We are a system integrator, and we implemented this solution for one of our clients in Morocco. It helps to protect the network against ransomware and phishing attacks.
This solution integrated with eBay, and we use it to check statistics.
Download the Cisco Umbrella Buyer's Guide including reviews and more. Updated: June 2022
Cisco Umbrella offers flexible, cloud-delivered security according to users’ requirements Cisco Umbrella includes secure web gateway, firewall, and cloud access security broker (CASB) functionality all delivered from a single cloud security service. Cisco Umbrella’s protection is extended to devices, remote users, and distributed locations anywhere. As company employees work from many locations and devices, Cisco Umbrella is the easiest way to effectively protect users everywhere in minutes.
Cisco Umbrella uses machine learning to search for, identify, and even predict malicious domains. By learning from internet activity patterns, this DNS-layer security solution can automatically identify attacker infrastructure being staged for the next threat. These domains are then proactively blocked, protecting networks from potential compromise. Cisco Umbrella analyzes terabytes of data in real time across all markets, geographies, and protocols.
Cisco Umbrella works with leading IT companies to integrate its security enforcement and intelligence. Built with a bidirectional API, Cisco Umbrella makes it easy to extend protection from on-premises security appliances to cloud controlled devices and sites.
Cisco Umbrella is suitable for small businesses without dedicated security professionals, as well as for multinational enterprises with complex environments.
Why use Cisco Umbrella?
Reviews from Real Users
Cisco Umbrella stands out among its competitors for a number of reasons. Some of the major ones are its DNS-based protection, ability to protect users no matter where they are located, stability, and high performance.
Daniel B., a network specialist at Syswind Kft, writes, “We primarily use the solution as cloud security for our branches. It protects us from direct internet outbreaks. It makes for good flexibility. The solution is very easy to manage. We found the initial setup, for example, to be quite simple. Efficient protection on the DNS level and even higher. The sandboxing feature analyses and handles the complicated security risks.”
Victor M., SOC & Security Services Director at BEST, notes, “It provides security for the remote workers and it helps to improve enterprise security in a very easy way. We mainly enjoy web software protection capabilities. It prevents the end-users from getting into bad sites or sites that potentially could have malware or could be phishing. It helps end-users avoid the wrong sites. The solution works very smoothly. The user interface is good.”
Cisco Umbrella was previously known as OpenDNS.
Chart Industries, City of Aspen, Eastern Mountain Sports, FLEXcon, George Washington University, Jackson Municipal Airport Authority, Ohio Public Library Information Network, PTC, Richland Community College, Smart Motors, Tulane University, VeriClaim
We are a system integrator, and we implemented this solution for one of our clients in Morocco. It helps to protect the network against ransomware and phishing attacks.
This solution integrated with eBay, and we use it to check statistics.
The most valuable features are the protection against ransomware and phishing.
This solution is easy to use.
This solution is difficult to configure.
I would like to see a graphical representation of the entire network. For example, the network topography that shows connections to the server, as well as the communication that is coming into and going out of Umbrella.
We have not seen any bugs, glitches, or crashes. It is a very nice solution.
Scaling this solution is easy once you have the licenses.
There are three people using this solution. They are network and system administrators, and the ECC.
This was the first solution that we implemented for our client.
The initial setup of this solution is not complex. It is easy to configure and use as a whole. The deployment took approximately one day, which involved configuring the access.
One person is enough for deployment and maintenance.
We had a consultant to assist with the deployment.
Licensing fees are paid on a yearly basis.
Depending on the needs of the client, we consider several solutions. I have worked with Symantec PGP, CyberArk, Cyberwatch, Skybox, and Fortinet.
This is a very important solution, especially if the client does not actually supervise the tool.
My advice for anybody implementing this solution is to make sure that it is configured properly for your network. Depending on your environment, you need to set up access for people who are both out of the office and out of the local network.
This is a very good solution and my clients are impressed with it.
I would rate this solution a ten out of ten.
We use this solution as a web security gateway, block malicious domains and making sure that people don't go to websites that they're not really supposed to.
We are still in the proof of concept stage, which is a small test environment of approximately one hundred users. We will be purchasing it, and it will potentially replace our existing solution.
