We are too, could be interesting. We are still working on the
communication. We typically add these types of changes to our daily
campus newsletter, help desk webpage, and group emails to support staff.
On Thu, Nov 19, 2015 at 2:02 PM, Coehoorn, Joel <jcoeho...@york.edu> wrote:
I look forward to hearing your results from blocking port 53. What
communication have you done for this so far?
Joel Coehoorn
Director of Information Technology
402.363.5603
jcoeho...@york.edu
The mission of York College is to transform lives through
Christ-centered education and to equip students for lifelong
service to God, family, and society
On Thu, Nov 19, 2015 at 2:49 PM, Randy Mahurin <randymahu...@boisestate.edu> wrote:
Here are the comments from our Security Engineer; we've been
using it for several months now:
"So we've been using OpenDNS Umbrella for about 2 months now.
We actually replaced our proxy server with this after some
back and forth on what it gained us vs. what we lost. While
we've been using it for 2 months, we only recently implemented
the Virtual Appliances (VAs, talked about towards the end of
this) into the mix, which really gave us more visibility.
Long story real short, we've been happy with it so far, and if
you want any more info let me know.
Pros:
* We use bitsighttech.com as a 3rd party to rate us against
other .edu's. We were sitting in the 600 range for quite a
while, and then in July-Sept we just started getting hammered
on score because of potentially exploited machines. We can
track it back to pretty much the day we switched over to
OpenDNS that a lot of those fell off the list. Systems still
weren't cleaned at the time, but since they were no longer
able to go outbound, the score hit went away and then we were
able to start using Umbrella to track them down.
* Blocks a ton of stuff that our proxy server wasn't
blocking before since now it is blocking more than just
80/8080 traffic!
* Scheduled reports. I get a daily last 24 hr botnet report
to show me systems on campus that are blocked trying to
access botnet systems, we're just starting to work through
this list.
Cons:
* They don't auto-rescan their sites: if something is blocked
for malware, until someone out there using their fabric
requests that the site be rescanned, it doesn't happen. The
first week we had 3 requests, the 2nd 3, the third 2, etc.
We're probably averaging 1-2 support tickets a week on site
rescans, and 80-90% have come back clean and been removed. A
few have come back as still infected and we didn't unblock
them.
* Blocking sites: we used to use the proxy server to block
exact pages out of phishes, so
http:\\somesite.com\somefolder\phishme.html. Well, now the
best we can do is block somesite.com. Looking back at 99% of
the phishes we've blocked in the past 3 years, blocking the
full site hasn't been an issue, but there were a site or two
that this will/would have caused issues with.
Other pieces:
* Depends on your point of view whether this is a pro or a con.
The virtual appliances (talked about below) auto-patch if you
have 2 of them (which you'd want for redundancy). If you have
a strict change management policy, you have no control over
when these patch beyond giving it a time window in the middle
of the night, and it does it automagically. It does one, waits
for it to come back up, re-establish contact and verify
functionality (somehow, a bit magically), and then it will do
the other. We'll be going through this for the first time
within the next month. You have to sign up to even get notices
of this happening, and it was basically between 11/18 and 12/8
that we'll be rolling this out. So no control over it outside
of the time window you provide for it to look at doing this
daily. One less thing you have to patch or schedule, but also
something you have no control over.
* Just purchased by Cisco; waiting to see what they do on cost
going forward. Part of the reason we moved away from the
proxies was that Cisco kept increasing the maint cost each
year!
If you want to make the most use out of it:
1. Roll out their Virtual Appliances and these become your
primary DNS servers on campus for all of your clients (servers
and workstations). They forward *.local and
*.whateveryourdomain(s) are onto your other DNS servers. If
you don't do this, reporting is fairly worthless as all you
get is your DNS servers IP addresses, so tracking down who may
be infected is difficult depending on what type of logging you
have locally. These are VMs.
2. Plan on changing your outbound firewall to block tcp/udp 53
from all systems except your primary DNS servers and the VAs
in #1 at some point in the future. Basically, make sure people
aren't bypassing the extra security you've provided by going
to Google's DNS, their home ISP, etc. We plan on making this
change over Christmas break.
3. If an AD shop, look at rolling out their VM that ties into
AD and parses DC logs for login events. If/when this is in
place it will match the IPs found in #1 to who was logged onto
the workstation at that time. We haven't decided when to roll
this out, there are some potential gotchas/changes to our
setup we'd need to do. Primarily we don't like installing new
services onto DC's, so we may instead install it on a stand
alone system and then do log forwarding on to it. Haven't
looked deep into this one yet, need to get through #2 first!"
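The outbound-53 check behind step 2, as an added example that is not part of any message in this thread: it walks constructed firewall log lines (made-up addresses, assumed campus range 10.0.0.0/8, assumed VA addresses 10.0.0.10/11) and lists campus hosts that reached outside DNS servers directly, separately from those the block rule has already denied.

```python
"""Spot campus hosts that bypass the internal resolvers (the OpenDNS VAs)
by sending DNS straight to outside servers on tcp/udp 53. Constructed example."""
import ipaddress
from collections import defaultdict

# Constructed log lines: <time> <proto> <src>:<sport> -> <dst>:<dport> <action>
SAMPLE_LOG = """\
2015-11-19T10:00:01 UDP 10.20.5.17:51234 -> 10.0.0.10:53 ALLOW
2015-11-19T10:00:02 UDP 10.20.5.17:51235 -> 8.8.8.8:53 ALLOW
2015-11-19T10:00:03 TCP 10.20.7.42:40112 -> 208.67.222.222:53 ALLOW
2015-11-19T10:00:04 UDP 10.0.0.10:5353 -> 208.67.222.222:53 ALLOW
2015-11-19T10:00:05 TCP 10.20.5.17:51236 -> 93.184.216.34:443 ALLOW
2015-11-19T10:00:06 UDP 10.20.9.3:60001 -> 1.1.1.1:53 DENY
"""

CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed campus range
ALLOWED_RESOLVERS = {"10.0.0.10", "10.0.0.11"}      # assumed VA / primary DNS IPs

def parse_line(line):
    """Split one log line into its fields; the destination port becomes an int."""
    time, proto, src, _arrow, dst, action = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"time": time, "proto": proto, "src": src_ip,
            "dst": dst_ip, "dport": int(dport), "action": action}

def is_campus(ip):
    return any(ipaddress.ip_address(ip) in net for net in CAMPUS_NETS)

def find_dns_bypass(log_text, allowed=ALLOWED_RESOLVERS):
    """'bypassed': campus hosts (not allowed resolvers) whose port-53 traffic
    to the outside was let through, i.e. what the step-2 rule should stop.
    'blocked': the same traffic once the rule denies it, i.e. hosts that
    still have an outside resolver configured and need fixing."""
    result = {"bypassed": defaultdict(set), "blocked": defaultdict(set)}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] != 53 or rec["proto"] not in ("UDP", "TCP"):
            continue
        if rec["src"] in allowed:
            continue                  # VAs forwarding upstream is expected
        if not is_campus(rec["src"]) or is_campus(rec["dst"]):
            continue                  # only campus -> outside traffic matters
        bucket = "blocked" if rec["action"] == "DENY" else "bypassed"
        result[bucket][rec["src"]].add(rec["dst"])
    return {k: dict(v) for k, v in result.items()}
```

Feed it real export lines in the same shape and the 'bypassed' set should go empty after the rule is in place, while 'blocked' becomes the fix-up list for the help desk.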
On Thu, Nov 19, 2015 at 1:31 PM, Hanson, Mike <mhan...@css.edu> wrote:
We use OpenDNS and like it very much. We do not use the
Umbrella product though.
I pursued the purchase of OpenDNS 5 years ago to reduce
our endpoint malware infection rates. The subscription
paid for itself in the first year by reducing the amount
of time lost by the help desk, IT staff, and employees to
infections.
It is easy to set up and manage.
Mike
Mike Hanson, CISSP
Network Security Manager
The College of St. Scholastica
Duluth, MN 55811
mhan...@css.edu
On Thu, Nov 19, 2015 at 2:09 PM, Gregg Heimer <ghei...@mc3.edu> wrote:
We are also investigating OpenDNS as a possible
replacement for expensive URL filtering costs
integrated into our firewall. Would also love to hear
feedback.
Gregg Heimer
Sr. Network Engineer
Montgomery County Community College
From: The EDUCAUSE Wireless Issues Constituent Group Listserv
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, November 19, 2015 11:18 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] OT - Anyone using OpenDNS Umbrella DNS security product?
Bit off topic, but I’m in the process of evaluating
OpenDNS’ Umbrella DNS security product and looking for
others that may have it deployed. So far it seems like
a good addition to end-point security, but the devil
is in the details. If anyone on the list is using it,
I’d sure appreciate comments/feedback.
Jeff
--
Jeffrey D Sessler
Director of Information Technology
Scripps College
********** Participation and subscription information
for this EDUCAUSE Constituent Group discussion list
can be found at http://www.educause.edu/groups/.
------------------------------------------------------------------------
Montgomery County Community College is proud to be
designated as an Achieving the Dream Leader College
for its commitment to student access and success.
--
Randy Mahurin
Office of Information Technology
Boise State University
1910 University Drive, Boise, ID, 83725-1249
Phone: (208) 426-4003