Highly Secure DMZ requirements

kdogulas1 posted on Tue, Jun 23 2009 4:45 PM

Hello:

We are considering installing SolarWinds Orion NMS (and some additional modules such as NetFlow Traffic Analyzer and Network Configuration Manager).  Orion NMS will reside in our "business" network.  We have several high security (federally mandated security requirements) DMZs that we won't be able to poll from our business network. 

I was curious if we could install a remote polling engine in each DMZ, and open only a single IP address and single TCP port through the DMZ firewall back to our business network.  I'm hoping the remote polling engine will collect all of the data and forward it to the NMS (SQL database) across this one IP address / one TCP port number.

The Knowledge Base seems to indicate that only TCP port 1433 is required (sourced from inside our DMZ). 

Is there any encryption available between the remote polling engine and the SQL server?


Thanks

All Replies


Yann replied on Thu, Jun 25 2009 5:47 AM

Hello,

kdogulas1:
Is there any encryption available between the remote polling engine and the SQL server?

In theory this should be possible but I doubt it has been tested by developers or is simply supported.

http://blogs.msdn.com/sql_protocols/archive/2005/10/04/476705.aspx

The file that contains the connection string is
\Program Files\Solarwinds\Orion\SWNetPerfMon.db

Having SQL data crossing networks might quickly create a bottleneck especially if you use the NetFlow module.

The recommended architecture would be to install a second instance of Orion (e.g. 1 Orion SL100 + 1 Database) in the DMZ and use the EOC console to view information from all your Orion instances (from your Business Network + DMZ).

Information transferred between the EOC console and the Orion servers is encrypted by default and uses TCP port 17777. It uses asynchronous requests and is less subject to network latency.

http://www.solarwinds.com/products/orion/eoc/

I advise you to contact your sales engineer to see how he/she could further help you to design your NMS using SolarWinds products.

HTH,

Yann

jswan replied on Mon, Jul 6 2009 5:33 PM

Yann's suggestion is no doubt the way to go, but in the absence of EOC I believe you could also use native Microsoft IPSec between the servers to avoid the need for SQL server SSL encryption. I know of one decent sized organization that does this for regulatory compliance purposes with an OLTP application.

NPM 9.5 SP4, NTA 3.6, APM 3.1, NCM 5.5.2

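Whichever route is taken (SQL Server's own SSL encryption as in Yann's reply, or IPsec as jswan suggests), the DMZ firewall rule alone does not prove the poller's SQL traffic is protected. The following T-SQL is an added example, not from the thread or from SolarWinds, for checking on the Orion database server which sessions actually negotiated TDS-level encryption; it assumes the DMZ poller connects from one source address, shown with the placeholder '10.0.0.0', and that the login running it holds VIEW SERVER STATE.

```sql
-- Added example (not from the thread): list SQL Server sessions and whether
-- each one negotiated TDS-level (SSL) encryption. Run on the Orion DB server.
-- '10.0.0.0' is a placeholder for the DMZ remote poller's address.
SELECT
    c.session_id,
    c.client_net_address,
    c.net_transport,
    c.encrypt_option,      -- 'TRUE' only when SQL Server itself encrypts the session
    c.auth_scheme,
    s.host_name,
    s.program_name,        -- identifies the Orion poller/collector process
    s.login_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s
    ON s.session_id = c.session_id
WHERE c.client_net_address = '10.0.0.0'   -- placeholder: the DMZ poller
   OR c.encrypt_option = 'FALSE'           -- any unencrypted session, from anywhere
ORDER BY c.encrypt_option, c.client_net_address;
```

If IPsec is used instead of SQL Server SSL, encrypt_option will legitimately read 'FALSE' for the poller because the encryption happens below TDS; in that case confirm the IPsec security association on the two hosts rather than relying on this view.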

© 2003 - 2010 SolarWinds, Inc. All Rights Reserved.
