
Does OpenDNS add extra value on top of Next Gen Firewall

Remko de Koning
Level 1

Hi guys, does anyone know if OpenDNS gives extra value when using a NextGen Firewall with URL filtering, malware protection, etc.? Is it worth an extra subscription?

 


rotblitz
Level 6

OpenDNS has no "URL filtering", because it is DNS based as the name clearly expresses, not web based. It can filter by domain name only. You cannot compare it with Next Gen Firewall which uses a totally different technical approach. But OpenDNS adds extra value, depending also on which of their services you will be using.

mattwilson9090
Level 4

@rotblitz I think his reference to URL filtering was referring to OpenDNS being able to supplement the URL filtering that the firewall does.

@remko.de.koning It's been my experience that URL filtering on a firewall will stop most traffic before the DNS lookup request is sent to OpenDNS, but overall it makes a very good supplement to what the firewall can do, especially the malware that Umbrella can filter that might not yet be included in the firewall's signatures. Also, if you have the appropriate Umbrella agent on mobile devices, especially laptops, it will continue protecting those devices when they are outside of your network.

Overall I'd say it's worth the subscription, but it needs to be examined with your overall costs and security environment.

rotblitz
Level 6

You're right.  It looks like he meant the Next Gen Firewall URL filtering.  I should have read more thoroughly...

Remko de Koning
Level 1

Thanks guys for the feedback.

We have a Palo Alto Networks firewall with AntiVirus and WildFire subscription. I stumbled upon OpenDNS a few weeks ago and have it active on my home network now. I was just wondering if it would give extra value if we would purchase it for the company as well. I know Palo Alto does an excellent job on the malware filtering but we are still facing some challenges. For example, the Palo Alto does not see malware over an HTTPS connection unless a decryption rule is implemented.

I guess I am still struggling with all the options I have to make sure we reduce the amount of malware as much as possible.

The option to have laptops use the OpenDNS service once they leave the site sounds good. The only way I have now to protect these is to set up a permanent VPN tunnel to the company so all traffic is routed through the firewall (no split tunnel). This is not a good option if people are travelling to another continent due to the extra latency added.

 

I appreciated your comments!

 

Remko

rotblitz
Level 6

"the Palo Alto does not see malware over an HTTPS connection unless a decryption rule is implemented."

Not a problem for a DNS service like OpenDNS.  DNS traffic happens before web traffic, so malware domains can be recognized even and only before a connection is attempted.

"This is not a good option if people are travelling to another continent due to the extra latency added."

Not a problem for OpenDNS either.  They have data centers across the world. 
https://www.opendns.com/data-center-locations/

Remko de Koning
Level 1

Great, will investigate further. I have contacted sales to see if they have more info on the service. Thanks for your info.