The most valuable feature is that it secures our network against blacklisted or malicious websites. If we do have an instance of malware then it is unable to home back to these types of sites.
This solution is very easy to use.
While technical support is good, there are features in the backend development side that were initially promised but are not there yet.
More granularity in the product would be helpful.
The reporting functionality should integrate better with SIEM products because it lets us report in PDF, but we want more flexibility.
Support for multiple domains is important to us.
It hasn't been fully deployed, but the stability has been good so far.
This solution is very scalable.
We have dealt with technical support extensively and they are good. We have had issues because of functionality that it didn't support at the time, which is why it has not been fully deployed yet. The functionality has since been introduced, but there are still some kinks that we're working out.
Our current solution isn't working very well and keeps breaking.
The initial setup is advertised as pretty easy, but we did run into some kinks. It shouldn't be that hard, it's just that we had some issues.
We worked with a Cisco partner, PCMD, who provided us with support.
Our licensing fees are on a yearly basis.
Other products were evaluated, but I was not part of that process and do not know which vendors were on the shortlist.
My advice for anybody researching this solution to make sure that it fits in your environment. Reverify the limitations. Our new department has different divisions and the way our Active Directory works causes some problems.
The ease of use is fantastic, but there are things that have to be fixed.
I would rate this solution a seven out of ten.
We use this solution for DNS and IP reputation, for blocking.
Using this solution has meant that we've needed to make fewer firewall changes.
The most valuable features of this solution are the blocking function and its ease of use. The integration with other systems is helpful, as well.
I would like to see DLP integration in the next release of this solution. Including this would give us headroom with some of the infrastructures that we have today.
The stability of this solution is fantastic, and we have no interruptions whatsoever.
There are no limitations when it comes to the scalability of this solution. It's fantastic.
When I have had contact with technical support, I've always had a fast response time.
We implemented this solution because we had a gap in the visibility of our DNS protection, and this was able to remedy that.
The initial setup of this solution is straightforward.
I performed the deployment myself.
Within six months we had ROI for this solution.
Our costs were negotiated, and they are okay.
We did evaluate other options before choosing this solution. We selected this one because we were able to merge it into an ELA (Cisco Enterprise License Agreement), which was beneficial.
If anybody is looking for DNS and IP reputation for protection and blocking, then this is the right product. This is a good solution that is easy to manage, easy to configure, easy to operate, and easy to support. It's very simple.
I really like this solution, and rate it a ten out of ten.
We act as an MSP for our organization, and we use this solution as part of the service. We are the parent company and we acquire insurance agencies. Typically, these agencies have between twenty and one hundred and twenty people. We do not force them to move onto our system; However, we show them what value they will receive by us taking on their network infrastructure. This includes the firewall, switches, IP phones, email platforms, etc.
This solution allows us to manage our four hundred locations under the same umbrella, with the same configurations. It makes it easier to troubleshoot and provide the same solution to everyone.
The most valuable feature of this solution is its reliability.
Security, overall, can always be improved.
The stability is good, and we have had very few problems with the equipment. The problems that we've had have been with our carriers. I can, pretty much, put a solution in place and not even worry about it.
My impression is that this solution is very scalable. It allows us to grow. We can add fifty sites per year, easily, and not really have to redesign from the ground up.
When we need technical support, they're usually very responsive. I usually get a solution or an answer between thirty minutes and a couple of days, depending on what the technology is, and whether the issue is critical or not.
The smaller sites typically use non-enterprise grade equipment, and we switched because it is easier to manage the solution, especially when it's set up to our standards.
The initial setup can vary in complexity depending on the size of the agency, as well as other factors including what they already have in place.
We do all of our integrations in-house.
We have most definitely seen ROI. In most cases, when we take over, we're always saving on monthly costs. The turnaround investment is usually under a year.
There is a one-time cost of approximately $800 USD per user, and then a yearly support fee of about $50 per user. Our fees end up being about $150,000 USD per year.
We have one vendor, and interoperability is not an issue when we use Cisco.
This solution had been pretty good and it fits our needs. If we have business needs change then we will look at whether the current solution can do it. If not then we have to reach out and find something else.
