IP address management tools aren't sexy, but they can certainly take the tedium out of the necessary and difficult task of tracking IP addresses and DNS names across an enterprise network.
A mistake in the configuration of the DNS or DHCP services can create catastrophic problems. The bigger your enterprise network is, the more IP addresses you have to maintain and typically, the more complex the DNS configuration.
How we tested IP address-management tools
IPAM products keep strict tabs on IP addresses, DNS names, MX records, aliases or any other standard DNS object attribute. An obvious extension to IPAM is the ability to push IP address information out to DNS and DHCP servers to make the information usable across the network. Some IPAM solutions completely take over the operation and configuration of DNS/DHCP services and some simply control cursory operational aspects of these services.
For this test, we considered IPAM to mean all the tasks surrounding maintaining a list of active and available IP addresses for each subnet of our test enterprise network, the data which characterizes the addresses (media access control addresses, DNS name, DNS aliases, MX records, dynamic vs static IP addresses), management of the services necessary to make the names and IP addresses usable on the network (dns and dhcp), and all access control and user roles for individuals who would need to use the system.
Yes, it’s a pretty tall order, but we generally found that while the products tested attack the problem from different angles, they all do a fairly decent job. The real differentiation in the four products we tested -- Alcatel-Lucent’s VitalQIP, BT DiamondIP’s IPControl, Bluecat Networks' Proteus and Adonis, and Crypton Computers’s EasyIP -- lies in how each approach lines up with how your network is built.
Bluecat's offerings are delivered as a set of appliances. There are basically two types – Proteus for IPAM and Adonis for DNS/DHCP services, both of which are driven via a Web interface. The Proteus 5000 IPAM appliance was capable of completely controlling the Adonis 1000 box and its standard set of Internet Systems Consortium (ISC)-based services software. The set of appliances is purchased outright with no recurring software licensing charges and is based on the number of managed IP addresses you have. Bluecat’s has a high starting price (the combination we tested runs more than $90,000) but depending on the number of IP addresses you need to manage, this combination may actually be less expensive than other options that the number of IP addresses exceeds 50,000. There is a recurring annual maintenance fee, but professional services that aid in the integration of the solution into your network are included in the purchase price.
Alcatel-Lucent’s VitalQIP is the longest running enterprise IPAM product on the market today and therefore has had more time to mature. VitalQIP – delivered as software that runs on a standard network server -- from an architectural perspective is infinitely scalable and has full control of all DNS and DHCP services from either Web client, a native client that runs on a desktop and a command line interface. VitalQIP developers wrote their own DNS and DHCP services. And while they say their code is based on ISC code, it is still a proprietary implementation of the service standards. The architecture is also a bit complex, but when you buy VitalQIP, professional services are bundled with the price.
BT DiamondIP takes a similar approach to Alcatel-Lucent’s architecture, but instead of writing their own services, they take standard open source services and wrap them with software so they can be controlled by IPControl. BT DiamondIP offers the product in the form of an appliance (which we tested) or as software that can run on your own server hardware, both of which are accessible via Web-based and command line interfaces. But while IPControl is architecturally similar to VitalQIP, it’s much less complex.
EasyIP is a completely different class of IPAM product. It is a software-only product that runs on a Windows server (NT, 2000 and 2003) that is also running IIS. There is an AJAX-based Web interface as well as a native console to drive the product. EasyIP has features to help the user import current IP and DNS information loaded into its database, manage the information in the database, and allow for simple export features for manually loading the information into a DNS server. This solution requires more manual intervention than the other products, but it is also less expensive. That said, EasyIP is more suited for smaller enterprise networks because it is focused on the most basic of IPAM problems.
Picking a winner from this group of products is difficult. Bluecat’s combination got the ultimate nod for our Clear Choice Award. But there was very little daylight between the winner and Alcatel-Lucents’s VitalQIP and BT DiamondIP’s IPControl, which came in at a virtual tie for second. The issues Bluecat excelled in addressing were ease of use, licensing flexibility and data import methods.
We broke the issues surrounding IP address management into four groups: IP address data import and export (which we considered to be one of the more difficult tasks these products need to complete with a high level of accuracy), feature set (including the user interface and user management and license management auditing, as examples), service and support (including documentation), and scalability.
Enterprise network managers use an array of solutions to manage their IP addresses including spreadsheets, home-grown management applications, and off-the-shelf solutions similar to those covered in this test. If you purchase one of the products we tested, it is important that they have the ability to accurately import your known IP address information into the new IPAM system.
The IPAM solution simply tracks IP address adds, deletes and edits. IPAM does not act as a server for DNS information - DNS servers do that. Therefore, the accuracy of exporting IP addresses to DNS servers is important because if you make any mistakes, you could kill DNS name information used for mission-critical functions such as e-mail addressing and Web content addressing. The potential dependence on an IPAM solution puts a high priority on the quality of support and documentation, which we took into consideration when scoring these products.
