HP ProCurve Threat Management Solution Design Guide 2009-04
4-21
Design
Follow an Iterative Design Process
Plan Your Responses. For each event in your list and for each significant variation in time
and location, note the action you want to take. At this step in the process, you are just making
a list of events and possible responses; in later steps you will define alerts based on the events
and create actions to respond to the alerts.
All PCM+ action types are available for responses. Common action types for threat management are listed below:
■ Port shutdown—shut down the port where the offending host connects
■ VLAN assignment—assign the offending host to a specific VLAN (typically a quarantine VLAN)
■ MAC lockout—lock the offending host’s MAC address out of the network
■ Rate limiting—limit the bandwidth allowed on the offending host’s port
■ Port mirroring or MAC mirroring configuration—redirect a potential offender’s traffic to an IDS for further evaluation
■ Email notification—send an e-mail with details of the event to the specified e-mail address
■ Message in dialog box—display a dialog box with event details and an optional message
■ Notification only—notify the management console of the event; take no other action
From here, go on to “Step 2: Detect Threats” on page 4-22.
Second and Subsequent Times Through the Process
After you have been through the process once, subsequent passes allow you to refine your
responses based on the activity you actually observed on your network.
Adjust. Compare the network activity that you observed in step 4 (analysis) on the previous pass through the process with the list of events and responses that you created in step 1 (establish the policy) on that pass. Update your event list by adding new events. You could delete events that no longer seem to be occurring if you feel that you have completely eliminated their causes. But for most events that you did not observe the last time you went through the process, it is prudent to regard them as merely dormant; keep them in the list so NIM can respond to them if they recur.
For new events on the list, plan suitable responses. This could include planning to reconfigure
some of the equipment on your network: you might move an IPS to a better position for
protecting critical network resources such as servers, or you might rearrange some switches
to make remote mirroring capabilities more available in areas that are highly vulnerable to
threats.
As in the first time through the process, at this step you are just planning. You will actually
make changes to the alerts and actions in later steps.
Get Creative. After you have been through the process once and have a good idea of network
activity patterns, you can sometimes respond better to events by taking complex actions.
For instance, suppose that you have an IDS on your network and NBAD indicates possible
threat activity in a new part of your network. Your response might be to define an action that
configures switches to mirror data from that part of the network to the IDS for additional
monitoring. If NIM then receives a trap from the IDS indicating a true threat, you can take
action to mitigate the threat.
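As an added illustration of the planning step (one planned response per event, varied by location and time of day) and of the two-stage NBAD-to-IDS escalation just described, the following is example code, not part of HP's guide or PCM+; the rule layout, the event names and the `ResponsePlanner` class are assumptions, and only the action names borrow from the PCM+ action types listed above.

```python
from collections import Counter
from datetime import time

# Constructed response plan. Each rule is
# (event, location or None for any, during_business_hours or None for any, action).
# First matching rule wins, so put the most specific variations first.
PLAN = [
    ("port_scan",       "server_vlan", True,  "notify_only"),        # admins scan by day
    ("port_scan",       "server_vlan", False, "port_shutdown"),      # nobody should at night
    ("port_scan",       None,          None,  "rate_limit"),
    ("nbad_suspect",    None,          None,  "mac_mirror_to_ids"),  # gather evidence first
    ("ids_trap",        None,          None,  "vlan_quarantine"),    # IDS confirmed it
    ("dhcp_starvation", None,          None,  "mac_lockout"),        # planned, maybe dormant
]
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed site schedule


def in_business_hours(at: time) -> bool:
    return BUSINESS_HOURS[0] <= at < BUSINESS_HOURS[1]


class ResponsePlanner:
    """Looks up the planned action for an event and records what was observed."""

    def __init__(self, plan=PLAN):
        self.plan = plan
        self.observed = Counter()   # event -> count, input to the next 'Adjust' pass
        self.mirrored = set()       # hosts currently mirrored to the IDS

    def respond(self, event: str, host: str, location: str, at: time) -> str:
        self.observed[event] += 1
        biz = in_business_hours(at)
        for ev, loc, hours, action in self.plan:
            if ev == event and loc in (None, location) and hours in (None, biz):
                break
        else:
            action = "notify_only"   # unplanned event: surface it, decide on the next pass
        if action == "mac_mirror_to_ids":
            self.mirrored.add(host)          # stage 1: let the IDS look closer
        elif event == "ids_trap":
            self.mirrored.discard(host)      # stage 2: mitigation replaces monitoring
        return action

    def review(self) -> dict:
        """Second pass: unseen planned events stay listed as dormant, new ones get added."""
        planned, seen = {r[0] for r in self.plan}, set(self.observed)
        return {"active": sorted(planned & seen),
                "dormant": sorted(planned - seen),
                "unplanned": sorted(seen - planned)}
```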