My advice to anybody who is researching this type of solution is to do their homework when it comes to comparing products. Compare apples to apples, and ensure feature parity. I would stress that the support organization behind the product is very important. For us, any of the other products that we've used just haven't performed up to the standards of what we are doing.
I would rate this solution a ten out of ten.
We use Cisco Umbrella for one of our customers, one of Jordan banks. We are using that on the gateways, on the cloud to secure our customer web traffic.
They are happy with the distribution because they know it's straight on the DNS.
Cisco Umbrella uses the internet’s infrastructure to block malicious destinations before a connection is ever established. By delivering security from the cloud, it will save money and provide more effective security.
Umbrella stops threats over all ports and protocols—even direct-to-IP connections. Stop malware before it reaches your endpoints or network.
Even if devices become infected in other ways, Umbrella prevents connections to an attacker’s servers. Stop data exfiltration and execution of ransomware encryption
We would like to improve nothing in particular on Cisco Umbrella. They are very good.
I have been using Cisco Umbrella for about two years.
Cisco Umbrella is stable. I have heard no complaints from my customers at all.
Cisco Umbrella is scalable.
Cisco support is one of the best, their response is very fast and they are very supportive.
Yes, we used Bluecoat ASG to block known Malwares.
usually, to complete Sandboxing solution (which used for unknown malwares), we used other solutions like Cisco Umbrella or Bluecoat ASG to block the known malwares on Web GW.
it was very straightforward.
We (BMB company which is a Cisco Gold partner) are familiar with such solution and implementation.
I have no idea about cost.
No I did not.
On a scale from one to ten, I would rate this product a nine. No one's perfect. They are fine with the interface and the dashboard that they have released.
To replace my original DNS servers and configure more than 50,000 computers through domain name resolution.
It has helped reduce my unit's security events. It possesses a visual graphics table, which enables me to understand the resolution of the blacklisted domain. Sometimes, I can understand which URL is visited most often by reviewing the user's resolution.
These can reduce security events and can find out which users have security issues.
The price could be lower.
Our primary use case is security at the DNS level. This solutions was suggested by our account manager at Insight.
we didn't implement it in our environment because of the pricing concern. however, I am sure it would have done a great job considering my observations in the trail pack.
Threats never come close to your network with security at the DNS level. Like i said above, i used it for a very short time so I cannot comment on the what would've been valuable for us but I was pretty amazed by the wide variety of security features and reports on a single dashboard. Leveraging Custom API and reasons and visibility for each deep visibility for the network was something that caught my eye.
There should be a way to monitor traffic at the user level. I use Meraki Dashboard and Cisco Firepower to do this for different networks. I understand this tool monitors the network as a whole but adding that information will let us cut the cost for other tools.
The product is pricey compared to Cisco Firepower.
It is a pretty good product for a small business.
Protection and security provided by using Umbrella are the two top areas that I looked at when considering. With three campuses, Umbrella has proven itself with the detection and blocking of malware, viruses, and preventing users from visiting malicious sites. We have two Umbrella virtual appliances at each campus, with two campuses using Hyper-V, and the primary data center running VMware.
The reports have given us insight into what the Internet is being used for at all three campuses. They provide insight into internet usage and information helpful in creating QoS rules.
If the virtual appliances could also gather traffic bandwidth reports, that would be great.
The customer support is exceptional.
They have a wealth of articles in their knowledge base. This has given me the freedom to troubleshoot on my own time.
Cisco Umbrella's interface is easy to use and the visibility of user activity is extremely useful.
We are in trial mode and use it for a distributed national environment. It provides category and security coverage for endpoints regardless of their location. As a mobile-first workforce, Umbrella always provides DNS-based security, even if endpoints roam in unfriendly waters.
It provides centralized, device-agnostic management of the Internet experience. It has the ability to quickly block new threats.
It needs a better price point.
My customers would like to protect users in company and outside their companies.
Improves security through DNS visibility, which can block malware, phishing, C&C, etc.
It is easy to implement.
If I want to see which users access a website, I need an Active Directory registered on Umbrella's cloud.
No stability issues.
No scalability issues.
I would rate technical support as an eight out of 10.
We did not switch solutions. We just added an extra layer of defense.
The initial setup is straightforward.
The pricing is fair.
You can request an evaluation license.
No.
