A large Government Agency in Europe has offices and data centers located in several countries. A security risk assessment was performed on how securely management protocols were being transported through firewalls to the datacenters. Until a few years ago, they did not have an effective solution to managing devices that were located beyond firewalls (i.e. in DMZs). The Security personnel did not allow management protocols to be transferred freely through the firewalls. The Security team either wrote thousands of firewall rules to allow for management traffic to flow into the Management Center or they chose to not manage those devices through the network. There were three significant issues associated with their two solutions: first the cost to write and maintain the firewall rules was significant and secondly the firewall rules allowed the risk associated with management protocols which are inherently insecure and thirdly by not managing the devices they had no perspective of their respective status.
The ZoneRanger Solution
In 2008, this government institution was one of the first government agencies to implement Tavve’s ZoneRanger solution to securely manage devices located in the DMZ. They deployed redundant pairs of ZoneRangers to several data centers throughout the Europe. The ZoneRanger provided a mechanism to securely extend the reach of their existing management applications, avoiding the need to configure risky firewall rules, or to deploy additional applications instances in their DMZs. The ZoneRanger allowed the government institution to use their existing management applications to securely communicate through the firewall to managed devices using a variety of protocols (e.g. SNMP, ICMP, Syslog, SSH, NetFlow). The SSL/TLS encrypted connection between the ZoneRanger and the existing management applications along with the data inspection performed on each protocol ensured the DMZs were being managed securely and effectively.
The Agency’s results were increased security, decreased cost, and decreased time to deploy new devices as the network grew. The ZoneRanger provided multiple security benefits: protocol break in all TCP connections and UDP datagrams, application-protocol-specific packet inspection, hiding management servers from DMZ devices. It reduced the risk of hackers penetrating the network to gain an understanding of the network architecture and the ability to reconfigure network devices. The significant reduction in firewall rules reduced the management cost associated with maintaining them and reduced the potential for human errors, such as ports unintentionally left open. The ZoneRanger provided the benefit of the being able to deploy additional devices in the DMZ without the burden of writing new firewall rules. This decreased the time needed to deploy new devices in their network as it grew. In conclusion, the Agency now has a clear picture of what is occurring in the DMZ without worrying about security and the cost to maintain a large number of firewall rules.
Please contact Sales@Tavve.com for more information about our ZoneRanger product.