Hi Mike.

Sounds like one hell of a fortress to me, and I think you're locking yourself down more than needed.
What is it that keeps you from allowing traffic from the inside to get through? I can't see the security issue in that one!
As long as the connection is opened from the inside (tier 2 or 3), I can't see the problems.


I would set it up this way:

Tier 1: IM Daemon/Server, monitoring local tier, allows Remote connection from known IP[range].
Tier 2: Just like tier 1
Tier 3: Serves local map of tier 3, and one 'global' map with status for the two others [Probe: Map Status].


Remote can also show Tier 1 & 2 maps, if needed.

Hope it helps.

On Thursday, Mar 6, 2003, at 21:45 Europe/Copenhagen, Mike Dustan wrote:

We have a multi-tiered network here, divided into three tiers for security purposes. Machines at tier 1 are (relatively) wide open; machines at tier 2 cannot be seen AT ALL from tier 1, and tier 2 machines have very specific one-way port forwarding to see tier 1. Tier 3 is similarly buried beneath tier 2. Intermapper running on a tier 1 machine can see nothing on tiers 2 or 3. Intermapper on tier 2 could conceivably SNMP-query tier 1 machines but the responses would be blocked.

So far it looks as if each tier will have to have its own standalone IM machine. This is okay, except we'd like to be able to monitor them all together with IM Remote to avoid a proliferation of screens for operators to watch.

The only scheme we've been able to come up with is to find a way for tier 2 and 3 IM's to create some form of snapshot file which is then pushed up to tier 1 on some kind of regular basis. Ideally this would be via UDP through a strictly write-only port (i.e. not even acks going back down). If the "snapshot" contained enough information to be able to query devices etc. on it (albeit at a single point in time), this might be just what we need.

Anyone have any ideas as to how we could do this more elegantly without opening up exploitable ports between tiers?

Jakob Peterhänsel


'I don't have to try to be a sex bomb, I am one!'
- Kylie Minogue

Email:  [EMAIL PROTECTED]
AIM:            Marook
Phone:  +45 40163806
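
The write-only UDP snapshot push raised in the quoted message, sketched as an added example that is not part of the thread and is not InterMapper code. With no acks, the sender repeats each snapshot and the tier 1 receiver must authenticate, de-duplicate and detect gaps on its own; the pre-shared key, the datagram layout and all names here are assumptions.

```python
import hashlib, hmac, socket, struct

KEY = b"constructed-demo-key"       # assumption: pre-shared between tiers
HDR = struct.Struct("!IHH")         # snapshot id, chunk index, chunk count
MAC_LEN = 32                        # HMAC-SHA256 tag appended to every datagram

def encode_snapshot(snap_id, data, chunk_size=1024):
    """Split a snapshot into self-describing, authenticated datagrams."""
    chunks = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)] or [b""]
    out = []
    for idx, chunk in enumerate(chunks):
        body = HDR.pack(snap_id, idx, len(chunks)) + chunk
        out.append(body + hmac.new(KEY, body, hashlib.sha256).digest())
    return out

def push(datagrams, addr, repeats=2):
    """Lower-tier side: fire-and-forget. Nothing is ever read from the socket."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for _ in range(repeats):    # no acks, so redundancy replaces retransmission
            for d in datagrams:
                s.sendto(d, addr)

class Reassembler:
    """Tier 1 side: accept only authenticated chunks, return a snapshot when whole."""
    def __init__(self):
        self.snap_id, self.parts, self.total = None, {}, 0

    def feed(self, datagram):
        if len(datagram) < HDR.size + MAC_LEN:
            return None
        body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        if not hmac.compare_digest(mac, hmac.new(KEY, body, hashlib.sha256).digest()):
            return None             # forged or corrupted: drop silently
        snap_id, idx, total = HDR.unpack_from(body)
        if self.snap_id is not None and snap_id < self.snap_id:
            return None             # stale or replayed older snapshot
        if snap_id != self.snap_id: # newer snapshot supersedes a partial one
            self.snap_id, self.parts, self.total = snap_id, {}, total
        if idx >= total or total != self.total or idx in self.parts:
            return None             # inconsistent header or duplicate chunk
        self.parts[idx] = body[HDR.size:]
        if len(self.parts) == self.total:
            return b"".join(self.parts[i] for i in range(self.total))
        return None

    def missing(self):
        """Chunk indexes not yet seen; non-empty at the next snapshot means loss."""
        return sorted(set(range(self.total)) - set(self.parts))
```

The receiver never sends anything back, so a lost chunk is only visible as a non-empty `missing()` when the next snapshot id arrives.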

