Introduction

Organizations began moving in droves to the Zero Trust security model in 2019, implementing a “never trust, always verify, enforce least privilege” approach to internal and external network access. Under this model, traffic inside the perimeter deserves no more trust than traffic outside: all traffic is inspected and logged, and every access request is verified, authenticated and validated on a need-to-know basis.

This approach does have a number of shortcomings, however, including but not limited to the following:

  • Restricting network access too harshly or verifying access requests too slowly can create crippling network bottlenecks.
  • Network issues such as DDoS attacks, human error, and poorly patched or misconfigured devices are not addressed by the model itself.
  • Traditional NGFW solutions tend to perform poorly on CPU-intensive services such as encrypted traffic inspection.

Requirements

One of Lanner’s current customers came looking for a hardware appliance on which its proprietary solution could run: a solution for identifying, tracking and isolating devices, applications and workflows according to business and security requirements.

The solution must deliver the following components:

  • Network access control for identifying/tracking all connected devices so that their roles and privileges within a network can be determined, granted, limited or revoked.
  • Internal segmentation firewalls (ISFWs) for delivering the scalability, span of control and performance robustness not found in traditional NGFW solutions.
  • Intent-based segmentation for interpreting and then converting business and security requirements into specific segmentation policies so that workflows and applications can be protected and isolated without bottlenecks.
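The three components above form one pipeline: device identification produces a tagged inventory, intents are written over those tags rather than over addresses, and the segmentation firewall enforces the host-level rules compiled from them. The following is an added illustration of that pipeline in Python; it is not Lanner’s or the customer’s code, and the inventory, role tags, intents and flows it uses are constructed for the example.

```python
"""Intent-based segmentation reduced to a small, runnable policy model.

Added illustration, not Lanner's or the customer's code. The inventory,
role tags, intents and test flows below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Stage 1 (network access control): inventory produced by device
# identification, each host tagged with a role and the zone it sits in.
# Constructed sample data.
ASSETS: Dict[str, Dict[str, str]] = {
    "10.10.1.20": {"role": "hmi", "zone": "control"},
    "10.10.2.7":  {"role": "plc", "zone": "field"},
    "10.10.2.8":  {"role": "plc", "zone": "field"},
    "10.20.0.5":  {"role": "historian", "zone": "dmz"},
    "10.30.0.9":  {"role": "workstation", "zone": "it"},
}

# Stage 2 (intent): requirements stated over roles, never over addresses.
# (source role, destination role, protocol, destination port)
INTENTS: List[Tuple[str, str, str, int]] = [
    ("hmi", "plc", "tcp", 502),          # HMIs poll PLCs over Modbus/TCP
    ("historian", "plc", "tcp", 44818),  # historian reads PLCs over EtherNet/IP
]


@dataclass(frozen=True)
class Rule:
    """One explicit host-level rule as a segmentation firewall would enforce."""
    src: str     # source IP or "any"
    dst: str     # destination IP or "any"
    proto: str   # "tcp", "udp" or "any"
    port: int    # destination port, 0 = any
    action: str  # "allow" or "deny"


def compile_intents(assets: Dict[str, Dict[str, str]],
                    intents: List[Tuple[str, str, str, int]]) -> List[Rule]:
    """Stage 3: expand role-level intents into host-level allow rules and
    close the policy with a default deny. Re-running this after a device is
    added, re-tagged or removed regenerates the rule set, which is how
    privileges are granted, limited or revoked without hand-editing rules."""
    by_role: Dict[str, List[str]] = {}
    for ip, tags in assets.items():
        by_role.setdefault(tags["role"], []).append(ip)
    rules: List[Rule] = []
    for src_role, dst_role, proto, port in intents:
        for src in by_role.get(src_role, []):
            for dst in by_role.get(dst_role, []):
                rules.append(Rule(src, dst, proto, port, "allow"))
    rules.append(Rule("any", "any", "any", 0, "deny"))  # default deny
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation of a flow against the compiled rule set.
    Hosts that are not in the inventory match nothing but the final deny."""
    for r in rules:
        if (r.src in ("any", src) and r.dst in ("any", dst)
                and r.proto in ("any", proto) and r.port in (0, port)):
            return r.action
    return "deny"


if __name__ == "__main__":
    policy = compile_intents(ASSETS, INTENTS)
    for flow in [("10.10.1.20", "10.10.2.7", "tcp", 502),   # HMI -> PLC, Modbus
                 ("10.30.0.9", "10.10.2.7", "tcp", 502),    # IT workstation -> PLC
                 ("10.10.1.20", "10.10.2.7", "tcp", 22)]:   # HMI -> PLC, SSH
        print(flow, "->", evaluate(policy, *flow))
```

Two properties of this shape are what make the approach workable on a real segmentation firewall: the rule set is regenerated from the inventory rather than edited in place, so removing a host from the inventory revokes every allow that named it, and the trailing default deny means a device the NAC stage never identified cannot talk to anything until it has been classified.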

Lanner Solution

Lanner’s NCA-5710, powered by the 2nd Gen Intel® Xeon® Processor Scalable Family (Skylake-SP/Cascade Lake-SP), not only offers dual-CPU computing power and virtualization capacity in a 19” 1U form factor with high port density but also features Intel® QuickAssist Technology, the new Intel® AVX-512 instructions, Intel® Hyperscan and the Data Plane Development Kit (DPDK).

With support for up to 384GB of DDR4 system memory at 2666 MHz, the NCA-5710 maximizes packet-processing efficiency for virtual network functions and provides cryptography acceleration for deep packet inspection, next-generation firewall and UTM/IPS/IDS applications.

For networking tasks, the NCA-5710 comes with dual LGA3647 CPU sockets and can be configured with either 4x GbE RJ-45 or 4x 10G SFP+ ports. LAN expansion is provided by its 4x NIC module slots, which support 10G/25G/40G/100G fiber/copper/bypass modules.

The NCA-5710’s other notable features include dual console ports (RJ45 & mini-USB), dual USB 3.0 ports, 6x individually swappable fans, dual 2.5” HDD/SSD bays, 1x M.2, 850W 1+1 ATX redundant PSUs and an optional PCIe x16 FH/HL slot.

Benefits

When deployed as an advanced internal segmentation IPS, the NCA-5710’s server-grade hardware design delivers a number of benefits. The appliance sustains 10 Gbps with threat prevention enabled; its 4x NIC slots open up a wide range of networking and I/O configurations and expansion options; and it can be equipped for 24/7 operation with hardware bypass, 6x individually swappable fans and 850W 1+1 ATX redundant PSUs.

All in all, the multi-pronged advantages can be summarized as below:

1.    Structured configuration, straightforward maintenance, and coherent administration

  • No-frills deployment with existing network transparency. 
  • Industry standard hardware design with 1U rack-mount sizing for OT environments.

2.    Network protection with deployment flexibility and multi-segments

  • Real-time and uninterrupted threat protection with easy installation and management through a centralized interface.
  • Vulnerability protection extended to encompass even unpatched devices and legacy systems.

3.    Device visibility and network reliability for all mission-critical assets

  • High-level asset visibility, passive asset identification and visibility into IT/OT traffic.
  • Incident and traffic monitoring with log tracing.

4.    High availability and 24/7 operation

  • Multi-port configurations with hardware bypass for failover across multiple segments.
  • Redundant power supplies and system fans.

Results

With this appliance the customer was able to deliver intent-based network segmentation, on which it built a network architecture providing convenient and reliable ICS network security, cyber-attack detection and elimination, and reduced incident impact.

In this case Lanner’s NCA-5710 proved to be the ideal purpose-built appliance for rack-mounted deployments that fit transparently into an IT-OT convergence network environment. Equipped with in-depth OT protocol filtering, the NCA-5710 enables effective and manageable micro-segmentation of a complex environment, isolating and protecting multi-segment networks. Network and device visibility and cyber defense also extend to legacy systems and unpatched devices, ensuring uninterrupted operations.

Featured Product

NCA-5710

1U Rackmount Network Appliance for Network Traffic Management and Virtualized Network Security

CPU: 2nd Gen Intel® Xeon® Processor Scalable Family (Skylake-SP/Cascade Lake-SP)
Chipset: Intel® C621/627