8/3/2019 Opendns Whitepaper Filtering Security
http://slidepdf.com/reader/full/opendns-whitepaper-filtering-security 1/7
A Radically Simpler Approach to Web Content Filtering & Security

As the Internet has grown it’s become increasingly complex and dangerous
for users to navigate. Each day there are new threats to contend with: Web
sites that infect users’ machines with malware, propagating botnets, phishing
scams, and more. On top of that there’s a growing array of inappropriate and
“recreational” uses of the Internet such as adult Web sites, social networking
applications like MySpace and Facebook, and bandwidth-intensive video sites
like YouTube.

So, it’s no surprise that Web content filtering and security have become
essential functions for most enterprises. Tools that provide these functions
help ensure safe Internet use, compliance with Internet-use policies, and a
reduction in unproductive Web use and traffic.

The challenge for IT organizations is that traditional solutions have been high
cost and high overhead. They typically require customers to buy hardware
appliances that are placed inline in the network path, slowing down the
overall network and taxing firewall and other system resources. Another issue
is that they can miss a lot of the new non-web traffic, such as P2P.

Fortunately, there are three developments that have made a new, radically
simpler approach to Web content filtering and security possible:

• The emergence of cloud-based services (SaaS — Software as a Service), which
  require no hardware or software to be installed or maintained.
• The growth of cloud-accessible domain intelligence — information about the
  quality, integrity and nature of Web sites.
• And the final piece of the puzzle was to realize that recursive DNS service, typically
  provided by an ISP, could be used as an effective filtering and security mechanism
  — easily evaluating domains and IPs when the DNS query is requested.
WHITEPAPER
Introducing DNS-based Web Content Filtering & Security

DNS service has always been a fundamental part of the Internet. A client
provides a domain name and receives the IP address of the server to connect
to. This basic function has changed little over the years and has largely been
taken for granted. IT managers have primarily demanded that recursive DNS
services offered by ISPs work fast and reliably.

OpenDNS has pioneered a new model — adding a layer of intelligence on top
of DNS — that provides highly effective Web content filtering and security
capabilities, in addition to faster and more reliable DNS service. Using this
DNS approach, domains are evaluated at the point of ACCESSING a Web
site vs. during the ENTIRE COMMUNICATIONS with a Web site. This means
it is not in the direct path of the traffic — once a DNS lookup happens, the
answer is either yes or no and the endpoint is free to communicate directly
with the server without any further latency or delay.

The way DNS-based Web content filtering and security works is illustrated
in the diagram below. When a DNS request is made, the domain is first
evaluated to ensure that it is safe and appropriate. It does this by checking
malware, botnet, and phishing databases and also checking policies,
blacklists, and whitelists that have been configured for the network.
A RADICALLY SIMPLER APPROACH TO WEB CONTENT FILTERING & SECURITY · PAGE 2 OF 7
By putting security directly into one of the core protocols that powers your
network and the Internet, security becomes an integrated, pervasive part of
your network instead of an appliance-based add-on that will slow down your
network. It also enables you to simplify your network architecture by not
forcing all Internet-bound traffic through a single place in the network.
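
The query-time evaluation described above can be sketched as follows. This is an added example, not code from the whitepaper or from OpenDNS; the domains, addresses, policy contents and the order in which the checks run are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (assumptions, not OpenDNS data).
THREAT_DB = {"malware-cdn.example": "malware", "login-verify.example": "phishing"}
CATEGORY_DB = {"videos.example": "video-sharing", "social.example": "social-networking"}
BLOCK_PAGE_IP = "192.0.2.1"   # hypothetical address serving the custom block page
UPSTREAM = {                  # stand-in for normal recursive resolution
    "www.videos.example": "203.0.113.80", "training.videos.example": "203.0.113.81",
    "social.example": "203.0.113.82"}

# One policy per outward-facing network that queries arrive from.
POLICIES = {
    ipaddress.ip_network("198.51.100.0/28"): {           # headquarters
        "blocked_categories": {"video-sharing"},
        "blacklist": {"games.example"},
        "whitelist": {"training.videos.example"},
    },
    ipaddress.ip_network("198.51.100.77/32"): {          # retail store
        "blocked_categories": {"video-sharing", "social-networking"},
        "blacklist": set(), "whitelist": set(),
    },
}

def covering_names(qname):
    """a.b.example -> ['a.b.example', 'b.example', 'example'], most specific first."""
    labels = qname.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]

def match(table, qname):
    """Return the most specific entry of a set or dict that covers qname, else None."""
    for name in covering_names(qname):
        if name in table:
            return table[name] if isinstance(table, dict) else name
    return None

def decide(source_ip, qname):
    """Return (verdict, answer_ip) for one DNS query; the check order is an assumption."""
    threat = match(THREAT_DB, qname)
    if threat:                       # security databases apply to every network
        return "blocked:" + threat, BLOCK_PAGE_IP
    addr = ipaddress.ip_address(source_ip)
    policy = next((p for net, p in POLICIES.items() if addr in net), None)
    if policy and not match(policy["whitelist"], qname):
        if match(policy["blacklist"], qname):
            return "blocked:blacklist", BLOCK_PAGE_IP
        category = match(CATEGORY_DB, qname)
        if category in policy["blocked_categories"]:
            return "blocked:" + category, BLOCK_PAGE_IP
    return "allowed", UPSTREAM.get(qname.lower().rstrip("."))   # None models NXDOMAIN
```

The decision is made once per lookup; after an "allowed" answer the client talks to the returned address directly, which is why nothing here sees the traffic itself.
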
[Diagram: Users, The Internet, and OpenDNS Datacenters. Labels: Lightweight, Reliable DNS; Anti-Phishing; Botnet and Malware Site Protection; Content Filtering; Management Console and Reporting; Custom Block Page; Blocked Content; Internet traffic flows directly; No proxy or in-line appliance.]
Dramatically Simpler Than Using an Appliance

Overall, DNS-based Web content filtering and security is compelling because
it is dramatically simpler and less expensive than traditional approaches.
Rather than installing an expensive appliance at each location that involves
capital expenditure, hardware, shipping, training, software, and maintenance,
you can simply “turn on” a cloud-based service that is already running. Just
set up an online account and reconfigure DNS settings. Rather than trying to
manage multiple appliances in multiple locations, which is time-consuming
and difficult, you can use a single web interface to manage policies and
monitor activity for any number of locations. It sounds far simpler and it is.

The following table presents a side-by-side comparison with a traditional
appliance-based approach.

Technology
  Appliance-Based: IP packet checking
  DNS-Based: DNS request checking

Cost
  Appliance-Based: Very expensive capital expenditure
  DNS-Based: Low per-seat cost

Management & Maintenance
  Appliance-Based: Need to manage an appliance at each location, update software, etc. Requires specialized training and expertise.
  DNS-Based: Centralized administration through an easy web interface. No equipment or software to purchase, implement, or maintain.

Performance
  Appliance-Based: High-bandwidth rated appliance required to prevent traffic latency and bottlenecking. Driving traffic through an appliance at a central location can add as much as 2 seconds of latency.
  DNS-Based: Extremely light-weight and fast – often speeds up Internet performance by 20%

Setup
  Appliance-Based: Install and configure dedicated appliance and software at each site.
  DNS-Based: Very simple: set up an online account, configure policies, and reconfigure DNS settings.

Location
  Appliance-Based: Requires physical install at each site.
  DNS-Based: Cloud-based. Leverages existing equipment at each site.

Reliability
  Appliance-Based: Single point of failure – driving all traffic through a central appliance, which can fail.
  DNS-Based: No single point of failure. Utilizes a worldwide network of DNS servers. No downtime.

Scalability
  Appliance-Based: Need to scale hardware appliances as bandwidth grows. May need to cluster, which adds more overhead and complexity.
  DNS-Based: Scaling of DNS requests handled by cloud.

Level of Control
  Appliance-Based: Per user configuration and logging
  DNS-Based: Policies applied to traffic from outward facing IPs. Different group level policies can be set for traffic separated onto different IPs.

Domain Intelligence
  Appliance-Based: Maintain a proprietary database
  DNS-Based: Utilize Internet community to help keep “open databases” such as PhishTank up-to-date alongside data sets provided by security partners.

Issues with Other Cloud-Based Services

Besides appliances, there are a number of companies claiming to have
“cloud” based products that provide Web content filtering. The main
problem with these approaches is that they proxy all traffic from your
company, through their network (and computers) to the Internet and back.
Most companies go to great lengths in paying for the best connectivity to
the Internet — which is completely defeated by this approach, since your
connection to the Internet is completely limited by the speed and ability
of the “cloud” provider to actually process the content. Since 100% of
your content is going through the proxy, you have to be confident that your
traffic, along with the traffic of every other customer, is being handled as
well or better than your current Internet connection. This is highly unlikely.
Another issue is that this dramatically increases latency and decreases
throughput for all Internet traffic.

Proxy-based solutions can work for smaller deployments where the amount
of traffic is not large and the requirements for overall product speed are
not significant. However, as a customer’s network speed and sophistication
increases, having a provider that will actually get in the middle of your
network traffic and not have the same speed and bandwidth can be an
issue.

Ideal Applications in the Enterprise

A number of ideal applications of DNS-based web content filtering
and security include: organizations with many locations, such as retail
operations, remote, branch or sales offices, organizations that have
adopted site-wide policies that apply to all users and organizations or have
the ability to segment different groups onto different outward facing IPs,
and those offering public Wi-Fi.

Locations with Site-Wide Policies

One ideal application of DNS-based Web content filtering and security is
when an organization has decided to have site-wide Internet use policies
that are the same for everyone, and doesn’t want or need to set up per-user
control and logging offered by traditional appliances. Many organizations
believe per-user control is an important capability, but then don’t actually
use it due to the overhead involved.

“We have minimal filtering needs and enabled OpenDNS at our California headquarters
to filter several categories of content, including Phishing and various work-inappropriate
categories. OpenDNS is an excellent solution for our use case and we’re in the process of
phasing out pre-existing solutions and deploying company-wide.”
— Ray Dzak, Specialized Bicycles, North America headquarters

Retail Operations

Providing Web content filtering across organizations with widespread
locations, such as retail operations, has historically been a challenge. It’s
simply cost prohibitive and overly time consuming to deploy and manage
appliances at each site, particularly when there is no local IT staff. One
solution is for an organization to have all of their traffic routed back through
their VPN, but this entails a significant performance penalty and costs.
Because of these challenges, many retail locations currently go unprotected.

DNS-based web content filtering and security can be a perfect solution for
retail. It’s easy, fast, inexpensive, and hundreds of sites can be managed
from a single console. And policies can be configured so that they are
consistent with other Web content filtering tools already in use. For example,
many organizations ensure that DNS requests are forced to OpenDNS with
the use of firewall policies and that users are unable to modify their local
Hosts file to prevent bypassing the DNS for lookups.
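
One way to check that the firewall policy mentioned above really forces DNS to the filtering service is to audit egress logs for DNS flows to any other resolver. This is an added example, not part of the whitepaper or any OpenDNS tooling; the log format and sample lines are constructed, and the approved resolver addresses are OpenDNS's public resolvers, which the page itself does not list.

```python
import ipaddress
from collections import defaultdict

# OpenDNS public resolver addresses (not given on the page; adjust to your service).
APPROVED = {ipaddress.ip_address("208.67.222.222"),
            ipaddress.ip_address("208.67.220.220")}

# Constructed egress-firewall log in a hypothetical key=value format.
SAMPLE_LOG = """\
action=allow proto=udp src=10.1.4.20 dst=208.67.222.222 dport=53
action=allow proto=udp src=10.1.4.31 dst=8.8.8.8 dport=53
action=deny proto=tcp src=10.1.4.31 dst=8.8.8.8 dport=53
action=allow proto=tcp src=10.1.4.20 dst=198.51.100.10 dport=443
action=allow proto=udp src=10.1.9.5 dst=208.67.220.220 dport=53
action=allow proto=tcp src=10.1.4.31 dst=1.1.1.1 dport=853
action=deny proto=udp src=10.1.7.2 dst=9.9.9.9 dport=53
garbage line without fields
"""

DNS_PORTS = {"53", "853"}   # plain DNS and DNS over TLS

def audit_dns_egress(log_text):
    """Return (gaps, denied), each mapping client IP -> unapproved resolvers.

    gaps: flows the firewall allowed, so the policy has a hole.
    denied: flows the firewall blocked, so the client is misconfigured."""
    gaps, denied = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if f.get("dport") not in DNS_PORTS or "src" not in f or "dst" not in f:
            continue
        try:
            dst = ipaddress.ip_address(f["dst"])
        except ValueError:
            continue                       # skip malformed addresses
        if dst in APPROVED:
            continue
        bucket = gaps if f.get("action") == "allow" else denied
        bucket[f["src"]].add(str(dst))
    return dict(gaps), dict(denied)
```

DNS over HTTPS travels on port 443 and is not visible to this port-based check.
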

Content filtering for retail locations can help ensure that unsupervised
employees are not distracted by “recreational” applications at the expense of
helping customers or doing productive work.

Remote Offices and Sales Offices

Remote offices with mobile workers have also been under-served by web
filtering due to the difficulty of using traditional tools, but it is a critical area
since many organizations get infected by malware through remote/mobile
workers who access the Internet without passing through corporate filtering
tools. A DNS-based approach allows remote and mobile workers to access
the Internet directly, but still be under centralized policy control. To set up
a remote office, a network administrator simply logs in remotely to reconfigure
DNS settings on the local router or individual laptops and then manages
policies for many remote locations from a single web interface.

“We looked at installing hardware appliances in each of our retail locations, but the forecasted
cost turned out to be way more than we were willing to spend. We chose OpenDNS because
it’s not only free but allows us to control the filtering for all of our retail locations from a
single interface.”
— Dale Hobbs, LUSH Cosmetics, 149 store locations in North America

“OpenDNS represents the easiest way to do content filtering at our remote office locations
across the United States. Deploying at all sites took us under an hour and we can manage
all sites through one Web-based account. Purchasing an appliance for each site would have
absolutely been cost-prohibitive.”
— Michael Dragone, Titleserv, remote and branch offices across the US

OpenDNS for the Enterprise

All of these applications are ideal uses for OpenDNS Enterprise, which was
developed after three years of experience running a global network of DNS
servers, now handling 20+ billion DNS queries per day, and working with
some of the World’s most trusted brands to understand their filtering and
security needs.

OpenDNS Enterprise brings an unmatched level of intelligence on top of
DNS that provides powerful award-winning web content filtering and security
as well as new reporting and navigational features. OpenDNS Enterprise
is designed to ensure safe, appropriate, reliable, and productive use of the
Internet. It allows network administrators to instantly gain visibility, control,
and protection for accessing and using the Internet. They can easily secure
their users and networks from online threats, enforce Internet-use policies,
increase performance, and reduce costs.

OpenDNS Enterprise was launched in October 2009 to meet the
sophisticated requirements of a complex enterprise environment. Some of
the key features added to the Enterprise version are:

• Advanced customization
• Delegated administration
• Audit Log
• Malware site protection
• White list only mode
• Advanced reporting and logging features
• Whitelist/blacklist up to 500 domains
• Block page bypass
• Service level agreement (SLAs)
• And much more..

To learn more about OpenDNS Enterprise, please consult the data sheet on
our website at www.opendns.com/solutions.

“And as a government entity, we continually strive to reduce costs while increasing our
security efforts. OpenDNS meets all of our security needs for our free, public Wi-Fi perfectly
and saves the City of Nashville a significant amount of money.”
— Allan Que, City of Nashville, TN, operates free, public Wi-Fi citywide
City of Nashville, Tennessee

Public Wi-Fi

For organizations that provide public Wi-Fi, with many hot spots and an
unlimited number of guest users, a DNS-based approach fits very well. It’s
easy to put in place policies that ensure appropriate use of the free service
and apply to all guest users, and it’s easy to protect them from dangerous
web sites and security threats without incurring high overhead.

OpenDNS — A Platform for a Growing Array of Services

We’ve focused on the enterprise-level web content filtering and security that
is offered on the OpenDNS platform, but DNS is also a natural place for
providing many types of new “navigational services” beyond those critical
functions. There are four main areas of functionality that have emerged on
top of DNS so far: security, control, reporting, and assistance, and certainly
more to be developed in the future.

Security — ensuring that users are not accessing dangerous sites that can
download malware, propagate botnets, or be used for phishing. Since virtually
all botnets use DNS to resolve their connections to command and control
sites (such as the recent Conficker virus) a DNS-based approach can easily
detect and stop the 1000’s of sites that such worms can connect to through
the network.

Control (web content filtering) — ensuring that users are accessing
appropriate web sites and content. Block or limit access to adult sites, social
networking sites, and high-bandwidth sites such as video sharing.

Reporting — gives network administrators a new level of visibility by providing
detailed information and statistics about what domains their users are
accessing.

Assistance — provides assistance when users make mistakes entering a
domain name or try to reach a blocked site.

Moving to a cloud-based DNS approach will yield immediate benefits and
cost savings and also offer a growing array of other valuable “navigational
services” going forward.
OpenDNS
199 Fremont St, 12th Floor
San Francisco, CA 94105
www.opendns.com