What's new at Infoblox - 2013
NIOS Versions 6.6 – 6.8
18.11.2013
1 | © 2013 Infoblox Inc. All Rights Reserved.

What's New in NIOS 6.6
• Support for New Products
• Infoblox DNS Firewall
• Enhancements for Service Providers
• IPAM Integration into RIR
• 4030 Enhancements
• Trinzic Product Family
• Trinzic Reporting
• Infoblox Load Balancer Manager
• WAPI
• Trinzic IPAM
• Administration and Operational
• Nurturing

How does the DNS Firewall work?
[Diagram labels: Malware Data Feed from Infoblox; Dynamic Policy Update; Dynamic Grid-Wide Policy Distribution; Infoblox DNS Firewall / Recursive DNS Server; Infected Client; Link to malicious www.badsite.com; Contact botnet; Apply Policy; Block / Disallow session; Redirect; Landing Page / Walled Garden; Write to Syslog and send to Trinzic Reporting]

Infoblox DNS Firewall – New Trinzic Reporting Option
• Information Provided
  – List of Top Infected Clients
  – What malicious domains were requested and # of requests
  – Mitigation performed (e.g. Redirect, Block, or Pass)
  – Lease history by MAC address via drilldown option
• Enabling
  – Pinpoint infected client by MAC address and by physical location
    - Explore the full lease history for dynamic environments
  – Near real-time mitigation or assignment to task lists
[Screenshot: Security Policy Violations report; callout "Click to view history for this IP"]

DDI Product Family Enhancements – continued
• Infoblox Load Balancer Manager
  – Enhanced to support F5 BIG-IP Global Traffic Manager synch groups
• WAPI
  – New REST API
  – Allows access to data from applications in unsecured and secured (https) modes
  – More information can be found
• Choice of NIOS version on bloxHub
  – NIOS 5.1r5 or r6 (latest version)
  – NIOS 6.3, 6.4, 6.5 (latest version)

DDI Product Family Enhancements – continued
• Trinzic IPAM enhancements
  – Default Smart Folders (unmanaged and conflict)
  – IP Map default view is Advanced mode
  – bloxHub Widget
    - Provides real-time technical and product information to the user
    - Enables quick access to the bloxHub community

Administration and Operational Enhancements
• Staged Grid Upgrade of DNS and DHCP is now enabled during an Infoblox Grid upgrade
• Approval Workflow enhancements for IT groups
• LDAP Authentication

Nurturing Enhancements
• Specifying TTL Settings for Lame Servers
• Ignoring DHCP Client ID
• Reservation name should be listed first in Name column
• Extensible Attributes (EAs) types – Required, Recommended, Optional

What's New in NIOS 6.7

Agenda
Features
• DHCP Fingerprinting
• Internationalized Domain Names
• REST API Enhancements
• IB-4030 Enhancements
Customer Requested Enhancements
Summary

DHCP Fingerprinting – How It Works
Laptop – DHCPDISCOVER option sequence: 1,15,3,6,44,46,47,31,33,121,249,43
[Diagram labels: DHCPDISCOVER; DHCPOFFER; DHCPOFFER (X)]
Tablet – option sequence: 1,3,6,15,119,78,79,95,252

Internationalized Domain Names
• Display Internationalized Domain Names (IDNs) in both their native character set and Punycode via the Infoblox GUI and APIs
• Benefits
  – Simplify management for non-Latin character DNS names
  – Improve management of web presences worldwide
  – Reduce confusion of web site internationalization efforts

Customer Requested Enhancements
• IPAM Plugin – supports VMware Cloud orchestrator (vCO) 5.1
  – VMware Cloud Director (vCD) and vCO can talk to each other for more simplified workflows
• Per Member Forwarder – Infoblox can now forward regional queries for a zone of type forward to the regional remote name servers
  – This limits WAN traffic by better regionalizing it
• Zone Transfer Enhancement – Infoblox added advanced GUI-configurable options. Offers better flexibility to handle certain customer environments
• Small Network Discovery – We have expanded our discovery engine to include /31 and /32 networks, so the discovery engine can now scan any network size, all the way down to a /32

What's New in NIOS 6.8

Agenda
Appliance Platform Update
• 10GE Platforms
• vNIOS Update
NIOS 6.8 Release
• Named ACL
• EA Inheritance
• Multi-Tab Dashboard
• QoS Marking (DSCP)
• IB-4030 NIC failover
• DNS Response Logging and Capture
• Recursive Delete Permission
• Recurring NIOS Discovery

New: vNIOS TE-V100; vNIOS Platform Update
Renaming vNIOS for VMware IB-BOB on Cisco UCS Express to TE-V100
• Patch release of NIOS 6.7
• Same documented performance as before, but 55GB disk, 1 GB memory
TE-V100: Support for VMware ESXi, Microsoft Hyper-V, (& Cisco UCS Express)
• More choices for the branch
TE-V4010 (not a recommended VM)
• Not on pricelist – requires ARB and management approval
• Does not perform equivalent to IB-4010
• Use case: Gridmaster > 1.8M objects
vNIOS for VMware ESXi 5.1 Support
• Patch release of NIOS 6.7
• Dropping support for ESXi 4.0
Riverbed is moving to ESXi on the new EX platforms
• RIOS 8 allows installing ESXi on top of RIOS (“VSP”) on EX platforms – testing continues, i.e. this is not supported yet.
• Note: EX platforms are also capable of running RIOS 7 with NIOS 6 “vNIOS for Riverbed”
• Older platforms will continue to be supported with “vNIOS for Riverbed” – some are only NIOS 5 capable (250, 550)
[Figure labels: Trinzic V820; Trinzic V810; Trinzic 100; Branch Office; Trinzic V100]

Trinzic DDI and Trinzic Reporting 10GE
• Connectivity to 10GE network infrastructure
• DDI and Reporting platforms
• Factory mounted, new platform SKUs (i.e. not a FRU)
• 4 ports (replace system copper ports, i.e. they are not active)
• Mixed SFP and SFP+ (e.g. for 1GE Copper management interface or 1GE-SX for transition from 1GE to 10GE)
  – SFP+ Short Range 10GE (SR) (Infoblox part)
  – SFP+ Long Range 10GE (LR) (Infoblox part)
  – SFP+ Direct Attach (10GSFP+Cu) (HP HpJ9283B / CiscoSFPH10GBCU5M – reference, not an Infoblox part)
  – SFP Short Range 1GE (SX) (Infoblox part)
  – SFP Long Range 1GE (LX) (Finisar part FTLF1318P3BTL – reference, not an Infoblox part)
  – SFP Copper 1GE (Infoblox part)
Platforms: IB-4010, TE-2220, TE-2210, TE-1420, TE-1410
TR-1400, TR-2200, TR-4000

Infoblox Trinzic DDI Appliances
• Hardened operating system – now Common Criteria certified
• Centralized management, software updates and reporting
• Remote management: lights out management IPMI 2.0; UID
• Easy & fast repairs; local spares for PSU*, disks*, fans**
• Redundancy for PSU*, disks**, fans**
• Scalable solution with different performance levels and choice of physical and virtual platforms
• Flexibility: DC PSU and SFP fiber interfaces *
• Go green! Latest, low power technology
* 1400, 2200, 4000 series
** 2200, 4000 series
[Platform positioning chart, labels in slide order: IB-4030 | Highest Performance DNS Cache, DDOS Protection | IB-4010 | Large HQ / Data Center; Carrier CO | Trinzic 2220 | Trinzic V2220 | Medium HQ / Central Office | Trinzic 2210 | Trinzic V2210 | Trinzic 1420 | Trinzic V1420 | Regional Office / DR Site | Trinzic 1410 | Trinzic V1410 | Medium / Large Office | Trinzic 820 | Trinzic V820 | Branch / Large Store | Trinzic 810 | Smaller Office / Store | Trinzic V810 | Trinzic 100 | Branch Office | Trinzic V100]
[Riverbed platform labels: RIOS 7 | EX-560 (RB-550) | EX-760 (RB-1050) | EX-1160 (RB-1050) | EX-1260 (RB-2050) | 250 (RB-550) (NIOS 5 only) | 550 (RB-550) (NIOS 5 only) | 1050 (RB-1050) | 2050 (RB-2050) | 5050 (RB-2050) | AXP (NIOS 5 only)]

New Features in NIOS 6.8

Named Access Control Lists (ACL)
– ACLs for DNS, file distribution and the GUI simplify repetitive single access control entries (ACEs), improving administration efficiency.
• With NIOS 6.8 create and manage ACLs
• Convert existing ACEs into an ACL
• Introduces the ability to test ACLs for efficiency, errors and duplications
[Screenshot callouts: New Selection; Convert into List; New Tab; Action Panel]
[Screenshot callouts: Reduce OPEX; Validating List]

Extensible Attributes Inheritance
With extensible attributes inheritance one avoids adding extensible attributes individually to a network block so that subnets and ranges within that block have the same extensible attributes.
With NIOS 6.8 we enable the inheritance of extensible attributes key/value pairs from their parents.
  - Descendants in lineage can inherit attributes so users do not have to configure it at object levels
  - You can also define other options for inheritable extensible attributes, such as network view -> network container -> network -> range -> host/fixed address/reservation inheritance chain
  – Also enables users to override inheritance and provide an alternative value for the child
• Benefits
  – Increases the use of extensible attributes for tagging DNS, DHCP and IPAM objects information useful in search, filtering and organization of that information (Smart Folders).
  – Reduces manual entry of extensible attribute & automates the allocation of extensible attributes on DNS, DHCP and IPAM objects.

DNS Response Logging / Capture
• Logging DNS query responses on Infoblox DNS Servers offers information for troubleshooting, research and identifying security issues
• In addition to DNS queries, you can also capture DNS responses in the syslog or export them in a capture file through the reporting server
• Benefits
  – Debugging / troubleshooting: misconfigurations or lack of DNS records
  – Security: Identifying poisoning
  – Security: See & log the actual DNS responses sent to the client; forensic research
  – Security: internal policies from the Security team
Example: query A record
  07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;
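
A sketch of how the response log entries from the DNS Response Logging slide could be parsed and screened for changed answers, as an added example that is not Infoblox code. The pattern is modelled on the single sample line on the slide; the ';' separator between several answers, the function names and every sample line after the first are assumptions constructed here.

```python
import re

# Modelled on the one sample line on the slide. Assumption: several answer
# records, when present, are separated by ';' like the single one shown.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#(?P<port>\d+) (?P<proto>\w+): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"response: (?P<rcode>\S+) (?P<flags>\S+)(?: (?P<answers>.*))?$"
)

def parse_line(line):
    """Return a dict for one response-log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["answers"] = []
    for rr in (m.group("answers") or "").split(";"):
        parts = rr.split()
        if len(parts) >= 5:  # owner, TTL, class, type, rdata
            rec["answers"].append((parts[3], " ".join(parts[4:])))
    return rec

def find_answer_changes(lines):
    """Report responses whose rdata differs from the first answer set seen
    for the same (name, type): a lead to review, not proof of poisoning."""
    baseline, findings = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NOERROR":
            continue
        key = (rec["qname"].rstrip(".").lower(), rec["qtype"])
        got = {rdata for rtype, rdata in rec["answers"] if rtype == rec["qtype"]}
        if got and not got <= baseline.setdefault(key, got):
            findings.append({"ts": rec["ts"], "client": rec["client"],
                             "name": key[0], "expected": baseline[key], "got": got})
    return findings

# First line is the slide's example; the rest are constructed for this sketch.
SAMPLE = [
    "07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:17:02.410 client 10.120.20.77#40112 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:19:31.655 client 10.120.20.198#57411 UDP: query: A2.foo.com IN A response: NOERROR +AED a2.foo.com. 60 IN A 192.0.2.50;",
    "07-Apr-2013 20:19:40.001 named[2211]: zone transfer finished",
]

if __name__ == "__main__":
    for finding in find_answer_changes(SAMPLE):
        print(finding)
```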

DiffServ code point (DSCP) Marking
• DNS traffic prioritization is essential for organizations that are dependent on DNS for their core applications/services.
  - For instance, mobile/wireless service providers that use DNS in their mobile infrastructure for resolving access point names (APNs) when selecting signaling gateways and roaming gateways are required to prioritize DNS traffic over regular or other best-effort network traffic
  – Ability to configure the DSCP value for all outgoing traffic
  – Classify and manage your critical network traffic
  – Implements quality of service (QoS) rules
• Benefit
  – Ensures DNS service continuity
  – Offers a mechanism for prioritizing DNS traffic
[Diagram labels: Priority DNS; Fast DNS]

Nurturing Features
• Recursive Delete Permission
  You can now restrict recursive deletions of networks and zones to specific groups of users through the Infoblox GUI. Users who can perform recursive deletions are presented with the options of deleting a parent object only or deleting the parent object and all its child objects, when they delete a network container or DNS zone.
• Recurring NIOS Discovery
  When you configure a network discovery, you can now define a recurrence pattern that repeats on a regular basis. The appliance automatically starts the recurring discovery based on the configured schedule.

Trinzic Reporting

Trinzic Reporting Deployment
[Diagram labels: Grid Master; VM; Grid Members; Reporting Grid Member; Grid Member; Grid Member]

Historical Views and Trending
Reporting Views of Integrated DNS, DHCP & IPAM Discovery
[Diagram labels: DNS; DHCP; Network; IP Endpoints; Switch/Routers]

Thank you