What's new at Infoblox - 2013
NIOS Versions 6.6 – 6.8
18.11.2013
1 | © 2013 Infoblox Inc. All Rights Reserved.
What's new in NIOS 6.6
What’s New in NIOS 6.6
Support for New Products
• Infoblox DNS Firewall
Enhancements for Service Providers
• IPAM Integration into RIR
• 4030 Enhancements
Trinzic Product Family
• Trinzic Reporting
• Infoblox Load Balancer Manager
• WAPI
• Trinzic IPAM
Administration and Operational
Nurturing
How does the DNS Firewall work?
[Figure: DNS Firewall workflow with numbered steps 1 to 6. Labels: Malware Data Feed from Infoblox; Dynamic Policy Update; Dynamic Grid-Wide Policy Distribution; Infoblox DNS Firewall / Recursive DNS Server; Infected Client; Link to malicious www.badsite.com; Contact botnet; Apply Policy; Block / Disallow session; Redirect; Landing Page / Walled Garden]
[Figure: Infoblox DNS Firewall / Recursive DNS Server: Write to Syslog and send to Trinzic Reporting]
Infoblox DNS Firewall – New Trinzic Reporting Option
• Information Provided
– List of Top Infected Clients
– What malicious domains were requested and # of requests
– Mitigation performed (e.g. Redirect, Block, or Pass)
– Lease history by MAC address via drilldown option
• Enabling
– Pinpoint infected client by MAC address and by physical location
- Explore the full lease history for dynamic environments
– Near real-time mitigation or assignment to task lists
[Figure: Security Policy Violations report; "Click to view history for this IP"]
DDI Product Family Enhancements – continued
• Infoblox Load Balancer Manager
– Enhanced to support F5 BIG-IP Global Traffic Manager synch groups
• WAPI
– New REST API
– Allows access to data from applications in unsecured and secured (https) modes
– More information can be found on bloxHub
Choice of NIOS version
– NIOS 5.1r5 or r6 (latest version)
– NIOS 6.3, 6.4, 6.5 (latest version)
DDI Product Family Enhancements – continued
• Trinzic IPAM enhancements
– Default Smart Folders (unmanaged and conflict)
– IP Map default view is Advanced mode
– bloxHub Widget
- Provides real-time technical and product information to the user
- Enables quick access to the bloxHub community
Administration and Operational Enhancements
• Staged Grid Upgrade of DNS and DHCP is now enabled during an Infoblox Grid upgrade
• Approval Workflow enhancements for IT groups
• LDAP Authentication
Nurturing Enhancements
• Specifying TTL Settings for Lame Servers
• Ignoring DHCP Client ID
• Reservation name should be listed first in Name column
• Extensible Attributes (EAs) types – Required, Recommended, Optional
What’s New in NIOS 6.7
Agenda
Features
• DHCP Fingerprinting
• Internationalized Domain Names
• REST API Enhancements
• IB-4030 Enhancements
Customer Requested Enhancements
Summary
DHCP Fingerprinting – How It Works
[Figure: a Laptop and a Tablet each send a DHCPDISCOVER; two DHCPOFFER labels, one marked X]
Laptop: Option Sequence 1,15,3,6,44,46,47,31,33,121,249,43
Tablet: Option Sequence 1,3,6,15,119,78,79,95,252
Internationalized Domain Names
• Display Internationalized Domain Names (IDNs) in both their native character set and Punycode via the Infoblox GUI and APIs
• Benefits
– Simplify management for non-Latin character DNS names
– Improve management of web presences worldwide
– Reduce confusion of web site internationalization efforts
Customer Requested Enhancements
• IPAM Plugin – supports VMware Cloud orchestrator (vCO) 5.1
– VMware Cloud Director (vCD) and vCO can talk to each other for more simplified workflows
• Per Member Forwarder – Infoblox can now forward regional queries for a zone of type forward to the regional remote name servers
– This limits WAN traffic by better regionalizing it
• Zone Transfer Enhancement – Infoblox added advanced GUI-configurable options. Offers better flexibility to handle certain customer environments
• Small Network Discovery – We have expanded our discovery engine to include /31 and /32 networks, so the discovery engine can now scan any network size, all the way down to a /32
What's new in NIOS 6.8
Agenda
Appliance Platform Update
• 10GE Platforms
• vNIOS Update
NIOS 6.8 Release
• Named ACL
• EA Inheritance
• Multi-Tab Dashboard
• QoS Marking (DSCP)
• IB-4030 NIC failover
• DNS Response Logging and Capture
• Recursive Delete Permission
• Recurring NIOS Discovery
New: vNIOS TE-V100; vNIOS Platform Update
Renaming vNIOS for VMware IB-BOB on Cisco UCS Express to TE-V100
• Patch release of NIOS 6.7
• Same documented performance as before, but 55GB disk, 1 GB memory
TE-V100: Support for VMware ESXi, Microsoft Hyper-V, (& Cisco UCS Express)
• More choices for the branch
TE-V4010 (not a recommended VM)
• Not on pricelist – requires ARB and management approval
• Does not perform equivalent to IB-4010
• Use case: Gridmaster > 1.8M objects
vNIOS for VMware ESXi 5.1 Support
• Patch release of NIOS 6.7
• Dropping support for ESXi 4.0
Riverbed is moving to ESXi on the new EX platforms
• RIOS 8 allows ESXi to be installed on top of RIOS (“VSP”) on EX platforms – testing continues, i.e. this is not supported yet.
• Note: EX platforms are also capable of running RIOS 7 with NIOS 6 “vNIOS for Riverbed”
• Older platforms will continue to be supported with “vNIOS for Riverbed” – some are only NIOS 5 capable (250, 550)
[Figure: Trinzic V820; Trinzic V810; Trinzic 100; Trinzic V100; Branch Office]
Trinzic DDI and Trinzic Reporting 10GE
• Connectivity to 10GE network infrastructure
• DDI and Reporting platforms
• Factory mounted, new platform SKUs (i.e. not a FRU)
• 4 ports (replace system copper ports, i.e. they are not active)
• Mixed SFP and SFP+ (e.g. for 1GE Copper management interface or 1GE-SX for transition from 1GE to 10GE)
• SFP+ Short Range 10GE (SR) (Infoblox part)
• SFP+ Long Range 10GE (LR) (Infoblox part)
• SFP+ Direct Attach (10GSFP+Cu) (HP HpJ9283B / CiscoSFPH10GBCU5M – reference, not an Infoblox part)
• SFP Short Range 1GE (SX) (Infoblox part)
• SFP Long Range 1GE (LX) (Finisar part FTLF1318P3BTL – reference, not an Infoblox part)
• SFP Copper 1GE (Infoblox part)
[Figure: IB-4010; TE-2220; TE-2210; TE-1420; TE-1410; TR-1400; TR-2200; TR-4000]
Infoblox Trinzic DDI Appliances
• Hardened operating system – now Common Criteria certified
• Centralized management, software updates and reporting
• Remote management: lights out management IPMI 2.0; UID
• Easy & fast repairs; local spares for PSU*, disks*, fans**
• Redundancy for PSU*, disks**, fans**
• Scalable solution with different performance levels and choice of physical and virtual platforms
• Flexibility: DC PSU and SFP fiber interfaces *
• Go green! latest, low power technology
* 1400, 2200, 4000 series
** 2200, 4000 series
[Figure: platform positioning. Models: IB-4030; IB-4010; Trinzic 2220 / V2220; Trinzic 2210 / V2210; Trinzic 1420 / V1420; Trinzic 1410 / V1410; Trinzic 820 / V820; Trinzic 810 / V810; Trinzic 100 / V100. Positioning labels: Highest Performance DNS Cache, DDOS Protection; Large HQ / Data Center; Carrier CO; Medium HQ / Central Office; Regional Office / DR Site; Medium / Large Office; Branch / Large Store; Smaller Office / Store; Branch Office]
RIOS 7
EX-560 (RB-550)
EX-760 (RB-1050)
EX-1160 (RB-1050)
EX-1260 (RB-2050)
250 (RB-550) (NIOS 5 only)
550 (RB-550) (NIOS 5 only)
1050 (RB-1050)
2050 (RB-2050)
5050 (RB-2050)
AXP (NIOS 5 only)
New Features in NIOS 6.8
Named Access Control Lists (ACL)
– ACL for DNS, file distribution and GUI simplifies repetitive single access control entries (ACE), improving administration efficiency.
• With NIOS 6.8 create and manage ACLs
• Convert existing ACEs into an ACL
• Introduces the ability to test ACLs for efficiency, errors and duplications
[Figure: screenshot callouts: New Selection; Convert into List; New Tab; Action Panel; Validating List; Reduce OPEX]
Extensible Attributes Inheritance
With extensible attributes inheritance, one avoids adding extensible attributes individually to a network block so that subnets and ranges within that block have the same extensible attributes.
With NIOS 6.8 we enable the inheritance of extensible attribute key/value pairs from their parents.
- Descendants in the lineage can inherit attributes, so users do not have to configure them at the object level
- You can also define other options for inheritable extensible attributes, such as the network view -> network container -> network -> range -> host/fixed address/reservation inheritance chain
– Also enables users to override inheritance and provide an alternative value for the child
• Benefits
– Increases the use of extensible attributes for tagging DNS, DHCP and IPAM object information useful in search, filtering and organization of that information (Smart Folders).
– Reduces manual entry of extensible attributes and automates the allocation of extensible attributes on DNS, DHCP and IPAM objects.
DNS Response Logging / Capture
• Logging DNS query responses on Infoblox DNS Servers offers information for troubleshooting, research and identifying security issues
• In addition to DNS queries, you can also capture DNS responses in the syslog or export them in a capture file through the reporting server
• Benefits
– Debugging / troubleshooting: misconfigurations or lack of DNS records
– Security: Identifying poisoning
– Security: See & log the actual DNS responses sent to the client; forensic research
– Security: internal policies from the Security team
Example: query A record
07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a2.foo.com IN A response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;
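The response-log line shown for DNS Response Logging can be parsed for triage. The following Python is an added example, not Infoblox code: the field layout is inferred from the single sample line on the slide, the other log lines are constructed, and the names `parse_line` and `changed_answers` are hypothetical. It flags names that were logged with more than one answer set, one simple signal for the poisoning use case listed above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout inferred from the one sample line on the slide; other cases are assumptions.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) (?P<proto>UDP|TCP): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"response: (?P<rcode>\S+) (?P<flags>\S+)\s*(?P<answers>.*)$"
)

def parse_line(line):
    """Parse one response-log line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["port"] = int(rec["port"])
    rec["qname"] = rec["qname"].rstrip(".").lower()
    answers = []
    for rr in rec["answers"].split(";"):      # answer records are ';'-terminated
        parts = rr.split(None, 4)             # owner, TTL, class, type, rdata
        if len(parts) == 5 and parts[1].isdigit():
            owner, ttl, rclass, rtype, rdata = parts
            answers.append((owner.rstrip(".").lower(), int(ttl), rclass, rtype, rdata))
    rec["answers"] = answers
    return rec

def changed_answers(lines):
    """Return {(qname, qtype): sorted rdata} for names logged with more than one answer set."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        rdata = frozenset(a[4] for a in rec["answers"] if a[3] == rec["qtype"])
        if rec["rcode"] == "NOERROR" and rdata:
            seen[(rec["qname"], rec["qtype"])].add(rdata)
    return {k: sorted(set().union(*v)) for k, v in seen.items() if len(v) > 1}

# First entry is the slide's example line; the others are constructed in the same layout.
SAMPLE = [
    "07-Apr-2013 20:16:49.083 client 10.120.20.198#57398 UDP: query: a2.foo.com IN A "
    "response: NOERROR +AED a2.foo.com. 28800 IN A 1.1.1.2;",
    "07-Apr-2013 20:31:18.902 client 10.120.20.198#51220 UDP: query: a2.foo.com IN A "
    "response: NOERROR +AED a2.foo.com. 60 IN A 203.0.113.66;",
    "07-Apr-2013 20:31:20.005 client 10.120.20.77#40990 UDP: query: b1.foo.com IN A "
    "response: NOERROR +AED b1.foo.com. 300 IN A 198.51.100.7;",
    "not a response log line",
]
```

Names served by round-robin or CDN records change answers legitimately, so the output is a starting point for review against a known baseline rather than a verdict.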
DiffServ code point (DSCP) Marking
• DNS traffic prioritization is essential for organizations that are dependent on DNS for their core applications/services.
- For instance, mobile/wireless service providers that use DNS in their mobile infrastructure for resolving access point names (APNs) when selecting signaling gateways and roaming gateways are required to prioritize DNS traffic over regular or other best-effort network traffic
– Ability to configure the DSCP value for all outgoing traffic
– Classify and manage your critical network traffic
– Implements quality of service (QoS) rules
Benefit
– Ensures DNS service continuity
– Offers a mechanism for prioritizing DNS traffic
[Figure: Priority DNS; Fast DNS]
Nurturing Features
• Recursive Delete Permission
You can now restrict recursive deletions of networks and zones to specific groups of users through the Infoblox GUI. Users who can perform recursive deletions are presented with the options of deleting a parent object only or deleting the parent object and all its child objects, when they delete a network container or DNS zone.
• Recurring NIOS Discovery
When you configure a network discovery, you can now define a recurrence pattern that repeats on a regular basis. The appliance automatically starts the recurring discovery based on the configured schedule.
Trinzic Reporting
Trinzic Reporting Deployment
[Figure: Grid Master; VM Grid Members; Reporting Grid Member; Grid Member; Grid Member]
Historical Views and Trending
Reporting Views of Integrated DNS, DHCP & IPAM
[Figure: Discovery; DNS; DHCP; Network; IP Endpoints; Switch/Routers]
Thank you