Campuswide Malware Protection Over the Cloud: Q&A

Thanks to our partners OpenDNS who presented with us on their cloud-based malware protection service Umbrella. Senior product manager David Thornton (DT) of OpenDNS presented the state of the campus malware threat and how to solve it using the Umbrella solution. We also discussed the integration between Aruba and OpenDNS.

A compilation of the webinar Q&A is now available. Thanks to all who joined the webinar. A copy of the presentation is available. Here is a recording of the presentation on Aruba's website. If you have any questions, please post them here in the comments section.

Q: How can I get more information on the OpenDNS solution?

A: If you would like to trial OpenDNS's Umbrella security service or get started with a free malware audit, email The case studies mentioned in the webinar and more information is available on

Q: In a K-12 scenario, how can we block adult content within Facebook or other services without actually blocking Facebook itself? If this cannot be done yet, when might this be possible for OpenDNS?

A: This is not live today but is something we are working on for later this year with the Umbrella service.

Q: What is the performance impact when using Umbrella?

A: Unlike other security services, most customers actually report a performance improvement when using Umbrella. This is not only because of the engineering efforts in building the fastest, most reliable DNS service but also because we operate some of the world's largest DNS caches with extensive peering. More information on our peering fabric can be found at

Q: Can we use cache servers with the Umbrella service?

A: Forwarding internal DNS caches to Umbrella is a very common deployment method for colleges and universities. Simply point your caches to our resolvers and enter your public/external IP addresses in the Umbrella dashboard.

Q: Botnets relying on IP #'s only are not included? Any thoughts on denylist service in conjunction with DNS?

A: An IP denylist, perhaps operated in conjunction with a traditional stateful inspection firewall focused on ports and protocols, is a recommended additional layer of security. The Umbrella service is not meant to replace the core source/destination network controls of a firewall, and combining the two is a good best practice approach for layered security.

Q: Why do we need a firewall within Aruba if we have a firewall at the edge for the Internet?

A: Edge firewalls are great at stopping stuff that is heading for or leaving your network, but they don't help with the traffic inside the network. For example, if I deployed Eduroam to allow academic roaming across campus, all my faculty, students, and guests would be on the same SSID. How would you secure internal resources? With the Aruba firewall that's easily accomplished by assigning roles based on the user's credentials, and setting up firewall policies for those roles. This can even be done to differentiate students from one another, such as those from the engineering school vs. the business school; you might want to give each access to different resources.

Q: Is there too much overlap between Palo Alto and OpenDNS? If so, what type of firewalls would you get that do not have too much overlap?

A: Palo Alto focuses on providing better visibility and control into application traffic on your network, so you can monitor how Facebook is utilized, or prevent Facebook games and do things like allow people to read streams on Twitter, but not post. This level of control is not currently offered by the Umbrella service -- instead, we focus on a highly scalable and manageable way to prevent and contain malware infections, without requiring the purchase of additional expensive hardware for in-depth analysis (proxying) of web traffic. As mentioned previously, a traditional stateful inspection firewall is a good complement to the Umbrella service.

Q: Is the integration that Aruba has with Palo Alto the same as the integration that Aruba has with OpenDNS?

A: These are different services, each with their own interfaces and functions. They will not be exactly the same integration as they don't perform the same functions, and are delivered in two different ways from two different companies.