Umbrella from OpenDNS is a security service that protects all devices within the organization, regardless of whether the employee is connected to the work wireless network or working remotely from a coffee shop. Location doesn’t matter; once the administrator defines and applies a security policy on the device, that device is protected as long as it is connected to the Internet.
There are many tools for managing what sites employees can or cannot visit when connected to the corporate network, but it is a little bit more challenging to manage users who are roaming. Umbrella isn’t exactly a VPN service, although it creates a VPN connection to the OpenDNS Global Network so that all user traffic is encrypted. Since users are all connecting to the OpenDNS Global Network, administrators can also push out cloud-based anti-malware, anti-phishing, and anti-botnet protections to each device.
The service is tremendously straightforward to administer, and nearly transparent for users, making it a must-have for any IT administrator concerned about what is happening on the wireless network.
Umbrella is offered in three packages. Umbrella Mobility covers “mobile and roaming devices” and is priced at $25 a user a year. It offers cloud-based anti-malware protection and content policies for iOS, Windows, and Macs. Umbrella Enterprise costs $20 per user per year and applies anti-malware protection and policies to distributed networks. Umbrella Insights is priced at $25 per user per year and protects distributed networks and has Active Directory support. The listed price is for 100 users, but the actual price may vary with the actual number of users.
This review focuses on Umbrella Mobility.
The Web Dashboard
OpenDNS sent me the login details to the Web dashboard, but IT administrators would typically receive initial startup instructions over email after signing up for Umbrella Mobility. When I logged into the Web dashboard with my credentials, I saw three tabs on top of the screen, Overview, Configuration, and Reports. The Overview screen has four areas, a “Message Center,” “Top Domains,” “Top Identities,” and “DNS Requests.”
The core features are in the Configuration tab as this is where an administrator would apply policies, manage what devices are connected, and define rules. The Report tab has some pre-built reports, such as top domains and activity volume, as well as a way to filter the collected data by connected device, domain, date, and whether or not the action was blocked or not. The reporting felt a little limited as there was no way to customize the search or filters. That isn’t necessarily a bad thing, since for most customers, what is available is just enough without becoming too overwhelming.
As the administrator, I sent an invitation to the user to connect my test iPad, much in the same way I sent out email invitations when provisioning iPads with iSimplyConnect. The invitation was an email with detailed download instructions on getting the VPN profile from the iTunes App Store. I did have a problem with the email instructing the user to “tap on the attachment to this email from your mobile device, and the security system will be automatically applied.”
On one hand, IT is telling users don’t click on links, don’t open attachments or install apps you receive via email. And then comes this message from IT. I expected better from a security-savvy company like OpenDNS. The IT team should clearly warn users ahead of time that this email would be arriving and prepare the user that this is an exception to the “don’t execute attachments” rule.
The dashboard also has the agent for Windows and Mac laptops. Administrators can distribute the zip file to users or push it out on to computers themselves. Android is not yet supported, although OpenDNS said that is in the works.
When the agent was installed on the laptop, it shows up as a little gray icon in systray indicating I was connected to the OpenDNS Global Network. It took about 90 seconds for the VPN icon to appear on the iPad’s status bar.
From a user perspective, even with the way iOS is set up, installation was a breeze and automatic. It’s lightweight, almost transparent, and doesn’t really interfere with normal use.
The fun part is playing with the policies. All the devices are grouped accordingly to type, so the test iPad appeared under Configuration -> Identities -> Mobile Devices and the test laptop under Configuration -> Identities -> Roaming Computers. I could see the laptop’s name, the policy assigned to the laptop (“Default Policy”), a green indicator to indicate the policy was active, the last time it was connected, a lock icon to indicate the connection was encrypted, and the version number for the client agent. I could modify the hardware name to whatever I wanted.
Clicking on Default Policy shifted me to Configuration -> Policies where I could view the rules and decide which devices to apply it to. I could say “All Mobile Devices” or specify individual devices. I decided I wanted to apply a different policy to my laptop, so I switched to Configuration -> Policy Settings to define whitelists, blacklists and other settings, and to Configuration -> Block Page Settings to create the error message that users would see. I modified the Global Block List under Configuration -> Policy Settings -> Domain Lists to block the Internet Movie Database (IMDB.com) and Twitter. It took me a few tries to realize I had to enter in the URL without http://. I wish there had been some messaging on the screen to explain the proper format. —Next: Applying Configuration Settings in Umbrella
Category blocking is defined under Configuration -> Policy Settings -> Category Settings, where I could pick from pre-defined settings or create a custom block by selecting from a list of 58 categories. “High” blocks adult-related sites, illegal activity, social networking sites, video sharing sites and “general time-wasters,” “Moderate” blocks all adult-related Websites and illegal activity, and “Low” blocks adult-related content. I selected blogs for this test.
Configuration -> Policy Settings -> Security Settings defined whether I wanted to enable protective features against malware, botnets, phishing, and “suspicious response,” which refers to preventing DNS binding attacks where public DNS entries are used to access the internal network.
Under Configuration -> Block Page Settings, I could specify the language that would display to the user when they tried to access a site that was blocked in the policy, or redirect them to a different site. I could display different pages for different rules, which I thought was a nice touch.
I went back to Configuration -> Policies to create a new policy using the new rules I defined and apply it to the laptop. As soon as I saved the policy, I tried going to Twitter, IMDB.com, and WordPress.com on the laptop and was blocked for all three, but the iPad had no trouble.
However, when I added Twitter to the whitelist, the domain remained blocked on the laptop, even though the site specifically says that if the same domain appears on both the blacklist and the whitelist, the whitelist takes precedence. It took a few minutes for that change to propagate.
Pages didn’t refresh automatically on the dashboard, so I had to regularly switch to a different screen and return to see updated content. The dashboard isn’t really cut-out for continuous monitoring, but rather a way to periodically manage devices. That is, I can’t just keep the window open all day and keep track of who is online.
A Persistent Umbrella
Employees are increasingly working remotely and doing more things online, accessing a plethora of cloud-based services from a wide-range of locations from multiple devices. It is a challenge for IT to know what employees are using, let along protecting them from online threats. There are a number of mobile security products (such as K9 Web Protection Browser) which offer URL filtering and blacklists, but Umbrella extends its coverage over both laptops and mobile devices. Umbrella lets IT extend its reach to devices that are roaming outside the organization. I can see why the iOS set up is the way it is, but I consider that invitation email a serious security risk as it encourages bad habits.
With Umbrella, IT can make sure the right security policy is being applied on the right device for the right user at the right time in a straightforward and unobtrusive way. Umbrella is an Editors’ Choice security utility for network admins.
More Networking Reviews:
|OS Compatibility||Windows Vista, Windows XP, Mac OS, Windows 7, Windows 8|
Copyright © 2012 Ziff Davis, Inc