What is our primary use case?
We use our Infoblox DDI platform for everything: IPAM management, DNS, DHCP, and DNS firewall functionality with their BloxOne Threat Defense cloud.
We see DNS as the first layer of defense, so we use all the features the platform offers. We do not have DNS and DHCP in our Windows environment anymore.
How has it helped my organization?
For network efficiency, having IPAM and DNS together provides a singular view of the network. We know what is active and what is registered in your DNS. We can manage external and internal DNS together on the same platform.
The integrated view using IPAM and DNS is much simpler because Microsoft AD doesn't offer IPAM. It offers DNS, and it's scattered. This is the reason I like the power of the tool.
It is costly but it provides the whole integration and allows us to automate a lot of things, like server builds and virtual machine builds. The powerful API Infoblox offers allows my automation team to integrate and query for free IPs within Infoblox, allocate a name, and register it. Full automation is possible on the platform.
Also, the cloud licensing capabilities give you full visibility of what is happening in the cloud. Everything together, that's the power of the platform.
The automation capabilities have benefited the operations. People can make an API call to see the next free IP. Once they get an IP, they can register the DNS and build their server with the static IP. Then, they can assign the hostname directly through their scripting as soon as the server is live. It has benefited my automation team tremendously.
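The allocate-then-register flow described above, as an added example that is not Infoblox's client library or the reviewer's own scripts. The three calls are shaped like Infoblox WAPI requests (network lookup, `next_available_ip`, `record:host` creation); the Grid Master hostname, WAPI version, network and object references are assumptions, and `FakeGrid` is a constructed in-memory stand-in so the flow runs offline.

```python
"""Added example (not Infoblox's client or the reviewer's scripts) of the
allocate-then-register flow: look up the network, ask the grid for the next
free address, create a host record. FakeGrid is a constructed stand-in for a
Grid Master; the hostname, WAPI version and _ref values are assumptions."""
import ipaddress
from typing import Any, Dict, Optional, Tuple

WAPI_BASE = "https://gm.example.internal/wapi/v2.12"   # assumed Grid Master and WAPI version


class FakeGrid:
    """Constructed stand-in for a Grid Master with one network and a few used addresses.
    request() answers the three WAPI calls used below with the shapes a real grid returns;
    the _ref strings are made up."""
    def __init__(self, cidr: str = "192.0.2.0/24", used=("192.0.2.1", "192.0.2.2")):
        self.net = ipaddress.ip_network(cidr)
        self.net_ref = f"network/FAKEREF:{cidr}/default"   # fabricated object reference
        self.used = set(used)
        self.hosts: Dict[str, str] = {}

    def request(self, method: str, path: str, params: Optional[dict] = None,
                body: Optional[dict] = None) -> Tuple[int, Any]:
        params, body = params or {}, body or {}
        if method == "GET" and path == "network":
            if params.get("network") == str(self.net):
                return 200, [{"_ref": self.net_ref, "network": str(self.net)}]
            return 200, []
        if method == "POST" and path == self.net_ref and params.get("_function") == "next_available_ip":
            free = [str(h) for h in self.net.hosts() if str(h) not in self.used]
            return 200, {"ips": free[: int(body.get("num", 1))]}
        if method == "POST" and path == "record:host":
            ip = body["ipv4addrs"][0]["ipv4addr"]
            if ip in self.used:
                return 400, {"Error": "AdmConDataError: duplicate address"}
            self.used.add(ip)
            self.hosts[body["name"]] = ip
            return 201, f"record:host/FAKEREF:{body['name']}/default"
        return 404, {"Error": f"unhandled {method} {path}"}


def find_network_ref(grid, cidr: str) -> str:
    """GET /network?network=<cidr> -> the object reference the next call needs.
    Against a real grid this is an authenticated HTTPS GET on f"{WAPI_BASE}/network"."""
    status, data = grid.request("GET", "network", params={"network": cidr})
    if status != 200 or not data:
        raise LookupError(f"network {cidr} not found in IPAM")
    return data[0]["_ref"]


def next_free_ip(grid, network_ref: str) -> str:
    """POST /<network_ref>?_function=next_available_ip {"num": 1} -> first free address."""
    status, data = grid.request("POST", network_ref,
                                params={"_function": "next_available_ip"}, body={"num": 1})
    if status != 200 or not data.get("ips"):
        raise RuntimeError("no free address left in network")
    return data["ips"][0]


def register_host(grid, fqdn: str, ip: str) -> str:
    """POST /record:host -> creates the DNS host record bound to the address."""
    status, data = grid.request("POST", "record:host",
                                body={"name": fqdn, "ipv4addrs": [{"ipv4addr": ip}]})
    if status != 201:
        raise RuntimeError(f"host record for {fqdn} rejected: {data}")
    return data


def provision(grid, fqdn: str, cidr: str) -> Tuple[str, str]:
    """The reviewer's workflow: free IP -> DNS registration -> static IP for the build.
    Two jobs can be handed the same 'next' address between the two calls; the grid then
    rejects the second record and the caller must retry. WAPI also accepts
    "func:nextavailableip:<cidr>" as the ipv4addr value, which folds both steps into one call."""
    ref = find_network_ref(grid, cidr)
    ip = next_free_ip(grid, ref)
    host_ref = register_host(grid, fqdn, ip)
    return ip, host_ref


if __name__ == "__main__":
    grid = FakeGrid()
    for name in ("srv01.example.internal", "srv02.example.internal"):
        ip, ref = provision(grid, name, "192.0.2.0/24")
        print(f"{name} -> {ip} ({ref})")
```

To run it against a real Grid Master, replace `FakeGrid.request` with an HTTPS session that sends the same method, path, query parameters and JSON body to `WAPI_BASE` with the grid's credentials; the calling functions do not change.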
They are constantly asking me when we can have this platform in other branches, entities, or data centers because the platform is more European-centric. They have similar requirements in America and other entities separate from AMG Securities. That's how powerful it is.
Compliance and Security
It is our first line of defense. If somebody clicks on a malicious link, the DNS will not resolve it because it will not resolve the name to the IP. This stops the threat in its tracks, so your second line of defense and third line of defense don't have to kick in.
It actually prevents a lot of false alarms because if a link is blocked by antivirus, it creates an alert for the IT risk team to investigate. By not resolving the IP for a malicious link, it stops many issues before they escalate. This has improved our security posture significantly.
What is most valuable?
Instead of using the root DNS servers all over the Internet, we use its Threat Defense cloud. All queries from our clients go out through it, so we know what the clients are querying and where they are trying to go. We can see at a DNS level if something wrong is happening within the network.
Additionally, the ability to block unwanted traffic using DNS is powerful. While firewalls and other infrastructure can do this, BloxOne can also prevent the resolution of bot websites or other harmful sites; that's a powerful element.
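The "first line of defense" behaviour described in the Compliance and Security section and the DNS-level blocking described just above, as an added example that is not BloxOne or Infoblox code: an RPZ-style policy check applied before ordinary resolution, plus a triage pass over constructed resolver query-log lines that shows which clients tried to reach blocklisted names. The blocklist, zone data and log lines are all constructed.

```python
"""Added example (not BloxOne code): an RPZ-style DNS firewall check and a
triage pass over constructed resolver query-log lines."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed blocklist. Each entry blocks the name itself and every name
# beneath it, the way an RPZ wildcard rule would.
BLOCKLIST: Set[str] = {"bad.example", "botnet-c2.test"}

# Constructed internal zone data using documentation address ranges.
ZONE: Dict[str, str] = {
    "intranet.example": "192.0.2.10",
    "www.example.net": "198.51.100.7",
}


@dataclass
class Answer:
    qname: str
    rcode: str                 # "NOERROR" or "NXDOMAIN"
    address: Optional[str]     # resolved A record, or None
    action: str                # "blocked" or "passed"


def normalise(qname: str) -> str:
    """Lower-case the name and drop the trailing dot of a fully-qualified name."""
    return qname.rstrip(".").lower()


def is_blocked(qname: str, blocklist: Set[str] = BLOCKLIST) -> bool:
    """True if the name or any parent of it is on the blocklist.
    The dot in the suffix test keeps 'notbad.example' from matching 'bad.example'."""
    name = normalise(qname)
    return any(name == entry or name.endswith("." + entry) for entry in blocklist)


def resolve(qname: str) -> Answer:
    """Apply the firewall policy first, then ordinary lookup. A blocked name gets
    NXDOMAIN, so the client never learns an address to connect to and no later
    control (proxy, endpoint agent) has to act."""
    name = normalise(qname)
    if is_blocked(name):
        return Answer(name, "NXDOMAIN", None, "blocked")
    address = ZONE.get(name)
    return Answer(name, "NOERROR" if address else "NXDOMAIN", address, "passed")


# Matches BIND-style query log lines: "client <ip>#<port>: query: <name> IN <type> ..."
LOG_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")

# Constructed log lines; the second and third are hits on blocklisted zones.
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: intranet.example IN A + (10.0.0.53)
client 10.0.0.7#40112: query: login.bad.example IN A + (10.0.0.53)
client 10.0.0.9#41888: query: beacon.botnet-c2.test IN A + (10.0.0.53)
client 10.0.0.5#53300: query: www.example.net IN A + (10.0.0.53)
"""


def triage(log_text: str) -> List[dict]:
    """Run every logged query through resolve() and record the outcome per client."""
    results = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue   # not a query line; skip rather than fail on unrelated log noise
        ans = resolve(m["qname"])
        results.append({"client": m["client"], "qname": ans.qname,
                        "action": ans.action, "rcode": ans.rcode})
    return results


def blocked_clients(log_text: str) -> List[str]:
    """Clients whose queries hit the blocklist: the hosts worth a closer look."""
    return sorted({r["client"] for r in triage(log_text) if r["action"] == "blocked"})


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["client"]:<10} {r["qname"]:<26} {r["action"]:<8} {r["rcode"]}')
    print("clients to investigate:", blocked_clients(SAMPLE_LOG))
```

The policy check runs before the lookup on purpose: a blocked name must never reach the upstream resolver, and the NXDOMAIN answer is what stops the connection attempt rather than merely logging it.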
What needs improvement?
At this stage, we are struggling to use some of the DNS features of the platform, which are more about protecting your domain from hijacking and similar threats. However, I don't think it is a problem with the platform itself. It seems to be more of an integration issue with the secondary DNS provider we are trying to use on the Internet, called Cloudflare.
So, it is more of an integration problem between Cloudflare DNS and any public DNS. I would like to improve the integration aspect of these two products. The platform should be able to work seamlessly with any other secondary DNS provider on the Internet.
If Infoblox can make their licensing cheaper, then this platform could be widely used because it does cost a fortune to have it. That's why we do not have it in every entity that we manage.
For how long have I used the solution?
I have been using it since 2010, so it has been 14 years.
I use the latest one, which we recently updated.
What do I think about the stability of the solution?
I would rate the stability a ten out of ten. Active Directory is supposed to be stable, and it is. Without Active Directory being stable, none of the authentication would work. There was never an issue of stability within Active Directory services. Infoblox actually makes this better because you can use all the IP addresses in a network.
In Active Directory, you have to split the scope, so you can only use 50% or 30% of the IPs in a particular network because of how the scopes are configured. But if you are very tight on IP space, then Infoblox is your solution, depending on the use case.
What do I think about the scalability of the solution?
I would rate the scalability a ten out of ten. It is the advantage of the platform. You can deploy multiple members in the grid at various locations depending on your requirements. You can have members in the cloud as well, and it's all managed through a central Grid Manager.
We have an enterprise license that covers all my users here, about 1500. This is the only solution for DDI, so everyone uses it. We would expand its usage if the price comes down.
We try to put the solution to another entity when the feature is available for free within Windows Active Directory. Why would you spend a million on this solution, right? That's why it is not adopted everywhere.
DNS and DHCP are free in Active Directory. It's a different way of doing things, but if you need an IP address management tool, you can get EfficientIP's tool for ten to fifteen thousand dollars. So why spend so much more? We managed to justify the presence of Infoblox, but the continuous price increase in their licensing is prohibitive. At one point, we might decide it's not worth it and go back to Windows Active Directory.
How are customer service and support?
I have an ongoing issue with Infoblox and Cloudflare DNSSEC. Neither Infoblox is moving forward nor is Cloudflare. These two DNS providers are not working together in the way a customer would expect. Cloudflare is one of the biggest DNS providers on the Internet. As a secondary DNS, they have their own services.
So, these two parties are not working together to solve the problem for the customer. I would expect their professionals to work directly with each other to solve the issue because Infoblox is not a secondary DNS provider on the Internet.
Cloudflare can be a secondary DNS provider on the Internet. Their businesses are separate in terms of what they can do for customers. There is no competition, and customers need providers like this to work together. We like Infoblox, and we like Cloudflare for what it does.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
I used Microsoft Active Directory.
We decided to switch to Infoblox to get a unified view of IP addresses, networks, and host names, and to better manage the usage of the IP address space we have.
How was the initial setup?
It is easy to set up, but if you are migrating from Windows Active Directory DNS and DHCP, you do need to enroll their professional services people who can help with the migration. Their professional services team is quite good, and this is how we migrated initially.
But once you have the platform, the learning curve is really easy. People can learn from each other, and we have never attended any formal training ourselves. I have people on my team who are experts in the platform.
The setup is easy if you use professional services. If you don't want to spend money on professional services, as a new product, it could be difficult for you. Most enterprises are more familiar with DNS and DHCP in Active Directory, so it will be difficult if you do not use professional services. It’s easy if you use them, and I think people should use professional services.
I would rate the complexity of the initial setup an eight out of ten, with ten being complex.
The initial setup, ten years back, probably took us two weeks to deploy. We slowly migrated from Active Directory to BloxOne without causing any business outages.
What about the implementation team?
Our deployment was done by one professional services engineer. Just one person was enough for maintenance.
We were super careful because everyone was hesitant to move away from what they knew.
But the main action was to make people learn the platform. We got the Infoblox trainers on-site to conduct training sessions for people so they could get experience directly from the trainers. Training was the main focus when we rolled it out for the first time.
What was our ROI?
It's difficult to measure. Has it stopped any attacks or prevented any data from going out? If my business asks me questions about the ROI, they might consider throwing the solution out.
For the IT infrastructure team, it's a good thing because we get a good way of doing things. Automation teams find it a better way of doing things.
But can't they do automation with Active Directory DDI? They definitely can. It might be a little difficult, but once their automation scripts are ready, they can always do it. It's a one-time effort.
In terms of measuring the return on investment, in my personal view, this is one of the best tools. But from the business view, considering the money spent on this solution, it may not be the best.
What's my experience with pricing, setup cost, and licensing?
I would rate the pricing a ten out of ten, with ten being very expensive. We actually pay about 900k a year.
Which other solutions did I evaluate?
We did have the option of EfficientIP. At that time, both Infoblox and EfficientIP were competitive. Infoblox was a new entrant in the market and had a very appealing, cheap, and affordable solution. It wasn't based on the number of users in the entity. The last time we had to refresh it, they changed their licensing model with their BloxOne Threat Defense. Per user, it costs around 25 to 30 pounds a year, and that's when it gets costly.
And EfficientIP may not have deployed the threat defense cloud or BloxOne Threat Defense cloud, but enterprises do have their own solutions: multi-layered security solutions, antivirus, etc. When security budgets are constrained, why spend so much on threat defense per user? We have to look at why we're spending so much on threat defense per user.
What other advice do I have?
Overall, I would rate the solution an eight out of ten.
I would recommend that other users negotiate with Infoblox on their pricing, or they should look at Infoblox's competition. Infoblox moved to user-based licensing and subscription-based licensing.
We already had Infoblox in our environment, so when you have something in your environment, your reluctance to change is quite high. But if you are looking for something new to implement, to move away from Active Directory, you should look at the competition and negotiate with Infoblox for a multi-year pricing deal.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.