Proxy SNMP Trap Reception from DMZ



Similar documents
Network Monitoring within a DMZ

Secure Management Through Firewalls

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Detection of illegal gateways in protected networks

FIREWALLS & CBAC. philip.heimer@hh.se

Cornerstones of Security

Firewalls. CEN 448 Security and Internet Protocols Chapter 20 Firewalls

The Bomgar Appliance in the Network

SolarWinds Log & Event Manager

Using a Cisco PIX Firewall to Limit Outbound Internet Access

Multi-Homing Dual WAN Firewall Router

EXINDA NETWORKS. Deployment Topologies

Internet Security Firewalls

How To Set Up Foglight Nms For A Proof Of Concept

Agenda. Understanding of Firewall s definition and Categorization. Understanding of Firewall s Deployment Architectures

This presentation describes the IBM Tivoli Monitoring 6.1 Firewall Implementation: KDE Gateway Component.

Best of Breed of an ITIL based IT Monitoring. The System Management strategy of NetEye

Configuring a customer owned router to function as a switch with Ultra TV

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

SANGFOR SSL VPN. Quick Start Guide

Secure Web Appliance. Reverse Proxy

Overview. Firewall Security. Perimeter Security Devices. Routers

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

To Configure Network Connect, We need to follow the steps below:

Wholesale Dial NMS Case Study

8. Firewall Design & Implementation

Where can I install GFI EventsManager on my network?

Payment Card Industry (PCI) Data Security Standard

Cisco Secure PIX Firewall with Two Routers Configuration Example

Internet Security Firewalls

Guideline on Firewall

Firewall Architecture

FIREWALL ARCHITECTURES

nappliance misa Server 2006 Standard Edition Users Guide For use with misa Appliances 2006 nappliance Networks, Inc.

allow all such packets? While outgoing communications request information from a

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

MN-700 Base Station Configuration Guide

Network Security. Tampere Seminar 23rd October Overview Switch Security Firewalls Conclusion

The SpeedTouch and Firewalling

emerge 50P emerge 5000P

Hosting more than one FortiOS instance on. VLANs. 1. Network topology

Half Bridge mode }These options are all found under Misc Configuration

Helping You Piece IT Together. Best Practices for Log Monitoring

This article describes a detailed configuration example that demonstrates how to configure Cyberoam to provide the access of internal resources.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

Security perimeter white paper. Configuring a security perimeter around JEP(S) with IIS SMTP

What would you like to protect?

Document No. FO1101 Issue Date: Work Group: FibreOP Technical Team October 31, 2013 FINAL:

Many network and firewall administrators consider the network firewall at the network edge as their primary defense against all network woes.

DDoS Protection Technology White Paper

WHITE PAPER September CA Nimsoft For Network Monitoring

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

How To Load balance traffic of Mail server hosted in the Internal network and redirect traffic over preferred Interface

HP Operations Agent for NonStop Software Improves the Management of Large and Cross-platform Enterprise Solutions

Premier Services Program (PSP) Tools: Security Overview

CMPT 471 Networking II

Firewalls and System Protection

Best Practices: Pass-Through w/bypass (Bridge Mode)

Application Note. Providing Secure Remote Access to Industrial Control Systems Using McAfee Firewall Enterprise (Sidewinder )

Firewalls. Chapter 3

Architecture Overview

BROADBAND FIREWALL ROUTER WITH 1-USB + 1-PARALLEL PRINT SERVER PORT

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Installing Version 7.6 The Latest Tips

Multifunctional Broadband Router User Guide. Copyright Statement

How To Manage Ipv6 Networks On A Network With Ipvv6 (Ipv6) On A Pc Or Ipv4 (Ip6) (Ip V6) Or Ip V6 ( Ipv5) ( Ip V5

Barracuda Link Balancer Administrator s Guide

Tutorial 3. June 8, 2015

8/26/2007. Network Monitor Analysis Preformed for Home National Bank. Paul F Bergetz

A Quick Guide to Publish Thecus NAS on Internet. Contents

H0/H2/H4 -ECOM100 DHCP & HTML Configuration. H0/H2/H4--ECOM100 DHCP Disabling DHCP and Assigning a Static IP Address Using HTML Configuration

IPS Anti-Virus Configuration Example

Networking Topology For Your System

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

GFI Product Manual. Deployment Guide

Figure 41-1 IP Filter Rules

Nimsoft for Network Monitoring. A Nimsoft Service Level Management Solution White Paper

Product Overview. Product Family. Product Features. Powerful intrusion detection and monitoring capacity

Firewalls. Steven M. Bellovin Matsuzaki maz Yoshinobu

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

P-660R-T1 v3 QUICK START GUIDE. ADSL2+ Access Router DEFAULT LOGIN DETAILS. Firmware v3.40 Edition 1, 09/2008. IP Address:

- Introduction to PIX/ASA Firewalls -

Web Drive Limited TERMS AND CONDITIONS FOR THE SUPPLY OF SERVER HOSTING

SE 4C03 Winter 2005 Firewall Design Principles. By: Kirk Crane

application note LAN Power: HP Web QoS with HP ProCurve Switches What is WebQoS? How WebQoS Classifies and Prioritizes Traffic

LotWan Appliance User Guide USER GUIDE

Implementing Network Address Translation and Port Redirection in epipe

Firewall Environments. Name

HP ProLiant Essentials Vulnerability and Patch Management Pack Planning Guide

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

Where can I install GFI EventsManager on my network?

