EMEA-Based Internet and Communications Provider Secures Schools’ Networks with Infoblox
THE CUSTOMER: EMEA-BASED TELECOM SERVICE PROVIDER
An EMEA-based internet and communications provider responsible for ensuring Internet security and providing telecommunications services to academic institutions was selected to build a large-scale national education network. The project was founded on the premise of providing safe Internet connectivity for 4.5 million children using 700,000 school computers across 25,000 primary and secondary schools.
THE CHALLENGE
Ensuring Secure Internet Access Across Large-Scale Network
The telecom service provider wanted to make sure that network connections and the user experience were not only stable but also secure, especially because the users were school children. In addition, it wanted to ensure these children did not go to inappropriate websites or inadvertently download malware. For such an extensive project, relying on secure web gateways (SWGs) alone for content filtering was high risk: no one had done such a large implementation of SWGs before. (The estimated download traffic is over 1 Tbps, which requires around 200 appliances from the main SWG vendors.) In the event that something went wrong, the internet provider wanted a way to augment the SWGs. However, the provider did not want to rely on SaaS-based security solutions. Instead, it needed the security implementations to be on-premises because it was building its own networks, cloud and data centers.
The massive private network the provider was building called for 100-megabit links with routers for each of the 25,000 schools. The project was divided into three phases: delivery of the links, delivery of the networking equipment, and security. Security was implemented in two stages. The first involved foundational security using DNS application delivery controllers (ADCs) and firewalls. The second entailed the deployment of web gateways.
Customer: Internet and Communications Provider
Industry: Telecom Service Providers
Location: EMEA
Objectives: Build a stable network for a large-scale education system, Provide safe Internet connectivity, Implement an on-premises solution
Results: Secure and clean browsing experience, Malware mitigation, DNS-based content filtering, Foundational security services, Cost-effective, scalable solution
Products: NIOS DDI, Threat Insight
THE SOLUTION
DNS-Based Foundational Security on an Internal Private Network
Infoblox assessed the schools’ project and suggested that DNS-based foundational security should be considered as a first step to protecting the school networks. Although SaaS vendors also approached the company, it never really considered them because it wanted something that could be deployed on the internal private network it was building for schools. Most service providers build their own infrastructure and, for that reason, will not use a SaaS-based service.
Several additional factors led the provider to select Infoblox over other competitors:
- Infoblox offered differentiated functionality, such as Threat Insight, which can detect malware command and control traffic hidden in DNS queries. It can also detect the presence of DNS tunneling, a common method that some students can potentially use to bypass SWG security policy limitations.
- The provider felt that Infoblox was a better technical partner by way of its local technical expertise, something that other competitors could not match because they did not have technical experts in the region.
- Infoblox provided references of many other service providers and similar deployments that use Infoblox technology.
As part of its discussions, Infoblox held an in-depth security workshop that covered different examples of malware and how they use DNS for command and control. In addition, a basic malware mitigation discussion with Infoblox soon became a broader discussion that included:
- How content categorization using DNS can cost-effectively bolster the performance of secure web gateways
- How DNS-level traffic inspection can provide stable, scalable augmentation for SWGs. For example, through Infoblox, the provider is now able to prevent students from accessing obviously inappropriate content, such as adult websites, by blocking traffic at the DNS level. More nebulous sites are filtered based on URLs using SWGs.
- How this combined approach limits the amount of malicious traffic that SWGs must handle and brings down the total cost of threat defense
THE RESULT
An Easy, Stable Implementation Providing Immediate Value
During the first, limited-scale deployment, an Infoblox partner implemented the DNS solution in just seven days for two of the service provider’s locations. This deployment showed that the Infoblox solution was easy to implement and stable, giving the provider confidence that the solution would work for large-scale deployments. Implementation for the remaining 16 locations is ongoing as of June 2019. The provider has already noticed several benefits, including central security policy management on DNS firewalls and mitigation of temporary problems with traffic control on ADC and SWG. The latter comes from content filtering on Infoblox DNS servers, which has proven to be a valuable augmentation and offloading solution. Through Infoblox, the provider was thus able to provide a safe, secure, and clean browsing experience for students throughout the region.