opendns whitepaper filtering security


Upload: knuckle007

Post on 06-Apr-2018


Page 1: Opendns Whitepaper Filtering Security

8/3/2019 Opendns Whitepaper Filtering Security

http://slidepdf.com/reader/full/opendns-whitepaper-filtering-security 1/7

A Radically Simpler Approach to Web Content Filtering & Security

As the Internet has grown it’s become increasingly complex and dangerous for users to navigate. Each day there are new threats to contend with: Web sites that infect users’ machines with malware, propagating botnets, phishing scams, and more. On top of that there’s a growing array of inappropriate and “recreational” uses of the Internet such as adult Web sites, social networking applications like MySpace and Facebook, and bandwidth-intensive video sites like YouTube.

So, it’s no surprise that Web content filtering and security have become essential functions for most enterprises. Tools that provide these functions help ensure safe Internet use, compliance with Internet-use policies, and a reduction in unproductive Web use and traffic.

The challenge for IT organizations is that traditional solutions have been high cost and high overhead. They typically require customers to buy hardware appliances that are placed inline in the network path, slowing down the overall network and taxing firewall and other system resources. Another issue is that they can miss a lot of the new non-web traffic, such as P2P.

Fortunately, there are three developments that have made a new, radically simpler approach to Web content filtering and security possible:

• The emergence of cloud-based services (SaaS — Software as a Service), which require no hardware or software to be installed or maintained.

• The growth of cloud-accessible domain intelligence — information about the quality, integrity and nature of Web sites.

• And the final piece of the puzzle was to realize that recursive DNS service, typically provided by an ISP, could be used as an effective filtering and security mechanism — easily evaluating domains and IPs when the DNS query is requested.

WHITEPAPER


Introducing DNS-based Web Content Filtering & Security

DNS service has always been a fundamental part of the Internet. A client provides a domain name and receives the IP address of the server to connect to. This basic function has changed little over the years and has largely been taken for granted. IT managers have primarily demanded that recursive DNS services offered by ISPs work fast and reliably.

OpenDNS has pioneered a new model — adding a layer of intelligence on top of DNS — that provides highly effective Web content filtering and security capabilities, in addition to faster and more reliable DNS service. Using this DNS approach, domains are evaluated at the point of ACCESSING a Web site vs. during the ENTIRE COMMUNICATIONS with a Web site. This means it is not in the direct path of the traffic — once a DNS lookup happens, the answer is either yes or no and the endpoint is free to communicate directly with the server without any further latency or delay.

The way DNS-based Web content filtering and security works is illustrated in the diagram below. When a DNS request is made, the domain is first evaluated to ensure that it is safe and appropriate. It does this by checking malware, botnet, and phishing databases and also checking policies, blacklists, and whitelists that have been configured for the network.


By putting security directly into one of the core protocols that powers your network and the Internet, security becomes an integrated, pervasive part of your network instead of an appliance-based add-on that will slow down your network. It also enables you to simplify your network architecture by not forcing all Internet-bound traffic through a single place in the network.

[Diagram labels: The Internet; Users; OpenDNS Datacenters (Lightweight, Reliable DNS; Anti-Phishing; Botnet and Malware Site Protection; Content Filtering; Management Console and Reporting); Custom Block Page for Blocked Content. Captions: “Internet traffic flows directly”, “No proxy or in-line appliance”.]
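The per-query evaluation described above can be sketched as follows. This is an added example, not code from the whitepaper or from OpenDNS: the feeds, domains, addresses, block-page IP and the precedence order (threat feeds first, then whitelist, whitelist-only mode, blacklist, categories) are assumptions chosen for illustration. It selects the policy by the network's outward-facing IP, as the comparison table later in the paper describes.

```python
import ipaddress

# Constructed sample data: example domains and documentation IP ranges only.
THREAT_FEEDS = {"malware": {"malware-drop.example"},
                "botnet": {"c2.botnet.example"},
                "phishing": {"login-bank.example"}}
CATEGORIES = {"video.example": "video-sharing", "social.example": "social-networking"}
BLOCK_PAGE_IP = "192.0.2.1"  # hypothetical address serving the custom block page

# Policy is chosen by the network's outward-facing IP, not by individual user.
POLICIES = {
    ipaddress.ip_network("198.51.100.0/28"): dict(   # head office (constructed)
        blocked={"video-sharing"}, whitelist={"training.video.example"},
        blacklist={"games.example"}, whitelist_only=False),
    ipaddress.ip_network("203.0.113.7/32"): dict(    # retail kiosk (constructed)
        blocked=set(), whitelist={"pos.example"},
        blacklist=set(), whitelist_only=True),
}

def suffixes(qname):
    """a.b.c -> [a.b.c, b.c, c], so a listed domain also covers its subdomains."""
    labels = qname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def match(qname, domains):
    return any(s in domains for s in suffixes(qname))

def evaluate(client_ip, qname):
    """Return (verdict, reason) for one DNS query from client_ip."""
    addr = ipaddress.ip_address(client_ip)
    policy = next((p for net, p in POLICIES.items() if addr in net), None)
    if policy is None:
        return ("resolve", "no policy for this network")
    for feed, domains in THREAT_FEEDS.items():  # assumed: security feeds beat whitelists
        if match(qname, domains):
            return ("block", feed)
    if match(qname, policy["whitelist"]):
        return ("resolve", "whitelist")
    if policy["whitelist_only"]:
        return ("block", "whitelist-only mode")
    if match(qname, policy["blacklist"]):
        return ("block", "blacklist")
    category = next((CATEGORIES[s] for s in suffixes(qname) if s in CATEGORIES), None)
    if category in policy["blocked"]:
        return ("block", category)
    return ("resolve", "allowed")

def answer(client_ip, qname, real_ip):
    """What the resolver returns: the real address, or the block page when blocked."""
    verdict, _ = evaluate(client_ip, qname)
    return real_ip if verdict == "resolve" else BLOCK_PAGE_IP
```

The decision is made once, at lookup time; after a "resolve" answer the client talks to the site directly and the resolver sees nothing further.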


Dramatically Simpler Than Using an Appliance

Overall, DNS-based Web content filtering and security is compelling because it is dramatically simpler and less expensive than traditional approaches. Rather than installing an expensive appliance at each location that involves capital expenditure, hardware, shipping, training, software, and maintenance, you can simply “turn on” a cloud-based service that is already running. Just set up an online account and reconfigure DNS settings. Rather than trying to manage multiple appliances in multiple locations, which is time-consuming and difficult, you can use a single web interface to manage policies and monitor activity for any number of locations. It sounds far simpler and it is.

The following table presents a side-by-side comparison with a traditional appliance-based approach.

Technology
  Appliance-Based: IP packet checking
  DNS-Based: DNS request checking

Cost
  Appliance-Based: Very expensive capital expenditure
  DNS-Based: Low per-seat cost

Management & Maintenance
  Appliance-Based: Need to manage an appliance at each location, update software, etc. Requires specialized training and expertise.
  DNS-Based: Centralized administration through an easy web interface. No equipment or software to purchase, implement, or maintain.

Performance
  Appliance-Based: High-bandwidth rated appliance required to prevent traffic latency and bottlenecking. Driving traffic through an appliance at a central location can add as much as 2 seconds of latency.
  DNS-Based: Extremely light-weight and fast – often speeds up Internet performance by 20%

Setup
  Appliance-Based: Install and configure dedicated appliance and software at each site.
  DNS-Based: Very simple: set up an online account, configure policies, and reconfigure DNS settings.

Location
  Appliance-Based: Requires physical install at each site.
  DNS-Based: Cloud-based. Leverages existing equipment at each site.

Reliability
  Appliance-Based: Single point of failure – driving all traffic through a central appliance, which can fail.
  DNS-Based: No single point of failure. Utilizes a worldwide network of DNS servers. No downtime.

Scalability
  Appliance-Based: Need to scale hardware appliances as bandwidth grows. May need to cluster, which adds more overhead and complexity.
  DNS-Based: Scaling of DNS requests handled by cloud.

Level of Control
  Appliance-Based: Per user configuration and logging
  DNS-Based: Policies applied to traffic from outward facing IPs. Different group level policies can be set for traffic separated onto different IPs.

Domain Intelligence
  Appliance-Based: Maintain a proprietary database
  DNS-Based: Utilize Internet community to help keep “open databases” such as PhishTank up-to-date alongside data sets provided by security partners.


Issues with Other Cloud-Based Services

Besides appliances, there are a number of companies claiming to have “cloud” based products that provide Web content filtering. The main problem with these approaches is that they proxy all traffic from your company, through their network (and computers) to the Internet and back. Most companies go to great lengths in paying for the best connectivity to the Internet — which is completely defeated by this approach, since your connection to the Internet is completely limited by the speed and ability of the “cloud” provider to actually process the content. Since 100% of your content is going through the proxy, you have to be confident that your traffic, along with the traffic of every other customer, is being handled as well or better than your current Internet connection. This is highly unlikely. Another issue is that this dramatically increases latency and decreases throughput for all Internet traffic.

Proxy-based solutions can work for smaller deployments where the amount of traffic is not large and the requirements for overall product speed are not significant. However, as a customer’s network speed and sophistication increases, having a provider that will actually get in the middle of your network traffic and not have the same speed and bandwidth can be an issue.

Ideal Applications in the Enterprise

A number of ideal applications of DNS-based web content filtering and security include: organizations with many locations, such as retail operations, remote, branch or sales offices, organizations that have adopted site-wide policies that apply to all users and organizations or have the ability to segment different groups onto different outward facing IPs, and those offering public Wi-Fi.

Locations with Site-Wide Policies

One ideal application of DNS-based Web content filtering and security is when an organization has decided to have site-wide Internet use policies that are the same for everyone, and doesn’t want or need to set up per-user control and logging offered by traditional appliances. Many organizations believe per-user control is an important capability, but then don’t actually use it due to the overhead involved.


“We have minimal filtering needs and enabled OpenDNS at our California headquarters to filter several categories of content, including Phishing and various work-inappropriate categories. OpenDNS is an excellent solution for our use case and we’re in the process of phasing out pre-existing solutions and deploying company-wide.”

— Ray Dzak, Specialized Bicycles, North America headquarters


Retail Operations

Providing Web content filtering across organizations with widespread locations, such as retail operations, has historically been a challenge. It’s simply cost prohibitive and overly time consuming to deploy and manage appliances at each site, particularly when there is no local IT staff. One solution is for an organization to have all of their traffic routed back through their VPN, but this entails a significant performance penalty and costs. Because of these challenges, many retail locations currently go unprotected.

DNS-based web content filtering and security can be a perfect solution for retail. It’s easy, fast, inexpensive, and hundreds of sites can be managed from a single console. And policies can be configured so that they are consistent with other Web content filtering tools already in use. For example, many organizations ensure that DNS requests are forced to OpenDNS with the use of firewall policies and that users are unable to modify their local Hosts file to prevent bypassing the DNS for lookups.

Content filtering for retail locations can help ensure that unsupervised employees are not distracted by “recreational” applications at the expense of helping customers or doing productive work.
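One way to verify that the firewall policy mentioned above really forces DNS to the filtering resolvers is to review firewall logs for port-53 traffic going anywhere else. This is an added example, not part of the whitepaper: the key=value log format and the log lines are constructed, and the approved list uses the OpenDNS public resolver addresses 208.67.222.222 and 208.67.220.220 as an assumed site configuration.

```python
import re
from collections import Counter

# Assumed site configuration: the only resolvers clients may query directly.
APPROVED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Constructed firewall log lines in a made-up key=value format.
SAMPLE_LOG = """\
2010-03-01T09:00:01 action=allow proto=udp src=10.1.4.20 dst=208.67.222.222 dport=53
2010-03-01T09:00:02 action=allow proto=udp src=10.1.4.31 dst=192.0.2.53 dport=53
2010-03-01T09:00:03 action=deny proto=udp src=10.1.4.31 dst=192.0.2.53 dport=53
2010-03-01T09:00:04 action=allow proto=tcp src=10.1.4.20 dst=198.51.100.9 dport=443
2010-03-01T09:00:05 action=allow proto=tcp src=10.1.7.8 dst=203.0.113.53 dport=53
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def dns_bypass_events(log_text):
    """Return port-53 flows whose destination is not an approved resolver."""
    events = []
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        # Skip non-DNS flows and lines that lack the fields we need.
        if f.get("dport") != "53" or "src" not in f or "dst" not in f:
            continue
        if f["dst"] in APPROVED_RESOLVERS:
            continue
        events.append({"src": f["src"], "dst": f["dst"],
                       "proto": f.get("proto"),
                       "allowed": f.get("action") == "allow"})
    return events

def summarize(events):
    """Per source host: bypass attempts that got through vs. were dropped."""
    allowed, denied = Counter(), Counter()
    for e in events:
        (allowed if e["allowed"] else denied)[e["src"]] += 1
    hosts = sorted(set(allowed) | set(denied))
    return {h: {"allowed": allowed[h], "denied": denied[h]} for h in hosts}
```

An "allowed" count above zero means the egress rule has a gap; a "denied" count shows a host configured with a different resolver. Hosts-file overrides never generate a DNS query, so they do not appear in these logs and need an endpoint control.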


Remote Offices and Sales Offices

Remote offices with mobile workers have also been under-served by web filtering due to the difficulty of using traditional tools, but it is a critical area since many organizations get infected by malware through remote/mobile workers who access the Internet without passing through corporate filtering tools. A DNS-based approach allows remote and mobile workers to access the Internet directly, but still be under centralized policy control. To set up a remote office, a network administrator simply logs in remotely to reconfigure DNS settings on the local router or individual laptops and then manages policies for many remote locations from a single web interface.

“We looked at installing hardware appliances in each of our retail locations, but the forecasted cost turned out to be way more than we were willing to spend. We chose OpenDNS because it’s not only free but allows us to control the filtering for all of our retail locations from a single interface.”

— Dale Hobbs, LUSH Cosmetics, 149 store locations in North America

“OpenDNS represents the easiest way to do content filtering at our remote office locations across the United States. Deploying at all sites took us under an hour and we can manage all sites through one Web-based account. Purchasing an appliance for each site would have absolutely been cost-prohibitive.”

— Michael Dragone, Titleserv, remote and branch offices across the US


OpenDNS for the Enterprise

All of these applications are ideal uses for OpenDNS Enterprise, which was developed after three years of experience running a global network of DNS servers, now handling 20+ billion DNS queries per day, and working with some of the World’s most trusted brands to understand their filtering and security needs.

OpenDNS Enterprise brings an unmatched level of intelligence on top of DNS that provides powerful award-winning web content filtering and security as well as new reporting and navigational features. OpenDNS Enterprise is designed to ensure safe, appropriate, reliable, and productive use of the Internet. It allows network administrators to instantly gain visibility, control, and protection for accessing and using the Internet. They can easily secure their users and networks from online threats, enforce Internet-use policies, increase performance, and reduce costs.

OpenDNS Enterprise was launched in October 2009 to meet the sophisticated requirements of a complex enterprise environment. Some of the key features added to the Enterprise version are:

• Advanced customization
• Delegated administration
• Audit Log
• Malware site protection
• White list only mode
• Advanced reporting and logging features
• Whitelist/blacklist up to 500 domains
• Block page bypass
• Service level agreement (SLAs)
• And much more..

To learn more about OpenDNS Enterprise, please consult the data sheet on our website at www.opendns.com/solutions.

“And as a government entity, we continually strive to reduce costs while increasing our security efforts. OpenDNS meets all of our security needs for our free, public Wi-Fi perfectly and saves the City of Nashville a significant amount of money.”

— Allan Que, City of Nashville, TN, operates free, public Wi-Fi citywide

City of Nashville, Tennessee

Public Wi-Fi

For organizations that provide public Wi-Fi, with many hot spots and an unlimited number of guest users, a DNS-based approach fits very well. It’s easy to put in place policies that ensure appropriate use of the free service and apply to all guest users, and it’s easy to protect them from dangerous web sites and security threats without incurring high overhead.


OpenDNS — A Platform for a Growing Array of Services

We’ve focused on the enterprise-level web content filtering and security that is offered on the OpenDNS platform, but DNS is also a natural place for providing many types of new “navigational services” beyond those critical functions. There are four main areas of functionality that have emerged on top of DNS so far: security, control, reporting, and assistance, and certainly more to be developed in the future.

Security — ensuring that users are not accessing dangerous sites that can download malware, propagate botnets, or be used for phishing. Since virtually all botnets use DNS to resolve their connections to command and control sites (such as the recent Conficker virus) a DNS-based approach can easily detect and stop the 1000’s of sites that such worms can connect to through the network.

Control (web content filtering) — ensuring that users are accessing appropriate web sites and content. Block or limit access to adult sites, social networking sites, and high-bandwidth sites such as video sharing.

Reporting — gives network administrators a new level of visibility by providing detailed information and statistics about what domains their users are accessing.

Assistance — provides assistance when users make mistakes entering a domain name or try to reach a blocked site.

Moving to a cloud-based DNS approach will yield immediate benefits and cost savings and also offer a growing array of other valuable “navigational services” going forward.


OpenDNS

199 Fremont St, 12th Floor

San Francisco, CA 94105

www.opendns.com