ZoneRanger: Secure Telnet & SSH Proxy
Even though web-based user interfaces have become very popular, the vast majority of network devices and servers continue to support Telnet, and/or its more security-conscious successor SSH, partly because some users prefer a command-line style of user interface, and partly because the command-line style is better suited to automation. As a result, a significant number of management applications are able to use Telnet and/or SSH to configure, control, or collect information from managed devices.

The common industry practice of partitioning networks into security zones with conventional firewalls creates a problem for users of these management applications, who must choose between two equally unacceptable alternatives: block Telnet and SSH at the firewall and accept a limited ability to manage the devices beyond it, or allow Telnet and/or SSH through the firewall and accept the associated security risks.

ZoneRanger resolves this dilemma, acting as a transport-layer proxy for Telnet and SSH traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks in a variety of ways:

  • ZoneRanger effectively breaks the underlying TCP transport connection that carries the Telnet and/or SSH traffic into two connections, helping to protect the management application from TCP-based attacks.
  • ZoneRanger allows management applications to originate Telnet or SSH sessions with managed devices, but connections in the reverse direction are not allowed.
  • ZoneRanger can be configured to restrict Telnet and SSH traffic to specified devices and ports.
  • ZoneRanger can be configured to perform destination port translation, allowing management applications to initiate Telnet or SSH sessions using standard well-known ports, to devices that have been configured to use non-standard ports as a security precaution (i.e. to fool/confuse port scanners).

[Figure: Telnet / SSH diagram]
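
The four controls listed above (split TCP connections, one-way session origination, destination restriction, and port translation) can be illustrated with a generic relay. This is an added example, not ZoneRanger code or configuration; the policy values, the function names, and the one-listener-per-device layout are assumptions made for illustration.

```python
import asyncio
import ipaddress

# Constructed policy (assumption, not ZoneRanger configuration syntax).
ALLOWED_NETS = [ipaddress.ip_network("127.0.0.0/8")]  # permitted device range
ALLOWED_PORTS = {22, 23}                               # SSH and Telnet only
PORT_MAP = {}  # (device_ip, well_known_port) -> device's real listening port

def authorize(dest_ip, dest_port):
    """Return the (ip, port) to dial, or None when policy denies the session."""
    ip = ipaddress.ip_address(dest_ip)
    if dest_port not in ALLOWED_PORTS or not any(ip in n for n in ALLOWED_NETS):
        return None  # default deny
    return dest_ip, PORT_MAP.get((dest_ip, dest_port), dest_port)

async def _pump(reader, writer):
    """Copy payload bytes one way until EOF, then close the far side."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    except ConnectionError:
        pass
    finally:
        writer.close()

def make_handler(dest_ip, dest_port):
    """Handler for a listener that stands in for one managed device."""
    async def handle(c_reader, c_writer):
        target = authorize(dest_ip, dest_port)
        if target is None:
            c_writer.close()  # refused before any device-side connection exists
            return
        try:
            d_reader, d_writer = await asyncio.open_connection(*target)
        except OSError:
            c_writer.close()
            return
        # Two independent TCP connections; only payload bytes cross between them.
        await asyncio.gather(_pump(c_reader, d_writer), _pump(d_reader, c_writer))
    return handle

async def serve(listen_port, dest_ip, dest_port):
    """Accept from the management side only; devices are dialed, never accepted."""
    return await asyncio.start_server(
        make_handler(dest_ip, dest_port), "127.0.0.1", listen_port)
```

Because the relay has no listener on the device-facing side, a device cannot open a session toward the management application, and a request for a destination outside the policy is dropped without any outbound connection being made.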

In addition to enabling management applications to access command line interfaces for managed devices, ZoneRanger SSH proxy can also be used for secure file transfer (i.e. SCP, SFTP), reducing the need to use less secure protocols such as FTP or TFTP.

Telnet and SSH are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

 

 


What others are saying...

"Tavve has developed the ZoneRanger product, in order to enable companies to leverage their centralized management infrastructure across firewall-partitioned networks, while mitigating risks associated with management protocols."
Tavve: ZoneRanger 
Subraya Mallya
PrudentCloud.com


"Without a more secure approach to managing the protocols and tools that manage the network - including the 'trusted' internal network - enterprises may be exposing themselves to more risk than they realize."

Scott Crawford, CISSP, ISSAP, ISSMP
Senior Analyst, Enterprise Management Associates

"ZoneRanger effectively extends the reach of management applications to devices located beyond firewalls, eliminating the need for complicated firewall configurations, extensive agent deployments, or expensive application replication. ZoneRanger also provides security, acting as an application layer proxy firewall, inspecting and validating the traffic relayed between applications and devices."
Jim Doble, CISSP
CTO, Tavve