Financial Services
Major Financial Institutions Depend on Infoblox to Ensure Availability of Networks & Applications
Financial services companies face a slew of daunting IT challenges. Their systems are the key enablers of our global economy, supporting enormous volumes of commercial transactions around the clock, 365 days a year. Availability is paramount: there is simply no tolerance for errors or delays, because minutes of downtime can cost millions. Security is a real and ever-present concern as increasingly sophisticated criminals see financial services companies and their data as high-value targets. Regulatory agencies demand proof of compliance with a wide range of requirements that touch all aspects of IT operations. And all of this occurs in a fiercely competitive industry that pushes people and systems to their limits, demanding the most innovative and flexible systems while carefully scrutinizing every investment in IT systems and personnel.

Within this already challenging environment, the IT organizations of financial services companies are coping with a number of key trends and initiatives, including:

Industry Consolidation
Mergers and acquisitions are fairly commonplace in the financial services industry. Network designers and administrators need powerful and flexible IP address management (IPAM) tools that enable them to bring together and manage complex networks and provide local administrative autonomy while retaining central control, management, and accountability.

Server Consolidation
Cost-cutting mandates are driving a need to reduce branch IT operating costs by taking servers out of branches and consolidating them in the data center. But the need for responsive customer-facing applications and local survivability dictates that core services like DNS, DHCP, and RADIUS must continue to be delivered locally in the branch.

Disaster Recovery
Access to financial services data and applications cannot be interrupted. In a disaster, the first systems that need to be available are those used to deliver and manage DNS and DHCP, so that administrators can quickly map around failed servers and re-partition the network if needed.

PCI
PCI audit requirements include a check for DNS servers and proof that they are up to date and immune to security vulnerabilities.

VoIP
Adding voice services to branch and back-office networks demands a new level of performance and reliability from services like DHCP and TFTP to ensure that phones are always able to connect to the network and retrieve up-to-date software and configurations.

NAC
Headquarters, regional, and branch office networks all require tighter controls on which users and devices are able to gain access to networks and applications. But few organizations have even basic control over DHCP and, therefore, cannot prevent unauthorized users or infected devices from acquiring an IP address.


Inadequacies of Conventional Core Network Services Infrastructure

IT organizations within the financial services sector are increasingly aware of their dependence on core network services to support their complex applications:

  • DNS is essential to just about every application today, including online banking and trading, transaction processing systems, and infrastructure services like Microsoft Active Directory.
  • DHCP is needed to supply addresses for desktops, laptops, mobile devices, and even physical security systems like IP-enabled cameras, security card readers, and door locks. TFTP and HTTP are critical for providing updated firmware and configurations for these devices.
  • IP address management (IPAM) tools are required to enable efficient and error-free allocation of IP addresses and for providing the data needed for tracking users, devices, and network access.
  • RADIUS is critical for providing 802.1x security for both wired and wireless networks.

All of these services must be easy to deploy, easy to manage, available nonstop, and completely auditable to support regulatory requirements.

Shortcomings in conventional core network services solutions (i.e., general-purpose servers, operating systems, and freeware) can unexpectedly disrupt core network services, the applications that depend on them, and general network security. Specific concerns with conventional solutions in a financial services environment include:

  • Security vulnerabilities: General-purpose operating systems and older BIND versions are open to attack, which can compromise system availability and integrity, both essential to maintain in environments where malicious attacks and intrusions are frequent. Maintaining security consumes already limited IT resources that could otherwise be applied to more advanced and pressing projects.
  • High administrative costs: Administrators must choose between using labor-intensive and error-prone manual processes and spreadsheets for managing address and name spaces or using complex and expensive conventional IPAM systems.
  • Poor resiliency: Conventional DNS, DHCP, and RADIUS servers have no built-in support for high availability. Providing disaster recovery typically means choosing between slow, labor-intensive manual processes that compromise recovery times and expensive third-party mirroring systems to keep DR sites ready and up to date.
  • Data silos: Disjointed systems and databases for DNS, DHCP, and RADIUS make it difficult or impossible to track which user and device had a particular IP address or attempted to gain network access.
  • Insufficient administrative control and auditing: Providing granular, delegated administrative rights is often difficult or impossible, and audit logs are often insufficient to enable regulatory compliance.

To provide nonstop core network services, improve security and visibility, support local survivability, and lower operating costs, financial services organizations need to consider a next-generation approach to delivering and managing core network services infrastructure.


