HP ProCurve Threat Management Solution Design Guide 2009-04

Design
Follow an Iterative Design Process
Figure 4-12 shows the NIM Configuration > <Event type> > Monitoring window, where
you can configure the sensitivity level.
Figure 4-12. NIM Configuration > <Event type> > Monitoring Window
Exclusion List—If you know the source of an event and are satisfied that it is benign (such as the multi-homed device mentioned earlier), you can exclude that host from consideration for that particular event by putting it on an exclusion list. (See the Exclusion List tab in Figure 4-12.)
By default, NIM puts the PCM+ server and managed devices in the exclusion list to
minimize false positives because these devices may generate false IP spoofing events and
false IP address sweep events when they try to establish contact with large numbers of
devices on the network.
Mirror Traffic to IDS—If your network includes an IDS, you can get a second opinion on
an event. If you are uncertain whether an event is really malicious, you can mirror traffic
from the event’s source to an IDS for further analysis. If the IDS also finds a problem, your
diagnosis of a malicious event is strengthened.
List Events. When you have finished your initial data collection and experimentation, make
a list of the types of events you see on your network. Include events detected by NIM’s NBAD
analysis, ProCurve switches, ProCurve wireless devices, the TMS zl Module, and any third-
party security devices. Look for patterns in the time of day and the location of the events: NIM
lets you classify events by these parameters as well as by event type. Determine threshold
levels of activity for each event type.
You can view a list of events that have occurred by accessing the Devices > Events window.
To view only NIM events, use the NIM filter.
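The steps above (apply an exclusion list, classify events by type, time of day and location, derive a threshold per event type, and pick sources worth mirroring to an IDS for a second opinion) as an added worked example in Python. This is not NIM, PCM+ or HP code and does not reproduce NIM's event format or its sensitivity algorithm: the event records, addresses, locations and event-type labels are constructed, and the threshold rule (mean plus two population standard deviations of the hourly counts, never below 1) is an assumption chosen for illustration.

```python
"""Event triage worked example: apply an exclusion list, group events by type,
hour of day and location, and derive per-type hourly thresholds.

Added illustration, not NIM or PCM+ code. Event types, hosts, locations and
timestamps are constructed; the threshold rule is an assumption.
"""
from collections import Counter, defaultdict
from datetime import datetime
from math import ceil
from statistics import mean, pstdev

HOURS_PER_DAY = 24

# Constructed exclusion list keyed by event type. It mirrors the default of
# excluding the management server and managed devices from the IP spoofing and
# IP address sweep events they can trigger legitimately. Addresses are invented.
EXCLUSION_LIST = {
    "ip_spoofing": {"10.0.0.5", "10.0.0.10"},        # PCM+ server, managed switch
    "ip_address_sweep": {"10.0.0.5", "10.0.0.10"},
}

# Constructed sample events from one day of data collection.
SAMPLE_EVENTS = [
    {"time": "2009-04-15 02:00", "type": "ip_spoofing",      "src": "10.0.0.5",     "location": "core"},
    {"time": "2009-04-15 02:05", "type": "ip_spoofing",      "src": "10.0.0.10",    "location": "core"},
    {"time": "2009-04-15 02:10", "type": "ip_address_sweep", "src": "10.0.0.5",     "location": "core"},
    {"time": "2009-04-15 03:00", "type": "port_scan",        "src": "172.16.5.9",   "location": "dmz"},
    {"time": "2009-04-15 09:12", "type": "ip_address_sweep", "src": "192.168.7.23", "location": "bldg-A"},
    {"time": "2009-04-15 09:40", "type": "ip_address_sweep", "src": "192.168.7.23", "location": "bldg-A"},
    {"time": "2009-04-15 09:55", "type": "ip_address_sweep", "src": "192.168.7.23", "location": "bldg-A"},
    {"time": "2009-04-15 14:03", "type": "ip_address_sweep", "src": "192.168.9.4",  "location": "bldg-B"},
    {"time": "2009-04-15 22:30", "type": "dns_tunneling",    "src": "192.168.8.77", "location": "bldg-A"},
    {"time": "2009-04-15 23:10", "type": "dns_tunneling",    "src": "192.168.8.77", "location": "bldg-A"},
]


def is_excluded(event, exclusion_list=EXCLUSION_LIST):
    """True when the source is excluded for this event type (exclusion is per type)."""
    return event["src"] in exclusion_list.get(event["type"], set())


def apply_exclusions(events, exclusion_list=EXCLUSION_LIST):
    """Drop events whose source is on the exclusion list for their type."""
    return [e for e in events if not is_excluded(e, exclusion_list)]


def hour_of(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M").hour


def hourly_counts(events):
    """Per event type, a 24-entry list of how many events fell in each hour."""
    counts = defaultdict(lambda: [0] * HOURS_PER_DAY)
    for e in events:
        counts[e["type"]][hour_of(e)] += 1
    return dict(counts)


def counts_by_location(events):
    """How often each event type was seen at each location."""
    return Counter((e["type"], e["location"]) for e in events)


def derive_thresholds(events, sigmas=2.0):
    """Assumed rule: per-type hourly threshold = ceil(mean + sigmas * population
    stdev) of the 24 hourly counts, never below 1 so quiet types still register."""
    return {etype: max(1, ceil(mean(per_hour) + sigmas * pstdev(per_hour)))
            for etype, per_hour in hourly_counts(events).items()}


def exceeding(events, thresholds):
    """(type, hour, count, sources, locations) for every hour above its type's threshold."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["type"], hour_of(e))].append(e)
    hits = []
    for (etype, hour), bucket in sorted(buckets.items()):
        if len(bucket) > thresholds[etype]:
            hits.append((etype, hour, len(bucket),
                         sorted({e["src"] for e in bucket}),
                         sorted({e["location"] for e in bucket})))
    return hits


def mirror_candidates(hits):
    """Sources behind above-threshold hours: candidates to mirror to an IDS
    for a second opinion before treating the event as malicious."""
    return sorted({src for _, _, _, sources, _ in hits for src in sources})


if __name__ == "__main__":
    kept = apply_exclusions(SAMPLE_EVENTS)
    thresholds = derive_thresholds(kept)
    hits = exceeding(kept, thresholds)
    print("events after exclusions:", len(kept))
    print("thresholds:", thresholds)
    print("by location:", dict(counts_by_location(kept)))
    for etype, hour, n, sources, locations in hits:
        print(f"{etype} at {hour:02d}:00 -> {n} events from {sources} at {locations}")
    print("mirror to IDS:", mirror_candidates(hits))
```

With the constructed data, the three management-plane events are excluded, the three-event burst of IP address sweeps from one host in the 09:00 hour at bldg-A exceeds the derived threshold of 2, and that host is the only candidate to mirror to an IDS. Because the exclusion list is keyed by event type, the same address stays visible for any other event type, which is the behaviour you want when excluding a host only for the events it is known to trigger benignly.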