About the Micro-Segmentation Gatekeeper

The Micro-Segmentation Gatekeeper (MSG) is a hardware appliance that provides Zero Trust Security for devices which cannot install the zLink agent.  This may include:

• IoT or other hardware devices that the manufacturer has not opened for installation of 3rd party software

• Applications running on unsupported legacy operating systems (e.g. Windows NT, AIX, Solaris)

MSG hardware are available in different models with up to 32 port-pairs of Gigabit Ethernet; options for 10GE/40GE are also available. Contact Zentera Systems for complete information on the range of MSG hardware options. 

Planning a MSG Deployment

Port Pairs

Each pair of Gigabit Ethernet ports performs a Layer 2 pass-through, and supports hardware bypass. In the event of a software or hardware malfunction, including a loss of power, the MSG port pairs fail open for continued availability of the protected load.

It is recommended to recover from a failure as quickly as possible; while availability of the secured load is maintained, security controls are not operational.

Supported Deployment Configurations

Fully-Isolated Mode

A port-pair may connect directly to isolate protected devices as shown below. In this configuration, the MSG is deployed between the access switch and the protected device. It can provide complete east-west isolation for the protected device, creating a chamber with individual device granularity for up to 32 devices per MSG. This mode enables the chamber controls to be matched tightly with the function of the downstream protected device.

High-Density Mode

A port-pair may also be connected upstream of the aggregation switch. In this mode, each port can protect up to 48 downstream devices, allowing one 32 port-pair MSG to protect up to 1,536 devices. However, it trades off security to achieve this density, as east-west control is no longer possible at the individual device level, and the chamber behind each MSG port-pair can must be programmed to support all of its downstream devices.

Onboarding the MSG

Onboarding an MSG is similar to onboarding a zLink agent or Gateway Proxy.

From Onboarding and Management > Manage MSGs, click the 'Register MSG +' button.

This brings up the dialog for generating an installer package:

You may copy the wget or curl command and run it from the MSG command prompt in order to download the package directly to the MSG, or you may download it to your computer and transfer it to the MSG separately.

From the MSG console, uncompress the installer and run the install-zlink shell script (requires sudo privilege).  Once complete, the MSG service will start and connect to zCenter; the MSG will be visible in Onboarding and Management > Manage MSGs:

You may then click on the

 icon in the action menu to view the MSG dashboard, which displays the MSG information, the network interface and port status, as well as CPU, disk, and memory utilization.

Selecting the license type

As described above, the CoIP MSG Standard License and Premium License differ in the supportable deployment configurations; the Standard License supports only Isolated Device mode, while the Premium License enables High Density Mode.

The MSG license defaults to Standard.  To change it to Premium, open the dashboard, and click on the license type under MSG Information. This allows you to select the Premium license type.

Once onboarded, you may proceed to set up an MSG Device Group and assign Chamber Policies or Access Policies.