HP ProCurve Threat Management Solution Design Guide 2009-04
2-13
Concepts
The Security Management Life Cycle
The following ProCurve switches support MAC mirroring:
• HP ProCurve 3500yl Series switch
• HP ProCurve 5400zl Series switch
• HP ProCurve 6200yl switch
• HP ProCurve 6600 Series switch
• HP ProCurve 8200zl Series switch
■ Virus Throttle™ technology (connection-rate filtering)—Certain switches can use HP ProCurve’s Virus Throttle™ technology to detect virus activity based on traffic behavior rather than on comparison with known virus signatures. A switch that is set up for Virus Throttle™ monitors traffic to detect abnormally high numbers of connection attempts. When a switch detects this abnormality, it can take different actions, depending on how you have configured it. It can:
• Limit traffic from the offending host
• Block the traffic entirely
• Send a notification to NIM
If you configure the switch to send a notification, NIM can then take an action based on a policy that you have set up.
Currently the following switches support the Virus Throttle™ technology:
• HP ProCurve 3500yl Series switch
• HP ProCurve 5300xl Series switch
• HP ProCurve 5400zl Series switch
• HP ProCurve 6200yl switch
• HP ProCurve 6600 Series switch
• HP ProCurve 8200zl Series switch
Chapter 3: “Products” includes details about the HP ProCurve products that support these technologies. Chapter 4: “Design” contains more information on how these technologies are used.
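To make the connection-rate filtering idea concrete, here is an added illustration (not HP ProCurve firmware code, and not the switch’s actual algorithm) of how a detector can tell a worm-like host from a normal client by counting distinct destinations contacted within a sliding window, then escalating from limit to block and recording a notification for NIM. The window size and thresholds are assumed values chosen for the demo.

```python
"""Illustrative connection-rate filter in the spirit of Virus Throttle.
Added example; thresholds and window are assumptions, not HP defaults."""
from collections import defaultdict, deque

WINDOW_SECONDS = 10      # sliding window per source host (assumed)
LIMIT_THRESHOLD = 20     # distinct destinations above this: rate-limit (assumed)
BLOCK_THRESHOLD = 50     # distinct destinations above this: block (assumed)


class ConnectionRateFilter:
    def __init__(self, window=WINDOW_SECONDS, limit=LIMIT_THRESHOLD,
                 block=BLOCK_THRESHOLD):
        self.window, self.limit, self.block = window, limit, block
        self._attempts = defaultdict(deque)   # src -> (timestamp, dst) in window
        self.notifications = []               # what would be sent to NIM

    def observe(self, ts, src, dst):
        """Record one connection attempt and return the action for this host."""
        q = self._attempts[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:   # expire old attempts
            q.popleft()
        # A scanning worm contacts many distinct hosts; a client that
        # reconnects to the same few servers stays well under the threshold.
        distinct = len({d for _, d in q})
        if distinct > self.block:
            action = "block"
        elif distinct > self.limit:
            action = "limit"
        else:
            return "allow"
        self.notifications.append((ts, src, action, distinct))
        return action


def run_demo():
    """Replay constructed sample traffic; return last action per host and notifications."""
    f = ConnectionRateFilter()
    events = []
    # Constructed normal client: 30 connections to the same 3 servers over 30 s.
    for i in range(30):
        events.append((i, "10.1.1.10", f"10.2.0.{1 + i % 3}"))
    # Constructed worm-like host: a new destination every 0.1 s, 60 hosts in 6 s.
    for i in range(60):
        events.append((i * 0.1, "10.1.1.99", f"10.3.0.{i + 1}"))
    last = {}
    for ts, src, dst in sorted(events):
        last[src] = f.observe(ts, src, dst)
    return last, f.notifications
```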
Threat Detection Strategies—The HP ProCurve Threat Management Solution uses the following to detect threats:
■ NBAD—As mentioned earlier, NIM uses NBAD to detect anomalous, and possibly threatening, behavior in network traffic. NBAD monitors a stream of sampled traffic sent to it by switches and wireless devices on the network and builds a profile of what normal traffic looks like. (Information about network traffic can be seen at a glance on the Network Immunity Manager Dashboard as shown in Figure 2-10.) When NIM senses a departure from normal—an anomaly—it can trigger an alert and then take a predetermined action based on the alert. A typical action might be to instruct a switch to shut down the port from which the anomaly originates.