue, but there was a site or
            two that this will/would have caused issues with.

        Other pieces

          * Depends on your point of view if this is a pro or a con.
            The virtual appliances (talked about below) auto-patch if
            you have 2 of them (which you'd want for redundancy).  If
            you have a strict change management policy, you have no
            control over when these patch beyond giving it a time
            window in the middle of the night and it does it
            automagically.  It does one, waits for it to come back up
            and re-establish contact and verify functionality (somehow,
            bit magically) and then it will do the other.  We'll be
            going through this for the first time within the next
            month.  You have to sign up to even get notices of this
            happening and it was basically between 11/18 and 12/8
            we'll be rolling this out.  So no control over it outside
            of the time window you provide for it to look at doing
            this daily.  One less thing you have to patch or
            schedule, but something you have no control over also.
          * Just purchased by Cisco, waiting to see what they do on
            cost going forward.  Part of the reason we moved away
            from the proxies was because Cisco kept increasing the
            maint cost each year!



        If you want to make the most use out of it:
        1.  Roll out their Virtual Appliances and these become your
        primary DNS servers on campus for all of your clients
        (servers and workstations).  They forward *.local and
        *.whateveryourdomain(s) are onto your other DNS servers.  If
        you don't do this, reporting is fairly worthless as all you
        get is your DNS servers IP addresses, so tracking down who
        may be infected is difficult depending on what type of
        logging you have locally.  These are VMs.
        2.  Plan on changing your outbound firewall to blocking
        tcp/udp 53 from all systems except your Primary DNS servers
        and the VA's in #1 at some point in the future.  Basically
        make sure people aren't bypassing the extra security you've
        provided by going to google's DNS, their home ISP, etc.  We
        plan on making this change over Christmas break.
        3.  If an AD shop, look at rolling out their VM that ties
        into AD and parses DC logs for login events.  If/when this is
        in place it will match the IPs found in #1 to who was logged
        onto the workstation at that time.  We haven't decided when
        to roll this out; there are some potential gotchas/changes to
        our setup we'd need to do.  Primarily we don't like
        installing new services onto DCs, so we may instead install
        it on a stand-alone system and then do log forwarding on to
        it.  Haven't looked deep into this one yet, need to get
        through #2 first!"

        On Thu, Nov 19, 2015 at 1:31 PM, Hanson, Mike
        <[email protected]> wrote:

            We use OpenDNS and like it very much. We do not use the
            Umbrella product though.

            I pursued the purchase of OpenDNS 5 years ago to reduce
            our endpoint malware infection rates. The subscription
            paid for itself in the first year by reducing the amount
            of time lost by the help desk, IT staff, and employees to
            infections.

            It is easy to set up and manage.

            Mike

            Mike Hanson, CISSP
            Network Security Manager
            The College of St. Scholastica
            Duluth, MN 55811
            [email protected]



            On Thu, Nov 19, 2015 at 2:09 PM, Gregg Heimer
            <[email protected]> wrote:

                We are also investigating OpenDNS as a possible
                replacement for expensive URL filtering costs
                integrated into our firewall. Would also love to hear
                feedback.

                Gregg Heimer

                Sr. Network Engineer

                Montgomery County Community College

                From: The EDUCAUSE Wireless Issues Constituent Group
                Listserv [mailto:[email protected]]
                On Behalf Of Jeffrey D. Sessler
                Sent: Thursday, November 19, 2015 11:18 AM
                To: [email protected]
                Subject: [WIRELESS-LAN] OT - Anyone using OpenDNS
                Umbrella DNS security product?

                Bit off topic, but I’m in the process of evaluating
                OpenDNS’ Umbrella DNS security product and looking
                for others that may have it deployed. So far it seems
                like a good addition to end-point security, but the
                devil is in the details. If anyone on the list is
                using it, I’d sure appreciate comments/feedback.

                Jeff

                --
                Jeffrey D Sessler
                Director of Information Technology
                Scripps College

                ********** Participation and subscription information
                for this EDUCAUSE Constituent Group discussion list
                can be found at http://www.educause.edu/groups/.









        --
        Randy Mahurin
        Office of Information Technology
        Boise State University
        1910 University Drive, Boise, ID, 83725-1249
        Phone: (208) 426-4003







--
Randy Mahurin
Office of Information Technology
Boise State University
1910 University Drive, Boise, ID, 83725-1249
Phone: (208) 426-4003
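The bypass problem that step 2 of the quoted engineer's checklist describes (clients going straight to Google's DNS, their home ISP, etc. instead of the campus resolvers) is easy to measure from existing firewall logs before and after the outbound-53 rule goes in. The script below is an added example, not code from any message in this thread and not OpenDNS/Umbrella or Cisco code. It assumes iptables-style `SRC=… DST=… PROTO=… DPT=…` log lines (the sample is constructed) and constructed RFC 1918 addresses for the campus DNS servers and virtual appliances; 8.8.8.8/8.8.4.4 are Google's public resolvers (as mentioned in the thread) and 208.67.222.222 is an OpenDNS resolver. It reports which clients send port-53 traffic anywhere other than the approved resolvers and how many flows the planned tcp/udp-53 egress rule would drop.

```python
"""Audit firewall log lines for DNS egress that bypasses the approved resolvers.

Added example (not part of the thread). Implements the check behind step 2
of the quoted checklist: find clients that send port-53 traffic to anything
other than the campus DNS servers / Umbrella virtual appliances, and count
how many flows the planned outbound tcp/udp-53 block would drop.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed (constructed) addresses: campus DNS servers and the two Umbrella VAs.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54", "10.0.1.10", "10.0.1.11"}
# Assumed: only these hosts may talk to external port 53 (the resolvers forwarding upstream).
DNS_EGRESS_ALLOWED = {"10.0.0.53", "10.0.0.54", "10.0.1.10", "10.0.1.11"}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Assumed log format: iptables-style key=value fields anywhere in the line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dport>\d+)")

# Constructed sample log. 208.67.222.222 is an OpenDNS resolver; 8.8.8.8/8.8.4.4 are Google's.
SAMPLE_LOG = """\
Nov 19 14:02:01 fw kernel: FWLOG SRC=10.20.30.40 DST=10.0.1.10 PROTO=UDP DPT=53
Nov 19 14:02:02 fw kernel: FWLOG SRC=10.20.30.41 DST=8.8.8.8 PROTO=UDP DPT=53
Nov 19 14:02:03 fw kernel: FWLOG SRC=10.20.30.41 DST=8.8.4.4 PROTO=TCP DPT=53
Nov 19 14:02:04 fw kernel: FWLOG SRC=10.0.1.10 DST=208.67.222.222 PROTO=UDP DPT=53
Nov 19 14:02:05 fw kernel: FWLOG SRC=10.20.30.42 DST=93.184.216.34 PROTO=TCP DPT=443
Nov 19 14:02:06 fw kernel: FWLOG SRC=10.20.30.43 DST=10.0.0.53 PROTO=UDP DPT=53
Nov 19 14:02:07 fw kernel: FWLOG SRC=10.20.30.41 DST=8.8.8.8 PROTO=UDP DPT=53
Nov 19 14:02:08 fw kernel: FWLOG SRC=10.20.30.44 DST=10.20.30.1 PROTO=UDP DPT=53
"""


def parse_line(line):
    """Return (src, dst, proto, dport) or None if the line does not match the assumed format."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].upper(), int(m["dport"])


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def classify(src, dst):
    """Classify one port-53 flow relative to the approved-resolver policy."""
    if dst in APPROVED_RESOLVERS:
        return "approved"
    if is_internal(dst):
        return "internal_unapproved"  # some other campus box answering DNS
    if src in DNS_EGRESS_ALLOWED:
        return "allowed_egress"       # the resolvers/VAs forwarding upstream as intended
    return "bypass"                   # client went straight to an outside resolver


def would_be_blocked(src, dst, dport):
    """Simulate the planned egress rule: drop tcp/udp 53 to non-internal hosts unless src is a resolver."""
    return dport == 53 and not is_internal(dst) and src not in DNS_EGRESS_ALLOWED


def audit(log_text):
    """Summarise DNS flows: counts per category, offending clients, and the planned rule's impact."""
    counts = Counter()
    offenders = defaultdict(Counter)  # category -> src -> number of flows
    targets = defaultdict(set)        # bypassing src -> external resolvers it used
    blocked = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _proto, dport = parsed
        if dport != 53:
            continue
        cat = classify(src, dst)
        counts[cat] += 1
        offenders[cat][src] += 1
        if cat == "bypass":
            targets[src].add(dst)
        if would_be_blocked(src, dst, dport):
            blocked += 1
    return {
        "counts": dict(counts),
        "offenders": {k: dict(v) for k, v in offenders.items()},
        "bypass_targets": {k: sorted(v) for k, v in targets.items()},
        "would_be_blocked": blocked,
    }


def report(result):
    """Render the audit result as the kind of daily list the thread talks about working through."""
    lines = [f"{cat}: {n}" for cat, n in sorted(result["counts"].items())]
    for src, n in sorted(result["offenders"].get("bypass", {}).items()):
        lines.append(f"BYPASS {src}: {n} flows to {', '.join(result['bypass_targets'][src])}")
    lines.append(f"flows the planned port-53 egress rule would drop: {result['would_be_blocked']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit(SAMPLE_LOG)))
```

Run it before the change to size the impact (every "bypass" client will lose DNS once the rule is in, which is the communication problem Joel asks about), and again afterwards: any remaining "bypass" hits mean the firewall rule is not matching what you expected. The "internal_unapproved" bucket is worth a look on its own, since a client resolving against some other campus host also never shows up in Umbrella's reporting.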