HP ProCurve Threat Management Solution Design Guide 2009-04
Products
HP ProCurve Hardware
■ Remote mirroring—Remote mirroring is similar to local mirroring, except that the copied
traffic is sent to a mirror port on a different switch. Table 3-1 lists the switches that
support remote mirroring. Both the source and destination switches must
support remote mirroring, and if the mirrored frames are full-size frames, any intermediate
switches must support jumbo frames.
NIM can configure remote mirroring on switches that support it.
■ MAC mirroring—Switches that support MAC mirroring can mirror traffic based on source
MAC address and/or destination MAC address. In a Threat Management Solution, you can
isolate the MAC address of a device that is sending suspicious traffic and use MAC
mirroring to forward this traffic to NIM for further analysis. Check Table 3-1 to see which
switches support MAC mirroring.
NIM can configure remote mirroring on switches that support it.
■ Signature detection—An IDS/IPS (such as the TMS zl Module’s IDS/IPS) can use signatures
to detect threats. Signatures contain the patterns within the packet payload or header that
are known to indicate attacks. Many viruses, worms, Trojans, backdoors, port scans,
protocol anomalies, and other known attacks can be detected by signatures.
■ Protocol anomaly detection—An IDS/IPS can filter traffic for protocol anomalies at the
application level of the packet payload. By comparing the actual behavior of application
traffic against its expected behavior, the IDS/IPS can detect anomalies that may indicate
an attack.
■ Simple Network Management Protocol (SNMP) traps—Some ProCurve switches support
the following security features and can send SNMP traps to NIM if they detect possible
problems (such as SNMP authentication failures). You can configure NIM to further
analyze the event or take action.
• Dynamic Host Configuration Protocol (DHCP) snooping
• Dynamic Address Resolution Protocol (ARP) protection
• Instrumentation monitor
• SNMP authentication
• CLI password authentication
• Port security authentication
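
The difference between the signature detection and protocol anomaly detection items above, as an added example that is not HP ProCurve code and does not reflect how the TMS zl Module is implemented. The signature names and patterns, the HTTP method list, the 2048-byte request-line limit and the sample traffic are all constructed assumptions.

```python
import re

# Constructed signatures (hypothetical, not a vendor rule set):
# (name, destination port or None for any port, payload pattern).
SIGNATURES = [
    ("dir-traversal", 80, re.compile(rb"\.\./\.\./")),
    ("example-worm-marker", None, re.compile(rb"EXAMPLE-WORM-MARKER")),
]
HTTP_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS"}
MAX_REQUEST_LINE = 2048  # assumed bound on "expected" request-line length

def match_signatures(dst_port, payload):
    """Signature detection: known-bad patterns in the header or payload."""
    return [name for name, port, pat in SIGNATURES
            if port in (None, dst_port) and pat.search(payload)]

def http_anomalies(payload):
    """Anomaly detection: compare the request line with expected HTTP behavior."""
    line = payload.split(b"\r\n", 1)[0]
    found = []
    if len(line) > MAX_REQUEST_LINE:
        found.append("request line too long")
    parts = line.split(b" ")
    if len(parts) != 3:
        found.append("malformed request line")
    else:
        if parts[0] not in HTTP_METHODS:
            found.append("unknown method")
        if not re.fullmatch(rb"HTTP/1\.[01]", parts[2]):
            found.append("bad version")
    return found

def inspect(dst_port, payload):
    """Run both detectors; anomaly checks apply only to HTTP (port 80)."""
    alerts = ["signature:" + n for n in match_signatures(dst_port, payload)]
    if dst_port == 80:
        alerts += ["anomaly:" + a for a in http_anomalies(payload)]
    return alerts

# Constructed sample traffic: (destination port, payload).
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"GET /../../secret.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"GET /" + b"A" * 4000 + b" HTTP/1.1\r\n\r\n"),
    (80, b"FETCH / HTTP/9.9\r\n\r\n"),
]

for _port, _data in SAMPLES:
    print(_port, _data[:30], inspect(_port, _data))
```

The third and fourth samples match no signature and are flagged only because they deviate from expected protocol behavior, which is what lets anomaly detection catch traffic for which no signature exists.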