Intranet, Extranet, Firewall

SOLARWINDS ENGINEER S TOOLSET FAST FIXES TO NETWORK ISSUES

I N S T A L L A T I O N M A N U A L

Chapter 4 Customizing Your Network Settings

Proxy Server, Network Address Translator, Firewall. Proxy Server

PFSENSE Load Balance with Fail Over From Version Beta3

HoneyBOT User Guide A Windows based honeypot solution

Secure Network Design: Designing a DMZ & VPN

Chapter 4 Customizing Your Network Settings

Transcription:

Proxy SNMP Trap Reception from DMZ Anthony V. Edwards Tavve Software Co. Tavve Software Co. One Copley Plaza Suite 480 Morrisville, NC 27560 +1 919-460-1789 www.tavve.com

Proxy SNMP Trap Reception from DMZ Executive Summary Anthony V. Edwards Tavve Software Co. With the proliferation of DMZ s (so-called De-Militarized Zones or firewall protected areas) and extranets today, network managers are increasingly faced with the problem of receiving from servers and networking equipment when security policy prevents from crossing the firewall from these segregated areas. This paper discusses three solutions for SNMP trap reception from the DMZ: 1) add a trap receiver into DMZ, 2) use a separate network management network, or 3) add a proxy trap receiver into DMZ. This paper discusses the problem the security policy creates and three solutions for this problem. The SNMP trap Receiver Network managers have embraced receiving to monitor network activities and troubles for a long time. Network managers trust and rely upon those. Many sites configure their equipment to forward all to a single trap receiver (or Network Management System (NMS)), which processes them to raise alerts or warnings. A variety of applications are available today to process. NMS platforms include Hewlett Packard s OpenView Network Node Manager, IBM Tivoli s NetView, Computer Associates Unicenter, Concord Communication s Aprisma, BMC Software Visualis, Open Service NerveCenter, and others. For point solutions, products include Concord Communication s TrapExploder, Micromuse NetCool SNMP Trap Probe, and others. Shareware products include Net-SNMP s snmptrapd. When Security Becomes an Obstacle can be received as long as the network path allows it. Increasingly, security policies are prohibiting the passing of trap traffic. The firewall becomes an obstacle, preventing these messages from reaching the trap receiver. For example, see Figure 1 depicting an agent failing to transmit to its Aprisma receiver. Clearly, if the firewall blocks from the receiver, it is time to re-architect this part of the network management design. In the remainder of this paper, we will look at three possible solutions: (1) add a trap receiver on the DMZ side, (2) use a separate network management network, or (3) use a proxy trap receiver. Copyright 2005 Tavve Software Co. 2

Trap Receiver Aprisma SNMP trap Firewall SNMP trap Agent Figure 1. Security Policy Means the Firewall Blocks. Solution 1: Add a Trap Receiver A solution to the security policy issue of no through the firewall is to deploy a trap receiver in the DMZ (such as DNNM). Instead of the going through the firewall, it instead goes to the DMZ trap receiver server. The receiver then requires an instance of trap processing (or NMS) software. Some applications use TCP through the firewall (such as a web browser) that interfaces with the NMS software. This requires at least one firewall rule per trap receiver to allow the central server enterprise-side application to interface with the DMZ trap receiver. See Figure 2 below. NMS Server NNM Trap synch/update Admin Firewall Trap Receiver DNNM DMZ#1 DNNM DMZ#2 Agent Figure 2. A Trap Receiver (DNNM) per DMZ Design Copyright 2005 Tavve Software Co. 3

To implement this solution, you will need a trap receiver (DNNM) in every isolated DMZ that contains equipment to monitor, even if that DMZ only contains a few devices. For each trap receiver, you need to 1. Acquire and install a computer as the hardware for the receiver 2. Purchase and install the trap processing software 3. Add a firewall rule (or likely more) so the trap receiver can communicate with the enterprise-side NMS; perhaps this is just user web access from the enterprise, but more than likely it is more involved, depending upon your NMS. 4. Configure the servers to forward to new trap processing software The advantage of this solution is: 1. It requires no more expertise to setup/configure trap receivers in a DMZ than ordinarily needed in the enterprise. The disadvantages of this solution are: 1. The extra cost required for each instance of NMS software per DMZ 2. The additional hardware cost involved with those new NMS instances 3. The added labor cost involved with OS and NMS software setup 4. The delays or justifications with security to negotiate all those new firewall rules 5. The ongoing labor cost involved with OS and software maintenance/upgrades Solution 2: Use Separate Network Management Network Another solution to the security policy issue of no through the firewall is to deploy a parallel network management network. All devices generating need an interface dedicated to a network management traffic only subnet. The trap receiver is deployed as dual-homed with one interface on the corporate network and one interface on the network management network. are carried over the network management network to the trap receiver. The trap receiver communicates to the NMS over the corporate network (or it may be the same server). To implement this solution, you will need a dedicated interface per device: 1. Dedicate an Ethernet interface on each server to the network management network 2. Dedicate an Ethernet interface on each router to the network management network 3. Connect your switch s network management LAN port to the network management network. If your switch does not have a dedicated management port, then it cannot be part of this solution. 4. Add an extra network interface to the NMS 5. Configure all these dedicated interfaces to be on the same subnet The advantages of this solution are: 1. This is a very low cost approach, presuming the dedicated interface cost is low. 2. There is no need for a dedicated NMS per DMZ Copyright 2005 Tavve Software Co. 4

