Posts

Showing posts from 2021

Inglorious DDI

We all know how critical DHCP/DNS/IPAM (DDI) services are. Your network cannot function without them. But like most foundational elements of anything, they are certainly not glamorous...like good luck finding a home designer who specializes in home foundations. I would not be shocked should HGTV pass on my brilliant concept for a foundation building show. I suppose most people would find a show detailing footing depths and concrete pouring techniques rather boring.  Nevertheless, there are countless shows for redesigning and remodeling homes. On most episodes the foundation is out of sight, out of mind. If it's stable, no one wants to pay it attention, they just expect it to keep doing its job, supporting the structure. Once in a while a foundational issue is brought up that unexpectedly threatens to raise the budget to heighten the drama. All work stops until the issue is addressed. And you'll notice that the owner never denies paying the extra amount to fix the issue. ...

IPAM-As-Code

IP Address Management (IPAM) is often considered a necessary evil by most IT and Operations Engineers. Every time a new virtual instance in the cloud or on prem is instantiated, or an old fashioned server is deployed, both an IP address and DNS name need to be assigned...every time. Of course, the assigned IP address must be unique at least within a given routing domain, and the DNS name must be uniquely resolvable to enable users and other machines to connect with it. Beyond their respective uniqueness requirements, these core configuration elements must also be relevant to their respective deployment realms, such as subnet and DNS domain, so just any old assignment won't do. In addition, with the speed of today's business demanding a highly dynamic rate of change in creating, realigning or destroying virtual instances across a multi-cloud network, the assignment process must be always available and instantly responsive to not impede your business velocity. While assigning IP ...

DNS is to Devices as Google is to People

Thanks to search engines like google, locating articles, blogs, opinions, and even bona fide information on the Internet is as simple as posing a question in a web browser. Just type in your query then click on one of the search engine results to access the corresponding content. Of course, between the point when you click on a result and arrive at the linked page, the critical function of the domain name system (DNS) performs its crucial yet hidden role. Each search result displays text to the searcher representing content they can expect to find if they click on it. With the hypertext markup language (HTML), behind the text lies the corresponding uniform resource locator or URL. The URL is in the form of a web address that you might enter into your web browser, like www.google.com.  Names are helpful for humans using the Internet to identify desired destinations, but your laptop, mobile, watch, etc., generically "device," connects to your destination using the Internet Prot...

Call me...on DNS

DNS has proven incredibly versatile and scalable in resolving email, web, and application services names to IP addresses across the global Internet for over three decades. And its versatility seems to have no limits as DNS can even be used to map telephone numbers into IP addresses too. The means to perform this mapping function is useful for voice applications, not to mention other generic applications requiring resolution with one or more layers of indirection. The ENUM (E.164 telephone number mapping) service has been defined to support telephone number resolution. ENUM supports the mapping of telephone numbers, in ITU E.164 format, into uniform resource identifiers (URIs). A URI is an Internet identifier consisting of a uniform resource name (URN) and a uniform resource locator (URL). A simple example: for URL http://www.ipamworldwide.com with URN file.txt, the corresponding URI would be http://www.ipamworldwide.com/file.txt.  The mapping of E.164 numbers (or other arbitrary do...

Is DHCPSEC a thing?

Dynamic Host Configuration Protocol (DHCP) and the Domain Name System (DNS) are both foundational IP network services, enabling devices to connect to networks (via automated DHCP address and parameter assignment) and to navigate networks (via DNS name-to-IP resolution). DNSSEC refers to DNS security extensions, which is an Internet standard for signing and validating digital signatures on DNS response data. This process requires the signature-validating resolver to possess a trusted key which validates the response data signature, and by so doing, authenticates the data as published by the domain administrator and affirms the integrity of the data as matching that which was published. A single trusted key can be used to validate the entire Internet name space, thanks to the DNSSEC "chain of trust" mirroring the immanent DNS domain hierarchy up to the root zone.  In the DHCP realm, there is no such hierarchy and a given mobile device could roam across multiple networks, each w...

The Numerous Components of a Zero Trust Network

In the face of a rising tide of network infiltration attempts via increasingly diversified attack vectors, enterprises must constantly remain vigilant and proactive in managing system monitoring and attack detection solutions. Whether you realize it or not, IP address management (IPAM) plays a key role within your overall network security strategy. Core IPAM functions, including tracking IP inventory, allocating address space, monitoring network access through DHCP and discovery, and various DNS security tactics not only serve as requisite network functions but are critical to your network security strategy. As the sophistication of attacks continues to spiral, defensive strategies including IPAM must likewise evolve to keep pace if not outpace nefarious exploitation of network and system vulnerabilities. The concept of zero trust networks , originally posited by Forrester Research a decade ago, is rising in prominence as a fundamental network security approach within enterprises, acro...

