Network Monitoring within a DMZ

Transcription

1 Network Monitoring within a DMZ January 2005 Gary Schlachter Tavve Software Co. Tavve Software Co. One Copley Plaza Suite 480 Morrisville, NC

2 Network Monitoring within a DMZ. Executive Summary With the proliferation of DMZ s (so-called De-Militarized Zones or firewall-protected areas) and Extranets today, network managers are increasingly faced with the problem of monitoring these protected areas using their existing management investment. Although network management encompasses many areas, this paper defines monitoring as actively polling devices, interfaces, and applications for status and then notifying network management software in the Network Operations Center (NOC) of any problems. This document will describe a number of different solutions for monitoring DMZ devices: Open Firewall, Vendor Specific Tools, Tavve ZoneRanger. The DMZ The number of DMZs is rapidly growing as more and more businesses use the Internet for retailing, business-to-business communications, or simply having a Web presence for marketing. While an Internet presence is the lifeblood of companies like ebay and Amazon, it has become just as important for many other companies both big and small. Even though the.com period has ended, businesses are increasingly using the Internet as a means to both generate brand awareness and revenue. So as the general population s use of the Internet increases, business s use of DMZs will expand as well. Besides an Internet retail DMZ, another increasing use of firewall-protected areas is between cooperating businesses. Businesses may need to share information, process orders, or manage inventory between each other. In order to accomplish these tasks, the businesses need access to the same systems. The common network configuration for this shared environment is to have a set of systems that are separated by firewalls from both companies so that each can access the systems but not have access to the others private networks. The concept of the DMZ as a firewall-protected area is also frequently used within corporations to segment user communities for security reasons. Corporations want to keep their accounting departments securely separated from their engineering departments. Corporate espionage, computer hacking, and malicious employees all need to be guarded against through the use of firewall-protected areas. This use of the DMZ is becoming more prevalent as companies become more security conscious. Copyright 2004 Tavve Software Co. 2

3 Thus the need for firewall-protected areas or DMZs continues to increase for a variety of reasons. As this need expands, so does the need to manage the devices within these areas. The Network Operations Center The Network Operations Center (NOC) is the center of network management activity within a corporation. The NOC, especially in large corporations, is a very sophisticated and complex organization of hardware, software, and personnel. In many cases, the NOC is responsible for managing servers, networking equipment, Operating Systems, and software applications. Thus it is the on-going challenge for those NOC personnel to manage the corporate environment no matter how it is configured or segregated. Very large corporations may have multiple NOCs depending on how they manage their environment. NOCs could be separated for geographically reasons across the world to take advantage of time zones or proximity to other corporate assets. NOCs could be separated by management function such as by networking equipment, servers, or applications. NOCs may also be separated due to corporate mergers to allow the prior individual companies to maintain their own independent NOCs. The use of multiple NOCs compounds the complexity of managing the corporate network. Thus the NOC has the responsibility of managing the corporate network so that the business of the corporation can be accomplished. That management of the network requires that the NOC have specific abilities to probe and collect information from the network devices in order to properly monitor them. However the responsibility of managing can be made more complicated by the design of the network itself or by other internal organizations influence over the network. The Security Team Soon after the creation of the corporation, corporate security was created to protect the assets of the business. Until recently, corporate security was primarily concerned with physical security of locations, personnel, processes, documents, etc. However, over the last years and the proliferation of the Internet, corporate security was presented Copyright 2004 Tavve Software Co. 3

4 with a whole new challenge. Electronic attacks from outside the corporation as well as from within the corporation are a constant concern of the Security Team. At the extreme, if the corporation s business could function without networking computers together, that would be ideal environment for corporate security. As soon as devices are connected, there is the opportunity for a security breach adversely affecting the business. Obviously, networking is required in today s corporations, so the Security Team is challenged with protecting the corporate data and assets in an increasing hostile networked world. So the Security Team looks to minimize any area or communication that could compromise the security of the network. The Problems With the requirement of the Network Operations Center to collect data and poll network devices and the requirement of the Security Team to protect corporate information by minimizing communications, the missions of these two groups are often at odds. This difference in goals and philosophy lead to conflicts and compromises between the two organizations. Nowhere is this conflict more poignant than in the DMZ. The DMZ is inherently insecure since it allows the outside world into, at least a portion of, the corporate network. Thus the Security Team is particularly interested in guaranteeing that the corporate network is secure from being accessed through the DMZ. But, since the Network Operations Center personnel are charged with managing the entire corporate network, network management includes managing into the DMZ. Therefore, the NOC needs some ability to view the devices in the DMZ, collect data about those devices, and monitor those devices for operability. Another problem within the NOC itself concerns how the network is monitored and managed. Due to network size and complexity, large corporations use a variety of network management tools like HP OpenView, IBM NetView, Micromuse NetCool, CA Unicenter, Concord NetHealth, NetScout ngenius, etc to manage their network. Many times companies use more than one set of tools from more than one vendor. This is especially true if there are multiple NOCs or specializations within the NOC by hardware, software, region, etc. Thus, there is a need for multiple tools to be able to manage devices across the corporate network and possibly within the DMZ itself. The Solution Option I Open Firewall One solution, which would satisfy the NOC personnel, is to allow network management traffic through the firewall to monitor the DMZ devices. This would involve configuring the firewall to allow communications between the DMZ devices and the network management station. This would allow the network management station (NMS) to use ICMP and SNMP to poll the devices through the firewall to determine whether or not they are available. If the DMZ device could not be reached via ICMP, the NMS would notify NOC personnel to investigate the problem. Copyright 2004 Tavve Software Co. 4

