HP ProCurve Threat Management Solution Design Guide 2009-04
Concepts
General Threat Management Architecture
If you are using PCM+ 3.0, IDM 3.0, and NIM 2.0 and a NIM mitigation policy is triggered, the settings specified in the NIM policy override the settings specified in the IDM policy for the user in question. For example, suppose a user's IDM access policy includes a dynamic VLAN assignment. During a network session, the user's workstation exhibits behavior that triggers a NIM policy that includes only a rate limit. For the rest of that session, the user keeps the other IDM policy settings that were defined (such as the dynamic VLAN), but the rate limit from the NIM policy overrides whatever rate limit setting the IDM policy has (such as no rate limit).
When the user re-authenticates, however, the NIM policy completely replaces the IDM policy. All the settings in the NIM policy, including settings that have not been explicitly defined, entirely replace the settings in the IDM policy. When the user in the example above re-authenticates, the user receives the rate limit setting but no VLAN assignment (because the NIM policy does not include a VLAN assignment). If you want the user to continue to receive the dynamic VLAN assignment, you must define that setting (as well as the rate limit) in the NIM policy.
A software update scheduled for release this year will change this behavior: when a NIM policy is triggered, only the settings that are explicitly defined in the NIM policy will override the settings in the IDM policy when the user re-authenticates. In the example above, NIM will apply the rate limit that is set in the NIM policy but leave the VLAN assignment that was set in the IDM policy. When the user re-authenticates, the user will receive the same combined settings: the rate limit from the NIM policy and the VLAN assignment from the IDM policy. (Check the ProCurve Web site at www.procurve.com for updates to this and other products.)
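The precedence rules above, modeled as an added example (not code from the guide or from PCM+, IDM or NIM): a policy is a set of optionally defined settings, a NIM mitigation is merged onto the user's IDM policy under the mid-session rule, the current re-authentication rule and the rule described for the scheduled update, and an audit check lists the IDM settings a NIM policy would silently drop at re-authentication. The setting names, the "Employees" VLAN and the kbps unit are assumptions.

```python
from dataclasses import dataclass, fields
from typing import Optional

# Constructed model of IDM/NIM policy precedence. A field set to None means the
# policy does not explicitly define that setting.
@dataclass(frozen=True)
class AccessPolicy:
    vlan: Optional[str] = None        # dynamic VLAN assignment
    rate_limit: Optional[int] = None  # rate limit (kbps assumed for this example)

def override_defined(idm: AccessPolicy, nim: AccessPolicy) -> AccessPolicy:
    """Only settings the NIM policy explicitly defines replace the IDM values;
    everything NIM leaves undefined is kept from the IDM policy."""
    merged = {
        f.name: getattr(nim, f.name) if getattr(nim, f.name) is not None
        else getattr(idm, f.name)
        for f in fields(AccessPolicy)
    }
    return AccessPolicy(**merged)

def effective_during_session(idm: AccessPolicy, nim: AccessPolicy) -> AccessPolicy:
    """Mid-session with PCM+ 3.0 / IDM 3.0 / NIM 2.0: selective override."""
    return override_defined(idm, nim)

def effective_after_reauth_current(idm: AccessPolicy, nim: AccessPolicy) -> AccessPolicy:
    """Re-authentication with the current releases: NIM replaces the IDM policy
    wholesale, undefined NIM settings included, so the IDM VLAN is lost."""
    return nim

def effective_after_reauth_updated(idm: AccessPolicy, nim: AccessPolicy) -> AccessPolicy:
    """Re-authentication after the scheduled update: same selective override."""
    return override_defined(idm, nim)

def settings_lost_on_reauth(idm: AccessPolicy, nim: AccessPolicy) -> list:
    """Audit helper: IDM settings that are defined but absent from the NIM
    policy, i.e. the ones a user silently loses at re-authentication today."""
    return [f.name for f in fields(AccessPolicy)
            if getattr(idm, f.name) is not None and getattr(nim, f.name) is None]

# The guide's worked example, with constructed values.
IDM_EXAMPLE = AccessPolicy(vlan="Employees", rate_limit=None)  # dynamic VLAN, no rate limit
NIM_EXAMPLE = AccessPolicy(rate_limit=1000)                    # rate limit only

if __name__ == "__main__":
    print("during session  :", effective_during_session(IDM_EXAMPLE, NIM_EXAMPLE))
    print("reauth (current):", effective_after_reauth_current(IDM_EXAMPLE, NIM_EXAMPLE))
    print("reauth (updated):", effective_after_reauth_updated(IDM_EXAMPLE, NIM_EXAMPLE))
    print("lost on reauth  :", settings_lost_on_reauth(IDM_EXAMPLE, NIM_EXAMPLE))
```

Running `settings_lost_on_reauth` over every NIM policy before deployment flags exactly the settings the guide says you must duplicate into the NIM policy under the current releases.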
Supported Third-Party Security Device (Optional)
NIM supports third-party security devices such as an intrusion detection system/intrusion prevention system (IDS/IPS) or a Unified Threat Management (UTM) system.
An IDS monitors network traffic for threats, such as viruses, worms, Trojans, denial-of-service (DoS) attacks, and so on. When an IDS detects such threats, it can create a log message, send an email to a network administrator, or send a notification to another device. An IPS can detect the same types of threats, but it can also mitigate these threats. For example, an IPS may take an action such as blocking the traffic.
UTMs are multifaceted security systems that provide IDS/IPS, firewall, antivirus, antispam, VPN, and content-filtering capabilities. In a Threat Management Solution, the IDS/IPS functions of a UTM operate as a standalone IDS/IPS device and will be treated accordingly in this guide.
These security devices can be deployed in several ways, depending on the capabilities of the device.
■ Inline IPS—You can place an IPS inline with the traffic that you want to monitor. An advantage of using an inline IPS is that you can detect threats as they occur. If you are using an IPS, you can configure it to take immediate action against threats. The disadvantage of using this approach is that you will probably require multiple IPSs to deploy at various choke points on the network.