The Scalar Blog

Who is scalar decisions?

We enable data centre automation through our design, deployment and management focused on 4 key practice areas - virtualization & cloud, data management, networks and security. We hire and partner with the best and tie our success to our clients' success.


DDI Solutions and why you need them in your network

  
  
  
  

Author: Dhiva Navaratnam
Principal Consultant for DDI Solutions

Scalar recently co-hosted an event with our partners Infoblox and F5, in which Cricket Liu, author of the O’Reilly books on DNS and BIND, gave compelling arguments for DNSSEC (DNS Security). Together with the other core network services (like DNS, DHCP and IPAM), it forms the foundation of all IP-based applications, including new security initiatives, convergence applications like VoIP, and growing compliance reporting requirements. Today’s core network services tend to reside on vulnerable, general-purpose operating systems and servers, managed by disparate entities throughout an organization, each with its own manual processes. This makes services difficult to update, manage, and secure, both at the local level and system-wide. This situation is now reaching a crisis point, due in part to the following trends:

  • An explosion in the number and diversity of network users, devices, and policies;
  • An increasing number of attacks specifically targeting the network services infrastructure, such as DNS cache poisoning;
  • The deployment of real-time IP applications such as voice over IP (VoIP), which depend on a robust, highly available core network service infrastructure to function;
  • Compliance with new security regulations such as Sarbanes-Oxley.

The convergence of these trends has led to a greater need than ever for a solution that provides reliable, scalable and secure core network services. Infoblox’s DDI (DNS, DHCP and IPAM) solution addresses the problems inherent in core network services today, such as non-robust designs, no DHCP failover, lack of centralized management, manual IPAM, and manual, error-prone processes, which in turn lead to application downtime and increased costs to businesses. In reality, most problems arise because core network services such as DNS, DHCP, NTP and RADIUS are deployed and managed as separate applications on disparate hardware platforms. Each is susceptible to downtime due to underlying OS vulnerabilities and patching requirements, and each service is managed by several different teams. Infoblox manages the IPAM data as well as the core network services using an integrated database to prevent data inconsistencies. An Infoblox solution will provide high availability and robustness in your core network service infrastructure while consolidating servers, reducing costs and automating complex, error-prone manual tasks.

DNSSEC is another area where Infoblox’s implementation shines. Recently discovered vulnerabilities in DNS implementations allow for DNS cache poisoning attacks, in which a user is redirected to another site via poisoned DNS data, potentially allowing for fraudulent collection of usernames and passwords from unsuspecting users. DNS Security Extensions, or DNSSEC, protects against such attacks by using multiple keys to verify the authenticity and integrity of DNS data. DNSSEC must be deployed at each step in the lookup, from the root zone to the final domain name (e.g. www.scalar.ca). TLDs (top-level domains) such as .gov and .org were signed in 2010, and Canada’s .ca TLD is scheduled to be signed in Dec 2010. This should lead to a mandate to have government websites DNSSEC compliant, as has been the case in the US. Infoblox provides a one-touch zone signing process, eliminating the dozens of steps required to manually sign zones and keep zones and keys up to date. This one-click signing process automates a potentially error-prone task which must be repeated every time a zone is updated (possibly many times a day for large organizations).
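The requirement that every step from the root zone down to the final name be signed can be seen in the sketch below, an added example that is not Infoblox or Scalar code. It models only the DS-to-DNSKEY delegation links (RFC 4034 key tag, SHA-256 DS digest), not RRSIG signature checks, and the zone keys and helper names are constructed for illustration.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical lowercase wire-format owner name: 'ca.' -> b'\\x02ca\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, key bytes."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(zone, rdata):
    """(key tag, SHA-256 digest) that the parent publishes as the child's DS."""
    digest = hashlib.sha256(wire_name(zone) + rdata).hexdigest()
    return key_tag(rdata), digest

def first_broken_link(chain, ksks, published_ds, trust_anchor):
    """Walk root -> leaf; return the first zone whose key-signing key is not
    vouched for by the DS above it, or None if the whole chain links up."""
    expected = {**published_ds, chain[0]: trust_anchor}
    for zone in chain:
        rdata = ksks.get(zone)
        if rdata is None or expected.get(zone) != make_ds(zone, rdata):
            return zone
    return None

# Constructed sample data: the key bytes are placeholders, not real keys.
# Flags 257 marks a key-signing key; algorithm 8 is RSA/SHA-256.
CHAIN = [".", "ca.", "scalar.ca."]
KSKS = {z: dnskey_rdata(257, 8, ("sample-ksk-" + z).encode()) for z in CHAIN}
ANCHOR = make_ds(".", KSKS["."])                         # configured in the resolver
PARENT_DS = {z: make_ds(z, KSKS[z]) for z in CHAIN[1:]}  # DS records held by parents

if __name__ == "__main__":
    print("fully signed:", first_broken_link(CHAIN, KSKS, PARENT_DS, ANCHOR))
    no_tld_ds = {"scalar.ca.": PARENT_DS["scalar.ca."]}  # root holds no DS for ca.
    print("ca. not signed:", first_broken_link(CHAIN, KSKS, no_tld_ds, ANCHOR))
    swapped = {**KSKS, "scalar.ca.": dnskey_rdata(257, 8, b"other-key")}
    print("key not matching DS:", first_broken_link(CHAIN, swapped, PARENT_DS, ANCHOR))
```

The second case mirrors the situation described above: until the TLD is signed and its DS is in the root, a signed scalar.ca zone cannot be validated from the root trust anchor.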

IPv6 adoption will be another business driver towards an appliance-based DDI solution. The IPv4 address range is limited (approx. 4.3 billion IPs worldwide) and is forecast to run out in 2012, helped by the explosion in IP-enabled devices and Internet growth. While IPv4 exhaustion will not affect corporations internally within their intranets, businesses that require routable IPs will be forced to implement IPv6. An IPv6 address is a 128-bit hex address and will not be as easily managed on the command line or in manual spreadsheets as 32-bit decimal IPv4 addresses have been. It will no longer be feasible to manage IPv6 addresses using the current DDI applications.

If all of this doesn’t convince you of the necessity of DDI solutions, I should also mention that with Infoblox and Scalar, you can reduce the capital and operating costs of your network by up to 50%, while boosting availability and application performance. Additionally, IPAM automation yields up to 90% savings in IP management and monitoring related activities, and Infoblox received the highest ranking in Gartner DDI Marketscope of September 2009. Scalar has invested in training and demo gear to ensure we are uniquely positioned to deliver the Infoblox solution.

I encourage you to visit Scalar Labs and view a demo of the Infoblox solution. To schedule a demo with me, just complete the short form here.