We needed the product to enable a whitelist-only browsing mode for certain computers for a client. After that was implemented, I was able to configure a virtual appliance (which became the DNS server) to connect to a local AD server and relate traffic to an AD user name. From there, we could track and monitor where users were going and perform web content filtering to prevent video streaming and certain social media sites. This in turn positively affected productivity.
I don’t remember the specific examples of data I was trying to filter out but it was related to ads being hosted by a CDN such as Akamai. Links and images were being hosted there for quicker localized delivery yet the users were not actually going to those sites. Due to that it was showing that those sites were being visited the most, which wasn’t the case.
There was a positive effect on productivity because we could track and confront the users that were frequently using social media or streaming video during the work day. They weren’t wasting as much time after OpenDNS was implemented.
It gave us new capabilities and made users accountable for their browsing while at work.
I would like to have the ability to prevent certain sites/data from showing on the reports. I have had this feature request open for a couple of years. It would be useful to have for filtering out unuseful data.
I have been using this solution for the past two years. I previously used the free solution 6-8 years ago.
I did not encounter any issues with deployment, stability or scalability. I had a Sales Engineer assist with the setup for one portion, but was able to figure out the rest with no issues.
No
Excellent
Technical Support:Excellent, their Sales Engineer was very helping in getting the AD sync setup.
No
Initial setup was straightforward. Any questions I had were already answered on the forums.
A vendor team was only needed for one small portion, which was setting up the virtual appliance. I would recommend trying to figure out the setting on your own first before reaching out to support. I found it very simple.
We were able to resell the service for a 100-200% profit.
Due to past experience, I knew it would do what we needed and the website has an intuitive interface, so there was no reason to research alternatives.
It has the ability to block malware threats in the cloud and control web content access from inside or outside the office.
It has significantly reduced the threat of virus/malware infections, CryptoLocker infections and has made our client’s networks more secure.
Improvement could be made in the area of detailed reporting analytics broken down by client name for individual custom reporting.
I have been using it for about three years.
I have not encountered any deployment, stability or scalability issues. The installer can be scheduled and rolled out using our set of Managed Services tools.
Customer service and technical support is excellent. I give it a 9.5.
We have used Websense, Barracuda and iPrism in the past. The flexibility of OpenDNS supporting a high-performance cloud infrastructure and not requiring any hardware or software cost was a major factor. The monthly pricing model fits into our company’s core services as a Managed Services provider and eliminates the need for annual renewal licenses.
Initial setup was straightforward for the most part, but it can become complex depending on the granular content filtering features that need to be implemented for each client.
In-house implementation. I would recommend an automated procedure on a domain network instead of a manual remote install. I recommend a default of blocking malware, phishing and pornography only, and allowing the client to determine if any additional categories need to be blocked on their network.
ROI benefits both the reseller and the client in Managed Services because of its proactive approach to network security. Our technicians aren’t spending hours of wasted time removing malware and viruses from desktops and notebooks. Customers appreciate the productive benefit of multi-layered protection that builds upon their legacy firewall and spam prevention. The pricing for the subscription is minimal (literally a few cents a day). The price is based on content management and security of client networks, as a bundled solution with an existing service.
Try it before you buy it, to test it out. Test the content filtering categories.
Custom whitelist/blacklist/block page allows us as consultants to tune web content filtering for the SMB market.
OpenDNS supplements other security solutions to allow for blocking through DNS requests, which is common for malware to use to bypass other security mechanisms.
This product needs policy scheduling for enforcement by category. Notice in all the packages, there’s no scheduling. In the Insights or Platform package offerings, you can now essentially have multiple ‘policies’ per AD user or network group. What’s missing is that I still can’t set enforcement to block certain website use at this time of day or these days of the week. For instance, a company may allow streaming audio sites for music only for night shift workers to help them keep awake and versus dayshift workers.
I have been using the web-based, small-teams edition since 2007 (nine years).
We have never encountered issues with general deployment.
We would rate customer service and tech support after the Cisco acquisition a 5 out of 10.
We’ve used and deployed ZScaler, Websense, and other UTM-based blocking solutions. This product is not always the best if you need complex policy and scheduling, and other user soft-pass through authentication.
