Council Rock School District
“If you’re responsible for safeguarding your network and you’re not using Infoblox DNS Firewall, you’re not doing your job.” —Matthew Frederickson, Director of IT, Council Rock School District
Location: Bucks County, Pennsylvania
Number of Users: 13,500
Solution: Infoblox DDI, DNS Firewall, and NetMRI
Located in Lower Bucks County, Pennsylvania, the Council Rock School District (CRSD) has ten elementary schools, three middle schools, and two high schools. Technology has transformed the way the teachers teach, and the IT organization supports approximately 13,500 users on a daily basis—providing support for more than 5,000 computers, 100 servers, 300 access points, 257 switches, and 200 printers and copiers. The district is connected via a fiber network, operating at 1 GB between buildings and providing a 300 MB pipe to the Internet.
Matthew Frederickson has been Director of IT at CRSD for 12 years, and has seen the district’s network evolve from an aging asynchronous transfer mode (ATM) infrastructure that was “simply not working at all” to a state-of-the-art fiber and wireless network that serves 18 buildings, 16 of which are schools. Part of that evolution involved replacing Microsoft DNS and DHCP services with appliances and software designed specifically for managing core network services.
“We needed a better way than spreadsheets to manage our IP addressing scheme,” says Frederickson. “We also had DHCP servers all over the place with Microsoft, and it didn’t give me the functionality I was looking for. We don’t have a team dedicated to managing the DHCP. There are only ten of us, and that includes my secretary and me, so we really didn’t have time to properly manage the DHCP servers in all the buildings. I wanted to consolidate, and wanted to make our lives easier.”
He was also looking for something to manage the district’s 257 switches that would give him a single pane of glass—where he could see all the switches and apply updates—and an archive that would tell him when and why configurations had been changed.
The Infoblox Solution
“I started to do some research,” Frederickson says, “and I came across Infoblox. I sat in on a webinar and read a white paper, and the description of what the product would do was exactly what I was looking for.” He purchased two Infoblox 1410 security-hardened appliances running Infoblox DDI—an integrated suite of DNS, DHCP, and IP address management solutions—to replace all those Microsoft DHCP servers scattered around the district, and Infoblox NetMRI to manage the switches.
“It was a major change for my staff,” he says, “so of course they resisted it because people always resist change. Now they love it. You go one place to find information, one place to get what you want. There’s just so much intuitive stuff built into the product that I wouldn’t even have thought of, but now I’ve come to rely on.”
The final component in CRSD’s Infoblox solution was Infoblox DNS Firewall, software that turns DNS servers—which are particularly vulnerable to malware and advanced persistent threats—into self-protecting strong points that leverage the central location of DNS in the network to detect outbound malicious communications and block them before they can exfiltrate sensitive information or replicate themselves on additional devices.
This kind of network security is an important concern in the CRSD. For one thing, the district’s systems contain sensitive information that is an attractive target for hackers seeking monetary gain. In addition, there is a potential internal threat from curious and computer-savvy students. “I had a couple of middle-school kids last year who watched a YouTube video and downloaded a program that creates an internal denial-of-service attack on the network,” he says. “I had controls in place that kept them from actually launching it, but they tried. They tried really hard.”
Frederickson learned about DNS Firewall at a local Infoblox user event, he says. “When I heard about the DNS Firewall I thought, wait a minute, that just makes so much common sense. Why isn’t everybody doing it? Now I feel that if you’re responsible for keeping your network safe and you’re not using Infoblox DNS Firewall, you’re not doing your job.”
Infoblox Professional Services, which Frederickson utilizes to supplement his small staff, helped with the deployment. Frederickson points out that knowledge transfer is an important benefit of engaging Professional Services, because they often alert him to product features he’s not using, and share tips they’ve learned working with other Infoblox customers.
When asked about the results he’s gotten from Infoblox, Frederickson cites the Professional Services first. “They’re subject-matter experts,” he says, “and they stay current with what’s going on in the marketplace, so they’ve just been phenomenal. They were able to come in and say, ‘We’ve been in a couple of other districts with networks similar to yours, and they’re doing this, or they’re doing that.’ They give me suggestions and ideas, and I can use them as a sounding board. Professional services can be just a guy showing up and doing something, or it can be a partner relationship, and I feel that I have a partner relationship with Infoblox.”
As for the products themselves, he’s happy with them too. By centralizing DHCP on his Infoblox appliances and being able to control it with role-based access, Frederickson has been able to stop well-intentioned technicians from accidentally creating problems when they make changes. “They can see everything when they need to look something up,” he says, “but only two of us can make changes. I don’t have to worry anymore about people accidentally causing issues.”
The DDI solution, with its automated management of DNS records and IP addresses, has eliminated time-consuming and error-prone spreadsheets. And NetMRI has simplified the management of switches in an environment that is regularly adding IP phones and IP speakers as well as rolling out new applications for teachers and students.
As for the security component, Frederickson has a story. “I was running a response policy zone (RPZ) report on the DNS Firewall,” he says, “and it detected something at a 192.160 IP address—which is bizarre because I don’t hand out 192.160 IP addresses.” Using a monitoring application installed on all his desktops, he was able to locate the IP address and machine name of the source of the communication. He determined that it was infected with a botnet, which he was able to remove.
“The whole process,” he says, “took about five minutes. Without the DNS Firewall RPZ report, it would probably have taken me weeks to find out that the network performance in one of our buildings was slow because there was a self-replicating botnet on a machine in a lab. That in my mind justified every expense I’ve made in the last two years on infrastructure in terms of security monitoring.”
In closing, he says, “I want products that will allow me to satisfy all my customers, 100 percent of the time, while I sit in my office and work on new services to deliver to them. Infoblox moves me closer to that, because it allows me to stop worrying about the little stuff. Do I worry about DHCP? No. Since I put in Infoblox, I haven’t had to worry about it at all. Do I worry about IP management? Nope. Am I getting really interesting reports from DNS Firewall telling me where my users are going and what I should be concerned about? Absolutely.”