  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 108

System Monitoring Behind Multiple Firewalls

Our company has recently been tasked with figuring out a way to monitor Windows systems in layer 3 of the Purdue model, which will be behind firewalls at layer 3.5 to 4 and 3.5 to 3. Per a security policy we have in place, no traffic is allowed out of 3 to 4, but it is allowed to 3.5. We currently use SCOM, SIM, Commvault and vCenter for alerting and backups on physical and virtual servers, but run into a scalability issue if we need to stand up all of these consoles at all the locations this could potentially be set up at. In a nutshell, we are looking for a way to maintain our centralized management but still utilize our tools on layer 3 to receive alerting. Is anyone aware of a product that would forward alerts from the servers to these monitoring tools without having to stand up these systems in the DMZ?
0
Asked by rymeat
1 Solution
 
btan (Exec Consultant) commented:
I am thinking of remote probes as described in the PRTG use case below. It has metrics to monitor various aspects, and the SSL connection to its core server at the central site serves as the main nerve to all remote probes deployed.

http://www.paessler.com/manuals/prtg9/remote_probes_and_multiple_probes

Another option is to leverage SCOM's ACS (Audit Collection Services) in each untrusted domain (it can be co-located on the Gateway server), but since it requires an Active Directory domain, it is not suitable for workgroups. Another is to use a central ACS Collector (and associated ACS database) in the management VLAN. This requires each agent (ACS Forwarder) to have direct communication on TCP 51909 with the central ACS Collector, and it requires additional firewall rules to be created.

http://technet.microsoft.com/en-us/library/hh212823.aspx

Setting up SCOM across untrusted domains and workgroups requires the use of SCOM Gateway servers or the use of certificates for mutual authentication. If you are working with trusted domains, you do not need to use Gateway servers. The advantage of using Gateway servers is to facilitate communication across firewalls by limiting the number of access rules that need to be created.

http://blogs.technet.com/b/cliveeastwood/archive/2007/05/11/how-to-configure-audit-collection-system-acs-to-use-certificate-based-authenication.aspx

For info on opening ports on the firewall:

  • Between SCOM servers/agents and AD: Global Catalog (TCP 3268/3269), LDAP (TCP/UDP 389) and RPC (TCP 135)
  • Between SCOM servers/agents and DNS: UDP 53
  • Between SCOM servers and agents: TCP 5723
1
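A practitioner reading the port list above would want to verify the firewall rules actually permit those flows before rolling agents out to a new site. The following PowerShell script is an added example and is not code from the original post, from btan, or from Microsoft; the host names, the IP addresses, the agent subnet and the placement of a Gateway in layer 3.5 are assumptions for illustration. It probes each TCP port from the answer with a real handshake, checks UDP 53 by asking the DNS server to resolve a name (UDP has no handshake to test), and prints the inbound rules a Gateway or ACS Collector host would need, scoped to the agent subnet.

```powershell
# Added example: connectivity pre-check for the SCOM/ACS flows listed in the answer above.
# Host names, IPs and the layer-3.5 gateway placement are assumptions, not from the original post.
# Run on a layer-3 Windows host (or the 3.5 gateway) as an account allowed to query AD and DNS.

param(
    # Assumed placeholder names; replace with your own.
    [string]$GatewayOrMgmtServer = 'scom-gw.example.internal',     # Gateway in 3.5 (or Management Server in a trusted domain)
    [string]$AcsCollector        = 'acs-collector.example.internal',
    [string]$DomainController    = 'dc01.example.internal',
    [string]$DnsServer           = '10.0.3.10',
    [string]$NameToResolve       = 'scom-gw.example.internal'
)

# TCP flows taken from the answer: agent/server -> AD (GC, LDAP, RPC),
# agent -> Management Server/Gateway (5723), ACS Forwarder -> ACS Collector (51909).
$tcpChecks = @(
    @{ Name = 'Global Catalog';           Target = $DomainController;    Port = 3268  },
    @{ Name = 'Global Catalog (SSL)';     Target = $DomainController;    Port = 3269  },
    @{ Name = 'LDAP';                     Target = $DomainController;    Port = 389   },
    @{ Name = 'RPC endpoint mapper';      Target = $DomainController;    Port = 135   },
    @{ Name = 'SCOM agent -> MS/Gateway'; Target = $GatewayOrMgmtServer; Port = 5723  },
    @{ Name = 'ACS Forwarder -> Collector'; Target = $AcsCollector;      Port = 51909 }
)

$results = @(foreach ($c in $tcpChecks) {
    # Test-NetConnection completes a TCP handshake; a firewall drop shows as TcpTestSucceeded = $false.
    $t = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Flow   = $c.Name
        Target = $c.Target
        Port   = "TCP/$($c.Port)"
        Open   = $t.TcpTestSucceeded
        Remote = $t.RemoteAddress
    }
})

# UDP 53 cannot be probed with a handshake, so ask the DNS server to resolve a name instead.
try {
    $null  = Resolve-DnsName -Name $NameToResolve -Server $DnsServer -DnsOnly -ErrorAction Stop
    $dnsOk = $true
} catch {
    $dnsOk = $false
}
$results += [pscustomobject]@{ Flow = 'DNS'; Target = $DnsServer; Port = 'UDP/53'; Open = $dnsOk; Remote = $DnsServer }

$results | Format-Table -AutoSize

# Inbound rules a Gateway/ACS Collector host needs, scoped to the agent subnet so the rule
# count per zone stays small (the reason the answer recommends a Gateway across firewalls).
$agentSubnet = '10.0.3.0/24'   # assumed layer-3 agent subnet
$inbound = @(
    @{ Name = 'SCOM-Agent-5723';      Port = 5723  },
    @{ Name = 'ACS-Forwarder-51909';  Port = 51909 }
)
foreach ($r in $inbound) {
    # Printed rather than executed so it can be reviewed before being applied on the gateway.
    "New-NetFirewallRule -DisplayName '$($r.Name)' -Direction Inbound -Protocol TCP -LocalPort $($r.Port) -RemoteAddress $agentSubnet -Action Allow"
}
```

Any row with Open = False points at a missing rule on the 3-to-3.5 or 3.5-to-4 firewall (or a host firewall) for that specific port, which is the check worth running before a Gateway or ACS Collector is declared working at a new site.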
 
btan (Exec Consultant) commented:
The answer already shared PRTG as a means of sending the traps for central monitoring, which has far more granular metrics on the server service, and likewise the event forwarding via the ACS setup, since the user is using SCOM. A SIEM will be good for collection of syslog rather than traps for correlation of security events, though the author does not have one. The port openings are also highlighted.

For consideration of ID: 40219678 as the solution.
1
