Creating rules to manage traffic across firewall boundaries costs more than you think. A simple rule that may take just a few minutes to write will require a significant number of man hours to get through the internal processes and procedures required for approval, testing, implementation, and documentation.
Sign up now for a look behind the solution with a one-on-one demonstration of ZoneRanger.
How do you manage what you cannot see? A corporate presence on the Internet is mandatory, and it exposes the network to threats. The battle lines are drawn between security and network management. The invention of the firewall stopped many intruders. Firewalls also stopped network management. To solve this problem, extensive firewall rules had to be written to allow management traffic to pass through corporate firewalls. Security experts agree that network management protocols pose a significant security risk for corporate networks. In many cases, SNMP and other protocols are not allowed to pass through the firewalls. Without these protocols, network managers cannot ensure the availability of data or applications. DMZs (extranets, untrusted zones, etc.) were the initial areas of concern.
These customer-facing networks outside the firewall are an organization’s connection to customers for e-commerce and marketing. This component of IT targets 100% uptime availability. Network and security teams struggle to find a fair compromise that achieves this goal. ZoneRanger was built to address these issues. With an extensive customer list and nine years of developing network management software for HP OpenView, our consultants have encountered these problems many times. Our goal was to build a secure network appliance that supports the applications and protocols the network management team needs without violating the network security policies.
ZoneRanger is typically deployed outside the firewall. It communicates over an industry-standard 128-bit SSL-encrypted TCP connection to a Ranger Gateway inside the firewall. Using the concept of a proxy server, the Ranger Gateway delivers requests to the ZoneRanger, which in turn delivers them to the device. Management applications can now communicate with devices outside the firewall without additional rules or open ports.
For remote (secure) locations, ZoneRanger can be deployed as an independent network management system. This 2U rack-mounted appliance can also report to a primary NMS like HP OpenView. A simple web interface is provided to give operations personnel a view into the health of the remote network.
Firewall Rule Changes — Death by Committee. The impact of changing a firewall rule or opening another port on the firewall is complicated. ZoneRanger eliminates the need for multiple rules and ports for your management traffic. Adding a device or new management application no longer requires a rule change.
Too Many Traps or No Traps at All. Few organizations allow traps from the DMZ. Those that do are challenged to sort the valid from the worthless. The opposite solution is no traps and no warning of problems. ZoneRanger blocks unauthorized traps while acceptable traps are consolidated and filtered. Traps can be configured for multiple delivery destinations based on source addresses, PDU data, or varbinds.
Syslog and Cisco Log Messages. Log files provide a history of the life of the system. This rich information is sitting on those devices in the DMZ and often unavailable to operations personnel. ZoneRanger establishes source-based rules to forward messages to the correct destination inside the firewall.
Using Netflow Data from the DMZ. Netflow and sFlow provide real-time network data that covers security threats, QoS, utilization, and user / application monitoring. For security reasons, most organizations allow no UDP traffic to pass through the firewall. ZoneRanger filters and securely passes Netflow / sFlow data to specific destinations in the intranet. This feature is applicable to any Netflow / sFlow collector.
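The three sections above (trap routing by source address, PDU data or varbinds; source-based syslog forwarding; filtered delivery of flow records to a collector) share one underlying idea: a deny-by-default policy that maps each DMZ management event to zero or more destinations inside the firewall. The following Python is an added illustration of that policy model, written for this page; it is not ZoneRanger's software, and the rule format, field names, hostnames, address ranges and sample events are all constructed assumptions.

```python
# Added example: deny-by-default routing of DMZ management events (SNMP traps,
# syslog lines, flow records) to collectors inside the firewall. Illustrative
# code written for this page, not ZoneRanger's software; rule format, field
# names, hostnames and sample events are constructed assumptions.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable


@dataclass
class Event:
    kind: str      # "trap", "syslog" or "flow"
    source: str    # IP address of the DMZ device that emitted the event
    fields: dict   # trap: trap_oid + varbinds; syslog: severity + msg; flow: exporter data


@dataclass
class Rule:
    kind: str
    sources: list                # CIDR allow-list for the event source
    destinations: list           # inside-the-firewall collectors to forward to
    match: Callable[[Event], bool] = lambda e: True   # test on PDU data / varbinds / message


LINK_DOWN_OID = "1.3.6.1.6.3.1.1.5.3"   # standard linkDown notification OID (SNMPv2-MIB)
DMZ_NET = "203.0.113.0/24"              # constructed DMZ address range (TEST-NET-3)

# Constructed rule set: every rule is an allow-list entry; anything unmatched is dropped.
RULES = [
    # linkDown traps from the DMZ go to the NMS and also to the on-call pager
    Rule("trap", [DMZ_NET], ["nms.corp.example", "pager.corp.example"],
         match=lambda e: e.fields.get("trap_oid") == LINK_DOWN_OID),
    # every other trap from the DMZ goes to the NMS only
    Rule("trap", [DMZ_NET], ["nms.corp.example"]),
    # syslog at severity error (3) or worse is forwarded to the SIEM; chatter is dropped
    Rule("syslog", [DMZ_NET], ["siem.corp.example"],
         match=lambda e: e.fields.get("severity", 7) <= 3),
    # flow records from the DMZ exporters go to the flow collector
    Rule("flow", [DMZ_NET], ["flow-collector.corp.example"]),
]


def route(event: Event, rules: list, seen: set) -> list:
    """Return the list of destinations for one event.

    A source that matches no rule is unauthorized and yields [] (deny by default).
    Traps identical in source, trap OID and varbinds are consolidated: only the
    first copy within a window is forwarded; `seen` holds the per-window state.
    """
    src = ip_address(event.source)
    dests = []
    for rule in rules:
        if rule.kind != event.kind:
            continue
        if not any(src in ip_network(net) for net in rule.sources):
            continue
        if not rule.match(event):
            continue
        for d in rule.destinations:
            if d not in dests:
                dests.append(d)
    if event.kind == "trap" and dests:
        key = (event.source, event.fields.get("trap_oid"),
               tuple(sorted(event.fields.get("varbinds", {}).items())))
        if key in seen:
            return []          # duplicate within the window: consolidated
        seen.add(key)
    return dests


def run_demo() -> list:
    """Route a constructed batch of DMZ events; returns [(description, destinations)]."""
    seen = set()
    link_down = {"trap_oid": LINK_DOWN_OID, "varbinds": {"1.3.6.1.2.1.2.2.1.1": "3"}}
    batch = [
        ("linkDown from DMZ switch", Event("trap", "203.0.113.10", link_down)),
        ("same linkDown repeated", Event("trap", "203.0.113.10", dict(link_down))),
        ("trap from unauthorized source",
         Event("trap", "198.51.100.5", {"trap_oid": LINK_DOWN_OID, "varbinds": {}})),
        ("syslog error from DMZ web server",
         Event("syslog", "203.0.113.20", {"severity": 3, "msg": "disk full"})),
        ("syslog informational chatter",
         Event("syslog", "203.0.113.20", {"severity": 6, "msg": "session opened"})),
        ("flow record from DMZ router", Event("flow", "203.0.113.1", {"exporter": "dmz-rtr1"})),
    ]
    return [(desc, route(ev, RULES, seen)) for desc, ev in batch]


if __name__ == "__main__":
    for desc, dests in run_demo():
        print(f"{desc:34s} -> {dests or 'dropped'}")
```

The point worth checking in any such deployment is the default: an event whose source matches no rule must be dropped, not forwarded, and a rule's `match` predicate narrows delivery rather than widening it. The `seen` set stands in for whatever consolidation window a real collector would use; the demo resets it per batch.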