08-30-2016 04:17 AM
Hi guys, does anyone know if OpenDNS gives extra value when using a NextGen Firewall with URL filtering, malware protection, etc. Is it worth an extra subscription?
08-30-2016 05:29 AM
OpenDNS has no "URL filtering", because it is DNS based as the name clearly expresses, not web based. It can filter by domain name only. You cannot compare it with Next Gen Firewall which uses a totally different technical approach. But OpenDNS adds extra value, depending also on which of their services you will be using.
08-30-2016 02:00 PM
@rotblitz I think his reference to URL filtering was referring to OpenDNS being able to supplement the URL filtering that the firewall does.
@remko.de.koning It's been my experience that URL filtering on a firewall will stop most traffic before the DNS lookup request is sent to OpenDNS, but overall it makes a very good supplement to what the firewall can do, especially the malware that Umbrella can filter that might not yet be included in the firewall's signatures. Also, if you have the appropriate Umbrella agent on mobile devices, especially laptops, it will continue protecting those devices when they are outside of your network.
Overall I'd say it's worth the subscription, but it needs to be examined with your overall costs and security environment.
08-30-2016 02:59 PM
You're right. It looks like he meant the Next Gen Firewall URL filtering. I should have read more thoroughly...
08-31-2016 01:42 AM
Thanks guys for the feedback.
We have a Palo Alto Networks firewall with AntiVirus and WildFire subscription. I stumbled upon OpenDNS a few weeks ago and have it active on my home network now. I was just wondering if it would give extra value if we would purchase it for the company as well. I know Palo Alto does an excellent job on the malware filtering but we are still facing some challenges. For example, the Palo Alto does not see malware over an HTTPS connection unless a decryption rule is implemented.
I guess I am still struggling with all the options I have to make sure we reduce the amount of malware as much as possible.
The option to have laptops use the OpenDNS service once they leave the site sounds good. The only way I have now to protect these is to set up a permanent VPN tunnel to the company so all traffic is routed through the firewall (no split tunnel). This is not a good option if people are travelling to another continent due to the extra latency added.
I appreciated your comments!
Remko
08-31-2016 05:19 AM
"the Palo Alto does not see malware over a HTTPS connection unless a decryption rule is implemented."
Not a problem for a DNS service like OpenDNS. DNS traffic happens before web traffic, so malware domains can be recognized even and only before a connection is attempted.
"This is not a good option if people are travelling to another continent due to the extra latency added."
Not a problem for OpenDNS either. They have data centers across the world.
https://www.opendns.com/data-center-locations/
08-31-2016 05:24 AM
Great, will investigate further. I have contacted sales to see if they have more info on the service. Thanks for your info.