Linking to AD (security concerns)
Hi,
I have read the AD implementation guide, but one of my clients' security folk are nervous about sharing our AD information with what is (to them) effectively an untrusted web based service. Umbrella fits the bill perfectly, but I need to understand more about the connections made between the AD Agent on the Virtual Appliances and the cloud services.
- Are all connectors wrapped in SSL? If so, what level of encryption is applied, and is it FIPS140-2 compliant?
- What information is extracted from AD (user name, group membership etc). Need to understand the scale of any residual risks.
- Their concern is a culmination of information - if leaked / hacked - could identify a specific individual to a specific role, which may pose a security risk. What information can I provide my customer to reassure them more?
Perhaps it will help if I define my requirements better:
1) I need to be able to report against white / black listed activity by user (not device, as devices are shared) from the internal domain. Therefore, the AD connector is required.
2) I need to understand whether the certificate or token of an authenticated user which is passed to OpenDNS contains anything which would cause security folk concerns, such as cached / hashed credentials, which if obtained during a breach, would put the internal network at risk.
Many thanks
Peter Miller
Visionist (MSP).
-
"I have read the AD implementation guide"
Was it this? http://info.opendns.com/rs/opendns/images/TD-Umbrella-Insights-Deployment-Guide.pdf
If this does not help, you'll want to open a support ticket, or contact support by phone. Enterprise/Umbrella issues are almost not being discussed here, because of the other premier communication channels Umbrella comes with.
-
rotblitz is right that there is very little discussion in this forum regarding Umbrella and the AD integrations. There is actually a dedicated forum for that, as well as contacting the Support team.
That said, and for future posterity:
- All connections to OpenDNS are done over SSL (HTTPS) with the exception of DNS which happens over standard DNS protocols. As per Chrome:
Your connection to api.opendns.com is encrypted with 128-bit encryption.
The connection uses TLS 1.0.
The connection is encrypted using RC4_128, with SHA1 for message authentication and RSA as the key exchange mechanism
We have not been audited or tested for FIPS140-2 compliance.
- We use user & computer name, group membership, and GUID. We do not retrieve, access, or store the user's password hash(es) as they are not necessary for us to identify/report on the user activity.
The information passed to OpenDNS with the DNS request is hashed user & device identifiers. No credential, in the traditional sense, is passed and the hashes could not be used for anything other than receiving the filtering for that user or device.
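For anyone who needs to put the connection parameters quoted above in front of a security team, this is an added example (not part of the original replies, and not OpenDNS code) that assesses a negotiated TLS protocol and cipher suite against a baseline policy. The policy thresholds and the function names are assumptions for illustration; FIPS 140-2 validation applies to a cryptographic module and is not something this check can establish.

```python
import re
import socket
import ssl

# Policy thresholds are assumptions chosen for this example, not from the thread.
MIN_VERSION = (1, 2)
WEAK_CIPHERS = {"RC4", "DES", "3DES", "NULL", "EXPORT"}
LEGACY_MACS = {"SHA", "SHA1", "MD5"}   # OpenSSL writes SHA-1 as plain "SHA"
EPHEMERAL_KEX = {"ECDHE", "DHE"}

def parse_version(protocol):
    """'TLS 1.0' or 'TLSv1.3' -> (major, minor); any SSL version -> (0, 0)."""
    if protocol.upper().startswith("SSL"):
        return (0, 0)
    m = re.search(r"(\d)(?:\.(\d))?", protocol)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else (0, 0)

def assess(protocol, suite):
    """Return findings for a negotiated protocol and cipher-suite description."""
    version = parse_version(protocol)
    tokens = set(re.split(r"[^A-Za-z0-9]+", suite.upper()))
    findings = []
    if version < MIN_VERSION:
        findings.append(f"protocol {protocol} is older than TLS 1.2")
    for weak in sorted(tokens & WEAK_CIPHERS):
        findings.append(f"cipher {weak} is deprecated")
    if tokens & LEGACY_MACS:
        findings.append("legacy MAC (SHA-1 or MD5) instead of an AEAD suite")
    # TLS 1.3 always uses an ephemeral key exchange, so only check older versions.
    if version < (1, 3) and not tokens & EPHEMERAL_KEX:
        findings.append("no ephemeral (ECDHE/DHE) key exchange: no forward secrecy")
    return findings

def probe(host, port=443, timeout=5):
    """Return (protocol, cipher_name) negotiated with a live server.

    A current Python/OpenSSL client refuses TLS 1.0 and RC4, so a handshake
    failure (ssl.SSLError) against an old endpoint is itself a finding.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

# The values Chrome reported in the answer above.
QUOTED = assess("TLS 1.0", "RC4_128 SHA1 RSA")

if __name__ == "__main__":
    for finding in QUOTED:
        print(finding)
```

To assess a live endpoint, pass the result of `probe(host)` straight into `assess(*probe(host))`.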