HP ProCurve Threat Management Solution Design Guide 2009-04

Concepts
General Threat Management Architecture
Instrumentation monitor—This feature allows you to configure the switch to send SNMP traps when thresholds are exceeded for:
  Packets sent to closed TCP/UDP ports
  IP address count
  ARP requests received
  System resource usage
  System delay
  Switch login failures
  Port authentication failure
  MAC address count
  MAC moves
  Learn discard
SNMP authentication—The switch can detect SNMP authentication failures, which might indicate that an intruder is trying to gain access to the switch.
Command-line interface (CLI) password authorization failures—The CLI authorization feature links a network administrator’s login to a specific set of CLI commands. If the switch detects a number of password authorization failures that exceed the established limit, the switch can send an SNMP trap to NIM. This condition may indicate that a hacker is trying to access the switch.
NIM’s default policy for ProCurve wired infrastructure devices takes advantage of some of these security features. This default policy contains the following alerts:
  ARP protection errant reply—The switch received an unsolicited ARP reply.
  DHCP snooping errant reply—The switch received a DHCP Offer packet from a rogue DHCP server.
  Port security authentication failure—Web authentication, MAC authentication, or 802.1X authentication failed on a switch port.
  SNMP authorization failure—The switch’s SNMP agent received a protocol message that was not properly authenticated.
  Virus Throttle™—Virus Throttle (also called connection-rate filtering) detected a large number of IP connections within a short time period.
For a list of switches that support these detection features, see Chapter 3: “Products.”
You can also create alerts based on other SNMP traps that switches send.
HP ProCurve IDM (Optional)
Another PCM+ plug-in, IDM allows you to create policies that control access and network rights based on user, device, location, and time. IDM and NIM are integrated so that you can track additional information about offenders and take additional steps to protect the network when a threat is detected. With PCM+ and NIM, you can learn an offender’s MAC address, IP address, and host name. When IDM is added, you can also obtain the username and detailed session information. In addition, NIM and IDM can work together to prevent an offender from moving from one port to another. If the offender tries to authenticate from another port, IDM can deny or grant access, according to the action configured through a NIM mitigation policy.
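The detection-to-mitigation flow described in this section, as an added illustration that is not part of the guide or of the PCM+/NIM/IDM products: threshold counters produce trap conditions, traps are mapped to the default-policy alert names, an IDM session table adds the username, and a mitigation policy answers when a flagged device authenticates from a different port. All trap kinds, field names, threshold values and sample data are constructed assumptions.

```python
# Constructed model of the NIM/IDM flow; not ProCurve code or trap formats.

# NIM default-policy alerts named in the guide, keyed by a constructed trap kind.
DEFAULT_POLICY = {
    "arp_errant_reply": "ARP protection errant reply",
    "dhcp_errant_reply": "DHCP snooping errant reply",
    "port_auth_failure": "Port security authentication failure",
    "snmp_auth_failure": "SNMP authorization failure",
    "virus_throttle": "Virus Throttle",
}

# Instrumentation-monitor style thresholds (constructed values, per polling interval).
THRESHOLDS = {"login_failures": 3, "mac_moves": 5, "arp_requests": 100}


def threshold_traps(counters):
    """Return the counter names whose values exceed their thresholds, i.e. the
    conditions for which the switch would raise an SNMP trap. Counters without
    a configured threshold (e.g. "cpu") are ignored."""
    return sorted(k for k, v in counters.items() if k in THRESHOLDS and v > THRESHOLDS[k])


def enrich(trap, idm_sessions):
    """Turn one trap into a NIM alert. Without IDM only switch/port/MAC are known;
    with IDM the username and session id for the offender's MAC are attached."""
    alert = {
        "alert": DEFAULT_POLICY.get(trap["kind"], "SNMP trap: " + trap["kind"]),
        "switch": trap["switch"], "port": trap["port"], "mac": trap["mac"],
    }
    session = idm_sessions.get(trap["mac"])
    if session:
        alert["user"] = session["user"]
        alert["session"] = session["session_id"]
    return alert


class MitigationPolicy:
    """Offenders NIM has flagged, consulted by IDM on re-authentication so an
    offender cannot simply move to another port. Models only the port-move
    case the guide describes; `action` is the configured NIM mitigation action."""

    def __init__(self, action="deny"):
        self.action = action
        self.offenders = {}  # mac -> port where the threat was observed

    def flag(self, alert):
        self.offenders[alert["mac"]] = alert["port"]

    def on_authenticate(self, mac, port):
        if mac in self.offenders and self.offenders[mac] != port:
            return self.action  # flagged device moved ports: apply policy action
        return "grant"
```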