Providing Out-of-Band Connectivity to Mission-Critical IT Resources

Terminal Servers: Uses, Benefits, and Examples

Terminal servers are network management devices providing remote access to and control over remote infrastructure. They typically connect to infrastructure devices via serial ports (hence their alternate names, serial consoles, console servers, serial console routers, or serial switches). IT teams use terminal servers to consolidate remote device management and create an out-of-band (OOB) control plane for remote network infrastructure. Terminal servers offer several benefits over other remote management solutions, such as better performance, resilience, and security. This guide answers all your questions about terminal servers, discussing their uses and benefits before describing what to look for in the best terminal server solution.

What is a terminal server?

A terminal server is a networking device used to manage other equipment. It directly connects to servers, switches, routers, and other equipment using management ports, which are typically (but not always) serial ports. Network administrators remotely access the terminal server and use it to manage all connected devices in the data center rack or branch where it’s installed.

What are the uses for terminal servers?

Network teams use terminal servers for two primary functions: remote infrastructure management consolidation and out-of-band management.

  1. Terminal servers unify management for all connected devices, so administrators don’t need to log in to each separate solution individually. Terminal servers save significant time and effort, which reduces the risk of fatigue and human error that could take down the network.
  2. Terminal servers provide remote out-of-band (OOB) management, creating a separate, isolated network dedicated to infrastructure management and troubleshooting. OOB allows administrators to troubleshoot and recover remote infrastructure during equipment failures, network outages, and ransomware attacks.

Learn more about using OOB terminal servers to recover from ransomware attacks by reading How to Build an Isolated Recovery Environment (IRE).

What are the benefits of terminal servers?

There are other ways to gain remote OOB management access to remote infrastructure, such as using Intel NUC jump boxes. Despite this, terminal servers are the better option for OOB management because they offer benefits including:

The benefits of terminal servers

Centralized management

Even with a jump box, administrators typically must access the CLI of each infrastructure solution individually. Each jump box is also separately managed and accessed. A terminal server provides a single management platform to access and control all connected devices. That management platform works across all terminal servers from the same vendor, allowing teams to monitor and manage infrastructure across all remote sites from a single portal.

Remote recovery

When a jump box crashes or loses network access, there’s usually no way to recover it remotely, necessitating costly and time-consuming truck rolls before diagnostics can even begin. Terminal servers use OOB connection options like 5G/4G LTE to ensure continuous access to remote infrastructure even during major network outages. Out-of-band management gives remote teams a lifeline to troubleshoot, rebuild, and recover infrastructure fast.

Improved performance

Network and infrastructure management workflows can use a lot of bandwidth, especially when organizations use automation tools and orchestration platforms, potentially impacting end-user performance. Terminal servers create a dedicated OOB control plane where teams can execute as many resource-intensive automation workflows as needed without taking bandwidth away from production applications and users.

Stronger security

Jump boxes often lack the security features and oversight of other enterprise network resources, which makes them vulnerable to exploitation by malicious actors. Terminal servers are secured by onboard hardware Roots of Trust (e.g., TPM), receive patches from the vendor like other enterprise-grade solutions, and can be onboarded with cybersecurity monitoring tools and Zero Trust security policies to defend the management network.

Examples of terminal servers

Examples of popular terminal server solutions include the Opengear CM8100, the Avocent ACS8000, and the Nodegrid Serial Console Plus. The Opengear and Avocent solutions are second-generation, or Gen 2, terminal servers, which means they provide some automation support but suffer from vendor lock-in. The Nodegrid solution is the only Gen 3 terminal server, offering unlimited integration support for 3rd-party automation, security, SD-WAN, and more.

What to look for in the best terminal server

Terminal servers have evolved, so there is a wide range of options with varying capabilities and features. Some key characteristics of the best terminal server include:

  • 5G/4G LTE and Wi-Fi options for out-of-band access and network failover
  • Support for legacy devices without costly adapters or complicated configuration tweaks
  • Advanced authentication support, including two-factor authentication (2FA) and SAML 2.0
  • Robust onboard hardware security features like a self-encrypted SSD and UEFI Secure Boot
  • An open, Linux-based OS that supports Guest OS and Docker containers for third-party software
  • Support for zero-touch provisioning (ZTP), custom scripts, and third-party automation tools
  • A vendor-neutral, centralized management and orchestration platform for all connected solutions

These characteristics give organizations greater resilience, enabling them to continue operating and providing services in a degraded fashion while recovering from outages and ransomware. In addition, vendor-neutral support for legacy devices and third-party automation enables companies to scale their operations efficiently without costly upgrades.

Why choose Nodegrid terminal servers?

Only one terminal server provides all the features listed above on a completely vendor-neutral platform – the Nodegrid solution from ZPE Systems.

The Nodegrid S Series terminal server uses auto-sensing ports to discover legacy and mixed-vendor infrastructure solutions and bring them under one unified management umbrella.

The Nodegrid Serial Console Plus (NSCP) is the first terminal server to offer 96 management ports on a 1U rack-mounted device (Patent No. 9,905,980).

ZPE also offers integrated branch/edge services routers with terminal server functionality, so you can consolidate your infrastructure while extending your capabilities.

All Nodegrid devices offer a variety of OOB and failover options to ensure maximum speed and reliability. They’re protected by comprehensive onboard security features like TPM 2.0, self-encrypted disk (SED), BIOS protection, Signed OS, and geofencing to keep malicious actors off the management network. They also run the open, Linux-based Nodegrid OS, supporting Guest OS and Docker containers so you can host third-party applications for automation, security, AIOps, and more. Nodegrid extends automation, security, and control to all the legacy and mixed-vendor devices on your network and unifies them with a centralized, vendor-neutral management platform for ultimate scalability, resilience, and efficiency.

Want to learn more about Nodegrid terminal servers?

ZPE Systems offers terminal server solutions for data center, branch, and edge deployments. Schedule a free demo to see Nodegrid terminal servers in action.


Best Network Performance Monitoring Tools

Network performance monitoring tools provide visibility into the health and efficiency of networks and their underlying infrastructure of devices and software. Some platforms focus entirely on collecting and analyzing logs from various sources on the network, while others provide additional management capabilities that let you control, change, and troubleshoot network infrastructure. Choosing the right solution requires a thoughtful consideration of factors such as the cost, scalability, and interoperability of the software, as well as your team’s experience and abilities. This guide compares three of the best network performance monitoring tools by analyzing these critical factors before providing advice on the most scalable and cost-effective way to deploy your solutions.

Comparing best network performance monitoring tools

Platform / Key Features

SolarWinds Network Performance Monitor (NPM)

  • Network device, performance, and fault monitoring
  • Deep packet inspection and analysis
  • LAN and WAN monitoring
  • Automatic network discovery, mapping, and monitoring
  • Network availability monitoring
  • Network diagnostics
  • Network path analysis
  • Network performance testing
  • SNMP monitoring
  • Wi-Fi analysis

Kentik

  • Network telemetry dashboards
  • Multi-vendor network monitoring
  • Cloud, edge, and hybrid cloud monitoring
  • SaaS application performance & uptime monitoring
  • Intelligent automated alerts
  • SNMP, traffic flow, VPC, host agent, and synthetic monitoring
  • Multi-cloud performance monitoring
  • Kubernetes workload monitoring
  • SD-WAN monitoring
  • Network security monitoring
  • Network map visualizations
  • QoE monitoring

ThousandEyes

  • Network availability and performance testing
  • WAN performance monitoring
  • Cisco SD-WAN monitoring and optimization
  • Browser session monitoring
  • Network path visibility
  • User Wi-Fi connectivity monitoring
  • VPN mapping and monitoring
  • Cross-layer data visualizations

Disclaimer: This comparison was written by a 3rd party in collaboration with ZPE Systems using data gathered from publicly available data sheets and admin guides, as of 10/20/2023. Please email us if you have corrections or edits, or want to review additional attributes: Matrix@zpesystems.com

SolarWinds Network Performance Monitor (NPM)

The Network Performance Monitor (NPM) is part of the SolarWinds Orion platform of integrated products. This mature and richly featured monitoring software is delivered as a cloud-based service and can observe SaaS (software as a service), cloud, hybrid cloud, and on-premises infrastructure. With advanced features like deep packet inspection (DPI), WAN optimization monitoring, automatic network mapping, and automated diagnostic tools, SolarWinds NPM is meant to be a complete, enterprise-grade observability solution. As part of the Orion platform, it’s also extensible with other products from the SolarWinds ecosystem, such as the Network Configuration Manager. As an enterprise solution, SolarWinds NPM comes with a high price tag that grows even larger as additional monitoring agents are added, limiting scalability. Another important factor to consider is that SolarWinds recently suffered a high-profile hack that compromised thousands of customers, so there are security risks involved in trusting the Orion supply chain. Additionally, despite a large library of integrations, SolarWinds is a closed ecosystem that doesn’t work well with 3rd-party tools or custom scripts.

Pros

  • Supports SaaS, cloud, and on-premises networks
  • Includes advanced monitoring features like DPI
  • Part of a large ecosystem of observability and management solutions

Cons

  • Pricing is expensive and limits scalability
  • Recently suffered a high-profile breach that impacted thousands of customers
  • Closed ecosystem may not support your 3rd-party tools

Kentik

Kentik is an end-to-end network observability platform for cloud, multi-cloud, hybrid cloud, SaaS, and data center infrastructure. In addition to network performance monitoring, the platform includes monitoring solutions for SaaS application performance and SD-WAN performance. Other observability features include SaaS uptime monitoring, AI-driven insights and alerts, network security monitoring, and QoE (Quality of Experience) monitoring. Kentik also recently launched a Kubernetes network monitoring solution called Kentik Kube that provides end-to-end cluster visibility. Overall, Kentik is a powerful network observability platform that includes many of its most innovative features in its “Essentials” and “Pro” pricing packages, providing a lot of bang for your buck. The downside is that you can’t subscribe to features individually and must purchase a whole package, meaning you could end up paying for features you don’t need. Because Kentik is not a large vendor, its customer service may be slow to respond in some cases. Additionally, although Kentik does have a large library of integrations, it is not a vendor-neutral platform.

Pros

  • Supports cloud, multi-cloud, hybrid cloud, SaaS, and data center infrastructure
  • Includes many advanced features and solutions at no additional cost
  • Provides AI-driven network insights and intelligent alerts

Cons

  • Products aren’t available a la carte
  • Customer service and technical support can be slow to respond
  • Isn’t entirely vendor-neutral

ThousandEyes

ThousandEyes is a digital experience monitoring platform primarily focused on network and application synthetic testing, end-user performance monitoring, and ISP Internet monitoring for SaaS, cloud, and on-premises networks. Additionally, ThousandEyes is part of the Cisco family and can be used to monitor and optimize Cisco SD-WAN architectures. Across its family of observability products, ThousandEyes includes features like wireless network visibility, SaaS performance visualizations, cloud application outage detection, and SD-WAN performance forecasting. The major advantage of the ThousandEyes platform is that it provides true end-to-end visibility of the entire service delivery chain, including end-user device performance and third-party provider availability. One downside is the endpoint agent-based monitoring solution requires on-premises VMs to run, which can be cumbersome to maintain and limits scalability. The pricing is expensive compared to similar solutions, and you may have to combine products to get all the features you need. Additionally, ThousandEyes is not a vendor-neutral platform and has a relatively small library of integrations.

Pros

  • Supports SaaS, cloud, and on-premises networks
  • Works with Cisco DNA software for SD-WAN monitoring
  • Provides end-to-end visibility of the entire service delivery chain

Cons

  • Agent-based monitoring requires on-premises VMs, limiting scalability
  • Pricing is expensive compared to similar solutions
  • Limited integrations, preventing interoperability

Conclusion

Each of the solutions on this list has advantages that make it well-suited to certain environments, as well as limitations to consider. SolarWinds NPM is part of a large ecosystem of observability and management solutions that includes advanced features like DPI, but it’s suffering from a major security incident and has a closed ecosystem. Kentik packs a lot of innovative, AI-driven monitoring capabilities into its platform offerings, but its pricing tiers are inflexible, and it doesn’t have the large, enterprise-grade support team of its larger competitors. ThousandEyes provides end-to-end visibility of the entire service delivery chain and works seamlessly with Cisco DNA software, but it has a steep learning curve and a limited library of integrations.

How to run the best network performance monitoring tools

Most network performance monitoring tools – even cloud-based SaaS offerings – communicate with endpoint agents using software deployed on VMs (virtual machines) running on-premises in each business location. Running these VMs on fully provisioned servers or PCs is expensive, but deploying them on NUCs is highly insecure, especially as organizations scale out with distributed branches and edge computing sites. What’s needed is a consolidated hardware solution that combines critical branch, edge, and data center networking functionality with vendor-neutral VM and application hosting, such as the Nodegrid platform from ZPE Systems. Nodegrid’s serial switches and network edge routers run the open, Linux-based Nodegrid OS, which can host your choice of third-party software – including Docker containers – for network performance monitoring, SD-WAN, security, automation, and more. Nodegrid’s versatile, modular hardware solutions also provide out-of-band (OOB) management access to critical remote infrastructure and monitoring solutions, giving teams a lifeline to recover from outages and ransomware attacks. Nodegrid uses innovative, enterprise-grade security features like Secure Boot, self-encrypted disk, and two-factor authentication (2FA), and its onboard software is frequently patched for vulnerabilities to defend against a breach. Deploying Nodegrid at each business site consolidates your network to reduce hardware overhead, streamlining management and enabling easy scalability.

Deploy the best network performance monitoring tools with Nodegrid

Reach out to ZPE Systems to see a demo of how the best network performance monitoring tools run on the Nodegrid platform.

Breaking Down the 2023 Ragnar Locker Cyberattacks

This article was written by James Cabe, CISSP, a 30-year cybersecurity expert who’s helped major companies including Microsoft and Fortinet.

Throughout 2023, several organizations were successfully hit by Ragnar Locker cyberattacks. The affected victims spanned the globe and were forced to shut down much of their critical operations, while the attackers demanded tens of millions of dollars in ransom payments. Despite the group being taken down by law enforcement in October, organizations are re-evaluating their defensive measures — and more importantly, their recovery strategies — to combat these attacks.

If you read my previous articles about the ongoing MOVEit breach and the ransomware that hit MGM, you probably know that isolation is key. It helps you fight through attacks by cutting the kill chain, so that you can restore services quickly without reinfection.

Who Carries Out Ragnar Locker Cyberattacks?

Recent Ragnar Locker cyberattacks were carried out by the Dark Angels Team cybercriminal group. Dark Angels Team’s modus operandi is to breach a company’s defenses, spread laterally, and steal data that can be used to extort the target company. The approach they take involves gaining access to the Windows domain controller, where they deploy ransomware. They encrypt devices using Windows and ESXi encryptors, which gives organizations little recourse aside from taking their critical systems offline in order to stop the spread.

Image: Dark Angels banner

How Do Ragnar Locker Cyberattacks Start?

Ragnar Locker breaches, like all ransomware attacks, require a kill chain that must first be initiated. MITRE ATT&CK defines this as the ‘initial,’ and in these attacks, the initial comes from social engineering. Email stuffing is often the tactic of choice, whereby the attacker sends an email that appears to have a trail of replies or forwards (see the example below). Email trails like this trick spam filters and land directly in the target’s inbox. When an employee clicks a malicious link inside the email, the attack kicks off.

Image: Email stuffing is used by marketers and threat actors alike to bypass spam filters.
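As an added example, not part of the original article, the check below applies a defender-side heuristic to the pattern just described: a message whose subject claims to be a reply or forward and whose body embeds a quoted trail of earlier messages, yet which carries none of the threading headers (In-Reply-To, References) that a mail client adds when it really replies. Both sample messages are constructed, and the one-quoted-message threshold is an assumption to tune against your own mail flow.

```python
"""Heuristic for 'stuffed' e-mails: a subject that claims to be a reply or
forward, a body that embeds a quoted trail of earlier messages, yet none of the
threading headers (In-Reply-To, References) a real reply carries.
Added example; both sample messages are constructed, not taken from an incident."""
import email
import re
from email import policy

# Constructed: looks like the third message in a thread, but nothing in the
# headers links it to any earlier message.
STUFFED = """\
From: accounts@example-supplier.invalid
To: ap@example-corp.invalid
Subject: RE: RE: FW: Invoice 4471 - updated remittance details
Date: Mon, 06 Feb 2023 09:12:00 +0000
Message-ID: <a1@example-supplier.invalid>

Hi, please see the thread below and confirm the new bank details.

From: finance@example-corp.invalid
Sent: Friday, February 3, 2023 4:10 PM
Subject: RE: FW: Invoice 4471
Looks fine, go ahead.

From: accounts@example-supplier.invalid
Sent: Thursday, February 2, 2023 11:02 AM
Subject: FW: Invoice 4471
Forwarding the invoice for approval.
"""

# Constructed: a genuine reply with the same subject shape, but it references
# the parent message the way mail clients do.
GENUINE = """\
From: finance@example-corp.invalid
To: ap@example-corp.invalid
Subject: RE: Invoice 4471
Date: Fri, 03 Feb 2023 16:10:00 +0000
Message-ID: <b2@example-corp.invalid>
In-Reply-To: <a0@example-supplier.invalid>
References: <a0@example-supplier.invalid>

Looks fine, go ahead.

From: accounts@example-supplier.invalid
Sent: Thursday, February 2, 2023 11:02 AM
Subject: Invoice 4471
Please approve.
"""

REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:", re.IGNORECASE)
# A "From:" at the start of a body line marks one quoted earlier message.
QUOTED_FROM = re.compile(r"^From:\s", re.MULTILINE)


def stuffing_indicators(raw: str) -> dict:
    """Return the individual signals plus an overall verdict for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    claims_reply = bool(REPLY_PREFIX.match(subject))
    has_threading = bool(msg.get("In-Reply-To") or msg.get("References"))
    quoted = len(QUOTED_FROM.findall(text))
    return {
        "claims_reply": claims_reply,
        "has_threading_headers": has_threading,
        "quoted_messages": quoted,
        # Assumed threshold: a claimed reply with a quoted trail but no threading
        # headers is enough to route the mail for closer inspection.
        "suspicious": claims_reply and not has_threading and quoted >= 1,
    }


if __name__ == "__main__":
    for label, raw in (("stuffed", STUFFED), ("genuine", GENUINE)):
        print(label, stuffing_indicators(raw))
```

The signal is deliberately narrow: it does not try to judge the content of the quoted trail, only whether the message's own headers are consistent with the history it claims to have. In a gateway this would be one score among several, not a blocking rule on its own.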

How Do Companies Discover Ragnar Locker Cyberattacks?

After the Ragnar Locker cyberattack kicks off, the bad link uses Java to load the locker ransomware, then a series of batch scripts installs a payload consisting of virtual box emulation software. This emulation software takes over and encrypts the host, and displays the ransomware message (see image below).

Image: A Ragnar Locker ransomware message showing on encrypted devices.

How Do Ragnar Locker Cyberattacks Spread?

The attack spreads by gaining access to Windows domain controllers and then attacking the management interfaces of the VMware ESXi machines. Most organizations don’t properly segment or isolate these management interfaces. This makes them especially vulnerable even to older Babuk ransomware source code that is an ESXi encryptor. Basically, the attackers only need to gain access to the management network, and then they can attack the production network.

From Intel471: “VMware’s ESXi is called a ‘bare metal’ hypervisor because the underlying hardware on which it is installed doesn’t need an operating system. ESXi allows the hardware to be utilized for multiple virtual machines (VMs), which saves on hardware costs. ESXi is a fruitful target for attackers since it may be connected to several VMs and the storage for them. Security experts warn ransomware actors have built specific binaries to target these systems. Groups joining this trend include HelloKitty, Black Basta, Cheerscrypt and GwisinLocker.”

They continue, “Over the last few years, several vulnerabilities have been identified in ESXi, including CVE-2021-21974. The vulnerability is a heap overflow vulnerability within Open Service Location Protocol (OpenSLP), which is a network discovery tool. The vulnerability is remotely exploitable over port 427, and has a Common Vulnerability Scoring System Version 3.0 (CVSSv3) base score of 8.8. It’s suspected that it may be the vulnerability exploited in this attack. VMware said that “significantly out-of-date products” were targeted with vulnerabilities that had been addressed. It affects ESXi versions 7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG and 6.5 before ESXi650-202102101-SG. Due to other vulnerabilities in OpenSLP, VMware disabled OpenSLP starting in 2021 in ESXi versions 7.0 U2c and ESXi 8.0, which is the current version.”

Ultimately, these attacks exploit a combination of a lack of management-plane isolation for the VMware management interfaces, specifically on port 427 (OpenSLP), and a lack of patching and updating. Organizations also typically lack a backup authentication mechanism for the control plane, as well as Privileged Access Management, both of which are good fallback options.
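The two weaknesses named above (an exposed management interface with OpenSLP still listening, and hosts behind the fixed releases quoted from Intel471) can both be checked from an inventory. The script below is an added example, not part of the original article or any vendor tool: the inventory, the subnet layout and the field names (build, patch, slp_enabled) are constructed assumptions about how you collect the data, and 7.0 hosts are compared by the build number quoted above while 6.7 and 6.5 hosts are compared by the date-encoded component of the patch ids quoted above, which is an assumption about how those ids order.

```python
"""Audit an ESXi inventory for the two weaknesses discussed above: a management
interface (and OpenSLP on port 427) reachable from outside the management
network, and a build older than the fixed releases named in the quoted advisory.
Added example; the inventory and subnet layout are constructed, and the field
names (build, patch, slp_enabled) are assumptions about how you collect them."""
import ipaddress
from dataclasses import dataclass

# Fixed releases as quoted above. 7.0 is compared by build number; 6.7 and 6.5
# by the date-encoded part of the patch id (YYYYMMNNN), which orders as a string.
FIXED_BUILD_70 = 17325551
FIXED_PATCH = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}

# Constructed layout: only this subnet is the isolated management network.
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]


@dataclass
class EsxiHost:
    name: str
    version: str        # major.minor, e.g. "7.0"
    build: int          # release build number (0 if not collected)
    patch: str          # installed patch id, ESXi###-YYYYMMNNN form ("" if n/a)
    mgmt_ip: str        # address of the management interface (vmk0)
    slp_enabled: bool   # whether the slpd service is still running


def patch_key(patch: str) -> str:
    """'ESXi670-202102401-SG' -> '202102401'; the date part orders releases."""
    parts = patch.split("-")
    return parts[1] if len(parts) > 1 else ""


def needs_patch(h: EsxiHost) -> bool:
    """True when the host is older than the fixed release for its version line."""
    if h.version == "7.0":
        return h.build < FIXED_BUILD_70
    if h.version in FIXED_PATCH:
        return patch_key(h.patch) < patch_key(FIXED_PATCH[h.version])
    return True  # unknown line: flag it rather than silently pass it


def mgmt_exposed(h: EsxiHost) -> bool:
    """True when the management address is not inside any management subnet,
    i.e. production hosts reach it without crossing an isolation boundary."""
    ip = ipaddress.ip_address(h.mgmt_ip)
    return not any(ip in net for net in MGMT_NETS)


def audit(hosts: list) -> dict:
    """Map host name -> list of findings (an empty list means nothing to do)."""
    findings = {}
    for h in hosts:
        issues = []
        if needs_patch(h):
            issues.append("unpatched")
        if mgmt_exposed(h):
            issues.append("mgmt-on-production")
        if h.slp_enabled:
            issues.append("slp-enabled")   # port 427 should not be listening at all
        findings[h.name] = issues
    return findings


# Constructed inventory; builds and patch ids are illustrative values.
INVENTORY = [
    EsxiHost("esx-01", "7.0", 17325551, "", "10.99.0.11", False),
    EsxiHost("esx-02", "7.0", 17000000, "", "10.10.5.20", True),
    EsxiHost("esx-03", "6.7", 0, "ESXi670-202011001", "10.99.0.13", True),
    EsxiHost("esx-04", "6.5", 0, "ESXi650-202102101-SG", "10.99.0.14", False),
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

The three findings map onto the three controls the article argues for: move the management interface into the isolated management network, disable the service that exposes port 427, and bring the host to or past the fixed release. A host that is patched but still has its management interface on a production subnet is still flagged, because patching does not restore the isolation boundary.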

How Can Companies Stop Ragnar Locker Cyberattacks?

Ragnar Locker ransomware and other attacks are successful because companies don’t employ proper management plane isolation. Attackers can gain access to VMware management interfaces, and then they essentially have the keys to the kingdom. That’s it. No amount of defense can save you.

If you recall CISA’s binding operational directive, they call for an isolated management infrastructure. This is what we refer to as IMI. Rather than serving as a defense, like we think of traditional cybersecurity products, the IMI is an architecture that allows you to fight back. It’s your quick-reaction force, your cavalry, your secret weapon that ensures you always have a counterattack ready to deploy.

IMI is infrastructure that is dedicated — and most importantly, fully isolated from production assets — to ensuring operations can recover quickly from breaches and outages. Here’s a graphical breakdown:

Image: Isolated Management Infrastructure diagram

The IMI includes all of the tools you need for rerouting traffic, decommissioning affected gear, wiping/re-imaging devices, and restoring infrastructure. You can also incorporate automation to speed the process along and make recovery something that happens in minutes or hours at the most. Aside from being completely isolated from production assets, the IMI itself is also segmented and employs zero trust practices. This means that you and only you have access to your secret weapon for cutting the ransomware kill chain.

How Do You Use Isolated Management Infrastructure?

An IMI can host an IRE (Isolated Recovery Environment), which is used to cut off all user data and remote access (except for OOB) to an entire infected site. A properly implemented recovery environment should automate most of these activities to speed up the recovery. One of the first considerations is the requirement for a secondary organization in your IAM that is not attached to normal operations. This is what is known as a set of “Break the Glass” accounts. These are known in military circles but have made it into formal practice as part of a strong playbook for ransomware. Once you do this, you can instantiate selected Zero Trust remote access to the site using credentials that are not in the scope of the attack, and then bring up a communications channel for a virtual war room using software like Rocket Chat, Jitsi, Slack, or other standalone communications tools that are installable in the IRE.

Avoiding normal authentication methods or IAM and normal communication channels is required for the integrity of the recovery and strengthens the recovery playbook. During this time, no email may be used that is associated directly with the organization. Ideally, email should never touch an account that is associated with it either.

The next step is to create a new set of clean-side networks that do not connect directly to the main backbone, or to put the backbone behind another firewall so traffic can be triaged as good or bad. Using sniffer software running on the IRE, the recovery team can then run a passive scan or an active scanner against all machines that keep trying to send email to Exchange/M365. You can give access to people deemed good (not sending such traffic) but lock off (with an EDR) the ability to open Outlook for a while, keeping them on web email. From there, continue working through all the sending machines to see whether they have a good backup. If not, back up the infected drive for offline data retrieval later. Then re-image while scanning the UEFI BIOS during boot (if needed, run an IPMI scan). If the site has a list of assets that are considered crown jewels, prioritize these.

Once you have a segmented “clean side” established with all the network services required to operate the site (DNS, IAM, DHCP), Internet access can be restored to the site on a limited basis, meaning outbound communications only, nothing inbound. Restorative operations can continue apace, making sure that infected-side assets are captured in backups for later forensics, following chain of custody in case damages are found to exceed insurance limits. This is decided in the war room.
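The passive-scan step above, sorting machines into those still trying to reach Exchange/M365 and those that are quiet enough to be granted clean-side access first, can be run over the sniffer's or firewall's flow records. The script below is an added example, not part of the article or of any product: the flow lines, the mail server addresses, the host list and the three-attempt threshold are all constructed, and the key=value record layout is an assumed format that you would adapt to whatever your sniffer emits.

```python
"""Clean-side triage of flow records: which machines on the infected segment
keep trying to reach the mail servers (Exchange/M365), and which are quiet and
can be granted access first. Added example; the flow lines, addresses and
thresholds are constructed, and the log layout is an assumed key=value form."""
import re
from collections import Counter

# Constructed: the on-prem Exchange address plus a placeholder for the M365 edge.
MAIL_DESTINATIONS = {"10.20.1.5", "203.0.113.25"}
MAIL_PORTS = {25, 587, 443}

FLOW = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# Constructed flow records captured on the infected side.
SAMPLE_FLOWS = """\
2023-10-02T10:00:01Z src=10.20.0.15 dst=10.20.1.5 dport=25 action=deny
2023-10-02T10:00:02Z src=10.20.0.15 dst=10.20.1.5 dport=25 action=deny
2023-10-02T10:00:03Z src=10.20.0.15 dst=203.0.113.25 dport=587 action=deny
2023-10-02T10:00:04Z src=10.20.0.22 dst=10.20.1.5 dport=443 action=deny
2023-10-02T10:00:05Z src=10.20.0.31 dst=10.20.9.9 dport=53 action=allow
2023-10-02T10:00:06Z src=10.20.0.40 dst=10.20.1.5 dport=25 action=deny
2023-10-02T10:00:07Z src=10.20.0.40 dst=10.20.1.5 dport=25 action=deny
2023-10-02T10:00:08Z src=10.20.0.40 dst=10.20.1.5 dport=25 action=deny
2023-10-02T10:00:09Z src=10.20.0.40 dst=10.20.1.5 dport=25 action=deny
"""

# Constructed asset list for the site; hosts with no flows at all stay "clear".
SITE_HOSTS = ["10.20.0.15", "10.20.0.22", "10.20.0.31", "10.20.0.40", "10.20.0.50"]


def mail_attempts(lines) -> Counter:
    """Count, per source host, connection attempts toward the mail servers."""
    counts = Counter()
    for line in lines:
        m = FLOW.search(line)
        if not m:
            continue  # unparsable record: skip rather than guess
        if m["dst"] in MAIL_DESTINATIONS and int(m["dport"]) in MAIL_PORTS:
            counts[m["src"]] += 1
    return counts


def triage(lines, known_hosts, threshold: int = 3) -> dict:
    """Split known_hosts into 'clear' (no mail attempts), 'review' (a few) and
    'isolate' (repeated attempts at or above the assumed threshold)."""
    counts = mail_attempts(lines)
    result = {"clear": [], "review": [], "isolate": []}
    for host in sorted(known_hosts):
        n = counts.get(host, 0)
        if n == 0:
            result["clear"].append(host)
        elif n < threshold:
            result["review"].append(host)
        else:
            result["isolate"].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_FLOWS.splitlines(), SITE_HOSTS).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it against the records from the window since the site was cut off; the "clear" list is the candidate set for early clean-side access (still with Outlook locked by EDR, as described above), "isolate" is the re-image queue, and "review" is worth a second look before either.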

Download the Isolated Management Infrastructure Blueprint

Now is the time to lay the groundwork for your IMI so you can fight back against ransomware. Download the Network Automation Blueprint, which gives you a step-by-step guide to building your Isolated Management Infrastructure.

Get in touch with me!

True security can only be achieved through resilience, and that’s my mission. If you want help shoring up your defenses, building an IMI, and implementing a Resilience System, get in touch with me. Here are links to my social media accounts:

OOB Network Management Software Tools


Network management software tools enable administrators to provision, monitor, and maintain networks and network infrastructure without manually touching each individual device or service. We’ve previously covered the best network management software for both cloud-based and hardware-based networks. This post dives deeper into the hardware-based network management tools deployed in on-premises or private cloud environments via serial consoles (a.k.a. console servers, serial console servers, serial console routers, or serial switches).

These network management software tools provide out-of-band (OOB) management access to connected network infrastructure in data centers and remote sites. Serial consoles directly interface with network systems and devices, creating an isolated management network that doesn’t depend on the production LAN, WAN, or ISP. OOB management ensures continuous remote access even during major outages, so teams can troubleshoot and recover branch offices, edge computing sites, and other remote environments without costly truck rolls or managed service support. OOB console servers also unify management of all connected infrastructure, giving administrators a single platform to monitor, control, and automate the entire distributed network architecture.

Looking for a new out-of-band network management device? Read our guide:

Comparing the Best Out-of-Band Management Devices

We compare offerings from the four best OOB network management software tool providers and discuss the features, advantages, and disadvantages of each to help network teams make the best choice for their environment.

The best OOB network management software tools

Platform / Key Features

ZPE Systems Nodegrid Manager/ZPE Cloud

  • 5G/4G LTE, Wi-Fi, POTS, or fiber OOB and failover support
  • On-premises or cloud-based software options
  • Robust hardware and software security including 2FA and SAML 2.0
  • x86 CPU and Linux-based Nodegrid OS support Guest OS and Docker containers
  • Vendor-neutral software integrates with third-party tools like Ansible, Chef, Python, and Ruby
  • Extends ZTP and other automation to legacy and mixed-vendor infrastructure
  • OOB support over IPMI, ILO, DRAC, CIMC, vSerial, and KVM
  • Device auto-discovery via network scan and custom probes
  • Power management integrated with serial session
  • Supports full range of environmental monitoring sensors

Vertiv Avocent DSView

  • 4G LTE OOB and failover support
  • HTML5 KVM and Serial viewers
  • Telnet/PuTTY serial interfaces
  • Session log, report, and archive
  • Data Center Zone definitions
  • ZTP, SOAP API, Python, Perl, PDU, and UPS automation
  • Schedule and on-demand firmware management
  • Web secure 2048 SSL certificate
  • Two-factor authentication (2FA)

PerleVIEW

  • 4G LTE, Wi-Fi, POTS, or fiber OOB and failover support
  • Health monitoring and event handling
  • Integrates with SNMP NMS
  • Automated device discovery
  • Device CLI scripting
  • Configuration backup, firmware, and change management
  • Single sign-on for in-band connections
  • Device PING tool
  • Audit trail log

Opengear Lighthouse

  • 4G LTE or fiber for OOB and failover
  • x86 processor can run Guest OSes and automation
  • Supports over 100 power vendors’ equipment
  • Automatic port discovery
  • Lighthouse playbooks for streamlined automation
  • Integrated SAML and AAA authentication
  • Opengear NetOps modules support Bash, Docker, Perl, Python, and Ruby
  • SSH direct to consoles
  • Keystroke logging

Disclaimer: This comparison was written by a 3rd party in collaboration with ZPE Systems using data gathered from publicly available data sheets and admin guides, as of 10/13/2023. Please email us if you have corrections or edits, or want to review additional attributes: Matrix@zpesystems.com

ZPE Systems Nodegrid Manager/ZPE Cloud

ZPE Systems offers two network management software tools based on their Nodegrid line of serial consoles and integrated edge routers. Nodegrid Manager is on-premises software, and ZPE Cloud is a cloud-based tool, but both provide out-of-band management access to on-premises infrastructure in data centers, branches, private clouds, and other remote sites. Nodegrid hardware offers a variety of connectivity options for OOB, failover, and WAN, including Wi-Fi and 5G. Nodegrid also supports a full range of environmental monitoring sensors for greater control over conditions in remote deployments.

Nodegrid solutions are protected by robust hardware and software security features, including UEFI Secure Boot, an embedded firewall with selectable cryptographic protocols, and 2FA and SAML 2.0 authentication. The x86 CPU architecture and Linux-based OS support Guest OSes and Docker containers, so Nodegrid boxes can directly host third-party software for security, automation, and orchestration. Both Nodegrid Manager and ZPE Cloud are also completely vendor-neutral, supporting third-party automation scripts and tools including Red Hat Ansible, Chef, Python, Ruby, and more. Nodegrid can even extend ZTP and other automation to legacy infrastructure that otherwise wouldn’t support it.

Nodegrid’s open platform essentially makes it a customizable network management multi-tool that’s capable of consolidating many different software solutions and network services. The primary limitation to this vendor-neutrality is that some other providers may require the purchase of additional licenses to run their tools on the Nodegrid platform.

For a real-world example of Nodegrid’s ability to streamline network management, read our case study, Vapor IO: Re-architecting the Internet.

Pros

  • 5G/4G LTE, Wi-Fi, POTS, or fiber OOB and failover support
  • On-premises or cloud-based software options
  • Robust hardware and software security including 2FA and SAML 2.0
  • x86 CPU and Linux-based OS support Guest OS and Docker containers
  • Vendor-neutral software integrates with third-party tools like Ansible, Chef, Python, and Ruby
  • Extends ZTP and other automation to legacy and mixed-vendor infrastructure

Cons

  • Other vendors may require additional licenses to run VNFs and other tools on Nodegrid

Vertiv Avocent DSView

The DSView™ network management software works with Vertiv Avocent out-of-band serial consoles, the ACS 800 and ACS 8000, which use 4G LTE cellular for out-of-band management and failover. Like the other options on this list, DSView consolidates the management of connected network infrastructure in a single web-based platform. In addition to serial port control, this software also provides keyboard/video/mouse (KVM) and MIB-based (Management Information Base) controls. It also supports environmental monitoring via sensors, but ACS 8000 serial console servers only come with one sensor port – and the ACS 800 doesn’t have one at all.

DSView management software includes automation support for Zero Touch Provisioning (ZTP), SOAP API, Python, and Perl scripts, and automated PDU (power distribution unit) and UPS (uninterruptible power supply) management. It also provides console event logging and notifications, such as “dying gasp” alarms when systems unexpectedly lose power. However, the software is not extensible with third-party automation or orchestration integrations, and the ACS 800 and ACS 8000 serial console hardware solutions run on an ARM CPU architecture that can’t support VMs or Docker.

Pros

  • 4G LTE OOB and failover support
  • Environmental monitoring sensor support
  • ZTP, SOAP API, Python, Perl, PDU, and UPS automation
  • Serial, KVM, and MIB-based controls
  • FIPS 140-2 cryptography and 2FA security

Cons

  • No support for third-party automation or orchestration
  • Doesn’t run VMs or Docker containers
  • Serial console lacks an embedded firewall

PerleVIEW

PerleVIEW network management software tools are based on Perle’s IOLAN SCG & SCR OOB console servers. The platform includes automated device discovery, automatic event handling, device scripting, ZTP, and collection of device statistics and health statuses. Perle focuses on meeting the FCAPS network management framework created by the International Organization for Standardization (ISO). FCAPS stands for Fault management, Configuration, Administration, Performance management, and Security management, and PerleVIEW’s features target each of these areas. For example, fault management is streamlined through automated event handling with customizable alerts and SNMP probes.

However, the software does not support any third-party integrations, limiting its automation and security capabilities. Aside from automated device discovery and event handling, PerleVIEW doesn’t offer any automation for end devices. It also doesn’t support two-factor authentication (2FA), and only supports single sign-on (SSO) for in-band connections.

Pros

  • 4G LTE, Wi-Fi, POTS, or fiber OOB and failover support
  • Automated device discovery, event handling, health and device log collection, and device scripting
  • Integrates with SNMP NMS (network management station)
  • Follows FCAPS standards

Cons

  • Single sign-on for in-band connections only
  • No support for third-party automation or orchestration
  • Doesn’t run VMs or Docker containers
  • Lacks support for environmental monitoring sensors

Opengear Lighthouse

Lighthouse is a network management platform that works with Opengear console servers, such as the OM2200 Operations Manager and the CM8100. The base version of Lighthouse provides out-of-band management access, integrated SAML and AAA authentication, and integrations with third-party notification and alert systems. Lighthouse supports over 100 power vendors’ equipment to streamline PDU and UPS management, and the x86 processor can run Guest OSes and automation.

With additional licenses, Lighthouse software is extensible with Opengear NetOps modules that provide greater automation capabilities with support for Bash, Docker, Perl, Python, and Ruby. The upgraded Automation edition also includes ZTP for end devices and RESTful APIs. Beyond that, however, automation and orchestration abilities are limited because Lighthouse isn’t vendor-neutral, and Opengear has a limited ecosystem of integrations.

Pros

  • 4G LTE or fiber for OOB and failover
  • Integrated SAML and AAA authentication
  • Supports over 100 power vendors’ equipment
  • x86 processor can run Guest OSes and automation
  • Opengear NetOps modules and ZTP available for automation

Cons

  • Only upgraded Automation edition supports ZTP for end devices
  • NetOps modules require additional licenses
  • Limited integration ecosystem

Key takeaways

All four options on this list provide out-of-band (OOB) access to remote network infrastructure, giving teams a lifeline in case of production failures or outages. Vertiv Avocent’s DSView software provides some automation capabilities and environmental monitoring, but doesn’t support third-party automation, VMs, or Docker containers. PerleVIEW focuses on meeting FCAPS network management standards but has very limited automation and security capabilities. Opengear Lighthouse is extensible with NetOps modules and other automation features, but they require additional licenses or fees, and you’re limited to Opengear’s ecosystem of integrations.

ZPE Systems offers Nodegrid Manager as an on-premises application or ZPE Cloud as a cloud-based tool. Both options use vendor-neutral hardware and software to create an open platform you can customize with your favorite third-party apps and integrations. ZPE’s OOB network management software tools enable end-to-end automation over a highly secure and reliable out-of-band control plane for a more resilient network infrastructure.


Deploy the best OOB network management software tools with ZPE Systems

Reach out to ZPE to learn how to build a resilient network with Nodegrid OOB network management software tools. Contact Us

Living Spaces Furniture: Scaling to 50 sites with only 3 network staff

Collapsing the stack and centralizing management helps Living Spaces accelerate scaling across the U.S.

Blake Johnson – Living Spaces Furniture Network Architect

“We’ve quadrupled business, but Nodegrid is actually shrinking our workload, especially as we implement new automation. It’s a gamechanger for network folks. Period.” — Blake Johnson, Network Architect, Living Spaces Furniture

Living Spaces is a prominent furniture retailer in the United States. Their store locations include large showrooms, where customers can view furnishings for indoor and outdoor spaces, and plenty of warehouse space for storing on-hand inventory. These locations must serve customers with responsive shopping experiences, which depend on the network infrastructure.

Increasing demand helped Living Spaces grow out of its home state of California, into states including Arizona, Colorado, Oklahoma, Texas, and others. Their out-of-band infrastructure was crucial to spinning up new locations and maintaining operations. But they faced a significant problem: this infrastructure was incredibly complex and costly, requiring many dedicated cellular and out-of-band devices at each location. See why their three-person network team needed a solution that could:

  • Reduce costs and eliminate the need for $300,000 per year in SIM contracts
  • Reduce workloads and risks, by centralizing management and minimizing entry points
  • Accelerate deployments by allowing automation

ISP Network Architecture

An engineer installs fiber optic patch cables at a customer site that’s part of an ISP network architecture.
Internet service providers (ISPs) are the backbone of modern society, responsible for connecting businesses, services, and people to the Internet and to each other. ISP networks are vast, distributed, and complex, making them challenging to manage effectively. However, failing to do so has major consequences. For example, in July of 2022, Rogers Communications in Canada suffered a network system failure after a maintenance update, causing an outage that lasted more than 15 hours and took down emergency services and other critical infrastructure.

An ISP network architecture must be designed for resilience to prevent major incidents from occurring that affect consumers, communities, and the provider’s reputation. But significant challenges stand in the way, including a reliance on legacy infrastructure, and an inability to troubleshoot and recover failed gear remotely. This post discusses why these challenges exist and what ISPs can do to overcome them.

ISP network architecture challenges

Many ISP networks lack resilience because providers are failing to adapt to a rapidly changing landscape. With networks growing larger and more complex every day, new technologies like AI (artificial intelligence) and software-defined networking are needed to manage infrastructure efficiently and deliver innovative services. Additionally, providers get stuck in a break-fix cycle that leaves teams struggling to maintain service level agreements or focus on innovation. Let’s look at the causes of these challenges and discuss how to build more resilient ISP network architectures.

Legacy infrastructure creates technical debt and hampers growth

The challenge: Reliance on legacy systems creates technical debt and prevents ISPs from implementing new technologies.

The solution: Vendor-neutral platforms like Gen 3 serial consoles extend automation, software-defined networking, and other advanced technologies to legacy infrastructure until it can be replaced.

Internet service providers often have a network architecture that’s a mix of new and legacy infrastructure. However, engineers with the experience to support older solutions are no longer working in the field, either because they’ve been promoted to leadership positions or retired. When legacy hardware fails, inexperienced engineers need time to overcome this skills gap, and ISPs may even need to bring in consultants. This increases the cost of failures, creating what’s known as “technical debt” – when a solution is more expensive to support than the value it brings to the organization.

In addition, ISPs can improve network resilience and provide better service to customers by adopting new technologies like AI, 5G, software-defined networking (SDN), and Network as a Service (NaaS). But legacy hardware hampers the ability to adopt these technologies. For example, NaaS abstracts away the need for MPLS circuits and customer-premises gear, making architectures more cost-effective and improving the customer experience. NaaS brings SDN concepts like programmable networking and API-based operations to WAN & LAN services, hybrid cloud, Private Network Interconnect, and internet exchange points. It optimizes resource allocation by treating network and computing resources as a unified whole and attempts to automate as much as possible. The trouble is, ISPs struggle to implement NaaS and other beneficial new technologies because their legacy hardware simply can’t support them.

Solution: Legacy modernization with a vendor-neutral platform

The ideal solution is to replace legacy infrastructure with modern hardware and software that supports the latest technologies. But for many ISPs, an overhaul like this is too costly and intensive. The next-best option is to bridge the gap with a vendor-neutral network modernization platform that extends automation, AI, and 5G connectivity to otherwise unsupported systems.

For example, serial consoles (also known as terminal servers, console servers, and serial console switches) provide remote management access to network infrastructure. The newest generation of these devices, known as Gen 3, are vendor-neutral by design so that they can control third-party and legacy hardware. Through a combination of built-in features and integrations, Gen 3 serial consoles can use technology like zero-touch provisioning (ZTP), AIOps, and automated configuration management to control connected hardware that otherwise wouldn’t support it. Some solutions, such as the Nodegrid platform from ZPE Systems, can even directly host SDN and NaaS software from other vendors, so ISPs can start implementing network improvements right away while they gradually replace their outdated infrastructure.

Physical infrastructure is difficult to manage and troubleshoot remotely

The challenge: ISP network admins can’t respond to changing environmental conditions or recover failed hardware remotely.

The solution: Environmental monitoring connected to an out-of-band (OOB) management solution ensures continuous remote access on a dedicated, isolated network that enables fast and cost-effective recovery.

ISP network architectures involve a great deal of physical infrastructure, which is often deployed in remote edge sites and customer premises. Even with software- or service-based network solutions, hardware is needed to host that software, and the physical environment for that hardware is often less than ideal. Drastic weather changes, power outages, and other unexpected scenarios can happen without notice and rapidly bring down an ISP network. These events often cut off remote management access as well, making troubleshooting and recovery difficult, time-consuming, and expensive. In fact, supporting this physical infrastructure often consumes so much time and effort that it prevents ISPs from focusing on delivering better services and software to their customers.

Solution: Out-of-band management with environmental monitoring

The first part of the solution involves monitoring the environment that houses remote, physical infrastructure. An environmental monitoring system uses sensors to detect changes in airflow, temperature, humidity, and other conditions that affect the operation of network hardware. These sensors give ISPs a virtual presence in edge deployments and customer sites so they can quickly respond to changing conditions before systems overheat or circuitry corrodes.

The second part involves providing management teams with reliable remote access to physical infrastructure that won’t go down if there’s a production network outage. Out-of-band (OOB) management solutions use serial consoles with dedicated network interfaces used just for management access. This creates a parallel, out-of-band network that’s completely isolated from production network services and infrastructure. Additionally, many serial consoles use cellular connectivity via 4G or 5G for OOB access, providing a wireless lifeline to connect, troubleshoot, and restore remote infrastructure. OOB management allows ISPs to troubleshoot and recover failed hardware remotely, even during total network outages, so they can get services back up and running faster and less expensively.

The environmental monitoring system should run on the OOB network so remote admins can continue to monitor conditions while they recover failed hardware. The out-of-band management solution also needs to be vendor-neutral so ISPs can deploy third-party automation, AI, and NaaS on the OOB network. For example, Nodegrid Gen 3 serial consoles provide OOB, environmental monitoring, and a vendor-neutral platform to host third-party software at the edge. Nodegrid even enables fully automated responses to changing environmental conditions in those edge environments before admins are aware of a problem.
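The automated-response idea described above (sensor readings on the OOB network triggering an action before an admin is aware of a problem) is easy to get wrong if a reading that hovers around a threshold fires an action on every sample. The following Python is an added example, not code from ZPE Systems or from any product on this page: it evaluates constructed temperature and humidity readings against a hypothetical policy, uses a separate clear threshold (hysteresis) so alarms don’t flap, and returns the list of actions that would be dispatched. The sensor names, thresholds and action names are all assumptions made for the example.

```python
"""Threshold evaluation with hysteresis for edge environmental sensors.

Added example, not Nodegrid or any vendor's code. Readings are constructed
sample data; sensor names, thresholds and action names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Threshold:
    high: float    # at or above this value the sensor enters alarm
    clear: float   # at or below this value the alarm clears (hysteresis band)
    action: str    # hypothetical automated response to dispatch on alarm


# Hypothetical policy for one edge cabinet: Celsius and percent relative humidity.
POLICY: Dict[str, Threshold] = {
    "temp_c": Threshold(high=35.0, clear=32.0, action="raise_fan_speed"),
    "humidity_pct": Threshold(high=70.0, clear=60.0, action="alert_noc"),
}


@dataclass
class Evaluator:
    policy: Dict[str, Threshold]
    state: Dict[str, str] = field(default_factory=dict)  # sensor -> "ok" | "alarm"

    def evaluate(self, sensor: str, value: float) -> Tuple[str, str]:
        """Update per-sensor state and return (state, event).

        event is 'alarm_raised', 'alarm_cleared' or 'none'. Readings inside the
        band between clear and high keep the current state, which is what stops
        a sensor oscillating around the threshold from firing repeatedly.
        """
        t = self.policy[sensor]
        prev = self.state.get(sensor, "ok")
        if prev == "ok" and value >= t.high:
            self.state[sensor] = "alarm"
            return "alarm", "alarm_raised"
        if prev == "alarm" and value <= t.clear:
            self.state[sensor] = "ok"
            return "ok", "alarm_cleared"
        return prev, "none"


def run(readings: List[Tuple[int, str, float]],
        policy: Dict[str, Threshold] = POLICY) -> List[dict]:
    """Process time-ordered (timestamp, sensor, value) readings and return the
    actions that would be sent over the OOB network, in order."""
    ev = Evaluator(policy)
    actions: List[dict] = []
    for ts, sensor, value in readings:
        _, event = ev.evaluate(sensor, value)
        if event == "alarm_raised":
            actions.append({"ts": ts, "sensor": sensor, "value": value,
                            "action": policy[sensor].action})
        elif event == "alarm_cleared":
            actions.append({"ts": ts, "sensor": sensor, "value": value,
                            "action": "clear"})
    return actions


# Constructed sample readings (seconds since start, sensor, value).
SAMPLE_READINGS: List[Tuple[int, str, float]] = [
    (0,   "temp_c", 30.0),
    (60,  "temp_c", 34.9),        # just below high: nothing dispatched
    (120, "temp_c", 35.2),        # crosses high: raise_fan_speed
    (180, "temp_c", 34.0),        # back under high but above clear: no flapping
    (240, "temp_c", 31.5),        # at or below clear: alarm cleared
    (300, "humidity_pct", 71.0),  # humidity crosses high: alert_noc
]

if __name__ == "__main__":
    for action in run(SAMPLE_READINGS):
        print(action)
```

On the constructed readings this dispatches three actions: raise_fan_speed at t=120, clear at t=240, and alert_noc at t=300; the 34.0 reading at t=180 produces nothing because it sits inside the hysteresis band. In a real deployment the action dispatcher would be whatever the OOB platform exposes; the evaluator itself is platform-independent.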

To learn more about building a resilient, automated network infrastructure with Nodegrid, download the Network Automation Blueprint.

Download Now

ISP network architecture resilience with Nodegrid

ISP network architectures must be resilient, meaning service providers must find a way to bridge the gap between legacy and modern systems while ensuring continuous remote access to manage, troubleshoot, and recover hardware at the edge. The Nodegrid ISP network infrastructure solution from ZPE Systems is a vendor-neutral, Gen 3 platform that delivers legacy modernization, environmental monitoring, out-of-band management, and much more.

Nodegrid delivers ISP network architecture resilience in a single platform

Request a free demo to see Nodegrid ISP network architecture solutions in action.

Watch a Demo