Hello board
First of all, I have asked the same question yesterday in the #zabbix IRC channel and I have received a lot of very valuable information from the folks over there. So it's not a matter of being ungrateful or anything. I just thought I might get some more information in here.
Requirement: I need to come up with a possible Zabbix architecture in a very high security environment which has to comply with a lot of different regulations.
Environment: The environment consists of five different security zones which are pretty much built on top of each other and form a stack. Establishing a communication session is only allowed from a more secure zone into a less secure zone (for example from zone 3 to zone 4) and not the other way around. Communication sessions also have to be terminated in every zone. That means when you need to send data from zone 2, you need to terminate the communication in zone 3, then in 4, until you can get to zone 5. So placing a Zabbix proxy in each zone which is reporting directly to a centralized Zabbix server is not an option.
The Zabbix master server is placed in a dedicated management and monitoring zone. So monitoring data has to be sent from each of the security zones traversing all less secure zones until I can reach the Zabbix server in the management zone. Establishing a communication can only be done from a more secure zone into a less secure zone.
Possible scenarios:
Proxy: Our first idea was to place a proxy in each zone. But since the proxy has to communicate with the Zabbix server directly from within each zone, this is not an option. One of the fellow guys from the IRC channel made the interesting suggestion to use something like SSL port forwarding from one proxy to the next one. I will follow up on this and check if this would comply with the security restrictions we have to deal with.
Nodes: Another scenario would be to place a dedicated Zabbix node into each zone. This would give us the advantage that we could maintain monitoring and alerting capabilities in each of the zones, even if the communication link is broken. But it also raises a few questions. What ports are being used in order to sync Zabbix nodes? Also one of the users in the channel has mentioned that the sync between the Zabbix nodes might break and cause problems. What are your experiences with the multi node setup? Are there any known problems or bugs with this type of design?
So does anyone here have any other suggestions or comments to share on this topic? All your help is very much appreciated.
Thanks a lot
Tibor
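The zone rules described in the post (sessions may only be initiated from a more secure zone into a less secure one, and every session must terminate in each zone along the way) are easy to get wrong once several relay designs are on the table. The following is an added example, not code from the original post and not part of Zabbix: a small policy model that checks a candidate relay path against those rules and builds the one chain that satisfies them. It assumes zones are numbered 1 (most secure) to 5 (least secure) and models the management/monitoring zone holding the Zabbix server as zone 6, the least secure position in the stack; both are constructed assumptions.

```python
"""Zone-stack policy check for a chained monitoring relay design.

Added example, not from the original post or from Zabbix. Constructed
assumptions: zones are numbered 1 (most secure) to 5 (least secure), and the
management/monitoring zone with the Zabbix server is modelled as zone 6.
"""

MOST_SECURE_ZONE = 1
MANAGEMENT_ZONE = 6  # assumed position of the management zone in the stack


def check_path(path):
    """Validate an ordered list of zones that a monitoring data flow passes
    through, e.g. [2, 3, 4, 5, 6] for data collected in zone 2.

    Each adjacent pair (a, b) is one session initiated in zone a toward zone b.
    Returns (True, "ok") or (False, reason) for the first rule violated.
    """
    if not path:
        return False, "empty path"
    for zone in path:
        if not MOST_SECURE_ZONE <= zone <= MANAGEMENT_ZONE:
            return False, f"unknown zone {zone}"
    for a, b in zip(path, path[1:]):
        if b <= a:
            # A session initiated from a less (or equally) secure zone into a
            # more secure one is forbidden by the policy.
            return False, f"session {a}->{b} initiated toward a more secure zone"
        if b != a + 1:
            # Sessions must terminate in every zone: skipping a zone means one
            # session would cross an intermediate zone without terminating.
            return False, f"session {a}->{b} does not terminate in zone {a + 1}"
    if path[-1] != MANAGEMENT_ZONE:
        return False, f"path ends in zone {path[-1]}, not the management zone"
    return True, "ok"


def relay_chain(origin_zone):
    """Build the only path that satisfies the policy for data originating in
    origin_zone: one relay hop per zone down to the management zone."""
    if not MOST_SECURE_ZONE <= origin_zone <= MANAGEMENT_ZONE:
        raise ValueError(f"unknown zone {origin_zone}")
    return list(range(origin_zone, MANAGEMENT_ZONE + 1))


def relay_plan(origin_zones):
    """For the zones that host monitored systems, return which zones need a
    relay (proxy or node) and the single next hop each relay forwards to."""
    hops = {}
    for origin in origin_zones:
        chain = relay_chain(origin)
        for a, b in zip(chain, chain[1:]):
            hops[a] = b
    return dict(sorted(hops.items()))


if __name__ == "__main__":
    # The design the post rules out: a proxy in zone 2 reporting to the
    # Zabbix server directly, skipping the zones in between.
    print(check_path([2, MANAGEMENT_ZONE]))
    # The chained alternative for the same origin zone.
    print(check_path(relay_chain(2)))
    # Relays needed when monitored hosts live in zones 1 and 3.
    print(relay_plan([1, 3]))
```

Running the script shows the direct-proxy design rejected for not terminating in zone 3, the chained path accepted, and a plan in which every zone from the most secure origin downward runs exactly one relay with a single outbound next hop. Whatever relay is chosen per zone (proxy behind a forwarder, or a node), the plan makes the expected outbound connections explicit, which is what a firewall rule review in each zone will want to see.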