Initial OpenDNS setup is straightforward if you have a static IP address and you apply the DNS forwarders appropriately. This is literally a five-minute-or-less change.
We always implement for ourselves and for others in-house because of ease of use. Implementation-wise, companies should be aware that changing DNS forwarders might impact their global DNS operational needs. OpenDNS servers are also slower than something like Google DNS.
Pricing needs to be reduced for SMB based on the blocking capabilities and the lack of other features that you just cannot do in DNS, such as authentication-based filtering.
Also, scalability-wise, the pricing is more of a challenge for enterprise-class environments because of the pricing model.
OpenDNS is either a good complement to your existing web content filtering solution at the enterprise level, or it is a good free or easy-to-deploy alternative for home and SMB use.
It transparently protects users from rogue web sites.
OpenDNS filters DNS query/reply without any software to be installed on the client side, so in my mind, the transparency I was talking about relates to:
It provides native integration into the multiple cloud services, for example, Microsoft OMS.
I used it during a two-week POC (proof of concept).
I have not encountered any deployment, stability or scalability issues.
Technical support is good.
This is the first time we used one of these products, one of the known DNS firewalls.
Initial setup is simple, although some pre-requisites were not communicated to us, and they can make the final solution a bit more complicated.
We implemented it in-house with the support of the vendor.
The product has been rejected by business due to the pricing; no ROI as such.
It is a great product in the company security portfolio. It can be used together with the proxy to provide end-user security. However, the cost of this product is too high for what some businesses can afford.
The feature that most interested me was protection against DNS-based attacks. Umbrella offers protection against malicious websites by stopping users from visiting them. This is important because of its host / endpoint protection, an important concept as businesses decentralize their operations and employees find themselves working from unmanaged sites on untrusted networks.
Employees can do their jobs and know that they'll be protected from malicious websites.
The product itself is excellent. What I'd like to see improved is the purchasing process; specifically, I'd like to see OpenDNS offer its customers the ability to purchase any number of licenses instead of a bundle.
Cisco & Open DNS don't make it easy to add additional users/licenses to an existing account. Instead they want you to go to their store (can't get to it while you're logged into your Umbrella console) and do a purchase, like you're in some line at the grocery store.
I have been using it since April 2015.
Deployment is straightforward, the product and the back end systems that support it are stable and the product is scalable as long as the customer purchases the necessary number of licenses.
The purchasing process could be easier. What I'd like to see is the ability to contact a live person at OpenDNS and over the phone be able to purchase additional licenses.
Technical Support:Technical support is good.
Umbrella is the first product of its type that I've used. Otherwise, my company has relied upon anti-virus products to protect hosts.
Initial setup was straightforward. I simply downloaded the client, installed it on a host and that was it.
Implementation was straightforward and was done in-house.
Regarding ROI, that falls into the category of security and that is always a tough sell to management.
What I'd like to see improved is the purchasing process, specifically I'd like to see OpenDNS offer its customers the ability to any number of licenses instead of a bundle.
Plan, plan and plan some more.
Web content filtering: Cisco ASA 5505 doesn’t have a straight content filtering feature, so we used OpenDNS and it worked like a charm. It is security beyond the firewall, and hence more beneficial, as it stops the threats before reaching the firewall and enhances security.
We were able to implement web content filtering to block unwanted traffic, and to prevent bandwidth choking and malicious attacks without deploying any hardware/software, within a few hours.
I would like the product to offer more security features, such as IPS, IDS, DDoS prevention, etc.
I have been using it for six months.
I have not yet encountered any deployment, stability or scalability issues.
Implementation was straightforward with minimal changes to existing infrastructure.
It was self-implemented.
We have tried a Linux-based proxy server, but that was complex to manage and wasn’t foolproof.
I highly recommend SMBs and enterprises use it to enhance their network security with minimal cost through the OpenDNS cloud solution.
Deployment and management are easy.
It made web filtering and malware protection easy.
I think there is some room for improvement with regard to the Windows client. While providing great protection for roaming laptops, on occasion users in the office would get the "yellow triangle" showing up over their wifi connection. It would state that the users were not connected to the internet, when in fact they were. This caused a few gripes and was difficult to troubleshoot. Other than that, not much else.
Only other suggestion might have been a URL to automate requests when checking if a blocked site is in fact a valid block.
