TechNote: ZoneRanger Makes SYSLOG Usable in Unsecured Areas of the Network
The Challenge

Logging system/device activity is a critical piece in maintaining a complex network infrastructure. The NOC relies on log messages for exception reporting and troubleshooting. The security group can use log information to "play back" what happened around a suspect incident. Industry regulations such as Sarbanes-Oxley can require that accurate logs be stored in a secure archive.

Syslog is a ubiquitous mechanism for logging system messages from a wide range of network devices and servers. For most devices syslog is available as soon as the device has booted. This lightweight common protocol doesn't come without a few shortcomings. Syslog messages travel in UDP packets. These plaintext messages pose a security risk, and many companies don't allow inbound UDP through a firewall. Leaving the syslog receiver open to all devices makes it vulnerable to a Denial of Service attack. Locking down the firewall to known devices with host rules requires manpower and adds to the firewall rule load.

The ZoneRanger Solution

Tavve's ZoneRanger appliance makes syslog usable with devices in unsecured areas of the network. A single SSL-encrypted TCP port in the firewall is used to pass syslog messages from the ZoneRanger to the syslog receiver. This shortens the unencrypted, unreliable path syslog messages must traverse to the single hop from the device to the ZoneRanger. Syslog messages are only forwarded for systems/devices the ZoneRanger is currently managing, eliminating traffic from nodes that might attempt a DoS attack. The ZoneRanger can filter syslog messages by source address, message header information and message string, reducing the number of unimportant messages reaching the syslog processing system. Multiple forwarding rules can be configured so that messages can be forwarded to multiple syslog processors. One may be creating notifications based on message content, another used to log the messages for archiving.

Syslog messages can be converted to SNMP traps for processing with trap receivers such as HP OpenView NNM on Windows.
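As an added illustration (not Tavve's or ZoneRanger's code), the relay-side filtering model described above in Python: datagrams from devices that are not managed are dropped, the syslog PRI header is parsed for facility and severity, and each forwarding rule selects messages by source address, severity and message text for its own receiver. The device addresses, rules and receiver names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed allowlist of managed devices; anything else is dropped before
# it can reach a receiver (the note's defence against unknown senders).
MANAGED_DEVICES = {"10.1.1.10", "10.1.1.11"}

# RFC 3164 style header: "<PRI>" followed by the rest of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(datagram: str):
    """Return (facility, severity, rest) or None if the PRI header is invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 facilities * 8 severities - 1 is the maximum
        return None
    return pri // 8, pri % 8, m.group(2)


@dataclass
class Rule:
    """One forwarding rule (hypothetical): where to send, and what qualifies."""
    destination: str                            # "host:port" of a receiver
    sources: set = field(default_factory=set)   # empty = any managed device
    max_severity: int = 7                       # 0=emerg .. 7=debug
    contains: str = ""                          # substring the text must hold

    def matches(self, src: str, severity: int, text: str) -> bool:
        return ((not self.sources or src in self.sources)
                and severity <= self.max_severity
                and self.contains in text)


def route(src: str, datagram: str, rules) -> list:
    """Receivers a datagram is relayed to; an empty list means it is dropped."""
    if src not in MANAGED_DEVICES:
        return []                      # unmanaged sender: never forwarded
    parsed = parse_pri(datagram)
    if parsed is None:
        return []                      # malformed header: drop, do not relay
    _facility, severity, text = parsed
    return [r.destination for r in rules if r.matches(src, severity, text)]
```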
How does ZoneRanger fit into your network?

What others are saying...

"Tavve has developed the ZoneRanger product, in order to enable companies to leverage their centralized management infrastructure across firewall-partitioned networks, while mitigating risks associated with management protocols."
Subraya Mallya, PrudentCloud.com, "Tavve: ZoneRanger"

"Without a more secure approach to managing the protocols and tools that manage the network - including the 'trusted' internal network - enterprises may be exposing themselves to more risk than they realize."
Scott Crawford, CISSP, ISSAP, ISSMP, Senior Analyst, Enterprise Management Associates

"ZoneRanger effectively extends the reach of management applications to devices located beyond firewalls, eliminating the need for complicated firewall configurations, extensive agent deployments, or expensive application replication. ZoneRanger also provides security, acting as an application layer proxy firewall, inspecting and validating the traffic relayed between applications and devices."
Jim Doble, CISSP, CTO, Tavve