TCPWave IP Address Management

Transcription

1 Whitepaper TCPWave IP Address Management Built for the next generation cloud computing enterprises

2 Introduction to IP Address Management The IP Address Management, IPAM refers to managing the allocation, administration, and tracking of the public and private IP addresses and associated devices. Enterprises deploy systems and devices that interact with the DNS and DHCP serves in order to manage the IP addresses. A majority of the enterprises still use manual processes or spreadsheets for IP address management. A single request to allocate an IP address to a device may involve different parties in the company and coordinating their responses. This tends to take more time and is error prone without any recovery mechanism built in due to outages and not to mention its cost. The TCPWave IPAM solution automates all aspects of the IP address management thus reducing the network operating costs. It eliminates the network down time. As most of the steps are automated with extensive checks and balances, it eliminates the configuration errors. This whitepaper discusses the importance of an IPAM solution that is automated and how TCPWave s IPAM solution meets FCAPS capabilities easily. It also lists how the TCPWave s solution is superior to most of the IPAM solutions offered by other vendors.

3 The TCPWave IPAM Solution TCPWave IP Address Management allows the Network Personnel to automate the process of allocating and de-allocating the IP address resources. This automation is both efficient and intelligent. The IPAM can dynamically manage the available address space by complying with the Organization s IP Address and Security policies. TCPWave s IPAM provides an intuitive Graphical Web User Interface through which you can not only manage the DHCP but also the Domain Name System Services. The TCPWave s IP Address Management software for DHCP, DNS and IP Address management (DDI) includes a full-featured and integratable IPAM solution that helps network administrators eliminate network conflicts and outages, track critical assets, ensure network security and providing reports based on a wide range of parameters, including IP address status (dynamic, static, available, reserved, etc.), networks, subnets, admin activities. Even though multiple DDI providers are there in the market today, each one of them have numerous product deficiencies, which cause issues as enterprises scale and newer technologies rely more on the fundamental DNS and DHCP protocols. The architecture and design of the TCPWave IPAM is performed in a meticulous way after reviewing the Gartner article, which highlights the deficiencies of the current available DDI products in the market.

4 Built With Latest Technology TCPWave s IPAM is built from scratch using the fastest and robust jquery framework and Java. One of the primary benefits of TCPWave s IPAM is the ability to handle cross browser issues seamlessly. While other IP Address Management implementations have issues working with all browser versions and the management is not possible using a mobile device, TCPWave s IPAM has been engineered to the extreme to work with all browsers and all smart phones and tablets. TCPWave s IPAM, built using the latest Java technology is much faster and can seamlessly integrate into the existing automation via RESTful API calls. TCPWave s RESTful API comes with extensive documentation and examples.

5 Simplified Dashboard TCPWave s IPAM provides fault management, performance management, config assurance, patch management and IPAM software in one bundle. There is no need to purchase monitoring software to manage your DNS Infrastructure. TCPWave s IPAM integrates with EMC SMARTS and automatically sends SNMP alerts when critical events arise in IPAM operation. Scheduled changes can be managed more efficiently and roll backs take place automatically if the change implementation fails. TCPWave also provides a powerful dashboard to monitor all the core components of the DDI infrastructure managed by the TCPWave IPAM with extensive graphing capabilities for performance management metrics. TCPWave s DNS and DHCP appliances are automatically added to the fault and performance management once they are a part of the TCPWave IPAM ecosystem.

6 Network Topology and Health Management TCPWave s IPAM enforces strict database integrity checks. Its smart logic checks the sanity of the DNS and DHCP configuration files before sending them to the remote DNS and DHCP devices. This ensures that the remote devices do not crash after getting an update from the DDI. Thus it eliminates manual DNS and DHCP push. DNS updates take place in real time and DHCP configurations are updated automatically when new scopes are defined. Powerful metrics used by the dashboard assist you in identifying bottlenecks in your network. IPv4 and IPv6 Support TCPWave s IPAM solution supports both IPv4 and IPv6 out of the box. It covers IPv4 and IPv6 needs of the organizations. With TCPWave s IPAM, organizations and service providers can avoid the risks of IP address shortage, reduced online presence and losing out potential customer base. They can roll out new services based on IPv6 with zero delays. DNS and DHCP Integration TCPWave s IPAM can efficiently manage DNS and DHCP servers in ways far better than most other IPAMs. The DNS and DHCP servers can be easily provisioned and integrated with TCPWave s IPAM with a simple mouse click. It can do RFC 2136 Dynamic DNS updates and zone records reconciliation with strong security mechanisms like TSIG, DNSSEC, Encrypted message transfers etc.

