About the Micro-Segmentation Gatekeeper
The Micro-Segmentation Gatekeeper (MSG) is a hardware appliance that provides Zero Trust Security for devices which cannot install the zLink agent. This may include:
IoT or other hardware devices that the manufacturer has not opened for installation of third-party software
Applications running on unsupported legacy operating systems (e.g. Windows NT, AIX, Solaris)
MSG hardware is available in different models with up to 32 port-pairs of Gigabit Ethernet; options for 10GE/40GE are also available. Contact Zentera Systems for complete information on the range of MSG hardware options.
Planning an MSG Deployment
Each pair of Gigabit Ethernet ports performs a Layer 2 pass-through, and supports hardware bypass. In the event of a software or hardware malfunction, including a loss of power, the MSG port pairs fail open for continued availability of the protected load.
Make sure to take steps to recover from a failure as quickly as possible; while availability of the secured load is maintained, security controls are bypassed and not operational.
Supported Deployment Configurations
A port-pair may connect directly to a protected device to isolate it. In this configuration, the MSG is deployed between the access switch and the protected device. It can provide complete east-west isolation for the protected device, creating a chamber with individual device granularity for up to 32 devices per MSG. This mode enables the chamber controls to be matched tightly with the function of the downstream protected device.
In this fully isolated mode, the MSG uses the CoIP MSG Standard license type.
A port-pair may also be connected upstream of the aggregation switch. In this mode, each port-pair can protect up to 48 downstream devices, allowing one 32 port-pair MSG to protect up to 1,536 devices. However, this density comes at the cost of security: east-west control is no longer possible at the individual device level, and the chamber behind each MSG port-pair must be programmed to support all of its downstream devices.
In the high-density mode, the MSG uses the CoIP MSG Premium license type.
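The trade-off between the two modes can be made concrete with a small planning script. This is an added example, not Zentera code: the inventory, the switch names and the "proto/port" flow strings are constructed, and the only product figures it uses are the 32 port-pair and 48-device limits stated above.

```python
from collections import defaultdict
from math import ceil

PORT_PAIRS_PER_MSG = 32      # largest model described on this page
DEVICES_PER_PORT_PAIR = 48   # high-density limit stated on this page

# Constructed inventory: (device, aggregation switch, flows the device needs).
INVENTORY = [
    ("plc-1",    "sw-a", {"tcp/502"}),
    ("plc-2",    "sw-a", {"tcp/502"}),
    ("camera-1", "sw-a", {"tcp/554", "tcp/443"}),
    ("nt-app",   "sw-b", {"tcp/1433"}),
]

def plan(inventory, high_density):
    """Return license type, port-pair and MSG counts, and per-device excess flows."""
    chambers = defaultdict(list)
    for name, switch, flows in inventory:
        # Isolated mode: one chamber per device.
        # High-density mode: one chamber per aggregation switch uplink.
        key = switch if high_density else name
        chambers[key].append((name, flows))

    port_pairs, excess = 0, {}
    for key, members in chambers.items():
        if len(members) > DEVICES_PER_PORT_PAIR:
            raise ValueError(
                f"{key}: more than {DEVICES_PER_PORT_PAIR} devices behind one port-pair")
        port_pairs += 1
        # The chamber must allow every flow that any downstream device needs.
        allowed = set().union(*(flows for _, flows in members))
        for name, flows in members:
            # Flows the chamber permits that this device does not itself need.
            excess[name] = sorted(allowed - flows)

    return {
        "license": "CoIP MSG Premium" if high_density else "CoIP MSG Standard",
        "port_pairs": port_pairs,
        "msgs": ceil(port_pairs / PORT_PAIRS_PER_MSG),
        "excess": excess,
    }

if __name__ == "__main__":
    for mode in (False, True):
        print(plan(INVENTORY, high_density=mode))
```

A non-empty `excess` list for a device is the exposure accepted by sharing a chamber: traffic the port-pair must permit only because a neighbouring device needs it.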
Onboarding the MSG
Onboarding an MSG is similar to onboarding a zLink agent or Gateway Proxy.
The MSG ships from Zentera with all port-pairs configured as L2 bypass. You do not need to do any additional configuration before installing in your network.
From Onboarding and Management > Manage MSGs, click the 'Register MSG +' button.
This brings up the dialog for generating an installer package.
You may copy the wget or curl command and run it from the MSG command prompt in order to download the package directly to the MSG, or you may download it to your computer and transfer it to the MSG separately.
From the MSG console, uncompress the installer and run the install-zlink shell script (requires sudo privilege). Once complete, the MSG service will start and connect to zCenter; the MSG will be visible in Onboarding and Management > Manage MSGs.
You may then click on the icon in the action menu to view the MSG dashboard, which displays the MSG information, the network interface and port status, as well as CPU, disk, and memory utilization.
Selecting the license type
As described above, the CoIP MSG Standard License and Premium License differ in the supportable deployment configurations; the Standard License supports only Isolated Device mode, while the Premium License enables High Density Mode.
The MSG license defaults to Standard. To change it to Premium, open the dashboard, and click on the license type under MSG Information. This allows you to select the Premium license type.
Your zCenter must have enough licenses of the appropriate type for the MSG to check out the correct license.
Once onboarded, you may proceed to set up an MSG Device Group and assign Chamber Policies or Access Policies.