5 Although the NOC staff would find this to be an acceptable solution, the Security Team would not for a couple of reasons. First, ICMP and SNMP are very insecure protocols that can be spoofed by malicious hackers to send possibly harmful information directly to the NMS. So allowing ICMP or SNMP traffic through the firewall is not likely to pass the Security Team as an acceptable risk for managing the DMZ devices. Second, ignoring the fact that the traffic is ICMP or SNMP, this solution could be made more secure by configuring the firewall to only allow direct communications between the network management station and each DMZ device. However, this too causes problems for the Security Team since they are typically the controllers of the firewall. This technique would cause the Security Team to be constantly updating the firewall with new rules as DMZ devices were added, deleted, moved, re-iped, etc. With each firewall change, there is the possibility, however remote, that a mistake could be made causing a loss of communications to the DMZ or worse, a security breach into the corporate network. In general, the Security Team would prefer not to make frequent changes to the firewall configuration. Thus, due to the inherent insecurity of ICMP, this solution would not be acceptable to the Security Team. The Solution Option II Vendor Specific Tools The next possible solution would be to place vendor proprietary agents/tools in the DMZ. The features and functions of each vendor s agents or tools vary. However, the two basic techniques either use a remote polling station within the DMZ or use individual agents residing on the DMZ devices themselves. In the case of the remote polling station within the DMZ, the vendor tool polls the devices in the DMZ and then sends proprietary information to the vendor s network management station. Depending on the tool, a small number of firewall ports need to be configured to allow direct communication between the polling station and the network management station. The vendor information may or may not be transmitted securely (encrypted) to the NMS. If the number of required firewall ports is not excessive, this solution could be acceptable to the Security Team since the security risk would be lower and they would not need to make frequent firewall changes. However, NOC personnel may not be happy with this solution. The use of a proprietary vendor solution may be sufficient if it has the desired feature set and the NOC uses a single set of tools from the particular vendor. But if the NOC uses multiple network management tools from several vendors, a single vendor remote polling station is not sufficient. Also, the use of a vendor proprietary solution forces the NOC to continue to use the current network management station which makes it difficult for them to switch to another network management toolset. Copyright 2004 Tavve Software Co. 5

6 In the case of using individual agents on the DMZ devices, each agent would need to be installed on each managed DMZ device. The NMS would then communicate with each agent to check the status of each DMZ device. The firewall would need to be configured to allow each DMZ device to communicate with the NMS. The vendor information may or may not be transmitted securely (encrypted) to the NMS. In using the individual agent technique, the Security Team does not prefer this solution. From the Security Team point-of-view, the amount of firewall configuration necessary for each vendor agent to communicate with the NMS would be excessive. The firewall configuration would need to be modified for each new DMZ device leading to firewall complexity and the number of connections through the firewall could be a security risk. The NOC personnel also do not prefer the individual agent solution for this problem. Using proprietary agents requires the deployment and configuration of an agent for each DMZ device, which is burdensome for the NOC staff to coordinate and manage. The use of individual agents also forces the Network Operations Center to use a particular vendor tool set making it difficult for them to change vendors. The Solution Option III Tavve ZoneRanger The third option is to use a product from Tavve called ZoneRanger. ZoneRanger is an appliance that is installed in the DMZ. ZoneRanger discovers and polls the DMZ devices and communicates any status changes to any vendor s NMS through the firewall. A software application called Ranger Gateway is installed on a machine near or on the NMS. The ZoneRanger communicates encrypted information regarding the status of DMZ devices using one firewall rule to the Ranger Gateway, which then communicates to the NMS the status of the DMZ device in the form of an SNMP Trap. NMS Ranger Gateway F I R E W A L L DMZ ZoneRanger Managed Device Managed Device Managed Device This solution is acceptable to the Security Team since only one firewall rule is necessary to allow communication from the DMZ devices to the NMS. The use of ZoneRanger also has the added benefit since the data coming from the ZoneRanger to the Ranger Gateway is encrypted, further increasing security. Copyright 2004 Tavve Software Co. 6

7 The NOC personnel also find this solution acceptable since it provides a mechanism to remotely poll the DMZ devices using a single application (appliance), which simplifies configuration. Since the ZoneRanger works with any NMS, the NOC has the flexibility to configure the Ranger Gateway to send the status of the DMZ devices to multiple network management tools. Due to ZoneRanger s vendor neutrality, the NOC has the added ability to change network management toolsets without changing the way the DMZ devices are managed. Conclusion Corporations ever-expanding use of the DMZ or firewall protected areas for retailing, business-to-business communications, or simply having a Web presence for marketing, presents a network management challenge to the Network Operations Center and a security challenge to the corporate Security Team. Both groups need to find a suitable solution to allowing the NOC to manage the devices within the DMZ without compromising security as dictating by the corporate Security Team. There are a number of possible solutions that vary on their acceptability to both the NOC personnel and the Security Team. The solution which best meets the needs of the Security Team by minimizing firewall access and configuration and meets the needs of the NOC personnel by providing the necessary monitoring, low amount of configuration, as well as the flexibility to make future network management toolset changes is the Tavve ZoneRanger. Copyright 2004 Tavve Software Co. 7