IP networks are the bedrock of service provider revenue growth, the catalyst for mobilizing enterprise applications and delivering a favored customer experience. Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP) and IP Address Management (IPAM) (or DDI) are all familiar terms and concepts. Yet, there has been a lot of change to support the growing needs of IP networks. DDI solutions have advanced to include DNS security technologies, cloud and network automation of advanced IP services, support for IPv6 capabilities, DHCP client-grade performance and converged services. As critical as this is to your business, and considering the rate of technology development, when was the last time you took inventory of your DDI operations? The following is a brief checklist to help you assess what may be missing from your current DDI practice.
Where Do You Stand? Let’s Find Out.
Combining IP inventory, DHCP and DNS configuration via integrated and automated processes reduces errors, saves time, enhances reporting and visibility, and increases the efficiency and quality of network management. Take the following 10-question self-assessment to see how well your organization is performing. If you are meeting or exceeding the described practices for each category, rate your organization a 10. If you are not meeting any of the practices, rate yourself a 0. And, if you’re somewhere in between, consider the factors described and use your best judgment. In the end, add up the totals, assess your strengths and weaknesses, and see where you need to fill the gaps. Ready? Set? Go…
1. Do We Use Centralized DDI Management?
Using manual spreadsheets, home-grown or non-integrated solutions often results in duplicate entries, keying errors, rework and wasted time, especially in multi-server, multi-platform (e.g., BIND, ISC, and Microsoft) environments. Centralized DDI is the essential networking technology to link branch offices, remote workers, mobile devices, cloud and more. As networks evolve, centralized DDI extends beyond protocol services like single-point data entry, accurate address assignment, inter-system data federation, inventory tracking, change control delegation and name resolution to improve security, gain actionable network insights, and integrate with technology ecosystems.
Your Score ( )
2. Are Our DDI Functions Automated?
Leveraging templates and automating routine tasks such as configuring DNS domains, resource records and reverse zones, and updating IP address, subnet and DHCP pool assignments, saves time, minimizes manual processes, and reduces the errors and rework associated with distributing the same data through various user interfaces to multiple systems. Automation enables adding new services, identifying DNS security breaches, optimizing application performance and gaining deep insight into network properties. It also brings efficient, dynamic IP resource allocation, reduced manual troubleshooting, faster network and service provisioning, better capacity planning and more efficient use of resources.
Your Score ( )
3. Does Our DDI System Support Role-Based Access Control and Delegation?
Depending on the size and reach of an organization, responsibility for DDI management can be assigned to multiple users across subsidiaries, business units, locations, systems, domains or network topology. The ability to define, expand, limit and delegate DDI system administrator and super-user functionality, roles and access to information based on responsibility is critical.
Your Score ( )
4. Do We Maintain High Availability (HA) Services?
Keeping internal and external business-critical apps up and running at peak performance is essential for quality service, brand reputation, and revenue. Deploying DDI services in geo-diverse configurations enables continuity during disaster recovery. Delivering HA apps can also be achieved using multiple DNS servers, DHCP failover solutions and redundant hardware appliances co-located, configured and connected end-to-end, especially for the most critical servers. DNS-based global server load balancers (GSLBs) configured with round robin, ratio, network topology, global or other algorithms provide network visibility and can help balance network traffic to ensure availability and performance of HA services. HA IPAM systems can also be layered on top of DNS/DHCP services to enable always-on, high-performing applications.
Your Score ( )
5. Do We Consistently Monitor DDI Services?
Application availability and performance not only rely on an accurate, timely and consistent deployment of the DDI infrastructure but also require ongoing visibility across the entire network. Do you know what devices are connected to your network anytime, anywhere, and what they’re doing? Are you watching your services to know if they’re up and performing as expected? Are users able to secure IP addresses or hostnames? Can you predict when your IP resources will reach capacity? Should a failure occur, redundant systems will help minimize service outages or performance issues, but having the visibility and forensic tools to monitor, quickly triage, drill down into event and query logs, find the root cause, and resolve and rectify the problem will enable ongoing business continuity.
