Campuswide Malware Protection Over the Cloud: Q&A

Thanks to our partners OpenDNS who presented with us on their cloud-based malware protection service Umbrella. Senior product manager David Thornton (DT) of OpenDNS presented the state of the campus malware threat and how to solve it using the Umbrella solution. We also discussed the integration between Aruba and OpenDNS.

A compilation of the webinar Q&A is now available. Thanks to all who joined the webinar. A copy of the提供演示文稿。这是一个演讲的录音Aruba's website。If you have any questions, please post them here in the comments section.

Q: How can I get more information on the OpenDNS solution?

答：如果您想审判Opendns的雨伞安全服务或开始免费的恶意软件审核，请发送电子邮件salesinfo@opendns.com。The case studies mentioned in the webinar and more information is available onumbrella.com/higher-ed/

Q: In a K-12 scenario how can we block adult content within facebook or other services without actually blocking facebook itself? If this cannot be done yet, when might this be possible for OpenDNS.

A: This is not live today but is something we are working on for later this year with the Umbrella service.

Q: what is the perfomance impact when using Umererlla?

A: Unlike other security services, most customers actually report a performance improvement when using Umbrella. This is not only because of the engineering efforts in building the fastest, most reliable DNS service but also because we operate some of the worlds largest DNS caches with extensive peering. More information on our peering fabric can be found athttp://www.peeringdb.com/view.php?asn=36692

Q: can we use cache servers with Umerallla service?

A: Forwarding internal DNS Caches to Umbrella is a very common deployment method for colleges and universities. Simply point your caches to our resolvers and enter your public/external IP addresses in the Umbrella dashboard.

Q: Botnets relying on IP #'s only are not included? Any thoughts on denylist service in conjunction with DNS?

A: An IP denylist, perhaps operated in conjunction with a traditional stateful inspection port and protocol focused firewall is a recommended additional layer of security. The Umbrella service is not meant to replace the core source/destination network controls of a firewall, and combining the two is a good best practice approach for layered security.

Q: Why do we need a firewall within Aruba if we have a firewall at the edge for the Internet?

A: Edge firewalls are great stopping stuff that is heading for or leaving your network, but it doesn't help with the traffic inside the network. For example, if I deployed Eduroam to allow academic roaming across campus, all my faculty, students, and guests would be on the same SSID. How would you secure internal resources? With the Aruba firewall that's easily accomplished by assigning roles based on the user's credentials, and setting up firewall policies for those roles. This can even be done to differentiate students from one another, such as those from the engineering school vs. the business school, you might want to give each access to different resources.

Q: Is there an too much overlap between PaloAlto and OpenDNS? If so, what type of firewalls would you get that does not too much overlap?

答：Palo Alto专注于在网络上提供更好的可见性和控制范围，以便您可以监视使用Facebook的方式，或者防止Facebook游戏，并执行允许人们在Twitter上阅读流的事情，但不要发布帖子。雨伞服务目前尚未提供这种控制水平 - 相反，我们专注于一种高度可扩展且易于管理的方法，以防止和包含恶意软件感染，而无需购买额外的昂贵硬件以进行Web的深入分析（代理）交通。如前所述，传统的状态检查防火墙是伞服务的很好的补充。

Q: Is the integration that Aruba has with PaloAlto the same as the integration that Aruba has with OpenDNS

A: These are different services, each with their own interfaces and functions. They will not be exactly the same integration as they don't perform the same functions, and are delivered in two different ways from two different companies.