Educause Security Discussion mailing list archives

Re: Blocking URLs


From: "Shamblin, Quinn" <qrs () BU EDU>
Date: Wed, 12 Aug 2015 13:10:41 +0000

Melissa Muth and Josh Beeman of University of Pennsylvania have had great success creating a DNS sinkhole.  Melissa 
developed it for UPenn and presented on it at a regional security conference in Dartmouth earlier this year.  They took 
an opt-in approach and, even so, report a 97% drop in compromised machines.  We have invited her to present at the 
annual Boston University Security Camp (another regional mini-conference to be held next week) as well and will make 
the presentation available afterward.

Best,

Quinn R Shamblin
Executive Director of Information Security, Boston University


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
McClenon, Brady
Sent: Friday, July 31, 2015 3:37 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Blocking URLs

How would they “know where everyone at your institution goes on the net?”  Wouldn’t they just know that some device 
with IP address x.x.x.x requested a lookup of a given FQDN?  There’s no release of PII to let them know who is on the 
other end.  Also, we use OpenDNS as forwarders on our DNS servers, so they only know that the request came from a 
device using our DNS servers.  I don’t see any privacy or compliancy issues.


Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta
607-436-3203

“Quotes found on the internet are not always accurate.”  - Abraham Lincoln




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of randy
Sent: Friday, July 31, 2015 1:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Blocking URLs

OpenDNS and RPZ are good solutions. A cautionary note about OpenDNS - they basically become your institution's DNS 
primary. Which means they will know where everyone at your institution goes on the net. There are FERPA, ITAR, PCI, 
GLB, HIPAA issues that you need to examine when considering OpenDNS.
-Randy Marchany
VA Tech IT Security Office

On Fri, Jul 31, 2015 at 1:43 PM, Tevlin, Dave <dtevlin () visi org> wrote:
Just to throw this into the mix on OpenDNS. Cisco announced their intent to acquire OpenDNS yesterday.

Small FYI.

Dave

On Fri, Jul 31, 2015 at 1:22 PM, Chris Green <CGreen () uttyler edu> wrote:
I am looking into OpenDNS now. Am I safe in assuming they used to offer a freemium model, but no more? Can anyone tell 
me what we would be looking at in cost to support roughly 1,500 users?

Thanks,

-C.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Pratt, Benjamin E.
Sent: Friday, July 31, 2015 11:58 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Blocking URLs

At the EDUCAUSE Security Professionals Conference there was a session about using OpenDNS for blocking these types of 
attacks. There are also many other options for controlling DNS to reduce this risk but if someone isn’t using your DNS, 
or is going directly to IPs, then it’s not effective.

--

Benjamin Pratt
ITS Security Team

St. Cloud State University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Chris 
Green
Sent: Friday, July 31, 2015 11:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blocking URLs

All,

We are looking for a cost-effective solution to prevent users from accessing sites when they fall for phishing 
attempts. Right now we are blocking IPs for those sites in our firewall, but this is not a great solution for us as we 
don’t want to load up our firewall with these types of rules, and the majority of these sites use dynamic IPs, so it’s 
a temporary fix at best.

I wanted to see if anyone had come up with a solution for this dilemma that doesn’t involve dropping six figures on an 
application firewall.

Thanks,

-C.

Chris Green
Information Security Officer
University of Texas at Tyler