7 Information Security TCPWave s IPAM supports TACACS+, Active Directory, Radius, PAM, and Single Sign On authentication mechanisms. TCPWave s appliances have passed the most stringent ethical hacking and penetration tests where our competition failed. When BIND exploits take place, TCPWave s IPAM protects your mission critical DNS infrastructure because it provides a non-bind solution in addition to BIND to fend off DNS exploits. TCPWave s IPAM offering is an innovative security-as-a-service bundled product that delivers core network infrastructure solutions that help organizations protect their mission critical networks from DNS attacks and enable them to effectively meet the complex and evolving regulatory compliance and data governance mandates that have been spawned from highly publicized data breaches. TCPWave, positioned by the financial sector in Wall Street, New York as a best in class appliance provider delivering an integrated suite of on-demand data protection solutions spanning DNS threat management, regulatory compliance, data governance and secure B2B communications all of which are based on a

8 common security-as-a-service platform. Simply put, our solutions help organizations to: Keep DNS DDOS attacks out of their environments Prevent the theft or inadvertent loss of sensitive information Collect, securely retain, govern and discover sensitive data for compliance and litigation support Securely communicate and collaborate on sensitive data with customers, partners and supplier Segregation of Duties Segregation of Duties are Control Activities that reduce the risk of error and malicious DNS/DHCP activities or human errors, through proper division of tasks between employees. As DNS and DHCP relate to the core functionality of mission critical network services, it is the proper Segregation of Duties in the TCPWave IPAM that prevents the potential for employee circumvention of controls. Using the TCPWave IPAM, User Administrators can only create user accounts and cannot alter DNS/DHCP data. Power and Normal accounts can alter DNS/DHCP data but they cannot define user accounts. All the user actions are audited. The TCPWave IPAM then collects all the changes every midnight and sends them to an distribution list that is used to reconcile and verify the transactions against a foreign change control mechanism. The various types of administrators and their descriptions listed below:

9 SADM Super Admin, has access to all the functionality of the system FADM Functional Admin, Special admin with functional privileges and valid for the special user twcadm only. UADM User Admin, Has access to user administration functionality only NADM Normal Admin, Has privileges only to create Objects and Scopes PADM Power Admin, Has access to Zone/Domain/Server/Network/Subnet/Scope /Template/Object RADM Read-only Admin When the product is initially shipped, the only account available in the product is twcadm (Functional Admin). This account is used to define the SADM and UADM accounts that in turn create the NADM/PADM/SADM accounts to manage the IP address space and comply with the segregation policies that are a mandatory requirement in many of our financial client deployments. High Availability and Scalability TCPWave s IPAM is highly scalable and reliable IP address management solution. It ensures strict database and configuration integrity checks. The solution is built with high availability and disaster recovery management to ensure the continuity of business critical services. In case of catastrophic failure scenarios, a secondary server automatically takes over the primary server s role without interrupting the enterprise network.

10 Audit and Traceability TCPWave s IPAM comes with an extensive audit capability, which provides accurate forensics for IP Audit, subnet audit, network audit, domain audit etc. You can customize the auditing policies to audit what the Security team is interested in for better audit reviewing. The Login audit enables detection of unauthorized intrusions in to the system. A combination of failure and success authentication audits help determine when the breach of security occurred. Isolation and preservation of the security events logs helps track users who gained unauthorized admin privileges. The preservation of logs also avoid login failure logs to be overwritten through Denial of Service Attacks. The Network, Subnet, and Domain audits provide extensive information related to network traffic, IP allocations etc. These audits help in detecting unusual network traffic, IP address allocation and de-allocation rates, DNS query rates etc.

