Cybersecurity: Minimizing the Attack Surface

Although according to Three Dog Night, “One is the Loneliest Number”, the gold-charting band was definitely not referring to network attack surfaces. No matter what you are trying to defend, the smaller the area an attacker can reach, the easier it is to repel the attacker. The same is true of corporate networks and the use of firewalls as the first line of defense against the wilds of the Internet.

One of the basic tenets of Corporate Security Policy is to minimize the number and complexity of the firewall rules needed to defend the enterprise. In fact, sophisticated network security teams require committees to review and approve any and all changes to the corporate firewalls. So can you imagine if the Network Operations Manager submitted to the Firewall Committee the number of rules needed to manage the DMZ devices? To put it mildly, the response would be in line with the 1961 Connie Francis song, “Too Many Rules”.

In Alert (TA18-106A), “Russian state-sponsored cyber actors have conducted both broad-scale and targeted scanning of Internet address spaces. Such scanning allows these actors to identify enabled Internet-facing ports and services, conduct device fingerprinting, and discover vulnerable network infrastructure devices. Protocols targeted in this scanning include Telnet (typically Transmission Control Protocol (TCP) port 23, but traffic can be directed to a wide range of TCP ports such as 80, 8080, etc.), Hypertext Transport Protocol (HTTP, port 80), Simple Network Management Protocol (SNMP, ports 161/162), and Cisco Smart Install (SMI port 4786).”

So any process or tool that can help minimize the corporate firewall attack surface by limiting the number of firewall rules would be a welcome addition to the network security team. When the NOC manager submits to the Firewall Committee the one rule needed by the Tavve ZoneRanger to manage all of the DMZ devices, they will be singing another Three Dog Night hit, “Joy to the World.”

The ability of the ZoneRanger (residing in the DMZ) to route your network management traffic to the Tavve Ranger Gateway (residing on the other side of the corporate firewall in the enterprise network) through a single firewall port provides maximum device manageability while minimizing the corporate firewall attack surface and significantly reducing overall firewall rule complexity. The connection between the ZoneRanger and Ranger Gateway also uses an industry-standard 128-bit encrypted (SSL) TCP connection. Thus the ZoneRanger can provide ultimate DMZ manageability for the NOC without increasing the attack surface of the corporate firewall, while maintaining overall Corporate Security Policy. Everybody wins.
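To make the rule-count argument concrete, here is an added example (not Tavve code) that audits a constructed toy firewall rule list: it counts the rules a per-device management design needs versus a single-port proxy design, and flags any rule that exposes one of the ports named in TA18-106A to any source. The rule syntax, the addresses, and the port 443 used for the tunnel are assumptions for illustration.

```python
"""Count and audit firewall rules for DMZ device management (added example, not Tavve code).

Rule format is a constructed toy syntax, one rule per line:
    permit|deny <src> <dst> tcp|udp <port>     ('any' as src = reachable from the Internet)
"""

# Ports named in US-CERT Alert TA18-106A as scanning targets (quoted above).
TA18_106A_PORTS = {
    23: "Telnet", 80: "HTTP", 161: "SNMP", 162: "SNMP trap", 4786: "Cisco Smart Install",
}

def parse_rules(text):
    """Parse the toy rule syntax into dicts; blank lines are ignored."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, src, dst, proto, port = line.split()
        rules.append({"action": action, "src": src, "dst": dst,
                      "proto": proto, "port": int(port)})
    return rules

def audit(text):
    """Return the rule count and every permit rule opening a TA18-106A port to 'any' source."""
    rules = parse_rules(text)
    exposed = [
        (r["dst"], r["port"], TA18_106A_PORTS[r["port"]])
        for r in rules
        if r["action"] == "permit" and r["src"] == "any" and r["port"] in TA18_106A_PORTS
    ]
    return {"rule_count": len(rules), "internet_exposed": exposed}

# Constructed "before": the NOC host 10.1.0.5 manages each DMZ device directly,
# so every device needs its own SSH/Telnet/SNMP rules, and one careless 'any' rule crept in.
PER_DEVICE_RULES = """
permit 10.1.0.5 192.0.2.10 tcp 22
permit 10.1.0.5 192.0.2.10 udp 161
permit 192.0.2.10 10.1.0.5 udp 162
permit 10.1.0.5 192.0.2.11 tcp 23
permit 10.1.0.5 192.0.2.11 udp 161
permit 192.0.2.11 10.1.0.5 udp 162
permit any 192.0.2.12 tcp 4786
"""

# Constructed "after": all management traffic rides one encrypted TCP connection between an
# enterprise-side gateway (10.1.0.6) and a DMZ-side proxy (192.0.2.20). Port 443 is assumed.
SINGLE_RULE = "permit 10.1.0.6 192.0.2.20 tcp 443\n"

if __name__ == "__main__":
    for name, text in (("per-device", PER_DEVICE_RULES), ("single-port", SINGLE_RULE)):
        result = audit(text)
        print(name, "rules:", result["rule_count"], "exposed:", result["internet_exposed"])
```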

Next time, let’s discuss AAA. That is Authentication, Authorization and Accounting, and not the emergency car service!

Learn more about Tavve’s ZoneRanger here.