Once your data is in an IPAM system, features become the next most important set of issues. It’s important to consider how easy (or difficult) the system is to use. It is also important to define what addresses or groups of addresses an IT administrator has permissions to edit. The ease of use issues are significantly driven by how well thought out the user interfaces are. Software licensing is another important issue that we consider a feature because licensing in effect links the IPAM operation to your business process.
Because healthy network operation is dependent on the IPAM solution working properly, it’s important that the IPAM solution be able scale up to handle however large your network address space can grow to be. Although it’s difficult to test scalability, our import/export test is done with a DNS dataset of 70,000 nodes, which results in more than 200,000 DNS objects. While this isn’t the largest IP dataset in existence, it is a dataset of significant size. From that solid base, we evaluated the architecture of the IPAM products to see how well they can handle a large network.
Bluecat simplicity reigns
In the Bluecat product set, the Proteus IPAM appliance both stores the pertinent IP address data and controls the Adonis DNS/DHCP server.
Other Proteus boxes can be added to the solution for redundancy and load balancing, but there are only two tiers to the overall architecture. However, an interesting consideration for some enterprise networks might be how well the Bluecat set can scale down. Bluecat does offer a relatively inexpensive Adonis package, which is meant for satellite offices with limited DHCP and DNS needs. This is a big plus because the other players don’t have this option.
Bluecat uses standard ISC services for DNS and DHCP operations. There is no need to be concerned with running proprietary services with a limited installed base. However, you do need to take service upgrades into account should the ISC group release functional or necessary security upgrades. But this is an issue with the other products (IPControl) that tap into standard ISC services as well.
Other than the Adonis network configuration, there are few configurable elements in the Adonis box. There are some data import tools such as the ability to import from other IPAM systems, spreadsheets, and from a zone transfer of a production DNS server, but once the data is imported into Adonis, it is pushed to up to the Proteus. There is much administrative interaction with the import process, but this is only something you do once and Bluecat professional services are onsite to help you through it.
The Proteus appliance pulls the necessary updates from Bluecat’s centralized update service and then pushes out the update to the Adonis appliance. Because Bluecat manages the configuration and updating of the services, Bluecat must make a new version of one of its services available for upgrade. For example, in the case of a new DNS security exploit and a resulting new version of the DNS services, Bluecat must take this upgraded source code and place it into its upgrade system. While this is an issue worthy of consideration, keep in mind that any solution that automates the updates of DNS/DHCP services will have this issue.
The data import and verification test worked well with the Bluecat combination. Some IP addresses did not get imported properly, but the number of errors was within our tolerance levels for a successful data import. Bluecat was able to accurately import 98.1% of the more than 200,000 objects in the original dataset. With more troubleshooting, it would likely have been possible to have properly imported most if not all the failed objects, but the point was to see how well the system would import existing data with the least amount of manual intervention.
There are two things that stand out with the Bluecat solution - ease of use and simple licensing. The Web interface is consistent across functions, easy to navigate and made all features easy to configure and use.
Bluecat’s Web interface allows an administrator to set up and manage user accounts and user permissions. This allows some users to only have rights to change IP address information for blocks of addresses that match their organizational functions. If a user has permissions to change an IP address, the user interface allows the change.
One unique and very useful feature of Proteus is the ability to set up multiple configurations. If you have enough Adonis boxes, it is possible to push these configurations out to separate sets of Adonis boxes to run several DNS infrastructures. We made use of this feature when doing the data import tests. We could import data using different import methods into separate configurations.
For ongoing IP address maintenance tasks, a user logs onto the Proteus box through a Web browser, goes to the block of addresses he wants to modify, finds the IP address, and makes the change through the user interface. The change is logged in the Proteus box so an administrator can troubleshoot any potential user errors that may occur. All adds, deletes and changes, as well as all system level changes are logged into the Proteus database.
The licensing is similarly simple, but with a more far-reaching implication. Once you buy the appliances you need, you don’t have to be concerned with how many IP addresses you manage, either now or in the future. This can be a disadvantage if you have a highly distributed and redundant DNS and DHCP services architecture since you would need to buy one appropriately sized Adonis appliance for every server in your architecture. There are several sizes of Bluecat appliances that should fit most enterprise network sizes.
VitalQIP popularity speaks volumes
Alcatel-Lucent VitalQIP takes an academic approach to solving the problem of IP address management. The company defined the problem it wanted to solve, developed an architecture that addresses absolutely all the areas of the problem, and implemented it. The product is not particularly elegant or efficient. The good news is you can be assured that it will do a good job, but the bad news is the solution can feel a bit overwhelming with its plethora of user interfaces, multiple architectural layers, complicated licensing schemes and proprietary DNS and DHCP services.
