The U.S. Department of Defense
“One huge factor for us is that Infoblox is a Microsoft Gold Partner and its DDI solution ties in with Active Directory. We’ve seen significant savings in time—it’s night and day. Prior to Infoblox, all IP management was done by hand, which opened us up to errors and didn’t give us the visibility we required. I don’t know how to put it into words, but certainly it’s been a life changer for our environment.”
—Preston, IT architect
Location: United States
Industry: Federal/Public Sector
Solution: Infoblox DDI on physical and virtual appliances
The customer is an IT organization that supports mission-critical processing servers within the U.S. Department of Defense. Because the organization’s IT team has challenges getting new hardware into its data center, it has embraced virtualization and become a large VMware virtualization shop, using virtual rather than hardware appliances to deploy new services more quickly.
“We’re not unlike any other IT organization that’s large, that has a large number of servers that are mission critical,” says Preston, the group’s IT architect. “We run Windows and Linux, and in our heterogeneous environment, we needed a single centralized management resource.” In the past, the organization made use of disparate management tools including Microsoft MMC as well as multiple text files across servers running BIND, ISC, and DHCP—tools that don’t measure up to tasks such as frequent global DNS name refreshes as naming conventions change. The goal was to eliminate these legacy processes to improve efficiency, eliminate errors from manual processes, and streamline operations. Additional requirements were single sign-on and role-based access. But the overarching concern was efficiency—winning time back from manual processes and increasing productivity.
The Infoblox Solution
The organization has been an Infoblox customer for more than five years, and was an early adopter of Infoblox virtual appliances. “Obviously, the product has a bullet-proof reputation,” says Preston, “and we’ve been able to add some new capability every year.” The IT team is currently running six Infoblox 1410 physical appliances in a high-availability configuration and nine virtual ones to manage DNS, DHCP, and IPAM in the production environment, and is also using Infoblox adapters for VMware vCloud Automation Center and vCenter Orchestrator in a development lab.
“What we intend to do,” says Preston, “is let our customers spin up and spin down resources in an elastic cloud utilizing vCloud Automation Center. We’ve created workflows that are going to allow us to select an IP address, be given a host name from Infoblox by accessing the API, and when the machine is torn down, make another call to actually remove it from Infoblox, including the host name and IP. In other words, we’re going to do a complete automation. Instead of humans being involved, we’re going to dynamically build and destroy servers on the fly.”
The organization purchased Infoblox after some careful thought and a bake-off with BlueCat Networks. “We ended up choosing Infoblox for a variety of reasons,” Preston says, “and we’re glad we did. The integration with Microsoft gave us a really solid feeling after we tried it and realized how simple it was instead of doing something by hand or relying on something in post implementation.” Infoblox IPAM was another selling point, because it provided a single place for all teams to get information for troubleshooting or for starting new deployments.
Perhaps the most conspicuous benefit the organization has gained is productivity. “Things that took too much time and had too much human error have now been automated,” says the architect, “and only take seconds.” As an example, he cites changing a client from Windows to Linux. “We don’t actually switch the hardware out,” he says. “We provision the box with Linux, and of course the name is going to change, depending on how it fits in our Active Directory zone. You don’t have to put a ticket in and wait for that DNS update to happen overnight. It happens in real time.”
Upgrades are equally painless. In the virtual environment, IT spins up a new appliance before shutting down the old one, and then switches the identity from one to the other and moves the license key over. It takes about an hour—and hardware doesn’t take much longer. “We reboot it once, and it is able to come right back up and start answering queries and take the place of the old appliance—that’s pretty impressive,” Preston says.
Security compliance, of course, is an important issue in any defense organization, and Infoblox helps with that, too. IT can address BIND vulnerabilities quickly because the solution is baked into the Infoblox operating system; its automated patching capability simplifies Microsoft Patch Tuesday; the attack surface of the Infoblox appliances is much smaller; and Infoblox provides reporting, so compliance audits are accomplished a lot more quickly.
The IT team has also found creative ways to leverage product features. Infoblox Extensible Attributes, for instance—fields in DHCP for providing additional information—enable them to assign information such as VLAN IDs to end-user devices and to utilize MAC filtering security to assist the organization’s Information Assurance division with its tasks.
“We wrote a script internally that pulls the extensible data as well as the default database values out of Infoblox,” says Preston. “If someone provisions a workstation, it looks at the data in this file, and verifies that they’re requesting the right information. And if the admin enters a wrong value, an error pops up and says ‘go back to Infoblox and get the right information.’”
This expanded access to DHCP information enhances security as well. “DHCP was actually something that we were never allowed to utilize in our environment, based on the security vulnerabilities that are inherent with it,” says Preston. “And because we proved that the security mechanisms within the product allow us to do additional checks and balances prior to handing out the IPs, we were allowed to use DHCP for the first time.”
When asked what he likes most of all about Infoblox, Preston replies, “If I had to pick one feature, it would be the central management. A lot of tools are geared toward one discipline, but this one is used by all support teams. That’s got to be the single best thing that makes it successful in our environment. I know this is a simple use of the product, but for any organization it’s huge.”