Managing Through Firewalls

Partitioning enterprise networks into security zones using firewalls is standard industry practice, but creates a dilemma for management professionals seeking to leverage their management application infrastructure investment across their entire network. These management applications, which automate and/or assist with configuring, monitoring, and controlling network devices and servers, typically depend on the ability to communicate with managed devices using a variety of protocols (e.g. SNMP, ICMP, Syslog, SSH, NetFlow). This creates a problem in firewall-partitioned networks because security professionals will often resist creating firewall rules to allow these management protocols, due to associated vulnerability concerns. As a result, companies are often forced to choose between two equally unacceptable alternatives: prevent management protocols from passing through the firewall, accepting limited ability to manage the devices beyond, or allow management protocols to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for management protocols, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks.

ZoneRanger combines a variety of approaches to provide additional security for management protocols:

  • ZoneRanger provides a protocol break at the transport layer. TCP, UDP, ICMP, and IP headers do not pass transparently through the ZoneRanger, but are fully reconstructed before forwarding to the intended destination, providing protection against transport layer attacks.
  • Management protocol messages are carefully inspected to ensure that they are syntactically correct before being allowed to pass through the firewall.
  • Where applicable, response messages are matched with known outstanding requests before being allowed to pass through the firewall.
  • Management protocol transactions are typically restricted to a predefined direction. For example, a management application is allowed to send an SNMP Get Request to a managed device, but the reverse is not allowed.
  • In situations where management applications initiate requests destined for managed devices, ZoneRanger can be configured to perform destination port translation, allowing management applications to send requests using standard well-known ports, to devices that have been configured to use non-standard ports as a security precaution (i.e. to fool/confuse port scanners).
  • In the case of SNMP, ZoneRanger can be configured to convert v1 and v2c requests to SNMPv3, allowing management applications to continue to use the older, more prevalent versions of SNMP, while enabling the selective use of SNMPv3 within firewall-partitioned zones where higher levels of security are required.

ZoneRanger supports a growing suite of management protocols, including:

  • ICMP
  • SNMP
  • FTP
  • TFTP
  • Telnet / SSH
  • Syslog
  • NetFlow / sFlow
  • NTP