VitalQIP can be driven by a Web interface, a native client or command line tools available for the administrator. Although the Web interface operated properly, it appeared a little sluggish, while the native client responded much faster. The look and feel of the interfaces was consistent and relatively intuitive throughout. There are many options for setting up user groups and permissions that make the product flexible in that regard. On top of that, the displayed user interface elements can be configured for each user.
The architecture is complex but appears highly scalable. There are two entities in the architecture - enterprise services and remote services. Enterprise services can be broken into two types - centralized and distributed. Centralized enterprise services include license auditing and process scheduling. Distributed enterprise services include process messaging services, login services, update services, remote method indication (RMI) process scheduling, DNS updating and SSL tunneling services.
Remote services include process messaging services, QIP proprietary DNS service, QIP proprietary DHCP service, QIP proprietary BIND service and a QIP proprietary DHCP lease service. While proprietary overall, Alcatel-Lucent says the code for all of these services is built from ISC open source implementations that the company has tweaked so the QIP can update, configure and control all of them. The advantage is an administrator can completely rely on VitalQIP for all necessary server configurations instead of having to administer the services by hand. Since the service configurations can be rather complex, it can be argued that automation of the service configurations would be desirable. The whole point of an IPAM system should reduce the amount of human intervention in a DNS/DHCP/IP management system. The downside is there is an inherent increase in time to implement service code updates in response to discovery of a malicious exploit because VitalQIP developers must implement the updates in their code before VitalQIP administrators can make the update.
The QIP database services may be implemented with your choice of Oracle or Sybase database management systems (DBMS). The product comes with Sybase licensing and support. Oracle licensing is priced differently and requires your own Oracle DBA support. The database may be replicated as far as the DBMS allows.
VitalQIP fared well in our data import/export tests. The solution was able to import 99.2% of the more than 200,000 objects in the original IP address dataset.
The IT administrators can log on to VitalQIP through a VitalQIP client application on their desktop or through a browser. The user is given access to the address blocks they have been given access to modify (by a VitalQIP administrator) and make the change. The system can be configured to push the IP address information to DNS and DHCP services periodically or whenever a change is made.
Licensing for VitalQIP is painful. Its licensing structure is based on the number of used IP addresses. Fortunately, the pricing strata is based on rough block sizes of IP addresses, so once you buy a license for the number of IP addresses you have and you will possibly need in future, you should not have to worry about paying to manage more IP addresses. The auditing service built into the centralized Enterprise Services component of the VitalQIP architecture makes sure that the activated license will support the number of IP addresses the system is currently managing.
BT's IPControl is similar to VitalQIP in many ways in terms of licensing and basic architecture. But it separates itself because it has a simpler architecture, it uses standard services, and it has a more straightforward user interface.
IPControl's architecture comprises executive and agent pieces. The executive component resides in the IPAM appliance or your own hardware if you chose the software option and runs the database server (either MySQL or Oracle), Tomcat/Apache Web services, API Web interfaces, and the master agent. The agent piece acts as the control frontend for the DNS and DHCP services. It resides wherever the DNS and DHCP services sit, wraps itself around those services, and is responsible for communicating changes back to the executive piece of IPControl. A master agent manages licensing, agent connections and communication across distributed agents.
Both agent and executive can also run on the same hardware, but this requires professional services intervention. The product isn't sold in this form. Because professional services are bundled with the product purchase, this demarcation is a little fuzzy.
In terms of the basic communication procedure between the executive and the agent, when there is a new DNS or DHCP file, an alert is sent from the executive to the agent notifying it of the change. Next, the agent pulls the files from the executive. Then the agent validates the new files against the DNS/DHCP standards. Next, the agent places files in an appropriate location on the file system for the services to find. The final step happens when the agent signals the DNS and DHCP services to read the new files.
Unlike VitalQIP’s ability to directly control its underlying proprietary services, IPControl cannot control the configuration of the underlying open source services. In other words, you can send the services information on DNS and DHCP objects (IP addresses, names, MX records), but you can't change the structure of the DNS system regarding things such as primary and secondary DNS servers or update intervals. The idea is that the DNS and DHCP configuration is a task that is done early on in building the DNS/DHCP infrastructure and rarely changes.
However, because IPControl uses standard services, there is no need to wait for BT DiamondIP to update its service code and alert you to the change every time there is a security alert or any other reason to patch the services. The bad news is this requires you to handle the service updates by hand. This is not a problem for some enterprise networks, but it can be a problem if you are looking for a system that handles all this for you. Fortunately, we found its professional services staff to be very knowledgeable and helpful at these tasks.
