Linking to AD (security concerns)

visionist.
Level 1

Hi,

I have read the AD implementation guide, but one of my clients' security folk are nervous about sharing our AD information with what is (to them) effectively an untrusted web-based service. Umbrella fits the bill perfectly, but I need to understand more about the connections made between the AD Agent on the Virtual Appliances and the cloud services.

  • Are all connectors wrapped in SSL (if so, what level of encryption is applied - is it FIPS140-2 compliant)?
  • What information is extracted from AD (user name, group membership etc.)? Need to understand the scale of any residual risks.
  • Their concern is a culmination of information - if leaked / hacked - could identify a specific individual to a specific role, which may pose a security risk.  What information can I provide my customer to reassure them more?

Perhaps it will help if I define my requirements better:

 

1) I need to be able to report against white / black listed activity by user (not device, as devices are shared) from the internal domain.  Therefore, the AD connector is required.

2) I need to understand whether the certificate or token of an authenticated user which is passed to OpenDNS contains anything which would cause security folk concerns, such as cached / hashed credentials, which if obtained during a breach, would put the internal network at risk.

 

Many thanks

Peter Miller

Visionist (MSP).


rotblitz
Level 6

"I have read the AD implementation guide"

Was it this?  http://info.opendns.com/rs/opendns/images/TD-Umbrella-Insights-Deployment-Guide.pdf

If this does not help, you'll want to open a support ticket, or contact support by phone. Enterprise/Umbrella issues are almost not being discussed here, because of the other premier communication channels Umbrella comes with.

rotblitz is right that there is very little discussion in this forum regarding Umbrella and the AD integrations. There is actually a dedicated forum for that, as well as contacting the Support team.

That said, and for future posterity:

  • All connections to OpenDNS are done over SSL (HTTPS) with the exception of DNS which happens over standard DNS protocols. As per Chrome:

    Your connection to api.opendns.com is encrypted with 128-bit encryption.

    The connection uses TLS 1.0.

    The connection is encrypted using RC4_128, with SHA1 for message authentication and RSA as the key exchange mechanism

    We have not been audited or tested for FIPS140-2 compliance.
  • We use user & computer name, group membership, and GUID. We do not retrieve, access, or store the user's password hash(es) as they are not necessary for us to identify/report on the user activity.

The information passed to OpenDNS with the DNS request is hashed user & device identifiers. No credential, in the traditional sense, is passed and the hashes could not be used for anything other than receiving the filtering for that user or device.
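
For readers who want to check what their own client negotiates with an endpoint before answering a security team's questions, here is an added example; it is not part of the original thread and not OpenDNS code. The policy in `assess`, the function names, and the mapping of the Chrome description quoted above to the OpenSSL cipher name `RC4-SHA` are assumptions of this example.

```python
import socket
import ssl
import sys

# Example policy (assumption): TLS 1.2 or later, no legacy ciphers, (EC)DHE key exchange.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1 deprecated by RFC 8996
WEAK_MARKERS = {
    "RC4": "RC4 is prohibited in TLS (RFC 7465) and is not a FIPS-approved algorithm",
    "DES": "DES/3DES suites are legacy 64-bit block ciphers",
    "MD5": "MD5-based MAC",
    "NULL": "no encryption at all",
}

def assess(protocol, cipher):
    """Return findings for a negotiated protocol version and OpenSSL cipher name."""
    findings = []
    name = cipher.upper()
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"{protocol}: deprecated protocol version")
    for marker, reason in WEAK_MARKERS.items():
        if marker in name:
            findings.append(f"{cipher}: {reason}")
    # TLS 1.3 suites always use ephemeral key exchange; earlier suites
    # only do so when the name contains DHE (which also matches ECDHE).
    if protocol != "TLSv1.3" and "DHE" not in name:
        findings.append(f"{cipher}: no (EC)DHE key exchange, so no forward secrecy")
    return findings

def probe(host, port=443, timeout=5.0):
    """Connect with the local default client settings and report what was negotiated."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            protocol, cipher = tls.version(), tls.cipher()[0]
    return protocol, cipher, assess(protocol, cipher)

if __name__ == "__main__":
    # Constructed sample: the parameters quoted in the reply above.
    for finding in assess("TLSv1", "RC4-SHA"):
        print("quoted parameters ->", finding)
    # Optional live check: pass the hostname your appliance or connector talks to.
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

`probe` reports what the local Python/OpenSSL client negotiates, which can differ from what a browser or the appliance itself negotiates with the same server.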

visionist.
Level 1

Hey, many thanks guys - that is exactly the level of detail I require to convince my clients. 

Now... if only I could get someone from OpenDNS to email me a quote for up to 10,000 users...

Thanks again.