I'm having a running debate with myself over where it makes
most sense to place a network management station in a firewall architecture
in the real world. Opinions are welcome....
dreez
A firewall can be made up of IP filter in a router OR application level
filtering on a (say) Unix dual-homed gateway. The NMS can be on the
internal net OR on the firewall if it is a workstation OR off of
the firewall if it is an IP router/filter.
                              NMS
                               |
                               |
                               |
       NMS          ----------------------
        |           |                    |
        |           |                    |
--------------------|      Firewall      |--------------------
     internal       |                    |       public
                    |                    |
                    ----------------------
NMS on internal network:
------------------------
Advantages:
1) Probably most common setup
2) NMS performs NMS functions and firewall performs firewall functions
Disadvantages:
1) Must program firewall to pass net management packets
2) NMS might need access to DNS for full functionality so firewall must
pass DNS information
3) NMS traffic from public network might impact internal LAN performance
4) Public network now has access to internal agents
5) Misc. esoteric security risks like running protocols over net management
traffic effectively bypassing firewall, trojan horses leaking internal
information through NMS traffic.
NMS on/off of firewall:
-----------------------
Advantages:
1) Internal agents protected from public network
2) Easier to achieve global view because of ready access to
internal and public DNS systems
3) Internal and public net management traffic is kept separate
4) Closes some security holes mentioned above
Disadvantages:
1) Mixed functionality/purpose of firewall
2) Firewall platform may not be robust enough to host NMS
(e.g. firewall may be old/slow equipment with old OS, only
firewall affordable is IP router)
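As an added illustration of disadvantages 1, 4 and 5 of the internal placement and advantage 1 of the on-firewall placement (this is example code, not something from either poster): a toy stateless packet filter of the kind a router ACL of the period implemented, run against the rule sets each placement forces you to open. Only the inbound (public -> internal) direction is modelled. The addresses (10.1.0.0/16 internal LAN, 10.1.0.5 NMS, 192.0.2.0/24 managed public agents, 198.51.100.7 outsider) and the packets are constructed for the example. The "NMS on firewall" set has no public -> internal management rule at all, so it denies even the legitimate reply and trap: with the NMS on the firewall those packets terminate on the firewall host and never have to cross the filter.

```python
# Added example, not part of the original thread: a minimal stateless
# packet filter used to compare what each NMS placement requires you to open.
# All addresses, rules and packets are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SNMP, SNMP_TRAP = 161, 162
ANY_PORT = (0, 65535)
INTERNAL = "10.1.0.0/16"        # assumed internal LAN
NMS = "10.1.0.5/32"             # assumed internal NMS host
PUBLIC_AGENTS = "192.0.2.0/24"  # assumed managed hosts on the public side


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "udp"


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: str                 # CIDR
    dst: str                 # CIDR
    sport: tuple = ANY_PORT  # inclusive (lo, hi)
    dport: tuple = ANY_PORT
    proto: str = "udp"

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.sport[0] <= p.sport <= self.sport[1]
                and self.dport[0] <= p.dport <= self.dport[1])


def decide(rules, p: Packet) -> str:
    """First matching rule wins; no match means the implicit default deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Placement 1, first attempt: NMS on the internal net, filter opened so that
# SNMP polls, replies and traps "just work". This is what typically gets written.
INTERNAL_NMS_LOOSE = [
    Rule("permit", "0.0.0.0/0", INTERNAL, dport=(SNMP, SNMP_TRAP)),
    Rule("permit", "0.0.0.0/0", INTERNAL, sport=(SNMP, SNMP)),
]

# Placement 1, tightened: only the known public agents, only to the NMS host.
# A stateless filter still cannot tell a real reply from a forged one.
INTERNAL_NMS_TIGHT = [
    Rule("permit", PUBLIC_AGENTS, NMS, sport=(SNMP, SNMP)),            # poll replies
    Rule("permit", PUBLIC_AGENTS, NMS, dport=(SNMP_TRAP, SNMP_TRAP)),  # traps
]

# Placement 2: NMS on the firewall host. Its polling of the public side never
# crosses the filter, so no public -> internal management rule exists.
NMS_ON_FIREWALL = []

# Constructed inbound packets (public -> internal).
PROBE_AGENT = Packet("198.51.100.7", "10.1.0.20", 40001, SNMP)   # outsider polls an internal agent
SPOOFED_REPLY = Packet("192.0.2.9", "10.1.0.5", SNMP, 40002)     # forged "reply" from an agent address
LEGIT_REPLY = Packet("192.0.2.10", "10.1.0.5", SNMP, 40003)      # real reply to an NMS poll
LEGIT_TRAP = Packet("192.0.2.10", "10.1.0.5", 40004, SNMP_TRAP)  # real trap to the NMS


def compare(packet: Packet) -> dict:
    """Decision of each rule set for one packet."""
    return {
        "internal_nms_loose": decide(INTERNAL_NMS_LOOSE, packet),
        "internal_nms_tight": decide(INTERNAL_NMS_TIGHT, packet),
        "nms_on_firewall": decide(NMS_ON_FIREWALL, packet),
    }


if __name__ == "__main__":
    for name, pkt in [("probe of internal agent", PROBE_AGENT),
                      ("spoofed sport-161 packet to NMS", SPOOFED_REPLY),
                      ("legitimate reply", LEGIT_REPLY),
                      ("legitimate trap", LEGIT_TRAP)]:
        print(f"{name:34} {compare(pkt)}")
```

The loose set lets the outsider poll any internal agent directly (disadvantage 4). The tight set closes that, but because the filter is stateless it must accept anything with source port 161 from an agent address, so a host spoofing 192.0.2.9 can push arbitrary UDP at the NMS on that port, which is the "running protocols over net management traffic" risk (disadvantage 5). The empty on-firewall set shows why that placement keeps internal agents invisible from the public side (advantage 1), at the cost of the mixed-purpose and platform concerns listed above.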