The Men & Mice Blog

Men & Mice Suite IPAM and DNS with xDNS Redundancy™: security without complexity

Posted by Greg Fazekas on 8/22/18 7:12 AM

As we increased focus on cloud optimization, DNS redundancy, and compatibility across hybrid and multi-cloud networks in our latest Men & Mice Suite v9.1 release, we also went to great lengths to ensure visibility and ease-of-use across IP address management as a means of increasing network security.

Dynamic IP infrastructure challenges require dynamic DNS management

IP address management in general, and creating DNS redundancy in particular, are complex and often expensive challenges for network administrators. The possibility for human error leading to configuration errors and DNS failures, establishing where, and with which vendor in a distributed network an error has occurred, and the sheer disruptive power of DDoS attacks compound these challenges. Furthermore, increased redundancy across various environments within a network ecosystem often brings with it hindered visibility.

Without redundancies, however, networks are more susceptible to failure. Thus an important feature in the Men & Mice Suite 9.1 release is the improved xDNS Redundancy™.


xDNS Redundancy in Men & Mice Suite v9.1

Men & Mice Suite's xDNS Redundancy™ provides a level of abstraction that builds automation, provides centralized views, eliminates human error and removes conflicting DNS service provider platform complexities (e.g. incompatible APIs). It increases visibility and control of networks with hybrid or multiple cloud DNS providers by unifying management, supporting Active Directory-hosted zones, offering the ability to create read-only zones (see below), and improving native support for Azure DNS and Amazon Route 53, all of which benefits the functionality and core health of IP infrastructure.

We think of it as “taking the ‘daunt’ out of DNS redundancy." It streamlines the migration and management of a large number of DNS zones, such as with Azure DNS and Amazon Route 53, by utilizing cloud-native features to monitor changes to DNS made outside of the Men & Mice Suite, greatly improving synchronization of DNS data from cloud providers. It also enables the assignment of read-only zones across the network to boost resilience against DDoS attacks and other DNS failures.

xDNS Redundancy for creating read-only DNS zones

It is now possible to mark a DNS zone in an xDNS replication group as read-only. While internal changes are synced, external modifications to read-only xDNS instances will not be replicated to other zones.  

Once an xDNS zone redundancy group has been created, xDNS assists the administrator in creating identically replicated zone content, resulting in multiple equal master zones. Additional zones can be added or removed from the xDNS group as required.

If an xDNS zone is not available for updating (for instance - pun intended 😁 - if one DNS service provider experiences an outage) it will be marked as ‘out-of-sync’. Once it becomes available again, current data will be re-synchronized and updated from other zones.

All changes can be initiated by the authorized user through the Men & Mice Suite’s web-based or Windows-based management consoles or APIs, and will be applied to all zone instances in the group. All changes to xDNS grouped zones made externally, or outside of the Men & Mice Suite, will not be synchronized.

DNS management built for the cloud

A common pain point for CISOs and network managers is the lack of centralized views and the workflow automation difficulties of coordinating on multiple platforms. Whether you’re using a single-platform deployment or a combination of cloud DNS providers (from Akamai Fast DNS to Azure DNS, Amazon Route 53, Dyn, NS1, or OpenStack), Men & Mice Suite’s xDNS gives you a convenient means to monitor and manage all your DNS resources within the Men & Mice Suite.

Simplifying the management of high-availability network resources across multiple environments is crucial for making network management intuitive and effective. To further address this, we added a web-based application in our 9.1 release, which rounds out the visibility trifecta that also includes a Windows-based management console as well as reliable and compatible REST, SOAP and JSON-RPC APIs. CISOs and network managers are able to look into their domains (again: pun absolutely intended 😉) from anywhere at any time, the way it works best for them.

The Men & Mice Suite is already known to be a robust DNS, DHCP and IPAM (DDI) solution that's easy to implement and able to leverage existing infrastructure investments to provide the visibility and ease-of-use for hybrid and multi-cloud environments that’s missing from competitive products.

Fast and efficient in heterogeneous DNS and DHCP environments, the Men & Mice Suite supports thousands of concurrent users and API connections, with millions of managed IPs and DNS records, for automation and provisioning, whether on Unix/Linux, Windows and Cisco IOS or across cloud services like Azure DNS, Amazon Route 53, Dyn, NS1 and Akamai Fast DNS, as well as IPAM in AWS, Azure and OpenStack.

We’ll be at VMWorld, at booth #2124. Let us show you how Men & Mice Suite’s xDNS functionality can ease network management and protect against errors, DDoS and other attacks.

Topics: network outages, IP address management, hybrid cloud, hybrid network, DNS events, vmworld, network security, Azure DNS, Cisco IOS, Amazon Route 53, Dyn, NS1, Akamai Fast DNS

Network Outages, Human Error and What You Can Do About It

Posted by Men & Mice on 12/18/17 7:14 PM

When your route leaks 

Human error. As far as mainstream reporting on network outages goes, it’s the less flamboyant sidekick to DDoS and other cyber attacks. But in terms of consequences, it’s just as effective.

Once again, at the beginning of November, large parts of the US found themselves unable to access the internet due to one small error: a misconfiguration at Level 3, an ISP (Internet Service Provider) that underpins other, bigger networks.

According to reports the outage was the result of what is known as a “route leak”. In short, a route leak occurs when internet traffic is routed in inefficient, or simply wrong, directions due to incorrect information provided by one, or multiple, Autonomous Systems (ASes). ASes are generally used by ISPs to keep track of IP addresses and their network locations. Packets of data are routed between ASes, which use the Border Gateway Protocol (BGP) to establish and communicate the most efficient routes so you can browse the whole internet, and not just the IP addresses on your particular ISP’s network.

Route leaks can be malicious, in which case they’re referred to as “route hijacks” or “BGP hijacks”. But in this case, it seems the cause of the outage was nothing more spectacular than a simple employee blunder, when (as speculation goes) a Level 3/CenturyLink engineer made a policy change which was, in error, applied to a single router while trying to configure BGP for an individual customer. This particular incident constitutes what the IETF defines as a Type 6 route leak, generally occurring when “an offending AS simply leaks its internal prefixes to one or more of its transit-provider ASes and/or ISP peers.”

Route leaks, small and large, are regular occurrences – they are part and parcel of the internet’s dependency on the basic BGP routing protocol, which is known to be insecure. Other recent high-impact route leaks include the so-called Google/Hathway leak in March 2015 and a misconfiguration at Telekom Malaysia in June 2015 which had a debilitating knock-on effect around the world.

To minimize the possibility of route leaks, ISPs use route filters that are supposed to catch any problems with the IP routes that peers and customers intend to use for the sending and receiving of packets of data.

Other ways of combating route leaks include origin validation, NTT’s peer locking and commercial solutions. Additionally, the IETF is in the process of drafting proposals on route leaks.
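To make the route-filter idea above concrete, here is an added example (not code from the original post or from Men & Mice) of the check a transit provider applies to announcements received from a customer session: the origin AS must be inside the customer's cone, the prefix must be registered to that origin, and it must not be more specific than the configured maximum. All ASNs and prefixes are constructed from documentation and private ranges.

```python
import ipaddress

# Constructed allow-list of the kind an ISP builds from IRR/RPKI data:
# origin ASN -> prefixes that ASN is registered to originate.
# These are private-use ASNs and documentation prefixes, not real networks.
REGISTERED_PREFIXES = {
    64500: ["192.0.2.0/24", "2001:db8:1::/48"],
    64501: ["198.51.100.0/24"],
}
# Customer cone of this peering session: the customer AS and its downstreams.
CUSTOMER_CONE = {64500, 64501}
# Longest prefix accepted per address family (typical DFZ limits).
MAX_PREFIX_LEN = {4: 24, 6: 48}


def check_route(prefix, as_path):
    """Return (accept, reason) for one announcement on a customer session.
    as_path lists ASNs left to right; the last element is the origin AS."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False, "unparseable prefix"
    if not as_path or as_path[-1] not in CUSTOMER_CONE:
        return False, "origin AS outside customer cone"
    if net.prefixlen > MAX_PREFIX_LEN[net.version]:
        return False, "prefix too specific"
    origin = as_path[-1]
    for allowed in REGISTERED_PREFIXES.get(origin, []):
        allowed_net = ipaddress.ip_network(allowed)
        if net.version == allowed_net.version and net.subnet_of(allowed_net):
            return True, "ok"
    # Unregistered space leaking out of the customer: the Type 6-style case.
    return False, "prefix not registered to origin AS"


def filter_session(announcements):
    """Split a list of (prefix, as_path) announcements into accepted/rejected."""
    accepted, rejected = [], []
    for prefix, as_path in announcements:
        ok, reason = check_route(prefix, as_path)
        (accepted if ok else rejected).append((prefix, reason))
    return accepted, rejected


# Constructed sample feed: two legitimate routes and three that a filter
# should drop before they propagate further into the provider's network.
SAMPLE = [
    ("192.0.2.0/24", [64500]),            # registered to the customer
    ("198.51.100.0/24", [64500, 64501]),  # registered to a downstream
    ("203.0.113.0/24", [64500, 64496]),   # origin 64496 is not in the cone
    ("192.0.2.128/25", [64500]),          # more specific than the /24 limit
    ("10.0.0.0/8", [64500]),              # internal prefix leaked outward
]
```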

Factoring in the human element

Tools and solutions aside, Level 3’s unfortunate misconfiguration once again highlights the fact that, despite keeping a low profile in the news, human error still rules when it comes to causing common network outages.

In an industry focused on how to design, build and maintain machines and systems that enable interconnected entities to send and receive millions of packets of data efficiently every second of every day, it’s maybe not all that odd that the humans behind all of this activity become of secondary importance. Though, as technology advances and systems become more automated, small human errors such as misconfiguring a server prefix are likely to have ever larger knock-on effects. At increasing rates, such incidents will roll out like digital tsunamis across oceans, instead of only flooding a couple of small, inflatable IP pools in your backyard.

Boost IT best practices - focus on humans

So outside of general IT best practices, what can you do to help the humans on your team to avoid human error?

Just as with any network, human interaction is based on established relationships. And just as in any network, a weak link, or a breakdown in the lines of communication, can lead to an outage. Humans who have to operate in an atmosphere of unclear instructions, tasks, responsibilities and communication can become ineffective and anxious. This eats away at employee morale and workflow efficiency and lays the groundwork for institutional inertia and the stalling of progress. At other times, a lack of defined task-setting and clear boundaries may result in employees showing initiative in the wrong places and at the wrong times.

To limit outages due to human error, just distributing a general set of best practices or relying on informally communicated guidelines amongst staff are simply not enough. While networking best practices always apply, the following four steps can be very effective in establishing the kind of human relationships needed to strengthen your network and optimize network availability.


1. Define

Draw up, and keep updated, a diagram not only of your network architecture (you do have one, don’t you?), but also make sure you have a workflow diagram for your teams: who is tasked with which responsibility and where does their action fit into the overall process? What are the expected outcomes? And what alternative plans and processes are in place if something goes awry? Most importantly, match tasks and responsibilities with well-defined role-based access management.

2. Communicate

Does everyone on your team, and collaborating teams, know who is responsible for what, when and where, and how the processes flow? Is this information centrally accessible and kept up to date? Clarity, structure and effective communication empower your team members to accept responsibility and show initiative within bounds.

3. Train

Does everyone on your team know what’s expected of them, and did they receive appropriate training to complete their assignments properly and responsibly? Do they have the appropriate resources available to do what they need to do efficiently? Without training and tools in place, unintentional accidents are simply so much more likely to occur.

4. Refresh

Don’t wait until team members run into trouble or run out of steam. Check in with each other regularly, and encourage a culture of knowledge sharing where individuals with different skill sets can have ample opportunity to develop new skills and understanding.


Finally

The saying goes, a chain is only as strong as its weakest link. The same goes for networks.

At a time in history when we have more technological checks and balances available than ever before, it turns out the weakest networking link is, too often, a human. While we’re running systems for humans by humans, we may as well put in the extra effort to help humans do what they do, better. Our networking systems will be so much stronger for it.


Topics: DDI, DDoS, network outages, IT best practices, IP address management