The idea is as simple as it is ingenious and effective: let the DNS server decide whether or not to grant access to a requested URL.
After all, almost all outbound requests from the organization’s internal network have to be resolved by an external DNS server, and many (if not most) malware bots use DNS names rather than static IP addresses (because it makes them more flexible). In other words, the DNS server will inevitably see a lot of what’s going on Internet-wise, which actually makes it a perfect Internet security control candidate…
… which is an idea that, for example, Comcast DNS, Google Public DNS and OpenDNS have translated into concrete technology and into a service and a business model.
The last of these, OpenDNS, is our choice to complement our organization’s Cyber Security controls. After evaluating the free version for a while, I have now decided to go for the Enterprise Edition subscription of that cloud-sourced URL filter service.
DNS-based web filters are an effective first level of defence. Known malicious (phishing etc.) web sites are blocked before the user can even load them, and before the multi-level anti-virus/malware scanners have to kick in. They also allow for category-based filtering of web content that is very likely not in compliance with the organization’s Internet Use Policy. On top of that comes reporting based on DNS requests, covering numbers such as request types, domains and botnet activity.
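As an added illustration (not OpenDNS code and not part of the original post), the following Python example shows the resolver-side block decision and the query-based reporting described above. The domain list, categories, log entries and function names are all constructed assumptions.

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed policy data (assumptions, not OpenDNS categories or feeds).
DOMAIN_CATEGORY = {"phish.example": "phishing", "c2.example": "botnet",
                   "casino.example": "gambling"}
BLOCKED_CATEGORIES = {"phishing", "botnet", "gambling"}

# Constructed resolver log: (client IP, query type, queried name).
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.org."),
    ("10.0.0.5", "A", "login.phish.example."),
    ("10.0.0.9", "A", "c2.example."),
    ("10.0.0.9", "TXT", "x7.beacon.c2.example."),
    ("10.0.0.7", "AAAA", "Casino.Example."),
    ("10.0.0.7", "A", "notphish.example."),
]

def categorize(name):
    """Return the category of the closest listed parent domain, or None."""
    labels = name.rstrip(".").lower().split(".")
    # Walk from the full name towards the TLD so subdomains inherit the verdict.
    for i in range(len(labels)):
        category = DOMAIN_CATEGORY.get(".".join(labels[i:]))
        if category:
            return category
    return None

def decide(name):
    """Resolver-side verdict for one queried name: 'block' or 'allow'."""
    return "block" if categorize(name) in BLOCKED_CATEGORIES else "allow"

def decide_url(url):
    """Only the host part of a URL reaches the resolver; the path is never seen."""
    return decide(urlsplit(url).hostname or "")

def report(queries):
    """Summarize a query log: request types, blocked domains, botnet clients."""
    types, blocked, bot_clients = Counter(), Counter(), set()
    for client, qtype, name in queries:
        types[qtype] += 1
        category = categorize(name)
        if category in BLOCKED_CATEGORIES:
            blocked[name.rstrip(".").lower()] += 1
        if category == "botnet":
            bot_clients.add(client)
    return {"types": dict(types), "blocked": dict(blocked),
            "botnet_clients": sorted(bot_clients)}
```

Because the verdict is made per hostname, `decide_url` gives the same answer for every path on a host, which is why the anti-virus/malware scanners mentioned above still have a job to do behind the DNS filter.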
We are talking about a cloud-sourced service here. No hardware to install, operate and maintain. No data center (server room) rack space needed. No HA support specialist. No backup or DR plan either. We are talking about web-console-based administration that works from anywhere with Internet access, about monitoring and reporting, and about service costs based on fixed (rather moderate) annual subscription fees.
Cloud-sourced cyber security controls like OpenDNS allow for the use of effective state-of-the-art web safeguards at a cost unmatched by controls that require local operations.
Posted on January 4, 2012 by Heiko Herrmann