Meet ZoneRanger: Simplify Firewall Rules

For more than 15 years, financial institutions, government agencies, and large public utilities have looked to Tavve for the expertise to securely proxy network management protocols through firewalls, providing a more secure infrastructure that uses fewer resources.

ZoneRanger (for commercial networks)
  • Reduce overall attack surface
  • Eliminate open firewall ports
  • Save hundreds of man-hours writing and maintaining firewall rules

ZoneRanger G-Series (for government networks)
  • FIPS 140-2 certified
  • Unlimited message rate
  • Eliminate open firewall ports
  • Save hundreds of man-hours writing and maintaining firewall rules

ZoneRanger reduces firewall rule complexity and administrative costs, while increasing network security.

Secure SNMP Proxy

What SNMP lacks in simplicity it makes up for in popularity. SNMP is supported by the vast majority of network devices and servers, and is an essential component of many management applications, providing a mechanism for these applications to configure, collect information, and receive alerts (a.k.a. “traps”) from managed devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent SNMP from passing through the firewall, accepting limited ability to manage the devices beyond, or allow SNMP to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for SNMP traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks. All SNMP protocol traffic is carefully inspected by the ZoneRanger, and where applicable is matched with known outstanding requests, before being allowed to pass.

The ZoneRanger SNMP proxy feature supports the following SNMP protocol transactions:

  • SNMP Request/Response (to/from devices in a firewall-partitioned zone)
  • SNMP Trap (from devices in a firewall-partitioned zone)

In addition to acting as a proxy for SNMP v1 and v2c traffic, ZoneRanger can also be configured to provide SNMPv3 conversion, allowing management applications to continue to use the older, more prevalent versions of SNMP, while enabling the selective use of SNMPv3 within firewall-partitioned zones where higher levels of security are required.
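The request/response matching described above, sketched as an added Python example (this is not ZoneRanger code): a filter that remembers each SNMP v1/v2c request sent toward a device and lets a response back only if its request-id answers a request still outstanding for that device, while traps pass as unsolicited notifications. The class name `SnmpProxyFilter`, the minimal BER parser, the packet builder and the device address 10.0.0.5 are all constructed for illustration; SNMPv3 conversion is not covered.

```python
"""Stateful SNMP v1/v2c filtering: requests pass outward and are remembered,
responses pass back only if they answer an outstanding request, traps pass as
unsolicited. Added example, not ZoneRanger code; names and packets are constructed."""

PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET = 0xA0, 0xA1, 0xA2, 0xA3
PDU_TRAP_V1, PDU_GETBULK, PDU_INFORM, PDU_TRAP_V2 = 0xA4, 0xA5, 0xA6, 0xA7


# minimal BER helpers, enough for an SNMP v1/v2c message
def ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value: int) -> bytes:
    # two's complement, minimal length; bit_length + 8 always leaves room for the sign bit
    return tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; raise on junk."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported BER length form")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse_snmp(packet: bytes):
    """Return (version, community, pdu_type, request_id), or None if malformed.
    request_id is None for an SNMPv1 Trap PDU, which starts with an OID instead."""
    try:
        tag, msg, end = read_tlv(packet, 0)
        tag_v, ver, pos = read_tlv(msg, 0)
        tag_c, community, pos = read_tlv(msg, pos)
        pdu_type, pdu, pos = read_tlv(msg, pos)
        if (tag, tag_v, tag_c) != (0x30, 0x02, 0x04) or end != len(packet) or pos != len(msg):
            return None
        if not PDU_GET <= pdu_type <= PDU_TRAP_V2:
            return None
        request_id = None
        if pdu_type != PDU_TRAP_V1:
            tag_r, rid, _ = read_tlv(pdu, 0)
            if tag_r != 0x02:
                return None
            request_id = int.from_bytes(rid, "big", signed=True)
        return int.from_bytes(ver, "big", signed=True), community, pdu_type, request_id
    except (ValueError, IndexError):
        return None

def build_snmp(version: int, community: bytes, pdu_type: int, request_id: int) -> bytes:
    # constructed v1/v2c message with an empty varbind list (test input only)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, b"")
    return tlv(0x30, ber_int(version) + tlv(0x04, community) + tlv(pdu_type, pdu))


class SnmpProxyFilter:
    """Decides whether an SNMP datagram may cross the zone boundary."""
    VERSIONS = {0, 1}                                      # 0 = SNMPv1, 1 = SNMPv2c
    REQUESTS = {PDU_GET, PDU_GETNEXT, PDU_SET, PDU_GETBULK}
    TRAPS = {PDU_TRAP_V1, PDU_TRAP_V2}

    def __init__(self):
        self.outstanding = set()                           # (device, request_id)

    def from_manager(self, packet: bytes, device: str) -> bool:
        """Management side -> device: only requests pass, and each is remembered."""
        parsed = parse_snmp(packet)
        if parsed is None or parsed[0] not in self.VERSIONS or parsed[2] not in self.REQUESTS:
            return False
        self.outstanding.add((device, parsed[3]))
        return True

    def from_device(self, packet: bytes, device: str) -> bool:
        """Device -> management side: traps pass; a response passes once, and only
        if it answers a request still outstanding for that device."""
        parsed = parse_snmp(packet)
        if parsed is None or parsed[0] not in self.VERSIONS:
            return False
        _, _, pdu_type, request_id = parsed
        if pdu_type in self.TRAPS:
            return True
        if pdu_type == PDU_RESPONSE and (device, request_id) in self.outstanding:
            self.outstanding.discard((device, request_id))
            return True
        return False   # unsolicited response, replay, or a request originating inside the zone


def demo() -> dict:
    # constructed traffic for a constructed device address
    f, dev = SnmpProxyFilter(), "10.0.0.5"
    response = build_snmp(1, b"public", PDU_RESPONSE, 42)
    return {
        "request": f.from_manager(build_snmp(1, b"public", PDU_GET, 42), dev),
        "matching_response": f.from_device(response, dev),
        "replayed_response": f.from_device(response, dev),
        "unsolicited_response": f.from_device(build_snmp(1, b"public", PDU_RESPONSE, 99), dev),
        "trap": f.from_device(build_snmp(1, b"public", PDU_TRAP_V2, 7), dev),
        "request_from_zone": f.from_device(build_snmp(1, b"public", PDU_GET, 1), dev),
        "garbage": f.from_device(b"\x30\x05\xff", dev),
    }
```

Note the asymmetry: `from_device` refuses a GetRequest arriving from the zone, so a compromised device cannot use the proxy to query the management side, and a response is consumed once, so a replayed or guessed response does not pass.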

SNMP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP

Secure ICMP Proxy

More often than not, the simplest way to verify that a network device is operating and reachable is the simple, ubiquitous ICMP echo request, more commonly referred to as “ping”. Applications for this simple but powerful protocol mechanism range from the familiar “ping” command, to sophisticated management applications that use ICMP echo requests to poll device status or measure network latency.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent ICMP from passing through the firewall, accepting limited ability to manage the devices beyond, or allow ICMP to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for ICMP echo request/response traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks. All ICMP echo request/response protocol traffic is carefully inspected by the ZoneRanger, and responses are matched with known outstanding requests, before being allowed to pass.

ICMP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • NetFlow / sFlow
  • NTP
  • SNMP
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP

Secure Syslog

Logs typically are not very exciting or flashy, but when you need to understand what is going on in your network, more often than not the critical information you need will be in your device and server logs. Syslog is a common, simple protocol for collecting log information from managed devices and servers across a network. Many network devices and servers can be configured to send Syslog information to designated collection stations, and a variety of management applications have been developed to collect, analyze, and present the information received.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent Syslog information from passing through the firewall, accepting limited ability to receive information from the devices beyond, or allow Syslog messages to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for Syslog traffic, enabling management applications to receive Syslog messages from devices beyond firewalls, while mitigating the associated security risks. All Syslog messages are carefully inspected by the ZoneRanger. Valid messages that match configured filter criteria are forwarded to configured destination addresses. As a result, managed devices are prevented from directing Syslog messages to arbitrary destinations via the ZoneRanger.

Syslog is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP

Secure TACACS+/RADIUS

Centralized access control using the TACACS+ and/or RADIUS protocols has become a popular and effective approach for managing secure access to network devices and servers. The ability to manage user authentication, authorization, and accounting in a single server, or a small number of servers, provides a significant advantage both in terms of reduced administrative effort/cost, and improved security, because changes can be made in a more timely and less error-prone manner.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for centralized access control, requiring network administrators to choose between two equally unacceptable alternatives: prevent TACACS+ and RADIUS from passing through the firewall, effectively isolating the devices beyond from the primary centralized access control servers, or allow TACACS+ and/or RADIUS to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for TACACS+ and RADIUS traffic, enabling network devices and servers to effectively reach back through the firewall to the centralized access control servers, while mitigating the associated security risks through careful inspection and filtering of all TACACS+ and RADIUS traffic.

In addition to acting as a proxy for TACACS+ and RADIUS traffic originated by network devices and servers, ZoneRanger can also act as a TACACS+ or RADIUS client, using its own proxy service, so that authentication and authorization for access to the ZoneRanger’s own administration interfaces can also be configured and monitored from centralized access control servers.
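What "careful inspection and filtering" of RADIUS can mean in practice, as an added Python example (not ZoneRanger code): a device's Access-Request passes only if it is well formed and carries a valid Message-Authenticator (RFC 2869), and a reply from the access-control server is relayed once, and only if its Response Authenticator (RFC 2865) proves it answers a request still outstanding for that device. The class name `RadiusProxyFilter`, the shared secret, the user name and the address 10.0.0.5 are constructed for illustration; TACACS+ would need its own packet parser.

```python
"""RADIUS inspection for a proxy: requests need a valid Message-Authenticator,
replies must carry the Response Authenticator for an outstanding request.
Added example, not ZoneRanger code; secret, names and packets are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80


def attribute(attr_type: int, value: bytes) -> bytes:
    return bytes([attr_type, len(value) + 2]) + value

def radius_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_radius(pkt: bytes):
    """Return (code, ident, authenticator, attrs_bytes) or None on a malformed packet."""
    if len(pkt) < 20:
        return None
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        return None
    pos = 20                                       # walk the attribute list
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            return None
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], pkt[20:]

def message_authenticator_ok(pkt: bytes, secret: bytes) -> bool:
    """HMAC-MD5 over the packet with the Message-Authenticator value zeroed (RFC 2869)."""
    pos = 20
    while pos < len(pkt):
        attr_type, length = pkt[pos], pkt[pos + 1]
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:pos + 2] + bytes(16) + pkt[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, pkt[pos + 2:pos + 18])
        pos += length
    return False                                   # absent: treat as unverifiable

def response_authenticator(code, ident, request_auth, attrs, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_access_request(ident, secret, username, request_auth) -> bytes:
    # constructed client request; Message-Authenticator is the last attribute, so it is the last 16 bytes
    attrs = attribute(ATTR_USER_NAME, username) + attribute(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = radius_packet(ACCESS_REQUEST, ident, request_auth, attrs)
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest()

def build_reply(code, ident, secret, request_auth, attrs=b"") -> bytes:
    # constructed server reply, authenticated the way a real server would
    return radius_packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)


class RadiusProxyFilter:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = {}                      # (client, ident) -> Request Authenticator

    def from_client(self, pkt: bytes, client: str) -> bool:
        """Device -> server: an Access-Request with a valid Message-Authenticator."""
        parsed = parse_radius(pkt)
        if parsed is None or parsed[0] != ACCESS_REQUEST or not message_authenticator_ok(pkt, self.secret):
            return False
        self.outstanding[(client, parsed[1])] = parsed[2]
        return True

    def from_server(self, pkt: bytes, client: str) -> bool:
        """Server -> device: a reply bound by its Response Authenticator to an outstanding request."""
        parsed = parse_radius(pkt)
        if parsed is None or parsed[0] not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
            return False
        code, ident, auth, attrs = parsed
        request_auth = self.outstanding.get((client, ident))
        if request_auth is None:
            return False
        expected = response_authenticator(code, ident, request_auth, attrs, self.secret)
        if not hmac.compare_digest(expected, auth):
            return False
        del self.outstanding[(client, ident)]
        return True


def demo() -> dict:
    secret, req_auth, client = b"constructed-shared-secret", bytes(range(16)), "10.0.0.5"
    f = RadiusProxyFilter(secret)
    req = build_access_request(7, secret, b"netops", req_auth)
    accept = build_reply(ACCESS_ACCEPT, 7, secret, req_auth)
    forged = build_reply(ACCESS_ACCEPT, 7, b"wrong-secret", req_auth)
    no_mac = radius_packet(ACCESS_REQUEST, 8, req_auth, attribute(ATTR_USER_NAME, b"netops"))
    return {
        "request": f.from_client(req, client),
        "request_without_message_authenticator": f.from_client(no_mac, client),
        "forged_accept": f.from_server(forged, client),
        "genuine_accept": f.from_server(accept, client),
        "replayed_accept": f.from_server(accept, client),
    }
```

The policy of dropping requests without a Message-Authenticator is a choice made for this example; it matters because without that attribute nothing in an Access-Request proves knowledge of the shared secret, so the proxy could be made to relay arbitrary traffic to the access-control server.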

TACACS+ and RADIUS are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • Telnet / SSH
  • TFTP

Secure NetFlow/sFlow

NetFlow and sFlow are relatively new protocols that can be used to collect sampled traffic and usage/event statistics from network devices. Many network devices and servers can be configured to periodically send NetFlow and sFlow information to designated collection stations, and a variety of management applications have been developed to collect, analyze, and present the information received. Some of these applications focus on network usage, accounting, and billing, while other applications focus on network performance optimization. NetFlow and sFlow are even used by some applications to identify security threats based on recognized attack signatures.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent NetFlow and sFlow information from passing through the firewall, accepting limited ability to receive information from the devices beyond, or allow NetFlow and sFlow messages to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for NetFlow and sFlow traffic, enabling management applications to receive NetFlow and sFlow messages from devices beyond firewalls, while mitigating the associated security risks. All NetFlow and sFlow messages are carefully inspected by the ZoneRanger, and valid messages that match configured filter criteria are forwarded to configured destination addresses. This approach prevents managed devices (or malware masquerading as a managed device) from directing NetFlow and sFlow messages to arbitrary destinations via the ZoneRanger.
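The inspect-then-forward pattern that the Syslog section and this NetFlow/sFlow section both describe, as one added Python example (not ZoneRanger code): a datagram is relayed only if it comes from a listed source and passes a format check, and then only to collectors configured on the proxy, so nothing in the datagram can steer it elsewhere. Two validators are shown, an RFC 3164 Syslog PRI check with a severity threshold and a NetFlow v5 header check that the record count agrees with the datagram length. `ProxyForwarder`, the sample messages, and the addresses 10.0.0.5, 192.0.2.10 and 192.0.2.11 are constructed for illustration; sFlow is not parsed here.

```python
"""Inspect-then-forward for push-style telemetry (Syslog, NetFlow v5): relay only
from configured sources, only well-formed datagrams, only to configured collectors.
Added example, not ZoneRanger code; names and sample traffic are constructed."""
import re
import struct

SYSLOG_MAX_LEN = 1024                                   # RFC 3164 datagram limit
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def syslog_validator(max_severity: int = 6):
    """Accept an RFC 3164 message with a sane PRI whose severity is at least as
    urgent as max_severity (0 = emergency ... 7 = debug)."""
    def check(msg: bytes) -> bool:
        m = PRI_RE.match(msg)
        if m is None or len(msg) > SYSLOG_MAX_LEN:
            return False
        pri = int(m.group(1))
        if pri > 191:                                   # facility 0..23, severity 0..7
            return False
        return (pri & 7) <= max_severity
    return check


NETFLOW_V5_HEADER = struct.Struct("!HHIIIIBBH")        # 24-byte export header
NETFLOW_V5_RECORD_LEN = 48

def netflow_v5_validator(datagram: bytes) -> bool:
    """Accept a NetFlow v5 export whose header and record count agree with its length."""
    if len(datagram) < NETFLOW_V5_HEADER.size:
        return False
    version, count = NETFLOW_V5_HEADER.unpack_from(datagram)[:2]
    if version != 5 or not 1 <= count <= 30:
        return False
    return len(datagram) == NETFLOW_V5_HEADER.size + count * NETFLOW_V5_RECORD_LEN


class ProxyForwarder:
    def __init__(self, validator, sources, destinations):
        self.validator = validator
        self.sources = set(sources)                     # devices allowed to send through
        self.destinations = list(destinations)          # fixed collectors as (ip, port)

    def route(self, src_ip: str, datagram: bytes) -> list:
        """Return the collectors to relay to, or [] to drop the datagram."""
        if src_ip not in self.sources or not self.validator(datagram):
            return []
        return list(self.destinations)


# constructed sample traffic
SYSLOG_SAMPLES = [
    ("10.0.0.5", b"<34>Oct 11 22:14:15 router1 login: FAILED LOGIN for admin"),   # auth.crit
    ("10.0.0.5", b"<191>Oct 11 22:14:16 router1 app: verbose debug chatter"),     # local7.debug
    ("10.0.0.9", b"<34>Oct 11 22:14:17 unknown-host: not an allowed source"),
    ("10.0.0.5", b"no PRI at all"),
    ("10.0.0.5", b"<999>PRI out of range"),
]

def netflow_v5_datagram(count: int, records: int) -> bytes:
    """Header claiming `count` records followed by `records` zero-filled records."""
    header = NETFLOW_V5_HEADER.pack(5, count, 0, 0, 0, 0, 0, 0, 0)
    return header + bytes(NETFLOW_V5_RECORD_LEN * records)


def demo() -> dict:
    syslog = ProxyForwarder(syslog_validator(max_severity=6), ["10.0.0.5"], [("192.0.2.10", 514)])
    flows = ProxyForwarder(netflow_v5_validator, ["10.0.0.5"], [("192.0.2.11", 2055)])
    return {
        "syslog_forwarded_to": [len(syslog.route(src, msg)) for src, msg in SYSLOG_SAMPLES],
        "netflow_consistent": flows.route("10.0.0.5", netflow_v5_datagram(2, 2)),
        "netflow_short": flows.route("10.0.0.5", netflow_v5_datagram(3, 2)),
        "netflow_wrong_source": flows.route("10.0.0.9", netflow_v5_datagram(1, 1)),
    }
```

Only the first Syslog sample is forwarded: the debug-level message fails the severity threshold, the third comes from an unlisted source, and the last two are malformed. The NetFlow export whose header claims three records but carries two is dropped before any parser sees the record data.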

Secure Telnet & SSH

Even though web-based user interfaces have become very popular, the vast majority of network devices and servers continue to support Telnet, and/or its more security-conscious successor SSH, partly because some users prefer a command-line style of user interface, and partly because the command-line style is better suited to automation. As a result, a significant number of management applications are able to use Telnet and/or SSH to configure, control, or collect information from managed devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent Telnet and SSH from passing through the firewall, accepting limited ability to manage the devices beyond, or allow Telnet and/or SSH to pass through the firewall, accepting the associated security risks. ZoneRanger resolves this dilemma, acting as a transport-layer proxy for Telnet and SSH traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks in a variety of ways:

  • ZoneRanger effectively breaks the underlying TCP transport connection that carries the Telnet and/or SSH traffic into two connections, helping to protect the management application from TCP-based attacks.
  • ZoneRanger allows management applications to originate Telnet or SSH sessions with managed devices, but connections in the reverse direction are not allowed.
  • ZoneRanger can be configured to restrict Telnet and SSH traffic to specified devices and ports.
  • ZoneRanger can be configured to perform destination port translation, allowing management applications to initiate Telnet or SSH sessions using standard well-known ports, to devices that have been configured to use non-standard ports as a security precaution (i.e. to fool/confuse port scanners).

In addition to enabling management applications to access command-line interfaces on managed devices, the ZoneRanger SSH proxy can also be used for secure file transfer (i.e. SCP, SFTP), reducing the need to use less secure protocols such as FTP or TFTP.

Telnet and SSH are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • TFTP

Secure FTP

FTP is one of the oldest and simplest ways to transfer files within your network. Although newer alternatives to FTP may offer greater convenience and/or security, there are still times, when working with specific applications or devices, when FTP is the solution of choice.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for FTP users, requiring network administrators to choose between two equally unacceptable alternatives: prevent FTP from passing through the firewall, accepting the resulting loss of ability to transfer files to/from the devices beyond, or allow FTP to pass through the firewall, accepting the associated security risks.

FTP is especially difficult for firewalls due to its use of separate control and data connections. While control connections are always directed at a well-known port, data connections use dynamically assigned ports, making it difficult to configure the firewall to allow only the needed ports. Making matters worse, the direction in which the data connection is initiated depends on whether the requested transfer mode is active or passive, making it difficult to implement a policy preventing initiation of connections from less secure network zones to more secure network zones.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for FTP traffic, enabling FTP client applications to extend their reach beyond firewalls, while mitigating the associated security risks. All FTP control connection traffic is carefully inspected by the ZoneRanger, and data connections are matched with known outstanding transfer requests, before being allowed to pass.

The ZoneRanger FTP proxy feature supports all FTP protocol transactions defined in RFC 959, including:

  • Get File Request (from devices in a firewall-partitioned zone)
  • Put File Request (to devices in a firewall-partitioned zone)
  • List Directory Request
  • Delete File Request
  • Rename File Request

In addition to supporting active and passive mode file transfers, the ZoneRanger FTP proxy feature also includes an optional active-to-passive conversion feature, allowing an FTP client’s active mode transfer requests to be presented to servers as passive mode requests, so that clients that only support active mode are able to exchange files with servers that only support passive mode.
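The control-connection inspection that lets a proxy match data connections to "known outstanding transfer requests", as an added Python example (not ZoneRanger code): the inspector reads the client's PORT/EPRT command or the server's 227/229 reply, records exactly one expected data connection (direction, address and port) per announcement, admits a TCP connection only if it matches one and consumes it, and refuses a PORT command naming any address other than the client's own, which is the classic FTP bounce case. `FtpControlInspector`, the addresses 10.0.0.5 and 192.0.2.20 and the sample lines are constructed; active-to-passive conversion itself (answering PORT locally and issuing PASV upstream) is not implemented here.

```python
"""FTP control-channel inspection: learn each data connection from PORT/EPRT or
227/229, allow exactly that connection once, refuse third-party PORT targets.
Added example, not ZoneRanger code; names, addresses and lines are constructed."""
import re

PORT_RE = re.compile(rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$")
EPRT_RE = re.compile(rb"^EPRT \|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|\r\n$")
PASV_RE = re.compile(rb"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def _endpoint(octets, p1, p2):
    """Decode the h1,h2,h3,h4,p1,p2 form; None if any field is out of range."""
    octets, p1, p2 = [int(o) for o in octets], int(p1), int(p2)
    port = p1 * 256 + p2
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255 or not 1 <= port <= 65535:
        return None
    return ".".join(map(str, octets)), port


class FtpControlInspector:
    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip, self.server_ip = client_ip, server_ip
        self.expected = set()                  # (initiator_ip, target_ip, target_port)

    def client_command(self, line: bytes):
        """Client -> server command. 'active' records a server -> client data
        connection, 'rejected' flags a bad or third-party PORT, None is any other command."""
        m = PORT_RE.match(line)
        if m:
            endpoint = _endpoint(m.groups()[:4], *m.groups()[4:])
        else:
            m = EPRT_RE.match(line)
            if not m:
                return None
            endpoint = (m.group(1).decode(), int(m.group(2)))
        if endpoint is None or not 1 <= endpoint[1] <= 65535 or endpoint[0] != self.client_ip:
            return "rejected"                  # FTP bounce: PORT must name the client itself
        self.expected.add((self.server_ip, endpoint[0], endpoint[1]))
        return "active"

    def server_reply(self, line: bytes):
        """Server -> client reply. 'passive' records a client -> server data connection."""
        m = PASV_RE.match(line)
        if m:
            endpoint = _endpoint(m.groups()[:4], *m.groups()[4:])
        else:
            m = EPSV_RE.match(line)
            if not m:
                return None
            endpoint = (self.server_ip, int(m.group(1)))
        if endpoint is None or not 1 <= endpoint[1] <= 65535 or endpoint[0] != self.server_ip:
            return "rejected"                  # reply must point at the server we are talking to
        self.expected.add((self.client_ip, endpoint[0], endpoint[1]))
        return "passive"

    def allow_data_connection(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        """Admit a TCP connection only if it matches an announced transfer; consumed once."""
        key = (src_ip, dst_ip, dst_port)
        if key in self.expected:
            self.expected.discard(key)
            return True
        return False


def demo() -> dict:
    insp = FtpControlInspector(client_ip="10.0.0.5", server_ip="192.0.2.20")
    return {
        "port": insp.client_command(b"PORT 10,0,0,5,4,1\r\n"),                 # 10.0.0.5:1025
        "active_data": insp.allow_data_connection("192.0.2.20", "10.0.0.5", 1025),
        "active_data_again": insp.allow_data_connection("192.0.2.20", "10.0.0.5", 1025),
        "eprt": insp.client_command(b"EPRT |1|10.0.0.5|1026|\r\n"),
        "eprt_data": insp.allow_data_connection("192.0.2.20", "10.0.0.5", 1026),
        "bounce": insp.client_command(b"PORT 10,0,0,99,4,1\r\n"),
        "bounce_data": insp.allow_data_connection("192.0.2.20", "10.0.0.99", 1025),
        "list": insp.client_command(b"LIST\r\n"),
        "pasv": insp.server_reply(b"227 Entering Passive Mode (192,0,2,20,195,80).\r\n"),  # port 50000
        "passive_data": insp.allow_data_connection("10.0.0.5", "192.0.2.20", 50000),
        "epsv": insp.server_reply(b"229 Entering Extended Passive Mode (|||50001|)\r\n"),
        "epsv_data": insp.allow_data_connection("10.0.0.5", "192.0.2.20", 50001),
        "unannounced": insp.allow_data_connection("10.0.0.5", "192.0.2.20", 60000),
    }
```

Because every admitted data connection is tied to one announcement, the firewall no longer needs a static range of data ports open, and a connection arriving from the server side that was never announced on the control channel is refused even if it targets a plausible port.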

FTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP

Secure NTP

The Network Time Protocol (NTP) is an older, but still very useful, Internet protocol designed to allow network devices and servers to synchronize their clocks with one or more centralized time servers, across a variable-latency network. In applications where time synchronization across devices is important, the ability to administer time across a large number of devices from a small number of centralized time servers using NTP is a significant advantage.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for NTP, requiring network administrators to choose between two equally unacceptable alternatives: prevent NTP traffic from passing through the firewall, effectively isolating the devices beyond from the primary time servers, or allow NTP traffic to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for NTP traffic, enabling network devices and servers to effectively reach back through the firewalls to the centralized time servers, while mitigating the associated security risks through careful inspection and filtering of all NTP traffic.

ZoneRanger’s NTP proxy service can be configured to operate in either of two modes:

  • The ZoneRanger can obtain its time from a centralized NTP server, and can act as a secondary time server, responding autonomously to NTP requests from client devices.
  • The ZoneRanger can act as a straight NTP protocol proxy, inspecting NTP requests received from client devices, relaying valid requests on to a centralized time server, and relaying server responses back to the requesting clients.
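The second mode, straight protocol proxying with inspection, as an added Python example (not ZoneRanger code): a packet from the zone passes only if it is a well-formed 48-byte NTP v3/v4 mode-3 client request, and a server packet is relayed back only to the client whose request it answers, identified by the server echoing the request's transmit timestamp in its origin field (RFC 5905). Mode 6/7 control and private packets, the ones involved in NTP amplification abuse, never pass. `NtpProxyFilter`, the timestamp value and the address 10.0.0.5 are constructed; the first mode (ZoneRanger as a secondary time server) is not shown.

```python
"""NTP straight-proxy inspection: only mode-3 client requests go out, and a
server reply comes back only to the client whose transmit timestamp it echoes.
Added example, not ZoneRanger code; names and sample packets are constructed."""
import struct

NTP_PACKET_LEN = 48
MODE_CLIENT, MODE_SERVER = 3, 4
TIMESTAMPS = struct.Struct("!QQQQ")          # reference, origin, receive, transmit


def parse_ntp(pkt: bytes):
    """Return (version, mode, origin_ts, transmit_ts) or None for anything malformed."""
    if len(pkt) != NTP_PACKET_LEN:
        return None
    version, mode = (pkt[0] >> 3) & 7, pkt[0] & 7
    if version not in (3, 4):
        return None
    _, origin, _, transmit = TIMESTAMPS.unpack_from(pkt, 16)
    return version, mode, origin, transmit


class NtpProxyFilter:
    def __init__(self):
        self.outstanding = {}                # request transmit timestamp -> client address

    def from_client(self, pkt: bytes, client: str) -> bool:
        """Zone -> time server: only a mode-3 request carrying a transmit timestamp."""
        parsed = parse_ntp(pkt)
        if parsed is None or parsed[1] != MODE_CLIENT or parsed[3] == 0:
            return False                     # control/private modes and blank requests are dropped
        self.outstanding[parsed[3]] = client
        return True

    def from_server(self, pkt: bytes):
        """Time server -> zone: return the client to relay this reply to, or None to drop it."""
        parsed = parse_ntp(pkt)
        if parsed is None or parsed[1] != MODE_SERVER:
            return None
        return self.outstanding.pop(parsed[2], None)   # origin must echo a pending transmit


def build_ntp(mode: int, origin: int = 0, transmit: int = 0, version: int = 4) -> bytes:
    """Constructed 48-byte packet: LI=0, given version/mode, zeroed stratum..root fields."""
    return bytes([(version << 3) | mode]) + bytes(15) + TIMESTAMPS.pack(0, origin, 0, transmit)


def demo() -> dict:
    f = NtpProxyFilter()
    t1 = 0xE8D34A2C80000000                  # constructed 64-bit NTP timestamp
    return {
        "client_request": f.from_client(build_ntp(MODE_CLIENT, transmit=t1), "10.0.0.5"),
        "mode7_from_client": f.from_client(build_ntp(7, transmit=t1), "10.0.0.5"),
        "server_reply": f.from_server(build_ntp(MODE_SERVER, origin=t1, transmit=t1 + 1)),
        "replayed_reply": f.from_server(build_ntp(MODE_SERVER, origin=t1, transmit=t1 + 2)),
        "unsolicited_reply": f.from_server(build_ntp(MODE_SERVER, origin=123, transmit=456)),
        "truncated": f.from_server(build_ntp(MODE_SERVER)[:40]),
    }
```

A real deployment would also expire entries in `outstanding` after a few seconds and bound its size, so that a burst of requests from one device cannot grow the table without limit.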

NTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP

Secure TFTP

Trivial File Transfer Protocol (a.k.a. TFTP) is not as trivial as its name suggests. Even though TFTP is a very simple, very basic file transfer protocol, it plays an important role in enabling management applications to manage the network device configurations. The majority of network devices provide mechanisms whereby they can be commanded to transfer their configuration files to/from a TFTP server, and a growing number of management applications have been developed, taking advantage of these mechanisms, to provide advanced configuration management services for large numbers of network devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for these applications, requiring network administrators to choose between two equally unacceptable alternatives: prevent TFTP traffic from passing through the firewall, accepting the resulting loss of ability to transfer configuration files to/from the devices beyond, or allow TFTP traffic to pass through the firewall, accepting the associated security risks. These security risks, in the case of TFTP, are significant, given that TFTP does not require login, and uses UDP, which is relatively easy to spoof, as a transport protocol.

ZoneRanger resolves this dilemma by acting as a proxy TFTP server. Managed devices, acting as TFTP clients, are instructed to transfer files to and from the ZoneRanger, rather than communicating directly with the management applications, eliminating the need to open the firewall to TFTP traffic. The ZoneRanger can proxy TFTP requests through to the management applications, or can be configured to transfer files to/from an internal directory, or to/from directories on the servers where the management applications are installed.
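The request handling a proxy TFTP server needs when it maps transfers onto an internal directory, as an added Python example (not ZoneRanger code): parse the RRQ/WRQ (RFC 1350), reject malformed requests and unknown modes, confine the requested name to the directory so it cannot escape by `..` or an absolute path, and, since TFTP has no login, allow uploads (WRQ) only from listed devices. `TftpProxyStore`, the directory /srv/tftp-proxy and the addresses 10.0.0.5 and 10.0.0.9 are constructed; proxying the request on to a management application's TFTP server is not shown.

```python
"""TFTP request handling for a proxy TFTP server backed by one internal directory:
parse, validate, confine the file name, and gate uploads by source device.
Added example, not ZoneRanger code; paths and addresses are constructed."""
import struct
from pathlib import Path

OP_RRQ, OP_WRQ = 1, 2
MODES = {b"octet", b"netascii"}


def parse_tftp_request(pkt: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ (RFC 1350), else None."""
    if len(pkt) < 4:
        return None
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode not in (OP_RRQ, OP_WRQ):
        return None
    fields = pkt[2:].split(b"\x00")
    if len(fields) < 3 or fields[-1] != b"":             # filename NUL mode NUL [options]
        return None
    filename, mode = fields[0], fields[1].lower()
    if not filename or mode not in MODES:
        return None
    try:
        return opcode, filename.decode("ascii"), mode.decode("ascii")
    except UnicodeDecodeError:
        return None


class TftpProxyStore:
    def __init__(self, root: str, writers):
        self.root = Path(root).resolve()
        self.writers = set(writers)                      # devices allowed to upload

    def resolve(self, src_ip: str, pkt: bytes):
        """Return the local path a request maps to, or None to reject it."""
        parsed = parse_tftp_request(pkt)
        if parsed is None:
            return None
        opcode, name, _ = parsed
        if opcode == OP_WRQ and src_ip not in self.writers:
            return None
        if "\\" in name or any(ord(c) < 0x20 for c in name):
            return None
        target = (self.root / name).resolve()           # collapses '..' and absolute names
        try:
            target.relative_to(self.root)
        except ValueError:
            return None                                  # escaped the directory
        if target == self.root:
            return None
        return target


def tftp_request(opcode: int, filename: bytes, mode: bytes = b"octet") -> bytes:
    """Constructed RRQ/WRQ datagram."""
    return struct.pack("!H", opcode) + filename + b"\x00" + mode + b"\x00"


def demo() -> dict:
    store = TftpProxyStore("/srv/tftp-proxy", writers=["10.0.0.5"])
    expected = store.root / "router1-confg"
    return {
        "get": store.resolve("10.0.0.9", tftp_request(OP_RRQ, b"router1-confg")) == expected,
        "put_allowed": store.resolve("10.0.0.5", tftp_request(OP_WRQ, b"router1-confg")) == expected,
        "put_refused": store.resolve("10.0.0.9", tftp_request(OP_WRQ, b"router1-confg")),
        "traversal": store.resolve("10.0.0.5", tftp_request(OP_RRQ, b"../../etc/passwd")),
        "absolute": store.resolve("10.0.0.5", tftp_request(OP_RRQ, b"/etc/shadow")),
        "bad_mode": store.resolve("10.0.0.5", tftp_request(OP_RRQ, b"router1-confg", b"mail")),
        "truncated": store.resolve("10.0.0.5", b"\x00\x01rou"),
    }
```

The source-address check is the only gate TFTP offers, and UDP source addresses can be spoofed, which is why the proxy keeps the directory separate from the management servers and why the page's point about not opening the firewall to TFTP at all still stands.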

The ZoneRanger TFTP proxy feature can be used together with the SNMP proxy feature to handle the situation where managed devices are instructed to transfer configuration files using an SNMP set request. When the ZoneRanger sees an SNMP set request that appears to instruct a device to perform a configuration file transfer, it can modify the request so that the device is directed to the ZoneRanger’s own TFTP server; when the managed device then initiates the transfer, the ZoneRanger proxies it through to the TFTP server that was originally requested.

TFTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH

Secure HTTP/HTTPS

Although originally associated with the World Wide Web, web protocols such as HTTP and HTTPS have also become a common way for network devices and servers to provide intuitive, user-friendly management interfaces, which can be used to configure, control, and monitor managed devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for HTTP and HTTPS users, requiring them to choose between two equally unacceptable alternatives: prevent HTTP and HTTPS from passing through the firewall, accepting limited ability to access the devices beyond, or allow HTTP and HTTPS to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as a transport-layer proxy for HTTP and HTTPS traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks in a variety of ways:

  • ZoneRanger effectively breaks the underlying TCP transport connection that carries the HTTP and/or HTTPS traffic into two connections, helping to protect the management application from TCP-based attacks.
  • ZoneRanger allows management applications to originate HTTP or HTTPS sessions with managed devices, but connections in the reverse direction are not allowed.
  • ZoneRanger can be configured to restrict HTTP and HTTPS traffic to specified devices and ports.
  • ZoneRanger can be configured to perform destination port translation, allowing management applications to initiate HTTP or HTTPS sessions using standard well-known ports, to devices that have been configured to use non-standard ports as a security precaution (i.e. to fool/confuse port scanners).

HTTP and HTTPS are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP