How do you manage what you cannot see?  Corporate information on the Internet is mandatory, and it exposes the network to threats. The battle lines are drawn between security and network management.  The invention of the firewall stopped many intruders.  Firewalls also stopped network management. To solve this problem, extensive firewall rules are established  Security experts agree network management protocols are a significant security risk.  In many cases, SNMP and other protocols are not allowed to pass through the firewalls. Without these protocols, network managers cannot ensure availability of data or applications. DMZs (extranets, untrusted zones, etc.) were the initial areas of concern.

These customer-facing networks outside the firewall are an organization’s connection to customers for e-commerce and marketing.  This component of IT targets 100% uptime availability.  Network and security teams struggle with a fair compromise to achieve this goal. ZoneRanger was built to address these issues.  With an extensive customer list and nine years of developing network management software for HP OpenView, our consultants have encountered these problems many times.  Our goal was to build a secure network appliance to support the applications and protocols required to meet the needs of  the network management team without violating the network security policies.

ENTERPRISE CHALLENGES

Firewall Rule Changes -- Death by Committee

The impact of changing firewall rule or opening another port on the firewall is complicated. ZoneRanger eliminates the need for multiple rules and ports. Adding a device or new management application does not require a rule change.. Change management is no longer needed for the DMZ.

Too Many Traps or No Traps at All

Few organizations allow traps from the DMZ. Those that do are challenged to sort the valid from the worthless. The opposite solution is no traps and no warning of problems. ZoneRanger blocks unauthorized traps while acceptable traps are consolidated and filtered. Traps can be configured for multiple delivery destinations based on source addresses, PDU data, or var binds.

Syslog and Cisco Log Messages

Log files provide a history of the life of the system. This rich information is sitting on those devices in the DMZ and often unavailable to operations personnel. ZoneRanger establishes source-based rules to forward messages to the correct destination inside the firewall.

Using Netflow Data from the DMZ

Netflow and sFlow provide real-time network data that includes security threats, QOS, utilization, and user / application monitoring. Due to security, most organizations allow no UDP traffic to pass through the firewall. ZoneRanger filters and securely passes Netflow / sFlow data to specific destinations in the intranet. This feature is application to any Netflow / sFlow collector.

SERVICE PROVIDER CHALLENGES

Duplicate IP

Many small to medium sized organizations do not have registered IP addresses. As a proxy device, ZoneRangers shields the service provider network and applications from these individual addresses. The feature allows full application support and minimal administration compared to implementation of NAT. Read ZoneRanger Business Case document on Duplicate IP.

Shared Applications

In many MSPs / ISPs, a standard set of applications is used to manage multiple customer networks. Deployment of a ZoneRanger at each customer site will appear as a single device to the management application. The proxy features allow the service provider to manage multiple ZoneRangers and their individual DMZs with a single instance of the management application. Additional revenue opportunities exist for providers who give users access to the web server dashboard on their individual ZoneRanger. Read ZoneRanger Business Case document on Shared Applications.