Building a network infrastructure based on Nebula. Part 1 - Challenges and Solutions

This article discusses the problems of building and running a network infrastructure the traditional way, and how the same issues can be solved with cloud technologies.

For reference: Nebula is a SaaS cloud environment for the remote maintenance of network infrastructure. All Nebula-enabled devices are managed from the cloud over a secure connection, so a large, distributed network infrastructure can be managed from a single center without the effort of building that center yourself.

Why do we need yet another cloud service?

The main difficulty with a network infrastructure is not the network design, the equipment purchase, or even the rack mounting, but everything that will have to be done with this network afterwards.

New network - old worries

When a new network node is commissioned, the initial setup begins right after the equipment is installed and connected. From the point of view of the "big bosses" there is nothing complicated about it: "We take the working documentation for the project and start configuring..." That is easy to say when all the network elements are in one data center. If they are scattered across branches, the headache starts with providing remote access. It is a vicious circle: to get remote access over the network you need to configure the network equipment, and to do that you need access over the network...

Various schemes are invented to get out of this impasse. For example, a laptop with Internet access via a USB 4G modem is connected by a patch cord to the network being configured. A VPN client is started on this laptop, and through it the network administrator at headquarters tries to reach the branch network. The scheme is far from transparent: even if you bring a laptop with a pre-configured VPN to the remote site and ask someone to turn it on, there is no guarantee that everything will work the first time, especially in a different region with a different provider.

It turns out that the most reliable way is to have a good specialist "at the other end of the wire" who can set up their part according to the project. If there is no such person on the branch's staff, the remaining options are outsourcing or a business trip.

We also need a monitoring system. It has to be installed, configured, and maintained (at the very least, keep an eye on disk space and make regular backups). And it knows nothing about our devices until we tell it. To do this, the settings for every piece of equipment have to be entered, and the records have to be regularly checked for accuracy.

It is great when the staff includes a "one-man band" who, in addition to the specific knowledge of a network administrator, also knows how to work with Zabbix or a similar system. Otherwise, we hire one more person or outsource.

Note. The saddest failures begin with the words: "What is there to configure in this Zabbix (Nagios, OpenView, etc.)? I'll bring it up in a minute and it's done!"

From implementation to operation

Let's look at a specific example.

An alarm arrives: a WiFi access point somewhere is not responding.

Where is it located?

Of course, a good network administrator keeps a personal directory in which everything is recorded. The questions begin when this information needs to be shared. For example, you urgently need to send someone to sort it out on site, and for this you have to produce something like: "Access point in the business center on Stroiteley Street, building 1, 3rd floor, office 301, next to the front door under the ceiling."

Let's say we are lucky: the access point is powered via PoE and the switch allows it to be rebooted remotely. Nobody has to go anywhere, but remote access to the switch is needed. That means configuring port forwarding through PAT on the router, dealing with VLANs for connecting from the outside, and so on. Good if all of this was set up in advance. The work may not be difficult, but it has to be done.

So, the access point was rebooted. It didn't help?

Let's say something is wrong with the hardware. Now we are looking for information about the warranty, the date it entered service, and other interesting details.

Speaking of WiFi: using the home-style WPA2-PSK, where one key is shared by all devices, is not recommended in a corporate environment. First, a single key for everyone is simply unsafe; second, when one employee leaves, this shared key has to be changed and the settings reconfigured on every device for every user. WPA2-Enterprise avoids this trouble with individual authentication for each user, but it requires a RADIUS server: another infrastructure unit that must be managed, backed up, and so on.

Note that at each stage, whether implementation or operation, we relied on auxiliary systems: a laptop with "third-party" Internet access, a monitoring system, a reference database for the equipment, and RADIUS as an authentication system. Besides the network devices themselves, these third-party services also have to be maintained.

In such cases you can hear the advice: "Put it in the cloud and stop suffering." Surely there is a cloud Zabbix, perhaps somewhere there is a cloud RADIUS, and even a cloud database for keeping a list of devices. The trouble is that these are not needed separately, but "in one bottle". And there are still the questions of organizing access, initial device setup, security, and much more.

What does this look like with Nebula?

Of course, initially the "cloud" does not know anything about our plans or about the purchased equipment.

First, an organization profile is created. That is, the entire infrastructure, headquarters and branches, is first registered in the cloud. Details are entered, and accounts for delegating authority are created.

There are two ways to register devices in the cloud: the old-fashioned way, by simply entering the serial number into a web form, or by scanning a QR code with a mobile phone. All the second method needs is a smartphone with a camera and Internet access, including through a mobile provider.

The infrastructure for storing this information, both inventory records and settings, is of course provided by Zyxel Nebula.

Figure 1. Nebula Control Center Security Report.

What about access settings? Opening ports, forwarding traffic through an inbound gateway, everything that security administrators affectionately call "poking holes"? Fortunately, none of this is necessary. Devices running Nebula establish an outgoing connection, and the administrator does not connect to each device separately for configuration, but to the cloud. Nebula acts as an intermediary between two connections: one with the device and one with the network administrator's computer. This means the stage of calling in a visiting administrator can be minimized or skipped altogether, and there are no additional "holes" in the firewall.

But what about the RADIUS server? After all, some kind of centralized authentication is needed!

These functions are also taken over by Nebula. Authentication of accounts for access to the equipment goes through a secure database, which greatly simplifies delegating and revoking management rights. To grant rights, we create the user and assign a role; to revoke them, we perform the reverse actions.

We should also mention WPA2-Enterprise, which requires a separate authentication service. Zyxel Nebula has its own analogue, DPPSK, which allows WPA2-PSK to be used with an individual key for each user.
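The argument above (one shared passphrase means one key for everybody, so one departing employee forces a key change on every device, whereas a per-user key can simply be dropped) can be made concrete with the standard WPA2 key derivation. The following is an added example, not code from the article or from Zyxel; it uses the IEEE 802.11i PSK-to-PMK derivation (PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes, SSID as salt) with a constructed SSID and constructed passphrases, and it models the per-user case generically rather than describing how DPPSK is implemented:

```python
import hashlib
from typing import Dict, List

# Constructed sample network; SSID and passphrases are illustrative only.
SSID = "corp-wifi"
USERS = ["alice", "bob", "carol"]


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def shared_psk_keys(users: List[str], passphrase: str, ssid: str) -> Dict[str, bytes]:
    """Classic WPA2-PSK: every station derives the same PMK from the one shared passphrase."""
    return {u: wpa2_pmk(passphrase, ssid) for u in users}


def per_user_keys(user_passphrases: Dict[str, str], ssid: str) -> Dict[str, bytes]:
    """Per-user PSK (DPPSK-style, assumed model): each user has an individual passphrase, hence PMK."""
    return {u: wpa2_pmk(p, ssid) for u, p in user_passphrases.items()}


def distinct_pmk_count(keys: Dict[str, bytes]) -> int:
    return len(set(keys.values()))


def revoke_user(keys: Dict[str, bytes], departing: str, shared: bool) -> int:
    """Remove one user's access and return how many OTHER clients must be reconfigured.

    Shared PSK: the key is still known to the leaver, so a new passphrase is needed and
    every remaining client has to be re-provisioned. Per-user: only that entry is deleted.
    """
    remaining = {u: k for u, k in keys.items() if u != departing}
    if shared:
        new_passphrase = "rotated-passphrase-constructed"  # constructed replacement key
        for u in remaining:
            remaining[u] = wpa2_pmk(new_passphrase, SSID)
        return len(remaining)
    return 0


def demo() -> Dict[str, int]:
    shared = shared_psk_keys(USERS, "OfficePassphrase2020", SSID)
    individual = per_user_keys({"alice": "a-key-1", "bob": "b-key-2", "carol": "c-key-3"}, SSID)
    return {
        "shared_distinct_pmks": distinct_pmk_count(shared),          # 1: everyone has the same PMK
        "per_user_distinct_pmks": distinct_pmk_count(individual),    # 3: one PMK per user
        "shared_reconfigure_on_leave": revoke_user(shared, "bob", shared=True),       # 2 clients
        "per_user_reconfigure_on_leave": revoke_user(individual, "bob", shared=False),  # 0 clients
    }


if __name__ == "__main__":
    print(demo())
```

The derivation function is the real one, so `wpa2_pmk("password", "IEEE")` reproduces the published 802.11i test vector; everything about users and revocation is a model of the operational argument, not of any vendor feature.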

"Inconvenient" questions

Below we try to answer the trickiest questions that are usually asked when moving to a cloud service.

Is it really safe?

In any delegation of control and management, two factors play an important role in ensuring security: anonymization and encryption.

The use of encryption to protect traffic from prying eyes is more or less familiar to readers.

Anonymization hides information about the owner and the source from the cloud provider's staff. Personal information is removed and records are assigned a "faceless" identifier. Neither the developer of the cloud software nor the administrator maintaining the cloud system can know who the requests belong to. "Where did this come from? Who might be interested in it?" Such questions remain unanswered. Without information about the owner and source, insider information becomes worthless.

If we compare this approach with the traditional practice of outsourcing or hiring a visiting administrator, cloud technologies are clearly safer. The visiting IT specialist knows a lot about the organization in their care and can, willingly or unwillingly, cause significant harm in terms of security. The issue of dismissal or contract termination still has to be handled. Sometimes, in addition to blocking or deleting an account, this entails changing passwords for every service, as well as an audit of all resources for "forgotten" entry points and possible backdoors.

How much more expensive or cheaper is Nebula than a visiting admin?

Everything is relative. The basic functions of Nebula are available for free. Actually, what could be even cheaper?

Of course, it is impossible to do entirely without a network administrator or someone filling that role. The question is the number of people, their specialization, and their distribution across sites.

As for the paid extended service, a direct question of "more expensive or cheaper" will always give an inaccurate, one-sided answer. It is more correct to compare many factors, from the money paid for the work of specific specialists to the cost of managing their interaction with a contractor or individual: quality control, preparation of documentation, maintaining the level of security, and so on.

If the question is whether buying the paid service package (Pro-Pack) pays off, an approximate answer is this: a small organization can get by with the basic version; a growing organization should consider Pro-Pack. The differences between the Zyxel Nebula versions are shown in Table 1.

Table 1. Feature set differences between the base version and the Nebula Pro-Pack version.


This includes advanced reporting, user auditing, configuration cloning, and much more.

And what about traffic protection?

Nebula uses the NETCONF protocol to secure management of the network equipment.

NETCONF can run on top of several transport protocols.

Compared with other management methods, such as SNMP, NETCONF supports an outgoing TCP connection from the device, which gets around the NAT barrier, and is considered more reliable.
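To show what the NETCONF session behind this management model looks like on the wire, here is an added example (not code from the article, from Zyxel, or from Nebula). It models the direction of connection described above: with NETCONF Call Home (RFC 8071) the device opens the TCP connection, but it still plays the NETCONF server role once the session is up. The example implements the `<hello>` capability exchange and the two message framings from RFC 6242 (the `]]>]]>` end-of-message delimiter of base:1.0 and the chunked framing of base:1.1), negotiates the framing exactly as RFC 6241 requires, and then passes one `<get-config>` RPC through it. The capability set of the "device" is constructed; transport encryption (SSH or TLS) is assumed to sit underneath and is not simulated:

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_10 = "urn:ietf:params:netconf:base:1.0"
BASE_11 = "urn:ietf:params:netconf:base:1.1"
EOM = b"]]>]]>"  # base:1.0 end-of-message delimiter (RFC 6242 section 4.3)


def build_hello(capabilities: List[str], session_id: Optional[int] = None) -> str:
    """Serialize a NETCONF <hello>; only the server side includes <session-id>."""
    caps = "".join(f"<capability>{c}</capability>" for c in capabilities)
    sid = f"<session-id>{session_id}</session-id>" if session_id is not None else ""
    return (f'<?xml version="1.0" encoding="UTF-8"?><hello xmlns="{NC_NS}">'
            f"<capabilities>{caps}</capabilities>{sid}</hello>")


def parse_hello(xml_text: str) -> Tuple[List[str], Optional[int]]:
    root = ET.fromstring(xml_text)
    caps = [c.text.strip() for c in root.iter(f"{{{NC_NS}}}capability")]
    sid = root.find(f"{{{NC_NS}}}session-id")
    return caps, (int(sid.text) if sid is not None else None)


def negotiate_framing(client_caps: List[str], server_caps: List[str]) -> str:
    """RFC 6241 section 8.1: chunked framing only if BOTH peers advertise base:1.1."""
    if BASE_11 in client_caps and BASE_11 in server_caps:
        return "chunked"
    if BASE_10 in client_caps and BASE_10 in server_caps:
        return "eom"
    raise ValueError("no common NETCONF base version")


def frame(message: str, mode: str) -> bytes:
    data = message.encode()
    if mode == "eom":
        return data + EOM
    # RFC 6242 section 4.2: "\n#<size>\n<chunk-data>" ... "\n##\n"
    return b"\n#" + str(len(data)).encode() + b"\n" + data + b"\n##\n"


def unframe(buf: bytes, mode: str) -> Tuple[str, bytes]:
    """Return (message, leftover bytes); raise on an incomplete or malformed frame."""
    if mode == "eom":
        msg, sep, rest = buf.partition(EOM)
        if not sep:
            raise ValueError("incomplete message: no end-of-message delimiter")
        return msg.decode(), rest
    pos, out = 0, bytearray()
    while True:
        m = re.match(rb"\n#(\d+)\n", buf[pos:])
        if m:
            size = int(m.group(1))
            pos += m.end()
            if size == 0 or pos + size > len(buf):
                raise ValueError("bad chunk size")
            out += buf[pos:pos + size]
            pos += size
            continue
        if buf.startswith(b"\n##\n", pos):
            return out.decode(), buf[pos + 4:]
        raise ValueError("malformed chunk framing")


def simulate_session() -> Dict[str, object]:
    """One session: device (server) and manager (client) exchange hellos, then one RPC."""
    client_caps = [BASE_10, BASE_11]
    device_caps = [BASE_10, BASE_11,  # constructed capability set for the sample device
                   "urn:ietf:params:netconf:capability:candidate:1.0"]
    # 1. Both sides send <hello>; hellos are always EOM-framed (RFC 6242 section 4.1).
    device_hello, _ = unframe(frame(build_hello(device_caps, session_id=42), "eom"), "eom")
    client_hello, _ = unframe(frame(build_hello(client_caps), "eom"), "eom")
    seen_device_caps, session_id = parse_hello(device_hello)
    seen_client_caps, _ = parse_hello(client_hello)
    mode = negotiate_framing(seen_client_caps, seen_device_caps)
    # 2. The manager sends an <rpc> in the negotiated framing; the device decodes it.
    rpc = (f'<rpc message-id="101" xmlns="{NC_NS}">'
           "<get-config><source><running/></source></get-config></rpc>")
    received, leftover = unframe(frame(rpc, mode), mode)
    root = ET.fromstring(received)
    return {"framing": mode, "session_id": session_id,
            "message_id": root.get("message-id"),
            "operation": root[0].tag.split("}")[1], "leftover": leftover}


if __name__ == "__main__":
    print(simulate_session())
```

The point to take from it is that the management protocol is session- and capability-negotiated and message-framed over an already authenticated transport; which side dialled the TCP connection does not change who is server and who is client, which is why an outbound-only device can still be fully managed.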

What about hardware support?

Of course, the server room should not be turned into a zoo of rare and endangered species of equipment. It is highly desirable that the equipment, together with the management technology, covers every level, from the core switch to the access points. Zyxel engineers have taken care of this. Many devices run Nebula:

  • 10G central switches;
  • access level switches;
  • switches with PoE;
  • access points;
  • network gateways.

With such a range of supported devices, networks can be built for various kinds of tasks. This is especially relevant for companies that grow not upward but outward, constantly opening new sites for doing business.

Continuous development

Network devices with a traditional management method have only one way to improve: changing the device itself, whether through new firmware or additional modules. With Zyxel Nebula there is an additional path for improvement, through the cloud infrastructure itself. For example, after the update of the Nebula Control Center (NCC) to version 10.1 (September 21, 2020), new features became available to users; here are some of them:

  • the owner of an organization can now transfer all ownership rights to another administrator in the same organization;
  • a new role, "Owner Representative", with the same rights as the owner of the organization;
  • a new organization-wide firmware upgrade feature (Pro-Pack feature);
  • two new options in the topology view: reboot the device, and power a PoE port on and off (Pro-Pack feature);
  • support for new access point models: WAC500, WAC500H, WAC5302D-Sv2 and NWA1123ACv3;
  • support for voucher authentication with printable QR codes (Pro-Pack feature).

Useful links

  1. Telegram chat Zyxel
  2. Zyxel Hardware Forum
  3. Lots of helpful videos on Youtube
  4. Zyxel Nebula - ease of management as a basis for savings
  5. Difference between Zyxel Nebula versions
  6. Zyxel Nebula and company growth
  7. Is the Zyxel Nebula Supernova Cloud a Cost-Effective Path to Security?
  8. Zyxel Nebula - Options for Your Business

Source: habr.com
