HP ProCurve Threat Management Solution Design Guide
ProCurve Threat Management Solution Design Guide May 2009
© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. Disclaimer This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents

1 Customer Needs
  Internal Threats  1-1
  Threat Management Solutions  1-2
  Documents, Audience, and Assumptions  1-2

2 Concepts
  General Threat Management Architecture

4 Design
  Software and Hardware Selection  4-2
    PCM+ Requirements  4-2
    Plan Where to Install NIM  4-3
  Choose a Deployment
1 Customer Needs

Internal Threats

Because nearly every company has an Internet connection, its network is exposed to potentially millions of users throughout the world. If even a small percentage of those users choose to launch attacks, they can cause considerable damage. For this reason, traditional security solutions focus on technologies such as firewalls that control traffic crossing the border between the public Internet and the private network.
Threat Management Solutions

Threat Management Solutions from HP ProCurve Networking can help you protect your network against threats, whether they originate inside or outside the network.
2 Concepts

HP ProCurve Networking has identified threat management as a critical component of its ProActive Defense, a comprehensive security vision and strategy that is designed to help companies better protect their networks. (See Figure 2-1.) This strategy includes three major components:
■ Access control—granting appropriate access to persons who are authorized to use the network and denying access to persons who have no legitimate business on the network.
General Threat Management Architecture

2. Respond to the threat. This could be an action taken at:
• The device from which the threat propagates—For example, a switch could block a port, limit the port's available bandwidth, or assign it to a quarantine VLAN. Alternatively, the switch might lock out the offender's MAC address from all of its ports, or an access point (AP) might lock out the offender's MAC address from all its wireless LANs (WLANs).
Management Station Running HP ProCurve PCM+ and NIM

Required for all HP ProCurve Threat Management Solutions, PCM+/NIM detects and responds to threats as well as manages the solution as a whole. PCM+ is a Simple Network Management Protocol (SNMP) console that allows you to manage HP ProCurve devices. NIM is a PCM+ plug-in that provides threat management capabilities.
■ Instrumentation monitor—This feature allows you to configure the switch to send SNMP traps when thresholds are exceeded for:
• Packets sent to closed TCP/UDP ports
• IP address count
• ARP requests received
• System resource usage
• System delay
• Switch login failures
• Port authentication failures
• MAC address count
• MAC moves
• Learn discards
■ SNMP authentication—The switch can detect SNMP authentication failures, which might indic
If you are using PCM+ 3.0, IDM 3.0, and NIM 2.0 and a NIM mitigation policy is triggered, settings that are specified in the NIM policy override the settings that are specified in the IDM policy for the user in question. For example, suppose a user's IDM access policy includes a dynamic VLAN assignment. During a network session, the user's workstation exhibits behavior that triggers a NIM policy, which includes only a rate limit.
[Figure 2-2. Threat Management Solution with Inline IPS: traffic from the external network passes through the inline third-party security device (IPS) before reaching the ProCurve switch and the internal network; the IPS optionally sends security alerts to the management station running ProCurve Manager Plus and Network Immunity Manager.]
■ Offline IDS—If you are using an IDS, you can use it in offline mode and have switches mirror traffic to it. The advantage of this approach is that you can use fewer IDSs.
NIM supports the following third-party security devices:
■ Cisco IPS 4200 Series
■ Fortinet FortiGate/FortiWifi Series
■ SonicWall E-Class NSA Series
■ SonicWall PRO Series
■ TippingPoint IPS Series
(Other third-party security devices are not supported at this time.)
In monitor mode, the TMS zl Module operates as an IDS, which analyzes traffic that is mirrored to it: it detects protocol anomalies and known attacks, viruses, worms, and lax security practices. When it detects a threat, it can log an event, send a notification to a network administrator, or send a notification to an SNMP management console such as PCM+/NIM.
• If the HP ProCurve Threat Management Solution includes an external security device (either a third-party device or the TMS zl Module operating in monitor mode) and NIM detects a threat, NIM can cause the switch to send the traffic stream from the affected port to the external security device for more detailed analysis. If the external security device confirms a threat, it sends an alert to NIM.
The Security Management Life Cycle

Threat detection and response form the backbone of the day-to-day security management operation on your network, but they are only part of the story. Additional management functions expand the day-to-day operations into a full security management life cycle, as shown in Figure 2-7.
Figure 2-7. Security Management Life Cycle
This life cycle is described in the sections that follow.
A policy takes the general form shown below.
If <threat>, then <response>
For example, a policy might be: If a known virus is detected, block the port that it comes from. A policy could include a collection of similar threats and responses. The available choices for threats and responses come from NIM, HP ProCurve switches, HP ProCurve security devices, and third-party security devices.
[Figure 2-8. Local Mirroring: traffic entering the ProCurve switch from the network is forwarded out to the network as usual, while a copy (mirrored traffic) is sent to the third-party security device.]
• Remote mirroring—Remote mirroring is similar to local mirroring, except that the source ports and the mirror ports are on different switches. Mirrored traffic between the switches is encapsulated in an IPv4 tunnel.
The following ProCurve switches support MAC mirroring:
• HP ProCurve 3500yl Series switch
• HP ProCurve 5400zl Series switch
• HP ProCurve 6200yl switch
• HP ProCurve 6600 Series switch
• HP ProCurve 8200zl Series switch
■ Virus Throttle™ technology (connection-rate filtering)—Certain switches can use HP ProCurve's Virus Throttle™ technology to detect virus activity based on traffic behavior rather than on comparison with known virus signatures.
Figure 2-10. Network Immunity Manager Dashboard in PCM+
In addition to detecting threats, NIM also uses the Find Node capability of PCM+ to determine the switch port or AP where the threat originates. This allows any threat response actions to be applied at the point in the network where they will be most effective.
■ Signature detection—An IDS/IPS (such as the TMS zl Module's IDS/IPS) can use signatures to detect threats.
Threat Response

NIM is the primary means for controlling the actions that are taken in response to threats. While other components in the HP ProCurve Threat Management Solution can also control responses, NIM provides centralized control over a variety of mitigation actions on devices that PCM+ has discovered. NIM allows you to create actions—threat responses that NIM will take—to be performed when certain alerts are triggered.
Figure 2-11 shows the PCM+ Policy Manager. As you can see, there are preconfigured alerts for the TMS zl Module and the third-party security devices that NIM supports. You can also modify these preconfigured alerts or create new ones.
Figure 2-11. Default ProCurve Threat Management Services Alert Window
Interaction of NIM and IDM—Starting with NIM v2.0 and IDM v3.
Event Analysis

NIM can provide reports on the location and frequency of threat events on your network, identity of persistent offenders, actions taken to protect the network, and similar information. You can use these reports for a variety of purposes:
■ Network policy refinement—With additional knowledge about the types and seriousness of threats against your network, you can tune your network policies to provide more effective protection.
Deployment Options

You have a number of options for deploying a Threat Management Solution, depending on which components you decide to use. The following examples show different deployments in a corporate headquarters environment. These deployments can be adapted to other environments (such as large departments and remote branch offices) as needed.
of the malicious activity and then takes the action that you have configured to neutralize that activity. For example, you may have configured an action such as shutting down the port where the activity originates.
■ NIM + wireless devices—Using NIM with wireless devices is really just a special case of the NIM standalone deployment. As Figure 2-13 shows, a WESM can send wireless sFlow data to NIM.
Note that the MAC lockout applies to all RPs managed by the WESM. Even if the attacker roams to a different RP (on the same WESM), the MAC address of the attacker is still locked out of the network.
■ NIM + Inline IPS—In this deployment, an IPS is placed inline between two points on the network, causing all traffic between those points to pass through it. The IPS inspects all the traffic, and if it recognizes a virus or similar attack it blocks the attacker's traffic.
Note that inline systems are effective in monitoring and preventing attacks, but by their nature, they can cause bottlenecks in high-traffic areas. ProCurve recommends that you deploy IPSs at critical network locations requiring high security or in areas where there is a high probability of attack.
■ NIM + Offline IDS—In this deployment an offline IDS passively detects attacks by monitoring traffic sent to it from a mirror port.
IDSs differ from IPSs in that they are not part of the normal traffic path. While this means that they are not able to block traffic when they detect an attack, it also means that they will not cause a traffic bottleneck. In addition, the flexibility of mirroring (especially remote mirroring) allows you to change the source of the traffic that you send to the IDS to meet changing conditions on your network.
[Figure 2-16. NIM with the TMS zl Module Operating in Routing Mode and Providing Perimeter Protection: an HP ProCurve 5406zl switch with the TMS zl Module routes traffic between the internal network and the Internet and sends SNMP traps to NIM; a routing switch routes traffic on the internal network among the data center, employee cubicles, visitor lobby, and conference rooms.]
Although you can use the TMS zl Module for perimeter protection, its main function is to provide internal protection.
(For specific information on how to configure the TMS zl Module in routing mode to provide internal protection, see the HP ProCurve Threat Management Services zl Module Management and Configuration Guide, which is available on the HP ProCurve Network Web site at http://www.procurve.com/customercare/support/manuals/index.htm.)
You can use a TMS zl Module in monitor mode to detect threats in internal traffic, in external traffic destined to the internal network, or in both.
[Figure 2-18. NIM with the TMS zl Module Operating in Monitor Mode (as an IDS Only): traffic from the data center, employee cubicles, visitor lobby, and conference rooms is mirrored to the TMS zl Module in an HP ProCurve 5406zl switch; the module sends security alerts to NIM, and NIM responds on any supported switch or wireless device.]
■ Unified solution—The deployment options described in this section can all be combined to operate simultaneously in a network environment.
3 Products

This chapter describes the products that can be part of an HP ProCurve Threat Management Solution. Some products are required, and others are optional.

HP ProCurve Software

Every HP ProCurve Threat Management Solution includes HP ProCurve Manager Plus (PCM+) and HP ProCurve Network Immunity Manager (NIM), which is a plug-in for PCM+.
HP ProCurve Manager Plus

PCM+ is a general network management application for HP ProCurve network devices. It hosts additional application components, such as NIM and IDM, and provides a single management interface as well as device interface functions. PCM+ provides features such as the Policy Manager, Find Node, and Traffic Monitor, which are particularly important to threat management.
IDM and NIM are integrated so that you can track additional information about offenders and take additional steps to protect the network when a threat is detected. With PCM+ and NIM, you can learn an offender's MAC address, IP address, and host name. When IDM is added, you can also obtain the username and detailed session information. In addition, NIM and IDM can work together to prevent an offender from moving from one port to another.
■ Remote mirroring—Remote mirroring is similar to local mirroring, except that the copied traffic is sent to a mirror port on a different switch. See Table 3-1 to see which switches support remote mirroring. Note that both the source and destination switches must support remote mirroring, and if the mirrored frames are full-size frames, any intermediate switches must support jumbo frames. NIM can configure remote mirroring on switches that support it.
Response—In responding to detected threats, NIM relies on several features of switches and wireless devices. Table 3-2 indicates which switches and wireless devices support these features. The relevant features for threat detection and response are listed below.
■ Port shutdown—NIM can direct most HP ProCurve switches to block traffic on a specified port (typically the port where an attack originates).
Table 3-1.
Table 3-2. Response Capabilities of HP ProCurve Switches and Wireless Devices
Columns: Device | Port Shutdown | MAC Lockout | Port-Rate Limit | VLAN Assignment | Local Mirror Reconfig. | Remote Mirror Reconfig. | MAC Mirror Reconfig.
1600 switch: ✔ ✔
2400 switch: ✔ ✔
2500 switch: ✔ ✔ ✔
2510 switch: ✔ ✔ ✔ ✔ ✔ ✔ ✔
HP ProCurve Threat Management Services zl Module

Installed in either an HP ProCurve 8200zl Series or 5400zl Series switch, the TMS zl Module can operate in one of two modes—routing mode or monitor mode—and its operating mode determines the functionality it provides. In routing mode the TMS zl Module provides a stateful firewall, IPS, and virtual private network (VPN) capabilities.
Third-Party Security Devices

NIM supports the third-party security devices listed in this section. It can be configured to receive SNMP traps from these products and can then respond to those traps.

Cisco IPS 4200 Series

The Cisco IPS 4200 Series can function as an IPS or IDS in your network. These devices can detect and act on malicious traffic on your network.
4 Design

After completing the design process outlined in this chapter, you should have:
■ A list of the software and hardware you need to implement an HP ProCurve Threat Management Solution on your network
■ A design that you can implement to provide threat protection for your network
Do not be surprised, however, if your design does not at first seem as solid as you expected.
You might proceed through the life cycle a couple of times before you completely understand how security threats affect your network and how you want to deal with those threats. And because all networks are different and the threats affecting them are continually changing, your approach may often be guided more by a combination of intuition and reasonable guesses than by a definitive script.
Software and Hardware Selection

Table 4-2. PCM Recommended Hardware Configuration
Network Size          CPU                                        RAM   Disk Space  NIC
50 or fewer devices   Two 3.0 GHz Xeon/Pentium V or equivalent   2 GB  120 GB      100/1000 Mb/s
51 to 350 devices     Two 3.0 GHz Xeon/Pentium V or equivalent   3 GB  120 GB      100/1000 Mb/s
351 to 1200 devices   Four 3.0 GHz Xeon/Pentium V or equivalent  4 GB  120 GB      100/1000 Mb/s
1201 to 2400 devices  Four 3.
Table 4-4. PCM Agent Recommended Hardware Configuration
Network Size          # of Remote Agents        CPU                                        RAM   Disk Space  NIC
50 or fewer devices   1 local; remote optional  One 3.0 GHz Xeon/Pentium V or equivalent   2 GB  40 GB       100 Mb/s
51 to 350 devices     1 local; remote optional  One 3.0 GHz Xeon/Pentium V or equivalent   2 GB  40 GB       100 Mb/s
351 to 1200 devices   1 local + 3 remote        Two 3.
Deployment Option: NIM + HP ProCurve TMS zl Module in Monitor Mode
Benefits:
• Internal threat management for a wired network, wireless network, or both
• Perimeter threat management in addition to internal
Other Reasons for Selecting the Option:
• Your security policies call for high-confidence threat detection throughout the network.
• You require a device that can protect you from perimeter threats and detect internal threats.
NIM + Inline IPS

You must complete all of the tasks described in "NIM Standalone" on page 4-5. If an IPS is already deployed on your network, you can simply configure it to send traps to PCM+ in response to threats. You can then analyze these traps in PCM+ as you analyze the events generated by NIM using NBAD. At this point, you should not configure NIM to take action based on the IPS's traps.
NIM + TMS zl Module

You must complete all of the tasks described in "NIM Standalone" on page 4-5. You must also determine whether the TMS zl Module will operate in routing mode or monitor mode. In routing mode, the TMS zl Module acts as an IPS, giving you all of the benefits of a NIM + IPS deployment. However, the module can protect a larger network segment than many traditional IPSs.
The sections that follow describe these features in more detail.

Actions Applied Regardless of User Connection Point

When NIM takes action against an offender, often the action applies to the precise port to which the offender connects. This precision is desirable because the threat is blocked without blocking legitimate traffic from other users. However, if the offender moves to a different port, NIM must detect the threat again and then take action again.
Background for Planning NIM Policies

Before you start the design process, it is useful to have a picture of how the policy-setting process works. This section provides a general overview to help you become familiar with the process. Do not think of this overview as a set of instructions: you will find those instructions in the HP ProCurve Threat Management Solution Implementation Guide (which will be released in May 2009).
If you look at the general policy flow diagram in Figure 4-3, you will see where many of those events occur.
[Figure 4-3. General policy flow diagram. Nodes: External Events (IDS, IPS events); ProCurve Events (Virus Throttling events, sFlow and XRMON data); the NBAD engine, with sensitivities set in the Security Monitoring panel, producing NBAD events; Define Alerts (Alerts section), Define Actions (Actions section), and Define Policies (Policies section) in the Policy Configuration Manager panel.]
Alerts

Alerts are, essentially, events that you can act on.
You can define other alerts by selecting a type of event, giving it a name, and specifying a frequency of occurrence. To create an alert, you access the PCM+ Policy Manager and select Alerts and Security in the navigation tree, as shown in Figure 4-5.
Figure 4-5. Policy Manager > Alerts >
You can then click New to begin creating the alert.
Figure 4-6.
The Alert Type you select determines the settings you can configure for the alert. For example, if you select the ProCurve Security Devices Alert, you can create an alert based on:
■ Severity level of the threat
■ Signature ID
■ Signature sub-ID
■ Signature name
■ Trap source IP address
■ Trap text
Other alert types allow you to define different settings, such as the number of times an event occurs before an alert is triggered.
You can then click New to begin creating an action.
Figure 4-8. Create Action Window
Note that when you select an action type, the window shows you all the types of actions that PCM+ knows about. Many of these actions are not related to NIM. (In theory, you could make some pretty odd choices for responding to threats, such as setting Spanning Tree Protocol parameters. But if you define such an action, PCM+ will execute it.)
Policies

Policies match alerts to actions. NIM provides default policies that are related to the alert types. To view or modify a default policy, select it in the navigation tree of the Policy Manager window. For example, Figure 4-9 shows the alerts for the default security policy, ProCurve NBAD Services.
Figure 4-9. Policy Manager Window
You can create additional policies to respond to the threats that are detected on your network.
Follow an Iterative Design Process

The design steps outlined in this section will take you through the initial setup and continuing management of your network's threat management functions. The steps are based on the security management life cycle, which you should use as a general template for planning your solution.
Keep It Simple. The first time through the process you are looking for the general pattern of activity and threats on your network. (Save the more time-consuming responses, such as moving switches that support dynamic mirroring, for later cycles of the process when you have a better idea of where your detection capabilities are most needed.) The default settings in PCM+ and NIM provide a good starting point:
■ Traffic monitoring is enabled by default in PCM+.
Figure 4-11 shows the wizard's Identify False Positives window for an IP Address Sweep event.
Figure 4-11. NBAD Diagnostic Wizard > Identify False Positives Window
■ NBAD Event Sensitivities—If a particular type of event is associated with frequent false positives, you should adjust the sensitivity level for that NBAD event until the event disappears (or occurs only for real threats).
Figure 4-12 shows the NIM Configuration > > Monitoring window, where you can configure the sensitivity level.
Figure 4-12. NIM Configuration > > Monitoring Window
■ Exclusion List—If you know the source of an event and are satisfied that it is benign (such as the multi-homed device mentioned earlier), you can exclude that host from consideration for that particular event by putting it on an exclusion list.
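The tuning loop described above (a sensitivity level per NBAD event plus an exclusion list for a benign multi-homed source) and the behavior-based detection behind Virus Throttle connection-rate filtering described in Chapter 2 both rest on the same measurement: how many distinct destinations one source reaches in a short window. The following Python is an added example written for this guide, not NIM or switch code; the thresholds, window length, flow record fields and sample traffic are all assumptions made for illustration.

```python
"""Behaviour-based detection with sensitivity levels and an exclusion list.

Added example, not code from the HP ProCurve guide. It models the heuristic
shared by Virus Throttle (connection-rate filtering) and the NBAD IP Address
Sweep event: a source that reaches many distinct destinations in a short
window is flagged. Sensitivity selects the threshold, and sources on the
exclusion list (such as a multi-homed device) are never reported. Thresholds,
window length, record fields and all sample traffic are assumptions, not the
switch's or NIM's actual values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Assumed thresholds: distinct destination IPs per source per window above
# which an event is raised. Higher sensitivity means a lower threshold.
SENSITIVITY = {"low": 200, "medium": 50, "high": 10}
WINDOW_SECONDS = 60

@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class SweepEvent:
    src: str
    window_start: int
    distinct_dsts: int
    threshold: int

def detect_sweeps(flows: Iterable[Flow], sensitivity: str = "medium",
                  exclusions: FrozenSet[str] = frozenset()) -> List[SweepEvent]:
    """Return one SweepEvent per (source, window) whose distinct-destination
    count exceeds the threshold for `sensitivity`. Excluded sources are
    skipped before counting, which is what an NBAD exclusion list does."""
    if sensitivity not in SENSITIVITY:
        raise ValueError(f"unknown sensitivity {sensitivity!r}")
    threshold = SENSITIVITY[sensitivity]
    buckets = defaultdict(set)    # (src, window_start) -> distinct dst IPs
    for f in flows:
        if f.src in exclusions:
            continue
        window_start = f.ts - (f.ts % WINDOW_SECONDS)
        buckets[(f.src, window_start)].add(f.dst)
    return [SweepEvent(src, ws, len(dsts), threshold)
            for (src, ws), dsts in sorted(buckets.items())
            if len(dsts) > threshold]

def sample_flows() -> List[Flow]:
    """Constructed sFlow-like records: a host sweeping 60 addresses on TCP/445,
    a multi-homed server legitimately answering 30 clients, and one quiet
    workstation, all inside a single 60-second window."""
    base = 1_700_000_000
    flows = [Flow(base + i % 30, "10.0.5.23", f"10.0.8.{i + 1}", 445) for i in range(60)]
    flows += [Flow(base + i, "10.0.1.10", f"10.0.9.{i + 1}", 443) for i in range(30)]
    flows.append(Flow(base + 5, "10.0.5.40", "10.0.1.10", 443))
    return flows

def tune_example():
    """Walk the tuning loop the chapter describes: the server shows up as a
    false positive at high sensitivity, then disappears once excluded."""
    flows = sample_flows()
    return {
        "medium": [e.src for e in detect_sweeps(flows, "medium")],
        "high": [e.src for e in detect_sweeps(flows, "high")],
        "high_excluded": [e.src for e in detect_sweeps(flows, "high",
                                                       frozenset({"10.0.1.10"}))],
    }
```

Calling tune_example() shows the sequence a first pass through the life cycle produces: at medium sensitivity only the sweeping host is reported; raising sensitivity to high also reports the multi-homed server, which is the false positive; excluding that server keeps the high setting without the noise.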
The Network Immunity Manager Dashboard will also help you analyze event data. (See Figure 4-13.) At a glance, you can see the top offenders, device trouble spots, group trouble spots, alert rates, top alerts, action rates, and top actions. The dashboard also displays the NBAD Analyzer Status, which reports the events that NBAD will detect when it analyzes traffic:
■ DNS Tunneling—The DNS packet format is altered to disguise malicious payload as valid data.
Plan Your Responses. For each event in your list and for each significant variation in time and location, note the action you want to take. At this step in the process, you are just making a list of events and possible responses; in later steps you will define alerts based on the events and create actions to respond to the alerts. All PCM+ action types are available for responses.
Note: Your IDS might be on a different switch from the source of new activity. In this case, you can use remote mirroring, as long as the switches involved support remote mirroring. Otherwise, you cannot mirror the traffic without changing your topology.
You may be able to use multiple alerts defined for the same event type to fine-tune your responses.
Set up Alerts. Use the Alerts section in the Policy Manager to define alerts for the events you listed in step 1, above.

Second and Subsequent Times Through the Process

The next time you go through the security management life cycle, you should re-evaluate your alerts. If, in the previous step, you have added new types of events to your list or planned alerts that trigger at higher-frequency or lower-frequency events, define those alerts now.
Perform the following tasks to enable threat response on your network.
Define Actions. Use the Actions section of Policy Manager to define actions. These actions should match the responses on the list you generated in step 1.
Define Policies. Use the Policies section of Policy Manager to define policies that match alerts to actions, according to the list of events and responses you generated in step 1.
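The three steps above (set up alerts, define actions, define policies), together with this chapter's earlier advice to analyze an IPS's traps in PCM+ before letting NIM act on them, fit in a small engine. The Python below is an added example, not PCM+ or NIM code; the event fields, severity scale, forwarding table and sample event stream are assumptions made for illustration, and the Find Node lookup is stood in for by a constructed dictionary.

```python
"""Alerts, actions and policies as this chapter describes them (added example,
not PCM+/NIM code). An Alert fires when enough events of its type and severity
arrive within a window; a Policy ties an alert to responses; offenders are
located in a constructed table standing in for PCM+ Find Node. Field names,
the severity scale and all sample data are assumptions, not NIM's own."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Event:
    ts: int                      # epoch seconds
    event_type: str              # e.g. "ip_address_sweep", "ips_signature"
    severity: int                # assumed scale 1 (info) .. 5 (critical)
    offender_mac: str
    signature_id: Optional[str] = None

@dataclass(frozen=True)
class Alert:
    name: str
    event_type: str
    min_severity: int = 1
    count: int = 1               # events needed within window_seconds
    window_seconds: int = 60
    signature_id: Optional[str] = None   # optional filter, as for IPS trap alerts

@dataclass(frozen=True)
class Action:
    kind: str                    # "port_shutdown" | "mac_lockout" | "rate_limit" | "vlan"
    param: Optional[str] = None  # e.g. a rate or a VLAN ID
@dataclass(frozen=True)
class Policy:
    alert: Alert
    actions: Tuple[Action, ...]

# Constructed MAC -> (switch, port) table in place of a Find Node lookup.
FORWARDING_TABLE = {
    "00:11:22:33:44:55": ("sw-edge-1", "A12"),
    "aa:bb:cc:dd:ee:ff": ("sw-edge-2", "B3"),
}

class PolicyEngine:
    def __init__(self, policies, fib, enforce=True):
        # enforce=False records decisions without acting: the monitor-first
        # stage the chapter recommends before enabling responses.
        self.policies, self.fib, self.enforce = policies, fib, enforce
        self.history = defaultdict(deque)   # (alert name, MAC) -> recent timestamps
        self.responses = []                 # actions taken
        self.proposed = []                  # actions withheld because enforce=False

    @staticmethod
    def _matches(alert, ev):
        return (ev.event_type == alert.event_type
                and ev.severity >= alert.min_severity
                and (alert.signature_id is None or ev.signature_id == alert.signature_id))

    def _fires(self, alert, ev):
        """Sliding-window count; one burst produces one response, then resets."""
        q = self.history[(alert.name, ev.offender_mac)]
        q.append(ev.ts)
        while q and ev.ts - q[0] >= alert.window_seconds:
            q.popleft()
        if len(q) >= alert.count:
            q.clear()
            return True
        return False

    def handle(self, ev):
        fired = []
        for policy in self.policies:
            if not (self._matches(policy.alert, ev) and self._fires(policy.alert, ev)):
                continue
            location = self.fib.get(ev.offender_mac)
            if location is None:
                continue   # port unknown, so no port-level response is possible
            switch, port = location
            sink = self.responses if self.enforce else self.proposed
            for a in policy.actions:
                sink.append((ev.ts, policy.alert.name, switch, port, a.kind, a.param))
            fired.append(policy.alert.name)
        return fired

def run_sample(enforce=True):
    policies = [
        Policy(Alert("sweep-repeat", "ip_address_sweep", min_severity=2, count=3,
                     window_seconds=120), (Action("rate_limit", "1000kbps"),)),
        Policy(Alert("ips-worm", "ips_signature", min_severity=4, signature_id="2001"),
               (Action("port_shutdown"), Action("mac_lockout"))),
    ]
    engine = PolicyEngine(policies, FORWARDING_TABLE, enforce)
    base = 1_700_000_000
    events = [   # constructed event stream
        Event(base, "ip_address_sweep", 3, "00:11:22:33:44:55"),
        Event(base + 30, "ip_address_sweep", 3, "00:11:22:33:44:55"),
        Event(base + 50, "ips_signature", 2, "aa:bb:cc:dd:ee:ff", "2001"),  # below min severity
        Event(base + 70, "ip_address_sweep", 3, "00:11:22:33:44:55"),       # third in window
        Event(base + 90, "ips_signature", 5, "aa:bb:cc:dd:ee:ff", "2001"),  # fires at once
        Event(base + 95, "ips_signature", 5, "de:ad:be:ef:00:01", "2001"),  # unlocatable MAC
    ]
    return [engine.handle(e) for e in events], engine
```

run_sample() feeds six constructed events through two policies: a repeated IP address sweep from one MAC address is rate-limited at its switch port only after the third event within 120 seconds, a severity-5 IPS signature trap shuts down the port and locks out the offending MAC address immediately, the same signature at severity 2 is ignored, and an offender the table cannot locate draws no port-level action. run_sample(enforce=False) records the same decisions under engine.proposed without taking them, which is the monitor-only stage to use while newly added traps are still being evaluated.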
Figure 4-15. NBAD Diagnostic Wizard > Analyze Threat Window
You can click Event History and Policy History to view this offender's event history and policy history, or click Show Map to display this offender's location on your network map, as shown in Figure 4-16.
Figure 4-16. Network Map Window
Plan Refinements to the NIM Policy. Based on the analysis above, update the event list for your network and plan responses for new events. You may want to change threshold levels for alerts, and you may want to change responses that have proved ineffective.