Network News: Infoblox improves IP management, shores up security
Note: This column is part of a new semi-regular feature that highlights current events in UIT's network operations group.
With laptop, smartphone, and tablet use steadily growing on campus, the scope of Internet Protocol (IP) address management has far surpassed desktop computers.
To get a better handle on available IP space across all devices, stabilize the University's IP address management environment, and open up disaster recovery options, UIT's network team deployed Infoblox, the campus DDI management solution for IP addresses, DNS and DHCP.
Some definitions: DDI is an acronym that stands for DNS, DHCP and IP. Domain Name Service (DNS) is a directory for machines on the internet that maps between host names and IP addresses, which UIT provides for all utah.edu domains. Dynamic Host Configuration Protocol (DHCP) allows any device to automatically obtain the correct IP addressing information.
Infoblox's centralized configuration system reduces complexity while improving network stability through consistent use of available IP space, among other things.
Here’s what Network Core Engineer Florian Stellet had to say about Infoblox in practice.
How can departments help new staff get started with Infoblox services?
The best process to obtain access to Infoblox is by making a general service request in ServiceNow. We will need the uNIDs of all team members, as well as the subnets and domains that a team is managing.
When we moved to Infoblox, all users with DDI access were migrated as read-only users. The increase in capabilities and the change in operations made it necessary to design new access policies. The majority of teams with delegated access to our old DDI environment already requested and received required permissions to resume normal operations. For new teams requesting access, we highly recommend prior experience in managing DNS, DHCP and IP Address Management (IPAM) due to the potential impact incorrect configurations can have on production.
What has Infoblox revealed about IP space on campus?
Infoblox provides a number of diagnostic tools that simplify deployment, management, and removal of both IP space and DNS records/zones. The limitations of our old DDI environment and changes in technological requirements have led to configuration on some outdated subnets and domains that no longer aligns with best practices. Infoblox enables us to more easily identify such outdated configurations and realign our environment with current industry standards.
How has Infoblox changed DDI management at the U?
The most significant changes are in the areas of security and scalability. Our old DDI architecture was very limited and didn’t allow for any growth of resource or user needs. Infoblox is highly scalable and can be adjusted for future demand. We’re better able to measure and plan for an increased need of resources which allows UIT to provide a stable and highly available DDI environment. Infoblox makes use of a number of security tools to better protect users from malware and malicious traffic, and gives us greater visibility so that we can make better use of our current IP space. Increased visibility allows us to identify areas where space is under- or over-provisioned and make necessary adjustments.
What kind of feedback have you received from users?
Thus far, the users who’ve provided feedback have responded well to the new tool. They’re able to recognize the increased security, as well as the added stability of the environment. We have numerous requests from departments expressing a desire to migrate from departmental DDI tools to our common UIT architecture.
What should users expect to see within the next year?
The current DDI architecture constitutes a tremendous improvement as compared to the previous design. However, we're planning to make a number of changes not only to comply with current demands but also to build a future-proof architecture and increase the scalability and availability of our service.
One of the most noteworthy changes will be the move towards an Anycast DNS deployment. This will greatly improve the disaster tolerance of DNS. We’re also currently re-designing our DHCP architecture and investigating options for better disaster recovery capabilities, including a possible hybrid DHCP deployment.
If you have any questions about Infoblox, please contact the UIT Help Desk at 801-581-4000 option 1.
- Design phase, RFP and IT governance approval: 2013
- Purchasing process: January to March 2014
- Building and testing new DNS equipment at DDC staging area: April to May 2014
- Installing equipment in final locations: June 2014
- Migrating internal DNS and implementing split DNS: December 2014
- Migrating external DNS: March 2015
- Implementing DNS firewall/response policy zone: May to June 2015
- Disabling recursive DNS on external architecture: December 2015
- Improving wireless DHCP architecture: January to August 2016
- Designing and developing next generation DDI architecture & Anycast DNS: 2016
- Implementing DNS-FireEye integration: August 2016 to January 2017