Large Federal Defense Agency
Infoblox will enable visibility and one true source of IP information from the desktop and device level all the way up through our centralized management locations.
The Customer
The federal agency’s vision centers around three core competencies: developing personnel, providing technology to warfighters, and integrating operations. Computing networks figure heavily in this vision, and the agency classifies its worldwide network as a weapons system that must meet the highest security, availability, and performance standards.
The Challenge
One of the biggest challenges dealt with visibility. The agency has over a dozen gateways to the hundreds of individually managed locations around the world and had no way to maintain any level of standardization over what versions of BIND and related DNS services were running at each location. DNS management at each location was also in violation of government security standards (DISA STIG), specifically due to running DNS on the same server as the firewalls.
Even worse, the agency lacked the ability to centrally manage the network or achieve visibility across its numerous locations, which reduced the ability to audit, track, and monitor IP-related activity. The solution in place wasn’t scalable, had weak blacklisting features, and lacked the security needed to pinpoint attacks and remediate them. In addition, the server-based system had no provisions for high availability, a key requirement for a network classified as a weapons system.
The requirement called for a very large DNS deployment across 100+ worldwide locations and hundreds of thousands of DNS records, with DNSSEC for two separate Grids, one with 40+ members and the other with 100+ members. The requirements also included providing reports on current and historical DNS query data.
The Solution
In order to convince the agency that Infoblox could do the job, the sales team had to deliver one of the largest simulations in Infoblox history. They spent three months in the lab spinning up 144 VM instances and building a complete simulation down to every one of the agency’s locations. The central-management requirement included top-to-bottom DNS and DNSSEC and integration with Microsoft Active Directory. Performance and load testing required the use of tools such as HP LoadRunner and Ixia testing solutions.
Furthermore, the agency wasn’t the only organization that had to be convinced, The team had to persuade several other government contractors—Northrop Grumman, Lockheed Martin, Booz Allen Hamilton, Telos, General Dynamics, NCI, BAE Systems, Harris, and CENTECH—to include Infoblox in their final proposals.
The solution that resulted—and that was ultimately purchased—was huge. It included 332 Infoblox Trinzic 4010 1410, and TR 4000 appliances with NXDomain Redirect modules on every single DDI appliance. The enterprise DNS portion incorporated twin high-availability (HA) Infoblox Grid™ systems at two central management locations, Trinzic 4010 appliances at all gateways, Trinzic 1410 appliances at 100+ worldwide facilities, HA pairs everywhere, 5 mirrored lab systems, and 2 mirrored training systems.
Going forward, the agency’s entire local infrastructure will be dependent on this extensive Infoblox DNS infrastructure. The Infoblox Grids were able to deliver a high-availability solution that not only offers more resilience, but also delivers the central control needed. The agency is satisfied with the technology itself, and also with the Professional Services team helping with the deployment. The solution has changed their whole outlook on the things they can do to better protect the agency’s network and maintain availability and pinpoint attacks. The agency has completed the certification and accreditation (Authority to Operate) phase and is now actively deploying appliances.
The Results
The Infoblox solution will enable the agency’s IT administrators to manage and monitor hundreds of security-hardened network appliances from a central location with real-time failover and ease-of-use features like one-click automated DNS zone signing, allowing them to more cost-effectively address DNSSEC compliance for one of the world’s largest and most mission-critical networks. Administrators can drill down to the local level when they need to. The system provides:
Resilience
Highly improved visibility
Scalability
The ability to integrate with third-party hardware security modules
Centralized reporting and analytics
For more information, please contact your Infoblox representative or visit www.infoblox.com