HUIT dns/dhcp redesign and roadmap Improved dns, right size IB, modern design, linux fallback.

Presentation transcript:

HUIT dns/dhcp redesign and roadmap Improved dns, right size IB, modern design, linux fallback

Redesign / roadmap aims
- Improved dns durability, reduce risk of recurrence of outage on 12/5
- Update design to current best practice
- Project out development projects related to dns/dhcp

Current design issues
- Dns and dhcp are on common hardware (many IB boxes serve both dns and dhcp roles)
- Caching tier did not provide any durability; in fact, it was the point of failure in the design
- Box sprawl: too many Infoblox boxes, inefficient use of IB resources
- No alternative to IB in the event of a grid-level failure
- On-premise hosting of the external dns view is a liability

Design proposal

New design overview
- Separate dns and dhcp services
- Move all internal dns services onto advanced dns appliances (new)
- Replicate internal dns view onto standby linux bind servers
- Move external dns services from EOL appliances onto existing supported appliances
- Move external dns for harvard.edu (but not child zones) to an outside provider (e.g. Akamai FastDNS)
- Move all dhcp services onto existing appliances
- Enable dns query logging globally on the grid

New design consideration, recommended
- Buy advanced dns service boxes from IB
  - Hardware refresh of IB gear is due anyway (20 IB boxes are EOL 12/15)
  - Advanced dns boxes perform inspection prior to passing data to the underlying bind, defending against emerging dns attack vectors (such as the NXDOMAIN attack suspected as root cause of the 12/5 outage)
- Build manual failover standby dns tier on linux vms
  - Sync zone data via zone transfer
  - Write and test failover plan
  - Manual failover must be entirely programmatic: no datacenter work or on-site presence
- Enable dns query and response logging
  - Has an estimated 20% performance hit to max dns query rate
  - Recommended by IB for forensic purposes; would have helped identify root cause of the 12/5 outage
  - Desirable to HUIT security office
  - Significantly simpler to enable inside IB than to build outside of IB with either network taps or a bind resolver layer

New design consideration, recommended
- Consolidate dhcp and dns onto separate dedicated IB boxes
  - Mechanically simpler design, improving diagnostic capabilities
  - Can reduce the overall number of IB boxes in use, resulting in cost savings over like-for-like replacements using the existing design
- Vendor-provided hosting of external dns view
  - Providers like Verisign or Akamai are better capable of handling dns DOS attacks
  - External providers offer a dnssec signing service; they manage key rotation
  - Desire for management integration with on-premise internal dns
- Provide IB dns firewall service
  - Subscription to a dns RBL service; permits rewriting dns responses for malicious sites
  - Has a passive mode, where no dns responses are rewritten but events are logged
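The passive-versus-rewriting distinction in the dns firewall item above maps directly onto response policy zones in stock BIND, which is also what a linux standby tier would have to carry to behave the same way. The script below is an added example, not code from the slides or from Infoblox: it prints the passive and the enforcing form of the BIND configuration side by side, and then does the first triage a security office would do on the events passive mode logs (what would have been blocked, and which clients asked). The feed zone name "rpz.feed.example", the log path, and the four log lines are constructed for the example; the lines follow BIND's rpz log layout (client address, queried name, "rewrite <name> via <trigger>").

```shell
#!/bin/sh
# Added example, not HUIT's or Infoblox's code: passive vs enforcing DNS
# firewall mode in stock BIND (response policy zones), plus a first-pass
# triage of the events passive mode logs. Hypothetical names: RPZ feed zone
# "rpz.feed.example", the log file path, and every sample log line below.

# Passive mode: "policy disabled" applies no rewrite but logs what the feed
# would have done. "policy given" enforces the feed's own per-record actions.
rpz_stanza() {
    case $1 in
        passive)   policy=disabled ;;
        enforcing) policy=given ;;
        *) echo "usage: rpz_stanza passive|enforcing" >&2; return 1 ;;
    esac
    cat <<EOF
options {
    response-policy { zone "rpz.feed.example" policy $policy; };
};
logging {
    channel rpz_log { file "/var/log/named/rpz.log" versions 5 size 50m; print-time yes; };
    category rpz { rpz_log; };
};
EOF
}

# Constructed sample of the rpz log category in passive mode (not real data).
RPZ_LOG='13-Dec-2015 10:15:02.101 rpz: info: client @0x7f3c2c0b1d10 10.1.2.3#51432 (malware.example): disabled rpz QNAME NXDOMAIN rewrite malware.example via malware.example.rpz.feed.example
13-Dec-2015 10:15:07.415 rpz: info: client @0x7f3c2c0b1d10 10.1.2.3#51440 (malware.example): disabled rpz QNAME NXDOMAIN rewrite malware.example via malware.example.rpz.feed.example
13-Dec-2015 10:16:31.007 rpz: info: client @0x7f3c2c0b1d10 10.1.2.3#52001 (phish.example): disabled rpz QNAME CNAME rewrite phish.example via phish.example.rpz.feed.example
13-Dec-2015 10:20:44.350 rpz: info: client @0x7f3c2c0b2220 10.9.9.9#49152 (malware.example): disabled rpz QNAME NXDOMAIN rewrite malware.example via malware.example.rpz.feed.example'

# One line per RPZ event read from stdin: client address, queried name, trigger.
rpz_events() {
    awk '/rpz (QNAME|IP|NSDNAME|NSIP|CLIENT-IP) / {
        client = ""; name = ""; trig = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9.:a-fA-F]+#[0-9]+$/) { client = $i; sub(/#.*/, "", client) }
            if ($i == "rewrite") name = $(i + 1)
            if ($i == "via") trig = $(i + 1)
        }
        if (client != "" && name != "") print client, name, trig
    }'
}

# Hit counts per queried name, most frequent first: the list to review
# before switching the policy from passive to enforcing.
rpz_top_names() {
    rpz_events | awk '{ c[$2]++ } END { for (n in c) print c[n], n }' | sort -k1,1nr -k2,2
}

# Clients that asked for a given name: the hosts to hand to incident response.
rpz_clients_for() {
    rpz_events | awk -v want="$1" '$2 == want { print $1 }' | sort -u
}

# Stand-alone run over the constructed sample.
echo "# what passive mode would have rewritten:"
printf '%s\n' "$RPZ_LOG" | rpz_top_names
echo "# clients that queried malware.example:"
printf '%s\n' "$RPZ_LOG" | rpz_clients_for malware.example
```

Note that if the standby linux bind tier is ever mixed into live service, it needs the same response-policy stanza and log channel as the grid, or a failover silently changes what the resolver answers and what gets logged.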

New design by the numbers
- Total device count of 17 IB, 3 linux (current count is 29 IB)
- 6x pt 1400 dns recursive resolvers (3 HA pairs), net new
- 2x 2220 grid manager (1 HA pair), lifecycle replacement
- 4x 2220 dhcp servers (2 HA pairs), existing hardware
- 4x 2220/2210 external dns non-recursive resolvers (2 HA pairs), existing hardware
- 1x 4000 reporting server (non-HA), existing hardware
- 3x stock linux vms on noc vmware for standby internal dns

Improvements – why this is better
- Advanced dns boxes address outage due to malicious queries
- Logging addresses HUIT security needs and IB support needs
- Sizing is based on current utilization: right amount of hardware, cost conscious
- Remains a single IB grid, simplest management
- Failover linux dns tier exists; failover is a manual process and requires no dns client reconfiguration
- Off-site hosting of external view provides defense against external view dns attacks

Budget impact – in budget for capital, new ongoing $47k/yr for support/services
- Net new equipment: 6x IB pt 1400 (dns resolver), 2x IB 2220 (grid manager), 1x IB 2220 (test grid)
- IB capital cost $281k (does not include support)
  - 6x Pt $30k = $150k
  - 3x $34k = $102k
  - 2nd PSU and GBICs for 1400s $13k
  - 6x dns firewall license $16k
- Current FY and next capital budget are $295k; proposal is in budget for capital
- Support cost for new hardware partially offset by retiring EOL equipment
- Dns firewall 3 year license cost $52k – net new support costs ~$17k/yr
- Akamai external view hosting for three zones is $30k/yr, plus $4k one-time setup cost; this is net new support cost

Future roadmap items
- Reevaluate manual failover process
  - There is concern over a manual failover process: will failover work when we need it, and will the data be up to date?
- Consider mixing the linux bind tier into live dns services
  - Evaluate live mix of IB and stock linux bind
  - Possible complications around logging or dns firewall
- Evaluate anycast as an appropriate technology on the network
  - Could further reduce IB investments (would not need HA-paired dns)
- Evaluate new IB offering for cloud ipam
  - Grid-managed device that does ip address management for AWS (replacing native AWS dhcp)
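Two items in this deck are served by one added example: the standby linux bind tier fed by zone transfer with a failover plan that must be entirely programmatic (under "New design consideration, recommended"), and the roadmap question of whether the standby's data will be up to date when it is needed. The script below is not HUIT's or Infoblox's code. It prints the secondary zone stanza a standby would carry (TSIG-keyed transfer from the grid), and gives the check a failover runbook should run first: compare SOA serials between the IB primary and the standby using RFC 1982 serial arithmetic, which is needed because a 32-bit serial wraps and a plain numeric comparison would mark a freshly wrapped standby as stale. The zone "internal.example", the addresses 192.0.2.1 and 192.0.2.2, the key name "ib-xfer" and the SOA strings are all hypothetical and constructed for the example.

```shell
#!/bin/sh
# Added example, not HUIT's or Infoblox's code: readiness checks for a
# manual-failover standby BIND tier that is kept current by zone transfer.
# Hypothetical names throughout: zone "internal.example", Infoblox primary
# 192.0.2.1, standby 192.0.2.2, TSIG key "ib-xfer".

# Secondary zone stanza for the standby's named.conf. The TSIG key keeps the
# transfer authenticated and allow-transfer none stops the standby from being
# a copy source itself. BIND before 9.16 spells these "type slave"/"masters".
standby_zone_stanza() {
    zone=$1; primary=$2; keyname=$3
    cat <<EOF
key "$keyname" {
    algorithm hmac-sha256;
    secret "<base64-secret-placeholder>";
};
zone "$zone" {
    type secondary;
    primaries { $primary key "$keyname"; };
    file "/var/named/secondary/$zone.db";
    allow-transfer { none; };
};
EOF
}

# Serial field of a `dig +short SOA <zone> @<server>` answer, e.g.
# "ns1.internal.example. hostmaster.internal.example. 2015120501 3600 900 604800 300"
soa_serial() {
    set -- $1
    printf '%s\n' "$3"
}

# RFC 1982 comparison. SOA serials are unsigned 32-bit and wrap, so a plain
# numeric test misjudges a standby right after a wrap. Prints 1 if $1 is
# newer than $2, 0 if equal, -1 if older.
serial_cmp() {
    if [ "$1" -eq "$2" ]; then printf '0\n'; return; fi
    d=$(( ($1 - $2) & 4294967295 ))   # ($1 - $2) mod 2^32
    if [ "$d" -lt 2147483648 ]; then printf '1\n'; else printf '%s\n' -1; fi
}

# Succeeds when the standby's copy of the zone is at least as new as the
# primary's. Arguments are the two `dig +short SOA` answers.
standby_in_sync() {
    p=$(soa_serial "$1"); s=$(soa_serial "$2")
    [ "$(serial_cmp "$s" "$p")" -ge 0 ]
}

# Live check against both servers (needs dig and network access). A stale
# standby or an unanswered query is a failed precondition for failover.
check_zone() {
    zone=$1; primary=$2; standby=$3
    p=$(dig +short +time=2 +tries=1 SOA "$zone" "@$primary") && [ -n "$p" ] || { echo "NOANSWER $zone @$primary"; return 2; }
    s=$(dig +short +time=2 +tries=1 SOA "$zone" "@$standby") && [ -n "$s" ] || { echo "NOANSWER $zone @$standby"; return 2; }
    if standby_in_sync "$p" "$s"; then
        echo "OK    $zone serial $(soa_serial "$s")"
    else
        echo "STALE $zone primary $(soa_serial "$p") standby $(soa_serial "$s")"
        return 1
    fi
}

# Proves the transfer path itself: a TSIG-signed AXFR from the primary, with
# the key read from a tsig-keygen style file so the secret stays off argv.
axfr_works() {
    zone=$1; primary=$2; keyfile=$3
    dig -k "$keyfile" AXFR "$zone" "@$primary" | grep -q 'XFR size'
}

# Constructed sample SOA answers (not from a real server). The last pair
# exercises the wrap: serial 5 is newer than 4294967290 under RFC 1982.
SOA_PRIMARY='ns1.internal.example. hostmaster.internal.example. 2015120501 3600 900 604800 300'
SOA_STANDBY_STALE='ns1.internal.example. hostmaster.internal.example. 2015120401 3600 900 604800 300'
SOA_WRAP_PRIMARY='ns1.internal.example. hostmaster.internal.example. 4294967290 3600 900 604800 300'
SOA_WRAP_STANDBY='ns1.internal.example. hostmaster.internal.example. 5 3600 900 604800 300'

if standby_in_sync "$SOA_PRIMARY" "$SOA_STANDBY_STALE"; then
    echo "BUG: stale standby reported in sync"
else
    echo "stale standby detected (primary $(soa_serial "$SOA_PRIMARY"), standby $(soa_serial "$SOA_STANDBY_STALE"))"
fi
if standby_in_sync "$SOA_WRAP_PRIMARY" "$SOA_WRAP_STANDBY"; then
    echo "post-wrap standby correctly treated as current"
fi
# Live use from the runbook:
#   check_zone internal.example 192.0.2.1 192.0.2.2
#   axfr_works internal.example 192.0.2.1 /etc/named/ib-xfer.key
```

Running check_zone for every internal zone on a schedule, not just during a failover, turns the roadmap's "will the data be up to date?" from a worry into a monitored condition; a standby that cannot complete the TSIG-signed transfer or that lags the grid's serial should page before anyone needs it.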