Secure HTTP/HTTPS Proxy

Although originally associated with the World Wide Web, web protocols such as HTTP and HTTPS have also become a common way for network devices and servers to provide intuitive, user-friendly management interfaces, which can be used to configure, control, and monitor managed devices.

The common industry practice of partitioning networks into security zones with conventional firewalls creates a problem for HTTP and HTTPS users, who must choose between two equally unacceptable alternatives: block HTTP and HTTPS at the firewall and accept limited access to the devices beyond it, or allow HTTP and HTTPS through the firewall and accept the associated security risks.

ZoneRanger resolves this dilemma, acting as a transport-layer proxy for HTTP and HTTPS traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks in a variety of ways:

  • ZoneRanger effectively breaks the underlying TCP transport connection that carries the HTTP and/or HTTPS traffic into two connections, helping to protect the management application from TCP-based attacks.
  • ZoneRanger allows management applications to originate HTTP or HTTPS sessions with managed devices, but connections in the reverse direction are not allowed.
  • ZoneRanger can be configured to restrict HTTP and HTTPS traffic to specified devices and ports.
  • ZoneRanger can be configured to perform destination port translation, allowing management applications to initiate HTTP or HTTPS sessions on the standard well-known ports with devices that have been configured to use non-standard ports as a security precaution (i.e., to confuse port scanners).
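
The controls listed above, sketched as an added Python example (not ZoneRanger code or configuration): a default-deny destination check with port translation, and a relay that terminates the application's TCP connection and opens a separate one to the device. The `Rule` format, the function names and the sample addresses are assumptions made for illustration.

```python
import asyncio
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    """One permitted destination (hypothetical format, not ZoneRanger's)."""
    network: str      # managed devices the rule covers, CIDR notation
    listen_port: int  # well-known port the management application connects to
    device_port: int  # port the device actually listens on

# Constructed sample policy using documentation address ranges.
RULES = [
    Rule("192.0.2.0/28", 443, 8443),  # HTTPS UI moved to a non-standard port
    Rule("192.0.2.32/32", 80, 80),    # one device, plain HTTP, no translation
]

def resolve(rules, device_ip: str, requested_port: int) -> Optional[tuple]:
    """Return (ip, translated_port) if policy permits the session, else None."""
    addr = ipaddress.ip_address(device_ip)
    for rule in rules:
        in_scope = addr in ipaddress.ip_network(rule.network)
        if in_scope and requested_port == rule.listen_port:
            return (device_ip, rule.device_port)
    return None  # default deny: unlisted devices and ports are unreachable

async def pump(reader, writer):
    """Copy payload bytes one way until EOF, then close the writing side."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w, device_ip, requested_port, rules=RULES):
    """Serve one session accepted on the management-side listener.

    No listener exists on the device side, so devices cannot originate sessions.
    """
    target = resolve(rules, device_ip, requested_port)
    if target is None:
        client_w.close()  # refuse before any packet is sent toward the device
        return
    device_r, device_w = await asyncio.open_connection(*target)
    # Two independent TCP connections: payload bytes cross, TCP segments do not.
    await asyncio.gather(pump(client_r, device_w), pump(device_r, client_w),
                         return_exceptions=True)
```
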

HTTP and HTTPS are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP