HP ProCurve Threat Management Solution Design Guide 2009-04

The sections that follow describe these features in more detail.
Actions Applied Regardless of User Connection Point
When NIM takes action against an offender, often the action applies to the precise port to which
the offender connects. This precision is desirable because the threat is blocked without
blocking legitimate traffic from other users. However, if the offender moves to a different port,
NIM must detect the threat again and then take action again.
When NIM integrates with IDM, the process is streamlined, and your network is protected more
quickly. When NIM detects a threat, it works with IDM to determine the offender’s username.
When NIM takes an action, it also reports the action to IDM, and IDM recognizes that this action
applies to the user. If the user moves to a different port and attempts to reconnect and log in
to the network, IDM enforces NIM’s action. For example, it immediately denies the user
network access.
Username Displayed in NIM Tables and Reports
Whenever NIM detects a threat, it attempts to find the source of the threat—in other words,
the offender. On its own, NIM can determine the offender’s MAC address and IP address and
locate the offender’s point of connection.
You can probably locate an endpoint from this information, which would allow you to remove
a virus. However, particularly in the case of a malicious attack, you are probably more
interested in the user who generated the attack. Users can be mobile. You might not know
exactly who uses a particular workstation or laptop. And even if a particular device is used by
a certain person, it is difficult to be sure that this person is, in fact, the one who connected to
the network when the attack was launched.
With NIM and IDM integration, you can discover this vital information, and all NIM tables and
reports display the offender’s username. In this way, you can better address the root of the
problem or build a better disciplinary case against an offender, if necessary.
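The two mechanisms described above (resolving the detector's MAC address, IP address and port to a username, and an action that then follows the user instead of the port) can be seen side by side in a small model. The Python below is an added illustration and is not NIM or IDM code from this guide; the ThreatEvent, IdentityStore, PortOnlyMitigation and IntegratedMitigation names and the MAC, IP, switch and port values are assumptions constructed for the example.

```python
"""Model of port-based versus identity-based threat mitigation.

Added example only; the classes and sample values are assumptions, not the
behaviour or API of any HP ProCurve product.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ThreatEvent:
    """What a detector can establish on its own: source address and connection point."""
    src_mac: str
    src_ip: str
    switch: str
    port: int
    signature: str


@dataclass
class IdentityStore:
    """Stand-in for an identity manager's session table: who logged in where."""
    sessions: dict = field(default_factory=dict)       # (switch, port, mac) -> username
    blocked_users: dict = field(default_factory=dict)  # username -> reason for denial

    def login(self, username, switch, port, mac):
        """Admit the user unless a mitigation action has been recorded against them."""
        if username in self.blocked_users:
            return False, f"denied: {self.blocked_users[username]}"
        self.sessions[(switch, port, mac)] = username
        return True, "access granted"

    def logout(self, switch, port, mac):
        self.sessions.pop((switch, port, mac), None)

    def resolve_user(self, event):
        """Map the detector's (switch, port, MAC) triple to the logged-in username."""
        return self.sessions.get((event.switch, event.port, event.src_mac))

    def block_user(self, username, reason):
        self.blocked_users[username] = reason


class PortOnlyMitigation:
    """Port-precise blocking without identity: the block stays with the port."""

    def __init__(self):
        self.blocked_ports = set()

    def handle(self, event):
        self.blocked_ports.add((event.switch, event.port))
        return {"scope": "port", "target": (event.switch, event.port), "user": None}

    def is_blocked(self, switch, port):
        return (switch, port) in self.blocked_ports


class IntegratedMitigation(PortOnlyMitigation):
    """Same port block, plus the action is reported to the identity store so it
    follows the user to whatever port they connect to next."""

    def __init__(self, idm):
        super().__init__()
        self.idm = idm

    def handle(self, event):
        result = super().handle(event)
        user = self.idm.resolve_user(event)
        if user is not None:
            self.idm.block_user(user, f"mitigation action for {event.signature}")
        result["user"] = user  # the username now appears in the action record
        return result


def simulate_mobile_offender(integrated):
    """Offender logs in on port 5, triggers a detection, then moves to port 12.

    Returns (username in the action record, whether login on the new port succeeded).
    """
    idm = IdentityStore()
    mitigator = IntegratedMitigation(idm) if integrated else PortOnlyMitigation()
    mac = "00:11:22:33:44:55"                                       # constructed value
    idm.login("mallory", "sw1", 5, mac)
    event = ThreatEvent(mac, "10.0.0.23", "sw1", 5, "worm-propagation")  # constructed
    record = mitigator.handle(event)
    assert mitigator.is_blocked("sw1", 5)      # the offending port is blocked either way
    idm.logout("sw1", 5, mac)
    allowed, _ = idm.login("mallory", "sw1", 12, mac)  # reconnect elsewhere
    return record["user"], allowed


if __name__ == "__main__":
    print("port only :", simulate_mobile_offender(False))
    print("integrated:", simulate_mobile_offender(True))
```

Without the identity store the action record carries no username and the move to a new port succeeds until the threat is detected a second time; with it, the record names the user and the reconnect is refused immediately.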
Mitigation Actions for a User Displayed in IDM
Just as you can view an offender’s username in NIM tables and reports, you can view
information relevant to threat management in IDM. That is, you can view a user in IDM and
see the actions that NIM has applied to this user.
In this way, you can troubleshoot a user’s connection. For example, a user might complain that
he has entered the correct password but cannot connect. By viewing the user information in
IDM, you can see that NIM is blocking the user’s access. Perhaps the user’s device is infected
without his knowledge. Once you know what the problem is, you can help the user to resolve it.
By examining the actions taken against a user, you can also build a better picture of the user’s
activity and potential misuse of the network. All of this information may be crucial for
complying with regulations.
Use of Locations and Times Configured in IDM
If you already use IDM, you have probably configured a variety of times and locations necessary
for your environment. When you enable NIM to integrate with IDM, you can use all of those
times and locations in NIM’s policies, both speeding the configuration of policies and minimizing
the chance of a misconfiguration.