Managing Through Firewalls
ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for management protocols, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks.
- ZoneRanger provides a protocol break at the transport layer. TCP, UDP, ICMP, and IP headers do not pass transparently through the ZoneRanger, but are fully reconstructed before forwarding to the intended destination, providing protection against transport layer attacks.
- Management protocol messages are carefully inspected to ensure that they are syntactically correct before being allowed to pass through the firewall.
- Where applicable, response messages are matched with known outstanding requests before being allowed to pass through the firewall.
- Management protocol transactions are typically restricted to a predefined direction. For example, a management application is allowed to send an SNMP Get Request to a managed device, but the reverse is not allowed.
- In situations where management applications initiate requests destined for managed devices, ZoneRanger can be configured to perform destination port translation. This allows management applications to send requests using standard well-known ports to devices that have been configured to use non-standard ports as a security precaution (i.e. to fool/confuse port scanners).
- In the case of SNMP, ZoneRanger can be configured to convert v1 and v2c requests to SNMPv3, allowing management applications to continue to use the older, more prevalent versions of SNMP, while enabling the selective use of SNMPv3 within firewall-partitioned zones where higher levels of security are required.
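The forwarding rules listed above (syntax check, request/response matching, fixed transaction direction, destination port translation and v1/v2c-to-v3 upgrade) are easier to reason about as one decision function. The following is an added illustration written for this page, not ZoneRanger code and not a description of its internals: it models the checks on simplified, already-decoded SNMP messages (the `SnmpMsg` record, the `Proxy` class, the zone names `mgmt`/`dmz`, the port map and the v3 upgrade set are all assumptions of the example, and real BER decoding and SNMPv3 credential handling are left out).

```python
"""Toy model of an application-layer management proxy's forwarding checks.

Constructed example for illustration only; it is not ZoneRanger code.
It models the decisions the page describes on simplified, pre-decoded
SNMP messages: syntax check, direction policy, response-to-request
matching, destination port translation and v1/v2c -> v3 upgrade.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

INSIDE = "mgmt"    # assumed zone holding the management application
OUTSIDE = "dmz"    # assumed firewall-partitioned zone holding managed devices

REQUEST_PDUS = {"GetRequest", "GetNextRequest", "SetRequest"}
RESPONSE_PDUS = {"Response"}


@dataclass(frozen=True)
class SnmpMsg:
    """Simplified decoded SNMP message (constructed model, not real BER)."""
    src_zone: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pdu: str
    request_id: int
    version: int = 2   # 1 = v1, 2 = v2c, 3 = v3


@dataclass
class Proxy:
    # device IP -> non-standard port the device actually listens on
    port_map: Dict[str, int] = field(default_factory=dict)
    # device IPs for which v1/v2c requests are upgraded to v3
    upgrade_to_v3: Set[str] = field(default_factory=set)
    # (device IP, request-id) -> (requester IP, requester port) still awaiting a reply
    outstanding: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def check_syntax(self, m: SnmpMsg) -> Tuple[bool, str]:
        """Reject anything that is not a well-formed message of a known type."""
        if m.pdu not in REQUEST_PDUS | RESPONSE_PDUS:
            return False, "unknown PDU type"
        if not isinstance(m.request_id, int) or not 0 <= m.request_id <= 0x7FFFFFFF:
            return False, "request-id out of range"
        if m.version not in (1, 2, 3):
            return False, "unsupported SNMP version"
        return True, "ok"

    def forward(self, m: SnmpMsg) -> Tuple[bool, str, Optional[SnmpMsg]]:
        """Return (allowed, reason, rebuilt message to send on, or None)."""
        ok, why = self.check_syntax(m)
        if not ok:
            return False, why, None

        if m.pdu in REQUEST_PDUS:
            # Direction policy: requests only flow from the management zone outward.
            if m.src_zone != INSIDE:
                return False, "requests are only accepted from the management zone", None
            self.outstanding[(m.dst_ip, m.request_id)] = (m.src_ip, m.src_port)
            # The message is rebuilt, not passed through: translate the port and
            # upgrade the version where policy requires it (credentials omitted).
            rebuilt = SnmpMsg(
                src_zone=INSIDE, src_ip=m.src_ip, src_port=m.src_port,
                dst_ip=m.dst_ip, dst_port=self.port_map.get(m.dst_ip, m.dst_port),
                pdu=m.pdu, request_id=m.request_id,
                version=3 if m.dst_ip in self.upgrade_to_v3 else m.version,
            )
            return True, "request forwarded", rebuilt

        # Response path: must come from the device zone and match a live request.
        if m.src_zone != OUTSIDE:
            return False, "responses are only accepted from the managed-device zone", None
        key = (m.src_ip, m.request_id)
        if key not in self.outstanding:
            return False, "unsolicited or duplicate response dropped", None
        requester_ip, requester_port = self.outstanding.pop(key)
        rebuilt = SnmpMsg(
            src_zone=OUTSIDE, src_ip=m.src_ip, src_port=m.src_port,
            dst_ip=requester_ip, dst_port=requester_port,
            pdu=m.pdu, request_id=m.request_id, version=m.version,
        )
        return True, "matched response forwarded", rebuilt


if __name__ == "__main__":
    p = Proxy(port_map={"10.9.0.5": 16100}, upgrade_to_v3={"10.9.0.5"})
    req = SnmpMsg("mgmt", "10.1.0.10", 50000, "10.9.0.5", 161, "GetRequest", 42)
    print(p.forward(req))
    resp = SnmpMsg("dmz", "10.9.0.5", 16100, "10.1.0.10", 50000, "Response", 42)
    print(p.forward(resp))
    print(p.forward(resp))   # replay of the same response is now unsolicited
```

The point of keeping the outstanding-request table keyed by device address and request-id is that a reply is forwarded exactly once and only to the host that asked; a second copy, or a "response" to a request nobody sent, never crosses the firewall.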
ZoneRanger supports a growing suite of management protocols, including:
- Telnet / SSH
- HTTP / HTTPS
- NetFlow / sFlow
- TACACS+ / RADIUS