Providing Out-of-Band Connectivity to Mission-Critical IT Resources

What is an Application Delivery Platform?


Modern software architectures are highly complex and often very difficult to maintain and operate. A single enterprise application comprises hundreds (or even thousands) of individual services, technologies, and toolchains while requiring a lot of underlying infrastructure, such as servers, routing and load balancing rules, and security controls. All of this complexity increases overhead costs and adds to the ever-growing workloads of software, network, and infrastructure teams, especially when you multiply this effort across dozens or hundreds of software deployments.

Platform engineering is a new discipline introduced by Gartner to address these challenges by reducing the complexity of software engineering, network operations, and application delivery. The platforms built by these engineers are known by several names, including internal developer platforms, internal developer portals, and application delivery platforms. This guide defines an application delivery platform, discusses the underlying technology, and highlights a leading platform engineering solution.

Table of Contents:
  1. What is an application delivery platform?
  2. What is the importance of an application delivery platform?
  3. What technology makes up an application delivery platform?
  4. Introducing ZPE Systems’ Services Delivery Platform

What is an application delivery platform?

An application delivery platform is a suite of technologies that handles all the services that support an application, including security, traffic management, load balancing, and data management. Platform engineers combine all these services into a common toolset used to deploy applications at customer sites, so there’s no need to build a new architecture every time. This streamlined experience makes application delivery cost-effective by significantly reducing workloads and deployment timelines.

What is the importance of an application delivery platform?

The goal of an application delivery platform is to reduce deployment and management complexity. Deployment complexity leads to a greater risk of human error when configuring things like security controls and access policies, and any mistakes are likely to be found and exploited by cybercriminals. Management complexity makes it harder to stay on top of patch schedules. Unpatched software often contains vulnerabilities that are exploited by cybercriminals; for example, known ransomware groups targeted unpatched IBM software earlier this year.

By reducing complexity, an application delivery platform also reduces the attack surface, improving an organization’s overall security posture.

What technology makes up an application delivery platform?

By its very nature, an application delivery platform is highly customized to fit the needs of the applications being supported. Here are some examples of the services and technologies that are often included.

  • Server storage & compute: The platform needs storage (usually solid-state) and processing units (CPUs or GPUs) to run the applications and store necessary data. Ideally, the OS and computing architecture will support containers (e.g., Docker) for microservices applications.
  • Automation tools: A key feature of application delivery platforms is the ability to automatically provision and deploy new environments, apps, and network services, as well as activate service licenses and service chaining. That means the platform should host automation tools for configuration management, code delivery, and software-defined networking (SDN).
  • Security: The ideal platform makes it possible to deliver applications without configuring security every time. That means it provides unified management and repeatable deployments for security services like firewall traffic inspection, access control lists, and advanced authentication.
  • Routing & load balancing: A lot of backend networking goes into the typical application deployment to ensure traffic is routed correctly and optimized for performance. An application delivery platform should support network functions virtualization (NFV) and SDN so standard network configurations can be easily deployed alongside the applications being delivered.
  • Management tools: Engineers need a way to remotely access, manage, and troubleshoot application deployments, even (and especially) during major service disruptions. The ideal platform includes out-of-band serial console management and supports third-party troubleshooting tools so remote teams can quickly recover systems and applications without an expensive on-site visit.

While this list is far from exhaustive, it covers the foundational technology that supports an application delivery platform. Platform engineering is still in its infancy, and many organizations struggle to efficiently execute it because of how many moving pieces need to be considered. The goal is to find a solution that provides the best framework of hardware and software capabilities that platform engineers can build upon, so they can create a fully customized application delivery platform without reinventing the wheel.

Introducing ZPE Systems’ Services Delivery Platform


The Services Delivery Platform from ZPE Systems is the perfect foundation for any platform engineering initiative. Nodegrid edge routers serve as the hardware backbone, providing networking and failover capabilities, OOB serial console management, and plenty of memory, storage, and CPU headroom for additional apps and services. You can build a fully customized hardware platform with the modular Net Services Router (NSR), extending your storage or compute capabilities or adding more ports to support your application deployment.

The vendor-neutral, Linux-based Nodegrid OS can run your custom applications as well as third-party automation, security, DevOps, and management tools. Plus, Nodegrid unifies all connected services and applications under a single management umbrella, allowing teams to oversee and orchestrate all of their deployments from one convenient portal.

 

Ready to Learn More?

The Services Delivery Platform from ZPE Systems simplifies platform engineering with powerful, multipurpose hardware and an open, vendor-neutral OS. Contact us today to learn more about using Nodegrid for your application delivery platform!


How to Implement Zero Trust for OT

Enterprise security teams traditionally focus on IT networks, but operational technology (OT) security is just as important. OT comprises equipment that interacts with the physical world, such as sensors, temperature gauges, and motors, as well as the systems used to control that technology. Attacks on OT systems have a huge impact on business operations and customers, often causing more devastation than an IT breach. For example, an attack on an oil pipeline’s control systems could shut down production for weeks and affect millions of people in the region.

“Zero trust” is a security methodology designed to reduce the risk of attack through network segmentation, granular access policies, and advanced security technologies. Many organizations use zero trust to protect their IT networks, but it’s just as critical to the safeguarding of operational technology. This post defines zero trust security before explaining how to implement zero trust for OT.


What is zero trust for OT?

According to recent research by Barracuda Networks, more than 90 percent of manufacturing organizations saw cyberattacks hit their production or energy supply in 2021 alone. OT is a frequent target because of how devastating an attack can be on business operations and because it often lacks the same security policies and controls that protect IT infrastructure. To solve this problem, teams need to apply zero trust security principles, policies, and technology to their OT networks. The zero trust security methodology follows the motto “never trust, always verify.” That means operating under the assumption that no users or devices should be trusted, even if they’re logging in from within the main office. Achieving a zero-trust architecture means segmenting IT and OT networks and creating micro-perimeters of highly specific security policies and controls to protect each segment. Zero trust often uses advanced security technologies like AIOps and machine learning to enforce those policies, identify subtle signs of compromise, and quickly resolve security incidents.

How to implement zero trust for OT

Let’s discuss the requirements and best practices for implementing zero trust for OT.

Isolate critical systems with segmentation

Zero trust requires custom-tailored security policies and controls to protect specific network resources. That means network teams must logically segment the network based on which resources need to be protected by which policies and technologies, a practice known as micro-segmentation.

OT is often grouped together into a single micro-segment under the assumption that all OT needs the same protection. However, not all OT is created equal, especially in the eyes of a would-be attacker. For example, a programmable logic controller (PLC) gives cybercriminals control over manufacturing processes, but compromising an access control system lets them physically infiltrate the building. Some organizations take zero trust even further by using nano-segmentation to isolate individual systems, applications, or containers, creating extremely effective micro-perimeters that address specific vulnerabilities.

Micro- and nano-segmentation are the backbone of a zero-trust architecture, enabling the creation of micro-perimeters using granular access policies and security controls customized for the protected resources.

Create and enforce strong security policies

Zero trust security policies determine who can pass through each micro-perimeter and who can access each OT resource. These policies should follow a least-privilege approach, meaning everyone gets the bare minimum privileges required to complete their workflows and nothing more. The best practice is to use role-based access control (RBAC), categorizing individual accounts based on their role (e.g., system administrators or machine operators) and giving each role least-privilege access to the resources required for that job.

The best way to create and enforce zero trust security policies is with an identity and access management (IAM) solution. A zero-trust IAM solution monitors each micro-perimeter to verify the identities of all accounts requesting access and attempts to establish an account’s trustworthiness using methods like two-factor authentication (2FA). Some advanced IAM solutions even use machine learning technology like user and entity behavior analytics (UEBA) to monitor account activity on the network and spot anomalous behavior that could indicate compromise.

  • IAM = Identity and Access Management: Creates and deploys policies, verifies identities, and establishes trustworthiness.
  • 2FA = Two-Factor Authentication: Requires an additional form of identity verification (besides the username and password), such as a code sent to an authorized mobile device.
  • UEBA = User and Entity Behavior Analytics: Uses machine learning to monitor account activity, creates baselines for normal behavior, and identifies anomalies that could mean an account is compromised.

Strong, granular security policies and zero-trust IAM solutions help protect OT by limiting account privileges and preventing compromised accounts from accessing network resources.

Leverage advanced security technologies

There are additional security technologies that support or enhance zero trust for OT. For example, a next-generation firewall (NGFW) makes network segmentation easier and includes advanced features such as application-aware filtering and deep-packet inspection. Secure access service edge (SASE) delivers zero trust security solutions to the network edge, safeguarding OT at remote branch sites with the same policies and controls as the central enterprise network. AIOps uses artificial intelligence for better threat detection and faster incident recovery.

Organizations use advanced security technologies to fortify micro-perimeters, extend zero trust to the edge, and gain enhanced detection and recovery capabilities.

Implement zero trust for OT with Nodegrid

Zero trust security protects operational technology using network segmentation to create micro-perimeters of strong security policies and advanced security technologies custom-tailored to each individual resource’s requirements and vulnerabilities. Achieving zero trust is typically a long and tedious process because of how many solutions and devices you must deploy.

The Nodegrid solution from ZPE Systems alleviates this challenge by providing a vendor-neutral platform capable of hosting and deploying all your zero trust security technologies. For example, Nodegrid network edge routers deliver all the networking capabilities required to spin up an OT branch and can directly host your choice of third-party security solutions. Nodegrid reduces hardware expenses by consolidating network functionality onto fewer devices while unifying network and security management under a single umbrella for greater operational efficiency.

In fact, Nodegrid is an entire Services Delivery Platform that you can deploy anywhere in your network architecture to host your critical third-party SaaS (software as a service) solutions. That means you can create a customized branch-in-a-box that combines gateway routing, switching, out-of-band (OOB) management, NGFW, SASE, infrastructure automation, and more in a single device.

Ready to Learn More?

Contact ZPE Systems to learn more about implementing and enhancing zero trust for OT with the Nodegrid Services Delivery Platform.


Atsign: Why Choose ZPE Systems to Host IoT Security?


A Conversation with Atsign CTO & Co-Founder, Colin Constable

This is a guest post composed by Atsign, creators of zero-attack-surface solutions including atProtocol.

We recently sat down with our CTO and Mariposa Rotary Club extraordinaire, Colin Constable, to discuss our partnership with our friends over at ZPE Systems. Let’s explore the driving force behind this powerful partnership, and how together we’re securing IoT devices and the data shared between them.

Why is this partnership strategically important?

We are a software company that helps people connect beyond the edge of the Internet. And as a software company, we need to have hardware to run our software on. After looking at a number of hardware platforms, ZPE stood out as an organization that provides a strong array of network connectivity options. Our software running on ZPE’s hardware serves as an edge platform that gives customers reliable access to edge-generated data.

What are some of the synergies between Atsign and ZPE?

First and foremost, ZPE’s hardware was designed from scratch to provide the openness and flexibility that we were looking for in a hardware platform. If I were going to design something like this myself, it would look very much like a ZPE box! It is incredibly easy to drop our Docker containers straight onto the platform, and they just simply work, which is quite a joy. To have a Docker container environment on an edge box is really the thing that makes ZPE stand out as a platform. Combine that with the fact that ZPE boxes are running x86, which makes things easy–plus actually having dual SIM cards–we can work with our MVNO partners to provide constant connectivity; even if hardlines go down, there’s cellular backup. The thing we can offer ZPE and their customers is if the box can see the Internet, then you’ll be able to address it, get data to and from it, and actually even log into it, and get hold of the built-in UI on the box.

Tell us about ZPE’s Docker Container support

Our Docker containers literally just ran perfectly on the ZPE hardware. I went into the UI, selected my Docker container, and it just ran. It doesn’t get much easier than that. Plus, there’s the promise of being able to have the Docker container talk to connected devices like V.24 cables to provide connectivity to IoT devices.

Once IoT devices become directly addressable, then it opens up all kinds of opportunities for more efficient delivery or sharing of information that can save customers tons of money by eliminating a lot of the current infrastructure they currently use to do that job.

What are some real-world use cases for Atsign and ZPE Systems?

Because ZPE boxes have lots of connectivity options (e.g. serial ports, 4/5G backhaul, and ethernet–with more coming!) for connecting IoT devices, then you can have always-on devices at the edge, and be able to address and get data to and from them. For example, a radio station that has DSL connectivity, and cellular backup would be able to just automatically move over to cellular backup, notify the radio station that it’s on cellular backup, but use that connectivity until the ADSL line comes back online and at all times be able to get information from the equipment at the radio station. This is critical for radio stations, as it eliminates “dead air,” that moment when the transmitter is not transmitting. Sponsors rely on radio stations to put out notifications for what their businesses are doing, so having constant, uninterrupted connectivity is essential.

Do Atsign & ZPE Systems improve sustainability?

Traditional solutions would have you installing many different boxes. What we really like about the ZPE platform is that although the hardware provides lots of connectivity options–that reduces the footprint for starters–there’s no need to have different modems and firewalls, and any other services can be added via Docker containers, so you actually have an environment where you have a single box, and it can do multiple functions at the edge.

What are your final thoughts on the partnership between Atsign and ZPE Systems?

As a software company, we need hardware to deploy on. We especially need hardware that can sit on the edge with all the right connectivity points. Atsign and ZPE Systems is really a perfect combination of great software and great hardware at the edge.

Bonus: What is Colin’s favorite firewall configuration for a ZPE box?

My favorite firewall rule is the one that costs the least money, and is ultimately the most secure firewall ruleset: Deny All. If you’ve got Deny All, that means that you don’t have to deal with the pain and complexities of firewall rules in order to address devices, which is what the real cost of networking is these days; it’s not necessarily the hardware, it’s actually having people to administer firewall rulesets. Having zero network attack surfaces, having a Deny All ruleset, just means you don’t have to have people changing rulesets all the time, which is a good thing.

99.999% Uptime for a Top-10 Engineering School

Providing low-level remote access and automation saves hundreds of hours per month for the university’s small IT team

One of the largest universities in the United States fosters academics and research for nearly 40,000 students, staff, and researchers. The university sits among the top 10 schools for engineering, and heavily integrates technology into all disciplines, including engineering, computer sciences, and agricultural studies.

The university received a grant to expand, update, and connect their network of campuses, while enhancing infrastructure and mobility, resiliency, and campus amenities. But having more than 200 on-campus buildings presents a challenge. The campus is home to academic facilities as well as a hospital, airport, 60,000-seat sports stadium, and dozens of leased spaces for local businesses. This makes the university equivalent to a small city, and its network infrastructure is what keeps it all connected.

Their small IT team was responsible for maintaining more than 10,000 management devices, most of which were long past EOL and frequently failing. They needed a refresh, but with a solution that could also reduce the hundreds of hours they spent every month on travel and on-site work. To maximize their day-to-day efficiency, they required a solution that could overcome these operational gaps:

  • Reducing the 100-150 hours of monthly travel times, by giving engineers the ability to fully access their stack remotely
  • Reducing the 80-120 hours of monthly on-site work required to maintain the 99.999% SLA, by automating manual jobs such as patching and firmware upgrades
  • Expanding their management headroom and use-case adaptability, by migrating to IPv6 and reducing the existing 6RU device stack

Download the full case study to see how ZPE’s Nodegrid hardware and software solved these problems.


Problems and Gaps

The university is one of the largest in the United States. It sits among the nation’s top 50 schools for research expenditures, and heavily integrates technology into all disciplines, including engineering. Its main campus is home to more than 200 buildings that sit on over 2,500 acres of land. The campus is essentially a small city, and the university’s network infrastructure keeps it all connected.

This network infrastructure, however, was well beyond EOL and in disrepair. But rather than simply upgrade to newer devices, the university’s small IT team wanted to improve the overall quality of life well into the future. This meant addressing three gaps:

  • Inefficient management at scale — Each engineer spent an average of ten hours per month on travel alone, just to traverse the campus’ wide footprint and get to each MDF/IDF closet.
  • Too much focus on ops — The aging infrastructure was on the brink of collapse and required each engineer to spend eight hours per month in on-site work, just to keep devices running.
  • Too many devices — The infrastructure included roughly 10,000 devices to manage, which were exhausting IP addresses on their limited IPv4 network and were too rigid to fit in tight spaces, like their remote farm closets and research labs.

Solution

The university deployed the full lineup of Nodegrid devices, including the Nodegrid Serial Console, Nodegrid Services Routers, and Nodegrid Manager. These allowed them to overcome all three gaps using remote management, automation, and consolidated functionality, to save engineers hundreds of hours every month. Download the full case study to see the complete solution and benefits.

Need Help Replacing End-of-Life Gear?

Check out our complete products and services package to make your EOL transition seamless. Choose from a variety of Synopsys-validated devices, get a generous trade-in discount, and let our engineers install and configure them in your environment. Click below to explore this offer and more customer case studies.

Network Automation Cost Savings Calculator

Many organizations feel continuous financial pressure to cut costs and streamline operations due to economic factors like the ongoing threat of a recession and global supply chain interruptions. Network automation can help companies across all industries save money during lean financial times. A recent Cisco and ACG Research study found that network automation can reduce OPEX by 55% by streamlining workflows such as device provisioning and service ticket management. Though they aren’t mentioned in the study, additional savings are generated by using automation to avoid outages and accelerate recovery efforts.

This post discusses how to save money through automation and provides a network automation cost savings calculator for a more customized estimate of your potential ROI.

 


How network automation provides cost savings

Network automation reduces costs by streamlining operations, preventing outages, and aiding in backup and recovery workflows.

Network automation saves money by solving problems

Problem: High OPEX

Solution: Automation tackles repetitive tasks like new installs and ticketing operations, which helps you generate revenue sooner and reduce the time and resources spent on maintaining operations.

Problem: Too many outages

Solution: Automation allows teams to be proactive by leveraging critical data to identify potential problems before they cause outages, freeing them from the typical break/fix approach.

Problem: Slow recovery

Solution: Automation speeds up processes like backups, snapshotting, and device re-imaging, which makes networks more resilient by accelerating recovery from outages and ransomware.

Reduces OPEX

The focus of the Cisco/ACG study was the economic benefits of streamlining network operations through automation. For example, the OPEX (operational expenditure) involved in spinning up a new branch is too high because deployments require so much work, time, and staff. Using automation to provision and deploy new resources can significantly reduce the time it takes to spin up a new branch, which means the site could start generating revenue much sooner. Using automation to monitor device health and environmental conditions could extend the life expectancy of critical (and expensive) equipment while reducing the number of on-site staff needed to maintain that equipment.

Network automation reduces OPEX by increasing the efficiency of repetitive or tedious tasks like new installs, incident management, and device monitoring. Crucially, automation does so without reducing the quality of service for end users and often only improves the speed, reliability, and overall experience.

Prevents outages

Network downtime is an expense that cash-strapped businesses can’t afford to bear. According to a recent ITIC survey, a single hour of downtime costs most organizations (91%) over $300,000 in lost business, with 44% of enterprises reporting outage costs exceeding $1 million. However, preventing downtime is difficult when most network teams are caught in a reactive break/fix cycle because they lack the staffing, resources, and technology required to maintain visibility and identify issues before they occur.

Network automation solves this problem using advanced machine learning algorithms to analyze monitoring data and identify potential issues before they cause outages. For example, AIOps (artificial intelligence for IT operations) solutions provide real-time analysis of infrastructure, network, and security logs. AIOps is adept at recognizing patterns and detecting anomalies in data so that it can identify issues before they affect the performance or reliability of the network.

Accelerates recovery

While network automation helps to reduce downtime, it can’t eliminate outages altogether. When outages do occur, recovery is often a long, drawn-out process involving a lot of manual work, during which time revenue and customer faith may be lost. Network resilience is the ability to quickly recover from ransomware, equipment failures, and other causes of downtime with as little impact as possible on end users and business revenue. Automation speeds up recovery efforts in a few critical ways:

  • Streamlined backups – Automation makes performing regular backups and snapshots easier, reducing the risk of gaps or inaccuracies.
  • Reduced imaging delays – Automatic provisioning ensures that clean systems are spun up quickly so that business can resume as soon as possible.
  • Faster failover – Automatic network failover and routing technologies can reroute traffic around downed nodes before a human admin has time to respond, providing a more seamless end-user experience.

Network automation is a direct source of cost savings because it reduces OPEX without negatively impacting the business or customer experience. Automation also indirectly saves money by helping organizations avoid outages through proactive monitoring and maintenance. In addition, network automation technologies make businesses more resilient by speeding up recovery efforts when breaches and failures do occur.

Network automation cost savings calculator

ZPE Systems provides network and infrastructure automation solutions for any use case, pain point, or technological need. ZPE’s vendor-neutral platform allows you to extend automation to every device on your network, including legacy and mixed-vendor solutions, so that you can achieve true end-to-end automation (a.k.a. hyperautomation). For a customized estimation of how much money you can save by automating your network operations with ZPE Systems, check out our network automation cost savings calculator.

Ready to Learn More?

For help with the network automation cost savings calculator or to learn more about automating your network operations, contact ZPE Systems today.


What Is a Zero Trust Gateway?

The constant threat of cyberattacks has made network security a top priority for companies in every sector, with Gartner predicting that global cybersecurity spending will reach $188 billion in 2023. However, security continues to get more challenging due to factors like a rise in remote work, an increasing reliance on touchless internet of things (IoT) devices, and the overall decentralization of enterprise networks. It’s hard to create a secure perimeter around the enterprise when its users, devices, applications, and data could be anywhere in the world.

The zero trust security methodology addresses this challenge by shrinking the focus from one large security perimeter and instead creating smaller “micro-perimeters” around each individual resource that needs defending. It’s called zero trust because it follows the principle of “never trust, always verify.” That means each user and device needs to verify its identity and prove its trustworthiness before it can penetrate the micro-perimeter. So, for example, if a cybercriminal uses stolen credentials to log into the enterprise network, they have to pass through many different security checkpoints to see or access any sensitive resources, which increases the likelihood they’ll get caught before excessive damage is done.

One way to implement micro-perimeters and apply zero trust security policies is with a device called a zero trust gateway. This post discusses the technologies that make up a zero trust gateway and explains how they work together to defend enterprise networks.

What is a zero trust gateway?

A zero trust gateway is a device that sits at the edge of the network – or at the top of the rack – and applies zero trust security policies and controls to traffic flowing in either direction. The gateway can be a dedicated security appliance, but it’s often more cost- and space-effective to use a multi-functional device that combines security, networking, and infrastructure management in a single box.

Some of the key features used in an all-in-one zero trust gateway include network micro-segmentation, identity and access management, context-aware monitoring, and secure out-of-band management. There are a small number of mature solutions that deliver all of these features off-the-shelf, but they lock you into their small solution ecosystem and limited feature roadmap. A better approach is to start with a vendor-neutral platform that lets you host and integrate your choice of security applications to create a fully customized zero trust gateway. Let’s walk through how each of these security technologies works and how to combine them into a bespoke zero trust gateway solution.

To see an example of a vendor-neutral zero trust gateway at work, request a demo of the Nodegrid solution from ZPE Systems.


Network micro-segmentation

A zero trust micro-perimeter is made up of granular access control policies and security controls that are custom-tailored to the specific vulnerabilities and requirements of the resources they’re defending. For example, an on-premises database containing sensitive financial records needs different policies than a cloud-based application that doesn’t process any personal information. To implement micro-perimeters, resources first need to be logically organized based on their sensitivity level, who needs access to them, and what their interdependencies are.

Network micro-segmentation is used to separate resources based on these criteria so that micro-perimeters can then be applied. For a device to be considered a zero trust gateway, it must support VLAN micro-segmentation and be able to apply access control rules consistently across all micro-segments.

Identity and access management

In a zero trust architecture, user and device permissions should be limited to only what’s necessary to perform their job role. For example, an HR account used to manage employee records shouldn’t have access to customer financial data, and vice versa. Access policies should be specific to individual micro-segments and resources and need to be applied to all users and devices consistently, no matter where they’re logging in from. That means a remote user should follow the same authentication steps and have the same permissions as they would if they logged in at the office.

For a large enterprise network, this is only achievable with a centralized identity and access management (IAM) solution. An IAM solution provides a single platform from which to create, manage, and apply security policies. A zero trust IAM solution also enables best practices like single sign-on (SSO) and two-factor authentication (2FA).

A zero trust gateway needs to integrate with your chosen IAM provider to ensure that policies are applied to both production traffic and management traffic. Some vendor-neutral gateway solutions can even directly host and run third-party IAM solutions, providing a more integrated experience and saving rack space.
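To make the consistency requirement from the micro-segmentation and IAM sections concrete, here is an added example (not code from this post or from any vendor product) that audits a rule set for grants whose permissions or authentication steps change with login location, then evaluates requests with default deny. The role names, segment names, and rule format are assumptions made for illustration.

```python
from collections import defaultdict

LOCATIONS = ("office", "remote")

# Constructed rules: (role, micro-segment, source location, 2FA required).
WEAK_RULES = [
    ("hr-admin", "hr-records", "office", False),  # office logins skip 2FA
    ("hr-admin", "hr-records", "remote", True),
    ("finance-analyst", "customer-finance", "office", True),  # no remote rule
]
FIXED_RULES = [
    ("hr-admin", "hr-records", "any", True),
    ("finance-analyst", "customer-finance", "any", True),
]


def expand(rules):
    """Map (role, segment) -> {location: 2FA required}, expanding 'any'."""
    table = defaultdict(dict)
    for role, segment, source, needs_2fa in rules:
        for loc in (LOCATIONS if source == "any" else (source,)):
            table[(role, segment)][loc] = needs_2fa
    return table


def audit(rules):
    """List grants whose permissions or authentication steps vary by location."""
    findings = []
    for (role, segment), by_loc in expand(rules).items():
        missing = [loc for loc in LOCATIONS if loc not in by_loc]
        if missing:
            findings.append(f"{role}@{segment}: no rule for {','.join(missing)}")
        elif len(set(by_loc.values())) > 1:
            findings.append(f"{role}@{segment}: 2FA differs by location")
    return sorted(findings)


def decide(rules, role, segment, source, passed_2fa):
    """Default deny: allow only on an explicit rule whose 2FA demand is met."""
    by_loc = expand(rules).get((role, segment), {})
    if source not in by_loc:
        return False
    return passed_2fa or not by_loc[source]
```

Running `audit(WEAK_RULES)` reports both location-dependent grants, while `audit(FIXED_RULES)` returns an empty list because every grant applies the same steps everywhere.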

Context-aware monitoring

Many successful cyberattacks use stolen credentials gained through phishing schemes and other social engineering tactics. For example, Mailchimp was recently attacked by malicious actors using credentials stolen from employees through social engineering. It’s difficult to detect and contain such an attack because the criminal looks like an authorized user. However, careful monitoring often reveals suspicious behavior, such as logging in from an unusual IP address or time zone, making multiple access requests to areas of the network they don’t usually visit, or transferring abnormally large quantities of data.

User and entity behavior analytics, or UEBA, uses machine learning technology to monitor and analyze account activity on the enterprise network. UEBA creates a baseline of “normal” behavior for individual accounts so it can detect any anomalous activity. UEBA integrates with other security and monitoring solutions, such as IAM and firewalls, so it can compare data from various sources to make more informed decisions. This is one of the ways that zero trust security verifies the trustworthiness of accounts trying to access sensitive resources, making UEBA a critical component of zero trust gateways.
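The baseline-and-compare idea can be shown with a small added example (not part of the original post and not any UEBA product's code). It swaps the machine learning model for a simple per-account statistical baseline and checks the three signals named above: source network, areas accessed, and transfer size. The event format, account names, and thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed history: (account, source network, micro-segment, bytes sent).
HISTORY = [
    ("alice", "10.1.0.0/16", "hr-records", 120_000),
    ("alice", "10.1.0.0/16", "hr-records", 95_000),
    ("alice", "10.1.0.0/16", "public-web", 130_000),
    ("alice", "10.1.0.0/16", "hr-records", 110_000),
    ("alice", "10.1.0.0/16", "hr-records", 105_000),
]


def build_baseline(events):
    """Collect each account's usual networks, segments and transfer sizes."""
    base = defaultdict(lambda: {"nets": set(), "segments": set(), "bytes": []})
    for account, net, segment, sent in events:
        profile = base[account]
        profile["nets"].add(net)
        profile["segments"].add(segment)
        profile["bytes"].append(sent)
    return dict(base)


def anomalies(event, baseline, z_limit=3.0):
    """Return the reasons an event departs from the account's baseline."""
    account, net, segment, sent = event
    profile = baseline.get(account)
    if profile is None:
        return ["no baseline for account"]
    reasons = []
    if net not in profile["nets"]:
        reasons.append("unusual source network")
    if segment not in profile["segments"]:
        reasons.append("segment not normally accessed")
    mean = statistics.fmean(profile["bytes"])
    # Floor the spread (assumed: 10% of the mean, at least 1 byte) so a flat
    # history does not turn every small increase into an alert.
    spread = max(statistics.pstdev(profile["bytes"]), 0.1 * mean, 1.0)
    if (sent - mean) / spread > z_limit:
        reasons.append("abnormally large transfer")
    return reasons
```

An account with no history is reported rather than silently passed, so a newly created or never-seen account still surfaces for review.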

Secure out-of-band (OOB) management

Admins need a fast and reliable way to access remote infrastructure for management, troubleshooting, and recovery. For example, it’s common for a single data center management team to be responsible for customer equipment in multiple DCs distributed around the world for redundancy. These admins can’t physically go on-site every time a firmware update fails or a device loses its IP address. That’s why they rely on remote out-of-band (OOB) management, which creates a separate network just for management traffic that doesn’t rely on the production LAN. Admins access the OOB network using a dedicated management device, like a jump box or a serial console server.

This management device is a tempting target for cybercriminals, as gaining control of that device will give them complete control over the connected infrastructure. One way to protect the OOB network is by using a zero trust gateway with integrated management ports. For example, the Nodegrid Net Services Router (NSR) is a modular zero trust gateway that can be customized to connect to any type of device that needs to be managed or secured. The NSR comes with gateway routing and switching capabilities, an embedded firewall, and hardware security features like secure boot and a self-encrypted disk. Nodegrid is also completely vendor-neutral, which means it can directly host or integrate with your choice of third-party security solutions, including next-generation firewalls (NGFWs) and zero trust technologies like identity and access management and UEBA.

The NSR is a modular, open platform upon which to build a fully customized zero trust gateway for large data center deployments. The Nodegrid product line from ZPE Systems also includes a variety of serial console solutions and integrated all-in-one gateway routers to support other use cases, such as edge computing sites, branches, and automated IoT deployments.

A zero trust gateway helps organizations implement micro-perimeters of specific policies and controls to defend sensitive data and other valuable resources. A vendor-neutral, integrated solution like the Nodegrid Serial Console Plus from ZPE Systems makes it possible to combine zero trust security with networking and management functionality to create a streamlined, cost-effective zero trust gateway deployment.

Ready to learn more about Zero Trust Gateway?

To learn more about deploying Nodegrid as a zero trust gateway in your enterprise, contact ZPE Systems today.
