x
 
ZoneRanger Play Bulletproof Your Network

How much time are you spending writing firewall rules?

Creating rules to manage traffic across firewall boundaries costs more than you think. A simple rule that may take just a few minutes to write will require a significant number of man hours to get through the internal processes and procedures required for approval, testing, implementation, and documentation.

ROI Calculator

ZoneRanger reduces firewall rule complexity and administrative costs, while increasing network security.

Secure SNMP Proxy

Secure SNMP Proxy

What SNMP lacks in simplicity it makes up for in popularity. SNMP is supported by the vast majority of network devices and servers, and is an essential component of many management applications, providing a mechanism for these applications to configure, collect information, and receive alerts (a.k.a. “traps”) from managed devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent SNMP from passing through the firewall, accepting limited ability to manage the devices beyond, or allow SNMP to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for SNMP traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks. All SNMP protocol traffic is carefully inspected by the ZoneRanger, and where applicable is matched with known outstanding requests, before being allowed to pass.

Secure SNMP Proxy

The ZoneRanger SNMP proxy feature supports the following SNMP protocol transactions:

  • SNMP Request/Response (to/from devices in a firewall-partitioned zone)
  • SNMP Trap (from devices in a firewall-partitioned zone)

In addition to acting as a proxy for SNMP v1 and v2c traffic, ZoneRanger can also be configured to provide SNMPv3 conversion, allowing management applications to continue to use the older, more prevalent versions of SNMP, while enabling the selective use of SNMPv3 within firewall-partitioned zones where higher levels of security are required.

SNMP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP
Secure ICMP Proxy

Secure ICMP Proxy

More often than not, the simplest way to verify that a network device is operating and reachable is the simple, ubiquitous ICMP echo request, more commonly referred to as “ping”. Applications for this simple but powerful protocol mechanism range from the familiar “ping” command, to sophisticated management applications that use ICMP echo requests to poll device status or measure network latency.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent ICMP from passing through the firewall, accepting limited ability to manage the devices beyond, or allow ICMP to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for ICMP echo request/response traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks. All ICMP echo request/response protocol traffic is carefully inspected by the ZoneRanger, and responses are matched with known outstanding requests, before being allowed to pass.

ICMP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • NetFlow / sFlow
  • NTP
  • SNMP
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP
Secure Syslog

Secure Syslog

Logs typically are not very exciting or flashy, but when you need to understand what is going on in your network, more often than not the critical information you need will be in your device and server logs. Syslog is a common, simple protocol for collecting log information from managed devices and servers across a network. Many network devices and servers can be configured to send Syslog information to designated collection stations, and a variety of management applications have been developed to collect, analyze, and present the information received.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent Syslog information from passing through the firewall, accepting limited ability to receive information from the devices beyond, or allow Syslog messages to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for Syslog traffic, enabling management applications to receive Syslog messages from devices beyond firewalls, while mitigating the associated security risks. All Syslog messages are carefully inspected by the ZoneRanger. Valid messages that match configured filter criteria are forwarded to configured destination addresses. As a result, managed devices are prevented from directing Syslog messages to arbitrary destinations via the ZoneRanger.

Secure Syslog Proxy

Syslog is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP
Secure TACACS+/RADIUS

Secure TACACS+/RADIUS

Centralized access control using the TACACS+ and/or RADIUS protocols has become a popular and effective approach for managing secure access to network devices and servers. The ability to manage user authentication, authorization, and accounting in a single server, or a small number of servers, provides a significant advantage both in terms of reduced administrative effort/cost, and improved security, because changes can be made in a more timely and less error-prone manner.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for centralized access control, requiring network administrators to choose between two equally unacceptable alternatives: prevent TACACS+ and RADIUS from passing through the firewall, effectively isolating the devices beyond from the primary centralized access control servers, or allow TACACS+ and/or RADIUS to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for TACACS+ and RADIUS traffic, enabling network devices and servers to effectively reach back through the firewall to the centralized access control servers, while mitigating the associated security risks through careful inspection and filtering of all TACACS+ and RADIUS traffic.

