Hi
I am investigating a potential XI architecture for a project.
The main server and monitored nodes are on a closed network with no access to the internet. The nature of the system means this won't change.
I would like to send information from this XI server to a remote XI server via a data diode. This mechanism, which physically enforces one-way traffic only, is considered the most secure arrangement; a firewall arrangement may be possible but is considered less secure.
This remote server resides on a more open network, possibly cloud infrastructure, and allows remote access to the XI web interface for offsite support engineers.
My question is whether the outbound transfer using NRDP would work when traffic is one way only.
Thanks for any help you can provide.
Chris
One way output to remote XI server
Re: One way output to remote XI server
NRDP is built on top of HTTP (TCP) requests, which requires a 3-way handshake. NSCA is also built on top of TCP and has the same restrictions.
I dunno what a "data diode" is in this case, but it sounds like your situation demands a UDP protocol for communication rather than TCP? Granted it's been a while since I've gotten into the weeds with this sort of stuff, I think doing something with SNMP traps is probably the best "out of the box" solution here. Else I guess you could rig up some AMQP broker in-between the two networks -- AMQP 1.1 supports UDP if the specific broker/client allows it. Or just a generic UDP proxy service to receive the messages and forward them to your "external" Nagios XI instance via NRDP.
It's certainly doable, I'm just not seeing a turn-key solution.
Former Nagios employee
https://www.mcapra.com/
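The relay arrangement described in the reply above (UDP across the diode, re-submitted to the external XI over NRDP) sketched as an added example; this is not code from the thread or from Nagios. It assumes the diode passes arbitrary UDP datagrams, that a shared key is provisioned out of band on both sides, and it invents a small JSON wire format for the hop; the NRDP side uses the form fields token, cmd=submitcheck and XMLDATA that the send_nrdp client scripts post. Because nothing can flow back, the sender authenticates each datagram with an HMAC and numbers it, so the receiver can at least count what it lost, even though it can never ask for a retransmit.

```python
"""UDP-to-NRDP relay sketch (added example, not from the thread or Nagios).

Inside the closed network a sender emits one datagram per passive check
result through the data diode.  On the open side a receiver validates each
datagram and re-submits it to Nagios XI over NRDP (HTTP POST).  No byte can
travel back, so the sender must authenticate (HMAC) and number its messages;
the receiver can detect loss but cannot request a retransmit.
"""
import hashlib
import hmac
import json
import socket
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed shared secret provisioned out of band on both sides (hypothetical).
RELAY_KEY = b"replace-with-a-long-random-key"


def build_datagram(seq, hostname, servicename, state, output, key=RELAY_KEY):
    """Serialise one check result as JSON and prefix it with an HMAC-SHA256 tag."""
    body = json.dumps({
        "seq": seq, "hostname": hostname, "servicename": servicename,
        "state": state, "output": output,
    }, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return tag + b"." + body  # hex tag never contains '.', so the split is unambiguous


def send_datagram(datagram, diode_addr):
    """Fire-and-forget UDP send toward the diode's inbound interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, diode_addr)


class Receiver:
    """Open-side state: verify each datagram, count sequence gaps."""

    def __init__(self, key=RELAY_KEY):
        self.key = key
        self.last_seq = None
        self.missed = 0

    def parse(self, datagram):
        """Return the check dict, or None if the tag is missing or bad."""
        tag, sep, body = datagram.partition(b".")
        if not sep:
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None  # forged, or corrupted in transit
        msg = json.loads(body)
        if self.last_seq is not None and msg["seq"] > self.last_seq + 1:
            self.missed += msg["seq"] - self.last_seq - 1  # gap: datagrams lost on the way
        if self.last_seq is None or msg["seq"] > self.last_seq:
            self.last_seq = msg["seq"]
        return msg


def to_nrdp_xml(results):
    """Build the <checkresults> document NRDP's submitcheck command expects."""
    root = ET.Element("checkresults")
    for r in results:
        cr = ET.SubElement(root, "checkresult", type="service")
        for field in ("hostname", "servicename", "state", "output"):
            ET.SubElement(cr, field).text = str(r[field])
    return ET.tostring(root, encoding="unicode")


def nrdp_post_body(token, xml):
    """Form-encode the submitcheck request the way the send_nrdp clients do."""
    return urllib.parse.urlencode(
        {"token": token, "cmd": "submitcheck", "XMLDATA": xml}).encode()


def submit_to_xi(nrdp_url, token, xml):
    """POST to the remote XI's NRDP endpoint, e.g. https://xi.example/nrdp/ (hypothetical)."""
    req = urllib.request.Request(nrdp_url, data=nrdp_post_body(token, xml))
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def serve(bind_addr, nrdp_url, token, key=RELAY_KEY):
    """Receive datagrams on the open side and forward each one as an NRDP submitcheck."""
    rx = Receiver(key)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(bind_addr)
        while True:
            datagram, _ = s.recvfrom(65535)
            msg = rx.parse(datagram)
            if msg is not None:
                submit_to_xi(nrdp_url, token, to_nrdp_xml([msg]))
```

On the closed side a check handler calls `send_datagram(build_datagram(...), (diode_ip, port))` with the seq counter persisted across restarts; on the open side `serve(("0.0.0.0", port), "https://xi.example/nrdp/", token)` runs next to the external XI (addresses and token are placeholders). Keep each result in its own datagram so nothing depends on IP fragment reassembly, and alert on `Receiver.missed` or on a stale `last_seq`, since silence on a one-way link is indistinguishable from a dead sender. Check with the diode vendor that raw UDP is actually passed; some units only carry specific protocols or file transfers.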
Re: One way output to remote XI server
Thanks @mcapra!
@Chris Hardick, let us know if you have any further questions or it is OK to close this topic.
Be sure to check out our Knowledgebase for helpful articles and solutions!
Chris Hardick (Posts: 33, Joined: Mon Mar 25, 2019 5:40 am)
Re: One way output to remote XI server
Thanks @mcapra
I have passed on your response to those in my team who know far more about comms than I do.
I can see that the trap side of things could be configured to work, but I guess WMI responses would not be covered.
The data diode is essentially a device that will only allow traffic in a single direction, this is achieved physically to maximise security.
https://en.wikipedia.org/wiki/Unidirectional_network
An alternative solution would be to use a network eavesdrop device that would replicate all traffic received by our local XI instance and pass it through the data diode to a similarly configured cloud based XI instance. Do you think this could work?
Thanks for your help
Re: One way output to remote XI server
Chris Hardick wrote:
An alternative solution would be to use a network eavesdrop device that would replicate all traffic received by our local XI instance and pass it through the data diode to a similarly configured cloud based XI instance. Do you think this could work?
This one is definitely beyond anything I've worked with in the past. But, just knowing what I know about TCP traffic, I would assume you would run into the same sort of problem as with the 3-way handshake. You can send the packets to XI, but when XI confirms, the confirmation packets go off into the void, unless there's something about network eavesdrop devices that can take care of that.
As of May 25th, 2018, all communications with Nagios Enterprises and its employees are covered under our new Privacy Policy.