HP ProCurve Threat Management Solution Design Guide 2009-04

Concepts
General Threat Management Architecture
In monitor mode, the TMS zl Module operates as an IDS: it analyzes a copy of the traffic that is
mirrored to it and detects protocol anomalies, known attacks, viruses, worms, and lax
security practices. Because it sees only a mirrored copy, it does not sit in the traffic path and
cannot block anything in this mode. When it detects a threat, it can log an event, send a
notification to a network administrator, or send a notification to an SNMP management
console such as PCM+/NIM.
Figure 2-5. Threat Management Solution with the TMS zl Module Operating in Monitor Mode
Detecting and Responding to Threats
These components work together to detect and respond to threats, as described below:
Figure 2-6. Threat Management Solution’s Ability to Detect and Respond to Threats
1. Several detection activities happen simultaneously:
NIM analyzes traffic metrics (an sFlow or XRMON stream of sampled traffic) from the
network, looking for anomalies that indicate the presence of a threat. This process is
called network behavior anomaly detection, or NBAD.
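The following is an added illustration of the NBAD idea described above; it is not NIM's or PCM+'s own code, and its flow record layout (timestamp, source, destination, port, protocol, sampled bytes), the host addresses and the traffic it analyzes are all constructed for the example. It tracks one behavioral metric per host, the number of distinct destinations contacted per one-minute window ("fan-out"), builds a per-host baseline from earlier windows, and raises an alert when a host's fan-out jumps far above its own baseline, which is what worm propagation or scanning looks like in sampled flow data.

```python
"""Network behavior anomaly detection (NBAD) over sampled flow records.

Added example, not the NIM/PCM+ implementation. It assumes a simplified flow
record derived from an sFlow sample:
    (timestamp_s, src_ip, dst_ip, dst_port, proto, sampled_bytes)
The metric is per-source fan-out: how many distinct destinations a host
contacts per window. Because sFlow samples 1 in N packets, the counts are
underestimates of the real fan-out; the detector compares a host against its
own history, so the sampling rate cancels out as long as it stays constant.
"""
from collections import defaultdict
from statistics import mean, pstdev

WINDOW_SEC = 60


def build_samples():
    """Constructed sample data (not captured traffic): five normal one-minute
    windows, then a sixth in which 10.0.0.2 contacts 40 new hosts on TCP/445."""
    samples = []
    for window in range(6):
        base = window * WINDOW_SEC
        for h in range(1, 5):                      # hosts 10.0.0.1 - 10.0.0.4
            for s in range(1, 4):                  # each talks to 3 servers
                samples.append((base + s, f"10.0.0.{h}", f"10.0.1.{s}", 443, "tcp", 1500))
        if window == 5:
            for i in range(1, 41):                 # worm-like fan-out from 10.0.0.2
                samples.append((base + 30, "10.0.0.2", f"10.0.2.{i}", 445, "tcp", 64))
            # one extra, benign destination for 10.0.0.3: must NOT alert
            samples.append((base + 40, "10.0.0.3", "10.0.1.9", 22, "tcp", 200))
    return samples


def fan_out_per_window(samples, window_sec=WINDOW_SEC):
    """Return {window_index: {src_ip: number of distinct dst_ip}}.

    Hosts absent from a window get no entry (rather than 0); a production
    detector should fill those gaps so quiet periods lower the baseline.
    """
    dsts = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, _dport, _proto, _nbytes in samples:
        dsts[ts // window_sec][src].add(dst)
    return {w: {src: len(d) for src, d in per_src.items()} for w, per_src in dsts.items()}


def detect_fan_out_anomalies(samples, k=3.0, min_history=3, min_fan_out=10):
    """Flag sources whose fan-out in a window exceeds their own rolling baseline.

    threshold = max(min_fan_out, mean + k * stdev) over the host's earlier windows.
    The absolute floor matters: a host with a perfectly steady history has
    stdev 0, so any increase at all would beat mean + k*0 and page someone.
    Hosts with fewer than min_history windows of history are judged only by the floor.
    """
    per_window = fan_out_per_window(samples)
    history = defaultdict(list)     # src_ip -> fan-out in each earlier window
    alerts = []
    for w in sorted(per_window):    # process windows in time order
        for src, n in per_window[w].items():
            hist = history[src]
            if len(hist) >= min_history:
                threshold = max(min_fan_out, mean(hist) + k * pstdev(hist))
            else:
                threshold = min_fan_out
            if n > threshold:
                alerts.append({"window": w, "src": src, "fan_out": n,
                               "threshold": threshold, "history": list(hist)})
            hist.append(n)          # the window becomes part of the baseline
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out_anomalies(build_samples()):
        print(f"NBAD: {alert['src']} reached {alert['fan_out']} distinct destinations "
              f"in window {alert['window']} (threshold {alert['threshold']:.1f}, "
              f"history {alert['history']})")
```

On the constructed data this raises exactly one alert, for 10.0.0.2 in the sixth window, while the host that merely added one new destination stays below the floor. The two knobs a practitioner tunes are `k` (how many standard deviations above the host's own norm count as anomalous) and `min_fan_out` (the absolute floor); the history in a real deployment is a sliding window rather than everything seen so far, and an anomalous window should not be folded into the baseline without review, or a slow-ramping attacker trains the detector to accept the new level.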
[Figure 2-5 labels: ProCurve Switch; traffic in from network; traffic out to network; mirrored traffic (in tunnel); TMS zl Module in monitor mode]