Infoblox Core Network Services solution

Table of contents:
1. INFOBLOX - AUTOMATION AND RESILIENCE FOR CORE NETWORK SERVICES
2. ISSUES OF CORE NETWORK SERVICES ON AD HOC PC SYSTEMS
   - Management and maintenance
   - Security concerns
   - Reliability concerns
   - Scalability issues
3. ADVANTAGES OF THE INFOBLOX SOLUTION
   - Simplify
   - Secure
   - Strengthen
   - Total Cost of Ownership
4. ADVANTAGES OF THE INFOBLOX GRID SOLUTION
   - Centralized visibility and control with streamlined workflow
   - Centralized back-up and restore
   - Centralized monitoring and reporting
   - Automatic disaster recovery mechanisms
5. INTRODUCING INTEGRATED IP ADDRESS MANAGEMENT
6. INTRODUCING PORTIQ
7. FORTIFYING MICROSOFT ACTIVE DIRECTORY
   - Difficult to assign and log IP addresses in a controlled way
   - Limitations in the MS DNS protocol engine
   - The challenge of orphan records and scavenging
   - Propagation delay of DNS changes
   - Dependency between DNS and Active Directory
   - Infoblox as dedicated DNS/DHCP solution in support of Microsoft AD neutralizes these issues
   - Using Infoblox as the foundation for many applications
   - SOX-BASEL2 compliance reporting and IP Address Management
8. THE INFOBLOX OFFERING
1. Infoblox - automation and resilience for core network services
Infoblox is the pioneer and focused developer of Core Network Service Appliances for DNS,
DHCP, IP Address Management, File Distribution and NTP. The Infoblox solution helps companies
provide automation and resilience for these core network services.
The fast growth of IP connected devices and users, together with their dynamic and mobile
nature, is turning networks into anonymous places. Infoblox core network service appliances
provide the essential foundation for identity-driven networks (IDNs), delivering simple, secure,
and reliable core network services including DNS, DHCP, IP Address Management, File
Distribution and NTP. The integrated Infoblox approach combines the simplicity of appliances
with the power of advanced distributed database technology to achieve centralized control and
visibility and utility-grade resilience, unparalleled by conventional solutions based on legacy
software.
The Infoblox Grid solution provides an appliance based infrastructure that offers automation and
resilience for all core network services. The Infoblox Grid solution provides core network services
such as DNS, DHCP, IPAM and other related protocols like (T)FTP/HTTP file distribution and
NTP in a unified solution delivered in the form of dedicated hardware under central management.
Automated failover and disaster recovery mechanisms guarantee non-stop operation. This can be
achieved by replacing legacy software and servers by core network service appliances, managed
from one master appliance.
Offering dedicated hardware with a purpose-built operating system (NIOS), the Infoblox Grid
solution provides the following advantages:
- A standardized core network services infrastructure for all applications throughout the network,
including centralized visibility and control, delegated administration and advanced reporting.
- Better security in terms of attack mitigation, network access control and compliance reporting.
- Advanced high-availability mechanisms with immediate and stateful hardware or service failover.
- Automated disaster recovery mechanisms which allow easy and fast resolution in case of
critical outages.
2. Issues of core network services on ad hoc PC systems
While all core network services, such as DNS and DHCP, are similar (they all consist of a
database and an associated access protocol), they have until now been implemented using
unrelated, ad-hoc systems on various PC platforms (e.g. Dell server, SUN server, ...) running
various general purpose operating systems (e.g. Microsoft, OpenBSD, Solaris, ...).
Traditionally core network services such as DNS, DHCP and others are deployed in an ad-hoc
fashion as software applications on a mix of hardware and operating systems, managed by
various consoles and people.
Furthermore, the IP number plan and overview of active IP devices in the network often resides in
an isolated spreadsheet. This provides challenges in terms of consistency (out of date info),
sharing (how to delegate parts of the IP number plan) and reporting (real time and historic usage
of IP addresses).
As the demands on networks grow, network administrators spend increasingly precious and
limited resources addressing the following issues and challenges:
Management and maintenance
Provisioning, deploying and maintaining servers and updating the underlying operating systems
and core network service applications. No automation of tasks, no centralized visibility and
control of IP devices, no easy delegation of tasks, and a lack of centralized reporting/auditing.
Security concerns
Keeping up to date with the latest OS and application patches, responding to new attacks,
controlling network access, and a lack of auditing tools for compliance with regulations.
Reliability concerns
Ensuring non-stop operation and "dial-tone-like" availability for DNS/DHCP and other core
network services.
Scalability issues
Dealing with the growth in network identity databases (IP, MAC, User,…) and the need to
distribute core network services across the enterprise to minimize latency and ensure
redundancy.
Recognizing the urgent need for unified, manageable, secure, and scalable core network
services, Infoblox is the first and only company to approach network services as a unified solution,
deployed and managed as critical network infrastructure.
3. Advantages of the Infoblox solution
As indicated, Infoblox bundles core network services such as DNS/DHCP/IPAM and others in a
unified solution delivered in the form of dedicated appliances under central management.
Offering dedicated hardware with purpose built firmware, the Infoblox solution provides the
following advantages:
Simplify
- Centralized visibility and control, with delegated administration and advanced
reporting/auditing.
- The Infoblox solution eases installation, configuration and maintenance. Instead of
building the core network service component yourself (e.g. a DNS name server using BIND
on Linux), which needs time and expertise, just plug in the Infoblox appliance and create
your first domain name, zone or DHCP range in minutes.
- Easy configuration of all aspects through the graphical WebGUI, with built-in error
prevention, automation and migration tools.
- Upgrading the Infoblox appliance needs just a few clicks in the GUI, including easy
rollback to previous firmware versions.
- A simpler and shorter learning curve for administrators (no complex BIND options to learn).
- Integrated IP Address Management for the inventory of your networks and connected
devices. Just create host objects, with all the information you want tied to them, and the
Infoblox solution inserts the necessary entries in the DNS and DHCP configuration for you.
Secure
- The purpose-built Infoblox firmware, called NIOS, is much less vulnerable to the many
exploits that exist for general purpose operating systems or network service applications.
Infoblox has a dedicated team of security watchers that build, test and distribute
patches very quickly should a vulnerability be found in NIOS.
- Patching the Infoblox appliance needs just a few clicks in the GUI.
- Built-in DoS attack prevention mechanisms.
- No unused open ports; management traffic is encrypted and authenticated.
- Centralised auditing allows forensic analysis of all events, such as admin changes, or
tracing back which IP address was used by which user/machine at what time.
Strengthen
- The Infoblox appliance can be set up in high-availability pairs for quick and stateful
failover using standard VRRP (e.g. DHCP failover maintaining the complete lease table).
- Automated service failover for all protocols.
- Automated disaster recovery mechanisms across multiple physical locations.
Total Cost of Ownership
- Together the above advantages decrease operational costs, bringing down the
overall TCO of the core network service infrastructure. Detailed cost studies show that,
compared to traditional software-based implementations, the Infoblox solution offers a
return on investment period of 8 to 12 months.
4. Advantages of the Infoblox GRID Solution
The Infoblox Grid Solution provides automation and resilience for all core network services by
replacing the traditional DNS/DHCP software by dedicated core network service appliances.
Infoblox offers a unique ‘Grid’ concept that brings multiple Infoblox appliances under central
administration. Multiple Infoblox appliances that are distributed physically over the network can be
brought under the administration of a single GRID Master appliance. This concept allows central
management of the IP number plan, DNS, DHCP, File Distribution, NTP and others without
having to install separate management software or dedicated and expensive database systems.
Hence, multiple Infoblox appliances can be joined together into a group of members under the
administration of the master appliance. This allows administrators to remotely manage the
configuration and data contained in multiple appliances from the GRID Master.
This Infoblox GRID solution provides the following advantages:
Centralized visibility and control with streamlined workflow
- Centralized visibility and control with automation and delegated administration.
Configure something once and assign it to the complete Grid. With multi-appliance
configuration and data entry from a single GUI, many operations are streamlined to save
you time. For example, when adding a new DNS zone, it can be created, mapped to several
appliances (as name servers), configured with specific zone parameters, and even have its
contents imported from an existing DNS server, all through one dialog. This approach
simplifies the initial configuration and the ongoing lifecycle management of devices, rather
than having to set up and administer each device independently.
- With the inheritance model you have the granularity to configure settings for a
group of devices while still overriding specific capabilities on an individual device.
- Role-based administration and unified management of administrator accounts allow
delegation and management according to your organization.
Centralized back-up and restore
- As all configuration information for the Grid is available at the master level, easy
single-point backup and restore is possible.
- Facilitates versioning and rollback to previous configuration versions.
Centralized monitoring and reporting
- Operational reports: the real-time monitor gives instant information about the health of
your Infoblox appliances and services.
- NAC reports: all members forward their system events to the master, allowing one-touch
investigation and analysis of IP, MAC and user activity.
- Audit reports: auditing and reporting are available from one point to track administrator
activities at all times. This includes an Undo function to recover from configuration
mistakes.
Automatic disaster recovery mechanisms
- Stateful failover of the Infoblox GRID master to a candidate GRID master.
- If a link fails between the GRID master and a member, the member continues its
services and automatically resynchronizes with the master when the link is restored.
- Should an individual appliance in a remote location suffer a hardware failure, recovery is
as fast as swapping in an empty replacement unit, giving it the same IP address and telling it
which GRID to join. The empty appliance contacts the Grid Master and pulls down its
configuration automatically.
5. Introducing Integrated IP Address Management
IP Address Management is about keeping the information about all your IP networks and their
connected devices in one place. This IPAM inventory holds information such as the
available networks, available IP addresses, used IP addresses, and static and dynamic hosts
with their name, MAC address, location, owner, asset tag number, etc. This inventory is often
kept isolated from the DNS/DHCP configurations in a separate Excel file or database, which is not
always up to date. When a new IP address must be assigned, an administrator always needs
to check the separate IPAM inventory first, followed by a DNS configuration in another console
and a DHCP configuration in yet another console. When the IP address is finally assigned to a
device and configured, the administrator still needs to update the separate inventory with the
extra information of the assignment, such as the device type (e.g. webserver), location (e.g.
Brussels, Floor 2, Rack 3), telephone number, etc. Having this information and the related
DNS/DHCP configurations in separate, disconnected locations imposes some fundamental
challenges:
- Inconsistency of the DNS/DHCP configuration. For example, the DNS configuration was done, but
the IP was not reserved in the DHCP service, leading to duplicate IP addresses.
- The separate IPAM inventory is just a snapshot of a certain moment and never reflects the real
time situation. For example, the separate IPAM inventory only shows the ranges used by DHCP but
doesn't tell anything about the usage of these ranges or the hosts using them.
- Auditing of the network identity aspects becomes difficult. For example: show me which printers I
have at that location, or show me the DHCP history of a certain host or user.
Infoblox has recognized these challenges and has developed built-in IP Address Management
(IPAM) as an integral part of the solution. Infoblox has combined today’s state-of-the-art
technology for data management—a semantic database—and today’s state-of-the-art vehicle for
network services delivery—purpose-built appliances—to deliver the first integrated DNS, DHCP,
and IPAM appliance. Unlike both new and legacy IPAM systems that are add-ons to a data
delivery infrastructure, the Infoblox approach to IPAM can be best summed up as, “built-in, not
built-on”.
Infoblox provides the key IPAM features required by the majority of networked organizations,
including managing DNS and IP address data, real-time and historical reporting on address
usage, role-based access control, and delegated administration. All this is managed from one
central web based GUI.
Instead of doing DNS/DHCP configurations separately, the admin can create a host object which
consolidates and synchronizes all data related to an IP-addressed device (e.g. name, IP address,
MAC address, forward and reverse records, and aliases) into a single logical object. This
ensures synchronization of the data over the life of the device and eliminates the tendency for
outdated or orphaned records to accumulate. Furthermore, extra information can be tied to this
object, such as device type, location, asset tag number, etc. This allows easy investigation and
auditing of all IP connected devices in a network.
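A constructed Python model of the host object idea described above (added here, not Infoblox code; the class and method names, the network and the sample hosts are assumptions): one object owns name, IP, MAC and the extra info fields, and the A record, the PTR record and the DHCP fixed address are derived from it and removed with it, which is what keeps forward DNS, reverse DNS and DHCP from drifting apart.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostObject:
    name: str
    ip: str
    mac: str
    attrs: dict = field(default_factory=dict)   # device_type, location, asset_tag, ...


class Ipam:
    """One network with its host objects; DNS and DHCP entries are derived, never typed in."""

    def __init__(self, cidr):
        self.network = ipaddress.ip_network(cidr)
        self.hosts = {}        # host name -> HostObject
        self.dns = {}          # record owner name -> (type, value)
        self.dhcp_fixed = {}   # MAC -> reserved IP
        self.audit = []        # (action, host name, ip)

    def next_available_ip(self):
        used = {ipaddress.ip_address(h.ip) for h in self.hosts.values()}
        for candidate in self.network.hosts():
            if candidate not in used:
                return str(candidate)
        raise RuntimeError(f"no free address left in {self.network}")

    def create_host(self, name, mac, ip=None, **attrs):
        ip = ip or self.next_available_ip()
        if ipaddress.ip_address(ip) not in self.network:
            raise ValueError(f"{ip} is outside {self.network}")
        if any(h.ip == ip for h in self.hosts.values()):
            raise ValueError(f"{ip} is already assigned")        # blocks duplicate IPs
        host = HostObject(name, ip, mac.lower(), attrs)
        self.hosts[name] = host
        self.dns[name] = ("A", ip)                                  # forward record
        self.dns[ipaddress.ip_address(ip).reverse_pointer] = ("PTR", name)   # reverse record
        self.dhcp_fixed[host.mac] = ip                              # DHCP fixed address
        self.audit.append(("create", name, ip))
        return host

    def delete_host(self, name):
        """Deleting the object removes every derived entry, so nothing is left orphaned."""
        host = self.hosts.pop(name)
        del self.dns[name]
        del self.dns[ipaddress.ip_address(host.ip).reverse_pointer]
        del self.dhcp_fixed[host.mac]
        self.audit.append(("delete", name, host.ip))

    def find(self, **criteria):
        """Answer questions like 'which printers are in Brussels?' from the info fields."""
        return sorted(h.name for h in self.hosts.values()
                      if all(h.attrs.get(k) == v for k, v in criteria.items()))

    def consistent(self):
        """True when every host has exactly its A, PTR and fixed address and nothing else exists."""
        a_recs = {n: v for n, (t, v) in self.dns.items() if t == "A"}
        ptrs = {n: v for n, (t, v) in self.dns.items() if t == "PTR"}
        if set(a_recs) != set(self.hosts) or len(ptrs) != len(a_recs):
            return False
        if any(ptrs.get(ipaddress.ip_address(ip).reverse_pointer) != n
               for n, ip in a_recs.items()):
            return False
        return self.dhcp_fixed == {h.mac: h.ip for h in self.hosts.values()}


if __name__ == "__main__":
    ipam = Ipam("10.1.1.0/24")                      # constructed sample network
    ipam.create_host("printer1.company.corp", "00:11:22:33:44:55",
                     device_type="printer", location="Brussels")
    ipam.create_host("web1.company.corp", "AA:BB:CC:DD:EE:FF", ip="10.1.1.10",
                     device_type="webserver", location="Brussels")
    print(ipam.find(device_type="printer", location="Brussels"), ipam.consistent())
    ipam.delete_host("web1.company.corp")
    print(sorted(ipam.dns), ipam.consistent())
```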
The Infoblox integrated IPAM solution allows automation and delegation of all phases in the IPAM
lifecycle, including architecture, daily operations and insight.
- In terms of architecture, Infoblox includes the following IP Address Management features to
plan and allocate IP and name space:
  - Graphical Network Maps
  - Management of overlapping networks
  - Role-based administration with admin roles and admin groups
  - Granular administration rights down to the individual object level
  - Name Server Groups and templates
  - Split networks and join networks in an easy way
  - Network templates, range/scope templates and fixed address templates
- In terms of daily operations, the solution includes the following IP Address Management
features to provision and manage the IP and name space:
  - Graphical IP Maps
  - Bookmarks
  - Smart Folders to group objects based on IPAM info fields
  - Customizable Web Console with built-in workflow
  - Wizards for popular IPAM tasks
  - Next Available IP
  - Scheduled Changes
  - Recycle Bin with "undo" function
  - DNS Hostname Templates
  - Zone Locking
- In terms of insight, Infoblox offers the following IP Address Management features to analyze
and track the IP and name space:
  - Discovery of IP devices and reconciliation with the IP number plan
  - Customizable Dashboard with links into favorite tasks and GUI panels
  - Audit history with reporting
  - IP address history reports
  - IPAM extensible attributes (IPAM info fields)
  - CSV export
  - Alerts for IP space usage
  - Global search
  - Customizable reporting server with predefined and custom reports
6. Introducing PortIQ
The Infoblox PortIQ appliance provides complete visibility into switch port usage for port capacity
planning, security audits and ease of troubleshooting. With Infoblox PortIQ appliances, network
administrators can quickly identify the location of all connected devices and get reports on how
often network ports are used. With this visibility, IT departments can better plan switch purchases
by utilizing existing ports before making additional purchases and by understanding historical port
usage trends to predict when they will need additional hardware. In addition, the ability to quickly
locate where devices are connected increases security and eases troubleshooting efforts.
The PortIQ appliance uses network discovery to obtain switching infrastructure information in a
fast, non-intrusive way. It uses multiple protocols (such as SNMP, CDP, LLDP and STP) and
methods to gather the information, and works with switches from multiple vendors (Cisco, HP,
Extreme, 3Com, etc.).
With PortIQ appliances in your network you can:
• Gain comprehensive insight into what is connected to your network
• Optimize the utilization of your switch infrastructure
• Improve security by quickly identifying the physical location of devices connected to the
network.
The PortIQ appliance discovers network information and adds it to the Infoblox IPAM database.
Combined with an Infoblox Grid, the Infoblox PortIQ appliance brings powerful new data into the
Infoblox IPAM system.
The PortIQ appliance adds the following information to the Infoblox IPAM database
for each IP address:
Switch Name, Switch Port, VLAN Name, VLAN Number, Switch status, Port Speed/Duplex,
Port/Link status, First seen and Last seen.
Armed with this additional information, network engineers can quickly associate an IP address
with a VLAN and switch to pinpoint trouble spots and resolve problems. This has many
applications, including quickly shutting infected devices off the network when virus or worm
attacks occur, or removing an unauthorized device from the network when it is found by the
Infoblox discovery process.
7. Fortifying Microsoft Active Directory
Microsoft Active Directory is a central data store holding information about the Microsoft users in
a network (name, user group, credentials, etc.). It is often used as an inventory to authorize
access to various applications (e.g. file shares). In a Microsoft environment the Domain Controller
(DC) is the component storing and providing Active Directory information. In order for Active
Directory to operate, the DNS and DHCP services need to function properly.
When a host (e.g. a laptop) is plugged into a network where Active Directory is running, a few
things related to DNS and DHCP happen:
- The host asks for an IP address and the correct options (e.g. which DNS server to use). The
assignment of the IP address and the options is done by the DHCP service.
- Next, the host looks for its Domain Controller (DC) to log on to the MS Windows domain (AD).
The host does this by asking the DNS for the name and IP address of the DC. This information
is present in the DNS in the form of "SRV" records. These service records in DNS advertise
which service lives where in a network, including Microsoft AD services, print services, etc.
- The host contacts the Microsoft DC and logs on to the company's Microsoft domain.
- Finally, the host is also registered in the DNS via a Dynamic DNS update (DDNS). The
DDNS update registers the current name-to-IP mapping of the host in DNS (e.g.
laptop1.company.corp to IP address 10.1.1.10). This way every host can be found on the basis of
its name in the DNS, even if the address is assigned dynamically via DHCP.
Historically, many organizations have turned on DNS and DHCP services on the Microsoft
Domain Controller itself, in many cases because there was no alternative, or because it was the
default setting when installing a DC. While this might seem the easy way, over time some
challenges and limitations were introduced that started to threaten the well-being of the Active
Directory service itself and of many other applications in need of a solid DNS/DHCP operation.
Microsoft and Infoblox started a partnership to overcome the following limitations:
Difficult to assign and log IP addresses in a controlled way
The MS DHCP service is anonymous, making it difficult to control the assignment of IP addresses
based on access control mechanisms. Furthermore, it's not always easy to investigate MS DHCP
events/logs or to trace back which device or user was behind a particular IP address at a given
moment.
Limitations in the MS DNS protocol engine
The MS DNS protocol engine was developed with Active Directory in mind, making it sometimes
insufficient for other applications or functions. As an example, it is hard to restrict who can query
the DNS (ACLs), difficult to delegate isolated tasks to multiple people in a controlled way, there is no
support for special DNS features such as views, auditing is difficult, etc. Unfortunately, as a result
of these limitations, many organizations are obliged to deploy a mix of MS DNS and UNIX DNS.
The challenge of orphan records and scavenging
Orphan records are illegal, outdated name-to-IP-address mappings in the DNS. The name-to-IP-address
mapping of a host is registered in the DNS by means of a DDNS update (Dynamic DNS).
When hosts are mobile, moving continuously in the network (e.g. wireless, from desk to meeting
room, etc.), they continuously change their IP address. As a result a host registers multiple
times in DNS. However, old DDNS updates tend to stay in the Microsoft DNS, polluting it and
possibly making it inconsistent. A workaround for this is to run a frequent scavenging process
on every DC in an attempt to clean the illegal orphan records out of DNS. However, experience
shows that this scavenging process can be cumbersome and inefficient.
Propagation delay of DNS changes
When the Microsoft DNS is running on the DC as part of Active Directory (AD integrated), all
changes in the DNS content are propagated to the other DNS servers using the AD replication
cycle. This means that all changes in the DNS depend on the AD replication cycle to be
communicated throughout the network. Depending on the configuration, in practice the AD
replication cycle can take some time. When users start to be mobile in a network, the replication
traffic and delay can become a challenge.
Dependency between DNS and Active Directory
In an AD integrated DNS environment, DNS and Active Directory are intertwined and completely
dependent on each other. Through the DNS service AD controllers find each other, and
through AD replication DNS information is exchanged. This means that a degradation in one
of these services triggers a chain reaction that can lead to total outages: if the DNS service
degrades, AD services are affected, which in turn brings down DNS, and so on. By separating DNS
from Active Directory, these dependencies can be easily neutralized.
Infoblox as dedicated DNS/DHCP solution in support of Microsoft AD neutralizes these issues
In order to overcome the above challenges and limitations, Microsoft started a partnership with
Infoblox to offer a Microsoft certified DNS/DHCP solution that can be used as a dedicated
component in support of Active Directory, and all the other applications.
By offloading DNS and DHCP from the Microsoft DC to the Infoblox technology, the limitations
described above can be neutralized and the following advantages can be achieved:
- Controlled assignment of IP addresses based on access control mechanisms.
- No limitations in the DNS protocol engine. All features to use DNS at its full potential for all
applications are available in the Infoblox solution (ACLs, RBA, views, auditing, etc.).
- No orphan records. The Infoblox ID grid concept has built-in intelligence to make sure that new
DDNS updates from the same host replace old ones. Also, when the lease of the host's IP
address expires or is disabled, the DDNS registration is removed. This means there is
also no need for scavenging. Furthermore, all mechanisms to support secure dynamic DNS
updates are available, including Microsoft's GSS-TSIG concept.
- Real-time propagation of changes in DNS. As the Infoblox ID grid concept makes sure that DNS
changes are propagated in real time amongst all member appliances, DNS info is always
consistent across the complete network.
- All other Infoblox advantages improving simplicity, security and reliability can also be applied to
the DNS/DHCP service in support of the Active Directory environment.
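To make the orphan-record problem from the previous section and the lease-bound alternative just listed concrete, here is an added Python model (not Infoblox or Microsoft code; the class names, the simplified age-based scavenging and the timeline are constructed assumptions). A roaming laptop re-registers at each new DHCP address, while a file server with a static address registered once and stays in use without ever refreshing its record.

```python
from dataclasses import dataclass
from typing import Optional

SCAVENGE_MAX_AGE = 3600   # constructed: records not refreshed within an hour get scavenged


@dataclass
class ARecord:
    name: str
    ip: str
    updated_at: int                      # simulated clock, in seconds
    lease_expires: Optional[int] = None  # None: static address, never expires


class AppendOnlyZone:
    """Keeps every DDNS update; stale mappings only go away through scavenging."""

    def __init__(self):
        self.records = []

    def ddns_update(self, name, ip, now, lease_seconds=None):
        self.records.append(ARecord(name, ip, now))   # earlier mappings are left in place

    def cleanup(self, now):
        """Simplified age-based scavenging: drop anything not refreshed recently,
        whether or not the host is still on the network."""
        keep = [r for r in self.records if now - r.updated_at <= SCAVENGE_MAX_AGE]
        removed = len(self.records) - len(keep)
        self.records = keep
        return removed

    def lookup(self, name):
        return sorted(r.ip for r in self.records if r.name == name)


class LeaseBoundZone:
    """One mapping per host: replaced on each update, removed when its lease expires."""

    def __init__(self):
        self.records = {}

    def ddns_update(self, name, ip, now, lease_seconds=None):
        expires = None if lease_seconds is None else now + lease_seconds
        self.records[name] = ARecord(name, ip, now, expires)   # replaces the old mapping

    def cleanup(self, now):
        """Remove registrations whose DHCP lease has expired; static ones are kept."""
        gone = [n for n, r in self.records.items()
                if r.lease_expires is not None and r.lease_expires <= now]
        for n in gone:
            del self.records[n]
        return len(gone)

    def lookup(self, name):
        return [self.records[name].ip] if name in self.records else []


def simulate(zone_cls):
    """Constructed timeline: the laptop gets a new DHCP address every 10 minutes
    (1 hour lease); the file server has a static address registered once at t=0."""
    zone = zone_cls()
    zone.ddns_update("fileserver.company.corp", "10.1.1.5", now=0)
    for t, ip in ((0, "10.1.1.10"), (600, "10.1.2.20"), (1200, "10.1.3.30")):
        zone.ddns_update("laptop1.company.corp", ip, now=t, lease_seconds=3600)
    laptop_at_1300 = zone.lookup("laptop1.company.corp")   # are stale mappings visible?
    # t=5000: the laptop's last lease (1200 + 3600) has expired without renewal.
    removed = zone.cleanup(now=5000)
    return {
        "laptop_at_1300": laptop_at_1300,
        "removed_at_5000": removed,
        "laptop_at_5000": zone.lookup("laptop1.company.corp"),
        "fileserver_at_5000": zone.lookup("fileserver.company.corp"),
    }


if __name__ == "__main__":
    for cls in (AppendOnlyZone, LeaseBoundZone):
        print(cls.__name__, simulate(cls))
```

The append-only zone answers three addresses for the laptop at t=1300 (two of them orphans) and the age-based pass later removes the live file server together with them, while the lease-bound zone always answers one address and only drops the laptop once its lease has lapsed.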
Using Infoblox as the foundation for many applications
The Infoblox solution provides a simple, secure and reliable network identity infrastructure that
can be used for many applications in a network. Next to IP Address Management, network
access control and fortifying the Microsoft AD environment, the Infoblox solution can be used for
many other applications. These applications include:
SOX-BASEL2 compliance reporting and IP Address Management
As described in section 5, the Infoblox IPAM feature allows you to manage and monitor your IP
address space. It answers critical questions such as: which host and user at which location is
currently on the network? What is the history of a certain source IP address? Which IP addresses
have been assigned over time to a certain user? Government regulations translated into laws such as
Sarbanes-Oxley (US), Basel2 (EMEA) and HIPAA (health care) stipulate and enforce that compliance
reporting answering these questions needs to be in place. If not, the IT Manager himself might be
held personally responsible in case of incidents that cannot be traced or investigated.
8. The Infoblox Offering
Infoblox offers purpose-built core network service appliances. Built on a proprietary
technology platform with more than 20 patents pending, our technology provides a simple,
secure and reliable solution for enabling nonstop network identity services that are integral to
successfully running all IP applications. Our current products and technologies include:
Infoblox-250, -550, -1050, -1550, -1552 and Infoblox-2000 Appliances
These purpose-built, high-performance appliances serve as the foundation of Infoblox solutions.
They run the proprietary, security-hardened Infoblox NIOS™ network identity operating system.
They can be deployed individually or in high-availability (HA) pairs for optimal core network
services infrastructure resiliency. Multiple Infoblox appliances can participate in an Infoblox GRID
and be managed from one single point of administration.
Infoblox NIOS™ Network Identity Operating System
A hardened, high-performance, proprietary operating system that powers all Infoblox core
network service appliances. The operating system supports both database-level and network-level
failover for nonstop operation. It combines all network identity information into a single
bloxSDB™ semantic database, and the object-oriented API enables easy data migration and
supports custom front-ends and integration with enterprise applications.
Infoblox NIOS™ software
Infoblox NIOS software, running on Infoblox appliances, delivers nonstop core network services—
including DNS, DHCP, IPAM, HTTP, FTP, TFTP, NTP and others—that are critical to the
operation of all IP-based networks. Appliance delivery of these services has become a
recommended industry best practice for any size organization, because appliances are inherently
more reliable, manageable, scalable, and secure than software on general-purpose servers. For
large organizations, distributed Infoblox appliances can be connected into unified Grids that
provide unparalleled management, control, visibility, and service resiliency.
Infoblox NIOS software is a security-hardened, real-time operating system that includes a built-in,
zero-administration database, extensive support for high-availability operation, and
comprehensive capabilities that automate appliance deployment and maintenance and simplify
data management. Infoblox NIOS supports a series of modules that provide a range of network
services, including:
• Naming services via Domain Name System (DNS);
• Addressing services via Dynamic Host Configuration Protocol (DHCP);
• Network visibility and control via IP address management (IPAM);
• Network access control services via the NAC Foundation module and captive portal;
• File delivery services via Trivial File Transfer Protocol (TFTP), FTP and HTTP;
• Time synchronization services via Network Time Protocol (NTP);
• Logging services via Syslog.
Infoblox NIOS software also supports several additional modules that provide unique capabilities:
• The Grid module, which provides patented Infoblox technology for linking distributed
appliances into an Infoblox Grid: a unified, centrally managed system of appliances sharing
a common, real-time distributed database. The Infoblox Grid uses a secure SSL-based
VPN among appliances and also uses sophisticated transaction management technology
to maintain data integrity. This ensures that all appliances in the Grid have timely and
accurate data and that the Grid continues to deliver services without data loss or
corruption in the face of device or WAN failures. Infoblox Grid technology also supports
intelligent data replication to minimize the use of bandwidth in the Grid and to enable
"right-sized" appliances to be deployed at each location.