What is our primary use case?
We were already an Infoblox customer for IP address management, DNS, and DHCP and we decided to beef up our security in another avenue as far as the company and its network. So this is one area we got into with Infoblox because of their DNS security. I previously worked for another company in Boston that was an Infoblox customer, and on DNS security originally you had to set up a connection with Infoblox. The threat feeds that analyze the traffic, the customer had to receive those feeds. This is some years back when they first got into this.
So now, with Pegasystems we're doing the same thing, however, Infoblox is doing this in the cloud, which is infinitely better for a customer like us, meaning that they take in all the threat information and analyze our traffic. All we have to do is set up normal connections to the internet. It's like talking to another website. There's firewall security involved, but that's the most important thing for analyzing Infoblox, the fact that they provide this service out on the internet, in the cloud, is huge for us because they have the ability to synthesize a number of different sources for DNS security, put it in their secret sauce in their portal, and all we have to do is communicate with it and then they inspect our traffic. That is the most important thing for us as a customer.
I realize that other companies do that as well, but because Infoblox is an important part of our network infrastructure it makes a lot of sense to do our DNS security with Infoblox. We're also a Palo Alto Firewall customer, and we have traffic that goes out to the internet. All of our traffic going out to the internet gets inspected by Palo Alto firewalls. They have a similar service, but we chose to partner with Infoblox because they're already in the DNS arena and have been for a number of years.
How has it helped my organization?
Our ability to detect data exfiltration was minimal before Infoblox and the cloud portal was instituted for us. In terms of DNS security as a whole, we had some capability with our firewalls, but this is a lot more specialized because we're sending all of our DNS requests to Infoblox. I'd say we improved 100%.
The actual communications that go on between our DNS appliances and the threat engines in the cloud, that traffic get logged by Infoblox, so that information is available in the cloud, and we also export logs to, we have a Splunk system. So in terms of data exfiltration, Infoblox does a good job of identifying any threats in that arena. Now, if something like that comes up and gets logged, it gets flagged by our Splunk system. I work in the network operations team, we have a security knock. If some kind of alert in that realm was logged, they would be alerted, meaning our security folks. Then if we need to take action on someone's machine or a server then it gets triggered from our security, security operations. I would rate the identification of data exfiltration with a high mark.
Our primary interoperability is with Splunk. The log feed into Splunk got set up right after we signed up for the portal. They go hand in hand. It's because our security team uses Splunk to analyze data. This means they get information from the portal, and they also get information from our individual appliances in the various offices as well.
BloxOne Threat Defense reduced the amount of effort involved in our SecOps teams when investigating events.
Our security staff has been added to significantly in the last few years. I started with Pega in 2017 when there were only a handful of security people, but we were a 5,000 employee company. I think we're probably around 6,000 now. It wasn't just tools, they didn't have enough people to manage the security posture the way they are now. They basically created a whole new department. This platform is just one of many things that they receive data from.
Our monitoring and detection capability was minimal before we got into BloxOne. Now it's an improvement.
What is most valuable?
There's reporting and monitoring in the portal itself, and what customers can view. Additionally there are add-on programs specifically for Infoblox programs that go with Splunk. There are several tools available that add extra visibility.
Some of the tools that are involved with Splunk, Infoblox can be consulted on to help identify specific pieces of data that our security team is looking for. That's a plus because in this arena there's a lot of data that gets produced and making sense of it is the whole ballgame. Even though Splunk is not an Infoblox product, it's Splunk, but when our security folks receive data from Infoblox and they're not sure exactly how to massage it, there are content folks at Infoblox who help sort through stuff like that. The way that works is that we set up a call or a Webex/Zoom and just hash out with our security team exactly what they're trying to do.
If we had to take a look at where we are right now, Palo Alto is trying to get more business with us and at some point, we will probably take a look at what they offer in this space, which is just to get educated on the marketplace. The fact that we're a Palo Alto customer, we look to them to add value as well. I'm not saying we're changing anything right now, I'm just saying in our company because we're a big Palo Alto customer, we'll be looking at things they're going to be doing in the future as well.
We're using BloxOne strictly on the cloud version, but there are threat defense options that can be done with our onsite appliances into what Infoblox calls "the Grid". The Grid is just the collection of appliances that we have in the various offices, and there's a central management tool called the Grid Master where you can set up additional threat defense options, meaning you can inspect traffic even before it leaves the network. That's something we're going to be looking at as well. We're not doing it, but we're going to be looking at it.
Our initial activation in this arena, because it was so straightforward to just forward traffic right to the portal, which can be done in just a few minutes and actually have it inspect traffic in the first hour. It's not that we've precluded the onsite, but it's just something that we're looking at as a follow-up. We don't feel that we're at a major detriment, but it could improve some of the things we're doing if we do it onsite even before it gets to the cloud. Before they had the cloud portal you had to take in the threat feeds that they use or are available on the internet, and feed them into your own network, which makes it a lot more complicated.
That's still available. People will still do that, but we choose to use Infoblox and let them synthesize the threat feeds that they have access to.
What needs improvement?
This is not just Infoblox, this could be any portal provider, cloud provider, sometimes they change the look of the customer-facing options and it's not completely clear why they make the change.
It's not just cosmetic. I'll find things that they've moved around after they've done an upgrade. That's a valid criticism of any portal app because they don't poll every user to ask how you want to see the menu options. Everybody gets the same thing.
For how long have I used the solution?
I have been using Infoblox since 2019.
How are customer service and support?
I would rate their technical support an eight out of ten.
How would you rate customer service and support?
How was the initial setup?
The initial setup was straightforward. The options for the appliances were clearly documented. The onsite logging is actually a virtual host in our network. The setup for that was pretty straightforward as well. There was good documentation.
It took basically one day to start communicating with the portal and verify that all the appliances were actually, in fact, sending data to the portal and their traffic was being inspected. It didn't take a whole day to set that up, most of the time was just, it was a few hours of setup and several hours of monitoring, just learning what to look for. But it was pretty straightforward.
What other advice do I have?
Our on-sight Infoblox DNS DHCP appliances, which there are about 30 of them around the world, there's one screen of information where you put in the Infoblox cloud IP address, answer a few questions, then that triggers DNS forwarding to the Infoblox cloud portal. So when we send our DNS traffic out to the internet it goes to Infoblox first in order to get inspected. If for some reason a particular office or a particular appliance is unable to communicate with Infoblox at a particular time at that cloud IP, they're still able to forward DNS traffic directly to the internet as a backup. That can happen for normal communication disruption. It doesn't happen a lot, but at least our DNS queries don't stop completely if there's an interruption somewhere out on the internet. Which, again, doesn't happen often, but it's good to have available.
We do some configuration on our Infoblox appliances. On the user side of the portal, there are options for reporting and monitoring that get set up by the customer, but Infoblox sets up sessions with us whenever we ask. Initially, when we became a portal customer we received training from Infoblox, and if we want a refresher or we have somebody new who we want to go through the training they'll assist. What they usually do is have the local Infoblox team in Boston assist with that kind of training as well.
It's not protocol agnostic. It's specifically analyzing DNS traffic. Now, if there's data inside the DNS traffic that is being used for non-DNS purposes, that's different. They are not analyzing other protocols, they are just analyzing DNS. So we use other tools to analyze other protocols, primarily firewalls.
I would rate Infoblox an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.