Providing Out-of-Band Connectivity to Mission-Critical IT Resources

The Biggest Ransomware Attack You Haven’t Heard of…Yet

James Cabe CISSP

This article was written by James Cabe, CISSP, whose cybersecurity expertise has helped major companies including Microsoft and Fortinet.

MOVEit over SolarWinds — The largest and most successful ransomware attack ever recorded is happening. Right now. It’s attacking healthcare and financial institutions with high rates of success, and recently stole sensitive data of 4 million more healthcare patients. It uses something called CL0P ransomware, and the threat actor is a well-known criminal group with the name FIN11. Many organizations are finding it difficult to stop the attack because they have no way to access infected devices, take them offline, patch, or even replace them. So, what exactly is going on?

The group responsible for the attack

FIN11 is a cybercriminal group that has been active since 2016 or before, originating from the Commonwealth of Independent States (CIS). While the group has historically been associated with widespread phishing campaigns, their focus has shifted towards other initial access vectors. FIN11 often runs high-volume operations targeting industries in North America and Europe for data theft and ransomware deployment, primarily leveraging CL0P (aka CLOP).

FIN11 is responsible for multiple widespread, high-profile intrusion campaigns leveraging zero-day vulnerabilities, and the group likely has access to the networks of many more organizations than it is able to successfully monetize. Despite this, they’re currently attacking MOVEit, a well-known SaaS provider that relies on a file transfer appliance called Accellion File Transfer Appliance (FTA). This legacy product remains unpatched, which has led to the breach of many Fortune 100 companies and state and federal agencies.

How did the ransomware attack start?

The ransomware attack began with several Accellion FTA customers, including those in industries like healthcare, legal, finance, retail, and telecom. Companies such as Jones Day Law, Kroger, Singtel, and many others had no idea that they had been attacked, because the initial breach was quiet and headless.

Their only indication came after receiving a threatening email aimed at extortion. 

In this email, the group threatened to publish stolen data on the “CL0P^_- LEAKS” .onion website, according to an investigation from Accellion. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

According to the investigation, four zero-day security holes were exploited in the attacks:

  • CVE-2021-27101 – SQL injection via a crafted Host header
  • CVE-2021-27102 – OS command execution via a local web service call
  • CVE-2021-27103 – SSRF via a crafted POST request
  • CVE-2021-27104 – OS command execution via a crafted POST request

The published victim data appears to have been stolen using a web shell. These web shells give remote administrative access to the web server and create a jumping-off point to attack the rest of the internal network. Mandiant, a well-known cyber investigation arm of Google, added, “The exfiltration activity has affected entities in a wide range of sectors and countries” (Threatpost). Exfiltration is the unauthorized removal of important or damaging data from an organization.

However, the biggest problem is that these web shells give attackers what researchers call “persistence”. This means that an attacker can remain in your network indefinitely to continue damaging and attacking your resources. Researchers call these threats “APTs,” or Advanced Persistent Threats.

Why is the ransomware attack still going strong?

The ransomware attack is still going strong because there’s no patch available. According to open source information, beginning on May 27, 2023, the CL0P Ransomware Gang began exploiting a previously unknown SQL injection vulnerability (CVE-2023-34362) in Accellion’s appliance that is the backbone of a solution known as Progress Software’s MOVEit Transfer service. Internet-facing MOVEit Transfer web applications were infected with a web shell named LEMURLOOT, which was then used to steal data from underlying MOVEit Transfer databases. In similar spates of activity, TA505, which is the group responsible for the Dridex trojan and Locky ransomware, conducted zero-day-exploit-driven campaigns against Accellion FTA devices in 2020 and 2021, and Fortra/Linoma GoAnywhere MFT servers in early 2023.

What most organizations want to know is: How do you quickly respond to issues like these? How can you be properly prepared to respond to an issue you didn’t cause or didn’t expect?

Patching is a good response. However, it takes an average of 205 days to patch a recently known zero-day exploit like the MOVEit vulnerability. While patching alone is typically the ideal response, it isn’t automatic nor can it be done quickly.

Another approach involves removing the offending software or appliance, or cutting off access to the software or appliance. But once you remove this access, how do you continue normal operations, and how can you easily bring the software/appliance back online? Without adequate infrastructure in place, physically deploying to each site is not practical, especially for distributed organizations.

CISA and the FBI encourage organizations to implement the recommendations in the Mitigations section of this CSA to reduce the likelihood and impact of CL0P ransomware and other ransomware incidents. The Mitigations section describes many approaches, including patching, removing software/appliance access, and implementing a recovery plan. But all of these take too much time and too many resources, which leaves organizations vulnerable as they scramble to create an adequate response.

The great news is, organizations can cover all their bases without having to reinvent the wheel. This approach is recommended in one of CISA’s recent directives, and gives organizations somewhat of a silver bullet that allows them to quickly defeat ransomware and remain prepared for any future attack.

What approach does CISA recommend to address ransomware attacks?

CISA’s recent directive (23-02), which addresses the vulnerability of Internet-exposed management interfaces, calls for organizations to create an isolated management infrastructure (IMI) via out-of-band connectivity. This is a drop-in solution that the military, telcos, and hyperscalers/cloud companies use to respond to widespread ransomware and other issues impacting security and resilience. This approach — which ZPE Systems has perfected in the last decade with the help of Big Tech — gives organizations a completely separate control plane through which they can monitor and manage their entire IT infrastructure in a safe and dedicated fashion.

What is isolated management infrastructure?

Isolated management infrastructure consists of the hardware and software that create a management network that’s fully separate from other production and management networks. The key to this is in out-of-band connectivity, which is defined as connectivity other than TCP/IP. Out-of-band can include direct USB, serial, or even non-routed zero-trust connections to crown-jewel assets.

Essentially, the IMI gives an organization complete oversight and control of their widespread IT infrastructure, in a way that is secure and accessible only to their IT teams.
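One way to check an inventory against the separation described above, as an added example that is not from the article or from ZPE Systems. The device names, subnets, and the classification rule (serial/USB attachment or a dedicated management subnet counts as isolated) are assumptions constructed for illustration.

```python
"""Audit a device inventory for management interfaces that are not isolated."""
import ipaddress
from dataclasses import dataclass

# Constructed address plan for one site (assumed values, not from the article).
OOB_MGMT_NETS = [ipaddress.ip_network("172.31.250.0/24")]  # dedicated management LAN
PRODUCTION_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # user/application traffic
# Private ranges (RFC 1918 plus IPv6 unique local); anything else is treated
# as reachable from the Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Lower number = reported first.
SEVERITY = {"internet-exposed": 0, "shared-with-production": 1,
            "unclassified-internal": 2, "isolated": 3}


@dataclass(frozen=True)
class MgmtInterface:
    device: str
    attachment: str    # "serial", "usb" or "ethernet"
    address: str = ""  # empty for console attachments that carry no IP


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def classify(iface: MgmtInterface) -> str:
    """Return the isolation status of one management interface."""
    if iface.attachment in ("serial", "usb"):
        # Direct console attachment: no routed path into production.
        return "isolated"
    if not iface.address:
        raise ValueError(f"{iface.device}: ethernet interface needs an address")
    ip = ipaddress.ip_address(iface.address)
    if _in_any(ip, OOB_MGMT_NETS):
        return "isolated"
    if _in_any(ip, PRODUCTION_NETS):
        return "shared-with-production"
    if not _in_any(ip, INTERNAL_NETS):
        return "internet-exposed"
    return "unclassified-internal"


def audit(inventory):
    """Return (status, device) for every non-isolated interface, worst first."""
    findings = [(classify(i), i.device) for i in inventory]
    findings = [f for f in findings if f[0] != "isolated"]
    return sorted(findings, key=lambda f: (SEVERITY[f[0]], f[1]))


# Constructed sample inventory. 203.0.113.0/24 is a documentation range that
# stands in for a public address here.
SAMPLE_INVENTORY = [
    MgmtInterface("core-sw-01", "serial"),
    MgmtInterface("fw-edge-01", "ethernet", "203.0.113.10"),
    MgmtInterface("mft-appliance-01", "ethernet", "10.20.4.15"),
    MgmtInterface("pdu-rack-07", "ethernet", "172.31.250.21"),
    MgmtInterface("hv-mgmt-02", "ethernet", "192.168.50.9"),
    MgmtInterface("kvm-03", "usb"),
]

if __name__ == "__main__":
    for status, device in audit(SAMPLE_INVENTORY):
        print(f"{status:24} {device}")
```

Interfaces reported as `unclassified-internal` sit on a private network that is in neither list, so the address plan needs updating before they can be judged.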

In this diagram, the production infrastructure (blue ring) sits at each distributed location. The out-of-band infrastructure for LAN (OOBI-LAN) is the green ring and surrounds the production infrastructure with one layer of isolated management. The OOBI-WAN (orange ring) is what provides a second layer of isolated management, which teams can access from a central or remote location, to gain access to the OOBI-LAN and ultimately the production infrastructure.

Knowing these assets and providing access across the organization can be easy and does not have to disrupt current operations. 

How can IMI stop the FIN11 ransomware attack?

In the ongoing FIN11 ransomware attack, Internet-facing applications are targets of the zero-day exploit. This means that no amount of security solutions can pre-mitigate the attack (i.e., there’s nothing you can do to stop it). This is where IMI shines.

Isolated Management Network diagram sitting beside production infrastructure

Remember the OOBI-LAN/OOBI-WAN diagram? Here’s a zoomed-in view of the isolated management infrastructure sitting beside the production infrastructure. The IMI connects via serial, Ethernet, and USB to production gear, and provides the necessary functions (routing, storing golden images, hosting jumpbox tools, etc.) to recover from attack. But how?

IT teams can use OOBI-WAN to remotely access their OOBI-LAN and production gear. They can pull affected devices offline and bring them in for forensics, which takes place in an Isolated Recovery Environment (IRE). This means these assets and networks are still reachable by analysts and responders, but isolated from other vulnerable assets. This allows an organization to quickly and even automatically deploy tools and resources inside of this environment through devices like ZPE Systems’ Nodegrid.

To combat the FIN11 attack, organizations don’t need to unplug cables or shut their devices off. They can instead deploy their IMI as the framework for closing the attack surface while maintaining access and critical data to aid in recovery.

Get the blueprint for isolated management infrastructure

Don’t wait until the next attack to shore up your defenses. ZPE Systems has worked with Big Tech for ten years developing the isolated management infrastructure. It’s now available inside the Network Automation Blueprint, and walks you through how to implement your own IMI. Download the blueprint now to stay ready for any attack.

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:

SD-WAN ROI Calculator & Cost Reduction Strategies

As an organization expands by adding new branches, its WAN also expands. The larger the WAN grows, the more network traffic needs to flow through MPLS (multi-protocol label switching) circuits, which have much more expensive bandwidth fees than traditional circuits. Some organizations improve their network performance by deploying security appliances at regional data centers, so they don’t need to backhaul traffic through the central firewall, but this only increases MPLS expenses and operating costs. Plus, spinning up each branch takes time, partly because of how long it takes to install a new MPLS circuit, which reduces agility and increases overhead costs.

SD-WAN, or software-defined wide area networking, abstracts WAN management to a separate control plane, streamlining workflows and allowing for a high degree of automation. SD-WAN makes it possible to leverage 5G and other networking technologies to reduce the reliance on MPLS circuits while still applying security policies and controls. With SD-WAN, you can lower your MPLS bandwidth costs, reduce the number of security appliances deployed around the enterprise, and deploy new branches faster.

In this post, we describe how SD-WAN decreases branch networking costs. We also explore strategies to reduce your expenses, providing an SD-WAN ROI calculator for a more personalized estimate of your potential savings.

How SD-WAN reduces branch networking costs

 

Reducing branch networking costs with SD-WAN

  • SD-WAN decreases MPLS bandwidth expenses by leveraging 5G and other available networks when possible.
  • An SD-WAN on-ramp to SASE means fewer security appliances deployed around the enterprise.
  • SD-WAN results in faster branch deployments by decreasing the reliance on new MPLS circuit installations.

 

Implementing SD-WAN can result in the following cost reduction benefits.

Decreased MPLS bandwidth expenses

In a traditional WAN architecture, MPLS circuits are installed at each branch to create a semi-private connection back to the primary enterprise network; this traffic isn’t encrypted, but it is partitioned from the public internet and other MPLS customers. MPLS networks are very reliable, but the bandwidth is significantly more expensive than public internet bandwidth. Finding ways to reduce the amount of traffic over MPLS circuits can reduce the ongoing operational costs of each branch.

SD-WAN leverages whatever networks are at its disposal—including MPLS, public ISPs, and 5G/4G cellular—to find the best and most efficient path for branch traffic. An organization can use SD-WAN software to prioritize specific kinds of traffic based on parameters such as the apps or resources being requested, so precious MPLS bandwidth is only used when needed. Many organizations are able to move away from MPLS completely by using SD-WAN. Providers are also required to build their SD-WAN fabric from encrypted tunnels, allowing SD-WAN to direct traffic over the public internet with less risk.

Cost reduction strategy: secure access service edge (SASE)

Even with SD-WAN’s encryption, branch traffic still needs to pass through a security appliance in the central data center so enterprise security policies and controls can be applied, which likely means using the MPLS anyway. Secure access service edge, or SASE, rolls up multiple enterprise security technologies (such as next-generation firewalls (NGFWs) and data loss prevention) into a single solution delivered as a service, which means organizations can deploy it to regional data centers or even the branches themselves. SD-WAN’s intelligent routing feature can determine when branch traffic is destined for cloud or web resources, then direct this traffic through the SASE stack instead of using the MPLS to reach the central firewall. SASE can help eliminate MPLS usage completely while reducing bottlenecks for greater cost savings.

With SD-WAN and SASE, your organization can reduce the ongoing monthly expense of MPLS bandwidth at each branch without sacrificing reliability or security.

 

Fewer security appliances

To ensure that branch traffic is as secure as the primary enterprise network, teams usually backhaul that traffic through the same central firewall for inspection and policy application. This creates a massive bottleneck that can slow the entire enterprise down, so some organizations choose to deploy security appliances at smaller regional data centers near their branch locations to distribute the load. However, that usually means additional MPLS circuits are provisioned at each data center, increasing startup and bandwidth costs. Plus, there are the hardware, software, and licensing costs for all the additional security appliances.

We’ve already mentioned how SD-WAN leverages alternative networks (as well as encrypted tunnels) to reduce MPLS bandwidth usage and how SASE applies enterprise security controls to branch traffic while bypassing firewalls entirely. These two benefits also result in cost savings from needing to purchase and license fewer security appliances. Since vendors deliver SASE as a service, it doesn’t necessarily require special hardware to run, and some providers even offer it as a managed cloud service, eliminating the hardware cost altogether.

Cost reduction strategy: vendor-neutral solutions

On-premises versions of SASE usually don’t need vendor-specific hardware, so you can deploy the software on any available server as a VM. However, many branches lack the extra server storage or compute headroom needed for this kind of deployment. To ensure you can deploy SASE without buying additional resources, consider vendor-neutral branch networking solutions that can directly host and run third-party VMs. That means you can get gateway routing, switching, out-of-band serial console management, and SASE in a single device, consolidating the branch networking stack to reduce hardware expenses and management complexity.

With SD-WAN, SASE, and vendor-neutral solutions, you can streamline your branch deployments to reduce costs and increase efficiency.

 

Faster branch deployments

Generally speaking, the faster a company can deploy a new branch, the faster it will see a return on investment (ROI). However, getting a new MPLS circuit provisioned can take a long time—several months is typical—which can delay deployment timelines and increase overhead expenses while an organization sits on a non-productive branch.

SD-WAN makes it possible to leverage alternative network technologies to get a branch up and running before the MPLS circuit is ready. For example, SD-WAN can direct branch traffic across a 5G network even before the main fiber or cable connection is installed. When all of the branch circuits are provisioned, SD-WAN can seamlessly incorporate them into its routing policies based on preconfigured policies and automation triggers for a smooth deployment. In short, SD-WAN eliminates the organization’s reliance on MPLS for revenue generation, with branches that can be fully operational as soon as LTE or ISP links are set up.

Cost reduction strategy: zero touch provisioning (ZTP)

Another way to reduce branch spin-up times is with zero touch provisioning, or ZTP. ZTP uses software scripts to execute new device configurations over the network, reducing the need for pre-staging or manual, on-site programming. Typical branch deployments involve sending engineers on-site to manually copy and paste configuration files, which is time consuming and increases the risk of human error. With ZTP, unskilled on-site staff simply plug in new device cables and the configuration scripts are automatically retrieved and executed to fully build the environment without human touch. Plus, ZTP scripts are reusable, so you can use the same ones to deploy many different branches.

With SD-WAN and ZTP, your organization can reduce branch deployment delays and see a faster ROI from new branches.

 

SD-WAN ROI calculator

ZPE Systems provides vendor-neutral branch networking solutions that can directly host or integrate your choice of SD-WAN and SASE applications. ZPE’s platform also allows you to extend ZTP and other automation to every device in every branch on your network. Check out our SD-WAN ROI calculator for a customized estimate of how much money you can save by deploying SD-WAN on ZPE’s platform.

ZPE Systems’ Nodegrid solution combines branch networking, out-of-band management, and vendor-neutral orchestration into a single platform.

To learn more about using Nodegrid as your on-ramp to SD-WAN, or for help with the SD-WAN ROI calculator, contact ZPE Systems today.

Opengear EOL: IM7200 Alternative Options

The Opengear IM7200 is a line of out-of-band (OOB) serial consoles, also known as terminal servers, console servers, serial console servers, serial console routers, and serial console switches. The Infrastructure Manager (IM) solution provides consolidated remote management of data center infrastructure. The IM7200 is EOL as of the 31st of March, 2023, with an end-of-sale date of the 30th of September 2023. In this blog, we’ll discuss replacement options for the IM7200, including Opengear alternatives that deliver unlimited automation capabilities and complete vendor freedom.

 

Opengear IM7200 overview

The Opengear IM7200 is a line of serial console solutions that provide out-of-band (OOB) management for 8-48 devices. It’s designed to give administrators a dedicated control plane from which to access and manage remote infrastructure in data centers and large IT deployments.

With the IM7200 now EOL, Opengear recommends migrating to the OM2200 series. Let’s take a look at the features, specifications, and limitations of the Opengear OM2200 before discussing some alternative options.

 

Opengear migration options: OM2200

The Opengear OM2200 Operations Manager console server solution provides OOB management for up to 48 devices over serial and/or Ethernet. OOB and failover use dual fiber ports, with an optional LTE-A Pro cellular module available. One of the OM2200’s biggest strengths is its power management capabilities, uniquely supporting over 100 power vendors’ equipment.

The OM series is Opengear’s line of NetOps console servers, which means they support Opengear’s automation modules as well as Python scripts and Docker container deployments. However, Zero Touch Provisioning (ZTP) and RESTful APIs are locked behind an upgraded version of Opengear’s Lighthouse software. In addition, the OM2200 is what’s known as a 2nd generation or “Gen 2” serial console, which means it isn’t vendor-neutral and can’t integrate or host third-party applications for automation or security.

Opengear OM2200 Features & Tech Specs

Notable Serial Console Features
  • SSH direct to consoles
  • Keystroke logging
  • Alert on cable disconnects
  • Text pattern match
  • Multiple concurrent sessions
  • Automatic device name discovery

OOB Managed Interfaces
  • 16, 32, 48 ports

Hardware
  • AMD X86, 64-bit CPU
  • 8 GB DRAM
  • 64 GB SSD

Automation
  • Opengear NetOps modules
  • Docker
  • Python
  • Perl and bash support
  • Ruby

Automation for End Devices
  • Can run playbooks
  • Python
  • Lighthouse

Guest OS
  • Docker support

Power Management
  • Monitor UPS battery status
  • Automate routine maintenance and load testing
  • Control PDU outlets via serial, USB, and Ethernet
  • Enforce remote power permissions and map managed consoles to outlets
  • Minimize MTTR with out-of-band power control
  • Uniquely supports over 100 power vendors’ equipment

Hardware Security
  • TPM 2.0
  • Embedded firewall

Form Factor
  • Fixed 1RU

 

Opengear OM2200 limitations

The OM2200 is a good Gen 2 serial console switch that offers some major improvements over the IM7200, but it still falls short of delivering Gen 3 OOB console server functionality in the following ways.

  • Vendor lock-in: The X86 CPU and Linux-based OS make the OM2200 programmable and extensible, but Opengear’s Lighthouse management software is not truly vendor-neutral. That means your third-party integration capabilities will be limited to specific supported solutions. If you have a hybrid, distributed, or multi-vendor infrastructure, this limitation could leave gaps in your management and orchestration coverage.
  • Limited automation: The OM2200 improves upon the 7200 by supporting Opengear NetOps modules and allowing scripting and ZTP within the Lighthouse Automation edition. However, this automation only extends to certain supported end-devices, which means you’ll either need to stay within Opengear’s ecosystem, or manually provision and deploy the rest of your infrastructure.
  • Lack of security: The OM2200 includes TPM 2.0 security, SAML 2.0 support, and an embedded firewall. However, it does not include additional hardware security like geofencing, BIOS protection, or UEFI secure boot. This increases the risk that a stolen serial console could be used by cybercriminals to breach your OOB management network.


Both the Opengear IM7200 and OM2200 are Gen 2 serial console servers, which means they provide OOB management access as well as some automation functionality to simplify individual network management workflows. However, due to vendor lock-in and minimal hardware security, the OM series falls short of the end-to-end automation and security required for a Gen 3 serial console solution.

Opengear alternative options from ZPE Systems

Another migration option for EOL Opengear console servers is the Nodegrid solution from ZPE Systems. This Gen 3 OOB management platform includes a wide range of serial console servers and integrated branch services routers to choose from, with the Nodegrid Serial Console Plus (NSCP), the Nodegrid Serial Console S Series, and the Nodegrid Net Services Router (NSR) serving as direct replacements for the IM7200.

Nodegrid Serial Console Plus (NSCP)

The high-density Nodegrid Serial Console Plus comes in 16, 32, 48, and 96 serial RJ45 port configurations as well as providing 2 USB 3.0 ports for a total of 98 managed devices on a single 1RU solution. That means a single NSCP could replace up to 12 Opengear IM7200 serial consoles, saving on hardware costs and optimizing rack space.

Nodegrid Serial Console S Series

The Nodegrid S series, which comes in 16, 32, or 48-port configurations, uses auto-sensing ports to provide seamless management of modern, legacy, and mixed-vendor infrastructure. The S Series RS232 serial console switch is the perfect legacy modernization platform because it allows you to extend automation to end devices that otherwise wouldn’t support it.

Nodegrid Net Services Router (NSR)

The Nodegrid Net Services Router (NSR) is an all-in-one branch networking solution that delivers OOB, SD-WAN, and more in a single box. The NSR has a modular design that lets you customize your solution with extra terminal server capabilities, storage, processing power, or GbE Ethernet ports.

All Nodegrid devices are secured with on-board features like BIOS protection, geofencing, TPM 2.0, and UEFI Secure Boot. An embedded firewall provides additional functionality like multi-site IPSec VPN, advanced authentication, and 2FA and SAML 2.0.

Nodegrid’s hardware can also directly host VMs, Docker containers, and third-party security and automation applications. Plus, the Linux-based Nodegrid OS supports NetOps automation and orchestration via integrations with tools like Docker, Chef, Puppet, and Ansible. In addition, ZPE’s management software, which is available as an on-premises or web-based solution, provides vendor-neutral visibility and orchestration of all your data center and cloud infrastructure behind one pane of glass.

Nodegrid features & tech specs

 

The entries below apply to the Nodegrid NSCP, Nodegrid S Series, and Nodegrid NSR alike, except where a model is named.

Notable Serial Console Features
  • SSH direct to consoles
  • Keystroke logging
  • Logging to ZPE Cloud, NFS, Local
  • Alert on cable disconnects
  • Text pattern match with scriptable actions
  • Multiple concurrent sessions
  • Automatic device name discovery
  • Session sharing for collaboration
  • IP address per serial port
  • Secure session logout enforcement
  • Power control hotkey on serial port
  • Configurable icon per serial port

OOB Managed Interfaces
  • Nodegrid NSCP: 16, 32, 48, 96 ports (1RU)
  • Nodegrid S Series: 16, 32, 48 ports
  • Nodegrid NSR: Up to 5 x 16-port RJ-45 Serial modules

Hardware
  • Intel X86, 64-bit CPU optimized for running VMs and automation tools
  • Dual-SIM 5G/4G/LTE, Wi-Fi, and V.02 modem for OOB/Failover

Automation
  • ZPE Cloud
  • Chef
  • Docker
  • Puppet
  • Python
  • Ruby
  • ShellScript
  • Node.js JavaScript
  • Red Hat Ansible
  • KVM Hypervisor

Automation for End Devices
  • ZPE Cloud
  • Chef
  • Docker
  • Puppet
  • Python
  • Ruby
  • ShellScript
  • Node.js JavaScript
  • Red Hat Ansible
  • KVM Hypervisor

Guest OS
  • VMs, Docker, Kubernetes, LXC

Power Management
  • Supports major power strips manufacturers
  • Power management integrated with serial session (escape sequence in the serial session or power buttons in web serial session)
  • Power control of VMs
  • Access rights for users & user groups

Hardware Security
  • TPM 2.0
  • Encrypted solid-state disk
  • UEFI BIOS with protection
  • Secure Boot (signed OS)
  • Geofencing

Form Factor
  • Nodegrid NSCP: Fixed 1RU
  • Nodegrid S Series: Fixed 1RU
  • Nodegrid NSR: Modular 1RU

The Nodegrid Gen 3 serial console solution is an Opengear alternative that serves as a direct replacement for the IM7200 while delivering enhanced automation capabilities and complete vendor freedom.

Watch a free Nodegrid demo to see a Gen 3 console server solution in action.

Opengear IM7200 migration SKUs:

Opengear IM7200 EOL SKU: IM7208-2-DAC, IM7208-2-DDC
  • In Scope Features: 8 Serial ports, OOB management
  • ZPE Replacement Product, Fixed Form Factor: ZPE-NSCP-T16R-STND-DAC, ZPE-NSC-T16S-STND-DAC, ZPE-NSCP-T16R-STND-DDC, ZPE-NSC-T16S-STND-DDC
  • ZPE Replacement Product, Modular Form Factor: ZPE-NSR-816-DAC with 1 x 16 port serial module (1 x ZPE-NSR-16SRL-EXPN), ZPE-NSR-816-DDC with 1 x 16 port serial module (1 x ZPE-NSR-16SRL-EXPN)

Opengear IM7200 EOL SKU: IM7216-2-DAC, IM7216-2-DDC
  • In Scope Features: 16 Serial ports, OOB management
  • ZPE Replacement Product, Fixed Form Factor: ZPE-NSCP-T16R-STND-DAC, ZPE-NSC-T16S-STND-DAC, ZPE-NSCP-T16R-STND-DDC, ZPE-NSC-T16S-STND-DDC
  • ZPE Replacement Product, Modular Form Factor: ZPE-NSR-816-DAC with 1 x 16 port serial module (1 x ZPE-NSR-16SRL-EXPN), ZPE-NSR-816-DDC with 1 x 16 port serial module (1 x ZPE-NSR-16SRL-EXPN)

Opengear IM7200 EOL SKU: IM7232-2-DAC, IM7232-2-DDC
  • In Scope Features: 32 Serial ports, OOB management
  • ZPE Replacement Product, Fixed Form Factor: ZPE-NSCP-T32R-STND-DAC, ZPE-NSC-T32S-STND-DAC, ZPE-NSCP-T32R-STND-DDC, ZPE-NSC-T32S-STND-DDC
  • ZPE Replacement Product, Modular Form Factor: ZPE-NSR-816-DAC with 2 x 16 port serial module (2 x ZPE-NSR-16SRL-EXPN), ZPE-NSR-816-DDC with 2 x 16 port serial module (2 x ZPE-NSR-16SRL-EXPN)

Opengear IM7200 EOL SKU: IM7248-2-DAC, IM7248-2-DDC
  • In Scope Features: 48 Serial ports, OOB management
  • ZPE Replacement Product, Fixed Form Factor: ZPE-NSCP-T48R-STND-DAC, ZPE-NSC-T48S-STND-DAC, ZPE-NSCP-T48R-STND-DDC, ZPE-NSC-T48S-STND-DDC
  • ZPE Replacement Product, Modular Form Factor: ZPE-NSR-816-DAC with 3 x 16 port serial module (3 x ZPE-NSR-16SRL-EXPN), ZPE-NSR-816-DDC with 3 x 16 port serial module (3 x ZPE-NSR-16SRL-EXPN)

Opengear IM7200 EOL SKU: 96 port not available in IM or OM series
  • In Scope Features: 96 Serial ports, OOB management
  • ZPE Replacement Product: ZPE-NSCP-T96R-STND-DAC, ZPE-NSCP-T96R-STND-DDC

Ready to replace your EOL Opengear IM7200 with a Gen 3 out-of-band serial console solution?

Call ZPE Systems today at 1-844-4ZPE-SYS for a special trade-in promotion.


99.999% Uptime for a Top-10 Engineering School

Providing low-level remote access and automation saves hundreds of hours per month for the university’s small IT team

One of the largest universities in the United States fosters academics and research for nearly 40,000 students, staff, and researchers. The university sits among the top 10 schools for engineering, and heavily integrates technology into all disciplines, including engineering, computer sciences, and agricultural studies.

The university received a grant to expand, update, and connect their network of campuses, while enhancing infrastructure and mobility, resiliency, and campus amenities. But having more than 200 on-campus buildings presents a challenge. The campus is home to academic facilities as well as a hospital, airport, 60,000-seat sports stadium, and dozens of leased spaces for local businesses. This makes the university equivalent to a small city, and its network infrastructure is what keeps it all connected.

Their small IT team was responsible for maintaining more than 10,000 management devices, most of which were long past EOL and frequently failing. They needed a refresh, but with a solution that could also reduce the hundreds of hours they spent every month on travel and on-site work. To maximize their day-to-day efficiency, they required a solution that could overcome these operational gaps:

  • Reducing the 100-150 hours of monthly travel time, by giving engineers the ability to fully access their stack remotely
  • Reducing the 80-120 hours of monthly on-site work required to maintain the 99.999% SLA, by automating manual jobs such as patching and firmware upgrades
  • Expanding their management headroom and use-case adaptability, by migrating to IPv6 and reducing the existing 6RU device stack

Download the full case study to see how ZPE’s Nodegrid hardware and software solved these problems.


Problems and Gaps

The university is one of the largest in the United States. It sits among the nation’s top 50 schools for research expenditures, and heavily integrates technology into all disciplines, including engineering. Its main campus is home to more than 200 buildings that sit on over 2,500 acres of land. The campus is essentially a small city, and the university’s network infrastructure keeps it all connected.

This network infrastructure, however, was well beyond EOL and in disrepair. But rather than simply upgrade to newer devices, the university’s small IT team wanted to improve the overall quality of life well into the future. This meant addressing three gaps:

  • Inefficient management at scale — Each engineer spent an average of ten hours per month on travel alone, just to traverse the campus’ wide footprint and get to each MDF/IDF closet.
  • Too much focus on ops — The aging infrastructure was on the brink of collapse and required each engineer to spend eight hours per month in on-site work, just to keep devices running.
  • Too many devices — The infrastructure includes roughly 10,000 devices to manage, which was exhausting IP addresses on their limited IPv4 network, and the devices were too rigid to fit in tight spaces, like their remote farm closets and research labs.

Solution

The university deployed the full lineup of Nodegrid devices, including the Nodegrid Serial Console, Nodegrid Services Routers, and Nodegrid Manager. These allowed them to overcome all three gaps using remote management, automation, and consolidated functionality, to save engineers hundreds of hours every month. Download the full case study to see the complete solution and benefits.

Need Help Replacing End-of-Life Gear?

Check out our complete products and services package to make your EOL transition seamless. Choose from a variety of Synopsys-validated devices, get a generous trade-in discount, and let our engineers install and configure into your environment. Click below to explore this offer and more customer case studies.

Network Automation Cost Savings Calculator

Many organizations feel continuous financial pressure to cut costs and streamline operations due to economic factors like the ongoing threat of a recession and global supply chain interruptions. Network automation can help companies across all industries save money during lean financial times. A recent Cisco and ACG Research study found that network automation can reduce OPEX by 55% by streamlining workflows such as device provisioning and service ticket management. Though they aren’t mentioned in the study, additional savings are generated by using automation to avoid outages and accelerate recovery efforts.

This post discusses how to save money through automation and provides a network automation cost savings calculator for a more customized estimate of your potential ROI.

 


How network automation provides cost savings

Network automation reduces costs by streamlining operations, preventing outages, and aiding in backup and recovery workflows.

Network automation saves money by solving problems

Problem: High OPEX

Solution: Automation tackles repetitive tasks like new installs and ticketing operations, which helps you generate revenue sooner and reduce the time and resources spent on maintaining operations.

Problem: Too many outages

Solution: Automation allows teams to be proactive by leveraging critical data to identify potential problems before they cause outages, freeing them from the typical break/fix approach.

Problem: Slow recovery

Solution: Automation speeds up processes like backups, snapshotting, and device re-imaging, which makes networks more resilient by accelerating recovery from outages and ransomware.

Reduces OPEX

The focus of the Cisco/ACG study was the economic benefits of streamlining network operations through automation. For example, the OPEX (operational expenditure) involved in spinning up a new branch is too high because deployments require so much work, time, and staff. Using automation to provision and deploy new resources can significantly reduce the time it takes to spin up a new branch, which means the site could start generating revenue much sooner. Using automation to monitor device health and environmental conditions could extend the life expectancy of critical (and expensive) equipment while reducing the number of on-site staff needed to maintain that equipment.

Network automation reduces OPEX by increasing the efficiency of repetitive or tedious tasks like new installs, incident management, and device monitoring. Crucially, automation does so without reducing the quality of service for end users, and it often improves the speed, reliability, and overall experience.

Prevents outages

Network downtime is an expense that cash-strapped businesses can’t afford to bear. According to a recent ITIC survey, a single hour of downtime costs most organizations (91%) over $300,000 in lost business, with 44% of enterprises reporting outage costs exceeding $1 million. However, preventing downtime is difficult when most network teams are caught in a reactive break/fix cycle because they lack the staffing, resources, and technology required to maintain visibility and identify issues before they occur.

Network automation solves this problem using advanced machine learning algorithms to analyze monitoring data and identify potential issues before they cause outages. For example, AIOps (artificial intelligence for IT operations) solutions provide real-time analysis of infrastructure, network, and security logs. AIOps is adept at recognizing patterns and detecting anomalies in data so that it can identify issues before they affect the performance or reliability of the network.

Accelerates recovery

While network automation helps to reduce downtime, it can’t eliminate outages altogether. When outages do occur, recovery is often a long, drawn-out process involving a lot of manual work, during which time revenue and customer faith may be lost. Network resilience is the ability to quickly recover from ransomware, equipment failures, and other causes of downtime with as little impact as possible on end users and business revenue. Automation speeds up recovery efforts in a few critical ways:

  • Streamlined backups – Automation makes performing regular backups and snapshots easier, reducing the risk of gaps or inaccuracies.
  • Reduced imaging delays – Automatic provisioning ensures that clean systems are spun up quickly so that business can resume as soon as possible.
  • Faster failover – Automatic network failover and routing technologies can reroute traffic around downed nodes before a human admin has time to respond, providing a more seamless end-user experience.

Network automation is a direct source of cost savings because it reduces OPEX without negatively impacting the business or customer experience. Automation also indirectly saves money by helping organizations avoid outages through proactive monitoring and maintenance. In addition, network automation technologies make businesses more resilient by speeding up recovery efforts when breaches and failures do occur.

Network automation cost savings calculator

ZPE Systems provides network and infrastructure automation solutions for any use case, pain point, or technological need. ZPE’s vendor-neutral platform allows you to extend automation to every device on your network, including legacy and mixed-vendor solutions, so that you can achieve true end-to-end automation (a.k.a. hyperautomation). For a customized estimation of how much money you can save by automating your network operations with ZPE Systems, check out our network automation cost savings calculator.

Ready to Learn More?

For help with the network automation cost savings calculator or to learn more about automating your network operations, contact ZPE Systems today.


Best Intel NUC Alternatives


Service providers often struggle with the hybrid nature of their business. Even as they transition more towards a consumable service-based model that’s decoupled from traditional hardware solutions, there’s still a need for some sort of box to be deployed physically at a customer’s premises. Providers frequently rely on COTS (Commercial Off-The-Shelf) hardware to reduce costs and simplify the deployment process.

One commonly used COTS device is the Intel NUC, or “Next Unit of Computing,” which is a small appliance-like mini computer. Some service providers utilize Intel NUC devices as jump boxes, while others use them as a platform to deploy their services on-site. While these mini-computers are relatively inexpensive and easy to install, they create added security risks and management headaches that service providers need to be aware of.

This post highlights the challenges and security risks involved in relying on Intel NUC devices before discussing enterprise-grade Intel NUC alternatives that solve these problems.


 

Why is Intel NUC so popular in IT infrastructure?

Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) often use Intel NUC jump boxes to remotely access the control plane of critical client infrastructure. These mini PCs typically run bare-bones software to reduce licensing costs, which means they are unpatched, unmonitored, and unsecured. This lack of oversight and management makes Intel NUCs popular access points for hackers to breach client networks.

Why consider Intel NUC alternatives?

Service providers like to use Intel NUC boxes because they’re cheaper, faster to install, and take up less space than a full PC or server. NUCs are often deployed without antivirus, monitoring agents, or other security software installed, which excludes them from the service provider’s security coverage. Plus, clients are frequently unaware that these devices are in their racks accessing their infrastructure, so they don’t assess them in security and compliance audits. Other Intel NUC challenges include:

  • Lack of centralized management – Each Intel NUC is an island that’s managed and accessed individually, which makes it impossible to efficiently deploy updates, install new tools, or monitor for problems.
  • Insecure, unpatched OS – Operating systems and software contain thousands of potential vulnerabilities that hackers can exploit, so a lack of monitoring and patch management creates a huge security risk.
  • No hardware security – Intel NUC boxes lack any hardware security, which means someone could steal the device and use it to deploy malware or access client resources – or even just pawn the hardware.
  • Regulatory issues – When providers use unmanaged jump boxes to access client infrastructure, they expose their customers to potential noncompliance with privacy laws like HIPAA that require strict data access controls.
  • Affects insurance eligibility – Using an unsecured Intel NUC may also disqualify customers from receiving cybersecurity insurance benefits in the event of a successful breach.

While Intel NUCs are a quick and inexpensive way for MSPs, MSSPs, and other service providers to remotely access client infrastructure, they also make it easier for cybercriminals to breach enterprise networks. To reduce the attack surface without increasing the cost, hassle, or footprint of deploying jump boxes, you need an enterprise-grade solution that combines networking functions, security, and remote out-of-band access to the control plane to eliminate the need for a separate device.

Intel NUC alternatives from ZPE Systems

The Nodegrid product line from ZPE Systems simplifies the tech stack in data centers and network closets with all-in-one infrastructure management solutions. Nodegrid devices roll up gateway routing, switching, Wi-Fi, and 5G/4G/LTE out-of-band management to cut down on the number of boxes in the rack. They’re also enterprise solutions, which means they can be onboarded with your security team and covered by your monitoring, intrusion detection, antivirus, and other security controls.

In addition, all Nodegrid boxes are protected by hardware security features such as BIOS protection, self-encrypted disk (SED), UEFI Secure Boot, and Signed OS. Plus, Nodegrid’s hardware and software are completely vendor-neutral, allowing easy integrations with third-party security solutions and SAML 2.0 authentication. Nodegrid can even directly host other vendors’ security software to further reduce your tech stack.

Key Nodegrid features

All Nodegrid Devices Include:

Key features

  • Strong out-of-band management integration
  • Extensible applications with virtualization and containers
  • Zero Touch Provisioning (ZTP) over the WAN
  • Vendor-neutral, unified management via ZPE Cloud/Nodegrid Manager
  • Modern x86-64bit Linux Kernel
  • Extended automation based on actionable data
  • Failover to 4G/5G/LTE & Wi-Fi
  • Power control and monitoring
  • Orchestration support via Puppet, Chef, Ansible, RESTful

Security

  • BIOS protection
  • TPM 2.0
  • UEFI Secure Boot
  • Signed OS
  • Self-Encrypted Disk (SED)
  • Geofencing
  • X.509 SSH certificate support, 4096-bit encryption keys
  • Selectable cryptographic protocols for SSH and HTTPS (TLSv1.3)
  • Selectable cipher suite levels: high, medium, low, custom
  • SSL VPN (Client and Server)
  • IPSec, WireGuard, and strongSwan with support for multi-sites
  • Local, AD/LDAP, RADIUS, TACACS+, Kerberos authentication
  • SAML support via DUO, OKTA, Ping Identity
  • Local, backup-user authentication support
  • User-access lists per port
  • Group/role-based authorization: AD/LDAP, RADIUS, TACACS+
  • Fine-grained and role-based access control
  • Firewall – IP packet and security filtering, IP forwarding support
  • MD5 / SHA System Configuration Checksum™
  • System event syslog
  • Custom security settings
  • Strong password enforcement
  • Two-Factor Authentication with RSA and DUO

Networking

  • IPv4 / IPv6 Support
  • Embedded Layer 2 switching
  • VLAN
  • Layer 3 Routing
  • BGP
  • OSPF
  • RIP
  • QoS
  • DHCP (Client and Server)
  • RIPv1, RIPv2
  • VXLAN
  • DDNS
  • NTP

To learn more about the benefits of Nodegrid’s Intel NUC alternatives, contact ZPE Systems.

Nodegrid product comparison

The Nodegrid family of network edge routers delivers secure, Gen 3 OOB management for reliable remote access to distributed customer sites like branch offices or manufacturing centers.

Nodegrid Service Delivery Platform Family

| | Link SR | Bold SR | Hive SR | Gate SR | Net SR | Mini SR |
|---|---|---|---|---|---|---|
| CPU | X86-64bit Intel | X86-64bit Intel | X86-64bit Intel | X86-64bit Intel | X86-64bit Intel | X86-64bit Intel |
| Cores | 2 | 4 or 8 | 4 or 8 | 2, 4 or 8 | 2, 4, 8 or 16 | 4 |
| Guest VM | 1 | 1 | 1-2 | 1-3 | 1-6 | 1 |
| Guest Docker | 2+ | 2+ | 2+ | 2+ | 2+ | 2+ |
| Storage | 16GB – 128GB | 32GB – 128GB | 16GB – 128GB | 32GB – 128GB | 32GB – 128GB | 14GB SED |
| Wi-Fi | Yes | Yes | Yes | Yes | Yes | Yes |
| Cellular modem | 1 | 1-2 | 1-2 | 1-2 | 1-6 | 1 |
| Sim slots | 2 | 4 | 4 | 4 | 12 | 1 |
| Serial Console Switch | 1 | 8 | Via USB | 8 | 16-80 | Via USB |

Additional Storage: Up to 4TB; Up to 4TB; Up to 4TB; Up to 4TB; Up to 4TB

5G: Yes; Dual 5G; Dual 5G; 6x 5G

Network: 1x Gb ETH 1x SFP; 5x Gb ETH; 2x GbE ETH 2x 10 Gbps; 4x 10/100/1000/2.5 Gbps RJ-45; 2x SFP 5x Gb ETH; 4x 1Gb ETH PoE+; 2x 1Gb ETH 2x SFP+ Multiple expansion cards; 2x 1Gb ETH


The Nodegrid family of Intel NUC alternatives from ZPE Systems can help MSPs and MSSPs ensure secure, reliable remote management access to customer infrastructure without increasing costs.

Ready for a Demo?

To see one of ZPE’s Intel NUC alternatives in action, request a free Nodegrid demo!