HP ProCurve Threat Management Solution Design Guide 2009-04
2-14
Concepts
The Security Management Life Cycle
Figure 2-10. Network Immunity Manager Dashboard in PCM+
In addition to detecting threats, NIM also uses the Find Node capability of PCM+ to
determine the switch port or AP where the threat originates. This allows any threat
response actions to be applied at the point in the network where they will be most effective.
■ Signature detection—An IDS/IPS (such as the TMS zl Module's IDS/IPS) can use signatures
to detect threats. A signature is a preset definition that specifies characteristics that are
indicative of a particular attack. The IDS/IPS checks all traffic for the characteristics that
are defined in that signature. For example, the signature for a virus might define the
destination port that the virus targets, which the module checks in the TCP or UDP header.
The signature might also specify the commands that the virus executes, which the module
checks in the packet payload.
Signature-based detection identifies known threats with a high degree of certainty. However,
because a signature must first be written for each new threat, signature-based detection
does not detect new or undocumented threats, nor variants of a known attack that the
existing signature does not cover.
■ Protocol anomaly detection—An IDS/IPS can also inspect the application-layer protocol
carried in the packet payload for protocol anomalies. Because each application protocol
defines expected message formats and behavior, the IDS/IPS can verify that traffic for a
particular application conforms to that specification and flag traffic that does not. Because
this check does not depend on a signature for the specific attack, protocol anomaly detection
can help the IDS/IPS identify new attacks, at the cost of more false positives when legitimate
but non-conforming implementations are present on the network.
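The following is an added example, not code from the HP ProCurve guide or from the TMS zl Module, that shows the two detection methods described above side by side: a signature check that matches on the transport header (protocol and destination port) first and then on a payload pattern, and a protocol anomaly check that validates the HTTP request line against the expected shape. The signatures, the request-line limit of 2048 bytes and the sample packets are all constructed for illustration; the third sample packet matches no signature but is caught by the anomaly check, which is the point the text makes.

```python
"""Toy signature and protocol-anomaly matcher (added example, not vendor code)."""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str        # "tcp" or "udp"
    dst_port: int     # destination port from the TCP/UDP header
    payload: bytes    # application-layer data


# Constructed sample signatures: (name, protocol, destination port, payload pattern).
# Names and patterns are hypothetical, not taken from any vendor signature feed.
SIGNATURES = [
    ("EXAMPLE-IRC-BOT-CMD", "tcp", 6667,
     re.compile(rb"PRIVMSG \S+ :!(ddos|scan|update)\b")),
    ("EXAMPLE-TFTP-BINARY-FETCH", "udp", 69,
     re.compile(rb"\x00\x01[^\x00]+\.exe\x00octet\x00", re.I)),
    ("EXAMPLE-HTTP-CMD-INJECT", "tcp", 80,
     re.compile(rb"[?&]cmd=(?:%20|\s)*(?:cat|wget|nc)\b")),
]


def match_signatures(pkt):
    """Signature detection: cheap header fields first, payload regex only on a port match."""
    hits = []
    for name, proto, port, pattern in SIGNATURES:
        if pkt.proto == proto and pkt.dst_port == port and pattern.search(pkt.payload):
            hits.append(name)
    return hits


HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
MAX_REQUEST_LINE = 2048   # assumed local policy limit, not an RFC value


def http_request_anomalies(payload):
    """Protocol anomaly detection for the HTTP request line: method SP target SP version."""
    anomalies = []
    line, sep, _ = payload.partition(b"\r\n")
    if not sep:
        return ["no-crlf-terminated-request-line"]
    if len(line) > MAX_REQUEST_LINE:
        anomalies.append("request-line-too-long")
    parts = line.split(b" ")
    if len(parts) != 3:
        anomalies.append("request-line-not-three-tokens")
        return anomalies
    method, target, version = parts
    if method not in HTTP_METHODS:
        anomalies.append("unknown-method")
    if not re.fullmatch(rb"HTTP/1\.[01]", version):
        anomalies.append("bad-version")
    if re.search(rb"[\x00-\x1f\x7f]", target):
        anomalies.append("control-chars-in-target")
    return anomalies


def inspect(pkt):
    """Run both methods; the anomaly check only applies to traffic we treat as HTTP."""
    result = {"signatures": match_signatures(pkt), "anomalies": []}
    if pkt.proto == "tcp" and pkt.dst_port == 80:
        result["anomalies"] = http_request_anomalies(pkt.payload)
    return result


# Constructed sample packets.
SAMPLES = {
    "benign_http": Packet("tcp", 80,
                          b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "known_bad_http": Packet("tcp", 80,
                             b"GET /cgi-bin/x.cgi?cmd=cat%20/etc/passwd HTTP/1.1\r\nHost: x\r\n\r\n"),
    # No signature covers this, but the request line violates the protocol.
    "unknown_bad_http": Packet("tcp", 80,
                               b"GETX /" + b"A" * 3000 + b" HTTP/9.9\r\n\r\n"),
    "irc_bot": Packet("tcp", 6667, b"PRIVMSG #c :!ddos 10.0.0.5\r\n"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, inspect(pkt))
```

Running the block shows the trade-off from the text: the command-injection request and the IRC bot command are reported by name because a signature exists for them, while the malformed request is reported only by the anomaly check, with no indication of which attack it is.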
When NIM detects a threat or is notified of a threat by another component in the Threat
Management Solution, it can trigger an alert. You can then configure actions based on individual
alerts, as described in the next section.