HP ProCurve Threat Management Solution Design Guide 2009-04
Design
Follow an Iterative Design Process
The Network Immunity Manager Dashboard will also help you analyze event data. (See
Figure 4-13.) At a glance, you can see the top offenders, device trouble spots, group trouble
spots, alert rates, top alerts, action rates, and top actions. The dashboard also displays the
NBAD Analyzer Status, which reports the events that NBAD will detect when it analyzes traffic:
■ DNS Tunneling—The DNS packet format is altered to disguise malicious payload as valid
data.
■ Duplicate IP Address—Multiple IP addresses are detected for one MAC address.
■ IP Address Spoofing—Two or more IP addresses are assigned to the same computer.
■ IP Address Sweep—The packet size deviates from the packet size normally used.
■ Protocol Anomalies—There is invalid or unusually high protocol usage.
■ Rogue NAT or Router—Unauthorized NAT-enabled router or unauthorized/undiscovered
non-NAT router is present on the edge port.
■ Small Frame IP Address Sweep—Packet contains smaller frames than normally used.
■ TCP Port Sweep—One source IP address is contacting an unusually large number of TCP
ports.
■ UDP Port Sweep—One source IP address is contacting an unusually large number of UDP
ports.
As mentioned earlier, the NBAD Analyzer Status also reports the number of anomalies detected
and whether or not NBAD has completed a baseline for each anomaly.
Figure 4-13. Network Immunity Manager Dashboard in PCM+
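The TCP and UDP Port Sweep events and the per-anomaly baseline status described above can be illustrated with a small sketch. This is an added example, not HP's NBAD implementation: the flow record layout, the function names, and the threshold rule (mean plus k standard deviations with a fixed floor) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

def distinct_ports(flows, proto):
    """Map (interval, src_ip) -> number of distinct destination ports."""
    ports = defaultdict(set)
    for interval, src, p, dport in flows:
        if p == proto:
            ports[(interval, src)].add(dport)
    return {key: len(v) for key, v in ports.items()}

def analyze(flows, proto, learn_until, min_intervals=3, k=3.0, floor=10):
    """Return (baseline_complete, threshold, alerts) for one sweep type.

    Intervals below learn_until form the baseline; later ones are checked.
    The threshold rule is an assumption, not the product's algorithm.
    """
    counts = distinct_ports(flows, proto)
    learned = {key: n for key, n in counts.items() if key[0] < learn_until}
    intervals_seen = {interval for interval, _ in learned}
    if len(intervals_seen) < min_intervals:
        return False, None, []          # baseline incomplete: do not alert
    values = list(learned.values())
    threshold = max(floor, mean(values) + k * pstdev(values))
    alerts = sorted((i, src, n) for (i, src), n in counts.items()
                    if i >= learn_until and n > threshold)
    return True, threshold, alerts

def sample_flows():
    """Constructed flow records: (interval, src_ip, protocol, dst_port)."""
    flows = []
    for interval in range(5):
        for src in ("192.0.2.5", "192.0.2.6"):
            flows += [(interval, src, "tcp", 80), (interval, src, "tcp", 443),
                      (interval, src, "udp", 53)]
    # Constructed outlier: one source touching 200 TCP ports in interval 4
    flows += [(4, "192.0.2.9", "tcp", port) for port in range(1, 201)]
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    for proto in ("tcp", "udp"):
        print(proto, analyze(flows, proto, learn_until=4))
```

With too few learning intervals the function reports an incomplete baseline and raises no alerts, which mirrors why the baseline status matters when reading the anomaly counts.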