Security. Active passive proxies

  • mangust
    Junior Member
    • Dec 2015
    • 8

    #1

    Security. Active passive proxies

    Hello.

    I have some concern about security on my installation.

    I have two organizations that I need to monitor. Very soon I want to expand and add more clients.

    Previously I installed separate Zabbix servers for each organization in the cloud, deployed a proxy (active) for each organization, and was gathering data without problems.

    Because it became difficult to maintain two separate servers, copying templates between them, etc., I've decided to consolidate into one server.

    The first concern is that if my proxy is active, in theory one organization can download the node list and checks from another. I am trying to switch to a passive proxy.

    A passive proxy listens on 10051, expecting the server to connect.

    Question: how can I limit who can connect to 10051 apart from the firewall? If some clients are running in active mode, can those nodes collect data on behalf of the server without authorization? They connect to 10051 on the proxy, right? Or should I use only passive clients and open proxy port 10051 only for connections from the server?

    Regards
  • ingus.vilnis
    Senior Member
    Zabbix Certified Trainer
    Zabbix Certified Specialist
    Zabbix Certified Professional
    • Mar 2014
    • 908

    #2
    Hi,

    A single proxy will get only the list of hosts that are set to be monitored by this proxy in the main Zabbix server.
    Switching to passive proxies will not give you any benefits in this regard, but will potentially worsen the performance of your Zabbix server.

    You can log on to the database on any of the proxies and check the "hosts" table to see whether it has all hosts or only the ones meant to be monitored by this proxy.

    Zabbix server will not send away information to any device connecting to 10051 if the device is not added to Administration -> Proxies.

    If you really want to secure your network, then try building encrypted VPN tunnels between your proxies and the server. In the upcoming Zabbix 3.0, encryption will be available out of the box.

    Best Regards,
    Ingus


    • mangust
      Junior Member
      • Dec 2015
      • 8

      #3
      Hi Ingus.

      Thank you for quick reply.


      >> A single proxy will get only the list of hosts that are set to be monitored by this proxy in main Zabbix server.

      Yes, but it can use any name if compromised and the proxy name is guessed.
      So if I have:
      org01.proxy01
      org01.proxy02
      org01.proxy03
      org02.proxy01
      org02.proxy02

      So if anyone from any of the hosts allowed on the firewall (active proxy or client) connects and says "I am org02.proxy01", they will get the structure for organization 02, department 01, and so on.

      VPN will not protect organizations from each other in this setup.

      Maybe I should use an MD5 hash string as a proxy name to secure it. It will be tricky to choose the correct one when creating a host.

      Passive may reduce performance, but increases security. And I don't know of another workaround.

      >> Zabbix server will not send away information to any device connecting to 10051 if the device is not added to Administration -> Proxies.

      It will send to any device that guesses a proxy name in Administration -> Proxies. There is no IP for an active proxy, only a name.

      >> If you really want to secure your network then try building encrypted VPN tunnels between your proxies and server.

      The tunnel is already in place. It protects the network, but does not authenticate active proxies or clients.

      If I use a passive proxy, then any of its active clients allowed to connect to it on 10051 can say "I am your server, give me counters, execute some scripts".

      It is all OK, but we just did a security check for a government project. We did not even try to include Zabbix in that cluster for security reasons.

      Big hopes for 3.0. So far I will use passive proxies with a firewall that restricts 10051 connections to only the server. Or maybe there is a better solution, or I am too paranoid.

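Mangust's question of how to limit who can connect to 10051 apart from the firewall, and Ingus's note on 3.0 encryption, as an added example that is not from the thread: a small Python audit of zabbix_proxy.conf using the real parameters ProxyMode, Server (on a passive proxy this is the allow-list of server addresses that may connect) and TLSAccept/TLSConnect (Zabbix 3.0+, PSK or certificate). The sample configs and the org02.proxy01 values are constructed; CIDR entries in Server= are assumed to be accepted by the installed version.

```python
import ipaddress

# Constructed sample zabbix_proxy.conf files (not taken from the thread).
PASSIVE_OK = """
ProxyMode=1
Server=203.0.113.10,203.0.113.11
Hostname=org02.proxy01
ListenPort=10051
TLSAccept=psk
TLSPSKIdentity=org02-proxy01
TLSPSKFile=/etc/zabbix/proxy.psk
"""

PASSIVE_WEAK = """
ProxyMode=1
Server=0.0.0.0/0
Hostname=org02.proxy01
"""

def parse_conf(text):
    """Parse Key=Value lines; comments and blanks are skipped, the last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf

def audit_proxy_conf(text):
    """Return findings describing how an unauthenticated peer could reach the proxy."""
    conf = parse_conf(text)
    findings = []
    if conf.get("ProxyMode", "0") == "1":  # passive: the server connects to ListenPort
        allowed = [s.strip() for s in conf.get("Server", "").split(",") if s.strip()]
        if not allowed:
            findings.append("passive proxy has no Server= allow-list")
        for entry in allowed:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                continue  # a DNS name; its breadth cannot be judged offline
            if net.num_addresses > 1:
                findings.append(f"Server= admits a whole range: {entry}")
        if "unencrypted" in conf.get("TLSAccept", "unencrypted").split(","):
            findings.append("TLSAccept allows unencrypted: any allowed address can pose as the server")
    elif "unencrypted" in conf.get("TLSConnect", "unencrypted").split(","):
        findings.append("TLSConnect=unencrypted: active proxy is identified by Hostname alone")
    return findings
```

Run `audit_proxy_conf` over each proxy's config before opening 10051 on the firewall; an empty list means the proxy only accepts the listed server addresses and requires TLS.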