Secure TACACS+ / RADIUS Proxy

In addition to acting as a proxy for TACACS+ and RADIUS traffic originated by network devices and servers, ZoneRanger can also act as a TACACS+ or RADIUS client, using its own proxy service, so that authentication and authorization for access to the ZoneRanger’s own administration interfaces can also configured and monitored from centralized access control servers.

TACACS+ and RADIUS are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • Telnet / SSH
  • TFTP
Secure NetFlow/sFlow

Secure NetFlow/sFlow

NetFlow and sFlow are relatively new protocols that can be used to collect sampled traffic and usage/event statistics from network devices. Many network devices and servers can be configured to periodically send NetFlow and sFlow information to designated collection stations, and a variety of management applications have been developed to collect, analyze, and present the information received. Some of these applications focus on network usage, accounting, and billing, while other applications focus on network performance optimization. NetFlow and sFlow are even used by some applications to identify security threats based on recognized attack signatures.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent NetFlow and sFlow information from passing through the firewall, accepting limited ability to receive information from the devices beyond, or allow NetFlow and sFlow messages to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for NetFlow and sFlow traffic,enabling management applications to receive NetFlow and sFlow messages from devices beyond firewalls, while mitigating the associated security risks. All NetFlow and sFlow messages are carefully inspected by the ZoneRanger, and valid messages that match configured filter criteria are forwarded to configured destination addresses. This approach prevents managed devices (or malware masquerading as a managed device) from directing NetFlow and sFlow messages to arbitrary destinations via the ZoneRanger.

Secure NetFlow / sFlow Proxy

Secure Telnet & SSH

Secure Telnet & SSH

Even though web-based user interfaces have become very popular, the vast majority of network devices and servers continue to support Telnet, and/or its more security-conscious successor SSH, partly because some users prefer a command-line style of user interface, and partly because the command-line style is better suited to automation. As a result, a significant number of management applications are able to use Telnet and/or SSH to configure, control, or collect information from managed devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for users of these management applications, requiring them to choose between two equally unacceptable alternatives: prevent Telnet and SSH from passing through the firewall, accepting limited ability to manage the devices beyond, or allow Telnet and/or SSH to pass through the firewall, accepting the associated security risks. ZoneRanger resolves this dilemma, acting as a transport-layer proxy for Telnet and SSH traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks in a variety of ways:

  • ZoneRanger effectively breaks the underlying TCP transport connection that carries the Telnet and/or SSH traffic into two connections, helping to protect the management application from TCP-based attacks.
  • ZoneRanger allows management applications to originate Telnet or SSH sessions with managed devices, but connections in the reverse direction are not allowed.
  • ZoneRanger can be configured to restrict Telnet and SSH traffic to specified devices and ports.
  • ZoneRanger can be configured to perform destination port translation, allowing management applications to initiate Telnet or SSH sessions using standard well-known ports, to devices that have been configured to use non-standard ports as a security precaution (i.e. to fool/confuse port scanners).

In addition to enabling management applications to access command line interfaces for managed devices, ZoneRanger SSH proxy can also be used for secure file transfer (i.e. SCP, SFTP), reducing the need to use less secure protocols such as FTP or TFTP.Telnet and SSH are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • TFTP
Secure FTP

Secure FTP

FTP is one of the oldest and simplest ways to transfer files within your network. Although newer alternatives to FTP may offer greater convenience and/or security, there still are times when working with specific applications or devices, FTP may be the solution of choice.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for FTP users, requiring network administrators to choose between two equally unacceptable alternatives: prevent FTP from passing through the firewall, accepting the resulting loss of ability to transfer files to/from the devices beyond, or allow FTP to pass through the firewall, accepting the associated security risks.

FTP is especially difficult for firewalls due to its use of separate control and data connections. While control connections are always directed at a well-known port, data connections use dynamically assigned ports, making it difficult to configure the firewall to allow only the needed ports. Making matters worse, the direction in which the data connection is initiated depends on whether requested transfer mode is active or passive, making it difficult to implement a policy preventing initiation of connections from less secure network zones to more secure network zones.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for FTP traffic, enabling FTP client applications to extend their reach beyond firewalls, while mitigating the associated security risks. All FTP control connection traffic is carefully inspected by the ZoneRanger, and data connections are matched with known outstanding transfer requests, before being allowed to pass.

