Tavve Zone Ranger

DESCRIPTION

What is a ZoneRanger

ZoneRanger Management Through Firewalls

Jeff Olson, Regional Sales Manager

Jeff.olson@tavve.com

Improve Security. Remove Complexity. Reduce Cost.

Network Management Evolution

In the “Golden Era” of Network Management, everything was connected and specific protocols weren’t restricted.
True Security = No Traffic

The only completely risk-free solution is NOT passing any protocols through the firewall.

[Diagram: management applications (Remedy, Concord, CiscoWorks, NNM) on the Trusted Network; each management protocol toward the DMZ / Untrusted Network (SNMP, ICMP, Syslog, NetFlow) is marked X, i.e. blocked at the firewall]

Security Analysis of Management Protocols

Protocol        Authentication   Encryption   Easy to Spoof
ICMP            None             None         Yes
SNMP v1 / v2c   Simplistic       None         Yes
SSH             Good             Good         No
FTP             In the Clear     None         No
Syslog          None             None         Yes
NetFlow         None             None         Yes
sFlow           None             None         Yes
TFTP            None             None         Yes
HTTPS           Good             Good         No
HTTP            In the Clear     None         No
SNMP v3         Good             Good         No

Defining DMZ / Untrusted Network

A DMZ is any network separated from the corporate network by a firewall.

DMZs may be separated from the corporate network by multiple firewalls.

Includes virtual DMZs.

A DMZ can be used internally to separate business functions from malicious attacks and cyber crime.

Due to security concerns, DMZs are often difficult to manage from the corporate network (or NOC).

Industry Choice 1: Define Firewall Rules

[Diagram: HP NNM and other management applications (e.g. Opsware) on the Corporate Network, with firewall rules opened through to the DMZ]

• Define firewall rules to allow traditional management protocols to pass through the firewall (restricted to management application servers).

• Traditional management protocols are not particularly secure.

• Time consuming, error-prone, more rules than you think!

• The process and effort are repeated for each firewall / DMZ.

Firewall Rules - 1

[Diagram: the simplified view shows one Management Application Server talking to one DMZ Device through the firewall; the reality is a separate rule for each protocol in use between them (ICMP, SNMP, Syslog, SSH, NetFlow, sFlow)]

Simplifying Firewall Configuration - 2

[Diagram: instead of rules from every Management Application Server to every DMZ Device, a ZoneRanger and a RangerGateway sit between the Management Application Servers and the DMZ Devices, so the firewall only has to pass traffic between those two components]

Proxy Firewall Example: SNMP Get/Set

[Diagram: without a proxy, the Management Application Server sends the Get Request directly to the DMZ Device and receives the Get Response. With a proxy, the Management Application Server sends the Get Request to the Proxy Firewall, which issues its own Get Request to the DMZ Device, receives the Get Response, and returns it to the Management Application Server]

Proxy Firewall Example: Syslog Forwarding

[Diagram: without a proxy, the DMZ Device sends its Syslog Message directly to the Management Application Server. With a proxy, the DMZ Device sends the Syslog Message to the Proxy Firewall, which forwards it to the Management Application Server]
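As an added illustration of the syslog proxy pattern above (this is not code from the original deck or from Tavve), the following Python relay sits where the Proxy Firewall does: DMZ devices send syslog to it, and only the relay needs a firewall rule to the management server. Because the earlier table lists syslog as having no authentication and being easy to spoof, the relay also enforces an allowlist of DMZ source addresses and tags each forwarded message with the address it actually came from; the addresses and ports are constructed placeholders.

```python
"""Minimal syslog relay in the spirit of the proxy-firewall model.

Constructed example (not Tavve code). DMZ devices send syslog to the
relay; the relay is the only host that needs a firewall rule to the
management server. Syslog carries no authentication, so the relay
checks the UDP source address against an allowlist before forwarding.
"""
import re
import socket

# RFC 3164 style header: "<PRI>" followed by the rest of the message.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_pri(datagram: bytes):
    """Return (facility, severity, body), or None if the PRI header is malformed."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # PRI = facility * 8 + severity; max is 23 * 8 + 7
        return None
    return pri // 8, pri % 8, m.group(2)


def relay_decision(src_ip: str, datagram: bytes, allowed_sources):
    """Decide what the relay forwards for one received datagram.

    Returns the bytes to send to the management server, or None to drop.
    The forwarded copy is tagged with the verified UDP source address so
    the management application does not have to trust the (spoofable)
    hostname carried inside the message body.
    """
    if src_ip not in allowed_sources:
        return None  # not a known DMZ device: drop silently
    parsed = parse_pri(datagram)
    if parsed is None:
        return None  # not syslog: drop
    facility, severity, body = parsed
    pri = facility * 8 + severity
    return b"<%d>" % pri + b"[relay src=" + src_ip.encode() + b"] " + body


def run_relay(listen=("0.0.0.0", 514), mgmt=("10.0.0.10", 514), allowed=frozenset()):
    """Blocking UDP loop (placeholder addresses); not run by the tests."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, (src, _port) = sock.recvfrom(2048)
        out = relay_decision(src, data, allowed)
        if out is not None:
            sock.sendto(out, mgmt)
```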

ZR Supported Outbound Requests

• ICMP – “ping”

• TCP – Transmission Control Protocol

• SNMP v1 / v2c / v3 – Simple Network Management Protocol

– v3 – enable v3 for selected DMZ devices (DMZ router) without upgrading the entire DMZ or trusted side

• HTTPS – Secure Hypertext Transfer Protocol

• TFTP – Trivial File Transfer Protocol

• SSH – Secure Shell

• SOCKS – SOCKetS (secure proxy)

• FTP – File Transfer Protocol

• ICMP/SNMP Proxy Caching

ZR Supported Inbound Requests

• UDP – Unreliable Datagram Protocol

• SNMP Traps

• NetFlow – network performance

• Syslog – “system logging” protocol

• TACACS+ – authentication, authorization and accounting

• RADIUS – authentication, authorization and accounting

• NTP – Network Time Protocol

Transparent Applications

• Fault (Network Management System – NMS)

HP OpenView NNM, IBM Tivoli NetView, OpenNMS, MS-Mom, Solarwinds, CA Unicenter

• Fault (Systems Management)

Entuity, SiteScope, EMC Smarts, IBM Tivoli Netcool, Bladelogic

• Configuration

Voyence, OpsWare, HP NCM, Cisco NCM, CiscoWorks

• Accounting

NetQoS, Fluke/Crannog NetFlow Tracker, Cisco ACS

• Performance

CA eHealth, InfoVista, PRTG, MRTG, HP OVPI, SevOne, OPNET

• Security

Cisco MARS, ArcSight, Enterasys Dragon (DSCC)

ZoneRanger Business Case

Eliminate the human error (risk) of firewall rules and reduce the open firewall ports

Increase access to DMZ devices and at the same time increase overall network security

Reduce labor to create and maintain extensive firewall rules for DMZ(s)

Address compliance requirements of SOX, PKI, ISO 27001, HIPAA

Select Tavve Customers