1. COMPETITIVE COMPARISON AND EVALUATION
OpenDNS Enterprise vs. Web Proxies or Firewall Filters
OpenDNS (step 1) delivers Internet-wide security and Web filtering leading competitive solutions,
(step 2) which rely on lower performance, less effective Web proxy or firewall filter platforms.
Replacing these traditional heavyweight solutions can significantly reduce on-going maintenance and secure Internet
connections faster from every device on any number of networks, anywhere (compare the first two rows below).
Alternatively, adding OpenDNS will extend protection to unmanaged devices or network locations where existing
solutions are cost prohibitive, as well as reduce much of the unwanted heavyweight traffic from configured devices and
networks clogging your existing solutions (compare the last two rows below).
LIGHTWEIGHT TRAFFIC STEP 1 STEP 2 HEAVYWEIGHT TRAFFIC
OpenDNS
AUTHORITATIVE SAFE, FAST, SMART, ALL DEVICES, NO CLIENT SECURE, FAST TCP SERVERS
DNS SERVERS RELIABLE RESPONSES OR NETWORK CHANGES INTERNET CONNECTIONS AND SITES
NO LATENCY
NO BOTTLENECKS
Web Proxy or Firewall Filter
AUTHORITATIVE NOT ALWAYS RELIABLE, CLIENT SETTINGS/SOFTWARE SOME SECURE, BUT SLOW, TCP SERVERS
DNS SERVERS CONSISTENT RESPONSES OR NETWORK TOPOLOGY CHANGES INTERNET CONNECTIONS AND SITES
1 OR MORE ISPs PROXY FILTER
Web Proxy or Firewall Filter plus OpenDNS
AUTHORITATIVE SAFE, FAST, SMART, ALL DEVICES, PLUS SECURE, FEWER SLOW, TCP SERVERS
DNS SERVERS RELIABLE RESPONSES ANY EXISTING CHANGES INTERNET CONNECTIONS AND SITES
PROXY FILTER
OpenDNS protects every device, which supports Bring Your Own Device (BYOD) programs, and secures every Internet
connection, via a user interface not bloated with unused, complex bells and whistles. Like Web proxies and firewall
filters, OpenDNS filters inappropriate sites for compliance, yet can easily scale from 1 to 1000s of network locations.
! BENEFIT SOLUTION " OpenDNS In-the-cloud Web Proxies On-premises Web Proxies On-premises Firewall Filters
Protect every on-net device
without client or network changes # $
Easy to manage without any
$
MANY REQUIRE NEW
software or hardware to maintain # % ON-PREMISES TRAFFIC
TO REDIRECT
DEVICES
Secure any Internet connection –
any application, protocol or port # $
Filter inappropriate sites and
grant overrides to select users #
Scale to 1000s of network
locations cost-effectively # $
For more information please visit: www.opendns.com or call 877-811-2367
2. Many security vendors focus on its solutions’ efficacy to block threats,
but gloss over its usability or performance.
USABILITY It is not uncommon for Web proxies and firewall filters to take days
Vendors often assume administrators are to weeks before it is effectively enforcing devices and reporting
investing their time in addition to their activity. Add on training to learn how to manage all the complex
organization’s money to use the solution, bells and whistles, many which go unused, and on-going
so they do not focus on how easy it is to: maintenance to address performance or efficacy issues, and the
ownership cost increases. OpenDNS can enforce every device – on
• provision and setup, any network – and report activity within an hour of asking for an
• enforce and report, evaluation trial. Our simple Web-based management interface and
issue-free operation, means you set and forget it.
• manage and maintain.
PERFORMANCE Often Web proxies and firewall filters are deployed within the
Also, vendors often offer cryptic or rather network using a less redundant topology than if they never existed,
meaningless specifications regarding the which can result in new points of failure. They add new hops for
product’s performance, which do not Internet connections and/or processes applied to Internet traffic,
always accurately reflect its: which can increase latency and decrease throughput; leading to less
happy users. OpenDNS simply replaces a mandatory, already in-use
• reliability and resiliency, service provided by Internet Service Providers (ISP). Our Anycast and
• connection speed, and SmartCache technologies enable faster, more reliable Internet
connections relative to most ISPs, by reducing hops and processes.
• bandwidth throughput.
EFFICACY Web proxies, in particular, provide minimal network coverage
Finally, while vendors may claim they have depending on the setup of managed devices or networks. Often
superior threat intelligence and only traffic sent by configured browsers is protected; not Web-
prevention, consider more completely its: based outbound botnet traffic from infected devices’ malicious
software. The Web may be the most used protocol, but it is one
• network coverage, amongst hundreds that threats utilize and proxies are blind to.