11 Reporting The TCPWave s IPAM solution has rich report generation component. It can used to generate variety of reports like usage reports, audit reports etc. Also, these reports can be generated at a scheduled time and sent to different admins using the scheduler. Diverse DNS Support TCPWave IPAM comes with ISC s BIND and YADIFA. TCPWave has chosen YADIFA as a safe alternate name server implementation developed by EURid vzw/absl, the registry for the.eu top-level domain. EURid vzw/absl developed YADIFA to increase the robustness of the.eu name server infrastructure by adding a stable alternative to the other name server implementations in use. TCPWave s backup authoritative DNS server software is RFC compliant, supports DNSSEC with NSEC and NSEC3, has full and incremental zone transfer handling (AXFR and IXFR ) and contains source code enhancements to support dynamic updates.

12 TCPWave s IPAM securely, supports SNMP and it is not exposed to the BIND vulnerabilities since the code base is completely different. TCPWave has chosen Unbound as a component for the cache appliances controlled and managed by the TCPWave IPAM. Unbound is a very secure validating, recursive, and caching DNS server which incorporate features including enhanced security (DNSSEC) validation, Internet Protocol Version 6 (IPv6), and a client resolver library API as an integral part of the architecture. DNSSEC Integration TCPWave s IPAM offers Secure DNS utilizing highest level of encryption and makes DNSSEC deployments very simple, empowering service providers to provide secure DNS hosting and name resolution services. Secure DNS: TCPWave s IPAM supports DNSSEC thereby enabling service providers to provide secure DNS hosting and name resolution services. Further DNSSEC is used for secure Dynamic DNS updates that are RFC 2136 compliant. The DDNS updates ensures seamless zone updates without the need to restart the DNS server process. The DNSSEC rich set of features further include automatic key generation, zone signing, and scheduled DNSSEC key rollouts. The DNS server masters and slaves use secure TSIG transactions for full and incremental zone transfers.

13 Traditional DNS is vulnerable to multiple security exploits. Managing DNS with DNSSEC or GSS-TSIG has many operational overheads. Sending DNS updates using UDP port 53 has been proven as an insecure way to operate the mission critical DNS infrastructure. TCPWave has designed a revolutionary method of securing dynamic changes using a robust security model. Changes made in the IP Address Management web interface are sent using a secure conduit from the management server to the remote DNS server. A powerful logic developed in Java examines the contents of the update, determines the authenticity of the source IP Address, and verifies if the IPAM server sent the message and then processes the message. After updating the master DNS, the secure conduit service sends an acknowledgement back to the management server. If the acknowledgement is not received, the management server sends a retry. This communication uses a TCP port with a 1024 bit encryption key.

14 Command Line Interface (CLI) The TCPWave s IPAM solution comes with a rich and powerful set of commands which can be used to perform all the functions provided by the UI. They can be used to automate any functionality easily and can be integrated with existing automation scripts. root@www1 ~]# twc addobject --obj_address= obj_name="server " --class_code=pc --domain=tcpwave.com --obj_alloc_type=dynamic -- opt_template=generic --dhcp_server="nusalx-trv10-sl098" -- mac=01:23:45:67:89:ab --desc="internal Server" --ttl=300 --ns_a=1 -- ns_ptr=1 --ddns_a=1 --ddns_ptr=1 --ddns_cname=1 --ddns_mx=1 Object added successfully. Auto Discovery The TCPWave s IPAM is a smart and reliable IP address management for any organization with complex and dynamic network infrastructure. It automatically discovers your network topology and updates itself when new subnets are discovered on the network. When a new Arista switch is provisioned, automation can automatically inform TCPWave DDI to add the router interfaces into DNS, define the subnet profiles and add DHCP scopes for a rapid provisioning. The networks and subnets can be configured to be scanned periodically to detect the changes in the network nodes and then update the objects data. It can discover all the network devices and their configuration via ICMP, SNMP and NetBIOS protocols and consolidate the newly collected data with the existing data. Scheduler The Scheduler Engine provided by IPAM is a highly scalable, secure task scheduling engine. It can be used to schedule the jobs in various ways. The scheduler can be used to schedule any object create/update/delete operation or to patch the system or perform any administrative type of jobs. They can be scheduled on a daily or weekly or monthly basis. Also, it provides support for scheduling the jobs either repetitively or one time basis. This will be particularly useful to schedule either audit reports or usage reports to be sent to the admins.

