HP ProCurve Threat Management Solution Design Guide 2009-04

Design
Follow an Iterative Design Process
Keep It Simple. The first time through the process you are looking for the general pattern
of activity and threats on your network. (Save the more time-consuming responses, such as
moving switches that support dynamic mirroring, for later cycles of the process when you have
a better idea of where your detection capabilities are most needed.) The default settings in
PCM+ and NIM provide a good starting point:
- Traffic monitoring is enabled by default in PCM+, so NIM receives traffic samples (sFlow and XRMON) and analyzes them to detect NBAD events.
- NIM receives a variety of SNMP traps about security events from HP ProCurve wired and wireless products. (To see which products support which security features, see Table 3-1 in Chapter 3: “Products.”) NIM also receives SNMP traps from third-party security devices that are configured to send security notifications. (Because this is your first time through the process, you might not have these traps set up yet on your switches and security devices; you can set them up on a later cycle.)
- NIM’s default security policy detects and logs incoming security events (both NBAD events and events reported by SNMP traps); these events appear in the Network Immunity Manager Dashboard.
The default settings will probably provide enough information for your first time through the
process. But if you want to see more information or a customized view of the information, you
can set up your own alerts as well as policies to log those alerts and notify you of their
occurrence.
Be Aware of False Positives. Not all events result from malicious activity: benign activity on
your network may sometimes be reported as a potential threat. For example, multi-homed
devices might trigger IP spoofing events because they appear with more than one IP address.
A workstation searching for antivirus updates might try several update servers in turn until it
finds one that is online, and thereby cause an IP address sweep event.
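The following is an added example, not NIM or PCM+ code, that makes the two false-positive cases concrete. It runs naive IP-spoofing and address-sweep heuristics over constructed sFlow-style samples (all MAC and IP addresses, the threshold, and the allow-lists are assumptions), shows both benign hosts being reported on a first pass, and shows how narrowly scoped suppressions remove them on a later cycle while a genuine sweep is still reported.

```python
"""Added example (not NIM/PCM+ code): naive NBAD-style heuristics over
constructed traffic samples, showing how a multi-homed host and a
workstation probing several update servers trip IP-spoofing and
address-sweep detectors, and how narrowly scoped allow-lists suppress
those false positives without hiding a real sweep."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowSample:
    """One sampled flow, roughly what an sFlow sample would yield."""
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed samples; addresses and MACs are assumptions, not captured data.
SAMPLES = (
    [   # Multi-homed host: one MAC sourcing traffic from two IP addresses.
        FlowSample("00:11:22:aa:bb:01", "10.1.1.10", "10.2.0.5", 443),
        FlowSample("00:11:22:aa:bb:01", "10.1.2.10", "10.2.0.5", 443),
    ]
    # Workstation trying five antivirus update servers until one answers.
    + [FlowSample("00:11:22:aa:bb:02", "10.1.1.50", f"203.0.113.{n}", 80)
       for n in range(1, 6)]
    # Genuine sweep: one host probing six neighbours on TCP 445.
    + [FlowSample("00:11:22:aa:bb:03", "10.1.3.77", f"10.2.0.{n}", 445)
       for n in range(1, 7)]
)

# Tuning knobs (assumed values). In practice the allow-lists are built from
# inventory and from events triaged in earlier cycles of the design process.
SWEEP_THRESHOLD = 5  # distinct destinations per source before an event fires
KNOWN_MULTIHOMED_MACS = frozenset({"00:11:22:aa:bb:01"})
KNOWN_UPDATE_SERVERS = frozenset(f"203.0.113.{n}" for n in range(1, 6))


def detect_ip_spoofing(samples, known_multihomed=frozenset()):
    """Flag MACs seen with more than one source IP, minus known multi-homed hosts.

    Exempting a MAC hides real spoofing from that host as well, so keep the
    list short and revisit it each cycle."""
    ips_by_mac = defaultdict(set)
    for s in samples:
        ips_by_mac[s.src_mac].add(s.src_ip)
    return sorted(mac for mac, ips in ips_by_mac.items()
                  if len(ips) > 1 and mac not in known_multihomed)


def detect_address_sweeps(samples, threshold=SWEEP_THRESHOLD, ignore_dsts=frozenset()):
    """Flag sources that contact at least `threshold` distinct destinations.

    Destinations in ignore_dsts (the update servers) are simply not counted.
    That is narrower than exempting the workstation itself: the same host
    sweeping the internal /24 would still be reported."""
    dsts_by_src = defaultdict(set)
    for s in samples:
        if s.dst_ip in ignore_dsts:
            continue
        dsts_by_src[s.src_ip].add(s.dst_ip)
    return sorted(src for src, dsts in dsts_by_src.items() if len(dsts) >= threshold)


def run_cycle(samples=SAMPLES):
    """First pass with defaults, then the same data with the tuned allow-lists."""
    return {
        "naive_spoofing": detect_ip_spoofing(samples),
        "naive_sweeps": detect_address_sweeps(samples),
        "tuned_spoofing": detect_ip_spoofing(samples, KNOWN_MULTIHOMED_MACS),
        "tuned_sweeps": detect_address_sweeps(samples, ignore_dsts=KNOWN_UPDATE_SERVERS),
    }


if __name__ == "__main__":
    for name, hits in run_cycle().items():
        print(f"{name:15s} {hits}")
```

The first pass reports the multi-homed MAC and both sweeping sources; after tuning, only the host probing TCP 445 remains. The design choice worth noting is the scope of each suppression: ignoring specific destinations keeps the workstation under watch for any other sweep, whereas exempting a MAC from spoofing detection blinds the detector to that host entirely, which is why such lists should be short and reviewed on every cycle.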
NIM has built-in mechanisms for avoiding false positives. In addition, there are a few other
ways of dealing with false positives:
- NBAD Diagnostic Wizard—When an NBAD event is displayed in the Events window, you can right-click it to open the NBAD Diagnostic Wizard. The wizard helps you analyze the selected event: it identifies the threat, notes any related false positives, analyzes the threat, lists suggested actions, and lets you take an action immediately.