University of Birmingham Saves 125 Workdays with Network Automation from Infoblox
“Infoblox doesn’t cause you problems—it solves them”
- Renyk de’Vandre, Principal Network Engineer, Cloud Services Team, University of Birmingham
OVERVIEW
For more than a century, the University of Birmingham (UoB) has been pursuing and sharing knowledge through outstanding teaching and world-leading research.
The first of the prestigious “redbrick” universities in the United Kingdom, the institution serves more than 40,000 students at its campuses in Birmingham and Dubai. The 10 Nobel Laureates among its staff and alumni have contributed to vital discoveries in science, including, in recent times, the Higgs boson and gravitational waves.
THE SITUATION
Multiple, Disjointed DNS Systems
To deliver on its aspiration to be a top-tier public research institution, the University of Birmingham depends on networking that is fast, reliable, easy to manage, and secure.
Achieving this vision required raising the profile of and modernizing critical network services, such as DNS, DHCP, and IP address management (DDI). The operation of these services had grown organically as the network evolved, and over time, the institution had adopted different systems to manage various DDI aspects, DNS in particular.
The bulk of the network’s DNS workload was serviced by Microsoft Active Directory (AD) DNS. A much smaller portion was controlled by Infoblox NIOS DDI. Other areas were managed with legacy solutions, including 20-year-old, bespoke software and a BIND service running on equipment that was past end of life.
Customer: University of Birmingham
Industry: Education
Location: Birmingham, England
Objectives:
- Overcome networking challenges stemming from the use of disjointed DDI tools
- Reduce networking overhead and administrative effort
- Improve security visibility across the network
- Provide a platform for DDI automation
Results:
- One consolidated network management and security solution, down from six
- Comprehensive protection for all network users, including the 90 percent associated with Microsoft AD
- Automated IP address management for 1,000 printers, saving 125 workdays a year
- The ability to deploy a single solution into the cloud and to remote campuses
Products: NIOS DDI, Infoblox Threat Defense
THE CHALLENGES
DNS Management Dysfunction and Frustration
The University’s disparate DNS solutions were impairing operational capabilities, demanding unnecessary administrative overhead, and blocking ongoing projects. Each system existed independently, with no cross-tool integration. DNS was configured differently in each solution, and there was no single, consolidated means of management, reporting, or alerting. The result was unpredictable DNS behavior and existing tools that could not support modern standards.
The lack of cohesion created obstacles for even basic tasks, such as updating a DNS record. “If you entered a record in one system, you had to ensure it was entered in the other systems,” recalls Renyk de’Vandre, principal network engineer for the University of Birmingham’s Cloud Services team. Problems inevitably occurred because those DNS records were not being properly updated across systems. The growth of out-of-date DNS records with no way of determining their validity created increasingly inconsistent zone information.
IP address management (IPAM) presented a significant additional hurdle. In a typical day, networking teams were responsible for 400,000 IP addresses, all statically assigned. Whenever changes were made, a frequent occurrence in a fast-moving campus environment, those changes had to be entered manually.
Other obstacles included duplicate information, incorrectly formatted or out-of-date DNS records, and frequent conflicts between IPAM and Dynamic Host Configuration Protocol (DHCP). In addition, each DNS system had its own APIs for extending functionality to other networking tools and tasks, adding to management overhead.
Along with these ongoing headaches, de’Vandre and his team had to contend with a fundamentally flawed DDI architecture, a consequence of how it had evolved. In a well-designed architecture, authority for each DNS zone is properly delegated, so that the servers responsible for a zone answer queries for it quickly and authoritatively. Because of the patchwork evolution of UoB’s DDI solutions, however, delegated DNS authority was lacking in key parts of the network. Problems with improper delegation of Microsoft AD, in particular, caused DNS resolution delays and even failures, which eroded network performance and confidence. Improper AD delegation also reduced visibility from Infoblox, because clients were pointed at AD rather than at the preferred primary resolver.