15 Patch Management TCPWave s IPAM solution has a powerful patch management component using which all the components in the IPAM environment can be easily patched. This includes DNS and DHCP servers too. The patch management allows only TCPWave approved patches to be applied and all the patches are encrypted. So, patching any system will be secure and safe. Search Engine TCPWave s IPAM solution provides a powerful search engine. It can be used to search literally anything in the IPAM constellation. TCPWave IPAM for Cloud DNS The TCPWave IPAM takes the DNS management of enterprises to the next level with the built-in Cloud Integration. TCPWave customers can now mix and match DNS hosted in public cloud, private cloud, and dedicated TCPWave Remote DNS servers to create an ideal environment. Cloud DNS hosting provides a highly available and scalable DNS service and improves the resiliency of the TCPWave managed DNS infrastructure in the private enterprises. Data center disaster recovery is tremendously improved when single points of failure are eliminated at the DNS authoritative service layer. TCPWave IPAM ensures that the DNS zone data gets a constant validation to ensure that the cloud provider s DNS is in perfect harmony with the TCPWave managed DNS. When an object is updated in the TCPWave IPAM, the cloud providers are automatically updated too. Enterprises are shielded from exposing their internal DNS servers to the cloud and opening up DNS ports on the firewall for DNS zone transfers with the cloud providers. TCPWave customers can also choose to have all the three providers listed below to provide cloud DNS hosting for every DNS zone managed by TCPWave IPAM.

16 DNS Zones created in the TCPWave IPAM support Zone Mirroring with Amazon s Route 53 DNS and Rackspace DNS. DNS records added to the TCPWave IPAM are automatically synchronized with the cloud providers listed above using TCPWave s powerful RestAPI methods. The management communication uses encrypted SSL thereby preventing man in the middle attacks. Advantages over Competition Unlike TCPWave s IPAM, Open source IPAMs and some of our competitor's products have security issues like XSS, SQL injections, plain text passwords, directory traversal, logs saving passwords in plain text, ldap account password transmitted in plain text etc. TCPWave Information Security experts were also able to dump the competitor database and were able decode the unsalted hashes of all the users and log files which included plain text passwords. Unlike competitors, TCPWave s IPAM allows root level access of DNS and DHCP appliances for privileged users. TCPWave s IPAM provides a mechanism to integrate RESTful services with other systems securely using a secure access token that is valid only for the given client.

17 Conclusion TCPWave provides an IP Address Management solution for your evolving cloud infrastructure with numerous competitive advantages. Faster than competition Cost Effective Robust Encryption Scalable Java 7 + Rest API + Multi-dimensional Algorithms = Fastest IPAM The initial capital spend is aggressively priced and the return on investment is 12 months for enterprises. Elimination of UDP based updates to DNS and configuration pushes. Tested to manage over a billion objects with unique referential integrity checks. TCPWave IPAM does not have a 1000 zone DNS limitation. Disaster Recovery The only IPAM, leveraging Dual DNS and intelligent disaster recovery. Simplified Migration Ability to import 1 Mil. objects in under 17 minutes with Human Error Protection. Automated Discovery Discover 64k objects in under a minute, not hours. User Friendly Unique Dashboard with better monitoring and Management more control. Customer Support Experts TCPWave Customer Support Helpdesk is equipped with senior level 3 engineers available for you on a 7x24 basis. How to reach us: Contact us at to schedule a demonstration of our product. Or ewagner@tcpwave.com Phone: