HP ProCurve Threat Management Solution Design Guide 2009-04
2-9
Concepts
General Threat Management Architecture
• If the HP ProCurve Threat Management Solution includes an external security device
(either a third-party device or the TMS zl Module operating in monitor mode) and NIM
detects a threat, NIM can cause the switch to send the traffic stream from the affected
port to the external security device for more detailed analysis. If the external security
device confirms a threat, it sends an alert to NIM.
• If the ProCurve infrastructure includes ProCurve switches that can analyze network
traffic for behavioral patterns that indicate a virus, these switches will detect
suspicious traffic and take action (blocking propagation of the virus across subnet
boundaries, for example) and/or send an alert to NIM.
• If the Threat Management Solution includes a TMS zl Module that is operating in
routing mode, it filters traffic, using its firewall and IDS/IPS. The TMS zl Module looks
for known attacks, malware, and lax security practices. If it detects such a threat, the
TMS zl Module can take the action (such as block traffic or terminate a user session)
that you configured, send an alert to NIM, or both.
2. If NIM detects a threat or receives a threat notification from a switch or external security
device, it does the following:
• It uses the Find Node capability of PCM+ to determine the switch or wireless device
port, or the IP address, that is the source of the threat. If you are also using
IDM, NIM uses IDM to learn the username associated with the threatening traffic.
• If you have set up and enabled a policy to handle the specific type of threat, NIM
responds to the threat by directing the switch, security device, or wireless device to
take action at that port or across a range of ports. This action typically shuts down the
offender’s port, assigns the port to a quarantine VLAN, locks out the offending MAC
address, or takes some other remedial action.
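The two steps above (locate the source, then apply the configured policy) can be modeled as a small decision routine. The following is an added example written for this guide's description, not HP code or a NIM API: the switch names, MAC addresses, usernames, VLAN number, threat-type names and the MAC and session tables are all constructed, and the ProCurve CLI strings it emits (`interface <port> disable`, `vlan <vid> untagged <port>`, `lockout-mac <mac>`) are assumed syntax, not taken from this page. It also shows the two cases where NIM falls back to raising an alert only: no enabled policy for the threat type, and a source that Find Node cannot locate.

```python
"""Added example (not HP/ProCurve code): a minimal model of the NIM response
flow -- alert in, Find Node lookup, IDM username lookup, policy decision,
switch action.  All names, addresses, tables and CLI syntax are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Alert:
    """A threat notification as NIM would receive it from a switch or security device."""
    threat_type: str            # constructed type names, e.g. "virus-throttle"
    src_mac: str                # MAC of the offending host
    src_ip: Optional[str] = None


@dataclass(frozen=True)
class Node:
    """Result of a Find Node lookup: the switch and port the MAC is attached to."""
    switch: str
    port: str


@dataclass(frozen=True)
class Policy:
    """A configured response for one threat type."""
    action: str                 # "disable-port" | "quarantine-vlan" | "lockout-mac"
    quarantine_vlan: int = 0
    enabled: bool = True


# Constructed stand-in for the PCM+ Find Node data (learned MAC -> switch/port).
MAC_TABLE = {
    "00:1b:3f:aa:bb:01": Node("edge-sw-01", "A5"),
    "00:1b:3f:aa:bb:02": Node("edge-sw-02", "B12"),
}
# Constructed stand-in for IDM session data (authenticated MAC -> username).
IDM_SESSIONS = {"00:1b:3f:aa:bb:01": "jdoe", "00:1b:3f:aa:bb:02": "asmith"}
# Constructed policy table: threat type -> configured response.
POLICIES = {
    "virus-throttle": Policy("quarantine-vlan", quarantine_vlan=999),
    "ids-signature": Policy("disable-port"),
    "rogue-dhcp": Policy("lockout-mac"),
    "port-scan": Policy("disable-port", enabled=False),   # defined but not enabled
}


def find_node(mac: str) -> Optional[Node]:
    """Model of PCM+ Find Node: resolve the offending MAC to a switch and port."""
    return MAC_TABLE.get(mac.lower())


def lookup_user(mac: str) -> Optional[str]:
    """Model of the IDM lookup: map a MAC to the authenticated username, if any."""
    return IDM_SESSIONS.get(mac.lower())


def _procurve_mac(mac: str) -> str:
    """Render aa:bb:cc:dd:ee:ff as aabbcc-ddeeff (assumed ProCurve CLI MAC format)."""
    digits = mac.replace(":", "").replace("-", "").lower()
    return f"{digits[:6]}-{digits[6:]}"


def switch_commands(policy: Policy, node: Node, mac: str) -> list:
    """Render the remedial action as switch CLI lines (syntax assumed, not from the guide)."""
    if policy.action == "disable-port":
        return [f"interface {node.port} disable"]
    if policy.action == "quarantine-vlan":
        return [f"vlan {policy.quarantine_vlan} untagged {node.port}"]
    if policy.action == "lockout-mac":
        return [f"lockout-mac {_procurve_mac(mac)}"]
    raise ValueError(f"unknown action {policy.action!r}")


def respond(alert: Alert) -> dict:
    """Handle one alert the way the text describes NIM doing it; return a record of the outcome."""
    node = find_node(alert.src_mac)
    record = {
        "threat": alert.threat_type,
        "mac": alert.src_mac,
        "user": lookup_user(alert.src_mac),
        "switch": node.switch if node else None,
        "port": node.port if node else None,
        "action": "alert-only",
        "commands": [],
    }
    policy = POLICIES.get(alert.threat_type)
    if policy is None or not policy.enabled:
        record["note"] = "no enabled policy for this threat type; alert raised only"
        return record
    if node is None:
        # Every configured action targets a switch/port, so an unlocated source
        # cannot be acted on automatically; NIM can only raise the alert.
        record["note"] = "Find Node could not locate the source; alert raised only"
        return record
    record["action"] = policy.action
    record["commands"] = switch_commands(policy, node, alert.src_mac)
    return record


if __name__ == "__main__":
    for a in (Alert("virus-throttle", "00:1b:3f:aa:bb:01", "10.1.5.23"),
              Alert("port-scan", "00:1b:3f:aa:bb:02"),
              Alert("ids-signature", "00:1b:3f:00:00:99")):
        print(respond(a))
```

The policy check comes before the Find Node result is used because the text makes the response conditional on a policy being set up and enabled; an alert for a threat type with no enabled policy is still correlated to a port and user for the operator, but no switch command is issued.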