I have been using it for two years.
Deployment and scaling are very easy. The only issue was as mentioned.
Technical support is excellent, with quick responses.
iPrism was inline, did not scale, and not easy to manage.
Initial setup was easy; just forward your DNS.
An in-house team implemented it; it was pretty straightforward. Just get the appropriate teams involved.
ROI was all about added security and a decrease in malware.
Pricing was fair.
Go for it; there is no better way to secure guest networks without any headaches.
The various powerful query options are the most valuable features of this product to me. Using the Investigate API, we can gather the detailed history of a domain, whois information, NS records, etc. All of this information helps us determine whether a domain is malicious or not.
It helps us identify malicious domains.
I would be happy if they could add the whois information of an IP. That would further help us determine whether an IP is malicious or not by identifying the domains associated with the IP, whether there are any known bad domains associated with the IP, and more.
I have been using this solution for two months.
I did not encounter any issues with deployment, stability or scalability.
We implemented it in-house.
The APIs are very powerful. You can use any programming language and integrate it with your products. It can be really handy for security analysts.
We have a number of terminals that are NOT on our MPLS network, so we depend on the OpenDNS services to provide URL filtering where we normally have no visibility or control.
By using OpenDNS, we block sites that are looked at as malicious and cut down on incoming threats.
One thing I can mention is network security. There's no real mention about the potential of malware & virus protection for locations that we are using OpenDNS on. In certain areas, we only have a few people on-site and there’s no real need for a firewall at that point.
That would be the only thing I can think of with OpenDNS that we have NO information on.
Otherwise, for me, I think it’s a good packaged deal. I wouldn’t really change anything.
We have been using this solution since 9/25/15.
I did not encounter any issues with deployment at all. It was pretty straightforward.
Their customer service is pretty good from what I remember. We called them at one point to ask a question about one of our devices not showing up and they were pretty quick at resolving the issue.
Previously, it was the Wild West at our locations that are not on our MPLS network. They were looking at whatever they wanted as they were only on a personal wireless device. We upgraded them to a Cisco 819 or a Cradlepoint but didn’t have much in the way of filtering or DNS with their GUI.
I believe, for the most part, initial setup was straightforward. You just have to look around and set it up, link it to the device, etc. It’s not too difficult where you couldn’t just figure it out, but to be sure, we called support and they confirmed what we were doing. They even helped by showing us the policy setup area.
We implemented this ourselves. We had the access points, set them up, tested them and shipped them out.
The pricing is fair. We’re paying under $40 per license for 60 licenses.
If you have locations where there are a small number of users that doesn’t merit a dedicated line with high monthly costs, it’s quite easy and efficient to give them some kind of access point and use OpenDNS for security and filtering.
The ability to use custom categories to block out websites was valuable because the predefined categories were either too restrictive or not restrictive enough. For example, one category would block everything from social media to webmail, while another category did not block either. So to be able to customize categories made it a lot easier.
This product has made it easier for our IT team to keep employees on track to work and away from distracting websites.
Perhaps an option to be able to block only specific users would be a way to improve the free version of OpenDNS. In our department, there are multiple users that need different levels of access. For example, those who work in the advertising department need access to social media, while those in the accounting department do not. The ability to be able to set different rules for each user would have been nice to have.
I have used it for about six months.
I did not encounter any stability issues.
I did not encounter any scalability issues.
I did not need to contact technical support when using OpenDNS. The product is very self-explanatory.
This was the first product we used for filtering websites.
The initial setup was very straightforward. I did not have any issues.
I was using the free version of OpenDNS, so I am not aware of the pricing.
We were choosing between pfSense and their packages versus. OpenDNS looked easier to setup, so we went for that first. Eventually, we moved to using pfSense’s SquidGuard, because it allows us to be more precise with filtering websites.
This product is very straightforward and simple to setup. I would recommend others to just give the product a try. I am sure they will be happy with the results. OpenDNS has different filtering levels, but I found it easier to just go for the custom level versus the ones they had set up already.
OpenDNS allows us to maintain low network resource overhead on our (relatively) small network. Intuitive, flexible web filtering controls also help us enforce compliance over logically separated networks at our school for teachers, students, and non-academic staff.
