HP ProCurve Threat Management Solution Design Guide 2009-04

4-5
Design
Software and Hardware Selection
Prepare the Infrastructure
The sections that follow explain how to prepare your infrastructure, based on the deployment
option that you have selected.
NIM Standalone
A NIM standalone deployment relies on the network infrastructure for both threat detection
and threat mitigation. This means that your switches and wireless devices must be capable of
doing their part.
For threat detection, verify that your switches and wireless devices support sFlow and that
this feature is enabled. PCM+ will then receive the traffic samples on which NIM performs
network behavior anomaly detection (NBAD) to detect threats.
Check the tables in Chapter 3: “Products” to verify the capabilities of the HP ProCurve switches
you are using. Most HP ProCurve switches and several HP ProCurve wireless devices support
sFlow. If a switch supports Extended Remote Monitoring (XRMON), it can also collect samples
for NIM.
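A practical way to confirm that sFlow is actually enabled and delivering samples is to decode what arrives at the collector. The following is an added example, not code from the guide, PCM+ or NIM: it parses the standard sFlow v5 datagram header and the flow-sample header fields (agent address, sequence number, per-port sampling rate and drop counter) and flags conditions that would leave NBAD without usable data, such as an agent that is not on the expected list, a datagram with no flow samples, or a sampling rate so coarse that it yields almost no traffic. The datagram it decodes is constructed inline with the builder functions; the agent addresses and the rate threshold are assumed values, and only IPv4 agents are handled.

```python
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address

SFLOW_V5 = 5
FLOW_SAMPLE = 1      # sFlow v5 sample_type: enterprise 0, format 1
COUNTER_SAMPLE = 2   # sFlow v5 sample_type: enterprise 0, format 2


@dataclass
class FlowSample:
    seq: int
    source_id: int       # (source type << 24) | ifIndex of the sampled port
    sampling_rate: int   # 1 in N packets sampled
    sample_pool: int
    drops: int           # samples the agent dropped before sending
    input_if: int
    output_if: int
    num_records: int


@dataclass
class Datagram:
    agent: str
    sub_agent: int
    seq: int
    uptime_ms: int
    flow_samples: list = field(default_factory=list)
    counter_samples: int = 0


def parse_datagram(data: bytes) -> Datagram:
    """Decode an sFlow v5 datagram; flow records inside samples are skipped opaquely."""
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != SFLOW_V5:
        raise ValueError(f"unsupported sFlow version {version}")
    if addr_type != 1:
        raise ValueError("only IPv4 agent addresses are handled in this example")
    agent = str(IPv4Address(data[8:12]))
    sub_agent, seq, uptime, nsamples = struct.unpack_from("!IIII", data, 12)
    dg = Datagram(agent, sub_agent, seq, uptime)
    off = 28
    for _ in range(nsamples):
        sample_type, length = struct.unpack_from("!II", data, off)
        body = data[off + 8: off + 8 + length]
        if len(body) != length:
            raise ValueError("truncated sample")
        enterprise, fmt = sample_type >> 12, sample_type & 0xFFF
        if enterprise == 0 and fmt == FLOW_SAMPLE:
            dg.flow_samples.append(FlowSample(*struct.unpack_from("!8I", body, 0)))
        elif enterprise == 0 and fmt == COUNTER_SAMPLE:
            dg.counter_samples += 1
        off += 8 + length
    return dg


def check_agent(dg: Datagram, expected_agents: set, max_rate: int) -> list:
    """Return human-readable findings; an empty list means the feed looks healthy."""
    findings = []
    if dg.agent not in expected_agents:
        findings.append(f"unexpected sFlow agent {dg.agent}")
    if not dg.flow_samples:
        findings.append("no flow samples: sampling may be disabled on the switch ports")
    for fs in dg.flow_samples:
        port = fs.source_id & 0xFFFFFF
        if fs.sampling_rate > max_rate:
            findings.append(f"port {port}: sampling rate 1:{fs.sampling_rate} too coarse")
        if fs.drops:
            findings.append(f"port {port}: agent reports {fs.drops} dropped samples")
    return findings


# --- constructed test data (not captured from a real switch) ---
def build_flow_sample(seq, ifindex, rate, pool, drops, in_if, out_if) -> bytes:
    body = struct.pack("!8I", seq, ifindex, rate, pool, drops, in_if, out_if, 0)  # zero records
    return struct.pack("!II", FLOW_SAMPLE, len(body)) + body


def build_datagram(agent: str, seq: int, samples: list) -> bytes:
    hdr = struct.pack("!II", SFLOW_V5, 1) + IPv4Address(agent).packed
    hdr += struct.pack("!IIII", 0, seq, 123456, len(samples))
    return hdr + b"".join(samples)


CONSTRUCTED_DATAGRAM = build_datagram("10.0.0.2", 42, [
    build_flow_sample(1, 5, 512, 51200, 0, 5, 7),     # healthy port 5
    build_flow_sample(2, 6, 65536, 100, 3, 6, 0),     # port 6: coarse rate and drops
])

if __name__ == "__main__":
    dg = parse_datagram(CONSTRUCTED_DATAGRAM)
    for line in check_agent(dg, {"10.0.0.2"}, max_rate=4096):
        print(line)
```

In practice the datagram bytes would come from the collector's UDP socket, and the expected-agent set from the inventory of switches on which sFlow was enabled, so a silent agent (never seen) is as important a finding as a misconfigured one.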
For threat mitigation, NIM can execute any action that is supported on PCM+ and the targeted
infrastructure device, which can be either a wired or a wireless device. The tables in Chapter
3: “Products” display relevant actions. For example, most HP ProCurve switches can shut down
a port or reassign it to a quarantine VLAN in response to a detected event. Many of the switches
and the wireless devices can perform MAC lockout.
Note On the HP ProCurve Wireless Edge Services Module (WESM), the MAC lockout applies to all
adopted radio ports (RPs), which prevents an attacker from continuing an attack by simply
roaming to another RP.
Switches with ProVision ASICs (which include the HP ProCurve 3500yl Series switch, HP
ProCurve 5400zl Series switch, HP ProCurve 6200yl switch, and HP ProCurve 8200zl Series
switch) offer advanced features such as limiting the bandwidth on the port (rate limiting) and
remote mirroring.
At this point in the planning process, you are only beginning to assess the actions available for
threat mitigation. Until you start actually monitoring the threats on your network and
establishing baseline data, you probably should not move switches to get the right capabilities in
the right places or buy new switches to gain capabilities that you do not have. Establishing the
baseline data is described in the next section, “Follow an Iterative Design Process” on page 4-16.
Deployment Option: NIM + HP ProCurve TMS zl Module in Monitor Mode
  Benefits:
    - Internal threat management for a wired network, wireless network, or both
    - Perimeter threat management in addition to internal threat management
    - Anomaly-based and signature-based detection for the entire network
    - Extra protection for the entire network
  Other Reasons for Selecting the Option:
    - Your security policies call for high-confidence threat detection throughout the network.
    - You require a device that can protect you from perimeter threats and detect internal threats.

Deployment Option: Unified Solution
  Benefits:
    - A combination of the benefits of the deployment options that you select
  Other Reasons for Selecting the Option: (none listed)