
IPAM INTELLIGENCE: ALL ROADS LEAD TO PROTEUS

Whitepaper
ii | BlueCat Networks

Use of this document

Copyright
This document and all information (in text, Graphical User Interface
(“GUI”), video and audio forms), images, icons, software, design,
applications, calculators, models, projections and other elements
available on or through this document are the property of BlueCat
Networks or its suppliers, and are protected by Canadian and
international copyright, trademark, and other laws. Your use of this
document does not transfer to you any ownership or other rights
or its content. You acknowledge and understand that BlueCat
Networks retains all rights not expressly granted.

Persons who receive this document agree that all information
contained herein is exclusively the intellectual property of BlueCat
Networks and will not reproduce, recreate, or other use material
herein, unless you have received expressed written consent from
BlueCat Networks.

Copyright © 2010, BlueCat Networks Inc. All rights reserved
worldwide.

Publisher Information
Published in Canada — No part of this publication may be
reproduced, transmitted, transcribed, stored in a retrieval system,
or translated into any human or computer language in any form or
by any means without the express written permission of:
BlueCat Networks Inc.
4101 Yonge Street, Suite 502
Toronto, Ontario
Canada M2P 1N6
Attention: Product Manager
Telephone: 416-646-8400
Fax: 416-225-4728
E-mail: info@bluecatnetworks.com
Website: www.bluecatnetworks.com

This publication is provided as is without warranty of any kind,
express or implied, including, but not limited to, the implied
warranties of merchantability, fitness for a particular purpose, or
non-infringement.

All terms mentioned in this publication that are known to be
trademarks or service marks are appropriately capitalized. BlueCat
Networks cannot attest to the accuracy of this information. Use of
a term in this publication should not be regarded as affecting the
validity of any trademark or service mark. The trademarks, service
marks and logos (the “Trademarks”) displayed are registered and
unregistered Trademarks of BlueCat Networks, Inc. and others.
Users are not permitted to use these Trademarks for any purpose
without the prior written consent of BlueCat Networks or the third
party owning the Trademark.

No Professional Advice
This document is for convenience and informational purposes
only. This document is not intended to be a comprehensive or
detailed statement concerning the matters addressed; advice or
recommendations, whether scientific or engineering in nature or
otherwise; or an offer to sell or buy any product or service. BlueCat
Networks does not warrant or make any representations regarding
the use, validity, accuracy, or reliability of, or the results of the use
of, this website or any materials on this document or any website
referenced herein. This document is intended solely for the use of
the recipient. It does not institute a complete offering and is not to
be reproduced or distributed to any other person.

Executive Summary
BlueCat Networks is leading the market in 3rd generation IP
Address Management and is defining it as IPAM Intelligence™. This
whitepaper explains in detail the urgency around moving from
spreadsheets, homegrown, and legacy solutions to intelligent IPAM
solutions.

The increasing numbers and types of network attached devices,
the dwindling supply of available IP addresses, and the need for
‘always-on / always accessible’ corporate networks are driving
requirements for sophisticated IPAM solutions. These solutions
offer tools to monitor and control the IP address space, prevent
address conflicts, reclaim and reallocate unused addresses, and
predict address requirements, all in accordance with network
governance policies. They are considerably more functional than
the legacy IPAM solutions, spreadsheets and other ‘homegrown’
systems that are commonplace today.

The features and functions that distinguish intelligent IPAM
solutions from spreadsheets and other legacy products can be
conveniently arranged in five value categories – the ‘Five Pillars of
IPAM Intelligence’: Management, Visibility, Integration, Continuity
and Control.

Contents

Executive Summary
The Internet is Exploding
IPv6 Introduces New Complexity
Why Legacy Tools and Manual Processes No Longer Work
    Limitations of Spreadsheets
    Homegrown Solutions
    Partial Visibility
    Inadequate Access Control
    Limited Automation
    Manual Processes Can’t Deliver Continuity
The Introduction of Intelligent IPAM
    Introducing The Five Pillars of IPAM Intelligence
Management
    Centralized DNS/DHCP Configuration
    Concurrent Management of IPv4 and IPv6
    IP Address Tracking
    IP Modeling
    IP Reconciliation
    Workflow
    Self Provisioning
    Distributed Administration
    Multi-Core Architecture
    Asset Management
    Data Grouping
    Data Migration
    Ease-of-Use
Integration
    Support for Heterogeneous Environments
    VoIP Implementations
    Proteus API
Visibility
    Real-Time Visibility into DNS and DHCP Services
    IP Reconciliation
    Mapping Devices
    Audit Tracking
    Monitoring
    Logging and Reporting
Continuity
    Data Integrity
    High Availability
    Data Restoration
    Error and Data Checking
    Appliance Level Redundancy
    Service Level Failover and Load Balancing
Control
    Delegated Access Control
    Workflow
    MAC Filtering
    DHCP Class and Vendor Options
    DNS Naming Policies
    Audit Tracking
    Authentication
Conclusion

The Internet is Exploding


It is an IP Revolution.

Internet usage is exploding, as an ever-increasing number of
endpoint devices require network connectivity. Some of the new
technologies driving the growth in IP networking and the demand
for IP addresses include:
▪▪ Voice-over IP (VoIP) handsets have existing IP address
space. Many telephony systems have been converted to
VoIP and these systems are expected to maintain the high
availability associated with the traditional public switched
telephone network (PSTN). Supporting IP services like
DHCP and TFTP are critical if VoIP is to deliver the ‘dial-tone’
reliability users have come to expect from the PSTN.
▪▪ Mobile computers and other wireless devices significantly
increase IP address consumption and network monitoring
challenges.
▪▪ Deployments of virtual machines scaled horizontally
provide organizations with an optimal method for
managing specific services and applications, yet increase
the number of IP addresses in use.
▪▪ Radio Frequency Identification (RFID) tags hold the
promise of tremendous efficiencies in enterprise supply
chain management, improving inventory tracking and
management. As the cost of RFID tags continues to fall, they
become economically viable for a wider range of lower
cost goods. RFID systems ultimately connect to an IP
backbone, significantly and consequently increasing
consumption of IP addresses.
▪▪ IPv6 will introduce new complexities. Issues in
transitioning from IPv4 to IPv6, and management of a dual
stack of IPv4 and IPv6 addresses are two factors that will
drive demand for IPAM.

[Figure: RFID, IPv6 Implementation, Virtualization, VoIP and Wireless
plotted by IP consumption and complexity. Caption: IP Addresses are
consumed differently and the complexity determines how they will
drive the need for IPAM.]

As the size and complexity of the IP address space increases,
planning, allocating and tracking IP addresses becomes increasingly
difficult. In fact, IP address management (IPAM) is becoming
a growing challenge for many organizations. Primitive IPAM
solutions, which employ spreadsheets, homegrown solutions or
legacy applications to manage IP addresses, simply do not offer the
sophisticated features required to support modern organizations
in their efforts to stay connected and avoid downtime.

IPv6 Introduces New Complexity


With the growing number of network-attached devices, we
are exhausting our supply of IP addresses. With nearly 85% of
addresses already in use, experts believe that if current trends
continue, addresses will run out by 2011.[1]

Not surprisingly, governments around the world are mandating
public and private sector organizations to adopt the IPv6 protocol
in order to prevent IP address exhaustion. In 2005, the United States
Office of Management and Budget (OMB) issued Memorandum M-05-22
that stated: “by end of June 2008, the network core of all federal
agencies will become IPv6 compliant.”[2] The European Commission
has also issued a statement indicating that all companies and
public sector institutions in the European Union (EU) should be
IPv6 compliant by 2010. The expectation is that 25% of all Internet
activity in the EU will have migrated to IPv6 by that time.[3]

[Figure labels: IPv4, Mixed Network, IPv6 Adoption. Caption: With
Adonis and Proteus your networks can support IPv6 both in
parallel with and independently of IPv4.]

Over the next several years, organizations will need to focus on
implementing IPv6 to take advantage of the latest applications
and services, and remain competitive in the Internet landscape.
The transition from IPv4 to IPv6 is yet another factor driving
requirements for more capable IPAM solutions. The length of
IPv6 addresses (eight fields of up to four hexadecimal digits)
alone precludes spreadsheets and homegrown tools from being
workable IPAM solutions in the future – there’s simply too much
room for human error in the data entry process.

It is anticipated that the initial transition from IPv4 to IPv6 will
occur on the external IP space and then ripple inward to the private
network space. It is also expected that many networks will remain a
hybrid of IPv4 and IPv6, some with very different architectures.
While one can assume that most organizations will have similar
structures for IPv4 and IPv6, there will be key differences. For
example, IPv6 uses the Global Unicast addressing system that defines
unique device addresses that are routable across the Internet. Global
Unicast addressing is very different from Network Address Translation
(NAT) designs implemented in most IPv4 networks, which use
private, non-routable address spaces inside the organization with
external endpoints using the public address space. Clearly these
issues impose new demands on IPAM systems.
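
The data-entry risk described above can be shown on a small inventory. This is an added example, not part of the BlueCat whitepaper or of Proteus: it audits a constructed spreadsheet-style sheet with Python's standard ipaddress module, and the host names, sample addresses and function names are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed inventory sheet: host names and addresses are made up.
# 2001:db8::/32 is the IPv6 documentation prefix, used here as a
# stand-in for an organization's global unicast allocation.
SHEET = """host,address
web01,2001:0db8:0000:0000:0000:0000:0000:0010
web02,2001:DB8::10
db01,2001:db8:0:0:1::5
db02,2001:db8::1:0:0:5
app01,2001:db8::1::7
app02,2001:db8:0:0:0:0:0:g1
nas01,10.0.4.12
vpn01,fd00:12::1
"""

GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
LINK_LOCAL = ipaddress.ip_network("fe80::/10")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def scope(addr):
    """Label an address by the addressing model it belongs to."""
    if addr.version == 4:
        private = any(addr in net for net in RFC1918)
        return "ipv4-private" if private else "ipv4-public"
    if addr in GLOBAL_UNICAST:
        return "ipv6-global-unicast"
    if addr in UNIQUE_LOCAL:
        return "ipv6-unique-local"
    if addr in LINK_LOCAL:
        return "ipv6-link-local"
    return "ipv6-other"


def naive_duplicates(sheet_text):
    """Duplicate check the way a spreadsheet does it: exact text match."""
    seen = defaultdict(list)
    for row in csv.DictReader(io.StringIO(sheet_text)):
        seen[row["address"]].append(row["host"])
    return {raw: hosts for raw, hosts in seen.items() if len(hosts) > 1}


def audit(sheet_text):
    """Parse every entry, compare addresses by value, report problems.

    Returns a dict with:
      records   - (host, canonical address, scope) for each valid row
      invalid   - (sheet line, host, text as typed, parser message)
      conflicts - canonical address -> hosts, where more than one host
                  claims the same address under different spellings
    """
    records, invalid = [], []
    by_addr = defaultdict(list)
    rows = csv.DictReader(io.StringIO(sheet_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        raw = row["address"].strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError as exc:
            invalid.append((line_no, row["host"], raw, str(exc)))
            continue
        records.append((row["host"], str(addr), scope(addr)))
        by_addr[addr].append(row["host"])
    conflicts = {str(a): h for a, h in by_addr.items() if len(h) > 1}
    return {"records": records, "invalid": invalid, "conflicts": conflicts}


if __name__ == "__main__":
    print("text-match duplicates:", naive_duplicates(SHEET))
    report = audit(SHEET)
    for canonical, hosts in report["conflicts"].items():
        print("conflict:", canonical, "claimed by", ", ".join(hosts))
    for line_no, host, raw, reason in report["invalid"]:
        print(f"line {line_no}: {host}: cannot parse {raw!r}: {reason}")
    for host, canonical, label in report["records"]:
        print(f"{host:6} {canonical:20} {label}")
```

On the constructed sheet the text comparison finds no duplicates, while the comparison by parsed value finds two pairs of hosts sharing an address and two entries that are not valid addresses at all.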

[1] OECD. (2008) Internet Address Space – Economic Considerations in the
Management of IPv4 and the Deployment of IPv6. Retrieved June 3, 2008 from
http://www.oecd.org/dataoecd/7/1/40605942.pdf
[2] Executive Office of the President – Office of Management and Budget (2005)
Memorandum for the Chief Information Officers. Retrieved June 3, 2008 from
http://www.whitehouse.gov/omb/memoranda/fy2005/m05-22.pdf
[3] EUROPA Press Release (2008) An unlimited source of Internet addresses to be on
stream in Europe by 2010. Retrieved June 3, 2008 from
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/08/803&format=HTML&aged=0&language=EN&guiLanguage=en

Why Legacy Tools and Manual Processes No Longer Work

Legacy IPAM management tools and manual management
processes simply do not meet the needs of organizations
experiencing explosive growth in IP connected devices. This section
highlights some of the deficiencies in legacy IPAM solutions.

Limitations of Spreadsheets

Within many small and medium-sized companies, network
administrators track IP addresses using spreadsheets. Every
time new addresses and networks are allocated or modified, an
administrator manually updates the spreadsheet. Management
practices based on spreadsheets are prone to human error in
configuration. One conflicting IP address or assignment can
disrupt network services. Spreadsheets used to monitor network IP
usage have limited abilities to track large amounts of data in
multi-user environments. They simply do not scale to meet enterprise
requirements.

Homegrown Solutions

Recognizing the need for automation in some form, and to keep
administrative efforts in check, many companies have developed
in-house tools to allocate and track IP addresses. While these tools
alleviate some of the administrative burden, they’re typically
unsophisticated and do not address the breadth of enterprise
requirements. For example, organizations need to monitor critical
events and set up the corrective mechanisms to address them.
Integration of event management into an in-house IPAM solution
is clearly an ambitious undertaking.

Partial Visibility

Spreadsheets and homegrown solutions offer only limited visibility
to the state of your network. These implementations usually fail
to provide sufficient information to track and audit changes –
‘who made the change’, ‘when did it happen’, and ‘from where it
was made’. This creates frustration when configuration issues
cause outages, particularly for those who have to figure out what
was changed and when. The problem is exacerbated in multi-user
environments where administrators’ visibility to changes is
virtually zero (the lack of visibility in such environments is one of
the reasons these systems typically do not scale).

Equally important for publicly traded companies and those in
regulated industries are the emerging IT governance regulations
included in Sarbanes Oxley (SOX), the Health Insurance Portability
and Accountability Act (HIPAA),
the Gramm-Leach-Bliley Act (GLBA) and other legislation. IPAM
reporting and auditing features are necessary to demonstrate
compliance with regulations. These features allow administrators
to state with confidence who had access to what IP addresses and
when, and assess the consequences of such access.

Inadequate Access Control

Many IPAM services are manually configured through disparate
management systems, command line methods, or simplistic
server-centric tools. Often, these methods contain few if any
measures to prevent or restrict access on a granular level.

The lack of granular access control limits change management to a
select few (typically senior administrators), as there is no means to
extend restricted functionality to less experienced users. Without
access control comes the problem of too many administrators
changing the same data concurrently. This configuration problem
can cause service outages and business disruption. A granular
approach to IP management allows for individual or group
administrative access rights on a hierarchical basis, which
establishes who can make changes, what they can change, who can
approve such changes, and when such changes can take effect.

Limited Automation

An effective IPAM solution should provide automated means to
create, deploy, track and reconcile IP addresses. Spreadsheets
have no automation and homegrown systems have few if any
automated functions. They offer little or no automation for creating
and maintaining configurations for IP services.

Many solutions that address a single aspect of IPAM, such as DNS or
DHCP, provide little insight into the overall management objective
since the data is localized and isolated from the system at large.
IPAM systems need to address how a DNS or DHCP allocation can
be captured and processed correctly, not only from the service side
but also from the management perspective. Organizations using
spreadsheets to manage IP addresses lack the ability to update
their data dynamically based on DDNS or DHCP lease events, and
therefore do not get a real-time view of their network.

Manual Processes Can’t Deliver Continuity

An outage in the IP services layer can cause many segments of a
network to fail and force applications into a disconnected state. IP
services configured manually are prone to human error and can be
unreliable as a result. Some network topologies do not separate
IP services and DNS/DHCP services, thus creating a larger case for
failure since these systems have very different means for
management and reliability.

Many business systems, like Active Directory®, will not function
without the underlying IP services like DNS. It is important therefore
to provide redundant and separate service layers to minimize the
impact of a device failure.

The Introduction of Intelligent IPAM

Vendors began introducing second generation IPAM solutions
over a decade ago. These software solutions were IP-oriented, but
were complex and often included an expensive licensing model.

Today’s ‘always-on / always accessible’ network infrastructures
are considerably larger and more complex than those of 10
years ago. They are expected to deliver quality of service that
far outstrips decade-old requirements. Without question, IP
address management is more challenging, and the need for more
sophisticated IPAM tools and processes has emerged. Fortunately,
we are witnessing a transition from second generation IPAM
to intelligent solutions offering new capabilities required to
meet modern day network administration requirements. These
solutions offer leading-edge technology and innovative designs
to dynamically manage IP addresses and their associated data.

The management of the IP address space now becomes dynamic in
sharing network-described IP data, and reconciling this data with
DNS/DHCP servers. Enabling DNS and DHCP tools to exist in tandem
allows for a dynamic engagement of domains and IP addresses
that defines, deploys, and tracks IP ranges and properties.

In summary, IPAM can best be described as an abstraction layer that
models out domains and networks with the purpose of planning,
tracking, and managing IP addresses and their associated data.
This ecosystem can be defined as network objects and services
including DNS and DHCP, devices, unique object identifiers, and
user-defined identifiers that automatically integrates each other’s
existence for data propagation, continuation, and network based
data-source sharing.

An IP revolution is exactly what is going on in the network
administration industry today. It is a revolution that enables IPAM
to be a more effective, scalable tool for managing network growth
without incurring additional head count. IP address management
is not a new concept, but it has materially evolved. It came into
the forefront over a decade ago, but is now going through a
revolution by liberating network administrators to delegate with
confidence, empowering other network administrators to make
changes to the network infrastructure within pre-prescribed
policies and guidelines based on access rights. Within this context,
IPAM Intelligence gives birth to access rights, network event
notification, reconciliation of IP addresses over the entire network,
data restoration, IP auditing tools, and naming policies.

The demand for a sophisticated IPAM brings with it new
requirements for management services, including:
▪▪ Workflow management[4];
▪▪ Granular policy administration;
▪▪ Automatic IP discovery and reconciliation;
▪▪ Monitoring of remote appliances;
▪▪ Restoration of any deleted data pertaining to domains,
networks or IP addresses;
▪▪ Quick navigation functionality to view entire networks;
▪▪ Network event notification;
▪▪ Enforcement of corporate naming policies; and,
▪▪ Accurate modeling of network domains for the purpose of
anticipating requirements for IP addresses

Intelligent IPAM solutions embody these features and functions
and much more. They offer services to ensure high availability
and continuity of network services, such as database backup and
restoration, clustering with data replication and automatic failover,
data checking, system monitoring, auditing and reporting.

[Figure: Proteus administration screen.]

[4] ‘Workflow management’ allows senior administrators to delegate responsibilities to
local administrators who are permitted to make changes to the network infrastructure
within pre-prescribed guidelines based on access rights.

Introducing The Five Pillars of IPAM Intelligence


As organizations continue to consume IP addresses, they require
more sophisticated IPAM solutions. The features and functions
that distinguish intelligent IPAM solutions from legacy tools
can be summarized in five categories – the ‘Five Pillars of IPAM
Intelligence’:
▪▪ Management - streamlines the management of your IP
infrastructure;
▪▪ Integration - leverages your existing network assets;
▪▪ Visibility - enables you to see and do more with your IP
data;
▪▪ Continuity - ensures your IP infrastructure is always
available; and,
▪▪ Control - allows you to control your IP address space and
delegate control when required.

The five pillars provide a framework for evaluating your next
generation IPAM system. With the growing volume and complexity of
IP addresses under management, organizations must implement
IPAM solutions with comprehensive features in each pillar.

Summarized in the following table, the Five
Pillars provide a framework for evaluating
next generation IPAM solutions. The Pillars
and their underlying features are the
cornerstones of BlueCat’s Proteus IPAM
appliance.

Management
• Centralized DNS/DHCP
• Concurrent Management of IPv4 and IPv6
• IP Address Tracking
• IP Modeling
• IP Reconciliation
• Workflow
• Self Provisioning
• Distributed Administration
• Multi-Core Architecture
• Asset Management
• Data Grouping
• Data Migration
• Ease of Use

Visibility
• Real-time visibility into DNS/DHCP Services
• IP Reconciliation
• Mapping Devices
• Audit Tracking
• Monitoring
• Logging and Reporting

Integration
• Support for Heterogeneous Environments
• Windows Management Agent
• VoIP Implementations
• APIs

Continuity
• Data Integrity
• High Availability
• Data Restoration
• Error and Data Checking
• Appliance Level Redundancy
• Service Level Failover and Load Balancing

Control
• Delegated Access Control
• Workflow
• MAC Filtering
• DHCP Class and Vendor Options
• DNS Naming Policies
• Audit Tracking
• Authentication

Management
One of the most important aspects of any IPAM system is its
efficacy in managing your IP addresses, name space and DHCP
services while reducing your total cost of ownership. The goal of
every system should be to achieve centralized management with
distributed services.

BlueCat Networks’ Proteus™ appliance achieves this goal through
concurrent usage, distributed administration, restrictive roles and
a web-based interface. Proteus’ multi-core design allows multiple
administrators to manage similar or disparate parts of the network
space from different points. For example, a user who is familiar with
the name space can manage the IP portion via the DNS interface,
where another user might want to manipulate DNS names from
the IP side.

[Figure: Multiple users configuring DNS & DHCP services.]

Within this multi-core design, deployment roles and options
allow network administrators to model their IP and name space
as an abstract system without confusing users with underlying
deployment or configuration intricacies.

Centralized DNS/DHCP Configuration

Proteus provides a robust IPAM solution that centralizes all
DNS/DHCP configurations, across multiple platforms within the
organization, including Windows servers and BlueCat’s own Adonis
appliances.

All changes made to DNS, DHCP or IP inventories are made through
a web-based interface and then logged to Proteus’ powerful
relational database. This provides advanced audit capabilities and
gives administrators the ability to undo any network change at a
moment’s notice.

Most DNS and DHCP systems make their changes immediately
in the production environment. In the case of Microsoft, these
changes might be replicated to other domain controller servers
within minutes with Active Directory’s integrated DNS. These
methods of management scale poorly and leave the organization
with invalid data and pockets of the network without proper
connectivity.

Proteus can schedule network configuration changes so that they
can occur during maintenance windows rather than during normal
business hours. The appliance provides a “staging” or “holding”
area that allows senior administrators to review and approve
configuration changes before they are deployed or rendered
active.

Concurrent Management of IPv4 and IPv6

With Proteus, your networks can support IPv6 in parallel with and
independently of IPv4. Proteus provides tracking for both IPv4 and
IPv6 data for systems on the network, with the ability to tie both
addresses together to a single entity in the system to provide a
tracking mechanism for dual stacked clients.

Organizations can plan for the future and confidently deploy their
IPv6 networks when needed, knowing that Proteus can take them
to the next level.

IP Address Tracking

IPAM solutions are responsible for maintaining accurate data on IP
inventories and their related allocations through DNS and DHCP.
Organizations must have real-time data about IP address allocation
by configuration, zone and subnet while also tracking host names,
MAC addresses, port data and more. In large networks, resolving
accessibility issues becomes increasingly challenging, especially
when multiple locations are involved. At any time, your network
administrator might need to access information of IP addresses in
use, when they were assigned, what devices are consuming the
address, and the network or subnet. Having this level of visibility
greatly reduces network abuse, increases network management
efficiency, and enhances network security.

Proteus’ purpose-built user interface, auditing and reporting tools
lead the IPAM market in IP tracking technology, enabling network
administrators to monitor all network configuration changes
in real-time. With spreadsheets, network administrators simply
cannot track IP allocation at this level of granularity, let alone keep
up with the dynamic updates.

IP Modeling

Proteus allows administrators to model different IP address spaces
within an organization, including IANA IP grants, as well as any and
all private spaces. You can model your public, corporate, private
and lab spaces with tools that track, partition, resize, move and
split IP network space. In addition, Proteus network templates
allow you to pre-design your networks according to your business
requirements. You can create one or more network templates that
include settings such as non-standard default gateway addresses,
DHCP ranges, host record data, and DNS and DHCP deployment
options. These templates save you from manually configuring
hundreds or thousands of networks.

Proteus allows you to manage overlapping IP spaces through the
creation of separate Proteus configurations. This powerful feature
allows you to manage the IP spaces of separate entities without
conflict or issue. For example, in the event of two companies
merging, IT administrators can maintain separate conflicting IP
infrastructures that can co-exist while the IP integration process
is planned and deployed. For another example, consider an
Internet Service Provider who manages 20 different customers.
Each customer’s IP space can exist in its own Proteus configuration
without interfering with others’ spaces. Another major benefit of
Proteus’ configuration feature is that it allows system administrators
to plan and deploy to a parallel testing environment – which mimics
a production environment – without interfering with production
servers and IP addresses.

IP Reconciliation

With Proteus, administrators can reconcile modeled IP address
information with the current state of their network. Reconciliation
can be defined for a block of address space or on a specific
network.

IP reconciliation uses automated, scheduled network discoveries
to track actual IP usage on the network and reconcile this to
the data within Proteus. This allows administrators to unearth
reclaimable IP addresses (those no longer in use on the network)
as well as discover addresses in use that have not been provisioned
by Proteus.

The scheduling mechanisms allow for routine scans that can
better determine the addresses in use, as well as ad-hoc scans
when irregular network behavior is suspected. Best practices in IP
reconciliation allow for the detection of:
▪▪ Reclaimable IP addresses – IP addresses no longer in use
on the network but are still allocated in the IP database;
▪▪ Unknown IP addresses – IP addresses which exist on the
network but are not authorized (e.g. a manager who
attaches a wireless router to support extra staff); and,
▪▪ Mismatched IP data – IP addresses which exist in both the
IP database and on the network, but do not match, as in
the case of new MAC addresses being used with old IP
addresses due to a hardware refresh.

Proteus’ discovery module uses a non-invasive method to ‘walk the
network’ using layer 2 information. This is achieved by processing
SNMP information through the routers without using a flood of
ping requests. The discovery process can detect routable networks,
default gateways and port information.

Administrators typically define IP reconciliation policies that
discover IP allocation information over several, periodic network
sweeps. The discovered IP allocations are compared to the
allocation state maintained in Proteus to identify addresses that are
misaligned, which may indicate reclaimable IP space, unauthorized
addresses or updated IP information.

The reconciled information can also indicate dynamic allocations
that do not match their states inside the DHCP service. This can be
used to identify a machine that might have hijacked a reserved
address.

Since many networks have mobile users, the IP addresses reported
during a single network discovery might not be an accurate
representation of the network, which is why Proteus includes the
ability for scheduled network discoveries on a periodic basis. This
8 | BlueCat Networks

allows Proteus to build a baseline of data overtime that will help These tools transfer simple network administration to the network
the administrator to make a more educated decision in identifying users by empowering them to make their own IPAM requests.
and eliminating erroneous data. Such requests are automatically added to Proteus, with real-time
notification to an administrator, who can then approve or deny the
Once the network has been discovered, administrators can requests. By automating these arduous tasks, Proteus drastically
determine what actions should be taken. Proteus does not reduces the time and effort spent managing the IPAM system and
automatically process discovered data since administrators should the IP space it controls.
determine whether the information should be incorporated into
the system or not. There are different types of resolutions available
Distributed Administration
depending on how addresses were allocated and what information
the network discovery yielded. For example, a static address will To provide a centrally-managed environment for distributed
get processed differently from one allocated by DHCP. administration, Proteus offers a web-based interface. This
lightweight interface allows access to the Proteus system from any
Administrators can filter and sort data to focus on specific areas of
location, regardless of the administrators’ platforms [or underlying
interest. Once an administrator has chosen an action to reconcile,
processing requirements].
changes are made to the IP information and the audit trail is
updated, as with all Proteus operations. Many other systems support rich clients, which work well for small
numbers of administrators but create issues for concurrency and
platform compatibility. They also require additional software to be
Workflow
installed on an administrator’s desktop. This restricts which system
Users typically work on many different parts of the IPAM administrators can make changes, preventing them from making
infrastructure and usage patterns can be viewed based on the type changes away from their desk or when out of office.
of user. For example:
Proteus avoids this through its AJAX-enabled web interface that
▪▪ Power users can focus on building or merging networks; provides the benefits of a rich client without additional overhead
▪▪ Help desk staff can focus on adding DNS records to the and compatibility issues. Administrators can connect to Proteus
external name space; and, systems with any standard web browser, without the need for
additional software or plug-ins, and allowing them to connect
▪▪ Network engineers can focus on making changes to the from anywhere inside or out of the office.
DHCP settings on the network.

For many organizations, opening up access to all types Multi-Core Architecture


of administrative users can cause potential issues. Not all
Proteus’ revolutionary multi-core architecture separates the
administrators have the level of skill required to properly manage
distinct IPAM aspects yet unifies them so that they can be managed
DNS and DHCP. Junior administrators can introduce configuration
separately, or as one.
changes that can cause errors leading to a service outage.
The multi-core architecture looks at leverage points between cores
Proteus facilitates delegation to any type of user through Workflow,
of data and establishes a relationship between them – creating an
which provides an approval mechanism for any configuration
additional layer of information. These data cores can include MAC
change made on the system. Both users and configuration objects
addresses, IP inventory, DNS / DHCP database information, devices
can be made workflow-enabled. Any change made by a workflow
and subnet allocation data stores.
user or to a workflow object must be approved by a senior
administrator before being added to the system. This helps to Most second-generation IPAM products – even ones that claim to
safe guard the system against configuration mistakes by requiring be third generation – are primarily IP focused. The limitation of an
changes to be approved before they are implemented into the IP centric, single-core design is that there is not necessarily a direct
system. correlation between IP addresses and DNS entries. As organizations
embrace IPv6, a multi-core architecture becomes even more
Self Provisioning important since these relationships become more complicated.
For example using the multi-core approach, the host DNS record
Proteus’ self-provisioning feature extends the capabilities of can be linked simultaneously to both IPv4 and IPv6 addresses,
workflow. In many organizations, the majority of IP network thus expressing the correct and intended relationship. This differs
administration goes into granting requests for new IP addresses, from the single-core model where separate relationships are kept
networks and DNS hosts. Proteus introduces a set of self- and there is no concept of a unified host record between the two
provisioning tools that can integrate with a web-based portal or address spaces.
with your existing change request tools.

[Figure: Single Core vs. Multi-Core for representing a DNS host record with IPv4 and IPv6 addresses.]

A multi-core approach allows administrators to configure IPAM data in the core that they are the most familiar with. DNS administrators are able to configure DNS changes and automatically update the IP address space - as host records are created, the corresponding IP addresses are reserved and marked in use. Similarly, DHCP administrators are able to configure DHCP changes and automatically update the DNS and MAC spaces - as IP addresses are assigned or reserved, host names and MAC addresses can be automatically created and assigned. Any change to one core will automatically make the appropriate changes in any related core.

In addition to the relationship between the various cores, another important aspect of the multi-core design is its ability to map deployment roles and options onto various portions of the data. Deployment roles contain information about how an object should be deployed including the server and any additional parameters. Roles are inherited down throughout a core to eliminate the need of repeating and introducing inconsistencies from human error. For example, an administrator can create a set of deployment roles at the DNS view level and all sub-domains underneath will automatically inherit the roles. Some configurations will require additional parameters that might span several servers. For these situations, deployment options can accommodate deployment-specific data for a particular object.

As with roles, child objects will inherit deployment options where applicable, and Proteus allows administrators to accomplish tasks that would be very mundane under a manually configured system. This is achieved by Proteus’ ability to determine the most optimal placement of configuration information during the deployment process. These additional layers of abstraction allow users to primarily focus on the data, while administrators can put the correct mechanisms in place so that deployment is as intended.

Asset Management

Proteus allows organizations to track the host name, MAC address and port for any IP address, as well as additional data around an asset. Data, such as serial numbers, departments, employee owner and other information, can prove invaluable to an organization when tracking assets, troubleshooting or locating systems. User Defined Fields provide unlimited opportunities for customizing your managed objects by allowing you to add fields to virtually anything Proteus manages. For example, by adding the appropriate user defined fields to the IP address object, you can track the IP address based on its serial number, physical location or VLAN. In this way, Proteus can track objects such as IP hosts in different ways, allowing you to categorize and filter objects to meet specific business goals.

Data Grouping

Most IPAM information is represented in a hierarchical structure and navigated through drill downs, tree interfaces or decomposition. Proteus’ multi-core design incorporates a method for identifying objects that can be traversed laterally rather than via the traditional drill down approach.

Proteus’ Object Tagging feature allows users to apply contextual labels to multiple objects to create a unique navigation pattern and grouping structure. For example, users might want to group network equipment by geographic location. Administrators can define the tag structure for geographic zones, and then define child tags that describe the desired structure. Users can then apply tags to an object to define the relationship that will allow them to traverse the objects outside the traditional parent-child model. For example, one can immediately display – “show me all the printers in NY building B on the 3rd floor”.

Data Migration

As you transition from spreadsheets or homegrown solutions to an Intelligent IPAM solution, you need tools to migrate data from the old system to the new, in a manner that is simple and error free. Without such tools, the volume of data and its relationships can make data migration an arduous task.

Proteus simplifies data migration by using a purpose-built import engine that migrates data from structured XML. This format can
represent most data objects in Proteus and can be composed of several different modules to provide fine-grained migration.

Ease-of-Use

Ease-of-use is one of the many features that differentiate BlueCat’s products from competitive offerings. With the benefit of customer feedback and the company’s own expertise, BlueCat’s products are designed to improve the user’s overall IPAM experience.

Features such as next available address/network and event notification reduce the time and effort required to carry out daily tasks. Next available address/network allows administrators to easily allocate new addresses and provision new networks with the click of a button. No more searching through hundreds of networks and addresses to find available resources. Event notification helps to keep administrators aware of issues before they become problems. As events occur on Proteus, administrators are instantaneously notified via email or SNMP to ensure that issues are detected and corrected proactively.

Integration

Many organizations embraced ‘best of breed’ products in the late 1990s. Unfortunately, best of breed products did not necessarily integrate with one another. Today, enterprises need to leverage their current network investments and deliver IPAM capabilities across their existing infrastructures seamlessly. They need to centralize all dynamic DNS/DHCP services across multiple platforms within their organizations – this capability is integral to an intelligent IPAM solution.

A major drawback with spreadsheets and homegrown solutions is that they don’t provide visibility into dynamically allocated addresses. They are disparate from your IP allocation tools, such as DHCP. The problem is exacerbated as more and more services are standardizing on DHCP for IP allocation (almost every operating system enables DHCP out-of-the-box). Consider also that wireless networks and VoIP devices all utilize DHCP for address assignment. Without integration between your DHCP server and IPAM tool, you end up with only pieces of DNS and DHCP – none of which give you a complete picture of IP usage on your network.

[Figure: Proteus with mixed Adonis and Windows environments. Labels: Proteus IPAM Appliance; Adonis DNS/DHCP Appliance; Microsoft Windows DNS/DHCP; Adonis DNS/DHCP Appliance in XHA.]

Support for Heterogeneous Environments

An intelligent IPAM solution is able to manage IPAM services in heterogeneous environments. Many environments are mixed and need to be managed to meet organizational IT objectives. Proteus provides integrated solutions to manage both Windows DNS/DHCP services and BlueCat’s own Adonis DNS/DHCP appliances, providing the ability to manage a heterogeneous environment.

With the introduction of Active Directory in Windows® 2000, Microsoft introduced DNS as a critical component of its new directory platform. This sparked an ongoing point of contention
between the network services and domain layers with many split between BIND on UNIX or Microsoft DNS.

BlueCat Adonis DNS/DHCP appliance

The BlueCat family of Adonis DNS/DHCP appliances can be managed from the Proteus IPAM appliance to provide a robust, appliance-based replacement for UNIX or Windows-based DNS and DHCP services. Adonis appliances are available in a number of hardware configurations designed to meet a variety of organizational needs. The Adonis XMB™ platform provides robust, highly available DNS and DHCP services at the branch level, while the Adonis 1750R™ offers hardware redundancy for mission critical services. Adonis appliances can be distributed across your network and centrally managed by Proteus. They reflect dynamic changes in their environments, which are incorporated into the Proteus database in real-time.

Proteus Management Agent for Windows

The Proteus Management Agent for Windows (PMA) is used in environments where Microsoft DNS and/or DHCP require IPAM integration. Specifically designed for the Windows environment, this .NET-based solution provides similar functionality for the managed services available on the Adonis appliances. This solution eliminates the need to replace existing hardware and services on Windows servers, while providing a management solution that is lacking in the current Windows DNS/DHCP interface.

Users can choose to run PMA in the short term, with the intent of transitioning their services onto appliances, or continue to invest in Microsoft’s DNS/DHCP solution.

As with the Adonis appliance, the Agent updates Proteus with the latest dynamic changes. Users familiar with the Microsoft DNS/DHCP environment recognize that all changes made through the Microsoft Management Console (MMC) interface are immediate, which can result in loss of connectivity if bad data is introduced. This process is rather unforgiving and in the case of DNS, changes can be cached for several hours. Proteus alleviates this issue by allowing deployments to be scheduled, thus allowing administrators to choose if and when changes go live. Once PMA is implemented, all changes to Microsoft DNS and DHCP services are handled by Proteus. MMC is no longer needed.

VoIP Implementations

With the recent introduction of VoIP, many organizations increased their IP address consumption significantly. A 200% to 300% rise in the number of managed IP addresses is not uncommon. These major increases were largely due to the fact that IP phones require two network addresses.

Administrators utilizing tools like spreadsheets or in-house applications to manage IP addresses ran into scale problems during the early stages of VoIP rollout. Others who used IPAM tools licensed by IP address found themselves forced to increase their budgets so that the rollout could continue.

From an IPAM perspective, implementing VoIP involves three major components:

Specialized DHCP Options

Assigning IP addresses to handsets can be done statically, but dynamic assignment using DHCP is most often preferred. This requirement alone prompted many organizations to re-examine their existing DHCP infrastructures, as DHCP shifted from a normal network service to a critical infrastructure element. Voice applications require “dial tone” services and when an organization has hundreds or thousands of IP phones that can be powered on at the same time, high availability via both clustering and DHCP failover greatly reduces downtime. Proteus’ DHCP implementation allows for quick configuration of DHCP failover as well as scope splitting for Windows environments. In addition, Proteus’ user interface supports several options specifically introduced for DHCP and VoIP.

TFTP Image Files

Once a handset has an IP address, DHCP provides the boot file image name that will be used to initialize the handset. Using information provided in the DHCP options, the handset locates the TFTP server and downloads the specified boot image. Management of these files, including deployment, creation, and revision, is managed through the Proteus user interface. Using TFTP Deployment Roles, Proteus can determine which servers will contain TFTP repositories and will replicate the files as needed.

By centrally managing these services, and deploying to a distributed number of locations, it is simple for an administrator to make changes and roll them out to a number of TFTP servers simultaneously. In the event of a rollback scenario, the administrator can simply change the boot image file and redeploy without the need to make changes in multiple locations.

DNS Mapping To Support ENUM Protocol

Part of the VoIP rollout strategy is the DNS mapping to support the ENUM protocol. The E164 numbering system is the format used for most telephone numbers including country, area, and additional delegation codes.

This protocol uses DNS to map the E164 number using similar methods to those used in reverse DNS mapping of the IPv4 and IPv6 space. The information is represented in normal DNS zones, but since the numbers are stored in reverse dotted notation, it becomes very difficult for most administrators and users to
visualize.

Proteus has native support for modeling the ENUM space with delegation methods to handle country and area codes. The user interface also supports unified management of services, like SIP and email, for a given phone number. E164 numbers are presented in Proteus in normal reading order and are converted to the reverse format upon service deployment. This removes the difficulty in configuring ENUM while providing the necessary visibility.

Proteus API

To allow integration with 3rd party applications or to manipulate data programmatically, Proteus offers an open standards, SOAP-based API.

Since the API uses web services to encode XML information, the API is not limited to a single language, thus reducing dependence on a specific platform.

Included with the Proteus appliance, BlueCat offers Java® and Perl packages for the web service. These packages reduce the time required to write code and make the API fit tighter with the specific language. API sessions are tracked by the same audit trail and user management system, and can occur over secured or unsecured channels.

Visibility

With dynamic DNS and DHCP data, real-time visibility into DNS and DHCP updates is an important part of IPAM intelligence. Spreadsheets provide visibility into static data; however, as more and more services are standardizing on DHCP for IP allocation, more and more DHCP addresses are being leased to a variety of different devices and spreadsheets just can’t track these dynamic updates.

Governance and compliance requirements also dictate visibility into administrative changes. To comply with industry-specific regulations, monitoring, reporting, and auditing features have become paramount.

[Figure: Real-time centralized view into DNS & DHCP services. Labels: DHCP Data; DNS Data.]

Real-Time Visibility into DNS and DHCP Services


Proteus provides real-time visibility into IP allocation (via DHCP),
host name usage (through DNS), hardware visibility through MAC
address and network location through port mapping. A major
drawback with spreadsheets and homegrown solutions is that they
don’t provide visibility into dynamically allocated addresses—they
are disparate from your IP and host allocation tools, such as DHCP
and DNS.

IP Reconciliation
Proteus’ IP Reconciliation feature provides visibility into the
network through the Network Discovery service, including the IP,
MAC, host and port for each device on the network.
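
The reconciliation outcomes this whitepaper lists (reclaimable, unknown, mismatched), plus its reserved-address case, come down to a comparison between discovery sweeps and the allocation database. The sketch below is an added example, not BlueCat code or the Proteus API; the record layout, the `min_sweeps` baseline threshold and the sample addresses (documentation ranges) are assumptions constructed for illustration.

```python
"""Sketch of an IP reconciliation pass: discovered state vs. the IPAM database."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address


class Finding(Enum):
    RECLAIMABLE = "reclaimable"    # allocated in the database, never seen on the network
    UNKNOWN = "unknown"            # seen on the network, absent from the database
    MISMATCHED = "mismatched"      # present in both, but the MAC address differs
    RESERVATION_CONFLICT = "reservation conflict"  # DHCP-reserved IP held by another MAC


@dataclass(frozen=True)
class Allocation:
    """One row of the allocation database (assumed layout, not a Proteus schema)."""
    ip: str
    mac: str
    kind: str  # "static" or "dhcp_reserved" (labels chosen for this example)


def normalize_mac(mac):
    """Reduce aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to twelve lowercase hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(ch not in "0123456789abcdef" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def reconcile(allocations, sweeps, min_sweeps=3):
    """Compare discovery sweeps (each a dict of ip -> mac) with the database.

    Returns {ip: Finding} for misaligned addresses only. Nothing is modified:
    the administrator decides how each finding is resolved.
    """
    database = {str(ip_address(a.ip)): a for a in allocations}
    seen = {}  # ip -> set of MACs observed across all sweeps
    for sweep in sweeps:
        for ip, mac in sweep.items():
            seen.setdefault(str(ip_address(ip)), set()).add(normalize_mac(mac))

    findings = {}
    for ip, macs in seen.items():
        alloc = database.get(ip)
        if alloc is None:
            findings[ip] = Finding.UNKNOWN
        elif macs != {normalize_mac(alloc.mac)}:
            # A different (or additional) MAC answered for a known address.
            findings[ip] = (Finding.RESERVATION_CONFLICT
                            if alloc.kind == "dhcp_reserved" else Finding.MISMATCHED)

    # Absence only counts once a baseline of sweeps exists; a single sweep
    # would flag every mobile device that happened to be away.
    if len(sweeps) >= min_sweeps:
        for ip in database:
            if ip not in seen:
                findings[ip] = Finding.RECLAIMABLE
    return findings


# Constructed sample data (RFC 5737 addresses, RFC 7042 documentation MACs).
ALLOCATIONS = [
    Allocation("192.0.2.10", "00:00:5e:00:53:0a", "static"),         # healthy server
    Allocation("192.0.2.11", "00:00:5e:00:53:0b", "static"),         # decommissioned
    Allocation("192.0.2.12", "00:00:5e:00:53:0c", "static"),         # hardware refresh
    Allocation("192.0.2.13", "00:00:5e:00:53:0d", "dhcp_reserved"),  # reservation
    Allocation("192.0.2.14", "00:00:5e:00:53:0e", "static"),         # roaming laptop
]
SWEEPS = [
    {"192.0.2.10": "00-00-5E-00-53-0A", "192.0.2.12": "00:00:5e:00:53:cc",
     "192.0.2.13": "00:00:5e:00:53:dd", "192.0.2.200": "00:00:5e:00:53:f0"},
    {"192.0.2.10": "00:00:5e:00:53:0a", "192.0.2.12": "00:00:5e:00:53:cc",
     "192.0.2.14": "0000.5e00.530e"},
    {"192.0.2.10": "00:00:5e:00:53:0a", "192.0.2.12": "00:00:5e:00:53:cc",
     "192.0.2.13": "00:00:5e:00:53:dd"},
]

if __name__ == "__main__":
    for ip, finding in sorted(reconcile(ALLOCATIONS, SWEEPS).items(),
                              key=lambda item: ip_address(item[0])):
        print(f"{ip:<14} {finding.value}")
```

With only the first sweep and `min_sweeps=1`, the roaming laptop at 192.0.2.14 is reported as reclaimable, which is the false positive that periodic sweeps are meant to avoid.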

For an IPAM solution to be effective, it must be kept up-to-date with what is occurring on the actual network. While DNS and DHCP integration help maintain current information, static IP address management can be a time consuming affair. IP reconciliation uses automated, scheduled network discoveries to track actual IP usage on the network and reconcile this to the data within Proteus. This
allows administrators to unearth reclaimable IP addresses (those no longer in use on the network) as well as discover addresses in use that have not been permitted by Proteus. Using the IP Reconciliation feature, administrators are able to automatically reconcile the data within Proteus with the actual network to ensure the accuracy of all IP data. For more details, please see IP Reconciliation on page 7.

Mapping Devices

Proteus’ Devices feature allows you to map physical network devices to data within Proteus.

This feature allows network administrators to compartmentalize network objects by physical boundaries within their organization. This takes the logical data within Proteus and maps it to the physical devices on the network.

Audit Tracking

When many users work on similar or separate parts of any system, it is important to know who is changing what, when and where.

The auditing system inside Proteus runs deep within the product. In fact, the module that captures all changes is implemented inside the database. Changes cannot be made to the Proteus database without being recorded – even if users attempt to access the database directly. This information is tied to several key components in order to answer the questions who, when, where, and why.

Each time a user signs into Proteus, a user session is created which is tied to every database transaction that the user performs. The session includes information about the user, including his or her identity, authentication system and IP address used to sign into Proteus. Using this information, along with what data was changed and a user supplied comment, Proteus creates an audit trail entry that can be used by administrators to determine what information was changed.

During operation, Proteus processes dynamic updates, such as granted DHCP leases or dynamic DNS host registration, from Adonis appliances and Proteus Management Agents for Windows. These updates are recorded within the audit trail and available for administrators to browse. Information about what was changed is available on a system wide, per object, and per user basis.

Even if an object is part of a transaction involving other objects, it is still visible from the object’s perspective. The information tracked for auditing purposes can also be used to perform localized rollbacks when data is removed from the system.

[Figure: Composition of an Audit Trail entry. Labels: Transaction; User Name; IP Address; User’s Session; Changed Data; Change Control; Comment.]

Monitoring

Proteus provides the ability to monitor DNS and DHCP services both remotely and ‘on-box’. Remote monitoring provides a real-time, centralized perspective of performance and overall service availability across the entire network. It helps ensure operational efficiency by instantly notifying administrators of any change in the state of a service, such as an outage or capacity issue.

On-box monitoring provides administrators with real-time notification of state changes and service-level outages as they occur. Notifications occur via the user interface, email, and/or SNMP alerts. On-box monitoring, with its own service level Message Information Blocks (MIBs), provides a very granular view of DNS/DHCP and operating system level services and statistics.

With Proteus, administrators can proactively monitor their entire IP space to identify trends or potential threats. It gives them the tools they need to ensure ultimate network performance.



Logging and Reporting

Proteus contains a centralized logging system that captures all transactions and system-generated events, including alerts and exceptional conditions. Specific services like the Data Checker and DHCP Alerter will post events that require an administrator’s attention.

All events generated within Proteus can be inspected and processed by an intelligent notification system, which uses rules to determine how and when to notify interested users or systems. The notification system can filter by source and/or severity and inform users via email or SNMP traps.

On-demand report generation is available through Proteus’ web-based management console. Reports come in a variety of formats including PDF, HTML, CSV, XLS and RTF. Proteus’ reporting system provides visibility into a variety of IPAM parameters, ranging from network and DHCP utilization to administrative changes. Administrators can customize reports to suit their needs by defining which parameters are required and how each parameter is sorted.

Continuity

Continuity of network services ensures your company is always able to conduct business. To shield businesses from costly network downtime and service disruptions, intelligent IPAM solutions offer high availability features.

BlueCat’s IPAM solution separates critical services to help ensure business continuity. Configuration and network change data is stored on Proteus, while Windows® servers or Adonis appliances provide the DNS and DHCP services. Separation of services means that DNS, DHCP and IPAM services can run independently of one another. Should Proteus experience an outage, network operations would continue without incident.

[Figure: Proteus and Adonis continuity options. Labels: Replication; XHA; DHCP Failover.]

Data Integrity

Clustering with Data Replication

Proteus appliances can be deployed in two-unit clusters, with data replication between the systems in the cluster. Administrators can access either system to make configuration changes and updates – any change made to one unit will automatically be copied to the other.

Data replication keeps both Proteus units synchronized and ensures either unit can substitute for the other. Should one Proteus unit fail, its partner unit can continue functioning for both, ensuring minimal network disruption.

Database Backups

Proteus has the ability to schedule backups of its configuration database. Backups can be stored locally and automatically off-loaded to remote servers for safekeeping. They ensure that organizations always have a working configuration that can easily be restored in the event of a system failure.

Recovery

BlueCat’s Proteus and Adonis appliances include recovery mechanisms that return the systems to factory default configurations. In the event of a system failure, these recovery mechanisms quickly return systems to a known working condition, from which administrators can reload databases from backup or deploy other working configurations.

High Availability

Adonis appliances provide the ability to cluster pairs of systems in an active-passive state. Systems are connected through a heartbeat monitor that actively checks each system for configuration changes and errors. Configuration changes in one system are automatically replicated to the other, to ensure both remain synchronized.

The heartbeat monitor also detects errors or problems in a unit and automatically initiates failover to the other unit. Clustering with automatic failover ensures customers do not experience a disruption of DNS/DHCP services in the event of a hardware or software error.

Data Restoration

With regular database backups and a ‘Recycle Bin’ that allows recovery of deleted items, administrators can restore all information on both small and large scales. Users have their own personal bins while administrators with proper privileges have access to all deleted items for any given object. The ability to undo changes reduces the risk of mis-configurations and disruptive system downtime.

Error and Data Checking

Proteus provides multiple levels of error and data checking to ensure data integrity within the system. Error checking provides the ability to check any entered data for syntax and logical errors at time of entry, removing the need for administrators to do this themselves.

Changes made to any system might be syntactically correct but not always wise from a logical perspective. The problem with these types of conditions is that they cannot be determined as the data is being entered but require external analysis by experienced users who know the pattern that they are looking for.

Based on a system developed for the Adonis appliance, which provides a holistic method for checking the consistency of the data from both syntactical and logical perspectives, Proteus performs additional logic for use in an asynchronous environment where multiple users might be involved in the creation of an issue.

Data Checker Service

The Data Checker service continuously checks the IPAM data for inconsistencies and logical issues that might result in a failed deployment of one or more IPAM services. The service also examines the configuration and compares it against best practices to indicate where settings might not be ideal. Once a concern is detected, it is automatically triaged to determine what type of impact it will have on the system. Issues that result in an erroneous condition are flagged and prevent deployment until resolved by user intervention.

Since data issues are often detected while administrators are offline, they trigger events which are then processed by the notification system to alert users. Issues found by the Data Checker can be viewed globally and locally on a per object basis.

Appliance Level Redundancy

BlueCat offers carrier grade appliances with redundant hard drives and power supplies and other hardware components. Should a single component fail, the appliance will continue to function.

Service Level Failover and Load Balancing

The DHCP failover protocol provides a method for two DHCP servers to communicate with each other. Failover provides both redundancy and load balancing without requiring the use of scope splitting. DHCP failover works by sharing one or more pools between two DHCP servers. In failover terminology, two servers running failover are known as failover peers.

Failover peers need not be located on the same subnet, which provides great flexibility when deploying DHCP servers. In fact, failover servers are commonly placed on opposite sides of a WAN link, providing distributed services with full redundancy.

Control
Enterprises require an IPAM platform that simplifies and centralizes
the control of network services and resources, actively orchestrating
user access control and delegation settings regardless of location.
Providing busy administrators the control to delegate access and
change rights with multi-level granularity out to remote locations,
this Proteus functionality allows them to keep an eye on everything
from a central office while freeing their time to accomplish other
tasks.

Delegated Access Control
Administrators typically have free rein over most systems, but
unfettered access is not appropriate for less experienced users
involved in network administration. Enterprise applications must
allow for delegation of control while limiting access. Proteus
provides administrators with the ability to assign access rights to
specific users or groups of users. Access rights can be assigned
system wide or on an object level basis. This allows administrators
to mask specific sections of the Proteus system, or individual
objects from specific users, or groups of users. Once authenticated,
users can navigate the IPAM data and manage those portions of
the system for which they have access rights.

[Figure: Delegated access control across global installation.
Labels: System Admin; Toronto, London, NYC.]

Through access right overrides, administrators can set different
access levels for child objects than for their parents. This provides
simpler and more localized access for specific end-level users.

Workflow
An intelligent IPAM solution empowers lower level users to reduce
demand on experienced staff with specialized skills. Delegation
of control enables users to perform simple tasks, freeing senior
administrators for more pressing issues.

Proteus applies workflow to a number of object operations to
control delegation. Administrators delegate to a specific user or
user group through access controls, but specify that any changes
follow the workflow model. The process flows like this:

1. Following the workflow model, a user makes changes to
   IPAM data in a sandbox environment.
2. Each change generates a ‘request’ to an administrator to
   approve or reject the change.
3. Requests are visible to administrators and users who have
   full control over the objects. Changes are also visible to
   other users but appear as change requests.
4. When an administrator approves the change, all updates
   are realized and the system indicates that it was the
   approving administrator who issued the updates.
   Alternatively, if an administrator rejects the change, it will
   be discarded and any other associated changes will be
   reverted.

MAC Filtering
MAC Filtering limits the systems that can access specific DHCP
pools. This feature ties into BlueCat’s MAC Pool capabilities that
restrict DHCP access to a list of configurable MAC addresses. MAC
Filtering can also explicitly deny MAC addresses from a global deny
list.

DHCP Class and Vendor Options
DHCP Class and Vendor Options allow you to give out various
DHCP options based on the type of system that is requesting an
IP address. For example, you can create a DHCP Vendor Profile for
VoIP devices that restricts what options VoIP phones can receive
based on the type of VoIP device that is connecting.

DNS Naming Policies
Proteus’ new DNS Naming Policies feature allows organizations
to enforce corporate naming policies within Proteus, as well as
restrict what types of host names can be used. Most organizations
have a corporate naming policy that indicates the type of device
and location through the host name. For example, tor-rtr-005.bcn.com
represents the 5th (005) router (rtr) in Toronto (tor). Proteus’
Naming Policies feature allows organizations to establish a
pre-defined naming policy and associate it with a view or zone. The
feature also restricts what host names can be used to prevent
network administrators from configuring hosts or zones with
vulgar phrases, trademarked terms or other undesirable words.
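
The naming-policy check described above can be sketched as follows. This is an added example, not BlueCat's code: only the tor-rtr-005.bcn.com pattern comes from the paper, while the function name, the site and device code tables, and the deny-list words are assumptions constructed for illustration.

```python
import re

# Assumed policy for this example: <site>-<device>-<3-digit number>.<zone>
HOST_RE = re.compile(r"^(?P<site>[a-z]{3})-(?P<dev>[a-z]{2,4})-(?P<seq>\d{3})$")
SITES = {"tor": "Toronto", "lon": "London", "nyc": "NYC"}      # assumed codes
DEVICES = {"rtr": "router", "sw": "switch", "fw": "firewall"}  # assumed codes
DENY_WORDS = {"acme", "badword"}  # constructed stand-ins for a real deny list
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")  # DNS label shape


def check_name(fqdn, zone="bcn.com"):
    """Return (ok, detail): parsed fields on success, otherwise a reason."""
    name = fqdn.strip().rstrip(".").lower()
    if len(name) > 253:
        return False, "name longer than 253 characters"
    labels = name.split(".")
    for label in labels:
        if not LABEL_RE.match(label):
            return False, f"invalid DNS label: {label!r}"
    # The deny list is applied to every label, so zone names are covered too.
    # Hyphens are removed first so a denied word cannot be split across them.
    for label in labels:
        squashed = label.replace("-", "")
        if any(word in squashed for word in DENY_WORDS):
            return False, f"denied word in label: {label!r}"
    if not name.endswith("." + zone):
        return False, f"not in zone {zone}"
    host = name[: -len(zone) - 1]
    m = HOST_RE.match(host)
    if not m:
        return False, "host does not match <site>-<device>-<nnn>"
    if m["site"] not in SITES:
        return False, f"unknown site code: {m['site']}"
    if m["dev"] not in DEVICES:
        return False, f"unknown device code: {m['dev']}"
    return True, {"site": SITES[m["site"]], "device": DEVICES[m["dev"]],
                  "number": int(m["seq"])}
```

Substring matching against a deny list also rejects harmless names that happen to contain a denied word, so a real deny list needs an exception mechanism or whole-token matching.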

Audit Tracking
Proteus’ extensive audit trails provide control and complete
visibility to all administrative changes, facilitate governance and
help comply with government and industry regulations. For more
details, please see Audit Tracking on page 23.

Authentication
Proteus provides its own identity manager and supports several
alternative methods of authentication. The appliance can
authenticate users against an organization’s existing Active
Directory, LDAP, Kerberos or RADIUS services. Proteus also provides
mechanisms to use secondary authentication services when the
primary means is not available.

Administrators can configure Proteus to use secure connections for
all operations or just for authentication purposes. All authentication
attempts are logged with user name and IP location, and can be
audited by an administrator.

Conclusion
Choosing an IPAM solution is a mission critical decision.
Most enterprises are expecting their network requirements to
become more taxing in the upcoming year. As IP consumption
explodes with the introduction of VoIP, virtualization, introduction
of IPv6, wireless technology, RFID and increasing numbers of
other devices demanding IP addresses, the requirement for IPAM
Intelligence becomes not only urgent, but critical to the business.
DNS/DHCP services have given birth to a new layer of network
fabric identified as the IP address management space, which
reconciles IP centric data with data existent in a network database.
This fabric can best be described as an abstraction layer that
models out domains and networks with the purpose of planning,
tracking, and managing IP addresses and their associated data.
This ecosystem can be defined as network objects and services
including DNS and DHCP, devices, unique object identifiers, and
user-defined identifiers that automatically integrate each other’s
existence for data propagation, continuation, and network based
data-source sharing. The need for IPAM will only be exacerbated as
the adoption of IPv6 becomes officially imminent.

As IPAM evolves from a simple marriage between DNS and DHCP
services, its definition cannot be limited to simply the benefits
derived from dynamically linking DNS and DHCP functionality
together. IPAM transcends this marriage to include features and
functions shaped by this new requirement in an age of dynamic
IP address data.

The management of the entire IP address management space
requires a greater sophistication due to a larger number of endpoint
devices, users and applications which contribute a heavier demand
for more IP addresses (leading to IP address exhaustion), and the
eventual onset of new protocols like IPv6 that will transform the IP
landscape. With this new paradigm shift in network architecture,
a fresh inspection of the IP space is required to meet the needs
of enterprises to effectively manage the data associated with IP
addresses and DNS/DHCP servers.

As network administrators are constantly asked to do more
with less, network issues including a lack of resources, a lack of
automation, and an inaccurate inventory of deployed IP addresses
become imminent challenges for those dealing with keeping
the IT infrastructure always-on and always-accessible. Although
IPAM is not fundamentally new, there is a revolution in managing
IP addresses that has led to the creation of an intelligent IPAM
appliance - Proteus from BlueCat Networks.

With Proteus, BlueCat has taken an innovative approach to
defining IPAM from the customer’s perspective, starting with
the data centric view of the IP address itself. BlueCat has designed
and built an intelligent IPAM platform that provides the delicate
balance between a strategic and pragmatic overview of the whole
network. BlueCat is defining 3rd generation IPAM with network
administration workflow efficiencies in mind so that IP address
data can be dynamically shared and updated with DNS/DHCP
servers.

By integrating Proteus with our Adonis DNS/DHCP appliances and
Windows DNS/DHCP servers, we enable our customers to manage
their networks with an exclusive competitive advantage, deriving
greater efficiencies by using a commonly shared data source in
managing the IP address management space.

About BlueCat Networks
Founded in 2001, BlueCat Networks – the IPAM Intelligence Company is a leader in providing
enterprise-class IP Address Management (IPAM) platforms and secure DNS/DHCP network
appliances. BlueCat services an account base of over 1000 accounts with thousands of units
sold worldwide. Our award-winning Proteus™ IPAM platforms and Adonis™ family of DNS/DHCP
appliances have successfully garnered end-user acceptance by meeting the rising IP
management demands of healthcare, government, financial services, education, retail, and
manufacturing organizations.

BlueCat Networks, a worldwide market leader in IPAM innovation and thought leadership, is
benchmarking IPAM excellence in the networking industry. BlueCat Networks experiences
overwhelming marketplace acceptance of its networking solutions, resulting in high double
digit growth, year over year, since the company’s inception.

BlueCat Networks is headquartered in Toronto, Ontario, Canada with offices in the United
States, Europe and the Asia Pacific region. It sells networking appliances and services
worldwide through direct and indirect sales channels in over 32 countries.

To Learn More
For more information on BlueCat Networks, and our award winning Proteus IPAM solutions,
please visit our website at www.bluecatnetworks.com or call us at 1-866-895-6931.

www.bluecatnetworks.com
North American Corporate/R&D Headquarters: 502-4101 Yonge Street, Toronto, ON M2P 1N6. Phone: +1.416.646.8400. Fax: +1.416.225.4728. Toll Free: +1.866.895.6931
European Head Office: BlueCat Networks BV, Johannes Verhulststraat 156A, 1071 NP Amsterdam, The Netherlands. Telephone: +31 20 754 64 85
United Kingdom: BlueCat Networks Europe, Merlin House, Brunel Road, Theale Berkshire RG7 4AB. Phone: +44.118.902.6680. Fax: +44.118.902.6401
Germany: BlueCat Networks (Zentraleuropa), Altrottstrasse 31, D-69190 Walldorf, Germany. Telephone: +49.6227.38489.10. Fax: +49.6227.38489.18
Asia Pacific Head Office: 1 Fullerton Road #02-01, Singapore 049213. Phone: +65 6832 5124. Fax: +65 6408 3801

US Offices:
Reston, VA: 1818 Library Street, Suite 500, Reston, VA 20190. Phone: +1.703.956.3551
Atlanta, GA: 1165 Sanctuary Parkway, Suite 260, Alpharetta, GA 30009. Phone: +1.770.777.2461. Fax: +1.770.777.2464
Chicago, IL: 300 East 5th Avenue, Suite 440, Naperville, IL 60563. Phone: +1.630.946.6297
Philadelphia, PA: 1500 Market Street, 12th Floor / East Tower, Philadelphia, PA 19102. Phone: +1.215.246.3400
Los Angeles, CA: 4640 Campus Drive, Suite 103, Newport Beach, CA 92660. Phone: +1.949.260.8444

©2010. BlueCat Networks, the BlueCat Networks logo, the Proteus logo, IPAM Appliance, the Adonis logo, Adonis are trademarks of BlueCat Networks, Inc. Microsoft,
Windows, and Active Directory are registered trademarks of Microsoft Corporation. Any product photos shown are for reference only and are subject to change without notice.
All other product and company names are trademarks or registered trademarks of their respective holders. Printed in Canada.
