Tavve: Empowering Managed Services Providers to Reduce Costs, Strengthen Security, and Enhance Service Delivery


What is the Problem?

Some of the biggest challenges managed services providers (MSPs) face affect their ability to maintain healthy margins and to meet the contracted SLAs for their ongoing services. Customers expect the MSP to continuously add value, while at the same time restricting the changes the MSP may make to the services that would improve the customer's network and its operations. The challenge becomes even greater when the customer requires the MSP to use the customer's OSS / management tools instead of the MSP's own environment, which further limits the MSP's flexibility to drive change.

Common MSP challenges include:

  • Satisfying the customer's security requirements, especially those related to remote network access.
  • The effort and cost associated with complex firewall configurations and ruleset change management.
  • The administrative effort of keeping up with the ever-changing configurations of the many separate networks the MSP manages.
  • Limited or absent log data analysis across network devices, security devices, and applications.
  • Unforecasted expense from ingesting telemetry data into management applications such as Netcool and Splunk.

Meet Your Solutions:

ZoneRanger is a patented firewall proxy. It allows unsecured management traffic (SNMP, ICMP, Syslog, NetFlow, sFlow, etc.) to be inspected (deep packet inspection) and validated before being passed through a firewall boundary over an encrypted TLS tunnel using 256-bit encryption; on the far side, ZoneRanger filters, replicates, and forwards the data to any number of defined destinations. ZoneRanger extends the reach of your management applications into protected networks by using a transparent proxy to intercept and relay management traffic to and from the target devices. Because the individual management protocols no longer need their own open ports through the firewall, the firewall's attack surface is dramatically reduced.

Figure: Before vs After ZoneRanger

The primary function of the ZoneRanger is to act as an application-layer firewall proxy, performing deep packet inspection for the protocols used by management applications. ZoneRanger provides proxy services covering a variety of protocol scenarios:

  1. Request/response protocols, where the requests are originated by the management application:
    • ICMP
    • SNMP
  2. Request/response protocols, where the requests are originated by the managed devices:
    • TACACS+
    • RADIUS
    • NTP
    • Generic TCP
  3. Session-oriented protocols, where the sessions are initiated by the management applications:
    • SSH
    • HTTPS
  4. Event/notification protocols, where events are generated by managed devices and are filtered and forwarded to management applications:
    • SNMP
    • Syslog
    • NetFlow / IPFIX
    • sFlow
    • Generic UDP
  5. File transfer protocols, where the transfers are initiated by the management applications:
    • FTP
    • TFTP

Firewall rule change management effort is greatly reduced, because ZoneRanger removes the customer's firewall from many network management change requests.

ZoneRanger's proxy services are transparent: management applications are not aware that the Ranger Gateway and ZoneRanger are in the path, and they need no special configuration to make use of the proxy. This simplifies management application configuration and lets ZoneRanger and Ranger Gateway be used with a wide variety of management applications.

In addition to its role as a management firewall proxy, ZoneRanger can also be configured to act as a remote management station, performing network discovery; IP, SNMP and TCP polling; and root cause analysis. MSPs therefore have two options: their management applications poll the managed devices, with ZoneRanger acting as a firewall proxy for the polling traffic, or ZoneRanger polls the managed devices itself and forwards status traps to the management applications.

PacketRanger is an intelligent UDP packet broker that brings order to management traffic flows and provides a reliable way to manage the constant change in network telemetry and logging data. PacketRanger lets the MSP optimize the load on its management applications (an estimated 30% savings on applications such as Splunk) and gives observability into the management traffic pipeline through statistical analysis, so users can make better decisions, faster.

Figure: ZoneRanger and PacketRanger Deployment for MSP

PacketRanger gives MSPs a mechanism to carry management traffic between the customer's network devices and the MSP's management applications while inspecting and filtering that traffic to mitigate security risks. PacketRanger is a high-performance solution primarily responsible for UDP packet replication and packet filtering.
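As an added illustration, the following Python sketch models the validate, filter, replicate and forward pipeline that this page attributes to both ZoneRanger (for management traffic crossing the firewall) and PacketRanger (as a UDP packet broker), using syslog over UDP as the example protocol. It is not Tavve's code and does not describe how either product is implemented: the hosts, ports, policy values and sample messages are constructed for the example, and the datagram size limit and per-source rate limit are assumptions chosen to show a malformed message, a filtered message and a trap-storm style burst being handled.

```python
"""Illustrative UDP management-traffic broker (example code, not Tavve's).

Models a validate -> filter -> replicate -> forward pipeline for syslog datagrams,
with per-source counters so "top talkers" can be reported from the same pass.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Syslog (RFC 3164 / RFC 5424) messages begin with "<PRI>", PRI = facility*8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
MAX_DATAGRAM = 8192  # assumed upper bound; anything larger is treated as malformed


@dataclass
class Policy:
    max_severity: int = 7                     # 0=emerg .. 7=debug; forward only if <= this
    drop_facilities: frozenset = frozenset()  # facility numbers to discard outright
    per_source_limit: int = 10_000            # crude log/trap-storm guard, per source


@dataclass
class Broker:
    policy: Policy
    destinations: list                        # (host, port) tuples to replicate to
    sender: object = None                     # callable(datagram, dest); None = dry run
    seen: Counter = field(default_factory=Counter)      # datagrams per source (top talkers)
    verdicts: Counter = field(default_factory=Counter)  # pipeline statistics

    @staticmethod
    def parse(datagram: bytes):
        """Return (facility, severity) for a well-formed syslog header, else None."""
        m = PRI_RE.match(datagram)
        if m is None or len(datagram) > MAX_DATAGRAM:
            return None
        pri = int(m.group(1))
        if pri > 191:                         # 23*8 + 7 is the largest legal PRI
            return None
        return divmod(pri, 8)

    def decide(self, src: str, datagram: bytes) -> str:
        """Classify one datagram as forward, invalid, filtered or ratelimited."""
        self.seen[src] += 1
        parsed = self.parse(datagram)
        if parsed is None:
            verdict = "invalid"
        elif parsed[0] in self.policy.drop_facilities or parsed[1] > self.policy.max_severity:
            verdict = "filtered"
        elif self.seen[src] > self.policy.per_source_limit:
            verdict = "ratelimited"
        else:
            verdict = "forward"
        self.verdicts[verdict] += 1
        return verdict

    def handle(self, src: str, datagram: bytes) -> int:
        """Run the pipeline; replicate to every destination only on a forward verdict.
        Returns the number of copies sent."""
        if self.decide(src, datagram) != "forward":
            return 0
        for dest in self.destinations:
            if self.sender is not None:
                self.sender(datagram, dest)
        return len(self.destinations)

    def top_talkers(self, n: int = 3):
        return self.seen.most_common(n)


# Constructed sample traffic (hypothetical hosts and messages).
SAMPLE = [
    ("10.0.1.10", b"<134>Jan  1 00:00:01 core-sw1 %LINK-3-UPDOWN: Gi1/0/1 changed state to down"),
    ("10.0.1.11", b"<165>1 2024-01-01T00:00:02Z edge-fw1 fw - - - session denied"),
    ("10.0.1.12", b"<191>debug chatter nobody needs in the SIEM"),
    ("10.0.1.13", b"not a syslog datagram at all"),
    ("10.0.1.14", b"<999>PRI out of range"),
] + [("10.0.1.20", b"<134>repeated trap-storm style message")] * 3


def run_sample():
    """Push SAMPLE through a broker with a demo policy; returns (broker, copies_sent)."""
    sent = []
    broker = Broker(
        policy=Policy(max_severity=6, drop_facilities=frozenset({20}), per_source_limit=2),
        destinations=[("10.9.0.5", 514), ("10.9.0.6", 514)],  # e.g. SIEM + NOC collector
        sender=lambda datagram, dest: sent.append(dest),     # record instead of sending
    )
    copies = sum(broker.handle(src, dgram) for src, dgram in SAMPLE)
    return broker, copies


if __name__ == "__main__":
    b, copies = run_sample()
    print(dict(b.verdicts), "copies sent:", copies, "top talkers:", b.top_talkers(1))
```

Swapping the recording `sender` for `socket.sendto` turns the dry run into a real fan-out; the verdict and per-source counters are what a broker would expose to its statistics view, and the rate limit is the simplest form of the trap-storm handling the page mentions.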

The MSP can deploy PacketRanger as a redundant pair configured to share a virtual IP address. In this deployment, network devices send their management data to the virtual IP address. If the primary PacketRanger becomes inoperable or unreachable, the secondary PacketRanger automatically takes over all traffic sent to the virtual IP address. Because the brokered protocols run over UDP, senders do not retransmit datagrams sent during the failover window itself, so the failover detection time bounds the data that can be lost.

For MSP customers with large networks and very high data throughput, the MSP can deploy PacketRanger as a redundant cluster behind a load balancer. All network devices send management data to the load balancer, which distributes the traffic across the PacketRangers. Each PacketRanger shares its configuration with the other PacketRangers in the cluster.

Benefits:

When the MSP deploys Tavve's solutions as part of its blueprint remote connectivity design while onboarding a new customer network, these challenges are addressed efficiently and affordably. With Tavve the MSP will:

Enhance Security:

  • The MSP's and the customer's attack surface is reduced. ZoneRanger removes the need for per-protocol open firewall ports: the only port opened for management traffic is the one carrying the encrypted tunnel to the Network/Security Operations Center.
  • ZoneRanger's transparent proxy hinders fingerprinting of the internal network, since the managed side sees only the proxy and never the identity of the management application(s) behind it.

Lower OPEX, Prevent CAPEX:

  • Tavve's solutions extend the useful life of existing management applications (e.g. Netcool, Splunk) by intelligently filtering telemetry data and directing only the appropriate data to each destination.
  • Capacity expansions are delayed, and savings on existing management applications are estimated to average 30%.
  • Firewall rule change management effort is reduced by up to 90%: fewer open firewall ports means fewer ports to manage.

Improve Observability:

  • Through statistical analysis, the MSP gains deep insight into how telemetry data flows through the network, enabling it to visually detect network issues such as misconfigurations, resolve trap storms, identify top talkers, and take proactive action for its customers.

Increase Network Management Redundancy:

  • If a management application becomes unavailable, or a NOC / SOC goes down and triggers the BCDR plan, Tavve's solutions let the MSP easily redirect telemetry data to failover management tools.

Manage Compliance:

  • Through Tavve's solutions, the MSP can aggregate management traffic from all of its business lines and operational entities in a centralized location, ensuring that compliance requirements (SOX, ISO, etc.) are met at all times and avoiding the brand damage and regulatory fines that result from inconsistent compliance policies across multiple units managing their own networks.

To learn more, contact us either via www.tavve.com or email at sales@tavve.com.