August 8, 2013

828 words 4 mins read

OpenDNS Umbrella – Safety or Zombies?

200px-Umbrella_Corporation_logo
We started evaluating OpenDNS Umbrella at the office while back. While I’ve always been a big fan of OpenDNS (and even applied to work there once), I was reluctant to get into this “Umbrella” service. Not because I fear Umbrella Corp, but because it just didn’t seem useful. What little info I skimmed on the web wasn’t exactly what one would call exciting. After taking it for a spin, I’ve found that it actually is useful, though their marketing material is convoluted.

Umbrella breaks down into 3 major components: Laptop/Desktop protection, Mobile device protection, and Administrative/Dashboard. I’ll address each piece, but first I want to make something clear. Umbrella is the corporate version of what you may have been using with OpenDNS for years already. A lot of the feature set is basically just relabeled from their old services (this is not a bad thing). For example, they talk about web filtering and malware protection. If you’ve used

OpenDNS (now “for home”) before via their public DNS IPs, you may be aware that you can do web filtering (or “parental controls”) along with the built in malware protection. This is the same stuff you get under Umbrella, just amped up… and all… enterprise-y.

Screen Shot 2013-07-27 at 9.39.07 PM
For Laptops/Desktops you get Umbrella Roaming Client. The point of this is to install it on every single user computer in your enterprise. It hijacks, encrypts, and tunnels every DNS request your machine makes up to OpenDNS. This means that A) Your user (theoretically) can’t be hit by a MITM attack B) Your user is protected from all the bad links just like they would at Corporate HQ (where you’ve got OpenDNS set as the default DNS servers, right?) C) Their requests are logged down to an individual computer basis (You can select different logging level, to protect privacy). It is also smart enough to detect if you’re a coffee shop or other walled garden (IE Gogo wifi) and show you a broken lock (and stop intercepting DNS) to indicate you’re insecure.

I’ve been running the Umbrella Client on my computers for a couple months now and I haven’t had a single issue related to DNS. I have some administrative issues with it, but that’s a story for another day (when I’m in full IT Manager mode). One of the greatest features of the client is, as you can see in the screenshot, that there is nothing to do with it. Your users can’t fiddle with it, can’t screw it up, can’t change anything. The only thing you can do with the client (as a user) is install it and uninstall it (and I’m sure any enterprising IT person could figure out how to prevent the latter).

Mobile devices, cell phones, tablets, etc. The protection concept is much the same as with the computer but, of course, you can’t change just the DNS servers on a cellphone. Unfortunately the support is for iOS only right now, but all you need is to install the Umbrella app for iOS and provide a username & password. Alternatively they’ve added an “invite via email” feature. When activated the app installs an iOS profile for VPN. This adds a VPN connection that is always-on when on WiFi. All of your traffic is tunneled up to the OpenDNS cloud then bounced out to your destination. This adds a tiny bit of latency, but the slow down is next to non-existent especially when talking about the vagaries of iPhone data speed on WiFi.

Screen Shot 2013-07-27 at 9.58.33 PM
Dashboard and administrative. I’m not going into detail with every feature and nuance in the dashboard, but it has met every need I can imagine. You have the ability to get reports and logs by machine, by domain, by threat, etc etc. More importantly, you have the ability to configure your protection to several levels of detail more fine grained than I remember possible in the old product. I could, for example, block porn at headquarters but allow users offsite unrestricted access. More fun though, I can apply policies down to specific machines, should I desire. So I could, for example, create a policy that blocks only my assistant from accessing Facebook and Reddit without effecting anyone else’s reddit-tivity in the office (This is a less theoretical and more practical example, in case you can’t tell).

So, it turns out all this Umbrella-ness is useful for myself and my users. A fair portion of my sales & support crew are “road warriors”, which is who this product really kicks butt for. If all of my users were in the office, I probably wouldn’t consider the full Umbrella treatment (since the “change your DNS” would get me 80% of the way there, for base protection). As more and more of the corporate world becomes mobile, and telecommuting becomes more common — Umbrella will be more useful. I wish they’d do a little more with it beyond just “protect DNS requests”, but I think it is a really good start.