
Zyxel Nebula - ease of management as the basis for savings


In place of a preface


This article is devoted to such very "non-technical" things as simplicity and ease of management. This is not about ergonomics and various features of the interface, but about an integrated approach.

What does simplifying the management system achieve?

Ask an ordinary administrator, for example, and you may hear answers like these:

"Well, it will be more convenient to work ..."
“It’s not necessary to run to the server room once more or write to the attendants on duty ...”.
"As for me, as long as it works somehow: the admin sleeps, the traffic flows" ...
In fact, the answer to this question is quite simple - the simpler the system is to manage, the more time and money you can save.

We could say that this is true only for beginners. And as soon as the IT specialist receives the status of a network guru, he instantly begins to solve network issues “with one hand” and the inconvenient management is compensated by knowledge and experience.

But that is not the case.

The fact is that routine operations make up most of the work of setting up and maintaining a network of any complexity. The more complex the network, the higher the qualifications of the network administrator, and so the more money the organization loses on routine operations.

At the same time, with less experienced specialists, each system management operation takes even more time.

It turns out to be a paradox - whatever the qualifications of the network administrator, it still will not be possible to avoid monetary losses due to an inefficient network infrastructure management system.

In any particular case one can say that more was lost here and less there, but in general no one has yet managed to avoid such costs.

Where does the time go?


So far we have spoken only in general terms: inefficient, difficult, inconvenient ...
But what actually is an effective system?

Is it all about the design? Design, of course, is important, but the fact is that all people are different. And many design solutions created for some people are absolutely not suitable for others. That is why there are still various third-party applications for managing this or that hardware and software.

What is routine? It is when you have to do a bunch of small repetitive operations. Or, on the contrary, when you have to perform a set of many different actions whose connection to one another is, at times, not quite obvious.

One of the key points is the presence or absence of an integrated approach. If it is possible to develop some common templates and on their basis to create appropriate tools that facilitate management - this is already a great help.

Routine is when each device has to be configured separately and only in rare cases can you apply any presets like configuration file templates.

It is another matter if the network administrator can prepare templates, policies and group settings in advance and apply them later.

Simply put, it’s good when you don’t have to waste your time on constantly configuring everything and everyone, and, accordingly, on constantly documenting it.

To get there, you have to build a single network management infrastructure yourself, often using products from third-party companies, and only then can you use the results of your hard work.

So are we back where we started: with costs, only now for building the system?

It would be much better if a unified management system started working together with the network equipment immediately, out of the box.

This possibility already exists.

Zyxel Nebula as a symbol of ease of management


As mentioned above, when all network equipment is miraculously connected to a single control node, it is much easier to work with it.

Take, for example, such a simple task as setting up a VPN.

If you build such a system on network gateways that are managed in the traditional way, you have to spend a lot of time and effort.

Let us look at the case where an IPsec channel is built between two hardware gateways, a ZyWALL USG 50 and a ZyWALL USG 100.

Note. This description is given primarily to show what step-by-step configuration of two network gateways in the traditional way involves. Regardless of whether you use the web interface or the command line interface, you still have to complete all these configuration steps.

On the ZyWALL USG 50 you need to do the following steps:

  1. In the Network - Interface - Ethernet menu, set the static IP address on the wan1 interface.
  2. In the Object - Address menu, create an object in which the remote subnet will be specified.
  3. To create an IPSec tunnel, go to the VPN menu - IPSec VPN - VPN Gateway and create a new rule with the IP address of the remote VPN gateway.
  4. In the My Address - Interface field, specify the wan1 interface, and in the Peer Gateway Address - Static Address field, specify the IP address of the gateway with which the ZyWALL USG 50 will establish a VPN tunnel. In the Pre-Shared Key field, enter the pre-agreed key, which must match on both sides of the tunnel.
  5. After configuring the VPN Gateway, go to the VPN menu - IPSec VPN - VPN Connection to further configure the VPN connection.
  6. In the Application Scenario section, select the value Site-to-site, and in the VPN Gateway field, select the rule created earlier.
  7. In the Local policy field, specify the local subnet, and in the Remote policy field, specify the remote subnet.
  8. Next, from the Network - Zone menu, edit the IPSec_VPN zone, of which the VPN connection created earlier will be a member.
  9. Then, from the Network - Firewall menu, create a firewall rule for passing network traffic from the VPN tunnel to the local subnet. Next, specify the traffic direction in relation to the IPSec_VPN zone, which includes the IPSec tunnel you created.

Note. The firewall on the ZyWALL USG 100 hardware gateway is configured in the same way.

That's not all. Now move on to setting up the ZyWALL USG 100:

  1. In the Network - Interface - Ethernet menu, you should set a static IP address on the wan1 interface.
  2. In the Object - Address menu, you need to create an object in which the remote subnet will be specified.
  3. To create an IPSec tunnel in the VPN menu - IPSec VPN - VPN Gateway, you need to create a new rule with the IP address of the remote VPN gateway.
  4. In the My Address - Interface field, you need to specify the wan1 interface, and in the Peer Gateway Address - Static Address field, enter the IP address of the gateway with which the ZyWALL USG 100 will establish a VPN tunnel. In the Pre-Shared Key field - enter the previously agreed key, which must match on both sides of the tunnel.
  5. After configuring the VPN Gateway, you will need to go to the VPN menu - IPSec VPN - VPN Connection to further configure the VPN connection.
  6. In the Application Scenario section, select the Site-to-site value and in the VPN Gateway field, select a predefined rule.
  7. In the Local policy field, you must specify the local subnet, and in the Remote policy field, the remote subnet.
  8. Next, you need to configure the firewall on the ZyWALL USG 100. It is configured the same way as on the ZyWALL USG 50.

Finally, a VPN connection is created.

As I said above, the purpose of this brief description was to demonstrate the variety of settings on equipment with traditional management. A full description with all the details can be found in the knowledge base article listed under Sources [2].

Of course, different vendors may have different steps. But the overall pattern is the same: first we configure one node step by step, then the second. If we make a mistake or overlook something, we check and recheck everything from the first step.
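Much of that rechecking is cross-checking the two sides against each other, which can be scripted. The sketch below is an added example, not code from the article or from Zyxel; the dictionary keys are hypothetical names that mirror the web interface fields in the steps above, and the addresses and key are constructed sample values.

```python
import hmac
import ipaddress

# Constructed sample values (documentation address ranges, placeholder key).
# The keys are hypothetical names mirroring the web UI fields in the steps above.
usg50 = {
    "name": "ZyWALL USG 50",
    "wan1_address": "192.0.2.10",
    "peer_gateway_address": "198.51.100.20",
    "pre_shared_key": "EXAMPLE-placeholder-key",
    "local_policy": "192.168.1.0/24",
    "remote_policy": "192.168.2.0/24",
}
usg100 = {
    "name": "ZyWALL USG 100",
    "wan1_address": "198.51.100.20",
    "peer_gateway_address": "192.0.2.10",
    "pre_shared_key": "EXAMPLE-placeholder-key",
    "local_policy": "192.168.2.0/24",
    "remote_policy": "192.168.1.0/24",
}


def check_site_to_site(a, b):
    """Return a list of mismatches between two gateway configurations."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    problems = []
    for x, y in ((a, b), (b, a)):
        # Peer Gateway Address on one side must be the wan1 address of the other.
        if ip(x["peer_gateway_address"]) != ip(y["wan1_address"]):
            problems.append(f"{x['name']}: peer gateway address is not wan1 of {y['name']}")
        # Local policy on one side must equal Remote policy on the other.
        if net(x["local_policy"]) != net(y["remote_policy"]):
            problems.append(f"{x['name']}: local policy differs from remote policy on {y['name']}")
    # The pre-shared key must match on both sides; the key itself is never echoed.
    if not hmac.compare_digest(a["pre_shared_key"].encode(), b["pre_shared_key"].encode()):
        problems.append("pre-shared keys differ")
    # Overlapping local subnets cannot be routed across the tunnel unambiguously.
    if net(a["local_policy"]).overlaps(net(b["local_policy"])):
        problems.append("local subnets overlap")
    return problems


if __name__ == "__main__":
    for line in check_site_to_site(usg50, usg100) or ["configurations mirror each other"]:
        print(line)
```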

If the company has a developed network infrastructure, with this method of management, the network administrator will not be bored.

In Zyxel Nebula, by contrast, it is enough to turn on the VPN on the devices and specify the subnet, as shown in Figure 1. And as ordinary users like to say: “It will work all by itself”.


Figure 1. Configuring VPN in Zyxel Nebula

Policies and general settings


As a rule, common settings are used within each infrastructure unit (IT infrastructure located outside the network perimeter).

In the absence of any automation tools, the administrator has to connect to each device and edit the settings there manually.

But even if you use pre-created templates, the setup process can take a long time. Uploading a previously prepared configuration file to each device is serious work in itself, not to mention the process of preparing such a file.

In Zyxel Nebula, this is handled much more simply.

All settings are distributed immediately to all devices belonging to the same site.

And if you need to transfer settings from one organization (Organization) to another, use the Organization - Configuration Sync menu. There you can choose which settings to transfer and to which organizations or devices. The range of settings that can be transferred will gradually grow as Zyxel Nebula develops.


Figure 2. Zyxel Nebula Configuration section

About bookkeeping and every other kind of accounting


Well, in conclusion, I would like to remind you of such a wonderful duty of IT staff as inventory and equipment accounting.

Of course, according to the logic and job descriptions, this should be handled by the accounting department. But in Russia it is rare when an accountant is able to perform normal equipment accounting without involving an IT department.

What's more, what the accounting department records in its 1C system does not always make technical sense. With the same success, you could record all switches, routers, etc. as “point 1”, “point 2”, “point 3”, as long as the sums are specified correctly, taking depreciation into account.

IT specialists often keep their own internal “accounting” in order to understand what equipment is located where, who it is assigned to and where it is being moved.

And here Zyxel Nebula can also provide an invaluable service.

First, network devices are already stored in a single database.
Secondly, they are already assigned to one or another branch.
Thirdly, you can immediately and easily get information such as the serial number and date of operation, and even see on a Google map where the device is now.

This information appears in the Zyxel Nebula database automatically; it does not need to be entered manually, as it does, for example, in the accounting system.

No less interesting is the process of registering usernames and passwords.


Even the most qualified specialist is an ordinary person who can get sick, fall in love, decide to quit and rush off to the ends of the earth, or just forget a password.

Therefore, one way or another, a password accounting system is present in every organization. Another matter is that it can be organized in different ways.

For example, a CIO can write all passwords in his notebook. It seems convenient: the medium is non-volatile and is kept by the responsible person. But reporting a new password to your favorite boss every time you change access details, especially during night work, is not always convenient. And then it all gets forgotten. Again, you can of course wake your boss in the middle of the night to ask for the password, but that is somehow not at all humane.
There is also another option - when the CIO loses the coveted notebook and ... it’s better not to think about it at all.

There is also the option of using all sorts of programs to keep track of passwords, with encryption and other great things.

But then, sooner or later, the situation arises, described in one of Murphy's laws: "The key to the emergency medical room is stored in the emergency medical room." That is, to get access to the password storage program, you need to know the password, or even more than one, for example, the password for accessing the workstation, the password for accessing the network resource, the password for opening the program itself ...

With Zyxel Nebula this is solved very simply. The owner registers the infrastructure under his own name and adds the admin as an administrator.

The administrator's access to the devices is determined by the rights granted. He just needs to log in to the cloud.

If the administrator has lost the password, changing it is not a problem. If the administrator is gone, the owner deletes him and adds a new one.

Conclusion


Summing up, I want to draw attention to some simple arithmetic. See how much text is taken up by the description of traditional solutions and how much by management with Zyxel Nebula.

These simple numbers speak for themselves.

Sources


[1] A page on the official Zyxel website dedicated to Nebula.

[2] A. Lakhtin. An example of creating a simple IPSec VPN tunnel between two ZyWALL USG hardware gateways. Article in the knowledge base.

[3] The Zyxel Nebula supernova is an economical way to security.

[4] Zyxel Nebula and company growth.

[5] We are not afraid of "clouds".

Source: https://habr.com/ru/post/423855/

