Providing Out-of-Band Connectivity to Mission-Critical IT Resources

Network Engineers: 5 Must-Have Tools During a Slow Economy


Network engineers need powerful tools to keep digital services online and customers happy. This is especially true during economic downturn, when organizations must freeze hiring and put more strain on existing staff. Revenue relies on network availability, and with experts predicting a recession this winter, significant operational challenges are inevitable for most organizations.

The burden of overcoming these challenges falls on network engineers. Success means maintaining reliable services and reaping any professional benefits (salary increases, promotions, etc.). Failure, on the other hand, means the very realistic possibility of major business losses and job cuts, including yours.

In order to make sure you don’t fall into the latter scenario, here are five must-have tools and techniques to help network engineers overcome these challenges.

Tool 1. OOBI-LAN™

Out-of-band (OOB) management is an essential part of a network engineer’s toolkit. At the conceptual level, out-of-band is meant to provide management access to production equipment, even if the production equipment is offline.

One major problem is that many organizations invest a lot of time and money into their production infrastructure, but not into any dedicated OOB infrastructure. In other words, they deploy OOB solutions that rely in part on their production equipment, such as OOB VLANs connected to in-band switches. All it takes is a mistake, misconfiguration, or attack to bring down the production and management networks, leaving network engineers to rebuild the entire system from scratch while their services remain offline to customers. This is simply not acceptable in a slow economy, where the business’ resources and revenue are already too thin.

Since the pandemic lockdowns, organizations have learned that they need a way to recover their network locations more quickly. According to the Uptime Institute’s 2022 Outage Analysis, outages lasting longer than 24 hours increased to nearly 30% in 2021. This has led many to build dedicated OOB infrastructure for the LAN (OOBI-LAN): they deploy a serial console locally to establish connectivity to the management ports of their sensitive equipment, and network engineers use this serial console to access their production infrastructure. Because the serial console is the only device connected to the Internet, it minimizes the attack surface, and it allows network engineers to restore services even if production equipment is down.

Tool 2. OOBI-WAN™

A critical tool for network engineers is out-of-band access that enables remote WAN management. But typically, organizations employ a WAN management strategy that also relies on their production infrastructure, such as using production gear to create VPN tunnels for management traffic. If a VPN tunnel breaks or the production gear fails, network engineers are suddenly left without remote access to their equipment.

Aside from a lack of availability, traditional OOB access comes with real security risks: LTE modems exposed to the Internet, untrusted third-party VPN services, OOB hardware that is old and unpatched, and, worst of all, device management ports exposed to the public Internet. Each of these is an attack surface that can give access to your infrastructure and be used as a pivot point to reach the rest of it.

Image: Management access depends on production equipment to establish VPN tunnels.

On top of their OOBI-LAN, organizations have built dedicated OOB infrastructure for the WAN (OOBI-WAN – there’s a Star Wars reference somewhere in there) for added resilience against these scenarios.

Image: OOBI-WAN and OOBI-LAN create a fully separate out-of-band infrastructure that can be used to completely rebuild production infrastructure.

OOBI-WAN uses MPLS, IPsec, or SD-WAN links to create an overlay network dedicated specifically to management traffic. This gives network engineers private access to their infrastructure for management and troubleshooting, essentially creating a completely separate OOB network that does not rely on any part of the production network. OOBI-WAN lets network engineers use their WAN connection to remotely access their OOBI-LAN and fully rebuild their distributed networks, regardless of the state of their production infrastructure.  

A key part of OOBI-WAN is the inherent security that is built at all layers. To build secure OOBI-WAN, the best practice is to use OOBI-SDWAN™ which automates the building of VPN tunnels between all the nodes that need to be managed. OOBI-SDWAN provides the expected auto-VPN feature which means VPN encryption keys remain secure, as they don’t need to be copied/pasted/typed into multiple third-party devices. OOBI-SDWAN also ensures that an SLA is provided on the OOBI network along with observability dashboards of connectivity and the access state of the network. The combination of OOBI-SDWAN with a zero trust security framework is the best way to gain reliability in a way that reduces your risk.


Tool 3. Fully independent automation infrastructure

Another tool that network engineers are becoming familiar with is automation. Network automation codifies repetitive tasks to reduce workloads for configuration management, compliance, and troubleshooting. During a slow economy, being able to scale an IT team’s efforts is especially valuable to business operations and end customers.

There is one major concern, however: automation that runs loose and begins destroying the network, much like a bull in a china shop. Network engineers typically must learn new automation tools and programming languages, which requires trial and error. And because there is no best-practice reference architecture, teams don’t know any better than to automate directly on the production network. This causes anxiety, as one mistake could bring down the network, cause catastrophic losses, and leave network engineers without an efficient way to recover.

Image: The orange section describes dedicated automation infrastructure used for safely implementing automation.

In recent years, teams have been deploying automation on dedicated infrastructure like their OOB network. This automation infrastructure sits between the production infrastructure and the orchestration infrastructure, and serves as a safe way to build an automation pipeline. Open, Linux-based appliances like the Nodegrid Net SR combine a variety of functions and can host automation tools, like those for observability and analytics, version control, and source of truth. This independent automation infrastructure allows network engineers to ensure the integrity of configuration changes, software updates, and remediation protocols in an out-of-band manner, rather than testing directly on the production network. They can scale their capabilities, and in case of errors, roll back to a golden configuration that keeps services online.
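The pattern described above, validating a change away from production and rolling back to a golden configuration when something breaks, as an added example that is not ZPE’s or Nodegrid’s code. The device model, the OOB management subnet (10.250.0.0/16), the two static checks, the management probe and the three sample changes are all constructed for illustration; in a real pipeline the static checks would run against a copy hosted on the automation/OOB infrastructure and the probe would be a real management session over the out-of-band path.

```python
"""Guarded configuration change: validate on a copy, apply, probe, roll back to golden.

Added example; not ZPE's or Nodegrid's code. The device model, the OOB
management subnet, the checks and the sample changes are constructed.
"""
import copy
import ipaddress

# Constructed: the subnet the out-of-band management network reaches devices from.
OOB_MGMT_SUBNET = ipaddress.ip_network("10.250.0.0/16")

# Constructed golden configuration: the known-good state kept for rollback.
GOLDEN = {
    "hostname": "core01",
    "mgmt_acl": ["10.250.0.0/16", "10.20.0.0/24"],
    "interfaces": {"eth0": "up", "eth1": "up"},
    "static_routes": {"0.0.0.0/0": "192.0.2.1"},
}

def oob_permitted(cfg):
    """The management ACL must still contain the whole OOB subnet."""
    return any(OOB_MGMT_SUBNET.subnet_of(ipaddress.ip_network(entry))
               for entry in cfg["mgmt_acl"])

def default_route_present(cfg):
    return "0.0.0.0/0" in cfg["static_routes"]

# Static checks run on a copy before anything touches the device.
STATIC_CHECKS = [
    ("OOB subnet permitted by mgmt_acl", oob_permitted),
    ("default route present", default_route_present),
]

def static_failures(cfg):
    return [name for name, check in STATIC_CHECKS if not check(cfg)]

class Device:
    """Stand-in for a managed device: a running config plus a change history."""
    def __init__(self, running):
        self.running = copy.deepcopy(running)
        self.history = []

    def apply(self, cfg):
        self.history.append(copy.deepcopy(self.running))
        self.running = copy.deepcopy(cfg)

    def mgmt_probe(self):
        """Simulated post-change probe: the OOB session only works if the
        management interface is up and the ACL still permits the OOB subnet."""
        return self.running["interfaces"].get("eth0") == "up" and oob_permitted(self.running)

def guarded_change(device, golden, change):
    """Apply `change` (a function editing a config dict in place) with guards.
    Returns (outcome, reasons); outcome is 'rejected', 'rolled_back' or 'applied'."""
    candidate = copy.deepcopy(device.running)
    change(candidate)
    failed = static_failures(candidate)
    if failed:
        return "rejected", failed          # never reached the device
    device.apply(candidate)
    if not device.mgmt_probe():
        device.apply(golden)               # lost the management path: restore golden
        return "rolled_back", ["management probe failed after change"]
    return "applied", []

# Constructed sample changes.
def add_route(cfg):
    cfg["static_routes"]["198.51.100.0/24"] = "192.0.2.2"

def tighten_acl(cfg):
    cfg["mgmt_acl"] = ["10.20.0.0/24"]     # mistakenly drops the OOB subnet

def shut_eth0(cfg):
    cfg["interfaces"]["eth0"] = "down"     # passes static checks, breaks the probe

def demo_sequence():
    """Run the three changes against one device; return outcomes, whether the
    running config ended up equal to golden, and how many applies happened."""
    dev = Device(GOLDEN)
    outcomes = [guarded_change(dev, GOLDEN, c)[0] for c in (add_route, tighten_acl, shut_eth0)]
    return outcomes, dev.running == GOLDEN, len(dev.history)

if __name__ == "__main__":
    print(demo_sequence())
```

The split between static checks and a live probe is the point: a change that looks fine on paper (shutting eth0 is a legal configuration) is still reverted the moment the out-of-band path stops answering, and the revert target is the golden configuration, not the previous running state, so an earlier accepted change is deliberately discarded in favour of a known-good baseline.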

Tool 4. Remote access to local jump box

Network engineers have another tool at their disposal: the jump box (a.k.a. jump server, jump host). A jump box hosts tools for maintaining operations, and these include file servers, image storage, configuration management tools, and troubleshooting commands. The jump box is a valuable asset for normal operations and for restoring services, such as when a device fails and needs its image rebuilt.

The issue with jump boxes is that they are typically a separate device that requires power, cooling, rack space, and maintenance. Some jump boxes also require on-site technicians to physically connect to the equipment needing repair.

Many organizations have adapted by upgrading their OOB infrastructure with appliances that can run full virtual machines (VMs). These can run all the tools mentioned above, as well as Docker containers, while consolidating power consumption, cooling resources, and rack space, so the OOB appliance can double as a jump box. Combined with OOBI-LAN and OOBI-WAN, network engineers get remote access to re-image a device, diagnose DNS/routing issues, and perform any other necessary tasks. The key point is that discrete jump boxes, like the Intel NUC, can be converted to virtual jump boxes running on a secure OOB platform like the Nodegrid services routers.

Tool 5. Smart hands

A final way that network engineers get help through a slow economy is by outsourcing to so-called ‘smart hands.’ Employing smart hands means involving a third-party expert who can take on some of the IT workload. It’s a viable strategy, especially for teams feeling crushed by corporate belt tightening and the resulting mountain of tasks.

Companies that take this approach must be aware that the skills of smart hands vary greatly, as does the cost. This means it’s essential to strike a balance between which tasks to outsource and which tasks to keep in house. For example, many organizations use smart hands for simple jobs such as replacing hardware and installing equipment at new sites. For more specialized jobs that require deeper knowledge of the environment, such as fixing a misconfigured IP address or route, teams use in-house personnel. This balance helps organizations get the support they need to keep operations running.

Get a cheat sheet to implement these tools fast

Some companies thrive during an economic downturn because they’ve intelligently placed these tools within their network architecture. Over the past decade, we’ve worked with these companies, including the largest tech giants, to describe in painstaking detail how they set up their infrastructure. We just released all 40+ pages of this validated reference architecture, complete with implementation diagrams and examples.

It’s called the network automation blueprint and it combines all of these tools. Network engineers can confidently answer questions like:

  • How do we meet SLAs with a smaller workforce?
  • How can we keep sites operating without physical access to equipment?
  • How can we perform weekly updates/patching without breaking things?

The blueprint is your cheat sheet to implementing a more resilient network, and fast.

ZPE Systems launches smartphone-size cloud gateway for IoT, OT, & IoMD applications


The Nodegrid Mini SR is ideal for secure remote out-of-band connectivity, automation, and security for critical edge devices

Fremont, CA October 19, 2022 — ZPE Systems announces the Mini SR, a smartphone-size, cloud-orchestrated gateway that solves the operational challenges of running security and connectivity at the network edge.

Organizations must solve evolving business needs by deploying applications and devices at locations including branch offices, third-party manufacturing sites, power plants, emergency response locations, and urgent care facilities. Even with cloud SaaS-based applications, organizations still require equipment, and they typically outsource to MSPs and MSSPs who can manage the SLA and operational challenges presented by this physical stack. These providers need a simple platform to host third-party applications, enable remote operation, and ensure security. The Mini SR solves this problem.

Roughly the size of an iPhone, this cloud-managed, out-of-band gateway collapses multiple boxes into one device. The Mini SR delivers wired and wireless connectivity, hosts third-party security apps and critical tools, and provides centralized cloud orchestration. Its fanless, ruggedized design can be tucked away and extends management capabilities via physical Gigabit Ethernet and USB interfaces, offering remote access via ZPE Cloud.

The Mini SR is ideal for MSPs/MSSPs and for the following use cases:

  1. Out-of-band edge rack management with environmental sensor support
  2. SASE/SSE on-ramp for Netskope, Palo Alto Networks’ Prisma Access, and Zscaler connectors
  3. Secure IoT/OT gateway with simple cloud orchestration
  4. Secure work-from-anywhere gateway (home, car, temp office)
  5. Police/emergency response (in-vehicle edge compute router)
  6. SCADA industrial OT/IoT zero-trust, pico segmentation gateway
  7. Medical and industrial device cloaking to prevent detection and exploitation during hacker reconnaissance scans
  8. SaaS applications requiring a box to host agents for vulnerability scanning, experience monitoring, and critical DDI (DHCP/DNS/IPAM) services

The Mini SR was designed after collaborating with industry tech giants who, during the pandemic, needed a secure resilience solution for their sprawling IoT and OT infrastructures. This compact gateway connects, controls, and isolates critical assets via out-of-band (OOB) management. This secure path uses the Mini SR’s Wi-Fi, LTE, or Ethernet connections to establish a tunnel or connect to zero trust destinations, keeping management traffic separate and secure.

Joe Quenneville, CEO of security service provider CyberGRC, states, “The Mini SR is perfect for managing remote manufacturing equipment, SCADA systems, medical imaging devices, and even oil & gas equipment sensors. It lets my IT team get inside their distributed systems without having to physically be on site.”

Matt Robinson, CTO of Rahi, says, “The Mini SR makes life easy for MSPs and VARs managing remote branch offices or industrial locations. It gives actionable observability into the environment for quick troubleshooting and recovery without requiring an on-site resource. The Mini SR’s out-of-band and hosted tools let teams remotely rebuild entire stacks of infrastructure, making efficient use of smart hands resources. We anticipate savings ranging from $600 to $4,000 on each smart ticket incident.”

Koroush Saraf, ZPE Systems’ VP of Marketing and Product Management, explains: “Anyone considering Raspberry Pi or Intel NUC needs the Mini SR instead. Many IT use cases and SaaS services require a physical device on premises to act as the hosting platform or cloud gateway, and this device needs to be regularly updated with the latest patches. The entire Nodegrid SR fleet, including the Mini SR, can be upgraded and orchestrated from ZPE Cloud just like iPhone users receive updates from the App Store. The Mini SR connects to ZPE Cloud via out-of-band to keep its OS and guest applications up to date.”

The Mini SR uses an Intel x86 CPU and is preloaded with Nodegrid OS, which combines secure cloud out-of-band management with an open platform that can run your preferred VMs, Docker containers, and LXC applications. The device also accommodates Nodegrid’s environmental sensors and feeds data to Nodegrid Data Lake for analytics. These integrations increase uptime by giving visibility into infrastructure heat, moisture, dust, device tampering, user experience, and hidden machine log data. On top of this, the SR family incorporates disk encryption and secure boot so that tampering and supply-chain risks are detected and thwarted. Organizations can now cut downtime by 50% or more, predictably configure and scale sites in hours, and keep edge users connected without interruption.


Upgrade Network Infrastructure With Minimal Business Interruption


Outdated network infrastructure poses a significant risk to the security and continuity of business operations. According to NTT’s “2020 Global Network Insights Report,” obsolete devices contain nearly twice as many security vulnerabilities as currently supported solutions. Outdated network hardware is also more likely to fail, and the ability to recover from a failure is severely hampered by a lack of vendor support. However, network upgrades can be highly disruptive, so many organizations delay network upgrades to avoid business interruption. They don’t realize that their outdated devices are like ticking time bombs that could bring down their network at any moment. In this post, we’ll provide advice that helps answer the question: How do I upgrade network infrastructure without disrupting business operations?

Why and when to upgrade network infrastructure

Obsolete network infrastructure no longer receives updates and security patches from the vendor. That means any vulnerabilities that exist on the device will remain open, giving cybercriminals time to find and exploit them. In addition, older network solutions often lack advanced security features such as SSO and MFA, which are required for Zero Trust.

Even supported legacy devices suffer from limitations that can prevent a business from achieving its technological goals. For instance, legacy devices may not support automation, making it difficult to achieve NetDevOps transformation. Plus, as enterprise networks grow more distributed, there’s a need for solutions that support SD-WAN and SD-Branch technology.

Sometimes the solutions themselves aren’t terribly outdated; it’s just that business requirements have changed in ways the existing infrastructure can’t support. For example, an organization may migrate some applications and systems to the cloud, so it needs networking solutions that support hybrid environments. In addition, the mix of old and new devices and of cloud and on-premises resources increases management complexity and prevents teams from effectively leveraging network orchestration.

Obsolete devices, outdated security, limited automation support, and changing business requirements are all important reasons to upgrade network infrastructure. However, these upgrades must be approached with a thoughtful strategy to reduce the impact on the performance and availability of business resources.

How to upgrade network infrastructure with minimal business interruption

Vendor-agnostic platforms are the key to smooth network infrastructure upgrades. Vendor-agnostic (a.k.a. vendor-neutral) network management platforms support integrations with all or most viable and established network solutions, including legacy devices.

Vendor-neutral management devices, such as the Nodegrid Serial Console, support both legacy and modern Cisco pinouts. That means Nodegrid provides a single, unified platform from which to manage all the outdated devices you already have as well as any new solutions you add to your infrastructure. This reduces management complexity for network administrators, giving them more time to focus on optimizing performance and planning future network upgrades.

Additionally, a vendor-neutral network orchestration platform can use that management device to extend modern automation and orchestration to legacy hardware. A truly vendor-agnostic platform, such as Nodegrid Manager (for on-premises and private cloud deployments) or ZPE Cloud (for public cloud and hybrid deployments) can run third-party automation playbooks and custom Python scripts. This gives network administrators the unprecedented ability to implement a fully-automated NetOps environment even while still rolling out infrastructure upgrades.

The final piece of the puzzle is vendor-neutral Zero Touch Provisioning (ZTP). ZTP gives you the ability to deploy new devices efficiently and securely in remote data centers, branch offices, and edge compute sites. ZTP devices are provisioned automatically over the network, reducing the need for onsite deployments or pre-staging. A vendor-neutral ZTP solution like Nodegrid can extend ZTP to other vendors’ devices so you can quickly deploy upgraded infrastructure.

Nodegrid delivers vendor-neutral management, orchestration, and ZTP so you can upgrade network infrastructure with minimal business interruption.

Need Help Upgrading Your Network Infrastructure?

Contact ZPE Systems to learn how to upgrade your network infrastructure with Nodegrid.


The Definitive SD-WAN Security Checklist for Enterprise Networks


Software-defined wide area networking, or SD-WAN, has made it possible to efficiently control highly distributed WAN architectures using software abstraction and automation. SD-WAN adoption is increasing, partially due to the rise in remote work during the pandemic, with experts predicting a compound annual growth rate (CAGR) of 26.2% between 2022 and 2028. However, while SD-WAN solves a lot of remote, edge, and branch networking problems, it also introduces security concerns that must be addressed. This definitive SD-WAN security checklist highlights the most important challenges and provides solutions for overcoming them. 

The definitive SD-WAN security checklist

Keeping an SD-WAN architecture secure requires several capabilities working together. The following list covers the most important ones.

1. Frequent security patching

Outdated operating systems create a significant security risk. According to a 2016 Voke Media survey, about 80% of breaches or failed audits could have been prevented by patching outdated software or updating device configurations. An SD-WAN router with an outdated OS is more likely to have vulnerabilities, and the longer it goes unpatched, the more likely a hacker is to find and exploit those vulnerabilities.

However, SD-WAN architectures are often multi-vendor and highly distributed, making it challenging for administrators to monitor for vulnerabilities and stay on top of patch schedules. There are two primary ways to overcome this difficulty:

  • Centralized SD-WAN management platforms provide a single pane of glass from which to monitor and update device software. The right platform is vendor-agnostic, so administrators can easily patch any and all vendor devices from one common interface.
  • Automated patch management software helps keep OSes up to date by automatically applying new updates based on a predetermined schedule. Some solutions even perform automatic vulnerability scans or can monitor environments for missing patches and apply new updates that fall outside of the usual patch schedule.

Your ability to keep SD-WAN device software secure ultimately depends on the vendor’s patch schedule. Some providers are sluggish to patch known vulnerabilities in their software, either because they think they can keep said vulnerabilities a secret or because they don’t want to dedicate the time and resources needed to keep the OS up to date. That’s why you should look for SD-WAN hardware and software vendors who are transparent about vulnerabilities and who work diligently to release frequent patches and updates. 
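As an added example (not ZPE’s, Nodegrid’s, or any patch-management product’s code) of the “monitor environments for missing patches” idea above: a compliance report that checks a multi-vendor inventory against a per-platform minimum patched version and a maximum patch age. The platform names, the version baseline, the 90-day limit and the inventory records are constructed; a real run would pull the inventory from the central management platform and the minimum versions from vendor advisories.

```python
"""Patch-compliance report over a multi-vendor SD-WAN device inventory.

Added example; not ZPE's, Nodegrid's or any patch-management product's
code. Platform names, the version baseline and the inventory are constructed.
"""
from datetime import date

# Constructed baseline: oldest OS version per platform that carries the fixes
# the organization requires (hypothetical platform names and versions).
MIN_PATCHED_VERSION = {
    "vendor-a-sdwan": "4.2.7",
    "vendor-b-edge": "12.1.3",
    "oob-console": "5.8.12",
}

# Any device not patched within this many days is flagged regardless of version.
MAX_PATCH_AGE_DAYS = 90

# Constructed inventory in the shape a central management export might have.
INVENTORY = [
    {"host": "branch01-wan1", "platform": "vendor-a-sdwan", "os": "4.2.7", "last_patched": "2022-09-30"},
    {"host": "branch02-wan1", "platform": "vendor-a-sdwan", "os": "4.1.9", "last_patched": "2022-03-14"},
    {"host": "branch02-edge", "platform": "vendor-b-edge", "os": "12.1.3-hotfix2", "last_patched": "2022-10-02"},
    {"host": "branch03-oob", "platform": "oob-console", "os": "5.8.9", "last_patched": "2022-06-01"},
    {"host": "lab-rig", "platform": "unknown-vendor", "os": "1.0", "last_patched": "2021-01-01"},
]

def parse_version(text):
    """'12.1.3-hotfix2' -> (12, 1, 3). Tuples compare numerically, unlike
    strings ('4.10.0' sorts before '4.9.0' as text but not as a version)."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def days_since(iso_day, today_iso):
    return (date.fromisoformat(today_iso) - date.fromisoformat(iso_day)).days

def assess_device(dev, today_iso):
    """Return findings for one device; an empty list means it is compliant."""
    findings = []
    minimum = MIN_PATCHED_VERSION.get(dev["platform"])
    if minimum is None:
        # Unknown platform: cannot prove it is patched, so it is reported rather than ignored.
        findings.append("no baseline for platform; patch level cannot be verified")
    elif parse_version(dev["os"]) < parse_version(minimum):
        findings.append(f"os {dev['os']} is below minimum {minimum}")
    age = days_since(dev["last_patched"], today_iso)
    if age > MAX_PATCH_AGE_DAYS:
        findings.append(f"last patched {age} days ago, over the {MAX_PATCH_AGE_DAYS}-day limit")
    return findings

def patch_report(inventory, today_iso):
    """Hostname -> findings for every non-compliant device; compliant hosts are omitted."""
    report = {}
    for dev in inventory:
        findings = assess_device(dev, today_iso)
        if findings:
            report[dev["host"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in patch_report(INVENTORY, "2022-10-19").items():
        print(host)
        for finding in findings:
            print("  -", finding)
```

Two design choices matter more than the arithmetic: versions are compared as integer tuples so that a vendor’s 4.10 release is not judged older than 4.9, and a device whose platform has no baseline is reported rather than silently skipped, since an unverifiable device is exactly the one that tends to fall outside the patch schedule.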

2. Zero Trust Provisioning

SD-WAN platforms are software-based, but they still require underlying networking hardware at each remote site for connecting to the enterprise network. Deploying this hardware can be difficult, especially when SD-WAN sites are in hard-to-reach locations such as offshore oil rigs, remote weather stations, or nations experiencing disasters or active conflicts. Often, organizations opt to pre-stage devices in their home office and then ship them to remote sites so they can avoid costly or dangerous travel.

Pre-staging creates a security risk because a pre-configured device could be intercepted by hackers and used to access the enterprise network. Zero Touch Provisioning (ZTP) reduces the need for pre-staging by deploying new device configurations over the network. ZTP-enabled devices provision themselves by using DHCP or TFTP to find and download configuration files, which means administrators can ship factory-default hardware that doesn’t contain any exploitable information about the enterprise network.

However, ZTP also introduces some additional security challenges. Once they’ve created the configuration file, administrators generally don’t monitor the entire automatic provisioning process, so there’s a chance that a mistake in the configuration file could create a security vulnerability that goes unnoticed. And, since one ZTP configuration file is usually applied to multiple devices, a potential security vulnerability could affect several systems or locations without anyone knowing. In addition, hackers could intercept the transmission of the configuration file over the network if the connection isn’t strongly encrypted.

These challenges are overcome with a secure ZTP solution that follows zero trust security principles. This type of solution is often referred to as “Zero Trust Provisioning.” It includes hardware-based security such as a TPM, BIOS protection, encryption modules, and an onboard firewall, and it protects the software layer (secure boot) and the management layer (two-factor authentication). In addition, the ideal Zero Trust Provisioning solution supports integrations with automated configuration management tools like Chef and Ansible, which can be set up to test and monitor ZTP configurations for mistakes and security vulnerabilities.

Zero Trust Provisioning is a key part of the SD-WAN security checklist because it prevents branch networking hardware from being intercepted and used in a cyberattack. It also ensures that automatic provisioning occurs over a secure, encrypted network connection, and allows integration with configuration management tools to prevent errors from introducing additional vulnerabilities. 
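Two of the ZTP risks named in this section, a configuration file altered in transit and a mistake in the file that is then replicated to every device, are both caught before the file is applied. The following is an added example, not ZPE’s, Nodegrid’s or any vendor’s ZTP implementation: it verifies an HMAC-SHA256 tag over the file and then lints the settings for common weaknesses. The key=value file format, the setting names (`config_url`, `admin_password`, `mgmt_acl`, `telnet`, `snmp_community`), the signing key and both sample files are constructed; a production system would verify a signature with a key anchored in the device’s TPM rather than a shared secret in a script.

```python
"""Verify a ZTP configuration file's integrity, then lint it for risky settings.

Added example; not ZPE's, Nodegrid's or any vendor's ZTP implementation.
The file format, setting names, signing key and sample files are constructed.
"""
import hashlib
import hmac

# Constructed shared secret known to the provisioning server and the device.
SIGNING_KEY = b"constructed-ztp-signing-key"
TAG_PREFIX = "#hmac "

def sign_config(body, key=SIGNING_KEY):
    """Return the config body with an HMAC-SHA256 tag appended as its last line."""
    body = body.rstrip("\n")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "\n" + TAG_PREFIX + tag + "\n"

def verify_config(signed, key=SIGNING_KEY):
    """Return the untagged body if the tag verifies, otherwise None."""
    lines = signed.rstrip("\n").split("\n")
    if len(lines) < 2 or not lines[-1].startswith(TAG_PREFIX):
        return None
    body = "\n".join(lines[:-1])
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lines[-1][len(TAG_PREFIX):]):
        return None
    return body

def lint_config(body):
    """Flag settings that would weaken the device once provisioned.
    Returns a list of (line_number, message)."""
    findings = []
    for lineno, raw in enumerate(body.split("\n"), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "config_url" and value.lower().startswith("http://"):
            findings.append((lineno, "config fetched over cleartext HTTP"))
        elif key == "admin_password" and not value.startswith("$"):
            # Constructed convention: hashed secrets are stored as '$id$salt$hash'.
            findings.append((lineno, "admin_password stored in plaintext"))
        elif key == "mgmt_acl" and value in ("any", "0.0.0.0/0"):
            findings.append((lineno, "management ACL permits any source"))
        elif key == "telnet" and value.lower() == "enabled":
            findings.append((lineno, "cleartext telnet management enabled"))
        elif key == "snmp_community" and value.lower() in ("public", "private"):
            findings.append((lineno, "well-known SNMP community string"))
    return findings

def check_ztp(signed):
    """Gate a ZTP file: REJECT on integrity failure, WARN on lint findings, else OK."""
    body = verify_config(signed)
    if body is None:
        return "REJECT", ["integrity check failed: tag missing or mismatched"]
    findings = lint_config(body)
    return ("WARN" if findings else "OK"), findings

# Constructed sample files.
GOOD_CONFIG = """hostname=branch07-edge
config_url=https://ztp.example.internal/branch07.cfg
admin_password=$6$constructedsalt$constructedhash
mgmt_acl=10.250.0.0/16
telnet=disabled
snmp_community=Rb3-constructed-community
"""

WEAK_CONFIG = """hostname=branch08-edge
config_url=http://ztp.example.internal/branch08.cfg
admin_password=Welcome1
mgmt_acl=any
telnet=enabled
snmp_community=public
"""

if __name__ == "__main__":
    samples = (
        ("good", sign_config(GOOD_CONFIG)),
        ("weak", sign_config(WEAK_CONFIG)),
        ("tampered", sign_config(GOOD_CONFIG).replace("10.250.0.0/16", "any")),
    )
    for label, text in samples:
        print(label, check_ztp(text))
```

Order matters: the integrity check runs first, so the lint only ever sees a file that the provisioning server actually issued, and the lint is what turns a single mistake into one rejected file rather than a weakness copied to every device that fetches it.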

3. Secure out-of-band access

Many organizations use out-of-band (OOB) management to configure, control, and troubleshoot remote network infrastructure. OOB management uses a separate management plane, so resource-intensive network management and orchestration workflows don’t affect the performance or reliability of the production network. This may involve using a jump box to access an OOB network, which is an entirely separate management network architecture that runs parallel to the production network. However, a simpler solution is to use an OOB console server to achieve the same goal without the hassle of deploying a separate architecture.

OOB management improves the performance and reliability of production networks, and provides an alternative path to remote infrastructure (typically via cellular modem) in the event of an ISP outage or a network device failure. The issue with OOB management is that jump boxes and console servers are attractive targets to hackers. If a malicious actor manages to compromise the OOB network, they’ll gain complete control over the remote infrastructure.

To keep SD-WAN devices and other remote infrastructure secure, it’s best to use an OOB console server with advanced encryption for both the hardware and the management connections. In addition, the OOB solution should include Zero Trust features like MFA (multi-factor authentication) and RBAC (role-based access control). Just like the SD-WAN hardware, the OOB device(s) should run a fully patched OS and support Zero Trust Provisioning. For even greater protection, choose an OOB solution that supports integrations with third-party security solutions like next-generation firewalls (NGFW).

A secure out-of-band management solution gives network administrators 24/7 access to remote infrastructure on a dedicated, encrypted network connection using hardened OOB console server devices. This ensures that hackers can’t use the OOB network to hijack production infrastructure while also giving administrators the ability to quickly recover from outages, hardware failures, and cyberattacks.

4. Cloud-based security technology

As we’ve discussed above, it’s possible to run SD-WAN solutions on hardware with onboard firewall features. However, these basic firewalls often lack the advanced functionality needed to protect enterprise networks from sophisticated cyberattacks, which is why most organizations also use some form of stateful firewall or NGFW that resides in a central data center. This works well for a single, centralized enterprise network, but the addition of remote sites can create performance issues.

For the centralized firewall to inspect and protect SD-WAN traffic, that traffic must be backhauled through the central data center, even if the request is ultimately destined for the web. This inefficient routing causes bottlenecks, performance issues, and even dropped connections for on-premises and remote users alike. The obvious solution to this problem would be installing physical or virtual firewalls in each remote location, but this is expensive and disruptive and creates more management complexity for network administrators.

A better way to protect remote traffic while improving performance is through the use of cloud-based security solutions, such as Security Service Edge (SSE). SSE relies on SD-WAN’s intelligent routing capabilities to separate remote traffic that’s destined for web, cloud, and SaaS resources. This traffic bypasses the firewall and is instead routed through a cloud-based security stack, reducing the load on the enterprise network.

Ideally, the SD-WAN solution will tightly integrate with the SSE platform. This combination of SSE security with an SD-WAN on-ramp creates what’s known as SASE, or Secure Access Service Edge. This is most easily achieved using vendor-neutral branch networking platforms which can host or integrate with a wide variety of SD-WAN and SSE solutions. An integrated SASE architecture ensures comprehensive security while providing remote users and systems with fast, reliable access to cloud resources.

Nodegrid checks every box on your SD-WAN security checklist

Only one remote network management solution provides everything you need to keep your SD-WAN architecture secure: the Nodegrid platform from ZPE Systems. Nodegrid’s vendor-neutral routers, such as the 5-in-1 Hive SR branch gateway, can directly host or integrate with your chosen SD-WAN solution. Whether you enable SD-WAN with a Nodegrid device or by using ZPE Cloud’s SD-WAN application, you’ll get seamless access, centralized management, and state-of-the-art security.

1. Secure, up-to-date SD-WAN device OS

Nodegrid’s branch gateway routers run on the vendor-neutral, x86 Linux-based Nodegrid OS, which is constantly monitored for vulnerabilities and frequently patched to ensure security. Plus, with the ZPE Cloud orchestration platform, you can monitor and update all your SD-WAN devices from one convenient management portal, even if that hardware comes from another vendor.

2. Zero Trust Provisioning for branch networks

All Nodegrid devices support Zero Trust Provisioning, and they can extend this capability to any third-party devices managed by Nodegrid. That means administrators can securely configure all the multi-vendor devices in a remote branch network without the need for travel or pre-staging. Nodegrid ZTP is considered Zero Trust because it protects the hardware, software, and management layers with advanced security features like:

  • Password-protected BIOS
  • Current cryptographic modules
  • SSO with SAML (Duo, Okta, Ping, and ADFS), MFA, and remote authentication
  • Geofence perimeter crossing detection
  • Onboard firewall, IPSec, and Fail2Ban intrusion protection
  • Fine grain RBAC with strong password enforcement

Nodegrid also supports integrations with automated configuration management solutions like Ansible, Chef, and Puppet, so you can ensure every device is provisioned correctly.

3. Gen 3 secure out-of-band management

Nodegrid services routers provide reliable, Gen 3 OOB management access to any connected devices, including those from other vendors. This access is protected by a patched OS, onboard hardware security features, and current encryption modules. Plus, Nodegrid’s hardware and software can host or integrate with third-party security solutions like NGFWs for comprehensive OOB security. 

4. An SD-WAN onramp to SSE

The Nodegrid branch networking solution provides the ideal SD-WAN on-ramp to leading Security Service Edge providers. That’s because Nodegrid is a completely open platform that can host or integrate with any SSE and SD-WAN offering to provide a single, unified SASE solution. This gives administrators complete control over every aspect of branch network management and SD-WAN security from one convenient portal, reducing complexity and improving your security posture at the same time.

Wondering how ZPE’s Nodegrid solution checks all the boxes on your SD-WAN security checklist?

Contact ZPE Systems today to learn more


How To Keep Colocation Data Center Pricing in Check

Rows of data center racks in a colocation facility take up a lot of space, which contributes to colocation data center pricing.

With inflation and supply chain issues causing hardware prices to surge, and a winter recession looming on the horizon, every organization is looking for ways to cut technology costs. Though colocation hosting is often much less expensive than building and maintaining an on-premises data center, factors like physical space usage, power and bandwidth consumption, and remote support can cause your monthly colo bill to spiral out of control. This blog examines some of the most common reasons for colocation data center pricing increases and offers advice on how to keep these costs in check.

Colocation data center pricing considerations

First, here are four common factors that could cause your colocation data center pricing to increase.

1. Physical space

One of the major elements determining colocation pricing is the amount of physical space being rented. Some facilities charge by the rack unit and others by square footage (i.e., how much floor space is taken up by your racks). Costs for colocation space are typically calculated based on your portion of the facility’s operating expenses, which include things like physical security, building maintenance, and energy for cooling.

2. Power consumption

Power usage also heavily affects colocation data center pricing. While some facilities offer flat-rate power pricing, it’s more common to see metered pricing, either per kilowatt of committed circuit capacity or per kilowatt-hour actually consumed. The price of data center power depends on many factors, such as electricity costs in the region, how energy-efficient the facility is, and how much energy it takes to cool your equipment.

3. Bandwidth consumption

Bandwidth is another usage-based expense that affects data center pricing. Organizations usually purchase bandwidth from an ISP rather than directly from the facility, although some data centers do offer colo packages that include internet access and bandwidth. As a result, bandwidth pricing varies significantly from organization to organization.

4. Remote hands

Though colocation data centers handle many aspects of building and facility maintenance, customers are typically responsible for deploying and maintaining their own equipment. Most organizations do so via remote DCIM (data center infrastructure management) solutions, so they do not need to maintain a physical presence in the colocation facility. However, sometimes hardware failures or other issues make remote troubleshooting impossible, so they need to use on-site managed services, sometimes referred to as “remote hands.” Some colocation facilities include an allotted time for remote hands services in their pricing, but more often this is an added fee that’s paid for as needed.

There are many other factors contributing to the cost of colocation data center hosting—such as the location of the facility, the cost of your hardware, and the uptime promised by the provider. However, these four factors are relatively easy for you to change and control without needing to completely overhaul your infrastructure or move to a different facility.

Four ways to keep colocation data center pricing in check

Now, let’s discuss how to decrease your physical footprint, lower your power and bandwidth consumption, and minimize your reliance on managed support services.

Consolidated devices

Replacing bulky, outdated, single-purpose hardware with consolidated, high-density devices is a great way to reduce your colocation data center footprint without sacrificing functionality or performance. For example, the Nodegrid Serial Console Plus (NSCP) provides out-of-band management, routing, and switching for up to 96 devices in a single, 1U rackmount appliance. The NSCP helps reduce the number of serial consoles, KVM switches, or jump boxes in your colocation data center, allowing you to save money or use the extra space for new equipment.

Another option is the Nodegrid Net Services Router (NSR), a modular appliance that can replace up to six other devices in your rack. The NSR provides routing and switching with network failover and out-of-band management, with expansion modules for Docker & Kubernetes container hosting, Guest OS & VNF hosting, and more. The NSR is an ideal solution for small colocation deployments because it can reduce the number of computing and storage devices in your rack. For example, the NSR can reduce your footprint from 4U to 1U, allowing you to cut costs and reduce the complexity of your remote infrastructure.

Remote DCIM power management

As mentioned above, most organizations use remote DCIM solutions to manage colocation infrastructure. Power management is an important aspect of remote DCIM for keeping colocation data center costs in check. Remote DCIM power management allows you to visualize power consumption, both at the individual device level and at a big-picture level. If you can see where you’re using power inefficiently, you can correct the problem (for instance, by replacing a faulty UPS or simply redistributing the load) before costs spiral out of control.

For power cost savings, you should use a remote DCIM platform that supports automation, such as Nodegrid Manager. This vendor-neutral platform allows seamless integrations with third-party or self-developed automation tools and scripts. That means you can use Nodegrid to automatically monitor for and correct inefficient power load distribution, keeping usage consistent and preventing overage fees. Plus, Nodegrid supports end-to-end automation for all your network and infrastructure management workflows, helping to reduce the overall manual workload for your administrators.
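The kind of check such an automation script performs, as an added example (not Nodegrid Manager code or any ZPE API): it takes per-outlet current readings that are assumed to have already been collected from the PDUs (for instance over SNMP or a DCIM API), totals them per circuit, flags circuits running above the 80% continuous-load derate of their breaker rating, and proposes outlet moves to relieve them. The readings, circuit names and ratings below are constructed sample data.

```python
"""Circuit-load check and greedy rebalance plan for rack PDUs.

Added example, not ZPE/Nodegrid code. Assumes readings have already been
collected into the simple tuples below; all sample values are constructed.
"""
from collections import defaultdict

# Constructed sample: (outlet id, circuit id, device, current in amps).
# circuit-A is well over its derated limit, circuit-B is nearly idle.
SAMPLE_READINGS = [
    ("pdu1-o1", "circuit-A", "fw-1", 4.2),
    ("pdu1-o2", "circuit-A", "core-sw-1", 5.1),
    ("pdu1-o3", "circuit-A", "storage-1", 6.0),
    ("pdu1-o4", "circuit-A", "hv-1", 3.5),
    ("pdu2-o1", "circuit-B", "console-1", 0.4),
    ("pdu2-o2", "circuit-B", "core-sw-2", 4.8),
]
# Breaker rating per circuit in amps (constructed).
CIRCUIT_RATING_A = {"circuit-A": 20.0, "circuit-B": 20.0}
# Continuous loads are planned at 80% of breaker rating.
DERATE = 0.8


def load_per_circuit(readings):
    """Sum outlet currents per circuit."""
    totals = defaultdict(float)
    for _outlet, circuit, _device, amps in readings:
        totals[circuit] += amps
    return dict(totals)


def overloaded_circuits(readings, ratings, derate=DERATE):
    """Circuits whose load exceeds the derated limit, with their load."""
    loads = load_per_circuit(readings)
    return {c: round(a, 2) for c, a in loads.items() if a > ratings[c] * derate}


def plan_rebalance(readings, ratings, derate=DERATE):
    """Greedy plan: repeatedly move the largest single load off the most
    overloaded circuit onto the least-loaded circuit that has headroom for it.
    Returns a list of (device, from_circuit, to_circuit) moves for an operator
    or remote-hands ticket. Raises if no circuit can absorb the load."""
    current = list(readings)
    moves = []
    while True:
        loads = load_per_circuit(current)
        over = [c for c in loads if loads[c] > ratings[c] * derate]
        if not over:
            return moves
        src = max(over, key=lambda c: loads[c])
        candidates = sorted((r for r in current if r[1] == src), key=lambda r: -r[3])
        moved = False
        for outlet, _c, device, amps in candidates:
            targets = sorted((c for c in ratings if c != src), key=lambda c: loads.get(c, 0.0))
            for dst in targets:
                if loads.get(dst, 0.0) + amps <= ratings[dst] * derate:
                    # Outlet id is kept for traceability; physically the device
                    # is re-plugged into an outlet on the destination circuit.
                    current.remove((outlet, src, device, amps))
                    current.append((outlet, dst, device, amps))
                    moves.append((device, src, dst))
                    moved = True
                    break
            if moved:
                break
        if not moved:
            raise RuntimeError(f"cannot relieve {src}: no circuit has headroom")


if __name__ == "__main__":
    print("overloaded:", overloaded_circuits(SAMPLE_READINGS, CIRCUIT_RATING_A))
    print("moves:", plan_rebalance(SAMPLE_READINGS, CIRCUIT_RATING_A))
```

The plan only looks at steady-state current per circuit; it does not account for dual-corded equipment that must stay on two independent feeds, for phase balance on three-phase PDUs, or for inrush on power-up, so treat its output as a proposal to review rather than something to apply unattended.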

Software-defined networking

Traditionally, administrators set and monitor bandwidth usage by accessing the CLI (command line interface) or GUI (graphical user interface) on individual, hardware-based network devices like switches and routers. For complex and distributed network architectures using many switches in many locations (including remote colocation facilities), manual bandwidth control is so time-consuming and inefficient that organizations end up with a “set it and forget it” approach. That means bandwidth usage is free to fluctuate as much as it wants within certain thresholds, and organizations just eat the overage costs.

Software-defined networking, or SDN, decouples network routing and management workflows from the underlying hardware. This allows organizations to centrally control and automate their entire network architecture, which includes bandwidth management for remote colocation infrastructure. Centralized SDN management gives administrators a single interface from which to control all the networking devices and workflows, so they don’t need to jump from device to device to monitor and manage bandwidth usage.

The application of SDN technology to WAN management is known as SD-WAN, and when that extends into the remote LAN it’s known as SD-Branch. SDN, SD-WAN, and SD-Branch technology use intelligent routing to ensure efficient bandwidth usage and network load balancing. That means you can keep your colocation data center bandwidth costs in check while significantly reducing the amount of work involved for your network administrators.

Out-of-band management

Out-of-band management, or OOBM, separates your management network from your production network, allowing you to remotely manage, troubleshoot, and orchestrate your colocation data center infrastructure on a dedicated connection. This has numerous benefits, including:

  • Resource-intensive network orchestration workflows won’t affect the bandwidth or performance of the production network.
  • Administrators can still access remote infrastructure even if the primary ISP link goes down.
  • Administrators gain the ability to remotely troubleshoot even when a hardware failure or configuration mistake causes a production network outage.
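Whether a management path really is separate from production is something you can test on a topology model before an outage proves it for you. The following added example (not ZPE or Nodegrid code) represents each design as an edge list, then asks two questions: which single production-device failure would sever the administrator's route to a device console, and whether the route survives every production device failing at once. The two topologies, the node names and the production set are constructed; the "VLAN_OOB" design mirrors the management-VLAN-through-production-switches anti-pattern, and "DEDICATED_OOB" a console server with its own cellular uplink.

```python
"""Shared-fate check for a management (OOB) path.

Added example, not ZPE/Nodegrid code. The topologies below are constructed;
each edge is an undirected link between two nodes in the management path.
"""
from collections import defaultdict, deque

# Constructed production devices whose failure we want to be independent of.
PRODUCTION = {"edge-rtr", "core-sw-1", "core-sw-2"}

# Design 1 (constructed): management VLAN trunked through production gear.
VLAN_OOB = [
    ("admin", "inet"),
    ("inet", "edge-rtr"),
    ("edge-rtr", "core-sw-1"),
    ("core-sw-1", "mgmt-sw"),
    ("mgmt-sw", "core-sw-2-console"),
]

# Design 2 (constructed): dedicated console server with a cellular uplink.
DEDICATED_OOB = [
    ("admin", "inet"),
    ("inet", "lte-modem"),
    ("lte-modem", "console-srv"),
    ("console-srv", "core-sw-2-console"),
]


def reachable(edges, src, dst, failed=frozenset()):
    """Breadth-first search from src to dst, ignoring links that touch a
    failed node."""
    adj = defaultdict(set)
    for a, b in edges:
        if a in failed or b in failed:
            continue
        adj[a].add(b)
        adj[b].add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def shared_fate(edges, production, src, dst):
    """Production devices whose single failure cuts src off from dst."""
    return sorted(d for d in production if not reachable(edges, src, dst, {d}))


def survives_production_outage(edges, production, src, dst):
    """True if src still reaches dst with every production device down."""
    return reachable(edges, src, dst, frozenset(production))


if __name__ == "__main__":
    target = "core-sw-2-console"
    for name, edges in (("VLAN_OOB", VLAN_OOB), ("DEDICATED_OOB", DEDICATED_OOB)):
        print(name, "shared fate with:", shared_fate(edges, PRODUCTION, "admin", target),
              "| survives full production outage:",
              survives_production_outage(edges, PRODUCTION, "admin", target))
```

The model deliberately ignores link speed, authentication and encryption on the management path; those are separate questions. What it catches is the dependency itself: in the VLAN design the route to the console dies with the edge router or the first core switch, which is exactly the failure the management network exists to recover from, while the dedicated design keeps working with the whole production set down. Extend the edge list with power (a console server fed from the same PDU as the switch it manages shares its fate just as surely) if you want the check to cover that too.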

OOBM can help reduce your reliance on colocation data center managed services because your administrators have an alternative path to critical infrastructure even during an outage. A Gen 3 OOB solution like Nodegrid can further reduce your colocation data center pricing in several ways:

  1. OOB management is built into all Nodegrid devices, so you don’t need to purchase any additional hardware (or rent additional rack space) to enable out-of-band management.
  2. Nodegrid OOB integrates with the vendor-agnostic Nodegrid Manager platform, which means you’ll have reliable 24/7 remote access to monitor and orchestrate power load distribution to ensure cost-efficiency.
  3. Nodegrid OOB devices can directly host your software-defined networking, SD-WAN, and SD-Branch solutions so you don’t need to purchase additional hardware. You can also integrate SDN, SD-WAN, and SD-Branch software with the Nodegrid Manager platform for unified control.

The Nodegrid solution from ZPE Systems can help you keep colocation data center pricing in check through consolidated devices, remote DCIM orchestration, software-defined networking support, and Gen 3 out-of-band management.

Want to find out more about reducing colocation data center pricing with Nodegrid?

Contact ZPE Systems today!