With many IT departments looking for creative ways to deliver ‘more for less’, one area ripe for review is incumbent web filtering products.
Web filtering allows companies to filter their employees' internet access – most commonly to block unsuitable and non-work-related sites, meet legal obligations, improve productivity and conserve bandwidth. Some filters can also be used to improve security by blocking sites that are known to host malware.
Once a fairly specialist and expensive area, dominated largely by the big players such as Websense, the technology has filtered down to the small business arena with many companies now offering web filtering services for smaller businesses. Often this is implemented through anti-virus software, a dedicated server or an appliance. Most require a considerable investment in infrastructure, hardware, training and expensive subscriptions.
One company offering an alternative service to these costly models is OpenDNS, with their Enterprise product. By utilising the DNS system, OpenDNS is able to offer effective cloud-based filtering to companies of all sizes, requiring no additional software or hardware and very little configuration by the network administrator. In most SME network configurations, an effective basic policy can be deployed in minutes.
In this post I’m going to run through what is involved in setting up a basic configuration of OpenDNS Enterprise, as well as outlining a few of the important differences between this system and in-house systems.
It is of course important to consider the effect on users before implementing this on a live network. It’s very easy to swap back quickly (by changing DNS servers), but it’s best to have a play at home or on a test network before implementing in your workplace.
Once you receive your OpenDNS Enterprise trial account login, the first step is to define which networks you will be filtering. This may be as simple as supplying a single fixed IP address from your ISP, or very slightly more complex if you have dynamic or multiple IP ranges.
You can then select a default policy – ranging from low (blocks pornography only) to high (blocks all adult content, illegal activity, social networking sites, video sites, games etc). Alternatively you can select from any of the 50 categories you wish to block to create a custom policy. By default, botnet & phishing filters will be applied to add an additional layer of security and keep your network free of viruses.
Whitelists and blacklists are available to customise your chosen policy further. For example, a recruitment company may wish to block ‘social networking’ to block Facebook and MySpace, but may wish to whitelist professional social networking services such as LinkedIn.
Once your policy is in place, the next step is to switch your DNS servers to OpenDNS servers (208.67.222.222 & 208.67.220.220). On a very small peer-to-peer network, this may involve setting it manually on the workstations, but for most businesses it will be a 5-minute job of configuring the DNS service on their server or router to use these addresses as DNS forwarders.
That’s it – up & running. There is a lot more we can do to prevent users attempting to bypass the service – but that will be covered in another post. For now it’s time to test out a few sites.
Assuming everything is set up right, you should now find that any site in a blocked category is met with a block page. This page may be customised from the control panel with logos and contact details.
One thing you may notice is that sites which have been recently accessed are not being blocked as expected. This is down to the nature of the DNS service in general and is not specific to OpenDNS. Lookups are cached to minimise network traffic. This will clear in a few hours. If you are in a hurry you can immediately force this by stopping and starting the DNS service on the server/router, and the DNS client service on the workstation.
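To see whether your internal DNS server is still serving a cached pre-policy answer, and how long that answer has left to live, compare its reply with the one OpenDNS gives directly. This is an added example, not part of the original post or of any OpenDNS tooling; the sample reply, the name blocked.example and the documentation-range addresses are constructed, and your internal server's IP is supplied as an argument.

```python
import socket, struct, sys

OPENDNS = "208.67.222.222"  # OpenDNS resolver address given in the post
# Constructed sample: a cached reply "blocked.example A 192.0.2.10", TTL 2700.
SAMPLE = bytes.fromhex("123481800001000100000000" "07626c6f636b6564076578616d706c65"
                       "0000010001" "c00c00010001" "00000a8c" "0004" "c000020a")

def build_query(name, txid=0x1234):
    """Encode a recursive A/IN query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(msg):
    """Return [(ip, ttl)] for the A records in the answer section."""
    qd, an = struct.unpack(">HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    records = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            records.append((socket.inet_ntoa(msg[off + 10:off + 14]), ttl))
        off += 10 + rdlen
    return records

def ask(server, name, timeout=3.0):
    """Send one A query straight to `server` over UDP, bypassing local caches."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recv(4096))

def diagnose(local, upstream):
    """Compare the internal DNS server's answer with OpenDNS's own."""
    if {ip for ip, _ in local} == {ip for ip, _ in upstream}:
        return "in sync"
    return f"stale cache: local answer expires in {max((t for _, t in local), default=0)}s"

if __name__ == "__main__":  # args: LOCAL_DNS_IP DOMAIN (no args: constructed demo)
    if len(sys.argv) == 3:
        print(diagnose(ask(sys.argv[1], sys.argv[2]), ask(OPENDNS, sys.argv[2])))
    else:
        print(diagnose(parse_a_records(SAMPLE), [("198.51.100.7", 0)]))
```

Sites served from rotating address pools can return different addresses on any two lookups, so test with a domain whose category you have just blocked rather than a large public site.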
There are some support implications (and workarounds) for this, for example when a site is required to be unblocked immediately – for the sake of brevity I will detail this in a later post.
Where a ‘one size fits all’ policy is not suitable, individual users can be set up within OpenDNS Enterprise. This allows users to have a specific policy tailored to their requirements. When attempting to visit a site outside of the default policy, the user will be given the option to log in with their username and password. Unfortunately at this stage there is no Active Directory link within OpenDNS, so transparent authentication is not yet possible. This username and password method works well when only a few key staff need such policies, but may be a bit of a burden on support if many individual accounts need to be set up and administered, as accounts cannot yet be grouped by policy.
The administrator can also configure a one-time-use password which will temporarily allow any user to bypass filtering for a specific amount of time.
So far we have covered a few differences between OpenDNS and traditional URL filters like Websense. To summarise, for those looking for a quick OpenDNS vs Websense comparison:
1. Implementation of OpenDNS is vastly quicker & cheaper, and requires no additional hardware or software resources.
2. By operating at a DNS level rather than URL level, OpenDNS does not provide the immediacy of configuration changes provided by Websense. This can however be worked around via DNS cache configuration.
Another positive for URL filters like Websense is that they can offer more granular filtering of specific sites by inspecting the entire URL and page rather than simply the DNS name.
3. OpenDNS (at this stage) does not link in any way to Active Directory user accounts. This means that if authentication is required, it is provided via the web browser and is not the transparent process that Websense can provide.
4. OpenDNS (at this stage) is lacking in assigning users to groups and filtering based on membership. Policies are configured on a per person basis. This is likely to be improved in future upgrades.
5. Cost-wise, OpenDNS Enterprise works out to be around a third the cost of Websense, with even greater savings for small installations.
6. OpenDNS Enterprise is available in as little as 10 seats, as compared to 25-user blocks for Websense.
7. OpenDNS Enterprise is monitored for license abuse, but has no built-in hard limits to the license. No more block pages for going one iPhone over the license!
8. OpenDNS does no protocol filtering. This must be handled at the firewall.
For smaller businesses, OpenDNS as it stands offers excellent value. The cost is very low, and the current lack of enterprise management features is unlikely to affect them.
However, larger companies with more complex filtering policies would need to perform a careful evaluation to appreciate how (or if) the current limitations will affect them.
If you are looking to trial OpenDNS Enterprise for yourself, RSCC are an authorised UK OpenDNS Enterprise Distributor (we also supply Websense and Barracuda filters), with full UK-based support. Please call 0845 3889308 if you’d like to chat with an engineer with regard to how OpenDNS may benefit your network security, or to get a trial account set up.