Given the small to medium scale of our network architecture, our current gateway/firewall DMZ infrastructure is specced too low, and our budget too limited to accommodate more fully featured security appliances. While some organisations may utilise higher specced security appliances with powerful software features available directly on the device including user management, granular IP filtering and more, we must make do with lower spec appliances.
Furthermore, while our network is based around a gigabit fibre core, we have seen bandwidth utilisation increase greatly over the past several years due to cloud hybridisation of our infrastructure (AWS, Google Nearline, et.al.), and as a result are currently stretching the performance limits of what our current hardware stack can do. Given these limitations, the granular control which OpenDNS provides us for Web Content Filtering, malware protection and data logging are crucial in filling gaps in our network security stance.
To add, we are also an educational institution. Our standards for compliance, both internal and external, can be quite strict. We are beholden to security and compliance standards enforced by the Government of Japan, its Ministry of Education, as well as internal compliance enforced by our own Business Administration department.
This is not to mention the sort of 'soft compliance' which comes from the families of our students regarding how we handle sensitive data and personal records.
It has been our experience that the following features available within OpenDNS have helped us meet compliance reporting requirements quite readily:
The management interface for these features is highly user friendly and it is simple and easy to make configuration changes on the fly. This is important to us as specific security policies can and do change on a weekly or even daily basis. The size of our department also dictates that we do not have any single engineer dedicated to network security (or even networking) and so it is crucial that each of our members have the ability to log in and manage this service when needed.
All in all, I can not recommend OpenDNS as a one-size-fits-all solution for security and compliance, especially for larger organisations. I can, however, strongly recommend that any Systems and Network Engineering team consider this product on its merits regardless of scope. Personally speaking, this tool has proven itself invaluable in allowing myself and my team to perform our duties efficiently and securely.
Because we have a small sysadmin team, the less time we need to devote to responding to threats, parsing data logs and putting out fires, the better. OpenDNS saves us time in this regard, as well as providing fast and easy configuration control.
Difficult to answer as we haven't yet pushed the outer limits of what this product can do.
Nonetheless, one thing to keep in mind when using OpenDNS is how it will interact with your internal network and DNS architecture. You run the risk of breaking any local subnet DNS lookups in a domain-bound enterprise environment. While this criticism can be applied to other third-party DNS providers, it is nonetheless one reason for withholding a perfect rating.
Additionally, OpenDNS will handle server caching differently than your local service provider. This can cause service slowdown or interruptions, and generally prevents OpenDNS from becoming the "one-size-fits-all" solution that some would like it to be.
Finally, although this has never posed a problem in our environment specifically, OpenDNS has been known to grab NXDOMAIN records and redirect traffic to their own internal ad pages. Some people may find this unethical; however, that might depend upon whether you are utilising paid or unpaid services from OpenDNS as well.
I have been using for over a year.
We currently have OpenDNS deployed across two sites providing coverage to more than 500 active clients. No problems so far. We will be further expanding this year and hope to leverage OpenDNS web filtering at our new sites as well.
On the rare occasions we have used it, technical support has been prompt and professional, if a bit lacking in personal touch.
Previous infrastructure relied on router/gateway-installed software for filtering and security. It simply isn't enough for a modern network, especially not one as complicated and security-conscious as education.
With a basic understanding of networking, implementation should be straightforward. For non-technical people, there is probably enough documentation floating around that basic configuration is possible for anybody motivated enough.
An in-house team implemented it.
Implementation was a no-brainer. We do recommend notifying and educating users in advance of implementation to avoid potential headaches caused by sudden changes to filtering policies and such.
ROI for OpenDNS: time saved, checkboxes ticked, and organizational leadership satisfied.
Get a quote! You also need to weigh any licensing costs against potential risk factors. (I.e., what is the potential cost factor of not implementing this or other solutions?) OpenDNS licensing structure and policy is generally straightforward and easy to understand. In our case, managing a network in use by students, many of them younger, necessitates certain compliance and security implementations not found in typical corporate environments.
Plan out your security coverage and filtering strategy in advance of purchasing and implementation. Think about what role you expect OpenDNS to fill in your security architecture. Do you have Layer 3 security in place? Where do your vulnerabilities lie and what threats can you expect to counter?