HP ProCurve Threat Management Solution Design Guide 2009-04
IDM and NIM are integrated so that you can track additional information about offenders and
take additional steps to protect the network when a threat is detected. With PCM+ and NIM
alone, you can learn an offender's MAC address, IP address, and host name. When IDM is added,
you can also obtain the username and detailed session information. In addition, NIM and IDM
can work together to prevent an offender from moving from one port to another: if the offender
tries to authenticate from another port, IDM denies or grants access according to the action
configured through NIM. (For more information about IDM's integration with NIM, see
Chapter 4: "Design.")
HP ProCurve Hardware
NIM interacts with HP ProCurve switches and wireless devices to detect network threats and
respond to those threats.
Detection—NIM uses several features of switches and wireless devices to detect network
threats. Table 3-1 on page 3-6 lists which switches and wireless devices support which
features. The features relevant to threat management are listed below.
■ sFlow—For switches and wireless devices that support sFlow, NIM can configure ports
to send sFlow samples to a collector address (NIM itself). The sampled ports are drawn from
user-selected ports (if any), NIM-selected ports, and ports selected by PCM+ Traffic Monitor
(using its own algorithm). NIM's port-selection algorithm rotates which ports it samples, so
that over time it is likely to see samples of virtually all traffic of interest.
Note that NIM does not need to sample an offender's own port to monitor that offender's
traffic; it only needs to sample some port that carries it. For example, NIM could sample a
switch's uplink port, which carries all the traffic forwarded between that switch and the rest
of the network. Network behavior anomaly detection (NBAD) keys on the source IP and MAC
addresses carried in the sampled packets, no matter where on the network those packets
entered. If NBAD detects an anomaly from a specific IP or MAC address, and the same type of
anomaly recurs often enough to trigger a security alert, NIM can use PCM+'s Find Node
function to locate the switch port behind that address and then take the configured action.
If you are also using IDM, NIM can use IDM's capabilities to learn the offender's username
and other session information.
During any one-minute period, NIM can accept 3,000 sFlow port samples from each of
10 agents, a total of 30,000 ports per minute.
In addition, NIM supports sFlow counter statistics on up to 7,000 ports per agent. Because the
3,000 sampled ports also report statistics, NIM can effectively collect statistics on 10,000
ports per agent (7,000 + 3,000), or 100,000 ports across 10 agents.
■ Connection-rate filtering (Virus Throttle™ technology)—To detect virus activity from
traffic behavior rather than from explicit malware signatures, switches that support Virus
Throttle™ technology monitor how many connection attempts each host makes and flag hosts
whose rate is abnormally high (a worm probing for new victims typically opens connections to
many distinct destinations in a short time, which is unlike normal client traffic). When a switch
detects such an abnormality, it can limit traffic from the offending host and notify NIM of the
condition.
NIM can configure connection-rate filtering on switches that support it and configure those
switches to notify NIM.
■ Local mirroring—In local mirroring, a switch copies the traffic on selected ports to a
mirror port on the same switch. The mirror port is typically connected to an intrusion
detection system (IDS) that analyzes the copied traffic and alerts NIM if it discovers a virus
or other attack. Most HP ProCurve switches support local mirroring. Note that the mirror port
has only its own link capacity: if the combined traffic of the mirrored ports exceeds it, some
copies are dropped and the IDS sees an incomplete picture, so size the mirror port accordingly.
NIM can configure local mirroring on switches that support it.
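The sFlow/NBAD item and the connection-rate filtering item above describe the same pipeline from two ends: samples taken somewhere on the path carry the offender's own source MAC and IP, a host that opens connections to an abnormally large number of distinct destinations is flagged, and the flagged address is then resolved to a switch port. The following Python is an added example that models that pipeline; it is not HP ProCurve or NIM code. The sample records, the MAC-to-port table, the uplink port name A24, and the threshold of 50 distinct destinations per 60-second window are all constructed for the example (the threshold is not a ProCurve sensitivity setting).

```python
"""Connection-rate anomaly detection over sFlow-style packet samples.

Added example, not HP ProCurve/NIM code. Shows (1) that sampling only the
uplink port still attributes traffic to the offender's own source address,
(2) detection of a host contacting an abnormally high number of distinct
destinations (the Virus Throttle idea), and (3) resolving the offender's MAC
to a switch port, the role PCM+ Find Node plays. All data is constructed.
"""
from collections import defaultdict

UPLINK_PORT = "A24"  # constructed: the only port being sampled on edge-sw-1

# Constructed: what PCM+ Find Node would learn from the switch forwarding table.
MAC_TABLE = {
    "00:1e:c9:00:00:10": ("edge-sw-1", "A3"),
    "00:1e:c9:00:00:66": ("edge-sw-1", "A7"),
}


def constructed_samples():
    """Packet samples as an sFlow agent would report them from UPLINK_PORT.

    Each sample: (t_seconds, src_mac, src_ip, dst_ip, dst_port, is_syn).
    A well-behaved host repeatedly connects to three servers; an infected host
    sends one SYN to each of 200 hosts in 10.0.2.0/24 within 30 seconds.
    Neither host's edge port (A3, A7) is sampled; only A24 is.
    """
    samples = []
    for i in range(40):  # normal client: a few servers, many repeats
        samples.append((i * 1.5, "00:1e:c9:00:00:10", "10.0.1.10",
                        ["10.0.5.20", "10.0.5.21", "10.0.5.22"][i % 3], 443, True))
    for i in range(200):  # scanning host: one SYN per distinct destination
        samples.append((10 + i * 0.15, "00:1e:c9:00:00:66", "10.0.1.66",
                        f"10.0.2.{i + 1}", 445, True))
    samples.sort(key=lambda s: s[0])
    return samples


def connection_rate_offenders(samples, window_s=60.0, threshold=50):
    """Return {src_ip: (src_mac, peak)} for sources whose number of distinct
    (dst_ip, dst_port) SYN targets within any window_s interval exceeds
    threshold. Only SYN packets count as connection attempts; attribution
    uses the source fields in the sampled header, not the sampled port.
    """
    attempts = defaultdict(list)  # src_ip -> [(t, (dst_ip, dst_port)), ...]
    macs = {}
    for t, smac, sip, dip, dport, syn in samples:
        if not syn:
            continue
        attempts[sip].append((t, (dip, dport)))
        macs[sip] = smac
    offenders = {}
    for sip, events in attempts.items():
        events.sort()
        peak = 0
        for i, (t0, _) in enumerate(events):  # sliding window from each event
            targets = {dst for t, dst in events[i:] if t - t0 < window_s}
            peak = max(peak, len(targets))
        if peak > threshold:
            offenders[sip] = (macs[sip], peak)
    return offenders


def locate_offenders(samples, mac_table=MAC_TABLE, **kwargs):
    """Detect, then resolve each offender's MAC to (switch, port).

    Returns [(src_ip, src_mac, peak, switch, port)], sorted by src_ip.
    """
    located = []
    for sip, (smac, peak) in connection_rate_offenders(samples, **kwargs).items():
        switch, port = mac_table.get(smac, ("unknown", "unknown"))
        located.append((sip, smac, peak, switch, port))
    return sorted(located)


if __name__ == "__main__":
    for sip, smac, peak, switch, port in locate_offenders(constructed_samples()):
        print(f"sampled on {UPLINK_PORT}: {sip} ({smac}) hit {peak} distinct "
              f"destinations in 60 s; located on {switch} port {port}")
```

The normal client reaches a peak of 3 distinct destinations and is never reported, while the scanning host is reported with all 200 destinations even though its own port A7 was never sampled; the MAC table then turns the alert into a port that can be throttled, blocked, or handed to IDM.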