3. No proxy software or appliance is needed The disadvantages of this solution are: 1. It may be difficult to get approval from your security group. Security groups consider the scenario where a DMZ device becomes compromised. In such a scenario, security may be concerned that attacking traffic may infiltrate the network management network. In turn, the attacking traffic could infiltrate the NMS before ultimately attacking the corporate network. Such an attack would circumvent the protection of the firewall, which is undesired. 2. Some network equipment (such as switches) do not have a dedicated network management interface, rendering this solution incomplete. NMS Server Visualis Admin trap receiver trap receiver Firewall Net Mgmt Subnet Agent Figure 3. A separate network management subnet bypasses firewall Solution 3: Add a Proxy Trap Receiver Another solution to the security policy issue of no through the firewall is to deploy proxy receivers in the DMZ. Instead of the SNMP trap traffic going through the firewall, it instead goes to the proxy receiver. The proxy receiver in the DMZ then communicates to proxy software in the enterprise, which can be co-located with the enterprise-side trap receiver. The proxy software generates the for the trap receiver. The trap receiver conveys the messages to the application server, even if the Copyright 2005 Tavve Software Co. 5

trap processing software is located on a different server. This requires only one firewall rule to allow the proxy receiver to forward the messages. One such proxy trap receiver is Tavve s ZoneRanger system/network management appliance. It fits into the solution as shown in Figure 5 below. NMS Server Trap receiver NetView trap receiver trap synch/update Admin Proxy Software Ranger Gateway Firewall Proxy Trap Receiver ZoneRanger DMZ#1 ZoneRanger DMZ#2 Agent Figure 4. Proxy Trap Receivers Sharing One Central Trap Receiver Design To implement this solution, you will need a proxy trap receiver in every isolated DMZ that contains devices generating. Several proxy trap receivers can report their messages to the same central trap receiver. For each proxy trap receiver, you need to 1. Acquire and install a proxy trap receiver appliance (ZoneRanger) 2. Add one firewall rule so the proxy trap receiver can communicate with the proxy software on the NMS 3. Configure the devices generating to send them to the new trap receiver. Copyright 2005 Tavve Software Co. 6

If the proxy trap receiver is an appliance, such as ZoneRanger, you do not need to configure rules for system administrator or software maintenance access through the firewall to it. The one firewall rule that allows the ZoneRanger to communicate with the complementary Ranger Gateway software also allows configuration by web browsing to a Ranger Gateway port. The advantages of this solution are: 1. The ZoneRanger appliance does not require system or software maintenance to setup or maintain the system/network management support team configures it 2. No more additional trap receiver servers required than usual 3. Only one firewall rule (per proxy trap receiver) needed in firewall (easier to negotiate with security) 4. It can proxy all or it can selectively proxy some based on filtering criteria. Criteria are setup in named groups. Each group is a list of traps. 5. Aside from proxying, it proxies other network management traffic (SNMP, syslog messages, NetFlow, sflow) The disadvantage of this solution is: 1. It is a new tool, so some learning is required Figure 5. Sample ZoneRanger Screenshot. Copyright 2005 Tavve Software Co. 7

Conclusion When the security policy of your enterprise prevents you from sending your to your enterprise-side central trap receiver, you can choose one of three solutions: (a) add a trap receiver into each isolated DMZ, (b) use a separate network management network, or (c) add a proxy trap receiver into each isolated DMZ. Depending upon product and ongoing administration costs, one solution may be more favorable than the other for your enterprise. Product References 1. Hewlett-Packard OpenView Network Node Manager. http://www.managementsoftware.hp.com/products/nnm/ 2. IBM Tivoli NetView. http://www.ibm.com/software/tivoli/products/netview/ 3. Computer Associates Unicenter. http://www3.ca.com/solutions/product.asp?id=2869 4. Concord Communication s Aprisma. http://www.concord.com/products/fault_mgt/shtml 5. BMC Software Visualis. http://www.bmc.com/products/proddocview/0,2832,19052_19429_26272_8024,0 0.html 6. Open Service NerveCenter. http://www.openservice.com/products/nervecenter.jsp 7. Concord Communication s TrapExploder. http://www.concord.com/solutions/products/trapex.shtml 8. Micromuse NetCool SNMP Trap Probe. http://www.micromuse.com/products_sols/all_probes.html 9. Net-SNMP s snmptrapd. http://www.net-snmp.net/ 10. Tavve Software ZoneRanger. http://www.tavve.com/dynamic.asp?id=44 Copyright 2005 Tavve Software Co. 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information