Introduction to the Industrial Internet of Things

The Internet of Things or "IoT" refers to the evolution of the Internet beyond connectivity and interaction among traditional user-operated devices like PCs, tablets, phones and similar types of devices into the realm of connectivity and interaction with non-user operated devices such as sensors, monitors and remotely controllable devices. Internet-enabling such “unmanned” devices allows them to autonomously report events, updates, status changes, or to perform remote actions commanded by users or other devices via the Internet. The popularity of home assistants, security systems, video doorbells, thermostats, door locks, etc. evinces the continuing expansion of IoT devices within residences.  IoT also boasts exceptional growth prospects for all types of industries such as utilities, energy, manufacturing, pharmaceuticals, educational institutions, municipalities, and others. This enterprise realm of IoT is referred to as the industrial IoT , or IIoT, where sensors, monitors,...

Open Your Eyes to Better Network Security

Let's face it, your business relies on your network. From email to web browsing, and video meetings to chats, your network is indispensable to the usability of these applications that facilitate basic work functions like collaboration, communication, education and sales. Your network is mission-critical and the performance and availability of your network is paramount. Recognizing this, many organizations actively manage and monitor their networks in order to detect performance degradations and outages on network links, routers, switches and computing infrastructure. Such proactive monitoring affords an early warning system for teams responsible for network uptime and performance to identify and begin troubleshooting issues, not to mention potential security events, before network users are affected. Deployed redundancy of links and infrastructure can provide uninterrupted performance from the end user perspective, while allowing time for troubleshooting teams to rectify the situat...

Automating Cloud IPAM by Example

Image
Automation is a hot topic within IT organizations these days, as well it should be. Automation offers tangible benefits in terms of reducing costs, increasing agility, diminishing manual efforts and minimizing human errors while performing a process. I recommend considering IP address management (IPAM) tasks within your automation design as I proposed in a prior post , given IPAM's tentacles menacingly reaching into virtually every IP device initialization, movement or decommissioning process. But how does one go about designing automation? Consider that you can automate a process if it consists of a repeatable set of discrete tasks required to perform a function or unit of work. Some tasks may be performed in parallel with others and most tasks require input values provided by or derived from prior tasks to begin. Documenting the tasks required and the sequence or flow of tasks, i.e., as a workflow or flowchart, is a prescribed first step. Once you've laid out the basic flow, ...

Automate Your IPAM to Acclerate IT Service Delivery

Automation is among the key motivators for implementing an IP address management (IPAM) system. With the ubiquitous adoption of Internet-based technologies engendering IP networks over which nearly all of your applications communicate, it makes sense to simplify and minimize resource impacts for such networked applications and corresponding support. This IP convergence provides financial, efficiency, and productivity benefits in and of itself, but it also escalates reliance on and ensuing scrutiny of IP network performance, resiliency and integration into key business processes.  Underpinning this IP convergence is the IPAM foundation. Email, web, application servers need IP addresses and DNS names. User laptops, mobiles, and other devices need IP addresses. Cloud virtual machines or containers need IP addresses and DNS names. Literally every device you need to connect to your network needs an IP address; and if users need to reach it by name, it also needs a DNS name. With no IP a...

SD-IPAM for SD-WAN

Software-defined wide area networks (SD-WANs) enable organizations to increase networking efficiencies, improve cloud application performance, centralize provisioning, simplify operations, and reduce costs. Please read my recent post for an overview of  SD-WAN. In this post, we'll discuss the importance of flexible, adaptable and "software-defined" IP address management (IPAM) to fully realize the benefits of SD-WAN and to improve your security posture in the face of multiple Internet breakout points. IPAM comprises foundational network services for your IP network, which typically encompasses private networks, cloud networks, remote access networks, Internet of Thing networks and the Internet. Key IPAM functions include managing IPv4 and IPv6 address space across this diverse network landscape and requires tracking assigned and available addresses, allocating address blocks, splitting and joining address blocks as well as moving and freeing up address blocks and subnets...

What is SD-WAN?

Image
The concept of software-defined networking (SDN) can be traced back to common channel signaling (CCS) technology developed during the 1970's and 1980's for use in telecom networks. The CCS #7 protocol operates via a signaling network independent of the telephony traffic (e.g., bearer) network and provides call setup, routing, release and related functions. In an analogous fashion, SDN decouples the data or bearer plane from the control or signaling plane. As illustrated in Figure 1, the data plane comprises network routing hardware or virtualized network functions while the control plane includes software that “defines” or monitors, manages and reconfigures network routers to achieve optimal performance. Software-defined wide area networks (SD-WANs), the WAN component of SDN, enable organizations to partially or entirely supplant private network services such as Multi-Protocol Label Switching (MPLS) in order to improve network performance, centralize provisioning, simplify oper...

Applying ITIL4 to IP address management

 The discipline of network management affords innumerable technical and business benefits to organizations via the centralization of control, monitoring, and provisioning of distributed network elements such as routers and application or services databases. These benefits include holistic management of the entire network from a centralized point where appropriate resources and expertise can be leveraged for troubleshooting, resolution, and escalation. This pan-network approach lends itself well to supporting structured network change control procedures and is even more crucial today with enterprise networks expanding into clouds, IoT subnetworks, and mobile networks. Because IP addresses and associated DHCP and DNS functions are foundational to IT services and applications running over an IP network, these functions must be prudently managed, much as other critical network infrastructure elements are managed. The most commonly applied network management approach is that of the FCAP...