ACL Protects Against Insider Threat

Insider threats are in the news. With all the time and money invested in individual security clearances, there is still risk. That risk is a human.

How do you globally restrict access to your infrastructure?

Every day a very large number of very smart people enter your facility with a green badge. 99.999% of them are trustworthy, but there is that very small group who enter the building with intent to steal information or do harm. How do you globally restrict access to your infrastructure, while giving people access to the systems and information required to do their jobs? The current options include:

  • Single sign-on,
  • multiple login/password combos,
  • credentials ….

There is no single answer, and the threat keeps getting smarter.

A New Mousetrap for ACLs

ACLs (access control lists) are one of the many tools used to control device access. On each device, the ACL must be configured to restrict each management protocol to a specific source device or range of devices. More users, more protocols, and more devices all mean more work.

Consider a solution that combines physical access control, your existing user groups, and your existing management applications to remove direct device access for roughly 95% of individuals, for devices anywhere in your network.

The Tavve ZoneRanger™ (ZR) is a 1U rack-mounted appliance or a VMware virtual appliance. Normally the ZoneRanger™ is used as an edge device to securely manage a DMZ across a firewall boundary. In that deployment model the ZoneRanger™ sits on the dirty side of the firewall and is connected to the Tavve RangerGateway (RG) through a tunnel encrypted with FIPS 140-2 validated cryptography. Every message must pass validation and deep packet inspection before it is forwarded.

To address the insider threat challenges, this model is reversed. The process has four major steps:

  • First, deploy the RangerGateway in the NOC/SOC, which is separated by a firewall from the rest of the core network.
  • Second, deploy the ZoneRanger™ in the core of the network and “join” the two systems. This join establishes the FIPS 140-2 tunnel.
  • Third, create the routing so that all management applications in the NOC/SOC reach managed devices through the RangerGateway.
  • Finally, set up the device ACLs so that all management traffic must come from one of the ZoneRanger™ IP addresses.
    • RangerGateways and ZoneRangers can be paired 1:1, 1:many, or many:1.
    • Multiple levels of redundancy are available, and the level chosen determines how many ZRs are required.
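As an added illustration of the final step (this is not Tavve's documentation or a configuration from the page), here is the device-side ACL before and after the change. Cisco IOS syntax is used only because it is widely recognised; the page notes that any vendor's devices work, and every address, list name, and the SNMP community placeholder below is assumed:

```text
! Added illustration, not Tavve's configuration. Cisco IOS syntax used only
! because it is widely recognised; all addresses and names are assumed.
!
! BEFORE: each managed device must list every host that may manage it.
ip access-list standard MGMT-HOSTS
 remark NMS servers, jump hosts, and engineering subnets, maintained per device
 permit 10.20.1.11
 permit 10.20.1.12
 permit 10.20.1.13
 permit 10.30.0.0 0.0.255.255
 permit 10.31.0.0 0.0.255.255
 deny   any log
!
! AFTER: management traffic is accepted only from the ZoneRanger addresses.
ip access-list standard ZR-HOSTS
 remark Redundant pair of ZoneRangers in the network core (assumed addresses)
 permit 10.10.5.21
 permit 10.10.5.22
 deny   any log
!
! Apply the same list to interactive logins and to SNMP.
line vty 0 4
 transport input ssh
 access-class ZR-HOSTS in
!
snmp-server community <read-only-community> RO ZR-HOSTS
```

Two practitioner notes. First, the ACL is applied to the device's management plane (the vty lines and the SNMP agent), not to transit traffic, so it does not affect production forwarding. Second, because the list ends in `deny any log`, a green-badge user who points an SSH client or SNMP tool directly at a device is not only refused but also generates a log entry, which the NOC/SOC can alert on; the ZoneRanger addresses themselves become the single management path, so the firewall between the NOC/SOC and the core must permit nothing to them beyond the RangerGateway join.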

Once this model is deployed, several things have happened to greatly restrict access, save labor (time), and reduce human error.

  1. Unless you are in the NOC/SOC, you cannot view, modify, or otherwise access any managed device.
  2. For most environments, the number of ACL entries is substantially reduced: each device only has to permit the ZoneRanger™ addresses rather than every management host. With far fewer entries, the setup, deployment, and ongoing maintenance of each device is drastically simplified. The savings here is labor.
  3. Reducing the time needed to deploy and manage each device also reduces complexity and the opportunity for human error.

The combination of the RangerGateway, a firewall (from ANY vendor), and the ZoneRanger™ makes this a solution that can be deployed quickly and efficiently. It is 100% vendor independent for management applications, firewalls, and end devices.

Fences, guards, and firewalls keep 99% of the world outside your facilities. For the hundreds to thousands of people who enter every day with a green badge, this solution narrows access to your infrastructure down to the very short list of IT professionals with physical access to the NOC/SOC.

Why Tavve ZoneRanger™

The ZoneRanger™ supports all dominant industry protocols and is fully vendor independent. This independence allows our customers to choose the management applications, firewalls, and end devices from ANY vendor.

For more information contact Jeff Olson, Director of Sales at 919.654-1231 or