HP ProCurve Threat Management Solution Design Guide 2009-04
2-3
Concepts
General Threat Management Architecture
Management Station Running HP ProCurve PCM+ and NIM
PCM+/NIM is required for every HP ProCurve Threat Management Solution: it detects and responds
to threats and manages the solution as a whole. PCM+ is a Simple Network Management
Protocol (SNMP) console for managing HP ProCurve devices; NIM is a PCM+ plug-in that adds
the threat management capabilities.
PCM+/NIM receives traffic samples and polled data from network devices that support sFlow
or XRMON. Both are packet sampling technologies. An sFlow agent running on a switch samples
packets at a configured rate (1 in N), copies a configured number of leading bytes of each
sampled packet (often 128), and packages those copies, together with the sampling rate, the
input and output interface numbers, and interface counters, into small UDP datagrams (UDP port
6343 by default) that it forwards to an sFlow collector, here PCM+/NIM. Because each sample is
a copy of the packet itself, it carries Open Systems Interconnection (OSI) Layer 2 through
Layer 7 information: packet-routing information (source, destination, and hop addresses),
authentication information where the agent supplies it, and a sample of the payload. Two
caveats follow from that design: sampling is statistical, so a low-volume attack may produce
few or no samples, and only the captured leading bytes are visible, so payload inspection is
limited to the start of each packet. XRMON is a sampling technology that preceded the sFlow
standard; XRMON samples only packet headers.
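To make the datagram structure concrete, the following is an added example (not code from the guide or from HP): a decoder for an sFlow v5 datagram carrying one flow sample with a raw packet header record, followed by extraction of the Layer 2 to Layer 7 fields from the sampled header bytes. The datagram itself is constructed in the block (agent address, interface numbers, sampling rate, and the sampled TCP segment are all test values, not a real capture); only the enterprise-0 flow sample and raw packet header record formats are decoded, and counter samples are skipped.

```python
"""Decode an sFlow v5 datagram: datagram header, flow sample, raw packet header record,
then the Ethernet/IPv4/TCP fields and payload bytes inside the sampled header."""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
SFLOW_FLOW_SAMPLE = 1        # sample_data_format (enterprise 0, format 1)
SFLOW_RAW_PKT_HEADER = 1     # flow_data_format  (enterprise 0, format 1)
HEADER_PROTO_ETHERNET = 1    # header_protocol value for ETHERNET-ISO88023


def _xdr_pad(b):
    """XDR opaque fields are padded to a 4-byte boundary."""
    return b + b"\x00" * (-len(b) % 4)


def build_sample_datagram():
    """Constructed sFlow v5 datagram (test data, not a real capture): agent 10.0.0.1,
    one flow sample from ifIndex 3 at 1-in-512 sampling, carrying the first 70 bytes
    of a TCP segment 10.1.2.3:40000 -> 192.0.2.10:80 with an HTTP request line."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234,
                     0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("10.1.2.3").packed,
                     ipaddress.IPv4Address("192.0.2.10").packed)
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!H", ETHERTYPE_IPV4))
    frame = eth + ip + tcp + payload
    # raw packet header record: protocol, original frame length (incl. 4-byte FCS),
    # bytes stripped (the FCS), header bytes captured, then the padded header itself
    record = struct.pack("!4I", HEADER_PROTO_ETHERNET, len(frame) + 4, 4, len(frame))
    record = struct.pack("!II", SFLOW_RAW_PKT_HEADER, len(record) + len(_xdr_pad(frame))) \
        + record + _xdr_pad(frame)
    # flow sample: seq, source_id (ifIndex 3), rate, pool, drops, input, output, n_records
    sample = struct.pack("!8I", 1, 3, 512, 1024, 0, 3, 5, 1) + record
    sample = struct.pack("!II", SFLOW_FLOW_SAMPLE, len(sample)) + sample
    # datagram: version 5, agent address type 1 (IPv4), agent, sub-agent, seq, uptime, n
    return struct.pack("!II4sIIII", 5, 1, ipaddress.IPv4Address("10.0.0.1").packed,
                       0, 42, 123456, 1) + sample


def _u32(buf, off):
    return struct.unpack_from("!I", buf, off)[0], off + 4


def decode_ethernet(hdr):
    """Pull L2-L4 fields and the payload sample out of the captured header bytes."""
    dst, src, etype = struct.unpack_from("!6s6sH", hdr, 0)
    info = {"src_mac": src.hex(":"), "dst_mac": dst.hex(":"), "ethertype": etype}
    if etype != ETHERTYPE_IPV4 or len(hdr) < 34:
        return info
    ihl = (hdr[14] & 0x0F) * 4
    info["ip_proto"] = hdr[23]
    info["src_ip"] = str(ipaddress.IPv4Address(hdr[26:30]))
    info["dst_ip"] = str(ipaddress.IPv4Address(hdr[30:34]))
    l4 = 14 + ihl
    if info["ip_proto"] in (6, 17) and len(hdr) >= l4 + 4:
        info["src_port"], info["dst_port"] = struct.unpack_from("!HH", hdr, l4)
        if info["ip_proto"] == 6 and len(hdr) >= l4 + 20:
            info["tcp_flags"] = hdr[l4 + 13]
            info["payload"] = hdr[l4 + (hdr[l4 + 12] >> 4) * 4:]
        elif info["ip_proto"] == 17:
            info["payload"] = hdr[l4 + 8:]
    return info


def parse_raw_header(data):
    proto, frame_len, stripped, hdr_len = struct.unpack_from("!4I", data, 0)
    info = {"frame_length": frame_len, "stripped": stripped, "header_length": hdr_len}
    if proto == HEADER_PROTO_ETHERNET:
        info.update(decode_ethernet(data[16:16 + hdr_len]))
    return info


def parse_flow_sample(body):
    seq, source_id, rate, pool, drops, inp, outp, nrec = struct.unpack_from("!8I", body, 0)
    off, records = 32, []
    for _ in range(nrec):
        fmt, off = _u32(body, off)
        length, off = _u32(body, off)
        if fmt == SFLOW_RAW_PKT_HEADER:
            records.append(parse_raw_header(body[off:off + length]))
        off += length
    return {"sequence": seq, "source_id": source_id, "sampling_rate": rate,
            "sample_pool": pool, "drops": drops, "input_if": inp, "output_if": outp,
            "records": records}


def parse_datagram(buf):
    """Walk the datagram header and every sample; counter samples are skipped here."""
    version, off = _u32(buf, 0)
    if version != 5:
        raise ValueError(f"unsupported sFlow version {version}")
    addr_type, off = _u32(buf, off)
    if addr_type == 1:
        agent, off = str(ipaddress.IPv4Address(buf[off:off + 4])), off + 4
    elif addr_type == 2:
        agent, off = str(ipaddress.IPv6Address(buf[off:off + 16])), off + 16
    else:
        raise ValueError(f"unknown agent address type {addr_type}")
    sub_agent, off = _u32(buf, off)
    seq, off = _u32(buf, off)
    uptime, off = _u32(buf, off)
    n, off = _u32(buf, off)
    samples = []
    for _ in range(n):
        fmt, off = _u32(buf, off)
        length, off = _u32(buf, off)
        if fmt == SFLOW_FLOW_SAMPLE:
            samples.append(parse_flow_sample(buf[off:off + length]))
        off += length
    return {"agent": agent, "sub_agent": sub_agent, "sequence": seq,
            "uptime_ms": uptime, "samples": samples}
```

Note the sampling rate travels with each sample: a collector that wants traffic volume has to multiply sampled counts by that rate, and the distinct addresses it sees are a lower bound on the real set, which is exactly why a sampled source cannot see low-volume attacks reliably.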
In addition to receiving sFlow and XRMON data, PCM+/NIM can receive SNMP traps from:
■ HP ProCurve switches
■ HP ProCurve wireless devices
■ HP ProCurve TMS zl Module
■ Third-party security devices
Once NIM is aware of a threat on the network, it can direct an HP ProCurve switch, switch
module, or wireless device to take action to respond to the threat. Depending on the capabilities
of the switch or wireless device, this might mean shutting down a port or locking out a MAC
address.
HP ProCurve Infrastructure Devices
HP ProCurve switches and HP ProCurve wireless devices can help detect threats and enforce
NIM’s response to threats. For example, most switches and wireless devices support sFlow
and XRMON, so they can send sampled traffic to NIM. NIM will then use network behavior
anomaly detection (NBAD) to analyze the samples.
In addition, some HP ProCurve switches also support Virus Throttle™ technology. These
switches can detect certain virus activity and immediately take action (such as imposing rate
limits) on the suspicious traffic. They can also issue an alert to NIM, which may then direct the
switches to take action (depending on how you have configured NIM).
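The detection and response loop sketched in the two preceding sections (NIM analysing samples and then directing a switch to rate-limit, lock out a MAC address, or shut down a port) is illustrated by the following added example. It is not NIM's NBAD engine or HP's Virus Throttle implementation; it is a simplified fan-out heuristic (a host contacting far more distinct destinations than a normal client does) over already-decoded flow samples, with a response chooser that escalates according to what the switch supports. The sample set, the threshold, and the capability names are constructed for the example.

```python
"""Simplified fan-out (scan) heuristic over decoded sFlow flow samples and a response
policy chooser. Illustration only; the threshold and capability names are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    ingress_port: int   # switch port (ifIndex) the sample was taken on


def constructed_samples():
    """Test data: one host probing 120 distinct addresses on TCP/445 (worm-like fan-out)
    and one host talking repeatedly to three servers (normal client behaviour)."""
    samples = [FlowSample("00:aa:bb:cc:dd:01", "10.0.4.10", f"10.0.5.{i}", 445, 7)
               for i in range(1, 121)]
    servers = ["10.0.9.1", "10.0.9.2", "10.0.9.3"]
    samples += [FlowSample("00:aa:bb:cc:dd:02", "10.0.4.11", servers[i % 3], 443, 8)
                for i in range(200)]
    return samples


def fanout_by_source(samples, sampling_rate):
    """Group samples by source host. sFlow is 1-in-N sampling, so the packet count is
    an estimate (samples * N) and the distinct-destination set is a lower bound."""
    stats = {}
    for s in samples:
        st = stats.setdefault(s.src_ip, {"mac": s.src_mac, "port": s.ingress_port,
                                         "dsts": set(), "samples": 0, "dports": Counter()})
        st["dsts"].add(s.dst_ip)
        st["samples"] += 1
        st["dports"][s.dst_port] += 1
    for st in stats.values():
        st["est_packets"] = st["samples"] * sampling_rate
    return stats


def detect_scanners(stats, max_distinct_dsts=50):
    """Flag sources whose sampled traffic fans out to more distinct hosts than a normal
    client reaches. The threshold is an assumption and must be tuned per network."""
    alerts = []
    for src, st in stats.items():
        if len(st["dsts"]) > max_distinct_dsts:
            alerts.append({"src_ip": src, "mac": st["mac"], "port": st["port"],
                           "distinct_dsts": len(st["dsts"]),
                           "top_dport": st["dports"].most_common(1)[0][0],
                           "est_packets": st["est_packets"]})
    return alerts


def choose_response(alert, capabilities, prior_alerts):
    """Escalate on repeat offences, limited to what the switch can actually do:
    rate-limit first, then lock out the offending MAC, then disable the port."""
    if prior_alerts >= 2 and "port_disable" in capabilities:
        return ("port_disable", alert["port"])
    if prior_alerts >= 1 and "mac_lockout" in capabilities:
        return ("mac_lockout", alert["mac"])
    if "rate_limit" in capabilities:
        return ("rate_limit", alert["port"])
    return ("alert_only", alert["src_ip"])
```

The escalation order matters in practice: a port shutdown also cuts off any innocent hosts behind the same port (a downstream switch or a VoIP phone with a PC behind it), so a MAC lockout is the narrower response when the switch supports it.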
Some ProCurve switches also support security features that allow them to monitor traffic for
possible attacks and send an SNMP trap if suspicious traffic or activity is detected. For
example, some switches support:
■ DHCP snooping (including DHCP snooping errant replies)—Ports facing the legitimate
DHCP servers are configured as trusted; DHCP server replies that arrive on any untrusted
port are the "errant replies" the switch drops and reports. This feature protects against
DHCP attacks such as:
• DHCP address spoofing, which occurs when a rogue DHCP server answers legitimate
stations with invalid IP addresses or a rogue default gateway
• Address exhaustion, which occurs when rogue stations request IP addresses, typically
under many forged client MAC addresses, and try to exhaust the DHCP server's supply
of IP addresses; a per-port limit on the number of DHCP bindings bounds the damage
a single port can do
■ Dynamic ARP protection—This feature validates ARP packets received on untrusted ports
against the IP-to-MAC bindings learned by DHCP snooping (plus any static bindings), so
DHCP snooping must be in place first. It protects against ARP attacks such as:
• ARP snooping, which occurs when attackers use ARP to discover information about
network devices
• ARP poisoning, which occurs when an unauthorized device forges an illegitimate ARP
response and other devices update their ARP tables with it, redirecting their traffic
through the attacker
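The two checks above, DHCP snooping with a trusted-port model and dynamic ARP protection that validates ARP against the snooping binding table, are shown together in the following added example. It is a model switch written for this page, not ProCurve firmware logic: the event names, the per-port binding limit, and the scenario (a rogue DHCP server, a gateway-spoofing ARP reply, and a client cycling MAC addresses to drain the pool) are constructed, and the treatment of ARP probes is an assumption.

```python
"""DHCP snooping and dynamic ARP protection as forwarding checks on a model switch.
Added illustration of the checks described above; not ProCurve firmware logic."""
import ipaddress
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_arp(op, sha, spa, tha, tpa):
    """Constructed ARP packet (Ethernet/IPv4, 28 bytes) for the scenario below."""
    return struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_bytes(tha), ipaddress.IPv4Address(tpa).packed)


class SnoopingSwitch:
    def __init__(self, trusted_ports, max_bindings_per_port=4):
        self.trusted = set(trusted_ports)       # ports facing legitimate DHCP servers
        self.max_bindings = max_bindings_per_port   # assumed per-port cap
        self.pending = {}       # (vlan, chaddr) -> client port, from DISCOVER/REQUEST
        self.bindings = {}      # (vlan, mac) -> (ip, port), learned from DHCPACK
        self.events = []        # (event, port, mac) that would be raised as SNMP traps

    def _drop(self, event, port, mac):
        self.events.append((event, port, mac))
        return "drop"

    def _port_load(self, port):
        return (sum(1 for p in self.pending.values() if p == port)
                + sum(1 for _, p in self.bindings.values() if p == port))

    def dhcp(self, port, vlan, src_mac, op, chaddr, yiaddr=None):
        """Verdict ('forward' or 'drop') for a DHCP message seen on `port`."""
        if op == BOOTREPLY:
            if port not in self.trusted:                 # rogue server: errant reply
                return self._drop("dhcp-errant-reply", port, src_mac)
            client_port = self.pending.pop((vlan, chaddr), None)
            if yiaddr and client_port is not None:       # ACK via trusted port: learn binding
                self.bindings[(vlan, chaddr)] = (yiaddr, client_port)
            return "forward"
        if port in self.trusted:
            return "forward"
        if src_mac != chaddr:                            # forged client hardware address
            return self._drop("dhcp-chaddr-mismatch", port, src_mac)
        if (vlan, chaddr) not in self.pending and self._port_load(port) >= self.max_bindings:
            return self._drop("dhcp-max-bindings", port, src_mac)   # address exhaustion
        self.pending[(vlan, chaddr)] = port
        return "forward"

    def arp(self, port, vlan, eth_src, pkt):
        """Dynamic ARP protection: sender MAC/IP must match a binding on this port."""
        if port in self.trusted:
            return "forward"
        _, _, _, _, op, sha, spa, _, _ = struct.unpack("!HHBBH6s4s6s4s", pkt[:28])
        sha, spa = sha.hex(":"), str(ipaddress.IPv4Address(spa))
        if sha != eth_src:                               # ARP sender != frame source
            return self._drop("arp-src-mac-mismatch", port, eth_src)
        if op == ARP_REQUEST and spa == "0.0.0.0":      # ARP probe (RFC 5227); allowed here (assumption)
            return "forward"
        if self.bindings.get((vlan, sha)) != (spa, port):
            return self._drop("arp-poisoning", port, sha)
        return "forward"


def run_scenario():
    sw = SnoopingSwitch(trusted_ports={24})
    a, b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    verdicts = [
        sw.dhcp(3, 10, a, BOOTREQUEST, a),                                  # client DISCOVER
        sw.dhcp(5, 10, b, BOOTREPLY, a, "10.10.0.200"),                      # rogue OFFER, untrusted port
        sw.dhcp(24, 10, "00:00:5e:00:53:ff", BOOTREPLY, a, "10.10.0.50"),    # real ACK, trusted port
        sw.arp(3, 10, a, build_arp(ARP_REPLY, a, "10.10.0.50", b, "10.10.0.2")),  # legitimate reply
        sw.arp(5, 10, b, build_arp(ARP_REPLY, b, "10.10.0.1", a, "10.10.0.50")),  # gateway spoof
    ]
    for i in range(5):   # one port cycling MACs to drain the DHCP pool
        m = f"00:00:5e:00:53:{0x10 + i:02x}"
        verdicts.append(sw.dhcp(7, 10, m, BOOTREQUEST, m))
    return verdicts, sw.events
```

The dependency is visible in the scenario: the legitimate ARP reply is only accepted because the trusted-port DHCPACK created a binding for it first. Enabling dynamic ARP protection on a VLAN without DHCP snooping (or static bindings) would drop every ARP packet on its untrusted ports.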