Providing Out-of-Band Connectivity to Mission-Critical IT Resources

NIS2 Compliance & Requirements

NIS2 – an update of the EU’s Network and Information Security Directive – seeks to enhance the cybersecurity level and resilience of EU member states. Compared to the original NIS, it significantly increases risk management, corporate accountability, business continuity, and reporting requirements. NIS2 became law in all EU member states on 17 October 2024, so affected organizations must take action to avoid fines and other penalties. This guide describes the 10 minimum cybersecurity requirements mandated by NIS2 and provides tips to simplify NIS2 compliance.

Citation: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

Who does NIS2 apply to, and what are the consequences for noncompliance?

NIS2 applies to organizations providing services deemed “essential” or “important” to the European economy and society. Essential Entities (EE) generally have at least 250 employees, annual turnover of €50 million, or balance sheets of €43 million. Essential sectors include:

Important Entities (IE) generally have at least 50 employees, annual turnover of €10 million, or balance sheets of €10 million. Important sectors include:

  • Postal services
  • Waste management
  • Chemicals
  • Research
  • Food
  • Manufacturing (e.g., medical devices and other equipment)
  • Digital providers (e.g., social networks, online marketplaces)

The NIS2 Directive outlines three types of penalties for noncompliance: non-monetary remedies, administrative fines, and criminal sanctions. Non-monetary remedies include things like compliance orders, binding instructions, security audit orders, and customer threat notification orders. Financial penalties for Essential Entities max out at €10 million or 2% of the global annual revenue, whichever is higher; for Important Entities, the maximum is €7 million or 1.4% of the global annual revenue, whichever is higher. NIS2 also directs member states to hold top management personally responsible for gross negligence in a cybersecurity incident, which could involve:

  • Ordering organizations to notify the public of compliance violations
  • Publicly identifying the people and/or entities responsible for the violation
  • Temporarily banning an individual from holding management positions (EEs only)

Even the nonfinancial penalties of NIS2 noncompliance can affect revenue by causing reputational damage and potential lost business, so it’s crucial for IEs and EEs to be prepared when this directive takes effect in their state.

10 Minimum requirements for NIS2 compliance

The NIS2 directive requires essential and important entities to take “appropriate and proportional” measures to manage security and resilience risks and minimize the impact of incidents. It mandates an “all-hazards approach,” which means creating a comprehensive business continuity framework that accounts for any potential disruption, whether a natural disaster, a ransomware attack, or anything in between. Organizations must implement “at least” the following requirements as a baseline for NIS2 compliance:

10 NIS2 Compliance Requirements (NIS2 minimum requirement – implementation tip)

  1. Maintain comprehensive risk analysis and information system security policies – Keep policies in a centralized repository with version control to track changes and prevent unauthorized modifications.
  2. Implement robust security incident handling measures – Use AIOps to accelerate incident creation, triage, and root-cause analysis (RCA).
  3. Establish business continuity and crisis management strategies – Use out-of-band (OOB) management and isolated recovery environments (IREs) to minimize downtime and improve resilience.
  4. Mitigate supply chain security risks – Implement User and Entity Behavior Analytics (UEBA) to monitor third parties on the network.
  5. Ensure network and IT system security throughout acquisition, development, and maintenance – Use automated provisioning, vulnerability scanning, and patch management to reduce risks.
  6. Perform regular cybersecurity and risk-management assessments – Use artificial intelligence technology like large language models (LLMs) to streamline assessments.
  7. Enforce cybersecurity training requirements for all personnel – Simulate phishing emails and other social engineering attacks to prepare users for the real thing.
  8. Implement cryptography and, when necessary, encryption – Ensure all physical systems are protected by strong hardware roots of trust like TPM 2.0.
  9. Establish secure user access control and asset management practices – Use zero-trust policies and controls to restrict privileges and limit lateral movement.
  10. Use multi-factor authentication (MFA) and encrypted communications – Extend MFA to management interfaces and recovery systems to prevent compromise.

1. Risk analysis and information system security policies

Organizations must create and update comprehensive policies covering cybersecurity risk analysis and overall IT system security practices. These policies should cover all the topics listed below and include specific consequences and/or corrective measures for failing to follow the outlined processes.

Tip: Keeping all company policies in a centralized, version-controlled repository will help track updates over time and prevent anyone from making unauthorized changes.

2. Security incident handling

Entities must implement incident-handling tools and practices to help accelerate resolution and minimize the impact on end users and other essential or important services. This includes mechanisms for identifying problems, triaging according to severity, remediating issues, and notifying relevant parties. NIS2 outlines a specific timeline for reporting significant security incidents to the relevant authorities:

  • Within 24 hours – Entities must provide an early warning indicating whether they suspect an unlawful or malicious attack or whether it could have a cross-border impact.
  • Within 72 hours – Entities must update the relevant authorities with an assessment of the attack, including its severity, impact, and indicators of compromise.
  • Within one month – Organizations must submit a final report including a detailed description of the incident, the most likely root cause or type of threat, what mitigation measures were taken, and, if applicable, the cross-border impact. If the incident is still ongoing, entities must submit an additional report within one month of resolution.

Tip: AIOps (artificial intelligence for IT operations) analyzes monitoring logs using machine learning to identify threat indicators and other potential issues that less sophisticated tools might miss. It can also generate, triage, and assign incidents, perform root-cause analysis (RCA) and other automated troubleshooting, and take other actions to streamline security incident handling.
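As an added example (not code from the original guide or from ZPE Systems), a small Python deadline tracker for the reporting stages listed above; the function, field and stage names are its own, and it assumes the “one month” deadlines are calendar months counted from the moment the entity became aware of the incident.

```python
"""Deadline tracker for the NIS2 significant-incident reporting timeline.

Added example, not code from the original page or from ZPE Systems. The
stages follow the guide text: early warning within 24 hours of becoming
aware of the incident, incident notification within 72 hours, final report
within one month, and, if the incident is still ongoing when the final
report is due, a further report within one month of resolution. Function,
field and stage names are this example's own choices (assumptions).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def add_one_month(moment: datetime) -> datetime:
    """Add one calendar month, clamping the day to the length of the target
    month (31 January -> 28 February) so the date never overflows."""
    month = moment.month % 12 + 1
    year = moment.year + (1 if moment.month == 12 else 0)
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime                      # 24 hours after becoming aware
    incident_notification: datetime              # 72 hours after becoming aware
    final_report: datetime                       # one month after becoming aware
    post_resolution_required: bool               # incident still ongoing at final-report time
    post_resolution_report: Optional[datetime]   # one month after resolution, once known


def nis2_deadlines(aware_at: datetime, resolved_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Compute every reporting deadline from the moment the entity became aware."""
    if aware_at.tzinfo is None or (resolved_at is not None and resolved_at.tzinfo is None):
        raise ValueError("use timezone-aware timestamps; reporting clocks are absolute")
    if resolved_at is not None and resolved_at < aware_at:
        raise ValueError("resolution cannot precede awareness")
    final_report = add_one_month(aware_at)
    # If the incident is not resolved when the final report falls due, a further
    # report is owed within one month of the (possibly still unknown) resolution.
    still_ongoing = resolved_at is None or resolved_at > final_report
    post_report = None
    if still_ongoing and resolved_at is not None:
        post_report = add_one_month(resolved_at)
    return ReportingDeadlines(
        early_warning=aware_at + timedelta(hours=24),
        incident_notification=aware_at + timedelta(hours=72),
        final_report=final_report,
        post_resolution_required=still_ongoing,
        post_resolution_report=post_report,
    )


def overdue_stages(deadlines: ReportingDeadlines, now: datetime) -> List[str]:
    """Names of the reporting stages whose deadline has already passed at `now`."""
    stages = [
        ("early_warning", deadlines.early_warning),
        ("incident_notification", deadlines.incident_notification),
        ("final_report", deadlines.final_report),
    ]
    if deadlines.post_resolution_report is not None:
        stages.append(("post_resolution_report", deadlines.post_resolution_report))
    return [name for name, due in stages if now > due]


def deadlines_iso(aware_iso: str, resolved_iso: Optional[str] = None,
                  now_iso: Optional[str] = None) -> Dict[str, object]:
    """Convenience wrapper over ISO-8601 strings, e.g. for a playbook script."""
    aware = datetime.fromisoformat(aware_iso)
    resolved = datetime.fromisoformat(resolved_iso) if resolved_iso else None
    d = nis2_deadlines(aware, resolved)
    out: Dict[str, object] = {
        "early_warning": d.early_warning.isoformat(),
        "incident_notification": d.incident_notification.isoformat(),
        "final_report": d.final_report.isoformat(),
        "post_resolution_required": d.post_resolution_required,
        "post_resolution_report": (d.post_resolution_report.isoformat()
                                   if d.post_resolution_report else None),
    }
    if now_iso:
        out["overdue"] = overdue_stages(d, datetime.fromisoformat(now_iso))
    return out


if __name__ == "__main__":
    # Constructed sample: awareness on 31 January so the month clamp is exercised.
    sample = deadlines_iso("2025-01-31T10:00:00+00:00", now_iso="2025-02-02T00:00:00+00:00")
    for key, value in sample.items():
        print(f"{key}: {value}")
```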

3. Business continuity and crisis management

Essential and important entities must establish comprehensive business continuity and crisis management strategies to minimize service disruptions. These strategies should include redundancies and backups as part of a resilience system that can keep operations running, even if in a degraded state, during major cybersecurity incidents. It’s also crucial to maintain continuous access to management, troubleshooting, and recovery infrastructure during an attack.

Tip: Serial consoles with out-of-band (OOB) management provide an alternative path to systems and infrastructure that doesn’t rely on the production network, ensuring 24/7 management and recovery access during outages and other major incidents. OOB serial consoles can also be used to create an isolated recovery environment (IRE) where teams can safely restore and rebuild critical services without risking ransomware reinfection.

4. Supply chain security

Organizations must implement supply chain security risk management measures to limit the risk of working with third-party suppliers. These include performing regular risk assessments based on the supplier’s security and compliance history, applying zero-trust access control policies to third-party accounts, and keeping third-party software and dependencies up to date.

Tip: User and entity behavior analytics (UEBA) software uses machine learning to analyze account activity on the network and detect unusual behavior that could indicate compromise. It establishes baselines for normal behavior based on real user activity, reducing false positives and increasing detection accuracy even with vendors and contractors who operate outside of normal business hours and locations.

5. Secure network and IT system acquisition, development, and maintenance

Entities must ensure the security of network and IT systems during acquisition, development, and maintenance. This involves, among other things, inspecting hardware for signs of tampering before deployment, changing default settings and passwords on initial startup, performing code reviews on in-house software to check for vulnerabilities, and applying security patches as soon as vulnerabilities are discovered.

Tip: Automation can streamline many of these practices while reducing the risk of human error. For example, zero-touch provisioning automatically configures devices as soon as they come online, reducing the risk of attackers compromising a system-default admin account. Automated vulnerability scanning tools can help detect security flaws in software and systems; automated patch management ensures third-party updates are applied as soon as possible.

6. Cybersecurity and risk-management assessments

Organizations must have a way to objectively assess their cybersecurity and risk-management practices and remediate any identified weaknesses. These assessments involve identifying all the physical and logical assets used by the company, scanning for potential threats, determining the severity or potential impact of any identified threats, taking the necessary mitigation steps, and thoroughly documenting everything to streamline any reporting requirements.

Tip: An AI-powered cybersecurity risk assessment tool uses large language models (LLMs) and other machine learning technology to automate assessments with greater accuracy than older solutions. These tools are often better at identifying novel threats than human assessors or signature-based detection methods, and they typically provide automated reporting to aid in NIS2 compliance.

7. Cybersecurity training

Essential and important entities must enforce cybersecurity training and basic security hygiene policies for all staff. This training should include information about the most common social engineering attacks, such as email phishing or vishing (voice phishing), compliant data handling practices, and how to securely create and manage account credentials.

Tip: Some cybersecurity training programs include attack simulations – such as fake phishing emails – to test trainees’ knowledge and give them practice identifying social engineering attempts. These programs help companies identify users who need additional education and periodically reinforce what they have learned.

8. Cryptography and encryption

NIS2 requires organizations to use cryptography to protect systems and data from tampering. This includes encrypting sensitive data and communications when necessary.

Tip: Roots of Trust (RoTs) are hardware security mechanisms providing cryptographic functions, key management, and other important security features. RoTs are inherently trusted, so it’s important to choose up-to-date solutions offering strong cryptographic algorithms, such as Trusted Platform Module (TPM) 2.0.

9. User access control and asset management

Entities must establish policies and procedures for employees accessing sensitive data, including least-privilege access control and secure asset management. This also includes mechanisms for revoking access and locking down physical assets when users violate safe data handling policies, or malicious outsiders compromise privileged credentials.

Tip: Zero trust security uses network micro-segmentation and highly specific security policies to protect sensitive resources. MFA and continuous authentication controls seek to re-establish trust each time a user requests access to a new resource, making it easier to catch malicious actors and preventing lateral movement on the network.

10. Multi-factor authentication (MFA) and encrypted communications

The final minimum requirement for NIS2 compliance is using multi-factor authentication (MFA) and continuous authentication solutions to verify identities, as described above. Additionally, entities must be able to encrypt voice, video, text, and internal emergency communications when needed.

Tip: MFA, continuous authentication, and other zero-trust controls should also extend to management interfaces, resilience systems, and isolated recovery environments to prevent malicious actors from compromising these critical resources. The best practice is to isolate management interfaces and resilience systems using OOB serial consoles to prevent lateral movement from the production network.

How ZPE streamlines NIS2 compliance

EU-based entities classified as essential or important have limited time to implement all the security policies, practices, and tools required for NIS2 compliance. Using vendor-neutral, multi-purpose hardware platforms to deploy new security controls can help reduce the hassle and expense, making it easier to meet the October deadline. For example, a Nodegrid serial console from ZPE Systems combines out-of-band management, routing, switching, cellular failover, SSL VPN and secure tunnel capabilities, and environmental monitoring in a single device. The vendor-neutral Nodegrid OS supports GuestOS and containers for any third-party software, including next-generation firewalls (NGFWs), Secure Access Service Edge (SASE), automation tools like Puppet and Ansible, and UEBA. Nodegrid devices have strong hardware Roots of Trust with TPM 2.0, selectable encrypted cryptographic protocols and cipher suite levels, and configuration checksum™. Plus, Nodegrid’s Gen 3 OOB creates the perfect foundation for infrastructure isolation, resilience systems, and isolated recovery environments.

Looking to Upgrade to a Nodegrid serial console?

Looking to replace your discontinued, EOL serial console with a Gen 3 out-of-band solution? Nodegrid can expand your capabilities and manage your existing solutions from other vendors.

DORA Compliance & Requirements

The European Union’s Digital Operational Resilience Act (DORA) creates a regulatory framework for information and communication technology (ICT) risk management and network resilience. It entered into EU law on 16 January 2023 and took effect on 17 January 2025, applying to any firm operating within the European financial sector. This guide outlines the technical requirements for DORA compliance and provides tips and best practices to streamline implementation.

Citation: Digital Operational Resilience Act (DORA)

Which organizations does DORA affect, and what are the consequences of non-compliance?

DORA applies to financial entities operating in the European Union, including:

  • Financial services
  • Payment institutions
  • Crypto-asset service providers
  • Crowdfunding service providers
  • Investment firms
  • Insurance companies
  • Data analytics and audit services
  • Fintech companies
  • Trading venues
  • Credit institutions
  • Credit rating agencies

Crucially, DORA also applies to third-party digital service providers that work with financial institutions, such as colocation data centers and cloud service providers.

Once DORA takes effect, each EU state will designate “competent authorities” to enforce compliance. Each state determines its own penalties, but potential consequences for non-compliance include fines, remediation, and withdrawal of DORA authorization.

ICT service providers (such as cloud vendors) labeled “critical” by the European Commission face additional oversight and non-compliance penalties, including fines of up to 1% of the provider’s average daily worldwide turnover in the previous business year. Overseers can levy fines on a provider every day for up to six months until compliance requirements are met. These steep penalties make it essential for service providers to ensure their systems and processes are DORA-compliant.

What are DORA’s technical requirements?

DORA requirements, descriptions, and technical best practices:

  • ICT risk management – Financial institutions must develop a comprehensive ICT risk management framework containing strategies and tools for business resilience, recovery, and communication. Best practices: control/data plane separation; isolated recovery environments.
  • ICT third-party risk management – Financial organizations in the EU must manage the risk of working with third-party vendors to prevent supply chain attacks. Best practices: automated patch management; AIOps security monitoring.
  • Digital operational resilience testing – Financial entities must establish a resilience testing program to validate their security defenses, backups, redundancies, and recovery systems every year. Best practices: control/data plane separation; alternative networking, compute, and storage; automated provisioning and recovery tools.
  • ICT-related incident management – Financial firms must submit a root cause report within one month of a major incident. Best practices: AIOps anomaly detection; AIOps incident management; AIOps root-cause analysis (RCA).
  • Information sharing – DORA encourages financial institutions to share cyber threat information within the community to help raise awareness and mitigate risks. Best practices: using logs and analyses from technology solutions like UEBA and AIOps.
  • Oversight of critical third-party providers – Digital service providers deemed “critical” must follow the same compliance rules as the financial institutions they work with. Best practices: all of the above.

ICT risk management

DORA requires financial institutions to develop a comprehensive ICT risk management framework containing strategies and tools for business resilience, recovery, and communication. In addition to written policies and documented procedures, financial entities must implement technology such as security hardware and software, redundancies and backups, and resilience systems. Best practices for DORA-compliant risk management technologies include:

  • Control/data plane separation
  • Isolated recovery environments

ICT third-party risk management

Financial organizations in the EU must manage the risk of working with third-party vendors to prevent supply chain attacks such as the MOVEit breach. ICT third-party risk management (TPRM) involves performing vendor due diligence to validate compliance with security standards and ensuring contractual provisions are in place to hold vendors accountable for security failures. On the technical side, financial entities should implement security policies and controls to limit third-party access and use monitoring tools that detect vulnerabilities, apply patches, and identify suspicious account behavior. Best practices for DORA-compliant TPRM technologies include:

  • Automated patch management
  • AIOps security monitoring

Digital operational resilience testing

DORA requires financial entities to establish a resilience testing program to validate their security defenses, backups, redundancies, and recovery systems once per year. Examples of resilience tests include vulnerability scans, network security assessments, open-source software analyses, physical security reviews, penetration testing, and source code reviews. Financial entities deemed “critical,” as well as their critical ICT providers, must also undergo threat-led penetration testing (TLPT) every three years. DORA stipulates that these tests be performed by independent parties, though they can be internal so long as the organization takes steps to eliminate any conflict of interest. Technical best practices include:

  • Control/data plane separation
  • Alternative networking, compute, and storage
  • Automated provisioning and recovery tools

ICT incident reporting

DORA streamlines and consolidates the incident reporting requirements that are currently fragmented across EU states. The takeaway from this section is a requirement for financial firms to submit a root cause report within one month of a major incident. Technical best practices for meeting this requirement involve using AIOps for:

  • Anomaly detection
  • Incident management
  • Root-cause analysis (RCA)

Information sharing

This is less of a requirement than a suggestion, but DORA both allows and encourages financial institutions to share cyber threat information within the community to help raise awareness and mitigate risks. Best practices involve using (anonymized) logs from some of the technologies mentioned above, such as UEBA and AIOps.

Oversight of critical third-party providers

DORA requires “critical” digital service providers to follow the same compliance rules as the financial institutions they work with. Regulators may deem a provider critical if a large number of financial entities rely on them for business continuity or if they are difficult to replace/substitute when a failure occurs. Any cloud vendors, colocation data centers, or other digital service providers working in the EU’s financial sector should prepare for DORA by implementing all of the technologies listed above.

Best practices for DORA compliance

Some of the technologies that can help simplify DORA compliance for financial institutions and critical service providers include:

Control/data plane separation

Separating the data plane (i.e., production network traffic) from the control plane (i.e., management and troubleshooting traffic) simplifies DORA compliance in two key ways:

  1. It isolates the management interfaces used to control ICT systems, making them inaccessible to malicious actors who breach the production network and aiding in resilience.
  2. It prevents resource-intensive automation, security monitoring, and resilience testing workflows from affecting the speed or availability of the production network.

The best practice for control and data plane separation is to use Gen 3 out-of-band (OOB) serial consoles, such as the Nodegrid product line from ZPE Systems. Gen 3 OOB provides a dedicated network for management traffic that doesn’t depend on production network resources, ensuring remote teams always have access, even during outages or ransomware attacks. It’s also vendor-neutral, allowing administrators to deploy third-party monitoring, automation, security, troubleshooting, and testing tools on the isolated control plane. Gen 3 OOB helps financial institutions and ICT service providers meet resilience and testing requirements cost-effectively.

Isolated recovery environments

Ransomware continues to be one of the biggest threats to resilience, with ransomware cases increasing by 73% in 2023 despite heightened awareness and additional cybersecurity spending. Preventing an attack may be nearly impossible, and full recovery often takes weeks due to the high rate of reinfection. The best way to reduce recovery time and meet DORA resilience requirements is with an isolated recovery environment (IRE) that’s fully separated from the production infrastructure.

A diagram showing the components of an isolated recovery environment.

An IRE contains systems dedicated to recovering from ransomware and other breaches, where teams can rebuild and restore applications, data, and other resources before deploying them back to the production network. It uses designated network infrastructure that’s completely separate from the production environment to mitigate the risk of malware reinfection. It also contains technologies like Retention Lock, role-based access control, and out-of-band management so teams can quickly and safely recover critical services and reduce DORA penalties.

Automated patch management

Cybercriminals often breach networks by exploiting known vulnerabilities in outdated software and firmware, as happened with 2023’s Ragnar Locker attacks. For large financial institutions and critical ICT providers, manually tracking and installing patches for all the third-party hardware and software used across the organization is too difficult and time-consuming, leaving potential vulnerabilities exposed for years. The best practice for meeting DORA’s third-party risk management requirement is to use an automated, vendor-agnostic patch management solution.

Automated patch management tools discover all the software and devices used by the organization, monitor for known exploited vulnerabilities, and notify teams when vendors release updates. They centralize patch management for the entire network to simplify TPRM and aid in DORA compliance.

AIOps

AIOps uses artificial intelligence technology to automate and streamline IT operations. AIOps collects and analyses all the data generated by IT infrastructure, applications, monitoring tools, and security solutions to help identify significant events and make “intelligent” recommendations. AIOps helps with DORA compliance by providing:

  • Anomaly detection – Artificial intelligence analyses logs and detects outlier data points that could indicate an in-progress data breach or other problematic event.
  • Incident management – AIOps automatically generates, triages, and assigns service desk tickets to the appropriate team for resolution, significantly accelerating incident response.
  • Root-cause analysis – AIOps combs through all the relevant logs to determine the most likely cause of adverse events, making it easier to meet DORA’s root-cause reporting requirements.

How ZPE streamlines DORA compliance

The Nodegrid out-of-band management platform from ZPE Systems helps financial institutions and critical service providers meet DORA resilience requirements without increasing network complexity. Vendor-neutral Nodegrid serial consoles and integrated edge services routers deliver control plane isolation, centralized infrastructure patch management, and Guest OS/container hosting for third-party security, recovery, and AIOps tools. The Nodegrid platform provides a secure foundation for an isolated recovery environment that contains all the technology needed to get services back online and stay DORA compliant.

Download our 3 Steps to Ransomware Recovery whitepaper to learn how to improve network resilience with Nodegrid.

See how Nodegrid helped one of the EU’s largest banks meet modern security and compliance requirements.

SD-WAN Management Guide

SD-WAN applies software-defined networking (SDN) principles to wide area networks (WANs), which means it decouples networking logic from the underlying WAN hardware. SD-WAN management involves orchestrating and optimizing software-defined WAN workflows across the entire architecture, ideally from a single, centralized platform. This SD-WAN management guide explains how this technology works, the potential benefits of using it, and the best practices to help you get the most out of your SD-WAN deployment.

How does SD-WAN management work?

A typical WAN architecture uses a variety of links, including MPLS, wireless, broadband, and VPNs, to connect branches and other remote locations to enterprise applications and resources. SD-WAN is a virtualized service that overlays this physical architecture, giving teams a unified software interface from which to manage network traffic and workflows across the enterprise. SD-WAN management decouples network control functions from the gateways and routers installed at remote sites, so administrators no longer have to manage each one individually. It also reduces the reliance on manual CLI rules and prompts, which are time-consuming and prone to human error, allowing teams to deploy policies across an entire network at the same time.

SD-WAN can also use multiple connection types (including 5G LTE, MPLS, and fiber) interchangeably, switching between them as needed to ensure optimal performance. Plus, SD-WAN management enables organizations to use virtualized and cloud-based security technologies (such as SASE) to secure remote traffic to SaaS, web, and cloud resources. This allows organizations to reduce traffic on expensive MPLS links by utilizing less-costly cellular and public internet links to handle cloud-destined traffic.

The benefits of SD-WAN management

SD-WAN benefits and descriptions:

  • Branch bandwidth cost reduction – SD-WAN reduces bandwidth costs by redirecting cloud- and internet-destined traffic across less expensive channels, reserving the MPLS link for enterprise traffic alone.
  • Branch performance optimization – SD-WAN management uses technologies like application awareness and guaranteed minimum bandwidth to automatically optimize network performance.
  • Branch automation & orchestration – SD-WAN’s software-based management enables automatic deployments, load balancing, failover, and intelligent routing with a centralized orchestrator.
  • Branch security enhancement – SD-WAN enables the use of cloud-based security solutions like SASE and Zero Trust Edge that extend enterprise security controls to branch network traffic.

Cost reduction

MPLS links provide a secure connection between branches and centralized data center resources, but the bandwidth is far more expensive than fiber or cellular. SD-WAN reduces branch bandwidth costs by using less expensive channels for traffic that’s destined for resources online and in the cloud, reserving MPLS bandwidth for enterprise traffic alone.

Improved performance

To optimize the performance of a traditional WAN, teams must create specific routing, bandwidth utilization, and load-balancing rules for each branch and appliance, and hope these policies adequately predict and resolve any potential issues. SD-WAN management uses technologies like application awareness and guaranteed minimum bandwidth to automatically optimize network performance.

Automation & orchestration

By decoupling network control functions from the underlying WAN hardware, SD-WAN enables automatic device deployments, load balancing, failover, and intelligent routing. Teams can orchestrate automated workflows across the entire network architecture from a centralized software platform, to make deployments and configuration changes more efficient.

Enhanced security

Branch networks often suffer from security gaps due to the difficulty in extending enterprise security policies and controls to remote sites. Securing branch traffic usually means backhauling all traffic through the data center’s firewall, eating up expensive MPLS bandwidth and introducing latency for the rest of the enterprise. Some organizations opt to deploy security appliances at each branch site, which is costly and gives network administrators more moving parts to manage. 

SD-WAN enables the use of cloud-based security solutions like SASE and Zero Trust Edge that extend enterprise security defenses to branch network traffic without backhauling or additional hardware. SD-WAN automatically identifies traffic destined for web or cloud resources and routes it through the cloud-based security stack across less-expensive internet links, saving money and reducing management complexity while improving branch security.

How to get the most out of your SD-WAN deployment

There are a variety of SD-WAN deployment models, each of which solves a different WAN problem, so it’s important to assess your organization’s requirements and capabilities to ensure you build an architecture that meets your needs. It’s also critical to consider the scalability, adaptability, security, and resilience of your SD-WAN deployment to prevent headaches down the road. 

For example, using a vendor-neutral platform like Nodegrid to host SD-WAN allows you to easily expand your branch networking capabilities with third-party software for automation, security, monitoring, troubleshooting, and more without deploying additional hardware, allowing you to easily scale and adapt to changing business requirements. Nodegrid also consolidates branch functions like routing, switching, out-of-band serial console management, SD-WAN management, and SASE network security in a single device for cost-effective branch deployments. Plus, Nodegrid enables isolated management infrastructure that’s resilient to threats and provides a safe recovery environment from ransomware attacks and network failures. 

Ready to get started on your SD-WAN deployment?

Nodegrid unifies control over mixed-vendor hardware and software solutions across the enterprise network architecture for efficient, streamlined SD-WAN management. Request a free demo to learn more.

Request a Demo

Cisco 2900 EOL: Replacement Options

The Cisco ISR 2900 series of branch routers went EOS (end-of-sale) on the 9th of December 2017, and Cisco concluded support on the 31st of December 2022. In this guide, we’ll compare migration options for the Cisco ISR 2900 EOL models to help you select a solution that supports your business use case, deployment size, and future growth.

Disclaimer: This comparison was written by a third party in collaboration with ZPE Systems using data gathered from publicly available data sheets and admin guides, as of 5/12/2023. Please email us if you have corrections or edits, or want to review additional attributes: Matrix@zpesystems.com

Cisco ISR 2900 overview

The Cisco ISR 2900 is a line of enterprise gateway routers designed for branch and edge networking. It’s a modular solution that can be expanded with optional Network Interface Modules (NIMs) and Service Modules (SMs) for more functionality. There are two primary use cases for the 2900:

Converged branch networking – The ISR 2900 easily integrates with Cisco’s SD-WAN, SD-Branch, cloud security, and DNA network management software, can be extended with optional modules for added hardware capabilities, and supports NFV (network functions virtualization) for all-in-one branch networking.

Out-of-band (OOB) management – Using serial port modules, the ISR 2900 turns into an out-of-band (OOB) serial console solution that provides remote management access to the control plane of branch infrastructure.

The ISR 2900 is officially EOL as of the 31st of December 2022. The EOL models include all 2901, 2911, 2921, and 2951 ISR product SKUs.

Looking for replacement options for your other Cisco ISR EOL products? Read our guide to Cisco ISR EOL Replacement Options.

Cisco 2900 EOL replacement options

The discontinuation of the Cisco 2900 has left many organizations looking for migration options. Let’s compare two direct replacements from Cisco before discussing alternative options that deliver better branch management capabilities and greater opportunities for automation.

Cisco ISR 1100

Cisco ISR 1100 is a series of enterprise branch routers, though in this comparison we’re only looking at the models that support SD-WAN and thus serve as direct replacements for the discontinued 2900 models. The capabilities of the 1100 series vary, mostly because only some of the models are modular. For example, the fixed form-factor 1100-4G/4G LTE models have cellular functionality but offer fewer networking and security features. Conversely, the 1161X-8P and 112x-8P models are modular and can be extended with optional modules (like cellular for the 1161X or terminal server ports for the 112x-8P).

Even with these expansions, the compact ISR 1100s are best suited for smaller deployments in branch offices or small, provider-managed edge data centers. If your organization uses the ISR 2900 for converged branch networking, the 1100s are the closest Cisco replacement, though they support OOB serial modules as well.

Cisco Catalyst C8300

The Cisco Catalyst C8300 series is a modular branch and edge networking solution, though due to its large size, it’s sometimes used as a primary on-premises gateway router. There are four models to choose from – two 2RU units with 2 SM and 2 NIM slots, and two 1RU units with 1 SM and 1 NIM slot. Each chassis comes with 6 embedded Layer 3 Ethernet ports (1 Gbps and/or 10 Gbps) as well as a console port and USB port. All other port configurations and capabilities come via Cisco expansion modules, including options for 5G/4G cellular.

The Catalyst C8300 is a big, robust solution that’s designed for medium to large deployments such as campuses, colocation sites, and AI/machine learning data centers. The C8300 is primarily a converged branch networking solution like the ISR 1100 series, but it provides OOB management with optional serial cards.

Cisco 2900 replacement option comparison table

| Attribute | Cisco ISR 2900 (EOL) | Cisco ISR 1100 | Cisco Catalyst 8300 | Nodegrid Net SR | Nodegrid Serial Console Plus |
|---|---|---|---|---|---|
| Form Factor | 1-2 RU | Desktop-1RU | 1-2 RU | 1 RU | 1 RU |
| Max IPsec Throughput | Not defined | Up to 18.8 Gbps | Up to 18.8 Gbps | 600 Mbps – 1.2 Gbps | 600 Mbps |
| Total Onboard WAN or LAN 10/100/1000 Ports | 2-3 | 4-6 | 4-6 | 2 | 2 |
| Total Onboard WAN or LAN 10 Gbps Ports | 0 | 0 | 0-2 | 2 | 2 |
| WAN Ports | 2-3 | 0-6 | 2-6 | 1+, configurable | 0-4 |
| LAN Ports | 2-3 | 0-6 | 2-6 | 4-84 | 0-4 |
| Slots | 2-3 | 0-1 | 2-4 | 5 | 0 |
| Default Memory | 512 MB | 4 GB | 8 GB | 8 GB | 4 GB |
| Max Memory | 2 GB | 8 GB | 32 GB | 64 GB | 16 GB |
| Compute | UCS-E Card | | | On-board, Compute card | On-board |
| OOB Capabilities | Requires Serial Card | Requires Serial Card | Requires Serial Card | Included | Included |
| Environmental Monitoring | N/A | N/A | N/A | Included | Included |

For users looking for a Cisco solution to replace their EOL ISR 2900, the ISR 1100 series and Catalyst C8300 are the closest direct replacements. However, both product lines suffer from a major limitation – they aren’t vendor-neutral.

While Cisco routers integrate with some third-party partners, they do not support custom or third-party applications for automation and orchestration, which limits you to the automation offered by Cisco’s software. This lack of open integrations increases the chances that a Cisco solution won’t be able to hook into all the hardware and software components of a distributed and multi-vendor network architecture.

For example, if you utilize different SD-WAN and next-generation firewall (NGFW) vendors at some of your remote sites, Cisco’s automation may not extend to these devices. That means you’ll need to send out technicians to all remote sites (which could number in the dozens or hundreds) just to set up these services when you otherwise could have deployed them automatically.

Want to learn more about breaking free of locked ecosystems? Read The Benefits of Vendor Agnostic Platforms in Network Management

When network solutions like the Cisco 2900 go EOL, it’s the perfect opportunity to look for alternative options that provide the functionality you need without locking you into an ecosystem or limiting your automation capabilities.

Cisco 2900 direct replacement options from ZPE Systems

ZPE Systems provides a line of vendor-neutral solutions for branch and edge networking called Nodegrid. The Nodegrid Net Services Router (NSR) and Nodegrid Serial Console Plus (NSCP) serve as direct replacements for Cisco 2900 EOL products.

Nodegrid Net Services Router (NSR)

The Nodegrid NSR is a modular branch networking solution that you can customize to increase your terminal server ports, storage space, processing power, or switch ports. The NSR delivers converged branch networking capabilities like SD-WAN, SD-Branch, and NFVs, plus it can host your choice of custom and third-party applications for automation, security, and more.

While the NSR is the perfect converged branch solution to replace the Cisco ISR 2900, it also provides 3rd generation (or Gen 3) OOB management. That means Nodegrid’s OOB network is completely vendor-neutral and can extend automation capabilities to all your legacy and mixed-vendor infrastructure for efficient deployments, management, and orchestration.

Want to see the Nodegrid converged branch networking solution in action? Watch a Demo

Nodegrid Serial Console Plus (NSCP)

The NSCP is a robust, scalable branch networking and out-of-band serial console solution. The NSCP comes in 16-, 32-, 48-, and 96-port models, so you can choose the solution that’s right-sized to your deployment and use case. Plus, you can get built-in 5G/4G LTE and Wi-Fi options for failover and out-of-band.

Like the NSR, the NSCP is an open platform that can run your choice of software to expand your capabilities and reduce your tech stack. It also delivers Gen 3 OOB management of all connected infrastructure, enabling true end-to-end automation in data centers, branches, and other remote sites. The NSCP is the ideal replacement for enterprises using the Cisco 2900 for out-of-band management, though it also provides converged branch networking capabilities at any scale.

All Nodegrid devices run the open, Linux-based Nodegrid OS which can host your choice of third-party or custom applications, freeing you from vendor lock-in. You can even integrate infrastructure orchestration tools like Puppet, Chef, and Ansible to extend automation to end devices, regardless of vendor. This is what makes Nodegrid the world’s first Gen 3 branch networking solution.

Want to see how Nodegrid stacks up against Cisco’s replacement options? Click here to download the services routers comparative matrix.

Global support and supply chain

Leaving a trusted ecosystem behind to adopt alternative options can be risky, so it’s important to find a vendor that offers the support you need to make the transition and keep your operations running smoothly. ZPE Systems offers global product support using the “follow the sun” model, which means you get support when you need it, regardless of your time zone. You also won’t have to worry about supply chain issues causing stock shortages – ZPE supplies hyperscalers with 10K+ units per quarter and has strong, consistent supply chain control.

Need to replace your Cisco 2900 EOL?

To learn more about replacing your Cisco 2900 EOL solution with the vendor-neutral Nodegrid platform, with shipping in as little as two weeks, contact ZPE Systems today. Contact Us

Cisco 2900 EOL product tables with migration SKUs

| Cisco 2900 EOL Model | In Scope Features | Replacement Product (modular form factor) |
|---|---|---|
| Cisco ISR 2901, 2911, 2921, 2951 | Serial Console Module, Routing, 16 serial ports | ZPE-NSR-816-DAC with 1 x 16-port serial module (1 x ZPE-NSR-16SRL-EXPN) |
| Cisco ISR 2901, 2911, 2921, 2951 | Serial Console Module, Routing, 32 serial ports | ZPE-NSR-816-DAC with 2 x 16-port serial modules (2 x ZPE-NSR-16SRL-EXPN) |
| Cisco ISR 2901, 2911, 2921, 2951 | Serial Console Module, Routing, 48 serial ports | ZPE-NSR-816-DAC with 3 x 16-port serial modules (3 x ZPE-NSR-16SRL-EXPN) |
| Cisco ISR 2901, 2911, 2921, 2951 | Serial Console Module, Routing, 60 serial ports | ZPE-NSR-816-DAC with 4 x 16-port serial modules (4 x ZPE-NSR-16SRL-EXPN) |
| 80 serial port option – no Cisco equivalent | Serial Console Module, Routing, 80 serial ports | ZPE-NSR-816-DAC with 5 x 16-port serial modules (5 x ZPE-NSR-16SRL-EXPN) |

| Cisco 2900 EOL Model | In Scope Features | Replacement Product (fixed form factor) |
|---|---|---|
| Cisco ISR 2901, 2911, 2921, 2951 | Serial Console Module, Routing, 16 serial ports | ZPE-NSCP-T16R-STND-DAC |
| Cisco ISR 2901, 2911, 2921, 2951 | Serial Console Module, Routing, 32 serial ports | ZPE-NSCP-T32R-STND-DAC |
| Cisco ISR 2901, 2911, 2921, 2951 | Serial Console Module, Routing, 48 serial ports | ZPE-NSCP-T48R-STND-DAC |
| 96 serial port option – no Cisco equivalent | Serial Console Module, Routing, 96 serial ports | ZPE-NSCP-T96R-STND-DAC |

Want to see how Nodegrid compares to other serial console solutions?

Building an IoT Device Management System

Internet of Things (IoT) devices are integral components of many modern businesses. In 2020, there were almost 9 billion active IoT devices—that number is predicted to exceed 25 billion by 2030. Effectively deploying, monitoring, and managing all of these devices in an enterprise environment requires powerful, centralized orchestration using an IoT device management system. This post discusses the best practices and key considerations to keep in mind when planning, designing, and building your IoT device management system.

What is an IoT device management system?

An IoT device management system provides a unified platform from which to manage all of the IoT devices in use by an organization. Many of these devices operate with little-to-no human interaction, in remote sites that may be difficult or even dangerous to access for routine maintenance. For example, IoT sensors are used inside oil pipelines to monitor crucial metrics like flow, pressure, and temperature. In addition, one organization may need to employ dozens or hundreds of different IoT devices to handle specific functions. These devices often come from different vendors, with separate management platforms, patch schedules, and configuration schemes. This results in a lot of management complexity for the IT teams responsible for provisioning, maintaining, and troubleshooting all of these devices, creating the need for an IoT device management system. The goal of such a solution is to bring all of the tasks involved in IoT device management under one roof, including:

  • Onboarding: Bringing new IoT devices onto the network with the proper credentials and security policies
  • Configuration: Provisioning new IoT devices with the necessary settings
  • Maintenance: Updating firmware and applying security patches in a timely manner
  • Security: Applying enterprise security policies to all IoT devices on the network
  • Diagnostics: Collecting and analyzing logs to help identify and fix IoT device issues
  • End-of-life management: Decommissioning EOL devices so they don’t create a security risk by remaining online and unpatched

Nodegrid is a vendor-agnostic IoT device management system that enables end-to-end automation and reliable OOB management access. To see Nodegrid in action, schedule a free demo.

Best practices for building an IoT device management system

Here are some best practices and key considerations to keep in mind when planning, designing, and building your IoT device management system.

Avoid closed ecosystems

There are off-the-shelf software solutions for IoT device management that are designed to work within a single vendor’s ecosystem. While they may offer some support for third-party devices, they generally work best if you’re already operating within that vendor’s environment. For example, AWS IoT Device Management works with third-party IoT devices but requires an existing AWS infrastructure to use it effectively. These types of solutions will usually include a library of features and supported integrations, but you may not be able to integrate your preferred scripting languages, open-source tools, or other third-party components. A vendor-neutral, or vendor-agnostic, IoT device management system does not suffer from these limitations. In addition to the ability to hook into multi-vendor IoT devices, these platforms also allow you to use your choice of third-party software and scripts. A vendor-neutral solution gives you the freedom to build a truly bespoke IoT device management system that makes use of your team’s existing skills, preferred tools, and custom innovations.

Ensure 24/7 remote management access

One of the benefits of IoT devices is they can be deployed anywhere. However, maintaining continuous access to devices in remote and hard-to-reach environments can prove challenging. Natural disasters, LAN failures, ISP outages, political instability, and global pandemics can all occur with little-to-no warning, leaving organizations cut off from their critical remote IoT devices and infrastructure. Out-of-band (OOB) management solves this problem by providing an alternative path to remote network infrastructure. For example, an IoT device management system can use OOB serial consoles to create a management network that’s dedicated to the orchestration, maintenance, and troubleshooting of production network equipment. These serial consoles have multiple redundant network interfaces (e.g., 5G cellular, Fiber, and Wi-Fi) so admins can remotely access the IoT device management system even when the remote site loses its main internet connection. This ensures that organizations can recover from remote network failures faster, continue internal operations during ISP outages, and maintain continuous access to their IoT devices.

Protect IoT infrastructure with Zero Trust Security

IoT device management systems help ensure the security of remote IoT devices by simplifying tasks like firmware updates and vulnerability patch deployment. However, the IoT device management platform itself is a potential target for malicious actors hoping to gain complete control over an organization’s IoT infrastructure. That’s why organizations must protect their IoT device management system using Zero Trust Security. Zero Trust Security follows the principle of “never trust, always verify” by requiring all users, systems, and devices to continuously prove their trustworthiness as they access the network and enterprise resources. It also requires the consistent application of enterprise security policies and controls to every system and application that connects to the network, including the IoT device management system. That means, for example, that you should use technology such as two-factor authentication (2FA) and identity and access management (IAM) to control access and prevent compromised accounts from gaining control.

  • Bonus tip: Zero Trust Security is easier to apply if you use a vendor-neutral IoT device management system that supports integrations with third-party security solutions like next-generation firewalls (NGFWs) and Secure Access Service Edge (SASE). This will also ensure that Zero Trust controls are in place to protect the OOB management network from unauthorized access.

However, it’s important to acknowledge that there’s currently no way to completely prevent a breach from occurring. According to the Sophos State of Ransomware 2022 survey, 66% of organizations were hit by ransomware in 2021 alone, and that number is only expected to trend upwards over time. That’s why another critical aspect of Zero Trust Security for IoT device management is building a resilient network architecture with automation tools that reduce the MTTR (mean time to recovery) when—and not if—a breach occurs. Learn more about how to implement such an architecture with ZPE’s network automation blueprint.

Building an IoT device management system with Nodegrid

An IoT device management system is meant to simplify and streamline the management of remote, hard-to-reach, and complex IoT devices and infrastructure. Vendor-neutral systems allow you to customize your platform with the third-party tools and solutions that work best for your team and your organization’s use case. Out-of-band (OOB) management ensures that IT teams have reliable, 24/7 access to remote IoT systems. Finally, Zero Trust Security protects the IoT device management system and all connected devices from malicious attacks. The Nodegrid platform from ZPE Systems is a completely vendor-agnostic IoT device management system supported by Gen 3 OOB serial consoles like the Nodegrid Serial Console Plus (NSCP) and all-in-one edge gateway routers like the Mini Services Router (MSR). Nodegrid supports integrations with your choice of custom scripts, automation tools, and security solutions so you can build a bespoke IoT device management system that addresses your organization’s unique challenges and use cases.

Ready to learn more about the Nodegrid IoT device management system?

To learn more about the Nodegrid IoT device management system, contact ZPE Systems today. Contact Us

What To Look for In a Cloud Edge Gateway Solution

Gartner predicts that by 2029 more than 15 billion IoT devices will connect to enterprise infrastructure. Many of these devices will operate outside of the centralized enterprise network, in satellite offices, manufacturing facilities, retail stores, and other remote locations. These remote – or edge – IoT devices need a secure and reliable way to connect to cloud resources and applications.

A cloud edge gateway is a hardware or software solution used to connect edge devices to the cloud. Some edge gateways are also routers that connect the edge location’s network to the WAN (wide area network) or SD-WAN (software-defined wide area network). In addition, many cloud edge gateway solutions also provide management access to connected devices, so administrators can remotely monitor and control edge infrastructure.

Some popular use cases for cloud edge gateways include:

  • Retail stores: Cloud edge gateways give retail stores a fast and secure connection for POS (point of sale) terminals, credit card readers, and security cameras.
  • Remote health facilities: Hospitals and clinics in remote areas use cloud edge gateways to securely and reliably transmit health data from IoT medical devices.
  • Police/emergency response vehicles: Cloud edge gateways enable secure data transmission from police, fire, and EMS vehicles to cloud applications.

In this blog post, we’ll discuss the key characteristics and components of a robust, secure, and reliable cloud edge gateway solution.

What to look for in a cloud edge gateway

Vendor neutrality

In a decentralized network with many remote locations, network solutions like edge gateways are often chosen based on which vendor offered the best deal or had the most compelling sales pitch at the time a new site was opening. This creates a heterogeneous network architecture, with each vendor offering their own platform from which to monitor and manage their solutions. With so many platforms to learn and keep track of, it becomes very challenging for admins to keep networks operating at peak efficiency.

A vendor-neutral cloud edge gateway solution reduces management complexity by seamlessly integrating with the existing edge infrastructure. For example, Nodegrid Services Routers can run other vendors’ software, so admins can keep using the management platform they’re most comfortable with. Or, admins can use the ZPE Cloud network orchestration platform to manage any other vendor solution that’s connected to a Nodegrid device.

Vendor-neutral cloud edge gateways give organizations the freedom to continue expanding to new locations without worrying about integration issues. Vendor neutrality also reduces headaches for network administrators so they can focus on improving efficiency and optimizing performance.

High-speed cellular failover and out-of-band management

Edge IoT devices are used for critical operations, which means they need 24/7 connectivity. Cellular failover provides a secondary internet connection that’s independent of wired network infrastructure. A cloud edge gateway with cellular failover ensures that IoT devices have uninterrupted access to the cloud even if the primary ISP connection goes down. The best solutions support high-speed 4G/5G cellular to reduce the performance impact of failover, as well as dual-SIM slots for redundancy.

In addition, admins need management access to edge infrastructure and IoT devices that is independent of both the WAN and the LAN (local area network), so if something like a firmware update causes the local network to go down, they can repair the issue without dispatching an expensive truck roll. Out-of-band (OOB) management uses a secondary network interface (like a 5G cellular SIM) to create an OOB network that’s dedicated to management and troubleshooting. An edge gateway with OOB management ensures that admins have 24/7 high-speed access to remote infrastructure so they can recover from problems faster and reduce downtime.

Secure hardware and software

The security threats to enterprise networks are ceaseless and growing more sophisticated by the day. Many IoT devices and edge locations operate with little-to-no human intervention, which means breaches could go undetected for a long time. In addition, it can be difficult to stay on top of patch schedules or remotely install security updates on so many devices in so many locations, which can leave edge networks vulnerable to attack.

The right cloud edge gateway comes with robust hardware security features like BIOS protection, encrypted disks, and geofencing that prevent malicious actors from using a stolen gateway to hijack edge networks. Its management software should also include Zero Trust security features like SAML 2.0 integration, selectable cryptographic protocols and cipher suite levels, and two-factor authentication (2FA). With a vendor-neutral solution like Nodegrid, admins can even use the cloud edge gateway to push out security updates to connected devices using the ZPE Cloud management platform.

Automation support

It’s growing more difficult for people to simultaneously manage the complex network infrastructures required for modern business operations while ensuring peak performance and 24/7 availability. Network automation solutions help decrease the burden on overworked admins and can improve the performance and reliability of edge networks.

Many edge gateways include some automation features as part of their management software. However, these tend to be limited to baked-in workflows, meaning admins may not be able to use custom scripts or third-party playbooks. The best cloud edge gateway has vendor-neutral automation support so admins can use their choice of automation solutions. For example, Nodegrid edge gateways can directly host automation playbooks from all the major platforms including Ansible and Puppet. Nodegrid also supports custom scripting and third-party integrations for even greater flexibility.

The best cloud edge gateway solution is vendor-neutral, uses high-speed cellular for failover and OOB management, follows Zero Trust best practices to keep the infrastructure secure, and supports all of the major automation tools and scripting languages. With the edge gateway market still being somewhat new, there’s really only one solution that checks all these boxes: the Nodegrid family of cloud edge gateway routers.

Why choose the Nodegrid cloud edge gateway solution?

There are six Nodegrid Services Router models to choose from based on your deployment size, networking requirements, and use case. For example, the Mini SR delivers versatile edge networking capabilities in a device approximately the size of an iPhone, which is perfect for mobile emergency response units or retail branches where space is at a premium.

For larger deployments, such as an edge compute data center or Smart Building system, the Net SR provides a modular solution with options for additional serial console ports, disk space, compute, PoE, and more.

Nodegrid’s vendor-neutral platform is extensible and capable of directly hosting other vendor solutions for automation, security, and other networking functions. Cellular failover and high-speed OOB are delivered via dual- or quad-SIM cellular slots with 5G/4G LTE support. Nodegrid devices are protected by secure hardware features, SAML 2.0 and 2FA support, and advanced authentication, plus the OS is kept up-to-date with frequent patches. Nodegrid is also the only cloud edge gateway with full support for all the top automation and IaC (infrastructure as code) solutions, including Ansible, Chef, and Puppet.

Ready to learn more about the Nodegrid cloud edge gateway solution?

Contact ZPE Systems today to learn more about the Nodegrid cloud edge gateway solution.

Contact Us