HP ProCurve Threat Management Solution Design Guide 2009-04
Design
Software and Hardware Selection
NIM + Inline IPS
You must complete all of the tasks described in “NIM Standalone” on page 4-5.
If an IPS is already deployed on your network, you can simply configure it to send traps to
PCM+ in response to threats. You can then analyze these traps in PCM+ as you analyze the
events generated by NIM using NBAD. At this point, you should not configure NIM to take
action based on the IPS’s traps.
If you have not yet deployed the IPS, you can deploy it in the desired location and configure it
to send traps to NIM. (You will complete other configuration tasks as well, which are beyond
the scope of this guide.) Alternatively, you can wait to select the IPS’s location until you have
used NIM to locate particularly vulnerable locations on your network.
NIM + IDS
You must complete all of the tasks described in “NIM Standalone” on page 4-5.
If an IDS is already deployed in your network, you can simply configure it to send traps to
PCM+ in response to threats. You might instead plan to repurpose an existing IPS as an IDS
when you install NIM. In this case, ensure that the IPS is in a centralized location and take it
out of the inline traffic path. Configure it to send traps to NIM and prepare it to receive
mirrored traffic. If you have not yet deployed the IDS, install it in a centralized location and
complete the same configurations.
You must also confirm that your network infrastructure can mirror traffic to your IDS. The
tables in Chapter 3: “Products” show which HP ProCurve switches support the required
functions. For example, most ProCurve switches can mirror traffic from a switch port to an
IDS connected to the same switch (local mirroring), and many support dynamic local
mirroring; that is, NIM can configure the local mirroring on the switch in response to a threat.
The switches with ProVision ASICs support remote mirroring. They can mirror traffic to an
IDS that is connected to a different switch. These switches also support dynamic remote
mirroring.
Note that in the case of remote mirroring, both the source and destination switches must
support remote mirroring. Any switches in the path between the source and destination
switches are not required to support remote mirroring; they simply forward the encapsulated
frames. However, if the mirrored frames are full-size frames, the intermediate switches must
support jumbo frames: the mirror encapsulation adds several bytes to each frame, so a
full-size mirrored frame exceeds the standard Ethernet maximum frame size and would be
dropped by a switch that does not accept jumbo frames.
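The following is an added example that is not part of this guide or of the NIM/PCM+ software. It encodes the three mirroring rules above as a feasibility check: local mirroring needs only the IDS's own switch, remote mirroring needs both endpoint switches to support it, and intermediate switches on the path must forward jumbo frames when full-size frames are mirrored. The three-switch topology, the feature flags on each switch, and the `ENCAP_OVERHEAD` value are all constructed assumptions for the example (the guide only says the encapsulation adds "several bytes"); replace them with the per-model figures from the tables in Chapter 3 and your own inventory.

```python
"""Feasibility check for mirroring traffic to an IDS across a switched network.

Design rules modelled (from the design guide text above):
  * local mirroring involves only the switch the IDS is attached to;
  * remote mirroring requires BOTH the source and destination switches to
    support it, intermediate switches only forward the encapsulated frames;
  * when full-size frames are mirrored, every intermediate switch must
    support jumbo frames, because the encapsulation pushes the frame above
    the standard Ethernet maximum.
Topology, feature flags and ENCAP_OVERHEAD below are constructed sample values.
"""
from collections import deque
from dataclasses import dataclass, field

ETHERNET_MAX_FRAME = 1518  # standard maximum untagged Ethernet frame, in bytes
# Bytes the remote-mirror encapsulation adds to each frame. The guide only says
# "several bytes"; this figure is an assumption for the example.
ENCAP_OVERHEAD = 54


@dataclass
class Switch:
    name: str
    local_mirror: bool = True      # can mirror a port to an IDS on the same switch
    remote_mirror: bool = False    # e.g. ProVision ASIC: can mirror to another switch
    jumbo: bool = False            # can forward frames larger than ETHERNET_MAX_FRAME
    neighbors: list = field(default_factory=list)


def shortest_path(switches, src, dst):
    """Breadth-first search over the switch adjacency; returns a list of switch
    names from src to dst, or None when the two are not connected."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in switches[cur].neighbors:
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def mirror_plan(switches, source, ids_switch, frame_size=ETHERNET_MAX_FRAME):
    """Decide how traffic seen on `source` can reach an IDS attached to
    `ids_switch`. Returns (mode, path, problems); mode is "local" or "remote",
    and an empty problems list means the design rules are satisfied."""
    problems = []
    if source == ids_switch:
        if not switches[source].local_mirror:
            problems.append(f"{source} cannot mirror locally")
        return "local", [source], problems

    # Rule: both endpoints of a remote mirror session must support it.
    for name in (source, ids_switch):
        if not switches[name].remote_mirror:
            problems.append(f"{name} does not support remote mirroring")

    path = shortest_path(switches, source, ids_switch)
    if path is None:
        problems.append(f"no path from {source} to {ids_switch}")
        return "remote", [], problems

    # Rule: intermediate switches only forward, but an encapsulated full-size
    # frame is oversize for a switch that does not accept jumbo frames.
    mirrored = frame_size + ENCAP_OVERHEAD
    if mirrored > ETHERNET_MAX_FRAME:
        for name in path[1:-1]:
            if not switches[name].jumbo:
                problems.append(f"{name} must support jumbo frames to forward "
                                f"{mirrored}-byte mirrored frames")
    return "remote", path, problems


def sample_topology(intermediate_jumbo=True):
    """Constructed chain: edge switch A - core switch B - switch C with the IDS.
    A and C stand in for ProVision-based switches (remote mirroring); B does not
    support remote mirroring and may or may not forward jumbo frames."""
    a = Switch("A", remote_mirror=True, jumbo=True, neighbors=["B"])
    b = Switch("B", remote_mirror=False, jumbo=intermediate_jumbo, neighbors=["A", "C"])
    c = Switch("C", remote_mirror=True, jumbo=True, neighbors=["B"])
    return {s.name: s for s in (a, b, c)}


if __name__ == "__main__":
    for src in ("A", "B", "C"):
        print(src, "->", mirror_plan(sample_topology(), src, "C"))
    print("A (core without jumbo) ->",
          mirror_plan(sample_topology(intermediate_jumbo=False), "A", "C"))
```

Running the block shows the four outcomes the rules produce: C mirrors locally, A reaches C by remote mirroring through B, B cannot be a remote-mirror source, and A fails only when B lacks jumbo support and full-size frames are mirrored (a smaller `frame_size` passes). The check is deliberately conservative about the path: if your network can take more than one route between the endpoints, every candidate path must satisfy the jumbo-frame rule, not just the shortest.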
If you choose to mirror some traffic to the IDS statically, the IDS will begin detecting threats
and sending traps to NIM. You can then analyze these traps in PCM+ as you analyze the events
generated by NIM using NBAD. However, you might want your switches to mirror traffic to the
IDS only when so configured by NIM in response to a threat. In this case, the IDS will not detect
threats at this point. Later in the security management life cycle, you will plan which threats
should trigger NIM to set up dynamic mirroring to the IDS. At that point, the IDS and the
network infrastructure will be ready.
In either case, configuring NIM to take action based on the IDS’s traps also occurs later in the
security management life cycle.