ZoneRanger: Secure TACACS+ / RADIUS Proxy

Centralized access control using the TACACS+ and/or RADIUS protocols has become a popular and effective approach for managing secure access to network devices and servers. The ability to manage user authentication, authorization, and accounting in a single server, or a small number of servers, provides a significant advantage both in terms of reduced administrative effort/cost, and improved security, because changes can be made in a more timely and less error-prone manner.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for centralized access control, requiring network administrators to choose between two equally unacceptable alternatives: prevent TACACS+ and RADIUS from passing through the firewall, effectively isolating the devices beyond from the primary centralized access control servers, or allow TACACS+ and/or RADIUS to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for TACACS+ and RADIUS traffic, enabling network devices and servers to effectively reach back through the firewall to the centralized access control servers, while mitigating the associated security risks through careful inspection and filtering of all TACACS+ and RADIUS traffic.

TACACS+ / RADIUS diagram

In addition to acting as a proxy for TACACS+ and RADIUS traffic originated by network devices and servers, ZoneRanger can also act as a TACACS+ or RADIUS client, using its own proxy service, so that authentication and authorization for access to the ZoneRanger’s own administration interfaces can also be configured and monitored from centralized access control servers.

TACACS+ and RADIUS are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

 

 

How does ZoneRanger fit into your network?

What others are saying...

"Tavve has developed the ZoneRanger product, in order to enable companies to leverage their centralized management infrastructure across firewall-partitioned networks, while mitigating risks associated with management protocols."
Tavve: ZoneRanger 
Subraya Mallya
PrudentCloud.com


"Without a more secure approach to managing the protocols and tools that manage the network - including the 'trusted' internal network - enterprises may be exposing themselves to more risk than they realize."

Scott Crawford, CISSP, ISSAP, ISSMP
Senior Analyst, Enterprise Management Associates

"ZoneRanger effectively extends the reach of management applications to devices located beyond firewalls, eliminating the need for complicated firewall configurations, extensive agent deployments, or expensive application replication. ZoneRanger also provides security, acting as an application layer proxy firewall, inspecting and validating the traffic relayed between applications and devices."
Jim Doble, CISSP
CTO, Tavve