HP ProCurve Threat Management Solution Design Guide 2009-04
Concepts
The Security Management Life Cycle
Figure 2-11 shows the PCM+ Policy Manager. As you can see, there are preconfigured alerts
for the TMS zl Module and the third-party security devices that NIM supports. You can also
modify these preconfigured alerts or create new ones.
Figure 2-11. Default ProCurve Threat Management Services Alert Window
Interaction of NIM and IDM—Starting with NIM v2.0 and IDM v3.0, NIM actions take
precedence over IDM actions both immediately, when the NIM mitigation policy is triggered,
and when a user tries to reauthenticate.
For example, suppose that a user has authenticated and been placed in a VLAN by an IDM
access policy. The user's laptop is infected with a virus, which NIM detects. The action for the
related alert is to place the user's traffic in a quarantine VLAN. The user's traffic is immediately
placed in the quarantine VLAN because the NIM action overrides the VLAN assignment in the
IDM policy. In addition, if this user tries to reauthenticate from either the current or a different
port, the user's traffic will still be placed in the quarantine VLAN, because the mitigation is tied
to the user, not to the port on which the infection was first seen.
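The following is an added illustrative model of the NIM-over-IDM precedence rule described above. It is not NIM or IDM code and does not use their APIs; the class names, the quarantine VLAN ID 999, the user "alice", the port names and the release step at the end are all assumptions made for the example. What it shows is that the quarantine is applied immediately to every active session of the user and that it is keyed to the user identity, so reauthenticating on a different port still yields the quarantine VLAN until the mitigation is released.

```python
"""Hypothetical model of NIM mitigation taking precedence over an IDM access policy."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

QUARANTINE_VLAN = 999  # assumed quarantine VLAN ID; not taken from the design guide


@dataclass
class IdmAccessPolicy:
    """Stand-in for an IDM access policy: user -> VLAN granted on authentication."""
    vlan_by_user: Dict[str, int]

    def vlan_for(self, user: str) -> Optional[int]:
        return self.vlan_by_user.get(user)


@dataclass
class NimMitigation:
    """Stand-in for NIM mitigation state. Keyed by user identity, not by port,
    so the quarantine follows the user to any port they reauthenticate on."""
    quarantined: Dict[str, str] = field(default_factory=dict)  # user -> reason

    def quarantine(self, user: str, reason: str) -> None:
        self.quarantined[user] = reason

    def release(self, user: str) -> None:
        # Assumed step: the guide does not describe how a quarantine is lifted.
        self.quarantined.pop(user, None)


@dataclass
class Network:
    idm: IdmAccessPolicy
    nim: NimMitigation
    # port -> (user, effective VLAN) for every currently authenticated session
    sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def effective_vlan(self, user: str) -> Optional[int]:
        """The NIM action wins over the IDM assignment whenever both apply."""
        if user in self.nim.quarantined:
            return QUARANTINE_VLAN
        return self.idm.vlan_for(user)

    def authenticate(self, user: str, port: str) -> Optional[int]:
        """Initial authentication or reauthentication on any port."""
        vlan = self.effective_vlan(user)
        if vlan is None:
            return None  # no access policy matched this user
        self.sessions[port] = (user, vlan)
        return vlan

    def nim_alert(self, user: str, reason: str) -> List[str]:
        """NIM raises an alert whose action is quarantine: it takes effect at once on
        every port where the user is active, without waiting for reauthentication."""
        self.nim.quarantine(user, reason)
        moved = []
        for port, (u, _) in self.sessions.items():
            if u == user:
                self.sessions[port] = (u, QUARANTINE_VLAN)
                moved.append(port)
        return moved


def scenario() -> List[Tuple[str, Optional[int]]]:
    """Walk through the guide's example and record the user's VLAN at each step."""
    net = Network(IdmAccessPolicy({"alice": 20}), NimMitigation())
    trace = []
    trace.append(("auth port A1", net.authenticate("alice", "A1")))
    net.nim_alert("alice", "virus signature match")          # constructed alert
    trace.append(("after NIM alert", net.sessions["A1"][1]))
    trace.append(("reauth port A1", net.authenticate("alice", "A1")))
    trace.append(("reauth port B7", net.authenticate("alice", "B7")))
    net.nim.release("alice")
    trace.append(("reauth after release", net.authenticate("alice", "B7")))
    return trace


if __name__ == "__main__":
    for step, vlan in scenario():
        print(f"{step:22s} -> VLAN {vlan}")
```

The point of keying the mitigation on the user rather than the port is the one the text makes: an infected host that moves to another switch port, or simply reauthenticates, cannot escape quarantine by getting a fresh IDM VLAN assignment.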
TMS zl Module—As mentioned earlier, in routing mode the TMS zl Module provides a firewall
and an IPS. Consequently, it can take independent action against specified threats, ranging
from merely logging an event, through ending a session or blocking traffic, to closing a TCP
or UDP port. The TMS zl Module can also notify NIM when it detects a threat, so that NIM can
apply a network-wide mitigation in addition to the module's local action.
Switch and third-party device actions—You can also have HP ProCurve switches and
third-party security devices take the actions that are built into them. For instance, certain HP
ProCurve switches can rate-limit or block traffic when a virus event is detected, and a
third-party IPS device can block traffic through the device when it matches a known virus
signature. You can configure these devices to act independently of NIM, or you can have the
devices forward their alerts to NIM and have NIM handle the responses. Having NIM manage
the responses centrally is usually simpler, and it keeps the mitigation consistent across devices
rather than depending on each device's own local action.