• threat coverage, Firewalls often only filter by destination for Web traffic; some using
a built-in Web proxy. Firewalls filtering other protocol or application
• accuracy and traffic often do not distinguish between good or bad destinations
timeliness. for this traffic. OpenDNS ensures that malware, phishing,
inappropriate sites and botnets never touch your network,
regardless of application, protocol, port or device. OpenDNS
maximizes the return on your security investments.
PE
TY
RF
ILI
OR
AB
LOW TCO,
MA
The evaluation matrix on the following page provides
US
HIGH ROI,
N
more detail on how OpenDNS’s in-the-cloud solution
CE
HAPPY
USERS compares to Web proxies – delivered in-the-cloud or on-
premises – or on-premises firewall filters. We believe that
you will draw the same conclusions, that OpenDNS
EFFICACY delivers a more usable, high performance and effective
solution than competitors’ traditional solutions.
3. SOLUTION OPENDNS WEB PROXIES FIREWALL FILTERS
Delivery
• In-the-cloud • In-the-cloud • On-premises • On-premises
Platform
USABILITY
• Lightweight DNS query • Receive and deploy • Receive and deploy
• Heavyweight TCP traffic
redirection without appliance per site appliance per site
redirection per site
network topology changes • Heavyweight TCP traffic • Significant configuration
Provision • Requires network
for 1 to 1000s of sites redirection per site to control network traffic
& Setup • No appliances or client
topology change, client
• Requires network flow is likely required to
software or setting
software topology change, client migrate from current
changes
• No client setting changes software or changes firewall
• Network-level granularity • User-level granularity via • Network-level granularity
• User-level granularity via
via public IP directory integration via internal IP
directory integration
Enforce • Grant override requires complex setup or • User-level granularity
requires complex setup
& Report permissions to users network-level granularity requires complex setup
• Data retention limited by
• Full data retention for 2 • Data retention often • Data retention limited by
internal storage available
years with no hidden fees limited or else extra fees internal storage available
• Simple set and forget • Often security rules are • OS patch conflicts or • Complex and focused on
• No OS patches or complex, and require upgrade downtime network management, not
appliance upgrades fine-tuning to reduce • Often security rules are policy or security, so it is
Manage &
• No security rule tuning false positives/negatives complex and require fine- often confusing
Maintain • SSL or auth. issues tuning • If SSL or auth. is
• No site exceptions to
address SSL decryption require frequent site • SSL or auth. issues included, then issues will
or authentication issues exceptions require site exceptions require site exceptions
PERFORMANCE
• No outages since launch • Many have had outages • Often reduced network • Sometimes reduced
Reliability &
in 2006 despite SLA redundancy in topology or network redundancy in
Resiliency • Uses Anycast IPs • Lack Anycast IPs else expensive topology
• No new latency • Adds new latency due to • May add new latency
• Often reduced response • Adds new latency due to another intermediate hop depending on internal
Connection
time via SmartCache one or more intermediate • Spikes in traffic will processes and the
Speed • Spikes in traffic will not hops cause noticeably slower number of add-on
cause slower speeds speeds features enabled
• Virtually unlimited via • Likely unlimited, but • Limited by resources • Limited by resources
Bandwidth
lightweight queries & heavyweight traffic available on appliance or available on appliance or
Throughput responses redirection can be limited server; often a bottleneck server
EFFICACY
• Depending on setup, only • Depending on setup, only • Any on-net device;
• Any on-net device; managed devices and managed devices and managed or not
managed or not configured browser configured browser • Filters by destination over
Network
• Filters by destination over applications applications HTTP/S, 80/443
Coverage any application, any • Filters by destination over • Filters by destination over • May include protocol or
protocol and any port only HTTP/S and ports only HTTP/S and ports application filters, but
80/443 80/443 not by destination
• Industry-leading • Ineffective outbound • Ineffective outbound
outbound botnet protection due to protection due to • Outbound protection
protection inadequate network inadequate network usually not a focus
Threat • Inbound malware and coverage coverage • Inbound protection is
Coverage phishing protection • Inbound protection use • Inbound protection use usually via 3rd-parties so
• Web filtering categories proprietary and/or 3rd- proprietary and/or 3rd- efficacy is not controlled
for regulatory & AUP party systems party systems • On-par Web filtering
compliance • On-par Web filtering • On-par Web filtering
• Proactive protection is • Not usually a core focus
Accuracy & • Often need to fine-tune • Often need to fine-tune
updated 24x7 via of business or products,
security rules to prevent security rules to prevent
Timeliness engineers and partners so accurate or timely
inaccuracies inaccuracies
• Very few false positives protection may suffer
*Cisco acquired ScanSafe & IronPort
For more information please visit: www.opendns.com or call 877-811-2367