Securing ZPE Systems Network
- Updated on 26 Aug 2024
This document describes how Nodegrid devices, and the devices they manage, communicate securely with ZPE Cloud. The accompanying figure depicts the framework of connections between those devices and ZPE Cloud; sections 0.1 to 0.7 below follow that figure and record, for each connection, how the traffic is encrypted, how the peers authenticate, and any other relevant control.
0.1: Network Administrator to ZPE Cloud

| Aspect | Detail |
|---|---|
| Description | Administrators access Out-Of-Band (OOB) devices through OOB-Cloud by browsing to https://zpecloud.com or https://zpecloud.eu, depending on their region. |
| Encryption | HTTPS |
| Authentication | SSO with MFA |
| Other | ZPE Cloud is hosted on Google Cloud Platform (GCP) and is operated in line with GCP's security controls. ZPE maintains SOC 2 Type 2 compliance, as described in the separate compliance documentation. |
0.2: ZPE Cloud to Azure AD (SSO Authentication)

| Aspect | Detail |
|---|---|
| Description | Administrators are authenticated by Azure AD before ZPE Cloud grants them access. |
| Encryption | HTTPS, certificate |
| Authentication | SAML 2.0, MFA |
| Other | The SAML document exchanged with Azure AD is protected with a certificate, so the receiving side can verify that it has not been tampered with. |
0.3: ZPE Cloud to OOB Device (ZPE Nodegrid Device Access)

| Aspect | Detail |
|---|---|
| Description | Administrators use OOB-Cloud to manage OOB devices and, through the OOB infrastructure, to reach the consoles of network devices. The OOB device synchronizes with OOB-Cloud over either its internet connection (Sophos) or a 4G/5G LTE connection. Every connection is initiated outbound, from the device to ZPE Cloud; the cloud never needs to open an inbound connection to the device. |
| Encryption | MQTTS (MQTT over TLS) with mutual TLS, the device key being held in the TPM (Trusted Platform Module); HTTPS; WSS |
| Authentication | mTLS; device and cloud authenticate each other through TPM pairing |
| Other | Detailed documentation of the device-to-cloud communication has been shared with the team. |
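The 0.3 link is the one to check end to end: the device is always the TLS client, and the broker must refuse any peer that does not present a certificate issued by the fleet CA. The following Go program is an added illustration written for this page; it is not ZPE's code, and it does not reproduce Nodegrid's TPM pairing or ZPE Cloud's actual broker configuration. It builds a constructed PKI in memory (the names zpe-fleet-ca, rogue-ca, nodegrid-0001 and mqtt.example.invalid are hypothetical, and the device key is an in-memory key standing in for a TPM-resident one), configures a broker with TLS 1.2 as the minimum version and RequireAndVerifyClientCert, and runs four loopback handshakes: an enrolled device, a device with no certificate, a device whose certificate came from an untrusted CA, and a device that does not trust the broker's CA. Only the first is accepted by both sides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// mustIssue builds a certificate for cn (parsed copy in Leaf): self-signed when parent is nil,
// otherwise signed by parent. A real Nodegrid key would live in the TPM; this constructed PKI
// uses an in-memory P-256 key so the example runs anywhere.
func mustIssue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, DNSNames: []string{cn},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// brokerConfig is the cloud side: TLS 1.2 or newer, and the device must present a certificate
// that chains to the fleet CA (RequireAndVerifyClientCert), which is what "mTLS" above means.
func brokerConfig(broker tls.Certificate, fleetCA *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(fleetCA)
	return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{broker},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
}

// deviceConfig is the device side: always the TLS client (the link is outbound only), pinning
// one CA for the cloud certificate, checking its hostname, and presenting its own cert if any.
func deviceConfig(trustedCA *x509.Certificate, serverName string, certs ...tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	return &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool, ServerName: serverName, Certificates: certs}
}

// handshake runs one attempt over loopback TCP; each returned error is nil when that side accepted its peer.
func handshake(srvCfg, cliCfg *tls.Config) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			srv := tls.Server(raw, srvCfg)
			err = srv.Handshake()
			srv.Close()
		}
		done <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil {
		// A TLS 1.3 client finishes its handshake before the server has checked the client
		// certificate, so a rejection only surfaces on the first read (close_notify is io.EOF).
		if _, rerr := cli.Read(make([]byte, 1)); rerr != nil && rerr != io.EOF {
			err = rerr
		}
		cli.Close()
	}
	return err, <-done
}

func main() {
	fleetCA, rogueCA := mustIssue("zpe-fleet-ca", true, nil), mustIssue("rogue-ca", true, nil)
	broker, device := mustIssue("mqtt.example.invalid", false, &fleetCA), mustIssue("nodegrid-0001", false, &fleetCA)
	impostor, srv := mustIssue("nodegrid-0001", false, &rogueCA), brokerConfig(broker, fleetCA.Leaf)
	for _, cfg := range []*tls.Config{
		deviceConfig(fleetCA.Leaf, "mqtt.example.invalid", device),   // enrolled device: both sides accept
		deviceConfig(fleetCA.Leaf, "mqtt.example.invalid"),           // no client certificate: broker rejects
		deviceConfig(fleetCA.Leaf, "mqtt.example.invalid", impostor), // certificate from a rogue CA: broker rejects
		deviceConfig(rogueCA.Leaf, "mqtt.example.invalid", device),   // device does not trust the broker: device rejects
	} {
		fmt.Println(handshake(srv, cfg))
	}
}
```

Run it with `go run`; the first line prints two nil errors and each of the other three shows at least one side refusing. The detail worth keeping in mind when testing a real deployment is the one handled in `handshake`: with TLS 1.3 the device's handshake returns before the broker has examined its certificate, so a device rejected for a missing or untrusted certificate only finds out on its first read. The settings to audit on the broker are `MinVersion`, `ClientAuth` and the `ClientCAs` pool; a broker that accepts a session without a client certificate silently drops the mutual part of the mTLS guarantee stated above.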
0.4: ZPE OOB Device to Azure AD

| Aspect | Detail |
|---|---|
| Description | Administrators who reach an OOB device through OOB-Cloud, in order to manage devices over the console or management port, are authenticated against Azure AD. |
| Encryption | HTTPS, certificate |
| Authentication | SAML 2.0, MFA |
| Other | - |
0.5: ZPE OOB Device to Network Device

| Aspect | Detail |
|---|---|
| Description | Administrators can manage a network device through either its console (serial) port or its management port. |
| Encryption | HTTPS, CONSOLE, HTML5, CSR |
| Authentication | TLS |
| Other | ZPE Cloud provides access to the console and to the management interface of the network device through a secure HTML5 web page served over HTTPS. The network device is connected to the ZPE device through both its serial (console) port and its management port. |
0.6: Log Data Transmission

| Aspect | Detail |
|---|---|
| Description | The ZPE OOB device sends its logs to a Splunk forwarder. |
| Encryption | SSL/TLS 1.2 or newer for data in transit |
| Authentication | TLS |
| Other | - |
0.7: API Requests

| Aspect | Detail |
|---|---|
| Description | API requests to and from the ZPE OOB device. |
| Encryption | HTTPS |
| Authentication | TLS |
| Other | - |