HP ProCurve Threat Management Solution Design Guide 2009-04

4-22
Design
Follow an Iterative Design Process
Note: Note that your IDS might be on a different switch from the source of new activity. In this case,
you can use remote mirroring—as long as the switches involved support remote mirroring.
Otherwise, you cannot mirror the traffic without changing your topology.
You may be able to use multiple alerts defined for the same event type to fine-tune your
responses. For example, you might know that if NIM detects 20 IP address sweep events in a
second (from a single host), you need to shut down the offending port. But when NIM detects
only five IP address sweep events in a second, you may not know whether the events indicate
a problem or not. So you could set up two alerts, one for 20 events per second and one for
five events per second, and tailor policies for the two situations. For the higher-frequency
alert, you could take action by shutting down the port immediately; for the lower-frequency
alert, you could activate mirroring to direct the suspect traffic to an IDS, which would examine
the traffic for signs of a virus or other attack. (If you did select mirroring as the action, you
would create an additional policy that responds to an event from the IDS.)
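As an added example, not code from the guide or from NIM itself, the two-alert scheme above can be modelled as a per-host sliding-window counter that escalates through tiers: the thresholds are the guide's 5 and 20 sweep events per second, while the host addresses, timestamps and action labels are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed model of the guide's two-alert scheme; this is not NIM's own
# code. Thresholds are the guide's figures: sweep events per source host
# within a one-second window, ordered from the lower tier to the higher.
ALERT_TIERS = (
    (5, "activate mirroring to IDS"),    # lower-frequency alert
    (20, "shut down offending port"),    # higher-frequency alert
)


def evaluate_sweeps(events, window_ms=1000, tiers=ALERT_TIERS):
    """Run tiered alerting over (time_ms, source_host) IP-sweep events.

    Keeps a per-host sliding window of event times and returns a list of
    (time_ms, host, action), one entry each time a host escalates to a
    higher tier. A host's tier resets once its rate falls below the lowest
    threshold, so a fresh burst later on is reported again.
    """
    recent = defaultdict(deque)   # host -> event times still inside the window
    level = defaultdict(int)      # host -> number of tiers already triggered
    actions = []
    for t, host in sorted(events):
        q = recent[host]
        q.append(t)
        while q and t - q[0] > window_ms:   # drop events older than the window
            q.popleft()
        reached = sum(1 for threshold, _ in tiers if len(q) >= threshold)
        if reached > level[host]:
            # Escalate: report only the highest tier newly reached, since the
            # guide pairs each alert with its own policy action.
            actions.append((t, host, tiers[reached - 1][1]))
            level[host] = reached
        elif reached == 0:
            level[host] = 0   # burst is over; allow the next one to alert
    return actions


# Constructed sample: host 10.0.0.5 ramps to 20 sweeps within a second,
# crossing both tiers; host 10.0.0.9 sends four, crossing neither.
SAMPLE_EVENTS = (
    [(100_000 + i * 10, "10.0.0.5") for i in range(20)]
    + [(100_000 + i * 100, "10.0.0.9") for i in range(4)]
)

if __name__ == "__main__":
    for t, host, action in evaluate_sweeps(SAMPLE_EVENTS):
        print(f"t={t}ms host={host}: {action}")
```

Because the lower tier fires first, the mirroring policy is already in place by the time the port-shutdown tier is reached, which matches the layered response the guide describes.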
Step 2: Detect Threats
Like step 1, step 2 is divided into two sections:
First time through the process
Second and subsequent times through the process
First Time Through the Process
In this step you use the events that you listed in the previous step to guide your setup for threat
detection.
Install IDSs/IPSs and Adjust Topology (Optional). Using the information obtained
when NBAD created the baseline for NBAD events, you are now ready to begin installing your
IDSs/IPSs (if they are not already running in your network). If you are using IDSs, you should
generally install them in a central location or near the location that seems most vulnerable
to threats. Take into consideration where traffic will need to be mirrored and the mirroring
capabilities of your switches. For example, if your switches do not support remote mirroring,
you must connect an IDS to each switch from which you want to mirror potentially suspect traffic.
If you have IPSs, you should install one at each choke point where you want to monitor traffic.
If you have an existing IDS/IPS already installed on your network, you should evaluate its
location. You may need to move it.
You must also re-evaluate the switches in your topology. If you have ProCurve switches that
support remote mirroring, you might need to move these switches to make this capability more
available in network segments that are particularly vulnerable to threats.
Configure Network Equipment for Threat Detection. If you need to configure switches,
access points (APs), or third-party security devices for threat detection, do it now. This could
include setting up sFlow on switches or APs (however, PCM+ typically configures sFlow on
managed devices by default), configuring security capabilities such as DHCP protection or
Virus Throttle™, or enabling device-specific events on IPS or IDS devices. You may be able to
configure switches and APs from PCM+; for a third-party security device you will use the
device’s CLI or Web-browser interface.
Adjust Sensitivities as Needed. If necessary, adjust the sensitivity for NBAD events. (To
adjust these sensitivities, access the NIM Configuration > <Event type> > Monitoring window
in the Agent Manager.)