Having so much of the network in Microsoft AD caused other problems as well, with a lack of security visibility being among the most serious. DNS data provides unprecedented views of client devices—where they go and what they connect to. “If you can’t see that client, you can’t control it. You can’t remediate it,” says de’Vandre. He could see clearly all the clients connecting through Infoblox NIOS but none of those connecting through Microsoft AD. Considering that Microsoft AD accounted for 90 percent of all clients, the security implications were enormous.
THE SOLUTION
Migrating Microsoft AD to Infoblox
The University understood that the way to resolve its many DDI architectural and operational issues was to rely on a single provider for critical network services. To achieve that goal, the IT team initially considered migrating away from Infoblox NIOS and running all DDI services through Microsoft AD DNS where most of the DDI workload already resided. That assumption was made before the team understood the scope of capabilities available through NIOS DDI, however. Consequently, the University’s IT team received training from Infoblox about the benefits of an agile, consolidated DDI solution. Once the training was completed, it became clear that AD DNS was not a full DDI solution that could offer the range of management, visibility, reporting, and the single API required for robust automation that Birmingham desperately needed, nor the integrated DNS security capabilities it sought.
Infoblox training was key to the University’s decision to renew Infoblox NIOS and the entire physical Infoblox Grid, extend their functionality, and renew its five-year support agreement, including a five-year training subscription. Members of the team are now certified in every single Infoblox product.
Among the critical network management solutions the University initially had, Infoblox NIOS DDI was the only one that consolidated DNS, DHCP, and IPAM into a single platform. Combined with the Infoblox Grid, it was a powerful networking asset for the IT team, but they were using only a sliver of its capabilities. “It was like owning a Porsche that you drive to the end of your garden and then get out,” de’Vandre says in hindsight. He also learned that NIOS DDI had never been properly configured. “It wasn’t doing the job it was supposed to.” With the aid of Infoblox training, de’Vandre fixed the misconfiguration issues, which solved a number of long-standing problems.
The institution had an extensive list of requirements for its DDI and security platform. To begin with, any DNS solution would need to accommodate rather than replace AD DNS outright since it accounted for so much of the network. From a networking perspective, the architecture also needed to be scalable and resilient. Additionally, it needed to make it easy for networking teams to access management securely and reduce complexity and administrative overhead by rationalizing DDI services across different systems. Critical to this was a migration of all Microsoft DNS services onto the NIOS DDI platform.
Furthermore, the University required a platform that would enable the automation of static processes, like IPAM, along with supporting a single API and extensive integration capabilities for automation tools like Aruba ClearPass.
For security, Birmingham mandated a solution that could provide threat intelligence, automate threat remediation, and protect all clients.
It took the University over a year to complete the migration from Microsoft AD to Infoblox, largely because of the scope, which involved 38,000 fixed machines and accumulated issues from 30 years of disparate DDI management. The migration unfolded with no major service interruptions. Today, de’Vandre and his colleagues have full visibility and control of DNS, DHCP, and IPAM across their diverse networking solutions. “It is all managed from a single place,” says de’Vandre. It also includes Infoblox Threat Defense™, which proactively protects all of the University’s 40,000 students and faculty from the broadest assortment of malware, ransomware, and data exfiltration threats.
THE RESULT
Networking Simplicity, Cost Savings, and Security from One Solution
With Infoblox, the University eliminated the networking complexity and data conflicts that hindered performance and drove up management costs. DNS resolves faster and is more responsive than before. Networking and security teams now have a single source of truth for DDI and a consolidated view of all network assets, including those associated with Microsoft AD. In contrast to Microsoft AD, NIOS DDI provides the full spectrum of DNS, DHCP, and IPAM capabilities. “AD is a DNS solution,” de’Vandre says, “but it certainly comes nowhere near in terms of DHCP or IPAM that Infoblox does.”
From a networking and security standpoint, the solution is empowering for de’Vandre and his colleagues. “Infoblox gives me the tools to enable the projects that are critical to achieving the University’s strategic vision,” he says. Combined with the Infoblox Grid, NIOS DDI provides all-important scalability and resilience on-premises and in hybrid and multi-cloud environments, enabling systems administrators to centrally manage DDI at the University’s campuses in the United Kingdom and the United Arab Emirates.
