Secure SNMP Proxy

What SNMP lacks in simplicity it makes up for in popularity. SNMP is supported by the vast majority of network devices and servers, and is an essential component of many management applications, providing a mechanism for these applications to configure, collect information, and receive alerts (a.k.a. “traps”) from managed devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent SNMP from passing through the firewall, accepting limited ability to manage the devices beyond, or allow SNMP to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma by acting as an application-layer proxy firewall for SNMP traffic, enabling management applications to extend their reach beyond firewalls while mitigating the associated security risks. All SNMP protocol traffic is carefully inspected by ZoneRanger and, where applicable, matched with known outstanding requests before being allowed to pass.

The ZoneRanger SNMP proxy feature supports the following SNMP protocol transactions:

  • SNMP Request/Response (to/from devices in a firewall-partitioned zone)
  • SNMP Trap (from devices in a firewall-partitioned zone)
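
The matching of responses against outstanding requests described above can be sketched as follows. This is an added illustration, not ZoneRanger code, and it says nothing about how the product is implemented; the function names, the 5-second timeout and the sample datagrams are assumptions made for the example.

```python
REQUESTS = {0xA0, 0xA1, 0xA3, 0xA5}    # Get, GetNext, Set, GetBulk
RESPONSE, TRAPS = 0xA2, {0xA4, 0xA7}   # Response; v1 Trap, SNMPv2-Trap
# Constructed v2c datagrams: community "public", request-id 7, empty varbinds.
GET = bytes.fromhex("301802010104067075626c6963a00b0201070201000201003000")
RESP = GET.replace(b"\xa0\x0b", b"\xa2\x0b")

def tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def parse(datagram):
    """Return (pdu_tag, request_id) for an SNMPv1/v2c message, else raise."""
    tag, msg, _ = tlv(datagram, 0)
    vtag, version, pos = tlv(msg, 0)
    ctag, _community, pos = tlv(msg, pos)
    if (tag, vtag, ctag) != (0x30, 0x02, 0x04) or version not in (b"\x00", b"\x01"):
        raise ValueError("not an SNMPv1/v2c message")
    pdu_tag, pdu, _ = tlv(msg, pos)
    if pdu_tag == 0xA4:                # v1 Trap-PDU carries no request-id
        return pdu_tag, None
    itag, rid, _ = tlv(pdu, 0)
    if itag != 0x02:
        raise ValueError("missing request-id")
    return pdu_tag, int.from_bytes(rid, "big", signed=True)

def allow(pending, zone, device, datagram, outbound, now, timeout=5.0):
    """True if the datagram may pass. outbound means manager -> device;
    pending maps (device, request_id) -> expiry and is updated in place."""
    try:
        tag, rid = parse(datagram)
    except (ValueError, IndexError):
        return False                   # malformed: drop
    if device not in zone:
        return False
    if outbound:                       # remember each request let through
        if tag in REQUESTS:
            pending[(device, rid)] = now + timeout
        return tag in REQUESTS
    if tag != RESPONSE:                # inbound: traps pass, requests do not
        return tag in TRAPS
    expiry = pending.pop((device, rid), None)
    return expiry is not None and now <= expiry
```

A response passes only once, only from the device the request was sent to, and only within the timeout; the caller supplies `now` from a monotonic clock.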

In addition to acting as a proxy for SNMPv1 and SNMPv2c traffic, ZoneRanger can also be configured to provide SNMPv3 conversion, allowing management applications to continue to use the older, more prevalent versions of SNMP, while enabling the selective use of SNMPv3 within firewall-partitioned zones where higher levels of security are required.

SNMP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP