Tavve Zone Ranger


Transcript of Tavve Zone Ranger

Page 1: Tavve   Zone Ranger

ZoneRanger Management Through Firewalls

Jeff Olson, Regional Sales Manager

[email protected]

Improve Security. Remove Complexity. Reduce Cost.

Page 2: Tavve   Zone Ranger


Network Management Evolution

In the “Golden Era” of Network Management, everything was connected and specific protocols weren’t restricted.

Page 3: Tavve   Zone Ranger


True Security = No Traffic

The only completely risk-free solution is NOT passing any protocols through the firewall.

Figure: management applications (Remedy, Concord, CiscoWorks, NNM) on the Trusted Network; a firewall separates them from the DMZ / Untrusted Network; each management protocol (SNMP, ICMP, Syslog, NetFlow) is marked X, i.e. blocked at the firewall.

Page 4: Tavve   Zone Ranger


Security Analysis of Management Protocols

Protocol        Authentication   Encryption   Easy to Spoof
ICMP            None             None         Yes
SNMP v1 / v2c   Simplistic       None         Yes
SNMP v3         Good             Good         No
SSH             Good             Good         No
FTP             In the Clear     None         No
TFTP            None             None         Yes
Syslog          None             None         Yes
NetFlow         None             None         Yes
sFlow           None             None         Yes
HTTPS           Good             Good         No
HTTP            In the Clear     None         No

Page 5: Tavve   Zone Ranger


Defining DMZ / Untrusted Network

A DMZ is any network separated from the corporate network by a firewall

DMZs may be separated from the corporate network by multiple firewalls

Includes virtual DMZs

A DMZ can be used internally to separate business functions from malicious attacks and cyber crime

Due to security concerns, DMZ’s are often difficult to manage from the corporate network (or NOC)

Page 6: Tavve   Zone Ranger


Industry Choice 1: Define Firewall Rules

Figure: HP NNM and other management applications (including Opsware) on the Corporate Network; a firewall separates them from the DMZ.

• Define firewall rules to allow traditional management protocols to pass through the firewall (restricted to management application servers).

• Traditional management protocols are not particularly secure.

• Time consuming, error-prone, more rules than you think!

• Process and effort are repeated for each firewall / DMZ.

Page 7: Tavve   Zone Ranger


Firewall Rules - 1

Figure, the simplified view: Management Application Server, firewall, DMZ Device, with a single connection drawn between them.

Figure, the reality: Management Application Server, firewall, DMZ Device, with a separate rule needed for each of ICMP, SNMP, Syslog, SSH, NetFlow and sFlow.
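To make “more rules than you think” concrete, here is an added example, not from Tavve or from the slides, that enumerates the allow rules a stateful firewall needs for the protocols shown on this slide when every management server reaches every DMZ device directly, and contrasts that with one channel to a proxy sitting in the DMZ. The server and device addresses, the NetFlow collector port, and the proxy channel's transport and port are assumptions made for the example.

```python
from itertools import product

# Management protocols the slides list (ICMP, SNMP, SSH, SNMP traps, Syslog, NetFlow),
# with the transport and port a firewall rule has to name and the direction in which
# the session is opened.  Ports are the IANA well-known ones except NetFlow, which has
# no standard collector port; 2055 is a common convention and is an assumption here.
PROTOCOLS = {
    "icmp":     ("icmp", None, "outbound"),  # server -> device (ping)
    "snmp":     ("udp",  161,  "outbound"),  # server -> device (get/set)
    "ssh":      ("tcp",  22,   "outbound"),  # server -> device (CLI)
    "snmptrap": ("udp",  162,  "inbound"),   # device -> server
    "syslog":   ("udp",  514,  "inbound"),   # device -> server
    "netflow":  ("udp",  2055, "inbound"),   # device -> collector (assumed port)
}


def direct_rules(servers, devices, protocols=PROTOCOLS):
    """Rules a stateful firewall needs when every management server talks to every
    DMZ device directly: one allow rule per (server, device, protocol) triple.
    A stateless firewall would need a second rule per triple for the return traffic."""
    rules = []
    for server, device, name in product(servers, devices, protocols):
        transport, port, direction = protocols[name]
        src, dst = (server, device) if direction == "outbound" else (device, server)
        dport = "" if port is None else f" dport {port}"
        rules.append(f"allow {transport} from {src} to {dst}{dport}  # {name}")
    return rules


def proxy_rules(servers, proxy_ip, channel_port):
    """With a management proxy inside the DMZ, each management server needs one rule,
    for the proxy's own channel (the channel's transport and port are assumptions, not
    taken from the slides).  The proxy then speaks the individual management protocols
    to the DMZ devices on its own side of the firewall."""
    return [f"allow tcp from {s} to {proxy_ip} dport {channel_port}  # proxy channel"
            for s in servers]


def rule_count(servers, devices, dmz_count, protocols=PROTOCOLS):
    """The slide's 'repeated for each firewall / DMZ': total direct rules across all
    DMZs, assuming every DMZ has the same number of managed devices."""
    return len(direct_rules(servers, devices, protocols)) * dmz_count


if __name__ == "__main__":
    servers = ["10.0.0.11", "10.0.0.12"]                  # constructed NOC addresses
    devices = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]  # constructed DMZ devices
    for rule in direct_rules(servers, devices):
        print(rule)
    print(len(direct_rules(servers, devices)), "direct rules vs",
          len(proxy_rules(servers, "192.0.2.2", 443)), "proxy rules")
```

Two servers, three devices and six protocols already produce 36 rules per firewall, each of which has to be reviewed whenever a server or device is added; the proxy variant stays at one rule per management server no matter how many DMZ devices appear.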

Page 8: Tavve   Zone Ranger


Simplifying Firewall Configuration - 2

Figure, before: Management Application Servers, firewall, DMZ Devices, with every management protocol crossing the firewall.

Figure, after: Management Application Servers and a RangerGateway on the trusted side, firewall, a ZoneRanger in the DMZ in front of the DMZ Devices, so only the ZoneRanger/RangerGateway channel crosses the firewall.

Page 9: Tavve   Zone Ranger


Proxy Firewall Example: SNMP Get/Set

Figure, without a proxy: the Management Application Server sends a Get Request directly to the DMZ Device and receives the Get Response directly from it.

Figure, with a proxy: the Management Application Server sends its Get Request to the Proxy Firewall; the Proxy Firewall issues the Get Request to the DMZ Device, receives the Get Response, and returns the Get Response to the Management Application Server.

Page 10: Tavve   Zone Ranger


Proxy Firewall Example: Syslog Forwarding

Figure, without a proxy: the DMZ Device sends its Syslog Message directly to the Management Application Server.

Figure, with a proxy: the DMZ Device sends its Syslog Message to the Proxy Firewall, which forwards the Syslog Message to the Management Application Server.
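The SNMP and Syslog figures above both show the same pattern: the proxy, not the firewall, is the only party that talks to both sides. As an added example, and not code from Tavve or from the ZoneRanger product, this Python relay implements the Syslog half of that pattern: it accepts UDP datagrams from an allowlist of DMZ devices, checks that each is a well-formed RFC 3164 message with no embedded control characters, and forwards accepted messages to the trusted-side collector from its own address. The addresses, the allowlist and the sample message are constructed for the example.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example (not from the slides): DMZ devices allowed to
# log through the proxy, and the collector on the trusted side that receives the relay.
ALLOWED_DMZ_SOURCES = {"192.0.2.10", "192.0.2.11"}
TRUSTED_SYSLOG_SERVER = ("10.0.0.11", 514)
MAX_MSG_LEN = 1024  # RFC 3164: a syslog packet must be 1024 bytes or less

# RFC 3164 framing: "<PRI>" then the message, where PRI = facility * 8 + severity.
_SYSLOG_RE = re.compile(rb"^<(\d{1,3})>(.+)$", re.DOTALL)


@dataclass
class Decision:
    forward: bool
    reason: str
    facility: Optional[int] = None
    severity: Optional[int] = None


def inspect_syslog(datagram: bytes, src_ip: str, allowed=ALLOWED_DMZ_SOURCES) -> Decision:
    """Decide whether a datagram received on the DMZ side may be relayed to the trusted
    side.  The proxy enforces who may log and what a message may look like, so the
    firewall never has to pass raw UDP/514 from arbitrary DMZ hosts."""
    if src_ip not in allowed:
        return Decision(False, f"source {src_ip} is not an allowed DMZ device")
    if len(datagram) > MAX_MSG_LEN:
        return Decision(False, "message exceeds the RFC 3164 size limit")
    m = _SYSLOG_RE.match(datagram)
    if not m:
        return Decision(False, "missing or malformed <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 is the highest legal value
        return Decision(False, f"PRI {pri} out of range")
    body = m.group(2)
    # Reject control characters: a CR/LF or escape sequence inside a relayed line can
    # forge extra log lines or drive the terminal of whoever reads the log.
    if any((b < 0x20 and b != 0x09) or b == 0x7F for b in body):
        return Decision(False, "control characters in message body")
    return Decision(True, "ok", facility=pri // 8, severity=pri % 8)


def relay(datagram: bytes, src_ip: str, out_sock: socket.socket,
          dest=TRUSTED_SYSLOG_SERVER) -> Decision:
    """Forward an accepted datagram to the trusted-side collector.  The relayed packet
    is sourced from the proxy's own address, so the collector only ever sees one peer."""
    decision = inspect_syslog(datagram, src_ip)
    if decision.forward:
        out_sock.sendto(datagram, dest)
    return decision


def serve(listen=("0.0.0.0", 514)):
    """Receive loop bound to the DMZ-facing interface (port 514 needs privileges)."""
    inbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    inbound.bind(listen)
    outbound = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    while True:
        datagram, (src_ip, _) = inbound.recvfrom(2048)
        decision = relay(datagram, src_ip, outbound)
        if not decision.forward:
            print(f"dropped from {src_ip}: {decision.reason}")


if __name__ == "__main__":
    # Constructed sample datagram, in the shape a DMZ router would emit.
    sample = b"<34>Oct 11 22:14:15 dmz-rtr1 %SYS-5-CONFIG_I: Configured from console"
    print(inspect_syslog(sample, "192.0.2.10"))                      # forwarded
    print(inspect_syslog(sample, "203.0.113.7"))                     # not allowlisted
    print(inspect_syslog(b"<13>line one\nline two", "192.0.2.10"))  # injected line break
```

Running `serve()` gives the DMZ devices a single place to send logs; the firewall only has to permit the proxy's relay traffic to the collector, which is the reduction in open ports the ZoneRanger slides describe.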

Page 11: Tavve   Zone Ranger


ZR Supported Outbound Requests

• ICMP – “ping”

• TCP – Transmission Control Protocol

• SNMP v1 / v2c / v3 – Simple Network Management Protocol

– v3 – enable v3 for selected DMZ devices (DMZ router) without upgrading the entire DMZ or trusted side

• HTTPS – Secure Hypertext Transfer Protocol

• TFTP – Trivial File Transfer Protocol

• SSH – Secure Shell

• SOCKS – SOCKetS (secure proxy)

• FTP – File Transfer Protocol

• ICMP/SNMP Proxy Caching

Page 12: Tavve   Zone Ranger


ZR Supported Inbound Requests

• UDP – Unreliable Datagram Protocol

• SNMP Traps

• NetFlow – network performance

• Syslog – “system logging” protocol

• TACACS+ – authentication, authorization and accounting

• RADIUS – authentication, authorization and accounting

• NTP – Network Time Protocol

Page 13: Tavve   Zone Ranger


Transparent Applications

• Fault (Network Management System – NMS)

HP OpenView NNM, IBM Tivoli NetView, OpenNMS, MS-Mom, Solarwinds, CA Unicenter

• Fault (Systems Management)

Entuity, SiteScope, EMC Smarts, IBM Tivoli Netcool, Bladelogic

• Configuration

Voyence, OpsWare, HP NCM, Cisco NCM, CiscoWorks

• Accounting

NetQoS, Fluke/Crannog NetFlow Tracker, Cisco ACS

• Performance

CA eHealth, InfoVista, PRTG, MRTG, HP OVPI, SevOne, OPNET

• Security

Cisco MARS, Arcsight, enterasys Dragon (DSCC)

Page 14: Tavve   Zone Ranger


ZoneRanger Business Case

Eliminate the human error (risk) of firewall rules and reduce the open firewall ports

Increase access to DMZ devices and at the same time increase overall network security

Reduce labor to create and maintain extensive firewall rules for DMZ(s)

Address compliance requirements of SOX, PKI, ISO 27001, HIPAA

Page 15: Tavve   Zone Ranger


Select Tavve Customers