San Mateo County Community College District Gains Vital Resiliency and Security with Infoblox

OVERVIEW

The San Mateo County Community College District (SMCCD), established in 1922, comprises three colleges: Cañada College, College of San Mateo, and Skyline College.

Located between San Francisco and Silicon Valley, the colleges serve nearly 40,000 students annually, providing the first two years of college-level education through a wide variety of transfer and career-technical programs. Students can either earn an associate’s degree in arts or science or receive a certificate of proficiency in their chosen field. Additionally, the district offers robust services for middle college high schools at each campus, as well as dual and concurrent enrollment for high school students.

THE SITUATION

Diverse Infrastructure to Serve Diverse Campuses
One of the district’s main missions is to provide accessible secondary education to a diverse student population across its three institutions, as well as to its online courses and programs. A top priority for SMCCD is to support each student no matter where classwork takes place. “We’re really focusing on making sure they get everything they need when they’re not in class,” says Daman Grewal, the district’s CIO. To support this initiative, students gain free access to Microsoft accounts, Google Workspaces, online learning management systems, and cloud applications, such as Salesforce and LinkedIn.

From an IT standpoint, each institution is distinct. “We’re not a district with three campuses; we’re one with three colleges,” notes Adam West, SMCCD’s information security officer. Each college has its own IT department and budgets. “The colleges are completely separate, and we try to respect that and treat them the same way,” says West.

Over the past few decades, the district’s networking infrastructure relied on Microsoft DNS for its internal DNS and Linux for external DNS, along with Microsoft for DHCP . That implementation co-existed with multi-cloud deployments, including Microsoft Azure and Oracle Cloud Infrastructure (OCI). For security, SMCCD relied on firewalls, web gateway filters, and various extended detection and response (XDR) measures.

THE CHALLENGE

Lack of Resiliency and Agility
Over time, the limitations of the district’s Microsoft- and Linux-based DNS network management solution grew more apparent. College students expect instant access to the Internet and cloud services. However, the district’s existing implementations were not up to the task. Students and faculty faced connectivity issues and slow performance due to DNS record errors or network misconfigurations. Tracking down the root cause of a problem was an arduous, manual effort requiring the use of specialized management consoles.

The lack of visibility and centralized control worsened as device numbers soared. For example, many of SMCCD’s 5,000 staff and 40,000 students use multiple devices in the course of a day, including laptops, tablets, and smart watches, each with their own IP address. Maintaining fast connectivity across devices and multi-cloud workloads became increasingly hard to achieve. The Microsoft implementation lacked the agility to meet the demands of an increasingly cloud-driven learning environment.

A larger concern involved the Linux DNS solution, which was not distributed. The district needed a way to move DNS services between sites, a risky undertaking should one of the Linux servers go down while a backup was underway. “It’s not designed in such a way that you can make changes if one of the nodes goes down,” says West. Additionally, a node failure could potentially take the district offline completely.

Along with connectivity issues, security was also never far from West’s mind, concerns he neatly sums up with one overarching worry: “People clicking on something they shouldn’t.”

THE SOLUTION

Eliminating Points of Failure While Shoring Up Security

On the networking side, SMCCD knew it needed a solution that would deliver rock-solid availability while simplifying complex management tasks. For Grewal, the choice of Infoblox was obvious: he had already seen its solution for consolidated DNS, DHCP, and IP address management (DDI) in action. Earlier in his career, Grewal successfully implemented the Infoblox system on a standalone ship in the middle of the ocean, providing steady Internet access and DHCP for maritime students and crews. “Infoblox was a lifesaver for the folks on the ship,” he says. Grewal trusted that if Infoblox could deliver networking speed and reliability in the middle of the ocean, it could do the same for the district’s students, faculty, and staff.

For network management, the Infoblox solution consists of the Infoblox Grid, which, by virtue of its distributed database technology, eliminates the single point of failure issue that SMCCD had with Linux. To further enhance reliability, the district takes advantage of a multi-grid primary option. The solution also includes two physical servers running as a high availability (HA) pair and two virtual servers at each of the three campus locations. “I wanted everybody to be independently redundant,” says West. Rounding out the solution is a reporting server and a discovery server.

For security, the district protects all users across its three campuses with BloxOne Threat Defense. The solution helps detect and block ransomware and other malware attacks, 92 percent of which rely on DNS. In addition, it complements the security products from Palo Alto Networks that the district relies on. It does so by catching threats at the DNS control plane before they are visible to firewalls, endpoints, or other solutions, thereby reducing security alerts from those other tools.

THE RESULT

Passing the COVID-19 Test and Beyond—with Flying Colors

As far as technology deployments go, SMCCD’s timing could not have been better. The new Infoblox solutions were implemented by the summer of 2019, just months before the global pandemic hit. “COVID obviously changed everything,” West says. Before the pandemic, the ability for students to access the Internet and cloud resources was a nice-to-have. “It wasn’t mission critical,” says West. “Now it absolutely is. I don’t think a student could come to class without a working laptop and be functional.”

As COVID-19 unfolded and teaching moved from in-person to virtual, service availability became a paramount concern for Grewal. “The Infoblox piece came into play because we thought if our primary data center went down, can we still do payroll?” Grewal wondered at the time. “Can we still provide basic services? Can we still get Internet access for classroom technologies, and can we still serve our students? And the answer was, ‘Yes.’ We had enough redundancy built into our systems.” West agrees. Those initial apprehensions were very much front and center for him as well. “We don’t have to worry about them anymore. Infoblox just works.”

The ability to create multiple Infoblox Grid primaries not only made SMCCD’s network more resilient but also made it easier to manage. “When we learned about Infoblox and the distributed multi-primary mode they use, that was the killer app for us,” West says. It enabled his teams to access the system from any location. “Compound that with the fact that you can use a web interface to make the changes,” he notes. System admins can use a device of their choosing without having to install remote desktop software. The Infoblox deployment automates common tasks, for example, eliminating the need to manually edit text files on a Linux server.

With Infoblox, West no longer hears from system admins about sites going down or configuration issues that disrupt performance. “The number of DNS problems that we had before Infoblox has gone way, way, way, way down.”

In addition, the Infoblox solution made SMCCD’s network speedier because of DDI automation across onpremises, hybrid, and multi-cloud infrastructure. “The minute you plug in that laptop, the minute you connect to the Wi-Fi, you get the IP address, you get the right DNS information, and you get out to the Internet,” says Grewal. “So, you can start your day right away.”

BloxOne Threat Defense plays a vital role in boosting the district’s overall security posture. The solution complements other security deployments in SMCCD’s security stack and adds the essential capability of fortifying protection for the district’s multi-cloud workloads and data. “Having Infoblox across our infrastructure seeing all the traffic really benefits us,” notes Grewal. From West’s perspective, an additional benefit is that Infoblox provides layered security without compromising confidentiality or privacy. “Being able to keep the network secure without having to pry into people’s lives is extremely important.”

Among its many capabilities, BloxOne Threat Defense combines market-leading DNS expertise with innovative data science to identify threat actor infrastructure. This approach disrupts attacker activities and prevents exposure to emerging and targeted attacks. “Infoblox is our first line of defense,” says West. “It’s part of the suite of tools that make services we host safer and stronger than ever before.”