Secure NetFlow / sFlow Proxy
The common industry practice of partitioning networks into security zones with conventional firewalls creates a problem for users of these management applications. They must choose between two equally unacceptable alternatives: block NetFlow and sFlow information at the firewall and accept a limited ability to receive information from the devices beyond it, or allow NetFlow and sFlow messages through the firewall and accept the associated security risks.
ZoneRanger resolves this dilemma by acting as an application-layer proxy firewall for NetFlow and sFlow traffic, enabling management applications to receive NetFlow and sFlow messages from devices beyond firewalls while mitigating the associated security risks. The ZoneRanger carefully inspects every NetFlow and sFlow message and forwards only valid messages that match configured filter criteria, and only to configured destination addresses. This approach prevents managed devices (or malware masquerading as a managed device) from directing NetFlow and sFlow messages to arbitrary destinations via the ZoneRanger.
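The inspect, filter, and forward-to-configured-destination flow described above, sketched as an added Python example. It is not ZoneRanger code: the rule table, addresses, ports and function names are assumptions, and only the NetFlow v5 layout and the sFlow v5 datagram header are checked.

```python
import ipaddress
import struct

# Hypothetical rules: exporter network, protocol, fixed collectors (assumed values).
# Destinations come only from this table, never from the datagram itself.
RULES = [
    (ipaddress.ip_network("10.20.0.0/24"), "netflow", [("192.0.2.10", 2055)]),
    (ipaddress.ip_network("10.20.1.0/24"), "sflow", [("192.0.2.11", 6343)]),
]
NF5_HEADER = struct.Struct("!HHIIIIBBH")  # 24-byte NetFlow v5 header
NF5_RECORD_LEN = 48


def classify(payload: bytes):
    """Return 'netflow', 'sflow' or None after structural checks."""
    # NetFlow v5: version 5, 1..30 records, length must match count exactly.
    if len(payload) >= NF5_HEADER.size:
        version, count = struct.unpack_from("!HH", payload)
        if (version == 5 and 1 <= count <= 30
                and len(payload) == NF5_HEADER.size + count * NF5_RECORD_LEN):
            return "netflow"
    # sFlow v5: 32-bit version 5, agent address type 1 (IPv4) or 2 (IPv6),
    # followed by the address and four 32-bit header fields.
    if len(payload) >= 8:
        version, addr_type = struct.unpack_from("!II", payload)
        addr_len = {1: 4, 2: 16}.get(addr_type)
        if version == 5 and addr_len and len(payload) >= 8 + addr_len + 16:
            return "sflow"
    return None


def forward_targets(src_ip: str, payload: bytes):
    """Return the configured collectors for a valid datagram, else []."""
    kind = classify(payload)
    if kind is None:
        return []  # malformed or unknown protocol: drop
    src = ipaddress.ip_address(src_ip)
    for network, proto, collectors in RULES:
        if proto == kind and src in network:
            return list(collectors)
    return []  # no matching filter rule: drop


def make_nf5(count: int, records: int) -> bytes:
    """Constructed sample: v5 header claiming `count`, carrying `records`."""
    header = NF5_HEADER.pack(5, count, 1000, 1700000000, 0, 1, 0, 0, 0)
    return header + bytes(NF5_RECORD_LEN * records)
```

The source address of a UDP datagram is not authenticated, so the source match narrows who can send through the proxy rather than proving the sender; the fixed destination table is what bounds where a forwarded message can go.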