Infoblox Core Network Services Platform

The Infoblox core network services platform, with over 22 patents pending, offers significant advantages over conventional or competing alternatives:

Built-in High Availability and Security
Infoblox solutions are based on purpose-built appliance platforms designed to deliver the highest levels of security and availability. The appliances are designed to FIPS 140-1 Level 2 standards and use a locked-down operating system with no unnecessary open ports or services. “One-button” upgrades make it easy to deploy new features or deploy patches should vulnerabilities be discovered.

Built-in high availability (HA) between appliances uses the industry-standard Virtual Router Redundancy Protocol (VRRP) for sub-5-second network failover and, in conjunction with bloxSYNC technology, ensures that data for all services (DNS, DHCP, RADIUS, TFTP, etc.) remains perfectly in sync between active and backup appliances. Support for Anycast DNS leverages existing routers to direct DNS traffic away from non-responsive servers automatically, without any reconfiguration.

Centralized Management and Control
Infoblox grid technology enables a collection of distributed appliances to be managed and operated as a single, unified system. Administrative changes and events, such as issuing an IP lease, are propagated automatically to remote appliances and are visible in real time across the grid.

If an appliance at a remote branch fails, services can be instantly redirected to other appliances. A failed device can be replaced easily with a new device by junior IT personnel: the grid automatically loads the latest software and configuration onto the replacement device in minutes. In the event of a WAN link failure to a data center, local services continue uninterrupted for maximum survivability. This is key to maintaining availability of basic network connectivity and local branch operations in the event of a WAN or data center problem.

Built-In Disaster Recovery
Infoblox grids enable “one-click” recovery from catastrophic failures of major data centers or WAN links. Administrators can configure any number of active appliances to serve as “master candidates” that can be designated as the seat of administration at any time with a single command. Master candidates automatically contact and synchronize with remote appliances and recover full administration for DNS, DHCP, RADIUS, IPAM, TFTP, and all configured services in minutes, with no data loss. This ability to move the seat of administration easily from site to site is used by some financial institutions that routinely “fail over” to backup sites to maintain a constant state of readiness.

Granular Administration and Detailed Logging
Senior IT personnel can define classes of junior administrators that have read-only access to some data and read/write access to a more limited set of data, such as particular networks, DNS zones, or even DNS record types. This enables delegation of administrative tasks to different departments and provides local autonomy while retaining centralized visibility and control. It also prevents lower-skilled personnel from making inadvertent changes to critical configurations and data. All administrative actions are logged, including the name of the administrator and the details of the changes that were made. This data is crucial for complying with administrative audits.

Unique Infoblox Solutions
Infoblox appliances support high-value applications that further leverage the investment in a robust core network services infrastructure:

  • Configuration Management: The TFTP service automatically synchronizes files loaded onto the grid master to all remote appliances. This service can be used to distribute any type of file, including firmware images for routers and IP telephones, antivirus and anti-malware signature files, video and other media files, and more, minimizing WAN utilization and ensuring high-performance, survivable delivery of files at remote sites. For Cisco VoIP environments, the Infoblox Grid Connector for Cisco Call Manager automatically pushes new phone firmware and configuration files to the grid master with no user intervention.
  • Distributed 802.1x Authentication: The RADIUS service automatically distributes user credentials to remote appliances, ensuring that wireless users at branch locations can still authenticate and gain access to the branch network even in the event of a WAN failure. The Infoblox Grid Connector for Microsoft Active Directory automatically detects user password additions, modifications, and deletions on Microsoft domain controllers. The connector pushes the modified data to the grid master for automatic replication to remote appliances, ensuring local survivability for authentication at remote sites with greatly reduced administrative overhead.
  • Network Access Control: The Infoblox NAC Foundation module includes an embedded captive web portal and a policy engine that controls the DHCP module to intelligently assign IP addresses based on user, device, and endpoint policy status. For example, administrators can assign valid, authenticated users with compliant endpoints to the production network, assign visitors to a guest network with access only to the Internet, and can assign unknown users or non-compliant endpoints to a quarantine network. Administrators can use IP lease and log information to later determine which user and device had a particular IP address at any given time.


Summary

Financial institutions are dynamic, fast-changing environments that are expected to deliver flawless services continuously. Their increasingly complex networks and applications require core network services that are secure, robust, flexible, manageable, and cost-effective. Conventional solutions are inadequate for the task. Financial institutions worldwide are turning to Infoblox to provide a proven, next-generation solution for core network services that can keep pace with the demands of an “always-on” economy.

To learn more about Infoblox solutions or to evaluate Infoblox products in your environment, please contact us at info@infoblox.com or call +1.408.625.4200.