Transcript of: Secure and Control Your Network! - Aditinet: networking
1 | © 2013 Infoblox Inc. All Rights Reserved. 1 | © 2015 Infoblox Inc. All Rights Reserved.
Secure and Control Your Network! Maurizio Desiderio, Giancarlo Palmieri | Infoblox Italy
Eataly, 26 May 2015
Welcome. Rome, 26 May 2015. Maurizio Desiderio, [email protected]
Infoblox Overview & Business Update
• Founded in 1999
• Headquartered in Santa Clara, CA, with global operations in 25 countries
• Market leadership: Gartner “Strong Positive” rating; 50%+ market share (DDI)
• 7,200+ customers, 75,000+ systems shipped
• 38 patents, 25 pending
• IPO April 2012: NYSE BLOX
• Leader in technology for network control
Total Revenue in $MM (fiscal year ending July 31):
FY2007: $35.0 | FY2008: $56.0 | FY2009: $61.7 | FY2010: $102.2 | FY2011: $132.8 | FY2012: $169.2 | FY2013: $225.0
Diverse Customer Base in All Key Verticals
(Customer logo slide: Technology, Manufacturing, Telecom, Government, Retail, Healthcare, Financial Services, Other; recent new customers; exposure to the industry top 10 leaders in each vertical.)
Analyst Report Highlights
• Infoblox is the leader in DDI brand awareness and 45% of install base
• Infoblox achieved 50% market share, 3X next competitor
• Centrally managing IP services at this degree of scale requires robust DDI solutions
• Ad hoc approaches likely will not be sufficient to meet the security, management, and control challenges facing IT
• DDI — shorthand for DNS, DHCP, and IPAM — is a critical networking technology for every IT organization
• “All Organizations Should Consider Infoblox” -- Gartner
• “Commercial DDI solutions can reduce OPEX by 50% or more”
DNS - From Yellow Pages to Simply the “Yellow Pages”?
One of the most critical services (for a Service Provider it should be considered comparable to the core switches/routers)… just think about the effects in case of an outage!
Continually evolving since its invention 30 years ago towards improving:
• Resiliency
• Stability
• Security
in order to cope with growing usage and evolving attacks and threats.
DNS Resiliency and Stability, facing…
• Internet population and average usage booming
• Increasing numbers of gTLDs or ccTLDs
• Increasing DDoS threats (volume and frequency)
• Effects of this growth impacting all levels of the hierarchy
• IPv6 slow adoption...
Sources: http://www.verisigninc.com/assets/infographic-dnib-Q42014.pdf and http://www.internetlivestats.com/internet-users/#trend
DNS Security – Unsecure by design!
The original DNS specifications did not include security... yellow pages!
Initially designed to be a public database, with authentication and integrity of data out of scope.
DNS Hijackings in the news: 2013 & 2014
(News-clipping slide.)
The Rising Tide of DNS Threats
In the last year alone there has been an increase of 200% in DNS attacks and of 58% in DDoS attacks (1).
With possible amplification up to 100x on a DNS attack, the amount of traffic delivered to a victim can be huge.
33M: number of open recursive DNS servers (2). 28M: pose a significant threat to the global network infrastructure and can be easily utilized in DNS amplification attacks (2).
2M: with enterprise-level businesses receiving an average of 2 million DNS queries every single day, the threat of attack is significant.
Financial impact is huge. Average estimated loss per DDoS event in 2012 (3), chart bars for financial services, a technology company and government: -$7.7M, -$13.6M, -$17M. $27 million: the average loss for a 24-hour outage from a DDoS attack (3).
Top industries targeted (4): Enterprise 42%, Commerce 29%, Retail 22%, Business Services 21%, Media & Entertainment 17%, Financial Services 13%, High Tech 7%, Miscellaneous 5%, Public Sector 5%, Hotels 5%, Healthcare 2%, Consumer Goods 2%, Automotive 1%.
1. Quarterly Global DDoS Attack Report, Prolexic, 4th Quarter, 2013
2. www.openresolverproject.org
3. Develop A Two-Phased DDoS Mitigation Strategy, Forrester Research, Inc. May 17, 2013
4. State of the Internet, Akamai, 2nd Quarter, 2013
Overall Malware Threats Booming
Startling statistics:
• Around 7.8 million new Malware threats per quarter in 2012
• Mobile threats grew about 10X in 2012*
• 855 successful breaches / 174 million records compromised in 2012**
• 69% of successful breaches utilized Malware**
• 54% took months to discover, 29% weeks**
• 92% discovered by external party**
(Charts: New Malware per quarter, Q1 2010 to Q3 2012, scale 0 to 10,000,000; Total Mobile Malware Samples in the Database, 2004 to 2012, scale 0 to 25,000.)
* Source: McAfee Threats Report: Third Quarter 2012
** Source: Verizon Security Study 2012
Security Breaches – 2013: Advanced Persistent Threat is on the Rise….
$300 Million Stolen
“Nasdaq, Visa, JCPenney among hacking victims: prosecutors” (July 25, 2013)
NEWARK, New Jersey (Reuters) - The United States on Thursday named major corporations including Nasdaq OMX Group Inc, New York Times, J.C. Penney Co Inc and Visa Inc as among the victims of what federal prosecutors said is the largest hacking and data breach case prosecuted in the nation.
Security Breaches – 2014: Malware from Yahoo….
“Malware attack hits thousands of Yahoo users per hour”
(CNN) -- A malware attack hit Yahoo's advertising server over the last few days, affecting thousands of users in various countries, an Internet security company said.
In a blog post, Fox-IT said Yahoo's servers were releasing an "exploit kit" that exploited vulnerabilities in Java and installed malware.
"Clients visiting yahoo.com received advertisements served by ads.yahoo.com," the Internet security company said. "Some of the advertisements are malicious."
December 31, 2013
For a time during the attack, which started on Dec. 31, 2013, and was discovered on Jan. 3, 2014, the malware was creating an estimated 27,000 infections per hour.
The Infoblox DNS Firewall Subscription service had identified and blocked the malicious IP before Yahoo noticed the malware.
The DNS Security Challenge
• Securing the DNS platform (HW/OS hardening)
• Defending against threats to the DNS (network and application threats)
• Defending against threats from DNS (application threats)
Automate the Network and its Core Services
(Diagram: the Network (routing, switching…) and the Core Services (DNS / DHCP / IPAM) feed a closed-loop automation cycle: real-time visibility and task automation applications; track and automate change; automate IP management, DNS & DHCP; communicate / take action. Products: Infoblox NetMRI; Infoblox DDI, Trinzic Enterprise.)
Infoblox Grid™ Technology: Simple, Secure and Reliable
Grid: a collection of secure member appliances, all running the same software, providing one or more services (DNS, DHCP, Discovery, File Delivery, NTP etc.)
• Coordinated by the Grid Master
• Sharing a distributed database (with zero maintenance)
• Communicating via an SSL VPN
Provides:
- Centralized visibility and control
- Real time IPAM & discovery
- Monitoring and reporting
- Failover and disaster recovery for services, data & management
(Diagram: the Grid Master with the Grid Manager GUI, a Grid Master Candidate, and Members serving External DNS, DNS/DHCP/NTP, IPAM/DNS, DHCP/NTP and Reporting. Configuration examples of security functions on members: ADP; ADP plus DNS Firewall; DNS Firewall.)
Infoblox Physical and Virtual Appliance
Replacing servers with appliances in branch offices improves performance, provides local survivability and drives compelling ROI.
(Diagram: the Grid Master with its management interface and a Grid Master Candidate; Virtual Grid Members running Infoblox vNIOS virtual appliance software on VMware ESX / ESXi, on Cisco 28/29xx & 38/39xx ISR, and on a Riverbed appliance; Grid Members managing Microsoft® DNS / DHCP agent-less.)
The DNS Security Challenge
1. Securing the DNS Platform
2. Defending Against DNS Attacks
3. Preventing Malware from using DNS
The Infoblox Solution: Secure DNS
• Infoblox Advanced DNS Protection: defend against DNS attacks
• Infoblox DNS Firewall: prevents Malware/APT from using DNS
• Hardened appliance & OS under Grid™ management: secure the DNS platform, manage it easily
Security Risks with Conventional Approach
Conventional Server Approach (multiple open ports):
– Many open ports subject to attack
– Users have OS-level account privileges on server
– Requires time-consuming manual updates
Infoblox Appliance Approach (limited port access, Infoblox Update Service, secure access):
• Dedicated hardware with no unnecessary logical or physical ports
• No OS-level user accounts – only admin accounts
• Immediate updates to new security threats
• Secure HTTPS-based access to device management
• No root-shell access, remote SSH can be disabled
• Encrypted device to device communication
Infoblox Purpose Built Appliance and OS
• Minimal attack surfaces
• HA & Active/Active DR recovery
• Common Criteria Certification
• FIPS 140-2 Compliance
• Encrypted inter-appliance communication (Grid™)
• Centralized management with role-based control
• Secured access, communication & API/WAPI
• Detailed audit logging
• Fast/easy upgrades
• DNSSEC (easy management)
Infoblox Grid™ Technology: Enterprise
(Diagram: the Grid Master with the centralized management interface and IPAM, plus a Grid Master Candidate; in the DMZ, facing the Internet, Grid Members running cache/forwarder DNS and authoritative DNS with DNS Firewall and ADP; internal Grid Members running DHCP failover (failover association), DNS primary and DNS secondary; a Grid Member as Reporting Server.)
Infoblox Grid™ Technology: Service Provider
(Diagram: at the main site, the Grid Master with the centralized management interface, IPAM and a hidden primary DNS, plus a Grid Master Candidate; at Sites 1 to 4, Grid Members running cache/forwarder and secondary DNS behind a load balancer in the DMZ, facing the Internet, with ADP + DFW; a Grid Member as Reporting Server.)
The Infoblox Solution: Secure DNS
• Infoblox DNS Firewall: prevents Malware/APT from using DNS
• Hardened appliance & OS under Grid™ management: secure the DNS platform, manage it easily
• Infoblox Advanced DNS Protection: defend against DNS attacks
The Position
Protect Now or Wait until it's Too Late?
Solution Components and Features
Infoblox Advanced Appliance (PT-1400, PT-2200, PT-4000):
• DNS appliance purpose built with security in mind
• Enhanced processing and dedicated compute for threat mitigation
Infoblox Advanced DNS Protection Service:
• Continuously monitor, detect, and drop packets of DNS-based attacks
• Respond to legitimate traffic even when under attack
• Automatically update for protection against new and evolving threats
• Tune traffic thresholds for rules
• DNS only
Infoblox - Differentiation and Value
Comparison table. Columns: Infoblox Standard, Infoblox Advanced, Load Balancers, Pure DDoS, NGFW, IPS, Cloud. Rows, with the number of columns ticked (the per-column placement of the ticks is not shown in the transcript):
• DNS server: 3
• General DDoS: 3
• DNS DDoS: 4
• DNS server OS and application vulnerabilities: 3
• Flood attacks: 6
• Semantic attacks: 3
• Cache poisoning: 1
• DNS Reflection: 1
• Tunneling: 3
• DNS Amplification: 1
Infoblox Advanced DNS Protection: Fully Integrated into Infoblox Grid
(Diagram: the Infoblox Threat-rule Server sends automatic threat-rule updates to the Grid Master, which performs Grid-wide rule distribution to the Advanced DNS Protection members (external DNS and internal DNS, both new); the members block DNS attacks while letting legitimate traffic through, and send reports to the Reporting Server, which reports on attack types and severity; management interface on the Grid Master.)
What Attacks Do We Protect Against? The Rising Tide of DNS Threats
DNS top attacks:
• DNS amplification: use amplification in DNS reply to flood victim
• TCP/UDP/ICMP floods: flood victim’s network with large amounts of traffic
• Protocol anomalies: malformed DNS packets causing server to crash
• DNS cache poisoning: corruption of a DNS cache database with a rogue address
• DNS hijacking: subverting resolution of DNS queries to point to rogue DNS server
• DNS tunneling: tunneling of another protocol through DNS for data exfiltration
• Reconnaissance: probe to get information on network environment before launching attack
• DNS based exploits: exploit vulnerabilities in DNS software
• Fragmentation: traffic with lots of small out of order fragments
• DNS reflection/DRDoS: use third party DNS servers to propagate DDoS attack
• NXDOMAIN: flood DNS server with requests for non-existent domains
• Phantom Domain: force DNS server to resolve multiple non-existent domains and wait for responses
Infoblox DNS Protection: The Basics of ADP
(Flow diagram of an ADP host appliance: the Smart NIC, running ADP with its DCA cache, sits between the client/Internet and BIND. 1 - DNS query arrives. Threat rule match? Yes: 2 - drop/rate limit. BLK-LIST match? Yes: 3 - synthesized response (pre-recursion). DCA cached? Yes: 3 - DCA cached response. Otherwise BIND is consulted (BIND cached? if not: 4 - recursion, 5 - response). DFW match? Yes: 6 - drop/rate limit or 7 - synthesized response (post-recursion). No: 7 - recursive response to the client.)
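One threat rule from the flow above, the kind that ends in "2 - Drop/Rate Limit", worked as an added example that is not Infoblox ADP code: a sliding-window NXDOMAIN-flood rule with a tunable threshold, replayed over constructed response-log lines. The log format, client addresses, query names and the threshold/window values are assumptions made for the example.

```python
"""Sliding-window NXDOMAIN-flood rule with a per-client rate limit.
Added example, not Infoblox ADP code: log format, client addresses,
query names and the threshold/window values are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed response-log lines: one resolver answer per line.
SAMPLE_RESPONSES = """\
2015-05-26T10:20:00 client=10.1.5.20 qname=k3j9.victim.test rcode=NXDOMAIN
2015-05-26T10:20:01 client=10.1.5.21 qname=www.corp.test rcode=NOERROR
2015-05-26T10:20:01 client=10.1.5.20 qname=p0qz.victim.test rcode=NXDOMAIN
2015-05-26T10:20:02 client=10.1.5.20 qname=77ab.victim.test rcode=NXDOMAIN
2015-05-26T10:20:02 client=10.1.5.21 qname=typo.corp.tset rcode=NXDOMAIN
2015-05-26T10:20:03 client=10.1.5.20 qname=zz1x.victim.test rcode=NXDOMAIN
2015-05-26T10:20:03 client=10.1.5.20 qname=m8m8.victim.test rcode=NXDOMAIN
2015-05-26T10:20:04 client=10.1.5.20 qname=qq2c.victim.test rcode=NXDOMAIN
2015-05-26T10:20:04 client=10.1.5.21 qname=mail.corp.test rcode=NOERROR
2015-05-26T10:20:05 client=10.1.5.20 qname=hh7y.victim.test rcode=NXDOMAIN
2015-05-26T10:20:05 client=10.1.5.20 qname=www.corp.test rcode=NOERROR
2015-05-26T10:20:40 client=10.1.5.20 qname=b4b4.victim.test rcode=NXDOMAIN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>[\d.]+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)")


class NxdomainFloodRule:
    """Tunable rule: more than `threshold` NXDOMAIN answers to one client
    within `window_s` seconds puts that client into rate-limit mode."""

    def __init__(self, threshold: int, window_s: float) -> None:
        self.threshold = threshold
        self.window_s = window_s
        self.nx_times: Dict[str, Deque[float]] = defaultdict(deque)

    def decide(self, ts: float, client: str, rcode: str) -> str:
        """Return 'ALLOW' or 'RATE-LIMIT' for one client/response pair."""
        times = self.nx_times[client]
        while times and ts - times[0] > self.window_s:   # expire old hits
            times.popleft()
        if rcode == "NXDOMAIN":
            times.append(ts)
        # While the client is over threshold even its normal queries are
        # rate-limited; the window slides, so it recovers once the burst ages out.
        return "RATE-LIMIT" if len(times) > self.threshold else "ALLOW"


def run_rule(log_text: str, threshold: int = 5,
             window_s: float = 10.0) -> Tuple[List[str], Dict[str, int]]:
    """Replay a response log through the rule. Returns one syslog-style
    event per offending client and the count of rate-limited responses."""
    rule = NxdomainFloodRule(threshold, window_s)
    events: List[str] = []
    limited: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                      # skip unparsable lines
        ts = datetime.fromisoformat(m["ts"]).timestamp()
        if rule.decide(ts, m["ip"], m["rcode"]) == "RATE-LIMIT":
            limited[m["ip"]] += 1
            if limited[m["ip"]] == 1:                     # report once per client
                events.append(
                    f"adp: rule=NXDOMAIN-flood client={m['ip']} "
                    f"threshold={threshold}/{window_s:g}s action=rate-limit")
    return events, dict(limited)


if __name__ == "__main__":
    for event in run_rule(SAMPLE_RESPONSES)[0]:
        print(event)
```

In a live appliance the verdict applies to the client's next queries; the example evaluates on the response log so it runs offline.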
The Infoblox Solution: Secure DNS
• Hardened appliance & OS under Grid™ management: secure the DNS platform, manage it easily
• Infoblox Advanced DNS Protection: defend against DNS attacks
• Infoblox DNS Firewall: prevents Malware/APT from using DNS
Protect for Real or Play Around?
Protect Now or Wait until it's Too Late?
Infoblox DNS Firewall Blocking Malware
1. An infected device is brought into the office. Malware / APT spreads to other devices on the network (Intranet).
2. Malware makes a DNS query to find “home” (botnet / C&C) on the Internet.
3. Infoblox DDI with DNS Firewall detects & blocks the DNS query to the malicious domain; the blocked attempt is sent to Syslog.
4. Pinpoint. Infoblox Reporting lists blocked attempts as well as the:
• IP address
• MAC address
• Device type (DHCP fingerprint)
• Host name
• DHCP lease history
DNS Firewall is updated every 2 hours with blocking information (IPs, domains, etc. of bad servers) from the Infoblox DNS Firewall Subscription Service (Infoblox Malware Data Feed Service).
Infoblox Malware Data Feed Service
Feed types: Geographic Blocks; Inbound Attacks; Malware Droppers; Botnet C&C / DNS Servers. RPZ data is pushed from the Infoblox Malware Data Feed Service to Infoblox DNS Firewall thru signed XFR.
• 24/7 service
• Data from over 35 different public and proprietary sources – 7 feed types
• Incremental threat data changes are pushed every 2 hours
• Significant threats cause immediate updates (notify)
External Feed: Legge Gentiloni
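The blocking path described on the two slides above (DNS Firewall blocking a query to a malicious domain and logging it to syslog, fed by RPZ data), worked as an added example that is not Infoblox code: a small RPZ evaluator applied to constructed query-log lines that emits one syslog-style event per blocked attempt with the client IP. The zone contents, log format, names and addresses are constructed assumptions; the policy encoding (CNAME ".", "*.", "rpz-drop.", "rpz-passthru.") follows the public RPZ conventions.

```python
"""Toy DNS Firewall: apply an RPZ (response policy zone) to DNS query log
lines and emit syslog-style blocked-attempt events.
Added example, not Infoblox code: zone content, log lines, names and
addresses are constructed; the policy encoding follows the public RPZ
conventions (CNAME ".", "*.", "rpz-drop.", "rpz-passthru.")."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed RPZ zone fragment, as loaded after a (signed) zone transfer.
# Owner names are relative to the zone origin; TTL/class omitted for brevity.
SAMPLE_RPZ = """\
$ORIGIN rpz.example.
@                    SOA   ns.rpz.example. hostmaster.rpz.example. 1 3600 900 604800 60
@                    NS    ns.rpz.example.
; trigger (QNAME)    policy action encoded in the RDATA
evil-c2.test         CNAME .              ; answer NXDOMAIN
*.evil-c2.test       CNAME .
dropper.test         CNAME *.             ; answer NODATA
*.dropper.test       CNAME *.
updates.vendor.test  CNAME rpz-passthru.  ; exception: resolve normally
exfil.test           CNAME rpz-drop.      ; send no answer at all
*.exfil.test         CNAME rpz-drop.
sinkhole.test        A     192.0.2.1      ; local data (walled garden)
"""

# Constructed BIND-style query log lines.
SAMPLE_LOG = """\
26-May-2015 10:15:02.101 client 10.1.2.3#53211: query: www.evil-c2.test IN A + (10.0.0.2)
26-May-2015 10:15:02.388 client 10.1.2.3#53212: query: updates.vendor.test IN A + (10.0.0.2)
26-May-2015 10:15:03.004 client 10.1.2.9#41002: query: data.exfil.test IN TXT + (10.0.0.2)
26-May-2015 10:15:03.550 client 10.1.2.9#41003: query: intranet.corp.test IN A + (10.0.0.2)
26-May-2015 10:15:04.012 client 10.1.2.3#53213: query: cdn.dropper.test IN AAAA + (10.0.0.2)
26-May-2015 10:15:05.777 client 10.1.2.7#60001: query: sinkhole.test IN A + (10.0.0.2)
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

Rule = Tuple[str, str]  # (rrtype, rdata)


def parse_rpz(zone_text: str) -> Dict[str, Rule]:
    """Map each trigger name (lower-case, no trailing dot) to its policy RR."""
    rules: Dict[str, Rule] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()            # drop comments
        if not line or line[0] in "$@":                # directives, apex SOA/NS
            continue
        owner, rrtype, *rdata = line.split()
        rules[owner.lower().rstrip(".")] = (rrtype.upper(), " ".join(rdata))
    return rules


def action_for(rrtype: str, rdata: str) -> str:
    """Decode the action an RPZ rule encodes in its RDATA."""
    special = {".": "NXDOMAIN", "*.": "NODATA",
               "rpz-passthru.": "PASSTHRU", "rpz-drop.": "DROP"}
    if rrtype == "CNAME" and rdata in special:
        return special[rdata]
    return f"LOCAL-DATA {rrtype} {rdata}"              # walled-garden answer


def match(rules: Dict[str, Rule], qname: str) -> Optional[Tuple[str, str]]:
    """Return (trigger, action) for a query name, or None if no rule applies.
    Exact names win over wildcards and longer wildcards win over shorter ones."""
    labels = qname.lower().rstrip(".").split(".")
    candidates = [".".join(labels)] + \
                 ["*." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for trigger in candidates:
        if trigger in rules:
            return trigger, action_for(*rules[trigger])
    return None


def firewall(zone_text: str, log_text: str) -> List[str]:
    """Replay a query log through the policy; return one syslog-style event
    per query the DNS Firewall would rewrite or drop (passthru is silent)."""
    rules = parse_rpz(zone_text)
    events: List[str] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        hit = match(rules, m["qname"])
        if hit is None or hit[1] == "PASSTHRU":
            continue                                   # normal resolution
        trigger, action = hit
        events.append(f"dns-firewall: client={m['ip']} qname={m['qname']} "
                      f"qtype={m['qtype']} rule={trigger} action={action}")
    return events


if __name__ == "__main__":
    for event in firewall(SAMPLE_RPZ, SAMPLE_LOG):
        print(event)
```

The client IP in each event is what the reporting step on the previous slide correlates with the MAC address, DHCP fingerprint and lease history.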
Anatomy of an Attack: Cryptolocker “Ransomware”. Why is DNS Security Important?
• Targets Windows-based computers
• Appears as an attachment to legitimate looking email
• Upon infection, encrypts files: local hard drive & mapped network drives
• Ransom: 72 hours to pay $300US
• Fail to pay and the encryption key is deleted and data is gone forever
• Only way to stop (after executable has started) is to block outbound connection to encryption server
The Infoblox Solution Portfolio
Built on the Infoblox Grid™ (real-time network database) with Infoblox Advanced Reporting, delivered on physical & virtual appliances with 3rd party adapters. Categories: IP Address Management (IPAM), Network Services, Network Automation, Security.
Products: IPAM; Network Insight; IPAM for Microsoft (Windows Server); IPAM for Microsoft System Center Orchestrator; IPAM for VMware vCenter Orchestrator; Infoblox DDI (DNS, DHCP, IPAM); Load Balancer Manager; NetMRI; Switch Port Manager; Security Device Controller; Automation Change Manager; Advanced DNS Protection; DNS Firewall-FireEye Adapter; DNS Firewall Subscriptions.
New Products in Last 12 Months
(Same portfolio map as the previous slide.)
Infoblox Appliances Family
(Deployment tiers from Headquarters to Regional Centers, Branch Offices and Edge/Remote Locations.)
• Trinzic 100, 810, 820, 1410, 1420, 2210, 2220, 4010, 4030
• Trinzic Reporting
• Advanced Appliance: PT-1400, PT-2200, PT-4000
• Network Automation 1400, 2200, 4000
• ND-800, ND-1400, ND-2200, ND-4000
Conclusion – Security by Design
• This is the perfect opportunity to help your customer to review their infrastructure and rebuild the “house properly”
• It is no longer a “Nice to Have” but a “Must Have”
• Most customers have finally acknowledged that their DNS is the weakest link and have to address the issue ASAP
• If I build a house without Emergency Exits, adding them later on is very difficult and expensive.
Market Dynamics: Private Cloud Deployments on the Rise
IT departments increasingly want their own Amazon-like cloud in-house… here is why:
• Cost Savings: commodity gear; better utilization
• IT & Business Agility: faster app roll-out; self-service
• LOB Productivity: less time waiting; more time producing
Private Cloud Perception vs. Reality
How long does it take to deploy a new virtual instance?
• Perception: snap of the fingers; measured in seconds or minutes
• Reality: slow with manual processes; measured in hours, days or weeks
Hidden Achilles Heel for Cloud Deployments
Manual (traditional approach) vs. Automated. The manual flow, triggered by provisioning a virtual instance:
1. Request IP or use allotment
2. Forward IP data for tracking
3. Update database or spreadsheet
4. Request DNS record
5. Allocate and manually enter DNS
6. Clean up when de-provisioned
• Multiple teams and handoffs
• Shortcuts cause gaps and dangers
• Lack of correlated view across the organization
• Risk for compliance and auditing
Cloud Network Pain Points
• No visibility to IP address/DNS records for VM/network resources: no central reporting on lease history, DNS/IP associations
• Lack of reliable DDI for Private Cloud: stability and simplified upgrades of the underlying network inhibit Cloud rollout
• Requires too much administrator overhead: manual IP address/DNS provisioning is slow, error-prone
• Network provisioning is too slow for application delivery: no Amazon-like capabilities, i.e., on-demand, self-service, DevOps
Understanding Cloud Architecture & Where Infoblox Fits
(Layer diagram, top to bottom: Cloud Consumer; Cloud Orchestration Layer / Cloud Management Platform (open source: OpenStack; commercial: VMware vCAC, MS SC/VMM); Hypervisors (VMware ESXi / MS Hyper-V); Physical Infrastructure (compute, storage, network) with network functions: routing, switching, firewalls, load-balancers. Infoblox fits in through Infoblox Adapters for VMware/Microsoft/OpenStack, Infoblox DNS/DHCP/IPAM core network services, and the Cloud Network Automation management UI.)
Infoblox Cloud Network Automation helps you get more agility, scale and reliability from your clouds – with fewer human resources.
Infoblox Cloud Network Automation (Adapters Only)
(Diagram: in the Corporate Data Center, a Grid Master providing corporate-wide DNS, a Reporting Server and a Grid Member for DHCP; in Private Cloud Data Centers 1 and 2, a Grid Member each for internal DNS serving the VMs; CMP 1 with Infoblox adapter (e.g. OpenStack) and CMP 2 with Infoblox adapter (e.g. VMware vCAC) talk to the Grid.)
Infoblox Cloud Network Automation (Cloud Platform)
(Diagram: in the Corporate Data Center, the Grid Master, now with Cloud Network Automation, providing corporate-wide DNS, a Reporting Server and a DHCP member; in Private Cloud Data Centers 1 and 2, new Cloud Platform Appliances serving internal DNS to the VMs, reached over WAPI by CMP 1 with Infoblox adapter (e.g. OpenStack) and CMP 2 with Infoblox adapter (e.g. VMware vCAC).)
Infoblox Cloud Network Automation
1. Integrated adapters: free adapters to integrate with key cloud management / orchestration platforms, leveraging the RESTful API
2. Cloud-focused discovery and visibility: centralized, integrated management user interface; cloud widgets for monitoring cloud network elements; cloud-specific reports
3. Scalable cloud platform deployment: virtual appliances that support communication with Cloud Management Platforms through Infoblox Adapters; deployed per data center to support scale-out
Cloud Network Automation – New GUI (screenshot slide)
Provisioning a VM using a Cloud Management Platform with Infoblox Integration
1. A cloud admin/user requests a VM to be created through the self service portal.
2. The CMP/Orchestrator calls the Infoblox Adapter.
3. The Infoblox Adapter contacts NIOS via WAPI for the next available IP and creates DNS records for the VM.
4. The Grid Master synchronizes the Host record or Fixed Address + A/AAAA/PTR with the Grid Member (DNS/DHCP).
5. The CMP/Orchestrator spins up the VM on the hypervisor.
6. The VM starts up either with an injected static IP or with an IP allocated via a DHCP request to the Member (Fixed Address).
7. The end user accesses the VM using the DNS FQDN.
DDI Support for OpenStack
Description: extend DDI to manage VM networks created by OpenStack.
• Creates/deletes networks via OpenStack UI/CLI/APIs
• Allocates/de-allocates IP addresses when VMs are created or floating IPs are assigned
• Creates/deletes DNS host records or A/AAAA/PTR/CNAME records for allocated IPs
• Provides DNS and DHCP services to VMs
• Manages internal and external networks
Benefits:
• Centralized cross-platform DDI service (OpenStack/VMware/Microsoft compatible)
• High availability
• Operational efficiency
• Lower cost of migration (physical to virtual to cloud)
(Diagram: OpenStack projects 9, 10 and 11, each with their IPs, reach the Infoblox Grid through the Infoblox Adapter API; the Grid Master and Grid Members provide the DDI service, alongside a Reporting Server.)
Delivering the Cloud Promise with Infoblox
Speed deployment times with Infoblox Cloud Network Automation:
• IPAM & DNS automation
• Multi-vendor cloud integration
• Enhanced and extended visibility
• Auditing and compliance
• Centralized and integrated management
• Always-on core network services
The Power of Cloud Network Automation
Manual (traditional approach), triggered by provisioning a virtual instance: 1. request IP or use allotment; 2. forward IP data for tracking; 3. update database or spreadsheet; 4. request DNS record; 5. allocate and manually enter DNS; 6. clean up when de-provisioned.
Automated with Infoblox Cloud Network Automation: provision the virtual instance; steps 1 to 6 are automated.