If you’re making the trek to the big Cisco Live show in San Diego next week, you’ll probably feel pulled in many directions between the keynotes, conference sessions and exhibitor displays. Maybe you’re even looking forward to rocking out with Aerosmith at the big party next Wednesday night. Amid all this excitement, here’s why you should make time to visit Infoblox in booth # 3001: We’ll be demonstrating a groundbreaking integration between our Infoblox DNS Firewall and Cisco ACI.
Let me explain. The Domain Name System, or DNS, is the protocol that converts domain names such as www.abcxyz.com into IP addresses such as 192.168.1.1 that computers use to communicate with each other. That makes DNS a vital part of network infrastructure, and therefore it is important to make DNS infrastructure as secure as possible. Inside a data center, servers can be vulnerable to attacks from malware and advanced persistent threats (APTs). Infected servers can use DNS to communicate with botnets and command-and-control servers to exfiltrate data. The Infoblox DNS Firewall counters these threats by detecting and mitigating communication attempts from malware to command-and-control sites.
Cisco Application Centric Infrastructure (ACI) is a new initiative from Cisco that delivers the flexibility of software along with the scalability of hardware performance when building data centers. ACI’s policy framework offers better security by implementing micro-segmentation architectures for better compartmentalization of networks, going beyond traditional perimeter security provided by firewalls.
Infoblox has built a proof of concept (PoC) that integrates our DNS security solutions with Cisco ACI, which we’ll be showing in our Cisco Live booth.
When the Infoblox DNS Firewall detects a DNS query to a malicious site, the firewall automatically identifies the specific host and its endpoint group in the Cisco ACI fabric by mapping the source IP address of the infected host to the endpoint group that contains it. The Infoblox user interface can be configured with “match-action” rules to specify what actions should be taken, such as:
Blocking the infected host’s IP address through API calls to the Cisco Application Policy Infrastructure Controller (APIC). This is accomplished by adding an Access Control List (ACL) rule to the specific endpoint group (EPG) contract.
Placing the host in quarantine, again through API calls to Cisco APIC. This is implemented by automatically reconfiguring the end host into a separate “quarantine EPG.”
The result: Remedial action is taken before malware on the infected host can inflict any damage.
The Infoblox PoC also demonstrates a method for simplifying and greatly improving policy definitions in APIC by using DNS wildcards and broader Infoblox metadata constructs. This improves security by allowing much more sophisticated policy assignments through DNS wildcards or constructs such as port groups that are represented as metadata in Infoblox.
For example, a generic rule set can be implemented in Cisco ACI such as “block all traffic from *.abcxyz.com” rather than populating specific IP addresses for *.abcxyz.com into a firewall rule. In addition, any additions or removals of the underlying IP addresses in *.abcxyz.com are automatically reflected in the firewall rules by a “match-action” rule defined in Infoblox that calls an APIC API to update the appropriate firewall ACL rule. Any firewall, load-balancer or switch port ACL rule can be created and updated through DNS wildcards.
The “match-action” rules can also be applied to any construct represented as metadata in Infoblox. For example, when a new subnet is added to a port group in Infoblox, APIC can automatically update firewalls and load balancers to reflect the new subnet. This is a powerful capability because security administrators can define rules in a language they are comfortable with, and can fine-tune the rules they set. The built-in automated solution between Infoblox DNS and Cisco ACI ensures that these rules are always kept updated with the correct set of IP addresses.
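To make the two kinds of “match-action” rule described above concrete (a threat hit that maps an infected host to its EPG and chooses block or quarantine, and a wildcard such as *.abcxyz.com whose underlying IP set has to be kept in sync with an ACL), here is an added simulation written for this post; it is not Infoblox or Cisco code. The subnet-to-EPG table, feed names and IP addresses are constructed values, and the output is a planned change rather than a real APIC API call.

```python
"""Simulation of DNS Firewall -> ACI match-action rules (constructed example)."""
import ipaddress

# Constructed table: which ACI endpoint group (tenant, app profile, EPG) owns each subnet.
EPG_BY_SUBNET = {
    ipaddress.ip_network("10.1.10.0/24"): ("tenant-prod", "app-web", "epg-web"),
    ipaddress.ip_network("10.1.0.0/16"): ("tenant-prod", "app-web", "epg-default"),
}
QUARANTINE_EPG = ("tenant-prod", "app-web", "epg-quarantine")

# Constructed match-action rules: the RPZ feed that fired -> action to take.
RULES = {"malware-c2": "quarantine", "suspicious": "block"}


def epg_for_ip(ip):
    """Translate a DNS query's source IP into the EPG containing it (longest prefix wins)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, epg in EPG_BY_SUBNET.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, epg)
    return best[1] if best else None


def plan_action(hit):
    """hit: {'src': source IP, 'qname': queried name, 'feed': RPZ feed that matched}.

    Returns the planned APIC change, or None when no rule applies or the host
    is not in the fabric (e.g. a query from outside the known subnets).
    """
    action = RULES.get(hit["feed"])
    epg = epg_for_ip(hit["src"])
    if action is None or epg is None:
        return None
    if action == "quarantine":
        # Reconfigure the end host into the separate quarantine EPG.
        return {"op": "move_endpoint", "host": hit["src"], "from": epg, "to": QUARANTINE_EPG}
    # Otherwise add a deny entry for the host to the EPG's contract ACL.
    return {"op": "add_deny_acl", "host": hit["src"], "epg": epg}


def reconcile_wildcard(resolved_now, acl_ips):
    """Diff the IPs currently behind a wildcard (e.g. *.abcxyz.com) against an ACL.

    Returns (ips_to_add, ips_to_remove) so the ACL tracks the wildcard's membership.
    """
    current, present = set(resolved_now), set(acl_ips)
    return sorted(current - present), sorted(present - current)
```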
You can see all of this in action at our Cisco Live booth. If you aren’t going to the show and want to know more, please reach out to your local Infoblox sales person.