A project I work on has a similar setup (pieces of an organization
separately attached to the Internet). There was enough autonomy that
they did not want central management, so the net management "hole" in the
firewall could at first be entirely closed, then opened when some
management station from behind the firewall needed to get to the
outer router, for example.
In this restricted case (one router being accessed), you could use
the TIS toolkit "plug" to wire SNMP from a management station to
the router. We handle console-style interactions with a serial
line from the router console to an inside host (and then use "tip"
to access the router). Distances between components can prevent
this simple setup.
The other approach is to devise the components so that they do
not need "management". For example, static routing and a fixed
configuration (access lists, addresses, etc) means you don't need to
fiddle with the router very often. Monitoring the number of bytes
and packets is easily done with the "plug" mentioned above.
For notification of outages, you could consider using the "plug"
to let echoes go from your inside station to some host, say, on
your Internet provider's network. This gives you basic connectivity
info, but without trying to accommodate SNMP traps.
Firewalls can make you reexamine the "management" that *needs* to
occur and how widespread your realm really is. You may find you
don't need to monitor things like the NIC being up, when it's a
pain to configure and justify through the firewall.
Walt
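The echo-based outage check described above, written out as an added example (this is not code from the original post): the inside management station sends an ICMP echo to a host on the provider's network and only raises an alarm after several consecutive misses, so one dropped packet does not page anyone. It needs a single outbound permit through the firewall (echo out, reply back) instead of letting SNMP traps in. The probe host (192.0.2.1, a documentation address), the threshold, the interval, the `logger` notification and the Linux-style `ping -c 1 -W 2` flags are all assumptions to adjust for your site.

```shell
#!/bin/sh
# linkmon.sh: poll a provider-side host with ICMP echo from the inside
# management station and report outages on state transitions only.
# Added example; names, addresses and thresholds below are assumptions.

PROBE_HOST="${PROBE_HOST:-192.0.2.1}"   # assumed: a host on the ISP's net
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"   # consecutive misses before "down"
INTERVAL="${INTERVAL:-60}"              # seconds between probes

# probe_once HOST -> exit 0 if one echo reply came back, non-zero otherwise.
# -W is the per-reply timeout on Linux iputils ping; BSD ping differs.
probe_once() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# update_state STATE FAILCOUNT PROBE_RC
# Pure state machine so it can be exercised without a network.
# Prints "NEWSTATE NEWCOUNT EVENT" where EVENT is DOWN, UP, or empty.
update_state() {
    state=$1; count=$2; result=$3
    event=""
    if [ "$result" -eq 0 ]; then
        count=0
        if [ "$state" = "down" ]; then
            state=up; event=UP
        fi
    else
        count=$((count + 1))
        if [ "$state" = "up" ] && [ "$count" -ge "$FAIL_THRESHOLD" ]; then
            state=down; event=DOWN
        fi
    fi
    printf '%s %s %s\n' "$state" "$count" "$event"
}

# notify MESSAGE: assumed to go to syslog; swap in mail or a pager as needed.
notify() {
    logger -t linkmon "$1"
}

monitor_loop() {
    state=up; count=0
    while :; do
        probe_once "$PROBE_HOST"; rc=$?
        set -- $(update_state "$state" "$count" "$rc")
        state=$1; count=$2; event=$3
        case "$event" in
            DOWN) notify "$PROBE_HOST unreachable after $FAIL_THRESHOLD probes" ;;
            UP)   notify "$PROBE_HOST reachable again" ;;
        esac
        sleep "$INTERVAL"
    done
}

# Start the loop only when asked, so the functions can be sourced for testing:
#   LINKMON_RUN=1 ./linkmon.sh
if [ "${LINKMON_RUN:-0}" = 1 ]; then
    monitor_loop
fi
```

Because the decision logic lives in `update_state` rather than in the loop, you can test the flapping behaviour (threshold reached, recovery, repeated misses while already down) without touching the network or the firewall rule.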