Introduction

The demilitarized zone (DMZ) is a term often used to describe a security island or security perimeter that protects the corporate network from the untrusted networks to which it is connected. It is most often used to guard the Internet connection against intruders (ingress) while governing how much access corporate users have to the Internet (egress).

Implementing an NNM solution for managing the DMZ means working with the corporate security group, and that group may impose technical constraints, some of them unexpected, that must be addressed before the solution is acceptable in this special environment.

Special security configurations for UNIX systems in a DMZ environment include limiting the network services that are available and restricting access to services such as telnet to specific users and systems (telnet sends credentials in the clear, so an encrypted replacement such as ssh is preferable where it is available). Static routes, static ARP cache entries, and locally maintained DNS data reduce exposure to denial of service (DoS) attacks, because an intruder cannot then overwrite them with forged route advertisements, forged ARP replies, or poisoned DNS responses.

Managing a network through a firewall means allowing specific TCP and UDP ports to and from the NNM system through the packet filters (assuming the firewall is based on packet filtering technology). The NNM system is either outside the DMZ or inside it, and the set of holes needed in the firewall packet filters is different in each case.

Router access control lists (access-lists) can prevent NNM from discovering routers and reading their configuration. The NNM system must be granted at least read-only (RO) access to the SNMP agent (also called the SNMP daemon or SNMP server) on each managed router.

Packet filtering on a router is a common way to prevent unwanted traffic from an untrusted network from entering the DMZ. The filter typically allows only specific connections to specific servers and, at the same time, blocks IP spoofing by dropping any packet that arrives on the untrusted interface carrying a source address that belongs to the DMZ or the corporate network.
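The following is an added example, not code from the book or from HP OpenView; it models the two points above in one stateless, first-match packet filter: the management holes an NNM station outside the DMZ needs (SNMP polls on UDP/161 with their responses, SNMP traps on UDP/162, and ICMP echo for status polling, which is assumed here as NNM's polling method), the anti-spoofing rules that must come first, and the fact that an NNM station placed inside the DMZ needs none of those holes at the corporate boundary. All addresses, interface names, and hosts are constructed for the example.

```python
"""Toy stateless, first-match packet filter for an NNM station managing a DMZ.

Added example, not code from the book. Constructed addresses:
  corporate net 192.0.2.0/24, NNM station 192.0.2.10 (outside the DMZ)
  DMZ net 198.51.100.0/24, managed router 198.51.100.1, web host 198.51.100.20
Traffic from the Internet arrives on "ext", from the corporate net on "corp",
and from the DMZ on "dmz".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

CORP = ip_network("192.0.2.0/24")
DMZ = ip_network("198.51.100.0/24")
ANY = ip_network("0.0.0.0/0")
NNM = ip_network("192.0.2.10/32")
WEB = ip_network("198.51.100.20/32")
SNMP, SNMP_TRAP, HTTP = 161, 162, 80


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrives on
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    iface: str                      # "*" matches any interface
    proto: str                      # "*" matches any protocol
    src: IPv4Network
    dst: IPv4Network
    sport: Optional[int] = None     # None matches any port
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("*", p.iface)
                and self.proto in ("*", p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))


# Anti-spoofing: nothing from the Internet may claim a corporate or DMZ source.
# These must precede every permit rule, since the first match wins.
ANTI_SPOOF = [
    Rule("deny", "ext", "*", CORP, ANY, note="spoofed corporate source"),
    Rule("deny", "ext", "*", DMZ, ANY, note="spoofed DMZ source"),
]

# The only service the untrusted side may reach in the DMZ.
PUBLIC = [Rule("permit", "ext", "tcp", ANY, WEB, dport=HTTP, note="public web")]

# Holes needed only because the NNM station sits outside the DMZ: SNMP and
# ICMP polls outbound, SNMP responses, traps and echo replies back to NNM.
NNM_OUTSIDE = [
    Rule("permit", "corp", "udp", NNM, DMZ, dport=SNMP, note="NNM SNMP poll"),
    Rule("permit", "dmz", "udp", DMZ, NNM, sport=SNMP, note="SNMP response"),
    Rule("permit", "dmz", "udp", DMZ, NNM, dport=SNMP_TRAP, note="SNMP trap"),
    Rule("permit", "corp", "icmp", NNM, DMZ, icmp_type=8, note="NNM echo request"),
    Rule("permit", "dmz", "icmp", DMZ, NNM, icmp_type=0, note="echo reply"),
]


def build_rules(nnm_inside_dmz: bool) -> List[Rule]:
    """With NNM inside the DMZ its polls and traps never cross the filter, so
    the corporate boundary gets no SNMP or ICMP holes at all."""
    rules = ANTI_SPOOF + PUBLIC
    if not nnm_inside_dmz:
        rules = rules + NNM_OUTSIDE
    return rules + [Rule("deny", "*", "*", ANY, ANY, note="default deny")]


def filter_packet(p: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, note) of the first rule that matches the packet."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    raise AssertionError("rule set must end with a default deny")


if __name__ == "__main__":
    rules = build_rules(nnm_inside_dmz=False)
    samples = [   # constructed packets
        Packet("corp", "udp", "192.0.2.10", "198.51.100.1", 40000, SNMP),
        Packet("dmz", "udp", "198.51.100.20", "192.0.2.10", 40000, SNMP_TRAP),
        Packet("ext", "tcp", "203.0.113.5", "198.51.100.20", 51000, HTTP),
        Packet("ext", "udp", "203.0.113.5", "198.51.100.1", 51000, SNMP),
        Packet("ext", "udp", "192.0.2.10", "198.51.100.1", 40000, SNMP),  # forged NNM
        Packet("corp", "tcp", "192.0.2.10", "198.51.100.1", 40000, 23),   # telnet
    ]
    for p in samples:
        print(p.iface, p.proto, p.src, "->", p.dst, p.dport, filter_packet(p, rules))
```

Because the filter is stateless, the SNMP response rule has to key on source port 161, which is why a real deployment prefers a stateful firewall; the ordering, however, is the same either way: anti-spoofing denies first, then the narrow permits, then a default deny.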

Accessing an NNM system remotely is essential for off-site personnel. Secure solutions range from low-speed dial-up access, through medium-speed ISDN and DSL, to high-speed cable modems. Authentication options include double passwords, token cards, and VPNs.

Disaster recovery is especially important for systems that manage the DMZ (or are located in it). These systems are at greater risk for disaster than normal management systems.