Secure FTP Proxy

The ZoneRanger FTP proxy feature supports all FTP protocol transactions defined in RFC 959, including:

  • Get File Request (from devices in a firewall-partitioned zone)
  • Put File Request (to devices in a firewall-partitioned zone)
  • List Directory Request
  • Delete File Request
  • Rename File Request

In addition to supporting active and passive mode file transfers, the ZoneRanger FTP proxy feature also includes an optional active-to-passive conversion feature, allowing an FTP client’s active mode transfer requests to be presented to clients as passive mode requests, so that clients that only support active mode are able to exchange files with servers that only support passive mode.

FTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP
Secure NTP

Secure NTP

The Network Time Protocol (NTP) is an older, but still very useful, Internet protocol designed to allow network devices and servers to synchronize their clocks with one or more centralized time servers, across a variable-latency network. In applications where time synchronization across devices is important, the ability to administer time across a large number of devices from a small number of centralized time servers using NTP is a significant advantage.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for NTP, requiring network administrators to choose between two equally unacceptable alternatives: prevent NTP traffic from passing through the firewall, effectively isolating the devices beyond from the primary time servers, or allow NTP traffic to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as an application-layer proxy firewall for NTP traffic, enabling network devices and servers to effectively reach back through the firewalls to the centralized time servers, while mitigating the associated security risks through careful inspection and filtering of all NTP traffic.

ZoneRanger’s NTP proxy service can be configured to operate in either of two modes:

  • The ZoneRanger can obtain its time from a centralized NTP server, and can act as a secondary time server, responding autonomously to NTP requests from client devices.
  • The ZoneRanger can act as straight NTP protocol proxy, inspecting NTP requests received from client devices, relaying valid requests onto a centralized timer server, and relaying server responses back to the requesting clients.

Secure NTP Proxy

NTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP
Secure TFTP

Secure TFTP

Trivial File Transfer Protocol (a.k.a. TFTP) is not as trivial as its name suggests. Even though TFTP is a very simple, very basic file transfer protocol, it plays an important role in enabling management applications to manage the network device configurations. The majority of network devices provide mechanisms whereby they can be commanded to transfer their configuration files to/from a TFTP server, and a growing number of management applications have been developed, taking advantage of these mechanisms, to provide advanced configuration management services for large numbers of network devices.

The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for these applications, requiring network administrators to choose between two equally unacceptable alternatives: prevent TFTP traffic from passing through the firewall, accepting the resulting loss of ability to transfer configuration files to/from the devices beyond, or allow TFTP traffic to pass through the firewall, accepting the associated security risks. These security risks, in the case of TFTP, are significant, given that TFTP does not require login, and uses UDP, which is relatively easy to spoof, as a transport protocol.

ZoneRanger resolves this dilemma by acting as a proxy TFTP server. Managed devices, acting as TFTP clients, are instructed to transfer files to and from the ZoneRanger, rather than communicating directly with the management applications, eliminating the need to open the firewall to TFTP traffic. The ZoneRanger can proxy TFTP requests through to the management applications, or can be configured to transfer files to/from an internal directory, or to/from directories on the servers where the management applications are installed.

Secure FTP Proxy

The ZoneRanger TFTP proxy feature can be used together with the SNMP proxy feature to handle the situation where managed devices are instructed to transfer configuration files using an SNMP set request. When the ZoneRanger sees an SNMP set request that appears to be instructing a device to perform a configuration file transfer, it can modify the request, effectively redirecting the request to use the ZoneRanger’s TFTP server, then when the managed device initiates the request, will proxy the file transfer through to the originally requested TFTP server.

TFTP is part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • HTTP / HTTPS
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
Secure HTTP/HTTPS

Secure HTTP/HTTPS

Although originally associated with the World Wide Web, web protocols such as HTTP and HTTPS have also become a common way for network devices and servers to provide intuitive, user-friendly management interfaces, which can be used to configure, control, and monitor managed devices.
The common industry practice where networks are partitioned into security zones using conventional firewalls creates a problem for HTTP and HTTPS users, requiring them to choose between two equally unacceptable alternatives: prevent HTTP and HTTPS from passing through the firewall, accepting limited ability to access the devices beyond, or allow HTTP and HTTPS to pass through the firewall, accepting the associated security risks.

