As security has risen to the forefront of IT concerns, firewall-based network partitioning has become a security best practice; unfortunately, firewalls either create a barrier which defeats the goal of centralized management, or must be configured to allow management protocol traffic, which defeats the goal of security, due to the inherent insecurity of management protocols (lack of strong authentication/encryption, ease of spoofing).

Partitioning networks using firewalls is a standard IT practice adopted, but with that comes a management dilemma. Management professionals need to configure, monitor, and control devices and servers regardless of their network location, but security professionals typically resist creating firewall rules to accommodate management protocols, due to associated vulnerability concerns. So how can companies leverage their existing management infrastructure across the entirety of their firewall-partitioned network, without compromising security?

Tavve (pronounced “TAH-vay”) has developed the ZoneRanger product, in order to enable companies to leverage their centralized management infrastructure across firewall-partitioned networks, while mitigating risks associated with management protocols.

Recently we had a chance to meet with Jim Doble, CTO and Chief Architect, Donnie Goins, CEO of Tavve and discuss about ZoneRanger and their company.

Here is an excerpt from the interview.

SM: So let us start at the beginning – what is Tavve’s raison d’etre ?

JD: Tavve has been providing solutions that enhance and augment third party network management applications for over ten years. More recently, we have seen companies that had made significant investments in centralized management infrastructure struggling with the management vs security dilemma. They want to leverage their management investment across the entirety of their networks, regardless of firewall-based partitioning, but they don’t want to compromise the security of their networks. To resolve this dilemma, Tavve has developed the ZoneRanger product, which serves to extend the reach of existing centralized management applications, while mitigating security risks associated with management protocols.

SM: Who is your target market? Is there are a specific industry vertical that you focus on?

JD: The typical ZoneRanger customer is managing a heterogeneous network, making use of a variety of management applications from a variety of vendors, and at the same time has a strong business need for network security, based on industry mandates, or simply the nature of their business. Current customers include financial services institutions, health care companies, managed service providers.

SM: How do you see yourself in a HP NNM, Cisco Network Management environment?

JD: Interestingly enough, Tavve started out as a provider of enhancements and add-on tools tightly integrated with HP OpenView NNM and Tivoli NetView. With ZoneRanger, we made a strategic decision to provide a transparent proxy solution that would be able to work with a wider variety of management applications, without requiring custom development to integrate with specific applications. As a result, our customers have been able to use ZoneRanger with many different management applications, including HP OpenView NNM, CiscoWorks, Concord eHealth, and many more.

SM: So are you saying that all the large companies are out there have this problem and need your solution?

JD: Let me explain the problem in a little more detail and you will see why. IT organizations are typically charged with providing great service, continuity and meeting SLAs, while at the same time reducing costs. In order to accomplish this, most organizations have invested heavily in management tools to automate the necessary processes. No single vendor or tool provides the complete, best answer, so most of these companies have purchased a variety of tools from different vendors. At the same time, regulatory and corporate security mandates have resulted in the partitioning of corporate networks into zones with different levels of trust. For example, companies that provide an internet presence place their web servers in the DMZ. Given that the DMZ is exposed to the internet, it has a greater risk of compromise, so a firewall is placed between the DMZ and the internal corporate network. The presence of this firewall makes it difficult for management applications in the internal corporate network to manage the devices and servers in the DMZ. You can open up the firewall to management protocol traffic, but that defeats the purpose. You can deploy additional copies of management applications in the DMZ but that increases cost and defeats the goal of centralized management. By placing a ZoneRanger in the DMZ you get the best of both worlds: you get the benefits of centralized management, and you don’t need to open up the firewall to permit management protocols. And the DMZ is just one example. The same problem arises wherever firewall-based network partitions are introduced, whether it be to meet industry requirements such as PCI DSS, or simply to isolate departments that handle sensitive information, such as HR or accounting. So in short, the answer to your question is yes. Management tools are everywhere, firewalls are everywhere, and we believe the best solution for them to co-exist happily is ZoneRanger

A typical partitioned network

SM: So how is Zone Ranger different from a agent based architecture?

JD: The problem with agents is that everybody has their own.  If you have management applications from ten different vendors, you will have ten different agents, and typically these agents are neither simple nor cheap. With ZoneRanger, you have a single solution that works with all of your management applications.

SM: That would make the whole configuration and change management easy. Wouldn’t it?

JD: Exactly. In fact, some of our customers like ZoneRanger because it simplifies the process of configuring access restrictions on managed devices.  Given that all management protocol transactions are proxied through the ZoneRanger, managed devices can be configured to permit access from the ZoneRanger and nothing else. Management applications can be added, removed, or changed, but there is no need to modify the access control lists in the managed devices, because all management traffic is funneled through the ZoneRanger.

SM: Talking about some of the trends, Cloud Computing is all the rage now. Some of your customers must be considering Cloud based services. Have you certified ZoneRanger with say Amazon Cloud or Rackspace Cloud? If not what are your plans to support them?

JD: Most of our existing customers are in the financial services space, and as you can imagine, they are pretty conservative when it comes to doing things outside their own networks. That being said, when critical functionality is migrated into a cloud, the functionality needs to be managed, and ZoneRanger, or a repackaging of ZoneRanger technology, may provide the answer for doing that securely.

SM: Let’s talk about business. What is your primary channel for sales? Your salesforce or do you have channel partnerships?

DG: Our primary sales channel is our direct sales force.  We value the close relationships we develop with our customers using the direct sales model.  We’ve started partnering with MSPs and we believe it gives us an opportunity to reduce our sales cycle because the MSPs have customer accounts and know of the problem they are trying to solve.  The MSPs like the ZoneRanger  because of the additional services they sell to their existing customers.

SM: Excellent. Thanks a lot for your time and information you shared on ZoneRanger.

Company Profile

Name:
Product	ZoneRanger, a management proxy firewall provides a cost-effective and secure solution to extend the reach of management applications through firewalls.
Key Customers	International Banks, Credit Card Companies, Defense Contractors, HealthCare providers
Critical Problem Solved	Simplify and streamline the management of technologies deployed in partitioned firewall environments Reduce the Security risk involved in managing technology components in the DMZ, Firewall environment Reduce costs incurred due to deploying multiple installations of management applications.