Websense Web Security Gateway vs. OpenDNS


Friday, Mar 02, 2012

I’ve had a few customers ask me recently about how we compare to OpenDNS. We only run across OpenDNS once in a while, typically for extremely price-conscious customers. But cheap comes at a cost and when the solution is insufficient the savings can’t be justified.

OpenDNS works by using its cloud-based DNS servers as the URL filter database. Since the vast majority of web requests require a DNS lookup to map a domain name to an IP address, it filters by resolving an objectionable domain to a block page address rather than to the real web site.

OpenDNS sells to a lot of schools, so let’s look at a relevant example:

Consider a case where a site's domain-level category is allowed, but parts of the site violate Children's Internet Protection Act compliance. For instance, Playboy inside of Facebook, or the numerous other porn sites that hide within social networking sites. If social networking is allowed, then all that porn comes through within these sites (even more so on user pages shared within social circles). So the number of cases where students will see porn when they shouldn’t—a false negative—is much higher with OpenDNS. All it takes is one or two incidents exposed at the local school board level to realize the solution is far from sufficient.

And OpenDNS has a number of pretty severe shortcomings vs. Websense Web Security Gateway:

  • The system has no user awareness. Policies are set by IP address range only, so there is no granularity. For example, you can only set one policy per network. This can be problematic if you want to set less restrictive policies for one group (e.g., teachers) than another (e.g., students).
  • They don’t actually inspect any content in real-time. They rely on either their users identifying and reporting bad or inappropriate sites or open-source public black lists. These mechanisms are not at all good at detecting new or modified threats. Websense collects 3-5 billion pieces of content per day from the internet and has built real-time analytics on-box to accurately identify content from web pages that change every day—be it to catch web-based malware or categorize inappropriate content.
  • They block at the domain level, not the page level. A DNS query resolves only the host name, never the individual page path, so you get one-size-fits-all filtering. All Facebook pages are treated the same, with no ability to identify malicious or inappropriate pages within the domain.
  • Modern malware comes from trusted, well-known domains that OpenDNS allows, with no real-time analysis of lures, redirects, or web-page content.
  • A long list of other traditional URL filter features are missing: quotas, policies by time of day, etc.
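To make the domain-versus-page distinction concrete, here is a small added simulation (my own illustration, not code from OpenDNS or Websense) that compares a DNS-style filter, which only ever sees the host name, with a path-aware filter. The domain names, addresses and block lists are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample policy; addresses are documentation ranges standing in for real ones.
BLOCK_PAGE_IP = "192.0.2.1"      # where a filtering resolver sends blocked domains
REAL_IP = "198.51.100.10"        # stand-in "real" address for everything else
DNS_BLOCKED_DOMAINS = {"adult.example"}
# Paths within an otherwise-allowed domain that a page-level filter would catch.
PATH_BLOCK_PREFIXES = {"socialnet.example": ["/pages/adult-brand"]}


def dns_filter_resolve(hostname):
    """Simulate a filtering DNS resolver: the host and every parent domain are checked
    against the block list; a hit answers with the block-page address."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in DNS_BLOCKED_DOMAINS:
            return BLOCK_PAGE_IP
    return REAL_IP


def dns_level_decision(url):
    """A DNS-based filter never receives the path, only the host name."""
    host = urlsplit(url).hostname or ""
    return "block" if dns_filter_resolve(host) == BLOCK_PAGE_IP else "allow"


def page_level_decision(url):
    """A proxy or gateway sees the full URL, so it can block a page inside an allowed domain."""
    if dns_level_decision(url) == "block":
        return "block"
    parts = urlsplit(url)
    for prefix in PATH_BLOCK_PREFIXES.get((parts.hostname or "").lower(), []):
        if parts.path.startswith(prefix):
            return "block"
    return "allow"


def compare(urls):
    """Return (url, dns_decision, page_decision) so false negatives of the DNS approach stand out."""
    return [(u, dns_level_decision(u), page_level_decision(u)) for u in urls]


if __name__ == "__main__":
    sample = [
        "http://adult.example/anything",              # blocked either way
        "http://www.adult.example/gallery",           # subdomain of a blocked domain
        "http://socialnet.example/pages/adult-brand", # DNS filter lets this through
        "http://socialnet.example/pages/school-club", # legitimate page, allowed by both
    ]
    for row in compare(sample):
        print(row)
```

The third sample row is the false negative the post describes: the resolver answers for `socialnet.example` before the browser ever sends the path, so only a filter that inspects the request itself can act on it.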

By the way, Websense Web Security Gateway just won TWO SC Magazine awards:

  • Best Enterprise Security Solution
  • Reader’s Trust Award

So the review experts and the customers seem to agree!

