Chapter 18: Whitelist - Tavve zoneranger User Manual


Chapter 18: Whitelist

Inbound
ZoneRanger can receive many different types of inbound data such as SNMP traps, Syslog
messages, TACACS+ requests, etc. In the case of a node-licensed ZoneRanger, the source of the
information will be verified as a managed node before the data will be processed based on the
ZoneRanger configuration. In the case of a ZR-SPX licensed ZoneRanger, no management check
occurs and the data will be processed based on the ZoneRanger configuration.
ZoneRanger may be configured with a specific set of devices ("whitelist") from which it will
receive information. Thus, when the Whitelist feature is enabled, only inbound data with a source
address configured in the whitelist will be further processed based on the ZoneRanger
configuration. If the source address of the inbound data is not specified in the whitelist, it will be
dropped with no further processing.
For security purposes, the whitelist provides a mechanism for the ZR-SPX licensed ZoneRanger to
restrict the set of IP addresses from which it will accept information. In the case of the node-
licensed ZoneRanger, the use of the whitelist provides an additional security check as well as a
performance improvement in that the ZoneRanger will no longer need to verify whether or not the
incoming source address is from a managed node.
Joined Ranger Gateways and redundant ZoneRangers are automatically whitelisted, but will not
appear in the whitelist configuration. However, new Join requests from another Ranger Gateway
and Redundancy requests from another ZoneRanger will be subject to the whitelist. Thus, the IP
address of the new Ranger Gateway or new redundant ZoneRanger must be specified in the
whitelist for the request to be successful.
Outbound
ZoneRanger can proxy many different types of outbound data such as SNMP proxy, ICMP proxy,
TCP Proxy, etc. In the case of a node-licensed ZoneRanger, the destination of the request will be
verified as a managed node before the request will be processed based on the ZoneRanger
configuration. In the case of a ZR-SPX licensed ZoneRanger, no management check occurs and the
request will be processed based on the ZoneRanger configuration.
ZoneRanger may be configured with a specific set of devices ("whitelist") to which it will send
information. Thus, when the Whitelist feature is enabled, only outbound data with a destination
address configured in the whitelist will be further processed based on the ZoneRanger
configuration. If the destination address of the outbound data is not specified in the whitelist, it
will be dropped with no further processing.
For security purposes, the whitelist provides a mechanism for the ZR-SPX licensed ZoneRanger to
restrict the set of IP addresses to which it will send information. In the case of the node-licensed
ZoneRanger, the use of the whitelist provides an additional security check as well as a performance
improvement in that the ZoneRanger will no longer need to verify whether or not the outgoing
destination address is a managed node.
Enforcing the whitelist for outbound requests includes any traffic sent from the ZoneRanger.
Thus it will affect Discovery, Root Cause, and Diagnostics requests initiated by the ZoneRanger, as
well as requests proxied from a joined Ranger Gateway.
Joined Ranger Gateways and redundant ZoneRangers are automatically whitelisted, but will not
appear in the whitelist configuration. However, new Join and Redundancy requests initiated from
the ZoneRanger will be subject to the whitelist. Thus, the IP address of the new Ranger Gateway or
new redundant ZoneRanger must be specified in the whitelist for the request to be successful.
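The inbound and outbound rules above share one decision sequence: an already-joined Ranger Gateway or redundant ZoneRanger passes implicitly, a whitelisted address passes, anything else is dropped when the whitelist is enabled, and only when the whitelist is disabled does the license type (managed-node check for node-licensed, no check for ZR-SPX) decide. The following Python model is an added illustration of that sequence for both directions; it is not Tavve code and does not describe ZoneRanger internals. The class and function names, the `new_join_or_redundancy` flag, and all sample addresses are assumptions made for the example; it also assumes the implicit exemption for joined and redundant peers only matters while the whitelist is enabled, which is all the chapter states.

```python
"""Decision model of the whitelist rules in this chapter.

Added illustration only: this is not Tavve code and does not describe ZoneRanger
internals. The license types, the rule order, and the handling of joined Ranger
Gateways / redundant ZoneRangers follow the chapter text; the class and function
names and all sample addresses are assumptions made for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class License(Enum):
    NODE = "node-licensed"  # peer must be a managed node unless the whitelist is on
    ZR_SPX = "ZR-SPX"       # no managed-node check; only the whitelist can restrict peers


class Direction(Enum):
    INBOUND = "inbound"    # traps, syslog, TACACS+ ...: the peer is the source address
    OUTBOUND = "outbound"  # SNMP/ICMP/TCP proxy, Discovery ...: the peer is the destination


def _ips(addresses):
    """Normalise address strings to ip_address objects (hypothetical helper)."""
    return {ipaddress.ip_address(a) for a in addresses}


@dataclass
class ZoneRangerPolicy:
    license: License
    whitelist_enabled: bool
    whitelist: set[str] = field(default_factory=set)        # configured whitelist entries
    managed_nodes: set[str] = field(default_factory=set)    # node-licensed inventory
    joined_gateways: set[str] = field(default_factory=set)  # already-joined Ranger Gateways
    redundant_peers: set[str] = field(default_factory=set)  # already-paired redundant ZoneRangers

    def decide(self, direction: Direction, peer: str, new_join_or_redundancy: bool = False):
        """Return (accept, reason) for one datagram or request.

        `peer` is the source address for inbound data and the destination address
        for outbound requests. `new_join_or_redundancy` marks a *new* Join or
        Redundancy request, which the chapter says is subject to the whitelist.
        """
        ip = ipaddress.ip_address(peer)
        if self.whitelist_enabled:
            # Joined gateways and redundant peers are automatically whitelisted even though
            # they never appear in the whitelist configuration. A new Join/Redundancy
            # request gets no such exemption and must be listed explicitly.
            implicit = _ips(self.joined_gateways) | _ips(self.redundant_peers)
            if not new_join_or_redundancy and ip in implicit:
                return True, "joined/redundant peer (implicitly whitelisted)"
            if ip in _ips(self.whitelist):
                return True, "whitelisted"
            # Whitelist membership replaces the managed-node check, so a managed node
            # that is missing from the whitelist is still dropped.
            return False, f"{direction.value} address not in whitelist: dropped"
        if self.license is License.NODE:
            if ip in _ips(self.managed_nodes):
                return True, "managed node"
            return False, f"{direction.value} address is not a managed node: dropped"
        return True, "ZR-SPX: no management check"


def example_decisions() -> dict[str, bool]:
    """Constructed scenarios; every address is a documentation range chosen for the example."""
    node_wl = ZoneRangerPolicy(
        license=License.NODE, whitelist_enabled=True,
        whitelist={"10.0.1.5", "10.0.1.6"},
        managed_nodes={"10.0.1.5", "10.0.2.9"},
        joined_gateways={"192.0.2.10"}, redundant_peers={"192.0.2.11"},
    )
    node_plain = ZoneRangerPolicy(
        license=License.NODE, whitelist_enabled=False,
        managed_nodes={"10.0.1.5", "10.0.2.9"},
    )
    spx_plain = ZoneRangerPolicy(license=License.ZR_SPX, whitelist_enabled=False)
    return {
        "trap from whitelisted node": node_wl.decide(Direction.INBOUND, "10.0.1.5")[0],
        "trap from managed but unlisted node": node_wl.decide(Direction.INBOUND, "10.0.2.9")[0],
        "request from joined gateway": node_wl.decide(Direction.INBOUND, "192.0.2.10")[0],
        "join request from new gateway": node_wl.decide(
            Direction.INBOUND, "192.0.2.20", new_join_or_redundancy=True)[0],
        "redundancy request to listed peer": node_wl.decide(
            Direction.OUTBOUND, "10.0.1.6", new_join_or_redundancy=True)[0],
        "proxy to unlisted destination": node_wl.decide(Direction.OUTBOUND, "203.0.113.7")[0],
        "trap from managed node, whitelist off": node_plain.decide(Direction.INBOUND, "10.0.2.9")[0],
        "trap from unmanaged node, whitelist off": node_plain.decide(Direction.INBOUND, "10.0.1.6")[0],
        "ZR-SPX accepts anything without whitelist": spx_plain.decide(Direction.INBOUND, "198.51.100.1")[0],
    }


if __name__ == "__main__":
    for name, accepted in example_decisions().items():
        print(f"{'ACCEPT' if accepted else 'DROP  '}  {name}")
```

The scenario worth noticing is "trap from managed but unlisted node": once the whitelist is enabled, being a managed node no longer earns acceptance, which is exactly the performance gain the chapter describes, so a node-licensed deployment that turns the feature on must list every managed node it still expects to hear from or proxy to.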
ZoneRanger 5.5 User's Guide
57
