HP ProCurve Threat Management Solution Design Guide 2009-04

Concepts
The Security Management Life Cycle
A policy takes the general form shown below.
If <threat>, then <response>
For example, a policy might be:
If a known virus is detected, block the port that it comes from.
A policy could include a collection of similar threats and responses.
The available choices for threats and responses come from NIM, HP ProCurve switches, HP
ProCurve security devices, and third-party security devices.
You can also configure policies that are based on:
Time—By default, policies apply at all times. However, you can apply a policy during predefined time periods such as Business Hours. You can also create your own times.
Sources or location—Rather than apply a policy to all traffic in a network, you can select a particular device group and have NIM apply the policy only for alerts originating from that group. The device group can be one of PCM+’s default groups (that is, a particular switch family), but more commonly policies are applied to a PCM agent group or a custom group that is defined for a particular location.
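The policy form described above, with its optional time and source restrictions, can be modelled as a small rule evaluator. The following is an added example, not code from the guide or from NIM; the class names, the "Business Hours" definition and the constructed alerts are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of an "If <threat>, then <response>" policy with the two optional
# restrictions the guide describes: a predefined time period and a source device group.
# Names and fields are assumptions for illustration, not NIM's own API.


@dataclass(frozen=True)
class TimePeriod:
    name: str
    start: time
    end: time
    weekdays: FrozenSet[int] = frozenset(range(5))  # Monday=0 .. Friday=4

    def contains(self, ts: datetime) -> bool:
        return ts.weekday() in self.weekdays and self.start <= ts.time() < self.end


# Assumed definition of the predefined "Business Hours" period.
BUSINESS_HOURS = TimePeriod("Business Hours", time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Alert:
    threat: str          # threat type as reported by a switch, the TMS zl Module or an IDS
    source_device: str   # device that raised the alert
    source_port: str     # port the offending traffic arrived on
    device_group: str    # PCM+ group the source device belongs to
    timestamp: datetime


@dataclass(frozen=True)
class Policy:
    name: str
    threats: FrozenSet[str]                    # a collection of similar threats
    response: str                              # e.g. "block_port"
    time_period: Optional[TimePeriod] = None   # None: applies at all times (the default)
    device_group: Optional[str] = None         # None: applies to alerts from any source

    def applies_to(self, alert: Alert) -> bool:
        if alert.threat not in self.threats:
            return False
        if self.time_period is not None and not self.time_period.contains(alert.timestamp):
            return False
        if self.device_group is not None and alert.device_group != self.device_group:
            return False
        return True


def evaluate(policies: List[Policy], alert: Alert) -> List[Tuple[str, str]]:
    """Return (policy name, response) for every policy the alert triggers."""
    return [(p.name, p.response) for p in policies if p.applies_to(alert)]


# Constructed policies: one unrestricted, one limited to a time period and a device group.
POLICIES = [
    Policy("Block virus sources", frozenset({"known_virus", "worm"}), "block_port"),
    Policy("Rate-limit scanners in Building A during business hours",
           frozenset({"port_scan"}), "rate_limit_port",
           time_period=BUSINESS_HOURS, device_group="Building-A"),
]


def demo() -> List[List[Tuple[str, str]]]:
    """Evaluate three constructed alerts; returns the triggered responses for each."""
    during = datetime(2009, 4, 7, 10, 30)   # a Tuesday, inside Business Hours
    after = datetime(2009, 4, 7, 22, 0)     # same day, after hours
    alerts = [
        Alert("known_virus", "switch-a1", "A12", "Building-A", during),
        Alert("port_scan", "switch-a1", "A13", "Building-A", during),
        Alert("port_scan", "switch-a1", "A13", "Building-A", after),
    ]
    return [evaluate(POLICIES, a) for a in alerts]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The third alert produces no response because the only matching policy is restricted to Business Hours; an alert of the same type from a device outside Building-A is likewise ignored, which is the behaviour to verify when a location-scoped policy appears not to fire.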
Threat Detection
The next step in the security management life cycle is threat detection. Threats can be detected
in a variety of ways, depending on how you design your HP ProCurve Threat Management
Solution. NIM, the ProCurve infrastructure, the TMS zl Module, or third-party security devices
can detect threats.
The following technologies can be used in the detection process.
sFlow—Most HP ProCurve switches, the HP ProCurve AP 530, and the HP ProCurve Wireless Edge Services zl/xl Module (WESM) can provide sampled traffic data using sFlow. When configured for sFlow, the switch, AP 530, or WESM samples traffic from one or more ports and provides the sampled traffic to PCM+ or another sFlow collector. NIM then analyzes the sFlow data to detect behavioral anomalies. Note that NIM also supports XRMON in exactly the same way that it handles sFlow.
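To make the behavioral-anomaly step concrete, here is an added example (not from the guide, and not NIM's analysis) that takes already-decoded sampled-traffic records of the kind an sFlow collector produces and flags sources whose destination-port fan-out, destination-host fan-out or estimated packet volume exceeds a threshold. The record layout, the sampling rate, the thresholds and the sample data are all constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sampled-traffic records standing in for decoded sFlow flow samples:
# (agent, src_ip, dst_ip, dst_port, sampling_rate). A sampling rate of 512 means each
# sampled packet represents roughly 512 packets on the monitored port, so counts must be
# scaled by the rate to estimate real volume. Data and thresholds are illustrative only.
Sample = Tuple[str, str, str, int, int]

NORMAL: List[Sample] = (
    [("switch-1", "10.0.0.5", "10.0.1.10", 443, 512)] * 4
    + [("switch-1", "10.0.0.5", "10.0.1.11", 80, 512)] * 2
)
# One source touching 15 distinct ports on one host: the shape of a port sweep.
SCAN: List[Sample] = [("switch-1", "10.0.0.99", "10.0.1.20", port, 512) for port in range(20, 35)]
SAMPLES: List[Sample] = NORMAL + SCAN


def summarize(samples: List[Sample]) -> Dict[str, dict]:
    """Aggregate per source: estimated packets, distinct destination ports and hosts."""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"est_packets": 0, "dst_ports": set(), "dst_hosts": set()}
    )
    for _agent, src, dst, dport, rate in samples:
        entry = per_src[src]
        entry["est_packets"] += rate          # each sample stands for ~rate packets
        entry["dst_ports"].add(dport)
        entry["dst_hosts"].add(dst)
    return dict(per_src)


def detect_anomalies(samples: List[Sample], max_ports: int = 10, max_hosts: int = 10,
                     max_est_packets: int = 100_000) -> Dict[str, List[str]]:
    """Return {source_ip: [reasons]} for sources that exceed any threshold."""
    findings: Dict[str, List[str]] = {}
    for src, entry in summarize(samples).items():
        reasons: List[str] = []
        if len(entry["dst_ports"]) > max_ports:
            reasons.append("port_fanout")
        if len(entry["dst_hosts"]) > max_hosts:
            reasons.append("host_fanout")
        if entry["est_packets"] > max_est_packets:
            reasons.append("volume")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in detect_anomalies(SAMPLES).items():
        print(f"{src}: {', '.join(reasons)}")
```

Because the data is sampled, activity that generates few packets may never appear in the samples at all; thresholds therefore need to be set against the configured sampling rate, and a quiet scan is better caught by an IDS on a mirror port than by sFlow alone.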
Port mirroring—HP ProCurve switches can copy the traffic from selected ports and provide it as a data stream to a mirror port. An IDS/IPS device connected to the mirror port can then analyze the data stream and look for threats. There are two types of port mirroring:
Local mirroring—In local mirroring, the source ports and the mirror port are on the same switch. Most currently available HP ProCurve switches and many older HP ProCurve switches support local mirroring. For a list of switches that support local mirroring, see Chapter 3: “Products.”