ZoneRanger resolves this dilemma, acting as a transport-layer proxy for HTTP and HTTPS traffic, enabling management applications to extend their reach beyond firewalls, while mitigating the associated security risks in a variety of ways:

  • ZoneRanger effectively breaks the underlying TCP transport connection that carries the HTTP and/or HTTPS traffic into two connections, helping to protect the management application from TCP-based attacks.
  • ZoneRanger allows management applications to originate HTTP or HTTPS sessions with managed devices, but connections in the reverse direction are not allowed.
  • ZoneRanger can be configured to restrict HTTP and HTTPS traffic to specified devices and ports.
  • ZoneRanger can be configured to perform destination port translation, allowing management applications to initiate HTTP or HTTPS sessions using standard well-known ports, to devices that have been configured to use non-standard ports as a security precaution (i.e. to fool/confuse port scanners).

Secure HTTP / HTTP Proxy

HTTP and HTTPS are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • TACACS+ / RADIUS
  • Telnet / SSH
  • TFTP

Our customers realize ROI is in months, not years.

Request a Demo

Sign-up now for a look behind the solution with a one-on-one demonstration of ZoneRanger.

The ZoneRanger

MANAGEMENT THROUGH FIREWALLS
SECURITY
CHALLENGES
Management Through Firewalls

How do you manage what you cannot see? Corporate information on the Internet is mandatory, and it exposes the network to threats. The battle lines are drawn between security and network management. The invention of the firewall stopped many intruders. Firewalls also stopped network management. To solve this problem, extensive firewall rules had to be written to allow management traffic to pass through corporate firewalls. Security experts agree that network management protocol pose a significant security risk for corporate networks. In many cases, SNMP and other protocols are not allowed to pass through the firewalls. Without these protocols, network managers cannot ensure availability of data or applications. DMZs (extranets, untrusted zones, etc.) were the initial areas of concern.

These customer-facing networks outside the firewall are an organization’s connection to customers for e-commerce and marketing. This component of IT targets 100% uptime availability. Network and security teams struggle with a fair compromise to achieve this goal. ZoneRanger was built to address these issues. With an extensive customer list and nine years of developing network management software for HP OpenView, our consultants have encountered these problems many times. Our goal was to build a secure network appliance to support the applications and protocols required to meet the needs of the network management team without violating the network security policies.

Secure Proxy Server for Network Management Protocols

ZoneRanger is typically deployed outside the firewall. It communicates via an Industry standard 128-bit encrypted (SSL) TCP connection to a Ranger Gateway inside the firewall. Using the concept of a proxy server, the Ranger Gateway delivers requests to the ZoneRanger and in turn, the ZoneRanger to the device. Management applications can now communicate with devices outside the firewall without additional rules or open ports.

Secure Remote NMS (Network Management Systems)

For remote (secure) locations, ZoneRanger can be deployed as an independent network management system. This 2U rack-mounted appliance can also report to a primary NMS like HP OpenView. A simple web interface is provided to give operations personnel a view into the health of the remote network.

Challenges

Firewall Rule Changes — Death by Committee. The impact of changing a firewall rule or opening another port on the firewall is complicated. ZoneRanger eliminates the need for multiple rules and ports for your management traffic. Adding a device or new management application no longer requires a rule change.

Too Many Traps or No Traps at All. Few organizations allow traps from the DMZ. Those that do are challenged to sort the valid from the worthless. The opposite solution is no traps and no warning of problems. ZoneRanger blocks unauthorized traps while acceptable traps are consolidated and filtered. Traps can be configured for multiple delivery destinations based on source addresses, PDU data, or var binds.

Syslog and Cisco Log Messages. Log files provide a history of the life of the system. This rich information is sitting on those devices in the DMZ and often unavailable to operations personnel. ZoneRanger establishes source-based rules to forward messages to the correct destination inside the firewall.

Using Netflow Data from the DMZ. Netflow and sFlow provide real-time network data that includes security threats, QOS, utilization, and user / application monitoring. Due to security, most organizations allow no UDP traffic to pass through the firewall. ZoneRanger filters and securely passes Netflow / sFlow data to specific destinations in the intranet. This feature is application to any Netflow / sFlow collector.

Ready to find out more? Contact Us