Retail
RETAILERS DEPLOY INFOBLOX APPLIANCES TO ENSURE LOCAL SURVIVABILITY OF CRITICAL BACK-OFFICE AND STORE SYSTEMS
Retailers have often been at the forefront of IT innovation as a way to differentiate themselves and gain strategic and tactical advantages over competitors. Because of the razor-thin margins in retail, investments in infrastructure are closely scrutinized to ensure that they deliver incremental revenue and/or reduced operating costs. In addition, retail businesses are heavily affected by any system downtime that compromises their ability to distribute goods, serve customers, and conduct transactions. As such, local survivability of systems, including those deployed in stores and distribution centers (in addition to data centers), is paramount. A further complicating factor is the strain on small IT staffs and the near-total absence of skilled IT personnel at remote locations. The result is a highly automated environment that needs to operate nonstop, without manual intervention to fix problems.

Within this already challenging environment, the IT organizations of retail companies are coping with a number of key trends and initiatives, including:

Rapid Increase in Networked Devices
A wide variety of devices are now IP-enabled and connected to store networks. These include point of sale systems, cameras, refrigeration and climate control systems, physical security devices, shelf displays, kiosks, and the like. As a result, in-store networks are increasingly complex, and the effort required to configure and track each device is outpacing manual approaches. This requires robust DHCP and TFTP services and IP address management (IPAM) tools.

Wireless Initiatives
Mobile connectivity enables store personnel to use hand-held bar-code scanners to check inventory and report back to distribution centers in real time. Wireless networks need to be accessed by a range of people, including store personnel, regional managers who periodically visit stores, suppliers, and even customers, each of whom must be authenticated and requires a different level of network access. This requires highly available RADIUS services for 802.1X authentication.

Server Consolidation
With the number of stores in a typical retail environment and the potential payoff, there is a large impetus to reduce operating costs by taking servers out of stores and consolidating applications in data centers. But the need for responsive customer-facing applications and for local survivability of point of sale (POS) and other critical services dictates that core services like DNS, DHCP, and RADIUS must continue to be delivered locally in each store.

PCI Compliance
Most retailers need to pass PCI audits in order to be authorized to conduct credit card transactions and retain customer data. PCI requirements include an explicit provision regarding DNS, as follows:

“DNS Server Check -- The ASV scanning solution must be able to detect the presence of a DNS server and detect any known vulnerability and configuration issues.”


Disaster Recovery
Access to financial transactions, inventory information, pricing data, and store results must be real-time and always available. In a disaster, the first systems that need to be available are those used to deliver and manage DNS and DHCP, so that administrators can quickly map around failed servers and re-partition the network if needed.

VoIP Adoption
As a way to reduce operating costs, retail stores are looking to deploy VoIP throughout the store network. However, this demands a new level of performance and reliability from services like DHCP and TFTP in each store to ensure that phones are always able to connect to the network and retrieve up-to-date software and configurations.

Network Access Control
As retail networks go wireless and open up to suppliers and customers, it becomes essential to be able to limit different classes of users to different parts of the network. For example, store personnel may need to be restricted to systems in the local store, regional personnel may need access to data center applications while in the field, and suppliers and customers may need access to the public Internet from within store locations. This requires flexible authentication systems and the ability to dynamically provision different types of network access for different types of users. While conventional network access control (NAC) solutions may be appropriate for deployment at headquarters, they typically require large network investments that do not have the payback required by the retail margin model.


Inadequacies of Conventional Core Network Services Infrastructure

IT organizations within the retail sector are increasingly aware of their dependence on core network services to support their complex applications:

  • DNS is essential to just about every application today, including retail transaction processing systems, and infrastructure services like Microsoft Active Directory.
  • DHCP is needed to supply addresses for cash registers, point-of-sale devices, barcode scanners, inventory systems, and even physical security systems like IP-enabled cameras, security card readers, and door locks. TFTP and HTTP are critical for providing updated firmware and configurations for these devices.
  • IP address management (IPAM) tools are required to enable efficient and error-free allocation of IP addresses and for providing the data needed for tracking users, devices, and network access. The typical retail environment wants to ensure that each store is provisioned with exactly the same network configuration, thus requiring robust “templating” systems.
  • RADIUS with local survivability for each store is critical for providing 802.1X security for both wired and wireless networks.

All of these services must be easy to deploy, easy to manage, available nonstop, and completely auditable to support regulatory requirements.

Shortcomings in conventional core network services solutions (i.e., general-purpose servers, operating systems, and/or freeware) can unexpectedly disrupt core network services, the applications that depend on them and general network security. Specific concerns with conventional solutions in a retail environment include:

  • Security vulnerabilities: General-purpose operating systems and older BIND versions are open to attack, which can compromise system availability and integrity, and also jeopardize compliance with PCI requirements. Maintaining security consumes already limited IT resources that could be applied to more advanced and pressing projects.
  • High administrative costs: Administrators must choose between using labor-intensive and error-prone manual processes and spreadsheets for managing address and name spaces or using complex and expensive conventional IPAM systems.
  • Poor resiliency: Conventional DNS, DHCP, and RADIUS servers have no built-in support for high availability. Providing disaster recovery typically means choosing between slow, labor-intensive manual processes that compromise recovery times and expensive third-party mirroring systems to keep disaster recovery sites ready and up to date.
  • Data silos: Disjointed systems and disjointed databases for DNS, DHCP and RADIUS make it difficult or impossible to track which user and device had a particular IP address or attempted to gain network access.
  • Insufficient administrative control and auditing: Providing granular, delegated administrative rights is often difficult or impossible, and audit logs are often insufficient to enable regulatory compliance.

To provide nonstop core network services, improve security and visibility, support local survivability, and lower operating costs, retail organizations need to consider a next-generation approach to delivering and managing core network services infrastructure.


Infoblox Core Network Services Platform

The Infoblox core network services platform, with over 22 patents pending, offers significant advantages over conventional or competing alternatives:

Built-in High Availability and Security
Infoblox solutions are based on purpose-built appliance platforms designed to deliver the highest levels of security and platform availability. The appliances are designed to FIPS 140-1 Level 2 standards and use a locked-down operating system with no unnecessary open ports or services. “One-button” upgrades make it easy to deploy new features or deploy patches should vulnerabilities be discovered.

Built-in high availability (HA) between appliances uses the industry-standard Virtual Router Redundancy Protocol (VRRP) for sub-5-second network failover, while bloxSYNC technology keeps the data for all services (DNS, DHCP, RADIUS, TFTP, etc.) in sync between the active and backup appliances. Support for Anycast DNS leverages existing routers to direct DNS traffic away from non-responsive servers automatically, without any reconfiguration.

Centralized Management and Control
Infoblox grid technology enables a collection of distributed appliances to be managed and operated as a single, unified system. Administrative changes are propagated automatically to remote appliances, and events at remote appliances (such as the issuing of an IP lease) are visible in real time across the grid.

If an appliance at a store fails, services can be instantly redirected to other appliances. A failed device can be replaced easily with a new device by low-skilled personnel; the grid automatically loads the latest software and configuration onto the replacement device in minutes. In the event of a WAN link failure to a data center, local services in each store continue uninterrupted for maximum survivability. This is key to ensuring that stores continue to operate and generate revenue in the event of a WAN or data center problem.

Built-In Disaster Recovery
Infoblox grids enable “one-click” recovery from catastrophic failures of major data centers or WAN links. Administrators can configure any number of active appliances to serve as “master candidates” that can be designated as the seat of administration at any time with a single command. Master candidates automatically contact and synchronize with remote appliances and recover full administration for DNS, DHCP, RADIUS, IPAM, TFTP, and all other configured services in minutes, with no loss of data. This ability to move the seat of administration from site to site is used by some financial institutions that routinely “fail over” to backup sites to maintain a constant state of readiness.

Granular Administration and Detailed Logging
Senior IT personnel can define classes of lower-level administrators that have read-only access to some data and read/write access to a more limited set of data, such as particular networks, or DNS zones, or even DNS record types. This enables delegation of administrative tasks to different departments and provides local autonomy while retaining centralized visibility and control. It also prevents lower-skilled personnel from making inadvertent changes to critical configurations and data. All administrative actions are logged, including the name of the administrator and the details of the changes that were made. This data is crucial for complying with administrative audits.

Unique Infoblox Solutions
Infoblox appliances support high-value applications that further leverage the investment in a robust core network services infrastructure:

  • “Right-sized” appliances: The Infoblox product line includes a wide range of appliances that are priced and sized for each deployment tier, from models targeted at data centers, with redundant power supplies, fans, and RAID storage, to the low-cost Infoblox-250, which is designed for branch deployments. The new Infoblox-250 appliance has a low entry price (virtually no premium over a white-box server) and tiered capacity to address both smaller store environments (fewer than 100 active devices) and larger stores (fewer than 300 active devices).
  • Distributed 802.1X Authentication: The RADIUS service automatically distributes user credentials to remote appliances, ensuring that wireless users at store locations can still authenticate and gain access to the network even in the event of a WAN failure. The Infoblox Grid Connector for Microsoft Active Directory automatically detects user-password additions, modifications, and deletions on Microsoft domain controllers and pushes the modified data to the grid master for automatic replication to remote appliances, ensuring local survivability for in-store authentication with greatly reduced administrative overhead.
  • Network Access Control: The Infoblox NAC Foundation module includes an embedded captive web portal and a policy engine that controls the DHCP module to intelligently assign IP addresses based on user, device, and endpoint policy status. For example, administrators can assign valid, authenticated employees with compliant endpoints to the production network, assign contractors and guests to a guest network with access only to the Internet, and can assign unknown users or non-compliant endpoints to a quarantine network. Administrators can use IP lease and log information to later determine which user and device had a particular IP address at any given time.
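The “data silos” problem listed earlier and the lease-and-log lookup described in the NAC bullet above come down to one question an incident responder asks: which user and which device held a given IP address at a given time? The following is an added example, not Infoblox code or a description of the grid's internal data model. It joins an ISC-dhcpd-style lease log with a FreeRADIUS-style authentication log by MAC address; both logs are constructed for illustration, and the log formats, field layouts, and the assumption that dhcpd prints the lease length are assumptions made for this example. It handles renewals, explicit releases, and an address being re-issued to a different client, the cases where a naive “last DHCPACK wins” lookup gives the wrong answer.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TS_FMT = "%Y-%m-%dT%H:%M:%S"

# Constructed sample logs (not real Infoblox output): an ISC-dhcpd-style lease
# log and a FreeRADIUS-style authentication log from the same store.
DHCP_LOG = """\
2024-03-04T09:00:12 dhcpd: DHCPACK on 10.20.5.41 to aa:bb:cc:dd:ee:01 (pos-reg-3) via eth1 lease 3600
2024-03-04T09:05:30 dhcpd: DHCPACK on 10.20.5.42 to aa:bb:cc:dd:ee:02 (scanner-7) via eth1 lease 14400
2024-03-04T09:58:15 dhcpd: DHCPACK on 10.20.5.41 to aa:bb:cc:dd:ee:01 (pos-reg-3) via eth1 lease 3600
2024-03-04T11:30:00 dhcpd: DHCPRELEASE of 10.20.5.42 from aa:bb:cc:dd:ee:02 (scanner-7) via eth1
2024-03-04T11:45:02 dhcpd: DHCPACK on 10.20.5.42 to aa:bb:cc:dd:ee:09 (guest-laptop) via eth1 lease 3600
"""
RADIUS_LOG = """\
2024-03-04T08:59:58 radiusd: Login OK: [jsmith] (from client store-ap port 1 cli aa-bb-cc-dd-ee-01)
2024-03-04T09:05:20 radiusd: Login OK: [mjones] (from client store-ap port 2 cli aa-bb-cc-dd-ee-02)
2024-03-04T11:44:55 radiusd: Login OK: [guest-4417] (from client store-ap port 3 cli aa-bb-cc-dd-ee-09)
"""

DHCP_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: (?P<ev>DHCPACK on|DHCPRELEASE of) (?P<ip>\S+) "
    r"(?:to|from) (?P<mac>[0-9a-f:]{17}) \((?P<host>[^)]+)\)"
    r"(?: via \S+)?(?: lease (?P<secs>\d+))?$"
)
RADIUS_RE = re.compile(
    r"^(?P<ts>\S+) radiusd: Login OK: \[(?P<user>[^\]]+)\] .*cli (?P<mac>[0-9a-f-]{17})\)$"
)


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: datetime  # expiry, release, or the moment the IP went to another client


def norm_mac(mac: str) -> str:
    """RADIUS and DHCP write MACs differently; key on one canonical form."""
    return mac.lower().replace("-", ":")


def parse_dhcp(text: str) -> List[Lease]:
    """Turn ACK/RELEASE events into closed intervals of (ip, mac) ownership."""
    leases: List[Lease] = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        ip, mac = m["ip"], norm_mac(m["mac"])
        if m["ev"] == "DHCPACK on":
            expiry = ts + timedelta(seconds=int(m["secs"] or 0))
            for lease in leases:
                if lease.ip == ip and lease.end > ts:  # still open at this moment
                    if lease.mac == mac:  # renewal by the same client: extend
                        lease.end = expiry
                        break
                    lease.end = ts  # address re-issued: close the old holder
            else:
                leases.append(Lease(ip, mac, m["host"], ts, expiry))
        else:  # DHCPRELEASE: the client gave the address back early
            for lease in leases:
                if lease.ip == ip and lease.mac == mac and lease.end > ts:
                    lease.end = ts
    return leases


def parse_radius(text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """mac -> chronologically sorted (time, user) successful authentications."""
    auths: Dict[str, List[Tuple[datetime, str]]] = {}
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            auths.setdefault(norm_mac(m["mac"]), []).append(
                (datetime.strptime(m["ts"], TS_FMT), m["user"])
            )
    for entries in auths.values():
        entries.sort()
    return auths


def who_had(ip: str, at: datetime, leases: List[Lease],
            auths: Dict[str, List[Tuple[datetime, str]]]) -> Optional[Tuple[Optional[str], str, str]]:
    """(user, mac, hostname) holding `ip` at `at`, or None if it was unleased.
    `user` is None when that MAC never authenticated before `at` (for example a
    device on a segment that does not require 802.1X)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= at < lease.end:
            user = None
            for ts, u in auths.get(lease.mac, []):
                if ts <= at:
                    user = u  # latest successful login before the query time
            return (user, lease.mac, lease.host)
    return None


LEASES = parse_dhcp(DHCP_LOG)
AUTHS = parse_radius(RADIUS_LOG)


def lookup(ip: str, iso_ts: str):
    """Convenience wrapper over the constructed sample data."""
    return who_had(ip, datetime.strptime(iso_ts, TS_FMT), LEASES, AUTHS)


if __name__ == "__main__":
    for ip, ts in [("10.20.5.41", "2024-03-04T10:30:00"),
                   ("10.20.5.42", "2024-03-04T11:40:00"),
                   ("10.20.5.42", "2024-03-04T11:50:00")]:
        print(ip, ts, "->", lookup(ip, ts))
```

The point of the exercise is the join key: without a common, normalized MAC and a single clock, the DHCP and RADIUS records cannot be correlated, which is exactly the gap that the “data silos” bullet describes. Note also that the query for 10.20.5.42 at 11:40 returns nothing: the scanner released the address at 11:30 and the guest laptop was not issued it until 11:45, so any tool that only looks at the most recent DHCPACK would wrongly attribute that window to the guest.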


Summary

Retail companies must make large investments in their distributed store networks in order to grow revenue, gain operational efficiencies, and generate additional profit. The systems for this environment must provide distributed availability of DHCP, DNS, RADIUS, and other core services while maintaining centralized visibility and control. Retail companies worldwide are therefore turning to Infoblox for a proven, next-generation solution for core network services that can keep pace with the demands of the challenging retail environment.

To learn more about Infoblox solutions or to evaluate Infoblox products in your environment, please contact us at info@infoblox.com or call +1.408.625.4200.