SD-DDI for SD-WAN
Oct 03, 2022
Software-defined wide area networks (SD-WANs) enable organizations to increase networking efficiencies, improve cloud application performance, centralize provisioning, simplify operations, and reduce costs. In this post, we’ll discuss the importance of flexible, adaptable and “software-defined” IP address management (IPAM), or more generally DHCP, DNS, and IPAM or DDI, to fully realize the benefits of SD-WAN and to improve your security posture in the face of multiple Internet breakout points.
DDI comprises foundational network services for your IP network, which typically encompasses private networks, cloud networks, remote access networks, Internet of Thing (IoT) networks and the Internet. Key DDI functions include managing IPv4 and IPv6 address space across this diverse network landscape and requires tracking assigned and available addresses, allocating address blocks, splitting and joining address blocks as well as moving and freeing up address blocks and subnets. DDI includes similar activities for assigning, reserving, moving, and freeing up individual IP addresses, ranges and pools. Accurate tracking of IP blocks and individual addresses is critical to preventing duplicate assignments, erroneous assignments, and assignments that do not roll-up within your addressing hierarchy.
Beyond the mechanics of assigning and tracking IP subnets and individual assignments, managing domain name system (DNS) information for each IP device allows accessibility by name. DNS enables simpler network navigation by name instead of IP address and it is instrumental in scaling cloud-based service chains, which feature a succession of component virtualized services. The DDI discipline also enhances network security initiatives, particularly with the larger attack surface of multiple Internet breakouts, in offering secure network services and components as discussed later. Governance functions such as multi-administrator controls with delegation, reporting and auditing to track address utilizations and IP address accountability, services upgrading, among others are also critical.
In terms of how SD-DDI can facilitate attainment or furtherance of SD-WAN benefits, let’s consider each in turn. In terms of increasing networking efficiencies, SD-WAN seeks to offer better network performance and therefore improved user experience over traditional routed networks. This benefit stems from the cross-WAN perspective offered under SD-WAN with a centralized SD-WAN Controller which monitors the status of SD-routers and associated links, as opposed to the individual router perspective garnered via routing protocol updates.
The centralized SD-WAN Controller may trigger changes in SD-router configurations to reshape traffic as necessary in terms of routing, quality of service, and network selections. Consider that the first step in any IP communications prior to router processing is a DNS query to identify the IP address mapping to the domain name to which a connection is desired. This “first hop” in IP communications affords an opportunity to steer IP traffic according to a device’s proximity to cloud POPs, which in turn improves cloud application performance.
For example, Microsoft recommends deployment of a local DNS server in each Internet breakout site in order to resolve the closest accessibility point to the Microsoft Global Network. Having resolved the closest Office 365 front end server, the device will attempt to connect to the corresponding IP address. Thus, DDI and DNS in particular arm the application with the closest server location which the SD-WAN router on site shall route optimally in accordance with deployed policies. And if your SD-WAN router hosts a virtualization platform such as VMware, KVM or Docker, you could deploy virtual DNS servers to obviate hardware bloat at each breakout site.
Despite such hardware cost savings, deployment of local DNS servers to each site may seem onerous due to the added administration required to properly configure each DNS server. Each server must be configured to forward queries for internal hosts to internal authoritative DNS servers, typically via a physical or virtual private network, while recursing queries to Internet DNS servers to resolve hosts reachable via the Internet such as cloud applications. A centralized DDI architecture that mirrors that of SD-WAN in supporting a centralized perspective on the enterprise’s IP address space and provisioning of distributed DHCP and DNS servers, vastly simplifies such administration. Centralized administration enables application of common policies, such as forwarding to internal DNS servers to any number of distributed DNS servers deployed at each site.
A DDI system integrates IP address planning with DHCP and DNS configuration so a multi-step operational process is greatly simplified. Organizing IP address space, subnets, IP assignments, DHCP pools and DNS domain information together enables single-entry of common data with deployment to distributed DHCP and DNS services. Integrated discovery features provide a pulse on your private and cloud networks to identify any rogue devices, to verify proper provisioning and to assure the accuracy of your DDI repository for network auditing, reporting and monitoring. Integration of the IP and DNS assignment during the instantiation of virtualized network functions within and around SD-WAN streamlines overall network and compute process automation.
Lastly, SD-WAN helps reduce costs in reducing or eliminating the necessity of utilizing expensive carrier private network services. DDI helps further reduce costs in integrating IP address, DHCP and DNS processes and automating these processes in the context of broader cloud, IT and operations initiatives. Jointly, these software-defined solutions facilitate deployment of agile, adaptive, and automated IP networks to improve efficiencies and reduce overall operations costs.
Beyond these SD-WAN benefits which can be furthered with the use of SD-DDI, DNS security features of SD-DDI can help address a potential SD-WAN shortcoming: increased attack exposure though multiple Internet breakouts from sites with minimal protections. The deployment of local DNS in the form of hardware, virtualized or containerized DNS services can help improve threat detection and mitigation at these sites. Such DNS services as those offered by Cygna Labs’ Diamond IP portfolio, include integrated malware detection via DNS firewalls, data exfiltration monitoring through DNS tunneling remediation, DNS data authentication with DNSSEC, as well as various distributed denial of service protection mechanisms. Along with firewall protections afforded by your SD-WAN routers and other local resources, Internet attack risks can be recognized and reduced to acceptable levels.
SD-DDI can help you maximize the benefits of your SD-WAN deployment and centralize management of your foundational DDI services across your diverse multi-platform, multi-services, multi-vendor network and compute infrastructure.