Your Score ( )
6. Do We Manage Patches and Upgrades Efficiently?
Ecosystems with distributed DNS and DHCP servers often face a tedious and potentially costly, disruptive, error-prone patch and upgrade process. Server inventories must be maintained; hardware, OS and DNS/DHCP versions must be tracked; and compatibilities, resources, costs, logistics, business cycles and schedules must all be considered. Deploying DNS and DHCP appliances with centralized integrated upgrade management enables staging, remote server management, planned kernel, OS and DNS/DHCP updates, rollbacks, and a streamlined version control process that minimizes many of the costs and challenges associated with system maintenance.
Your Score ( )
7. Does Our DDI Enable Core Business Processes and Workflows?
Each business, each IP network and the methods for managing these networks can be very different, but the tools for configuring IP subnet, network topology and device attributes can be less flexible. Customizable systems that allow visibility, search, modification of DNS domains, topology, subnets, resource records, and other extensible attributes like URLs, drop down lists, text boxes and other user-defined elements can help drive core business. Adapting data elements and other extensible attributes to business processes, and integrating IPAM into enterprise workflows, saves costs and enables automation. This makes launching new sites, managing IP address requests, tracking device profiles, working trouble tickets and a host of other processes faster, easier, more accurate and less prone to errors and rework.
Your Score ( )
8. Does Our Reporting Provide Comprehensive Visibility into Our Network?
Pre-built and customizable reporting tools that provide a complete view of the network help to keep applications running, detect security threats, and anticipate resource utilization. Dashboards can deliver visibility into essential network data, access to standard reports, and the ability to build quick custom reports to identify security issues. Reporting also supports audit requests via standard and custom reports and historical views. Advanced reporting tools engage predictive analytics to track and anticipate IP address utilization, support resource planning and avoid outages.
Your Score ( )
9. Is Our Network Protected Against DNS-Based Attacks?
According to recent media reports, 91% of attacks use DNS to infiltrate and exploit their targets. These include DNS DDoS, NXDOMAIN, DNS data exfiltration (through known tunnels), malware, ransomware, and other DNS hijacking exploits. These attacks are growing daily. It’s no longer sufficient for IT teams to rely on infrastructure over-provisioning or response-rate limiting to protect their networks. Teams must be able to distinguish legitimate from malicious queries and respond to the legitimate requests while mitigating the bad actors. Beyond that, the ability to update defenses against new and evolving threats and to communicate needed and actionable network threat intelligence is essential to business continuity and application availability and performance.
Your Score ( )
10. Can We Proactively Identify and Prevent Cyberthreats?
A variety of advanced security tools including Next-Generation Firewalls, threat intelligence research, systems and data exchanges can help prevent data exfiltration and malware command and control (C&C) communications via DNS. These tools enable a rapid investigation to establish context and prioritize threats, centrally aggregate curated internal and external threat intelligence, validate threat data and distribute it to the security ecosystem for remediation.
Your Score ( )
So, how did you do? Surprised? Not surprised? Did you score a 100? Here’s a guide to see where you’re at:
Your Total Score ( )
80-100 Awesome
60-79 Pretty good
40-59 Getting there
20-39 Yikes
0-19 Call Infoblox at 1.866.463.6256 (or visit www.infoblox.com)
What’s Next?
Drilling a bit deeper, where do you excel? What are your most critical priorities? What do you think your team would say? Why not test them and discuss it in a team meeting? Even if you did score 100, you may not be out of the woods. Even companies with the best-protected networks are susceptible to a cybersecurity attack. Comprehensive network visibility enables you to recognize strengths and weaknesses, be ready and have plans in place to keep your organization’s infrastructure available and running at peak performance. If you’re less than peak, it’s likely someone has already found you. Don’t wait. Take action. Close the gaps. You’ll be glad you did.