Realizing Secure Networks by Overcoming Complexity: The Proteus IP Address Management System

Whitepaper

ii BlueCat Networks

Use of this document

Copyright

This document and all information (in text, Graphical User Interface (“GUI”), video and audio forms), images, icons, software, design, applications, calculators, models, projections and other elements available on or through this document are the property of BlueCat Networks or its suppliers, and are protected by Canadian and international copyright, trademark, and other laws. Your use of this document does not transfer to you any ownership or other rights or its content. You acknowledge and understand that BlueCat Networks retains all rights not expressly granted. Persons who receive this document agree that all information contained herein is exclusively the intellectual property of BlueCat Networks and will not reproduce, recreate, or otherwise use material herein, unless you have received express written consent from BlueCat Networks.

Copyright 2010, BlueCat Networks Inc. All rights reserved worldwide.

Publisher Information

Published in Canada. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any human or computer language in any form or by any means without the express written permission of:

BlueCat Networks Inc.
4101 Yonge Street, Suite 502
Toronto, Ontario
Canada M2P 1N6
Attention: Product Manager
Telephone: 416-646-8400
Fax: 416-225-4728
E-mail: info@bluecatnetworks.com
Website: www.bluecatnetworks.com

This publication is provided as is without warranty of any kind, express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

All terms mentioned in this publication that are known to be trademarks or service marks are appropriately capitalized. BlueCat Networks cannot attest to the accuracy of this information. Use of a term in this publication should not be regarded as affecting the validity of any trademark or service mark.

The trademarks, service marks and logos (the “Trademarks”) displayed are registered and unregistered Trademarks of BlueCat Networks, Inc. and others. Users are not permitted to use these Trademarks for any purpose without the prior written consent of BlueCat Networks or the third party owning the Trademark.

No Professional Advice

This document is for convenience and informational purposes only. This document is not intended to be a comprehensive or detailed statement concerning the matters addressed; advice or recommendations, whether scientific or engineering in nature or otherwise; or an offer to sell or buy any product or service. BlueCat Networks does not warrant or make any representations regarding the use, validity, accuracy, or reliability of, or the results of the use of, this website or any materials on this document or any website referenced herein. This document is intended solely for the use of the recipient. It does not constitute a complete offering and is not to be reproduced or distributed to any other person.

The Proteus IP Address Management System iii

Executive Summary

The continual increase of complexity, and the adoption of Voice over IP (VoIP) on many corporate networks, has meant that most enterprise and carrier-class networks now require the additional management overhead previously only found in the largest networks. This management need is further compounded by the requirement for corporations to explore or implement IPv6-compatible networks to ensure capacity and service over the next decade. VoIP integrations generally double the number of IP addresses inside some networks simply because each user with a computer also has a phone. Management of IP resources can be severely restricted by inadequate design in the provisioning of IP space and services, which can directly impact corporate growth.

Existing IP Address Management (IPAM) solutions on the market are typically software-based and require extensive installation and integration, coupled with licensing expenses, yielding a solution that is outside most corporate budgets. Manual or home-grown solutions to IP address management often fall short and carry a high cost associated with labor-intensive processes and knowledge transfer.

BlueCat Networks, a leader in dedicated DNS and DHCP appliances, has developed its Proteus IPAM Appliance to help organizations design and scale IP networks effectively. Utilizing existing investment in the Adonis 500 and 1000, dedicated appliances for DNS and DHCP services, Proteus acts as the nerve center of a centrally managed IP address system with distributed services, all linkable to network management systems. Unlike other IPAM systems that comprise a dedicated IP management system with a few DNS abilities, Proteus was designed to integrate DNS and IP, and to move other important components such as deployment and server management into their own components in a unique “Multi-Core” architecture. Proteus represents a new level of business-driven interactive network control and monitoring that brings IPAM into conformance with business requirements.

The appliance model allows affordable deployment of a secure, enterprise-class application without extensive implementation, installation and third-party licensing costs. Total cost of ownership (TCO) is further reduced by its intelligent, role-based web interface, controlled firmware updates, and delegated access control model. Interoperability with outside provisioning systems can be achieved through several different kinds of integration models, described in the “Extending Proteus” section. Proteus represents a new generation of hybrid in this market, embracing the power and flexibility of enterprise application suites and the security and simplicity of network appliances.

Contents

Executive Summary  iii
Background–The Rise of IP Networks  1
  Growth and Complexity  1
Current IPAM and DNS/DHCP Solutions  2
  Manual Processes  2
  IPAM Software  2
  DNS/DHCP Appliances  3
Toward the Ideal IPAM Solution  3
The Proteus IPAM System  4
  Multi-Core Architecture  5
  User Experience  5
  Security  6
  Change Control and Reporting  6
Extending Proteus  7
The Future  7

Background–The Rise of IP Networks

In the late 1960s, the U.S. Department of Defense Advanced Research Projects Agency (ARPA, now known as DARPA) started a project to develop an open network protocol that would allow interoperability between different networks. The original network consisted of four nodes connected to each other using the Network Control Protocol (NCP) and, as it grew, became known as the ARPA Internet or more commonly ARPANET. During the 1970s, a new group of protocols was designed that would eventually be known as Transmission Control Protocol (TCP) and Internet Protocol (IP), or simply TCP/IP. In the 1980s, the network consisted mainly of research organizations and nationally funded supercomputer centers that were primarily connected by 56 Kbps links. In 1988, the links were upgraded to T1 (1.544 Mbps) and the interest of private organizations started to increase. By the early 1990s the backbone was being opened to commercial traffic and, in 1993, projects were initiated to solicit commercial service providers. The late 1990s saw explosive growth of the network, from thousands of systems at the beginning of the decade to tens of millions by the end. The network became known as the Internet and is recognized as a standard fixture for most corporations.

The address system, known as IPv4, defines an address with a length of 32 bits, usually expressed as four 8-bit fields separated by dots (“dotted decimal notation”). The system allows in excess of four billion (2^32) addresses. In practice, far fewer addresses were available, because classful allocation and subnetting, the act of creating sub-networks of the main network, often resulted in large numbers of addresses being allocated to very few users. Each address must be unique, and consists of a network ID and a host ID, which are used to route traffic between networks and to allow local network communication.

Network addresses were initially allocated manually, and this is still the method used for most network servers, but increased complexity in growing networks rendered this method inadequate for client devices. The solution was to develop a protocol that would allow a device to negotiate with the network to obtain a unique address and other configuration parameters. Early protocols such as Reverse Address Resolution Protocol (RARP) were used to determine addresses but proved ineffective for allocation. Bootstrap Protocol (BOOTP) was later designed to give a newly booted device the ability to determine its IP address dynamically. Dynamic Host Configuration Protocol (DHCP), an enhanced version of BOOTP with more options, has become the standard means for allocating addresses dynamically. Today most mobile phones, corporate and wireless networks, as well as Voice over IP (VoIP) systems, rely on DHCP for address allocation.

Internet addresses allowed networked devices to communicate across networks, but a problem arose when a device was moved from one network to another. Relaying address change information was too costly in both bandwidth and time, and so a naming system was developed. With a look similar to the dotted notation of an IP address, domain names (e.g. host.bluecatnetworks.com) allow systems to connect to one another by looking up a system’s name to reveal its address. Originally the names were kept in a single hosts file, distributed on a regular basis throughout the network. As the file grew to contain thousands of names, the system had to change for the network to expand and host millions of systems. The Domain Name System (DNS), specified in 1983, provides one of the world’s most distributed databases, mapping domain names to IP addresses. This system maps names to addresses and provides reverse resolution, while allowing domain owners to delegate responsibility for parts of the namespace to other systems. Now one of the cornerstones of Internet communication, DNS makes it possible to browse the web, send e-mail and locate network services.

Growth and Complexity

As the Internet evolved from a research network into a global public network that connects millions of systems worldwide, IP addresses started to become scarce. When IPv4 was originally designed it was inconceivable that addresses would run out, especially when the network consisted of only several hundred systems. But with over a billion[1] mobile phones, PCs, and other devices that required IP addresses, the need for a new addressing system was recognized. The replacement for IPv4 is IPv6, and with 128 bits of address space (2^128, roughly 3.4 × 10^38, possible addresses before subnetting) it was decided that many of the underlying systems would be revamped to plan for the future growth of the Internet. Unfortunately, with growth comes complexity: IPv6 addresses are four times longer than IPv4 addresses, and management of both DNS and address allocation requires increasingly elaborate techniques. Written in hexadecimal, IPv6 addresses resemble 3ffe:ffff:0100:f101:0210:a4ff:fee3:9566, whereas an IPv4 address in decimal notation might look like 192.168.0.1.

With the introduction of Voice over IP (VoIP), many networks are being overhauled to support greater bandwidth and size, creating significant pressure to streamline IT processes. The conventional phone network is starting to undergo a transition to the VoIP world using ENUM (E.164 Number Mapping). ENUM defines a naming strategy, and the resolution of specific DNS data (NAPTR records), to map existing phone numbers in E.164 format to VoIP endpoints.

[1] “Nokia: 2 billion cell phone users by 2006”, December 9, 2004 (http://netscape.com.com/2100-1035_22-5485543.html)
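The ENUM mapping described above, as an added worked example that is not part of the whitepaper and not BlueCat code: the E.164 number is stripped to its digits, the digits are reversed, each becomes a DNS label under e164.arpa (RFC 6116), and the NAPTR records found at that name are walked in (order, preference) order until one with the wanted enumservice matches. The NAPTR set and the 555 numbers below are constructed for illustration; a private ENUM tree can use any suffix in place of e164.arpa.

```python
"""ENUM: E.164 number <-> DNS name, and NAPTR-based endpoint selection.

Added example; not BlueCat or Proteus code. NAPTRS and the phone numbers
are constructed test data (555 numbers are fictitious).
"""
import re

ENUM_SUFFIX = "e164.arpa"


def e164_to_enum(number: str, suffix: str = ENUM_SUFFIX) -> str:
    """'+1 416 555 0100' -> '0.0.1.0.5.5.5.6.1.4.1.e164.arpa'.

    The reversal puts the country code next to the suffix, so each country
    (and each carrier below it) can be delegated like any other DNS zone.
    """
    if not number.strip().startswith("+"):
        raise ValueError("E.164 numbers must be written with a leading '+'")
    digits = re.sub(r"\D", "", number)
    if not 1 <= len(digits) <= 15:            # E.164 allows at most 15 digits
        raise ValueError("E.164 numbers have between 1 and 15 digits")
    return ".".join(reversed(digits)) + "." + suffix


def enum_to_e164(name: str, suffix: str = ENUM_SUFFIX) -> str:
    """Inverse mapping: '0.0.1.0.5.5.5.6.1.4.1.e164.arpa' -> '+14165550100'."""
    tail = "." + suffix
    if not name.endswith(tail):
        raise ValueError(f"{name!r} is not under {suffix}")
    labels = name[: -len(tail)].split(".")
    if not all(len(label) == 1 and label.isdigit() for label in labels):
        raise ValueError("ENUM labels must be single digits")
    return "+" + "".join(reversed(labels))


# Constructed NAPTR RRset: (order, preference, flags, service, regexp).
# The regexp field is delim!pattern!replacement!, POSIX ERE with \1-style
# backreferences, which Python's re handles the same way.
NAPTRS = [
    (100, 10, "u", "E2U+sip",    "!^.*$!sip:info@example.com!"),
    (100, 20, "u", "E2U+mailto", "!^.*$!mailto:info@example.com!"),
    # Lower order wins: numbers in +1 416 go to a local SIP proxy instead.
    (10,  10, "u", "E2U+sip",    r"!^\+1416(.*)$!sip:\1@voip.example.com!"),
]


def _apply_regexp(regexp: str, number: str):
    """Apply one NAPTR regexp to the number; None if the pattern does not match."""
    delim = regexp[0]
    # Constructed data contains no escaped delimiters, so a plain split is enough.
    pattern, replacement, flags = (regexp[1:].split(delim) + [""])[:3]
    rx = re.compile(pattern, re.IGNORECASE if "i" in flags else 0)
    match = rx.search(number)
    return match.expand(replacement) if match else None


def resolve_enum(number: str, naptrs=NAPTRS, wanted: str = "E2U+sip"):
    """RFC 6116 selection: lowest (order, preference) first, only records that
    offer the wanted enumservice, first whose regexp matches the number."""
    e164 = enum_to_e164(e164_to_enum(number))     # canonical '+digits' form
    want = wanted.lower().split("+", 1)[1]
    for order, pref, flags, service, regexp in sorted(naptrs, key=lambda r: r[:2]):
        if flags.lower() != "u" or not service.lower().startswith("e2u+"):
            continue                               # only terminal URI rules here
        if want not in service.lower().split("+")[1:]:
            continue
        uri = _apply_regexp(regexp, e164)
        if uri is not None:
            return uri
    return None
```

The security-relevant point for an IPAM operator is visible in the data model: whoever controls the e164.arpa delegation for a number prefix, or the NAPTR records below it, controls where calls to those numbers land, so ENUM zones deserve the same change control and signing discipline as any other authoritative zone.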

ENUM allows the convergence of these systems into a seamless voice network. This amplifies the need for network management, as IP usage can almost double when every user requires an IP address for both a PC and a phone. Wireless networks require address re-allocation on a more frequent basis as users roam and connect to different networks. Newer network applications such as VoIP often require more complex network configurations. For both IPv4 and IPv6, DHCP provides these extra settings when the device joins the network. This is an extra layer of detail in an already complex system: managing the interactions between IP management and the deployment of these options through DHCP.

Within the next five years, it is expected that most carriers will offer IPv6 support, and many organizations are in early-stage transition.[2] Many existing network tools and address management systems are limited to IPv4, meaning that with the added address management complexity of IPv6 they may not be up to the task. Despite the hesitation of many IT professionals to move to IPv6, several industries and government bodies are moving ahead, and thus a partial transition will be underway soon. Many new and changed concepts such as the IPv6 addressing format seem formidable, as does the increased complexity of managing an address space that is orders of magnitude larger. The unique 64-bit interface identifier in the tail portion of the address alone will drive rapid adoption of naming services, because such addresses cannot easily be remembered, and will put much higher loads on DNS services.

Increased complexity always means less security unless it can be fully managed. Modern networks are at risk of breaches and downtime simply as a result of their own inherent complexity. The only real solution is to divide the tasks involved into manageably sized operations that can be secured, while maintaining the ability to manage the entire system in real time. Considering the tension between these two goals, it is not surprising that the ideal IPAM solution has yet to emerge.

Current IPAM and DNS/DHCP Solutions

Manual Processes

Many corporations still use manual processes involving spreadsheets and “pings” to identify potentially available IP addresses, due to budgetary pressure or because current IP address management (IPAM) systems are seen as too complex or as having poor Return on Investment (ROI). This method, although used by several large organizations, scales poorly, leads to migration and maintenance nightmares, and is very prone to human error. Hybrid systems consisting of automated address scanning tools and manual tracking are cost effective but still too user intensive and therefore prone to human error. The era of IP management spreadsheets needs to come to a close for most.

Figure 1: An Evaluation of Manual Process Solutions.
PROS:
- Short-term cost savings
- Barely adequate solution for small networks with a single administrator
CONS:
- Does not work well with multiple administrators
- Results often inefficient or non-functional
- Difficult to ensure security
- Possibility for catastrophic failure

IPAM Software

Many IPAM solutions exist, and while several manage both the DNS and IP spaces interactively, few were designed for this purpose.

Figure 2: An Evaluation of IPAM Software Solutions.
PROS:
- Automates IP management
- Allows management of DNS space
- Provides reporting and auditing capabilities
- Allows concurrent management and distributed deployment
- Rich client and/or web-based interface
CONS:
- DNS integrated on top of IP, but not tightly integrated
- Requires separate software for deploying configurations
- Installation and integration fees can raise costs manyfold
- Some user interfaces are either too complex or too limited
- Systems need to be kept up to date with manual software patches
- Hardware and supporting software add additional costs and complexity

[2] “IPv6: Open for Business?”, September 2003, The Yankee Group

Current products are generally strong in specific areas while weak or overly complicated in others. Several of the leading IPAM systems started off as IP-address-only systems geared toward carriers, and have been augmented to handle DNS and DHCP services. Many have “rich” clients with specific system and network requirements that have not evolved to meet the needs of multiple administrators in both functionality and usability. Some systems have embraced the web-centric model, but require specific hardware, storage and third-party software, and have simple, shallow-tiered architectures that cannot scale well within the enterprise. The biggest issue with most existing applications is that IP management is the first priority and DNS is an afterthought, when they must be managed equally and intimately, since by design a change to one affects the other. Typical management systems have an entry price of $50,000 and some exceed $1 million; several license their software on a per-IP-address basis. Additional hardware costs, third-party software licenses, and integration fees can inflate this cost model severely.

DNS/DHCP Appliances

Over the past five years, DNS and DHCP appliances have grown in popularity and have replaced many servers in organizations. Appliances require no additional hardware and often displace systems several times their cost. Some systems are web based but lack user concurrency, while others like the Adonis 1000 DNS/DHCP Appliance use “rich” client software to simplify management and provide multi-appliance management. Although DNS and DHCP appliances are eminently suitable to a purpose-driven framework, they are to date less suited to the conceptualization and management capabilities required for modern IPAM systems, such as tens or hundreds of administrators and multiple concurrent configurations.

Figure 3: An Evaluation of DNS/DHCP Appliance Solutions.
PROS:
- Cost effective
- Reduced TCO
- GUI allows quick configuration without lengthy integration process
- Simple update process keeps software up to date
- No additional software or hardware required
CONS:
- Do not scale well for multiple administrators and multiple configurations
- Geared towards providing service rather than managing information
- Customization limited

Toward the Ideal IPAM Solution

The ideal IPAM solution would be designed to manage the IP space and the DNS space while integrating them at every level required. This type of solution would also allow an administrator to conceptualize and design using one view of the network, and realize the designs by interfacing with subsidiary components and servers through a different view. The system would build much of the implementation automatically, and yet allow editing of any part of the configuration. All of the separate components would interact and interoperate, so that IP and DNS spaces could be designed together with the actual deployment details integrated where appropriate. The designer or architect’s ability to visualize the network would be improved by dealing with different services and subsystems separately, while Proteus manages the inherent complexity of the resulting interactions behind the scenes. As networks become more complex and represent more critical infrastructure, a system that can support the collaborative and individual efforts of specialists, while ensuring that their efforts interoperate securely, is essential.

The administrator interface on the ideal IPAM solution would refresh data in an intuitive manner. The conceptual view of the network for a given task would reflect the conceptual level of the administrator performing the task, whether architecting the entire network or modifying an IP allocation.
Management would be centralized, and yet available to administrators across the network. Administrative rights would be clear and hierarchical, and could be modified or delegated as required. Services would be distributed, and yet the entire system would scale easily. Although appliances have yet to offer this level of flexibility, their hardened OS and hardware platforms would be ideal in the volatile environment that these solutions are exposed to.

Managing a complex system like an IPAM with a large number of possible administrators requires a clear audit trail of changes, with the ability to roll changes back. Reporting is also crucial to the processes of planning, communication and standards enforcement. E-mail alerts ensure that the proper staff are aware of issues when, or even before, they arise.

Enterprise clients can have specific requirements for large-scale solutions. A choice of authentication methods improves the ability to integrate with various heterogeneous networks. Some organizations require that a solution be able to integrate with the Relational Database Management System (RDBMS) that they have standardized on. The availability of Application Programming Interfaces (APIs) means that organizations are able to integrate the solution more fully and easily with their existing IT infrastructure investments. Also, SNMP monitoring of systems can be essential in the daily administration of networks of this scale.

This list of expectations, while commonly understood and agreed upon, is surprisingly uncommon in implementation. Current IPAM products offer some of these features to varying extents, but are not strong in some of the above areas. The complexity of IPAM has consigned this type of thorough and usable system to the dreams of frustrated administrators.

The Proteus IPAM System

Traditional enterprise-class IP management systems consist of software components operating on third-party hardware platforms, with additional software and an operating system to manage. DHCP and DNS are often handled by software agents on separate servers, with client software on administrative workstations. This system is costly to implement and maintain because of the myriad of different software and hardware components, increasing complexity and maintenance costs. The Proteus architecture developed by BlueCat Networks differs greatly from traditional systems in the IP address management space, not only simplifying design and administration tasks, but also improving security.

Proteus is an IP address management appliance that requires little or no integration with existing systems, yet can interoperate with mid- to large-sized network management systems. The Proteus appliance itself does not perform DNS resolution or DHCP allocation; it manages, and acts as the central nerve center for, the Adonis appliances and Windows servers that perform DNS/DHCP services. Proteus is the design and monitoring center for IPAM, DHCP, and DNS, and it deploys these configurations to Adonis appliances and Windows DNS/DHCP servers. The Adonis appliances or Windows DNS/DHCP servers become an extension of the Proteus IPAM system, providing a powerful combination of centralized, web-enabled management with distributed service. Proteus can be used for IPAM, including DNS and DHCP, with one Adonis appliance or many hundreds. Real-time data about the state of the address and name space is provided to Proteus from the appliances via an intelligent agent that resides on the Adonis appliance, called the Proteus Command Server.

All Adonis appliances are compatible with Proteus.
While under Proteus central management, Adonis cannot be controlled via the Adonis Management Console.

Designed to allow a large number of concurrent users to modify and view the same data simultaneously, Proteus enables administrators to work together. This approach differs from solutions that lock administrators out of specific areas, or the entire configuration, while another person is making changes. To achieve this goal, several design approaches were considered. Although Adonis uses a rich Java client, BlueCat realized that with Proteus this would increase the TCO because of client-side requirements for large-scale deployments. A Java web client was rejected because it would require a Java Virtual Machine (JVM) on each workstation, more code overhead for multi-user functionality, and data refresh issues. Other systems get around data refresh issues by requiring the user to refresh the data periodically, which helps the application scale but makes it difficult to use.

The decision to use a pure web-based interface allows Proteus to be used with any HTML-compliant browser without the need for specific plug-ins, and a browser refresh always shows the data in its most current state, which is what administrators expect of client-side applications. Dynamically generated HTML scales better for applications like Proteus because not all data is required at the same time, and the administrator’s browsing behavior defines how current the displayed data is.

Web-based applications are viewed as easier to learn than installed applications because users see the process as an extension of browsing the web. This n-tier web architecture also enables Proteus to support Simple Object Access Protocol (SOAP) web services. Proteus currently uses SOAP to receive updates from Adonis. This infrastructure will also enable Proteus to interact with other network services and devices using this increasingly common method of integration. Proteus uses XML natively throughout its systems, and also enables integration with foreign data schemas through user-definable data elements that can be associated with any type of system object.
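Two requirements the text raises, lock-free concurrent editing by many administrators (this section) and an audit trail with rollback (the ideal-solution section above), are usually met together with optimistic versioning: every object carries a version, a write must quote the version it was based on, and a write based on a stale version is rejected so the second administrator re-reads and merges instead of silently overwriting the first. The following is an added illustration of that pattern, not Proteus code, and makes no claim about how Proteus implements it; object IDs and field names are made up.

```python
"""Optimistic versioning with an append-only audit trail and field-level rollback.

Added illustration; not BlueCat or Proteus code. Object ids and fields are constructed.
"""
from __future__ import annotations

import copy
import itertools
from dataclasses import dataclass


class StaleWriteError(Exception):
    """The write was based on a version that is no longer current."""


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str
    object_id: str
    before: dict        # state before the change ({} for a create)
    after: dict         # state after the change
    comment: str


class IpamStore:
    """In-memory configuration objects, each tagged with a monotonically increasing version."""

    def __init__(self) -> None:
        self._objects: dict[str, tuple[int, dict]] = {}
        self._audit: list[AuditEntry] = []
        self._seq = itertools.count(1)

    def read(self, object_id: str) -> tuple[int, dict]:
        """Return (version, private copy of the data); the version is the write token."""
        version, data = self._objects[object_id]
        return version, copy.deepcopy(data)

    def write(self, actor: str, object_id: str, expected_version: int,
              data: dict, comment: str) -> int:
        """Compare-and-swap: apply the change only if nobody wrote in between,
        and record before/after state so the change can be reviewed or reverted."""
        version, before = self._objects.get(object_id, (0, {}))
        if expected_version != version:
            raise StaleWriteError(f"{object_id}: based on v{expected_version}, current is v{version}")
        after = copy.deepcopy(data)
        self._objects[object_id] = (version + 1, after)
        self._audit.append(AuditEntry(next(self._seq), actor, object_id,
                                      copy.deepcopy(before), copy.deepcopy(after), comment))
        return version + 1

    def audit_trail(self, object_id: str | None = None) -> list[AuditEntry]:
        return [e for e in self._audit if object_id is None or e.object_id == object_id]

    def rollback(self, actor: str, seq: int) -> int:
        """Undo one audited change as a new change (history is never rewritten).
        Only the fields that change touched are reverted, so later edits to
        other fields by other administrators survive the rollback."""
        entry = next(e for e in self._audit if e.seq == seq)
        version, current = self.read(entry.object_id)
        for key in set(entry.before) | set(entry.after):
            if entry.before.get(key) != entry.after.get(key):
                if key in entry.before:
                    current[key] = entry.before[key]
                else:
                    current.pop(key, None)
        return self.write(actor, entry.object_id, version, current, f"rollback of change #{seq}")


def demo() -> dict:
    """Two administrators edit the same subnet at once; then one change is rolled back."""
    store = IpamStore()
    net = "net:10.0.1.0/24"                                   # constructed object id
    store.write("import", net, 0, {"cidr": "10.0.1.0/24", "vlan": 10, "desc": "office"}, "initial import")

    v_alice, alice_view = store.read(net)                     # both read version 1
    v_bob, bob_view = store.read(net)

    alice_view["vlan"] = 20
    store.write("alice", net, v_alice, alice_view, "move to VLAN 20")     # -> version 2

    bob_view["desc"] = "office, floor 3"
    try:
        store.write("bob", net, v_bob, bob_view, "add location")         # stale: based on v1
        conflict = False
    except StaleWriteError:
        conflict = True
        v_bob, bob_view = store.read(net)                     # re-read: now sees vlan 20
        bob_view["desc"] = "office, floor 3"                  # re-apply own edit on top
        store.write("bob", net, v_bob, bob_view, "add location (retry)")  # -> version 3

    store.rollback("ops", seq=2)                              # undo only the VLAN move -> version 4
    version, final = store.read(net)
    return {"conflict": conflict, "version": version, "final": final, "audit": store.audit_trail(net)}
```

The compare-and-swap in `write` is what removes the need for locks: readers never block each other, and the only cost of a collision is a retry by the later writer. Recording `before` and `after` on every write is also what makes rollback a reviewable, attributable change of its own rather than a silent rewrite of history.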

Multi-Core Architecture

Many IPAM systems are centered on IP allocation management, and their DNS support has evolved along the way. Proteus IPAM is based on a Multi-Core design that separates different parts of the system into their own sets of interfaces. This, for instance, recognizes that IP and DNS are separate services, but that they must be closely integrated with each other and with other services such as Authentication, Policy Enforcement and Deployment Management.

Multi-Core design enables the configuration to fully integrate both the naming system and the IP address structures that the names represent. Both systems can be modeled through a single interface, but they are kept separate where it makes sense because of how they are used inside the network. A change to an IP address will be reflected in the DNS management of its name, but a DNS name change affects the naming system directly while affecting the address only indirectly. Domain names permit the abstraction of a network device’s address: the name remains the same, but the address can change without requiring applications to be reconfigured.

… that is available for most of the objects within a configuration. A Proteus Configuration contains information about the networks and namespaces along with several levels of Deployment Options, Server Roles and Server Assignments. These controls form the Proteus Deployment Core. The Proteus Deployment services handle the implementation specifics, matching each part of each service to the appropriate managed Adonis Appliances.

[Figure: a Proteus Configuration consisting of an IP Core, a DNS Core and a Deployment Core, which deploys to an Adonis Server; labels in the figure include IP, MX, A, CNAME, /8 and /16.]

The IP core contains information about network breakdown or “allocation blocks”, as well as static and dynamic allocations. This information is integrated with the DNS core to keep the DNS space current with the IP networks that it represents. DHCP configuration is modeled based on the allocation blocks in the Proteus IP Core and is kept current by real-time feedback from the Adonis servers. This allows administrators to monitor allocation, and assists help desk and network personnel in validating and troubleshooting address problems. DNS changes from Active Directory and other updating systems are sent to Proteus in real time, like address allocations, to indicate to administrators that a configuration change was made by an automated process.

Unlike the server-centric interface of Adonis, the Proteus IP/DNS modeling architecture permits abstracted and conceptual manipulation of the Configuration without being tied to a specific server or implementation. This kind of conceptual modeling allows Configuration-specific data to be hidden from the administrator, allowing administrators to focus on the task at hand. The Deployment information for both DNS and DHCP is available at the Configuration level as well as on the Deployment Options screen. For example, DNS authority and glue records are configuration-specific and are required by name servers for proper resolution, but they are repetitive from zone to zone and are not core to conceptualizing the IP/DNS space. Many administrators do not understand why such records exist or when they need to change them. Proteus autogenerates glue records and reverse DNS records; although the administrator can always view them, Proteus generates them when the configuration files for the specific Adonis Appliance are built during Deployment.

User Experience

Utilizing common design patterns and metaphors, the Proteus user interface is designed to target information to the user simply, in task-centric fashion. Users can customize t
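What “autogenerating glue records and reverse DNS records” from an IP/DNS model amounts to, as an added example that is not BlueCat or Proteus code and says nothing about how Proteus itself does it: glue is needed exactly when a child zone is delegated to a name server whose own name lies inside that child zone, and a PTR record is derived from every A/AAAA record and filed into the reverse zone that covers its allocation block. The zone, records and prefixes are constructed (RFC 5737 and RFC 3849 documentation ranges).

```python
"""Glue records for in-bailiwick delegations and PTR records for reverse zones,
derived from a forward IP/DNS model.

Added example; not BlueCat or Proteus code. ZONE, RECORDS and PREFIXES are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Record:
    name: str    # owner name, fully qualified, no trailing dot
    rtype: str   # A, AAAA, NS, CNAME, PTR ...
    rdata: str


def in_bailiwick(host: str, zone: str) -> bool:
    """True if host is the zone apex or a name below it."""
    return host == zone or host.endswith("." + zone)


def glue_records(parent_zone: str, records: list[Record]) -> list[Record]:
    """Address records the parent zone must publish for its delegations.

    If sub.example.com is delegated to ns1.sub.example.com, a resolver cannot
    look that server up without already reaching the child, so the parent has
    to carry its A/AAAA as glue. Servers named outside the child need none, and
    the parent's own apex NS records are glued by the parent's parent, not here.
    """
    addrs: dict[str, list[Record]] = defaultdict(list)
    for r in records:
        if r.rtype in ("A", "AAAA"):
            addrs[r.name].append(r)
    glue: set[Record] = set()
    for ns in records:
        if ns.rtype != "NS" or ns.name == parent_zone:
            continue
        child_zone = ns.name
        if not in_bailiwick(child_zone, parent_zone) or not in_bailiwick(ns.rdata, child_zone):
            continue
        if not addrs.get(ns.rdata):
            # Deploying this would publish a lame delegation: fail the build instead.
            raise ValueError(f"delegation {child_zone} -> {ns.rdata} has no address record for glue")
        glue.update(addrs[ns.rdata])
    return sorted(glue)


def reverse_zone(cidr: str) -> str:
    """'192.0.2.0/24' -> '2.0.192.in-addr.arpa'; '2001:db8::/32' -> '8.b.d.0.1.0.0.2.ip6.arpa'."""
    net = ipaddress.ip_network(cidr, strict=True)
    bits_per_label = 8 if net.version == 4 else 4          # octets vs nibbles
    if net.prefixlen % bits_per_label:
        raise ValueError("classless reverse zones (RFC 2317) are not handled here")
    labels = net.network_address.reverse_pointer.split(".")
    address_labels = 4 if net.version == 4 else 32
    keep = net.prefixlen // bits_per_label
    return ".".join(labels[address_labels - keep:])


def reverse_records(records: list[Record], prefixes: list[str]) -> dict[str, list[Record]]:
    """One PTR per A/AAAA record, grouped by the reverse zone of the block that holds it."""
    zones: dict[str, list[Record]] = {reverse_zone(p): [] for p in prefixes}
    for r in records:
        if r.rtype not in ("A", "AAAA"):
            continue
        owner = ipaddress.ip_address(r.rdata).reverse_pointer
        for zone in zones:
            if in_bailiwick(owner, zone):
                zones[zone].append(Record(owner, "PTR", r.name))
                break
        else:
            raise ValueError(f"{r.rdata} lies outside every managed block")
    return {z: sorted(rs) for z, rs in zones.items()}


# Constructed forward model for example.com, including one delegated child zone.
ZONE = "example.com"
RECORDS = [
    Record("example.com", "NS", "ns1.example.com"),
    Record("example.com", "NS", "ns2.example.com"),
    Record("ns1.example.com", "A", "192.0.2.10"),
    Record("ns2.example.com", "A", "192.0.2.11"),
    Record("www.example.com", "A", "192.0.2.20"),
    Record("www.example.com", "AAAA", "2001:db8::20"),
    Record("sub.example.com", "NS", "ns1.sub.example.com"),   # in-bailiwick: needs glue
    Record("sub.example.com", "NS", "ns2.example.com"),       # served by the parent itself
    Record("ns1.sub.example.com", "A", "192.0.2.30"),
]
PREFIXES = ["192.0.2.0/24", "2001:db8::/32"]
```

Calling `glue_records(ZONE, RECORDS)` yields only the A record for ns1.sub.example.com, and `reverse_records(RECORDS, PREFIXES)` files four PTRs under 2.0.192.in-addr.arpa and one under 8.b.d.0.1.0.0.2.ip6.arpa. The two failure modes a generator should refuse to deploy are shown as exceptions: a delegation with no address for its in-bailiwick server (a lame delegation) and an address that falls outside every managed block (an orphan PTR).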