Access to IPControl for all users is through a browser. The user logs on and can see the elements they can control. IP address changes are made through the Web interface. The interface is intuitively easy to use. All transactions are logged to the executive. All DNS/DHCP data updates can be configured by an administrative user and are logged for auditing purposes.
EasyIP is an easy alternative
EasyIP is a bare-bones software-only IP address management application that provides a way to track and change IP address information. It does not include any underlying DNS of DHCP services. The idea is to provide a simple way to store and maintain IP address information and give a simple CSV format file, but then you as the user are then responsible for figuring out how to import that into DNS.
There are two ways to import IP address information – the use of CSV files and through the product’s discovery tool. The CSV file reader function allows the user to specify which CSV file is to be read and the context of the data in the CSV file. Unfortunately, this tool requires that the IP addresses follow a dotted decimal format. The CSV files we used for testing had each octet of the IP address in a separate field. After some quick rearranging of our test dataset, EasyIP was able to read and import the CSV file.
Because EasyIP only does IPAM from a centralized server application and doesn’t support any DNS/DHCP services, there isn’t much to say about architecture. This fact alone would limit the use of EasyIP to small enterprise networks. Also, because the product doesn’t control DNS/DHCP services, you’d need a DNS expert on staff to support that enterprise.
The other method of import is through discovery. The discovery function allows EasyIP to collect the DNS name information for each IP address and place those into in an address space. The data is collected from a production DNS server. This function ran as expected. Once all the primary name information is gathered from the DNS servers, discovery can be run again to collect aliases and mail exchange (MX) records to get a more complete DNS dataset. This function had a known bug that the company said it would fix in its next release and we weren't able to complete this step.
Exporting the information to DNS services is only allowed through CSV files. This requires writing DNS data manipulation scripts to move the data to a DNS server. Because the ability to push the IP address information to a DNS server wasn't implemented, we weren't able to verify the import/export features. It is conceivable that a script could be written that would convert the EasyIP exported CSV file to a zone file for standard DNS services. It would take more work to define DHCP addresses and export that data to a DHCP server.
There are two user interfaces for EasyIP. One is a native Windows application (Windows 2003 or XP Professional) that allows configuration of EasyIP along with the user interfaces for manipulating the DNS data. The other interface is a Web-based AJAX application for manipulating the IP data. The AJAX interface requires Microsoft IIS Web server software with .Net v1.1. Both user interfaces are intuitive and easy to use.
Licensing for EasyIP is based on the number of managed IP addresses.
If you are looking to control your recurring costs and you would like to have your IPAM system automate all management and service configuration issues, we’d advise you to choose Bluecat. It is an appliance-based system that charges by the unit instead of by the number of managed IP addresses. It has an easy-to-use interface and the company’s professional services personnel are very knowledgeable.
If money is no object and you operate a large enterprise network where a highly scalable solution is necessary and you don’t mind running proprietary DNS and DHCP services, VitalQIP is also a good choice. VitalQIP provides a highly scalable architecture suitable for the largest enterprise networks and has a long history in the market to provide confidence in their ability to support your installation.
If price is a consideration and you have a growing enterprise network and you want to control your own DNS and DHCP services, IPControl is a good choice. Its architecture is highly scalable, and the underlying services are standard ISC DNS and DHCP implementations.
If you run your own DNS and DHCP services on a small enterprise network and you are looking for a small database for tracking your IP addresses, EasyIP could be an option. The hardware requirements are small and the price is attractive, but keep in mind that you must handle export to DNS services on your own.
A quick history lesson on the interesting path IPAM has taken over time shows why there are many similarities between the products tested.
In 1993, a start-up called Quadratek developed an enterprise IPAM product called QIP. In 1998, Lucent bought Quadratek while keeping the QIP brand. In 1999, Lucent bought INS, a professional services company. In 2001, INS spun out of Lucent into a standalone company. In the same year, Bluecat is founded and developed the Adonis product.
In 2002, the original developers or QIP found DiamondIP and develop a cable modem imaging product. In 2003, INS buys DiamondIP and launch NetControl, and IP address block management tool for ISPs. In 2004, INS launches IPControl. Two years later, Alcatel buys Lucent and keeps the QIP product brand.
In 2007, BT Global Services buys INS to form a professional service company in the US and form two business units, BT INS (professional services) and BT DiamondIP (software development).
Bass is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.
Learn more about this topic
IPAM Buyer's Guide: This guide includes product descriptions of systems and software that track IP addresses within an organization, automate changes and produce reports of systems/addresses.BlueCat adds IPv6 support to DNS/DHCP appliances
03/05/07IP address management takes a back seat – at a cost
10/18/06IP address mgmt. growing up