How do you manage what you cannot see? Putting corporate information on the Internet is now mandatory, and doing so exposes the network to threats. The battle lines are drawn between security and network management. The invention of the firewall stopped many intruders; it also stopped network management. To work around this, extensive firewall rules are established. Security experts agree that network management protocols are a significant security risk, and in many cases SNMP and other management protocols are not allowed to pass through the firewall at all. Without these protocols, network managers cannot ensure the availability of data or applications. DMZs (extranets, untrusted zones, etc.) were the initial areas of concern.
These customer-facing networks outside the firewall are an organization's connection to its customers for e-commerce and marketing. This part of IT targets 100% availability, and network and security teams struggle to find a fair compromise that achieves it. ZoneRanger was built to address these issues. With an extensive customer list and nine years of developing network management software for HP OpenView, our consultants have encountered these problems many times. Our goal was to build a secure network appliance that supports the applications and protocols the network management team needs without violating network security policy.
Secure Proxy Server for Network Management Protocols
ZoneRanger is typically deployed outside the firewall. It communicates over an industry-standard 128-bit SSL-encrypted TCP connection with a Ranger Gateway inside the firewall. Using the proxy-server model, the Ranger Gateway delivers management requests to the ZoneRanger, which in turn delivers them to the target device and relays the responses back. Management applications can therefore communicate with devices outside the firewall without additional rules or open ports beyond that single connection.
Secure Remote NMS (Network Management Systems)
For remote locations that must remain isolated, ZoneRanger can be deployed as an independent network management system. This 2U rack-mounted appliance can also report to a primary NMS such as HP OpenView. Depending on its configuration, it can run discovery, display the health of the network, perform root-cause correlation, and manage network inventory. A simple web interface gives operations personnel a view into the health of the remote network.
Firewall Rule Changes -- Death by Committee
Changing a firewall rule or opening another port on the firewall is a complicated, committee-driven process. ZoneRanger eliminates the need for multiple rules and ports: adding a device or a new management application does not require a firewall rule change, so routine DMZ management changes no longer have to go through firewall change management.
Too Many Traps or No Traps at All
Few organizations allow traps from the DMZ, and those that do are challenged to sort the valid ones from the worthless. The alternative is no traps at all, and therefore no warning of problems. ZoneRanger blocks unauthorized traps, while acceptable traps are consolidated and filtered. Traps can be routed to multiple delivery destinations based on source address, PDU data, or varbinds.
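As an added illustration of the kind of trap policy described above (this is example code, not ZoneRanger's implementation), the following Python decodes an SNMPv2c trap from its raw BER bytes and applies rules keyed on source address, trap OID and varbind value. The rule format, the destination names and the 192.0.2.0/24 and 198.51.100.7 addresses are assumptions made for the example; the OIDs are the standard SNMPv2-MIB and IF-MIB objects. A trap from a source that no rule covers is dropped, which is the "unauthorized trap" case.

```python
# Added example, not ZoneRanger code: decode an SNMPv2c trap and route it by source
# address, trap OID and varbind value. Rule format, destinations and addresses are assumptions.
import ipaddress

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"  # snmpTrapOID.0
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"        # linkDown notification
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"   # ifOperStatus column, value 2 = down

def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 0x80, "short-form length is enough for the constructed trap"
    return bytes([tag, len(body)]) + body

def enc_int(v: int, tag: int = 0x02) -> bytes:
    # INTEGER and the application types (Counter32/Gauge32/TimeTicks) share this encoding
    return tlv(tag, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def enc_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:                     # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += chunk
    return tlv(0x06, bytes(out))

def build_linkdown_trap(if_index: int, community: bytes = b"public") -> bytes:  # constructed test input
    varbinds = [("1.3.6.1.2.1.1.3.0", enc_int(123456, 0x43)),              # sysUpTime.0, TimeTicks
                (SNMP_TRAP_OID, enc_oid(LINK_DOWN)),
                (f"1.3.6.1.2.1.2.2.1.1.{if_index}", enc_int(if_index)),  # ifIndex
                (f"{IF_OPER_STATUS}.{if_index}", enc_int(2))]              # down
    vbl = tlv(0x30, b"".join(tlv(0x30, enc_oid(o) + v) for o, v in varbinds))
    pdu = tlv(0xA7, enc_int(1) + enc_int(0) + enc_int(0) + vbl)  # request-id, error-status, error-index
    return tlv(0x30, enc_int(1) + tlv(0x04, community) + pdu)    # version field 1 means SNMPv2c

def read_tlv(buf: bytes, pos: int):          # one BER TLV (short or long-form length)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_value(tag: int, body: bytes):
    if tag in (0x02, 0x41, 0x42, 0x43):     # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=tag == 0x02)
    if tag == 0x04:                          # OCTET STRING
        return body.decode("latin-1")
    if tag == 0x06:                          # OBJECT IDENTIFIER
        return decode_oid(body)
    raise ValueError(f"unsupported BER tag 0x{tag:02x}")

def decode_trap(msg: bytes) -> dict:
    tag, body, _ = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must be a SEQUENCE")
    _, _, pos = read_tlv(body, 0)            # version field (1 = SNMPv2c)
    _, community, pos = read_tlv(body, pos)
    tag, pdu, _ = read_tlv(body, pos)
    if tag != 0xA7:                          # SNMPv1 traps (0xA4) and request PDUs are rejected
        raise ValueError("not an SNMPv2-Trap PDU")
    pos = 0
    for _ in range(3):                       # skip request-id, error-status, error-index
        _, _, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = {}, 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid, p = read_tlv(vb, 0)
        vtag, val, _ = read_tlv(vb, p)
        varbinds[decode_oid(oid)] = decode_value(vtag, val)
    return {"community": community.decode("latin-1"),
            "trap_oid": varbinds.get(SNMP_TRAP_OID), "varbinds": varbinds}

# Constructed policy: a trap is copied to every matching rule's destinations; an uncovered source is dropped.
RULES = [{"src": "192.0.2.0/24", "trap_oid": LINK_DOWN, "varbind": (IF_OPER_STATUS, 2),
          "to": ["nms-primary"]},                          # only genuine link-down events
         {"src": "192.0.2.0/24", "to": ["trap-archive"]}]  # everything from the DMZ range

def has_varbind(varbinds: dict, column: str, want) -> bool:
    return any(o.startswith(column + ".") and v == want for o, v in varbinds.items())

def route_trap(src_ip: str, msg: bytes, rules=RULES) -> list:
    trap, src, dests = decode_trap(msg), ipaddress.ip_address(src_ip), []
    for r in rules:
        if src not in ipaddress.ip_network(r["src"]):
            continue
        if "trap_oid" in r and trap["trap_oid"] != r["trap_oid"]:
            continue
        if "varbind" in r and not has_varbind(trap["varbinds"], *r["varbind"]):
            continue
        dests += [d for d in r["to"] if d not in dests]
    return dests
```

Calling `route_trap("192.0.2.10", build_linkdown_trap(3))` yields both destinations, while the same trap from 198.51.100.7 yields an empty list and is dropped. Matching on the decoded trap OID and on a varbind value, rather than on the raw source address alone, is what lets a rule pass genuine link-down events to the NMS while an archive rule keeps everything from the DMZ range.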
Syslog and Cisco Log Messages
Log files record the life history of a device. This rich information sits on devices in the DMZ and is often unavailable to operations personnel. ZoneRanger applies source-based rules to forward syslog and Cisco log messages to the correct destination inside the firewall.
Using Netflow Data from the DMZ
NetFlow and sFlow provide real-time network data covering security threats, QoS, utilization, and user and application monitoring. For security reasons, most organizations allow no UDP traffic through the firewall. ZoneRanger filters NetFlow / sFlow data and securely passes it to specific destinations on the intranet. This feature applies to any NetFlow / sFlow collector.
SERVICE PROVIDER CHALLENGES
Many small and medium-sized organizations use private (unregistered) IP address space, so different customers' networks can carry duplicate addresses. As a proxy device, ZoneRanger shields the service provider's network and applications from these individual addresses, giving full application support with far less administration than implementing NAT. Read the ZoneRanger Business Case document on Duplicate IP.
In many MSPs / ISPs, a standard set of applications is used to manage multiple customer networks. A ZoneRanger deployed at each customer site appears to the management application as a single device, and the proxy features let the service provider manage multiple ZoneRangers and their individual DMZs from a single instance of the management application. Additional revenue opportunities exist for providers who give customers access to the web dashboard on their individual ZoneRanger. Read the ZoneRanger Business Case document on Shared Applications.