Beyond the time saved by automating previously static registrations and the reduction in both incidents and mean time to resolution (MTTR), troubleshooting DDI issues became far simpler thanks to the enterprise-level reporting and alerting and the enhanced visibility that Infoblox provides.
Consolidating on a single DDI solution means that deploying offsite, into the cloud, and to a brand new multi-million-dollar campus in Dubai now requires only one solution, not up to three as had been the case previously, significantly reducing complexity and cost for the institution.
One overarching advantage from Infoblox stands out for de’Vandre. “Infoblox brings visibility and reporting across the DDI space that was simply not there before.” With Infoblox, what had once been unmanageably complicated is now straightforward and reduces risk when making changes. For example, before the AD migration, DNS management required separate inputs across as many as six different systems. “When we come across a troubleshooting issue now, we’ve got one place to look, and we can see exactly how a client’s configured,” he says.
Consolidating DDI onto a single Infoblox platform created substantial cost savings. With Infoblox, the University eliminated the need for a separate DDNS service to keep DNS records current. It was also able to jettison BIND and the previous bespoke software. In addition, before migrating AD to Infoblox, the University had to manually assign static IP addresses for more than 1,000 printers, along with thousands of machines located in classrooms, labs, and lecture halls. Infoblox’s feature-rich and resilient DHCP solution made migrating these IPs a straightforward process. The tight integration between Infoblox’s IPAM and DHCP also made it easy to identify duplicate records, and automatically propagating DHCP data into both IPAM and DNS added new capabilities while reducing the administrative burden on operational teams. Thanks to the fully automated IP address assignment in NIOS DDI, the University now saves more than 125 workdays a year, and printer moves are now plug and play.
Additional automation savings are made possible by the Infoblox API, which lets teams connect painlessly to the vendor tools of their choice. The Infoblox API can automate 99 percent of Infoblox functions; the University’s use of it is still in its infancy, but this is a capability the team is keen to develop.
Further savings come from the self-service capabilities of NIOS DDI. Before full Infoblox adoption, the University’s network engineers were besieged by requests from end users to perform low-level tasks, such as updating DNS records. The back and forth consumed valuable time and caused unnecessary delays to other teams and the University’s customers.
With permission-based access to the intuitive NIOS web interface, end users can quickly and easily perform basic tasks themselves, with obvious savings. “Think how much of a return on investment we see by removing all that bureaucracy, all those delays?” says de’Vandre. As a bonus, NIOS self-service frees up core engineering resources to focus on higher-value projects.
All of this visibility and reporting has also enabled the University to more easily meet security and audit requirements with automated reports that can generate audit evidence on demand rather than through a yearly, onerous task.
On the security front, Infoblox enables the University of Birmingham to extend comprehensive protection to all parts of the network. Servicing Microsoft Windows clients from within Infoblox gives security teams critical visibility into the 90 percent of network activity that had previously been shielded from view. “Now that all DNS clients go through Infoblox, I can see all of them and act on them individually. I can protect everything, everywhere,” de’Vandre says.
Unlike Microsoft, Infoblox is designed to provide the best capabilities to all clients, not just Windows, so there are no concerns about standards limitations or incompatibilities. As long as the client is standards based, it works, and in many cases, the flexibility of the platform means bespoke requirements can often be accommodated.
De’Vandre is evangelical about dispelling the myth that AD requires AD DNS to function. It was a hard sell to convince stakeholders that decommissioning AD DNS would work without issue, but to date there hasn’t been a single incident caused by AD using Infoblox as its sole source of DDI information.
For de’Vandre, a key reason behind the success he’s experienced with Infoblox stems from his dedication to training and support. “I thought I knew DNS when I started out. I didn’t,” he admits. “My understanding came from Infoblox’s training.” From an account management standpoint, the rapport he’s enjoyed with Infoblox staff has been one of a kind. “In a 30-year career, I’ve never had that with another organization.”
CONCLUSION
The extensive capabilities of Infoblox are something de’Vandre prizes highly. “It gives us a Swiss army knife to tackle problems.” As de’Vandre considers adding more automation and multi-cloud capabilities to his arsenal, he no longer worries about network management being an impediment. “We can look ahead with confidence now that our DDI solution can facilitate the vision for the platform and University.”