Network management and monitoring are crucial in today's increasingly complex and heterogeneous network environment. Swift detection and response to a failing mission-critical networked resource can prevent considerable financial losses. Most of today's network management platforms use the industry-standard Simple Network Management Protocol (SNMP) to communicate with resources being managed. The Gauntlet Firewall includes an SNMP proxy that allows the network management station to communicate securely with the managed resources across the firewall.
The Gauntlet Firewall also includes SNMP agent software. Refer to Chapter 32, “Managing the Network Management Agent,” for more information about the SNMP agent.
This chapter discusses the concepts behind the SNMP proxy and explains how it works, how to configure it, and how to start it. The chapter consists of these sections:
The SNMP proxy is an application-level proxy that provides configurable access control and logging of SNMP traffic. The SNMP proxy passes network management station (manager) requests to the managed resources (agents), and accepts trap requests from agents using rules you supply.
Using the SNMP configuration rules, you can configure the firewall to allow a manager to query specific agents, and accept traps from selected agents. You can configure the proxy to allow connections based on:
agent
operation
The proxies log all successful and unsuccessful connection attempts and the amount of data transferred.
These access controls allow you to have more control over the connections to and from your system than you had without a firewall. The logging capabilities are also much more extensive.
The firewall runs the SNMP proxy (snmp-gw) as a daemon listening for requests on the default SNMP port (UDP port 161) and agent trap port (UDP port 162). These ports are configurable.
When the firewall receives SNMP messages on the SNMP port, the proxy assumes the request is from the SNMP network manager. The proxy compares the name of the requesting host with the name configured on the firewall as the network manager. If the request came from a different host, the SNMP proxy will log the request and drop the packet. If the name of the requesting host matches the name of the firewall manager, the proxy will check its configuration to see if the requesting manager is allowed to use the operation to the requested agent.
If the request is for an operation or agent that is not permitted, the SNMP proxy will log the request and drop the packet. If the request is for an operation and agent that are permitted, the proxy will forward the request to the SNMP agent.
When the agent responds, the proxy verifies that the response came from the agent and that the packet is a valid SNMP response packet. The proxy then forwards the response back to the SNMP manager.
Because the SNMP proxy forwards the manager's request to the agent (after permission checks) and doesn't proxy the request on behalf of the SNMP manager, the SNMP request can work only when the firewall is using transparency. Therefore, the SNMP proxy works only when the SNMP manager is on the inside network and agents are on the outside or service network with the default firewall configuration.
When the firewall receives an SNMP trap on the agent trap port, the proxy checks its configuration information to determine whether the agent is allowed to send traps through the firewall. If the agent is not allowed to send traps through the firewall, the firewall logs the trap request and drops the packet. If the agent is allowed to send traps through the firewall, the firewall sends the trap onto the SNMP network manager.
If the proxy is operating transparently, the firewall sends the trap to the SNMP network manager specified in the trap. If the proxy is not operating transparently, the firewall sends the trap to the SNMP network manager specified on the firewall. In the default configuration, the SNMP manager is on the trusted network and can transparently access the agents, which are on the untrusted networks.
To access the SNMP proxy configuration:
Configuring the Gauntlet Firewall involves planning, configuring proxy settings, and enabling the proxy.
When planning the firewall for SNMP services:
Identify the network manager that will use the proxy.
Determine the hostname or IP address of the resources (agents) that the network manager will manage across the firewall and the SNMP operation restrictions on each agent.
Determine the agent response time-out that the network manager will use. The firewall uses a default value of 10 seconds. Consider setting the time-out to the same value used by the SNMP manager.
Determine the SNMP port and agent trap port that will be used.
Configure the SNMP proxy to enforce company security policies.
To configure SNMP proxy settings:
In the SNMP window, provide information about the proxy and the network manager that can use the proxy.
| Field | Description |
| --- | --- |
| Manager's Network Address | IP address or host name of the system that is the network manager. Wildcards (*) are not valid. |
Click Configure.
The Add SNMP Agents window displays.
Provide information about the agents the network manager can contact and the types of operations the manager can perform.
| Field | Description |
| --- | --- |
| Hostname | Host name of an agent. Specify by host or network. The wildcard * is valid. If you enter a host name, you do not need to enter an IP address. |
| IP Address | IP address of an agent. Specify by host, subnet, or network. The wildcard * is valid. If you enter an IP address, you do not need to enter a host name. |
| Access | Specify whether these rules permit or deny access to and from this agent. Remember, “That which is not explicitly permitted is denied.” Once you create a deny rule for one agent, you must create explicit permit rules for other agents. |
| Operations | Types of operations that the network manager can exchange with this agent. |
Click Add.
Click OK.
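The following is an added illustration, not code from the Gauntlet Firewall, that models the decision logic described for the proxy (manager check, agent and operation rules, trap admission, and response verification) against a constructed configuration shaped like the SNMP window and Add SNMP Agents window fields. All names and addresses are made-up; rule ordering (first match wins) and treating trap admission as an operation in the rule are assumptions.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample configuration (made-up names/addresses) modelled on the
# SNMP window and Add SNMP Agents window fields described above.
MANAGER = "192.0.2.10"  # Manager's Network Address: one host, no wildcard

# Agent rules: (hostname pattern, IP/subnet/network or *, access, operations).
# Assumption: first matching rule decides; anything not explicitly permitted is denied.
AGENT_RULES = [
    ("router1.example.net", "198.51.100.5",    "permit", {"get", "get-next", "set", "trap"}),
    ("*",                   "198.51.100.0/24", "permit", {"get", "get-next", "trap"}),
    ("*",                   "*",               "deny",   set()),
]

def _ip_matches(pattern, ip):
    """Match an address against *, a single host, or a CIDR subnet/network."""
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def find_rule(agent_host, agent_ip):
    """Return the first rule matching the agent, or None (implicit deny)."""
    for rule in AGENT_RULES:
        if fnmatch(agent_host, rule[0]) and _ip_matches(rule[1], agent_ip):
            return rule
    return None

def check_request(src_ip, agent_host, agent_ip, operation):
    """Manager -> agent request arriving on the SNMP port: (action, reason)."""
    if src_ip != MANAGER:  # not the configured manager: log and drop
        return ("drop", "source is not the configured network manager")
    rule = find_rule(agent_host, agent_ip)
    if rule is None or rule[2] != "permit":
        return ("drop", "agent not permitted")
    if operation not in rule[3]:
        return ("drop", f"operation {operation} not permitted for this agent")
    return ("forward", "request relayed to the agent")

def check_trap(agent_host, agent_ip):
    """Agent -> manager trap arriving on the agent trap port."""
    rule = find_rule(agent_host, agent_ip)
    if rule is None or rule[2] != "permit" or "trap" not in rule[3]:
        return ("drop", "agent may not send traps through the firewall")
    return ("forward", "trap relayed to the network manager")

def check_response(src_ip, queried_agent_ip, pdu_type):
    """Agent reply: must come from the queried agent and be a valid response PDU."""
    if src_ip != queried_agent_ip or pdu_type != "get-response":
        return ("drop", "unexpected source or PDU type")
    return ("forward", "response relayed to the manager")
```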