HP ProCurve Threat Management Solution Implementation Guide May 2009
© Copyright 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved.
Disclaimer
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard.
Contents
1 Introduction
  Documents, Audience, Assumptions
  Using This Guide
2 HP ProCurve Network Immunity Manager Standalone Solution
  Contents
3 HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS
  Contents
  Overview
  Step 1: Establish a Policy

    Task: Configure a TippingPoint IPS
      Subtask: Update the TippingPoint Operating System
      Subtask: Modify the Default Security Profile or Create a Security Profile
      Subtask: Edit Action Sets
      Subtask: Configure SNMP Trap Settings

  Step 2: Detect Threats
    Task: Install the TMS zl Module and Select the Operating Mode
    Task: Configure the TMS zl Module in Routing Mode
      Subtask: Plan Zones

A Initial Setup for HP ProCurve Manager Plus and Network Immunity Manager
  Install PCM+
    PCM+ Requirements
B Initial Setup for the HP ProCurve Manager Agent
  Install PCM+

  Configure a Client-to-Site IPsec VPN for HP ProCurve VPN Clients
    Configure a Client-to-Site IPsec VPN on the TMS zl Module
      Create Named Objects for the IPsec Client-to-Site VPN
      Create an IKE Policy for Connecting to HP ProCurve VPN Clients
      Create an IPsec Proposal for Connecting to HP ProCurve VPN Clients
1 Introduction
Documents, Audience, Assumptions
The HP ProCurve Threat Management Solution Implementation Guide gives you step-by-step instructions for configuring the components of an HP ProCurve Threat Management Solution. It is a companion guide to the HP ProCurve Threat Management Solution Design Guide, which explains security management practices and helps you plan the incorporation of these practices into your network.
Using This Guide
The security management design outlined in the Threat Management Solution Design Guide includes a series of design steps (see Chapter 4: “Design” in that guide). Because security management is more of a process than a steady state, the design steps are actually an iterative cycle. This Implementation Guide gives you the step-by-step procedures for the activities in that cycle. Both guides are based on the security management life cycle shown in Figure 1-1.
2 HP ProCurve Network Immunity Manager Standalone Solution
Contents
  Overview
  Step 1: Establish a Policy
    First Time Through the Process
Overview
This chapter outlines the activities that you might engage in to set up an HP ProCurve Threat Management Solution that includes:
■ HP ProCurve Manager Plus (PCM+) 3.0
■ HP ProCurve Network Immunity Manager (NIM) 2.0
■ HP ProCurve Identity Driven Manager (IDM) 3.
Figure 2-1. Security Management Life Cycle
To complete the instructions outlined in this chapter, you must have a fully functional PCM+/NIM server. Further, you must have configured PCM+ and your network infrastructure devices with the appropriate settings so that they can communicate. PCM+ and NIM must be able to receive sFlow data samples and SNMP traps from network infrastructure devices.
Step 1: Establish a Policy
If this is your first time through the threat management solution design process, perform the activities in “First Time Through the Process” on page 2-4. If this is your second time or more through the process, skip to “Second and Subsequent Times Through the Process” on page 2-23.
Figure 2-2. PCM+ Dashboard
You can now complete the tasks to configure NIM for your environment.
Task: Ensure Policy Execution Is Disabled
A policy combines an alert with an action. A setting in the Policy Management window determines whether NIM executes a policy action when the corresponding alert occurs. By default, this setting is disabled.
Figure 2-3. Preferences Window
2. Click Policy Management in the navigation tree.
3. In the Configuration Changes section of the Global: Policy Management window, ensure that the Enable policy actions option is not selected. (This is the default setting.
Figure 2-4. Global Policy Management Window
4. Click OK.
Optional Task: Consider Interaction with IDM
If you are running IDM, it automatically interacts with NIM. The benefits of integrating NIM and IDM include:
■ Better threat protection—NIM’s actions continue to apply to a user even when the user attempts to connect to a different switch port or wireless access point (AP).
Task: Start Event Collection
Because NIM’s event collection is enabled by default and PCM+ displays events by default, you probably do not have to take any action to have NIM begin to collect events. Just in case someone has changed the default settings, however, you may want to verify that NIM is collecting and displaying events.
Figure 2-6. Agent Manager > NIM Window
3. Under Security/Monitoring Status, ensure that the Enable option is selected. To globally disable event collection, select the Disable option.
4. Click Configuration. Event types are listed in the navigation tree.
Figure 2-7. NIM Configuration Window
5. Click the arrow next to ProCurve NBAD Services to expand it.
6. By default, NIM monitors traffic for all NIM events. To check an event, select it in the navigation tree and click the Monitoring tab in the right pane. The Enable Security Monitoring option should be selected.
Figure 2-8.
7. If you do not want to monitor a particular type of event, simply clear the Enable Security Monitoring option. You can also configure the sensitivity of the analysis on this window. Configuring these settings is described later in this chapter.
8. Click Close and then click OK.
Task: View Events
To view the events collected by PCM+ and NIM, complete the following steps:
1.
Task: Check the Results
In addition to viewing the event list, you can see summaries of the event activity in the Security Activity windows. The information on these windows can be displayed according to offenders, alerts, and actions. The Security Activity windows provide a flexible view of event activities and may become your primary source for a quick understanding of the activity on your network.
3. Click the arrow next to Filtering. You will now see two sections:
• Filters—The filters allow you to display particular data. Clear a filter to remove data from the display and select it again to display the data. You can also use the Time Span section to filter data by the duration or time period during which data is collected.
4. Right-click a line in the list to display a menu. You can select a type of alert from this menu and view additional information about it.
Figure 2-12.
5. From the menu, click Alert Type: ProCurve NBAD Services. A Details window is displayed, providing more information about the security activity, including offender and target information as well as the policy that triggered the alert. You can sort the table in different ways by clicking the category heading at the top of the table (and you can reverse the order of the sort by clicking the category heading a second time).
7. To view alerts, click the Alerts tab in the Security Activity window. You will see a display like the one below.
Figure 2-14. Devices > Security Activity > Alerts Window
8. Use the View breakdown by drop-down list at the right to select how you want to view the information.
9. To view actions that have been triggered by actual security events, click the Actions tab.
2. Click the NIM tab in the right pane.
3. Click the Configuration icon. The Exclusion List is displayed. NIM is preconfigured with several exclusions.
4. In the navigation tree, click the arrow next to ProCurve NBAD Services to expand the category.
Figure 2-15.
5. In the navigation tree, select NIM or a particular ProCurve NBAD Services threat. If you select a particular threat, the Exclusion List displays only exclusions that pertain to that threat type.
Figure 2-16. NIM Configuration > Exclusion List Window
6. In the NIM > Exclusion List window, click Add. The NIM Add Exclusion Entries window is displayed.
Figure 2-17.
7. Under Offender, specify a source device, using its IP address, port, or MAC address.
8. Under Victim, specify a destination device, using its IP address, port, or MAC address.
9. For Comment, type a plain-text comment that describes the purpose of this exclusion. For example, you might enter Test NAT to lab.
10. Click OK. The new exclusion is shown in the Exclusion List tab for that threat type.
Figure 2-19. PCM Event Exclusion Utility
4. In the menu that is displayed, select Exclude offender from security analysis.
Figure 2-20. PCM/NIM Exclude Offender from Security Analysis Window
5. Exclude the device based on MAC address, IP address, or Both MAC and IP.
6. Click OK. The NIM Edit Exclusion Entry window is displayed.
Figure 2-21. NIM Edit Exclusion Entry Window
7. Under Offender, specify a source device, using its IP address, port, or MAC address.
8. Under Victim, specify a destination device, using its IP address, port, or MAC address.
9. For Comment, type a plain-text comment that describes the purpose of this exclusion.
10. Click OK.
Setting the sensitivity can potentially affect the number of false positives and false negatives NIM reports. If you set the sensitivity too high, NIM may identify more false positives, and if you have configured actions for the events, you may shut out traffic that does not actually pose a threat to your network. On the other hand, if you set the sensitivity too low, you risk false negatives.
Task: Make a List of Security Events
The tasks outlined in the “First Time Through the Process” on page 2-4 provide the information you need to make a list of security events on your network. For each event on the list, and for each significant variation in time and location, note the action that you want to take.
Table 2-1.
Step 2: Detect Threats
This section outlines the activities you might engage in as you set up alerts to detect threats on your network. These activities follow the “Detect threats” phase of the security management life cycle. (See Figure 2-1 on page 2-3.) They also match the design steps discussed in Chapter 4: “Design” in the HP ProCurve Threat Management Solution Design Guide.
5. In the ProCurve NBAD Services window, click New. The Create Alert window is displayed.
Figure 2-23. Create Alert Window
6. Under Select the Alert Type to Create, select Security:ProCurve NBAD Services Alert.
7. For Name, type a name for your alert.
8. Optionally, type a description for the alert.
9. Click OK. Your alert’s name is displayed in the list of ProCurve alerts.
10.
Figure 2-24. Policy Manager > Alerts > Configuration Window
11. Configure the properties of the alert:
a. Select a threat type from the Threat Type drop-down list. (This list reflects all the ProCurve NBAD Services event types listed in the navigation tree of the Policy Manager window.)
b.
12. Click Apply to complete the alert definition.
Edit Alerts. You can edit alerts by completing the following steps:
1. Select the name of the alert in the navigation tree.
2. In the right pane, click the Configuration tab.
3. Change the alert configuration settings as needed.
4. Click Apply. If the alert is part of an existing policy, the following prompt is displayed.
Figure 2-25. Enabled Policies Warning Window
5.
Step 3: Respond to Threats
This section discusses the activities you might engage in to define actions for NIM events. These activities follow the “Respond to threats” phase of the security management life cycle (see Figure 2-1 on page 2-3), and they match the design steps discussed in Chapter 4: “Design” in the HP ProCurve Threat Management Solution Design Guide.
Figure 2-26. PCM+ Dashboard
If the default setting has been changed, you can disable policy execution by completing the following steps:
1. Open the Preferences window by completing one of the following:
• Click Tools > Preferences.
or
• Click the Preferences icon in the toolbar.
2. In the navigation tree, click Policy Management.
3.
Figure 2-27. PCM/NIM Global: Policy Management Window
4. Click OK.
Second and Subsequent Times Through the Process
To set up actions for responding to threats, perform the tasks below.
Task: Define an Action
In this task, you will define an action that can be used to respond to an alert, which indicates a possible network threat. (In the next task, you will associate the alert with the action, thereby creating a policy.
Figure 2-28. Create an Action Window
4. Select an action. You can select from a list that contains all of the actions available to PCM+. The actions most likely to be relevant to network immunity are listed below.
• MAC Lockout—Lock out a MAC address from a switch or access point.
• MAC Mirroring—Set up MAC mirroring.
• Policy Manager: Display Message Dialog—Display a message on the management console.
7. Click OK. A window for the action is displayed. The tabs on the window vary, depending on the type of action you select.
Figure 2-29.
8. Click all the tabs in the window that is displayed and enter parameters to define the action.
Figure 2-30. Policy Manager > Actions > Window
9. Click Apply to finish creating the action.
Modify an Action. To modify the action, complete the following steps:
1. In the navigation tree, select the action.
2. Click Edit. Modify the action settings as necessary.
3. Click Apply.
Delete an Action.
Task: Define a Policy
NIM takes an action only in response to an alert. The relationship between an alert and an action is established by a policy. To define a policy, complete the following steps:
1. Open the Policy Manager window by completing one of the following:
• Click Tools > Policy Manager.
or
• Click the Policy Manager icon
2. In the navigation tree, select the Policies option.
8. Click the Times tab.
Figure 2-33. Policy Manager > shut Window
9. Configure when the policy will be enforced:
a. Any time—If you want the policy to be triggered any time its alert occurs, leave Any time as the setting for Selected Times.
b.
Figure 2-34. Configure Times Window
The Configure Times window displays times that are already configured.
i. Click the Create a new time icon. The Create a new Time window is displayed.
Figure 2-35. Create a new Time Window
ii. For Name, type a name that represents the time or period of time that you are configuring.
iii. Under Time, select All day or select From and specify a time range.
iv. Under Days of week, select one of the following:
– Every day
– Weekdays
– Weekends
– Custom
i. If you select Custom, select the days of the week when you want the policy enforced.
10. Click the Sources tab to configure sources from which an alert must originate to trigger the policy.
Figure 2-36. > Sources Window
11. Specify the source:
Note When specifying a source, be extremely careful. Keep in mind that the source is the device that sends the sFlow data—not necessarily the device to which the offender is connected.
a.
12. Click the Targets tab.
13. Select the target device(s) to which the actions will be applied. In most cases, you will probably target the source of the alert.
Figure 2-37.
14. Click the Alerts tab.
15. Select an alert type from the Available Alerts list. If the alert you want does not exist, you can create it as explained in “Task: Set Up ProCurve NBAD Services Alerts” on page 2-24.
16. Click the >> button to move the alert to the Selected Alerts list. Note that you can specify multiple alerts.
Figure 2-38.
17. Click the Actions tab.
Figure 2-39. > Actions Window
18. In the Available Actions list, select the action that you want the policy to execute when the configured alert is received. If the action you want is not in the Available Actions list, you can create it as explained in “Task: Define an Action” on page 2-30.
19. Click the >> button to move the action to the Selected Actions list.
By default, policies are enabled when they are created. From time to time you might want to disable the execution of some policies and enable others. To disable or enable a policy, complete the following steps:
1. Open Policy Manager by completing one of the following:
• Click Tools > Policy Manager.
or
• Click the Policy Manager icon in the toolbar.
2. Click the Policies option in the navigation tree.
2. Click Policy Management in the navigation tree.
3. In the Configuration Changes section of the Global: Policy Management panel, select Enable policy actions.
Figure 2-41. > Global: Policy Management Panel
4. Click Apply and close the window.
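The settings configured in the policy tasks above (selected alerts, sources, times, the per-policy enabled state, and the global Enable policy actions option) combine into one decision about whether an action runs. The sketch below is an added illustration of that decision, not HP code and not NIM's implementation; the class names, device names and alert name are made up for the example, and a From time range is assumed not to cross midnight.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import List, NamedTuple, Optional, Set, Tuple

WEEKDAYS = frozenset({0, 1, 2, 3, 4})   # Monday..Friday, as in datetime.weekday()
WEEKENDS = frozenset({5, 6})
EVERY_DAY = WEEKDAYS | WEEKENDS


@dataclass
class TimeWindow:
    """One entry of the kind created in the Create a new Time window."""
    name: str
    days: frozenset = EVERY_DAY        # Every day / Weekdays / Weekends / Custom
    start: Optional[time] = None       # start and end of None model "All day"
    end: Optional[time] = None

    def contains(self, when: datetime) -> bool:
        if when.weekday() not in self.days:
            return False
        if self.start is None or self.end is None:
            return True
        return self.start <= when.time() <= self.end   # assumes start <= end


@dataclass
class Alert:
    alert_type: str   # name of an alert defined in Policy Manager
    source: str       # device that sent the sFlow data
    offender: str     # host the event is about


@dataclass
class Policy:
    name: str
    alerts: Set[str]      # Selected Alerts
    actions: List[str]    # Selected Actions
    sources: Set[str]     # Sources tab
    targets: List[str]    # Targets tab
    times: List[TimeWindow] = field(default_factory=list)  # empty models "Any time"
    enabled: bool = True  # policies are enabled when they are created


class Decision(NamedTuple):
    matched: bool
    reason: str
    executed: List[Tuple[str, str]]   # (action, target) pairs that would run


def evaluate(policy: Policy, alert: Alert, when: datetime,
             policy_actions_enabled: bool) -> Decision:
    """Model of the gating described in this chapter (illustrative only)."""
    if not policy.enabled:
        return Decision(False, "policy disabled", [])
    if alert.alert_type not in policy.alerts:
        return Decision(False, "alert not selected in policy", [])
    if alert.source not in policy.sources:
        return Decision(False, "alert source not selected in policy", [])
    if policy.times and not any(w.contains(when) for w in policy.times):
        return Decision(False, "outside configured times", [])
    if not policy_actions_enabled:
        # The alert matches, but the global option keeps actions from running.
        return Decision(True, "matched; Enable policy actions is off", [])
    pairs = [(a, t) for a in policy.actions for t in policy.targets]
    return Decision(True, "matched; actions executed", pairs)


# Constructed sample data: all device and alert names are hypothetical.
AFTER_HOURS = TimeWindow("weeknights", WEEKDAYS, time(18, 0), time(23, 59))
LOCKOUT = Policy(
    name="lockout-after-hours",
    alerts={"lab-nbad-alert"},
    actions=["MAC Lockout"],
    sources={"core-switch"},          # the device exporting sFlow
    targets=["edge-switch-2"],
    times=[AFTER_HOURS],
)
TUESDAY_EVENING = datetime(2009, 5, 5, 20, 0)
SATURDAY_EVENING = datetime(2009, 5, 9, 20, 0)
FROM_CORE = Alert("lab-nbad-alert", source="core-switch", offender="10.0.2.15")
FROM_EDGE = Alert("lab-nbad-alert", source="edge-switch-2", offender="10.0.2.15")

if __name__ == "__main__":
    for label, alert, when, flag in [
        ("first pass, actions off", FROM_CORE, TUESDAY_EVENING, False),
        ("actions on", FROM_CORE, TUESDAY_EVENING, True),
        ("weekend", FROM_CORE, SATURDAY_EVENING, True),
        ("wrong source", FROM_EDGE, TUESDAY_EVENING, True),
    ]:
        print(label, "->", evaluate(LOCKOUT, alert, when, flag))
```

The "wrong source" case is the mistake the Sources note warns about: selecting the switch the offender is plugged into instead of the device that sends the sFlow data means the policy never matches.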
Step 4: Analyze Events
This section helps you analyze the events that are detected on your network so you can refine your NIM policies to better protect your network and reduce the chance of false positives.
4. The Identify Threat window is the first to display. It describes the possible causes of the selected event. Read the description.
Figure 2-42. NBAD Diagnostic Wizard > Identify Threat Window
5. Click Next.
6. The Identify False Positives window describes possible circumstances—other than actual attacks—that might cause the event.
Figure 2-43. NBAD Diagnostic Wizard > Identify False Positives Window
7. Click Next. The Analyze Threat window presents information about the event so that you can analyze it further. The text box lists known information, such as the offender(s) and victim(s).
Figure 2-44. NBAD Diagnostic Wizard > Analyze Threat
Note If IDM is installed and the offender logged in to the network, the wizard will show the offender’s user name.
a. Click Event History to see the full event history of the offender.
b. Click Policy History to see the policy history of the offender.
c. Click Show Map to see the offender in a network map.
d. Click Next.
Figure 2-45. NBAD Diagnostic Wizard > Suggested Actions
9. Click Next.
10. The Execute Action window describes the action you selected in the previous window. If the action is satisfactory, click Execute. If it is not, click Back to make different selections, and then click Execute. When the action completes, click Next.
11. The final window of the wizard shows the action that was taken.
Event Log. To view the event log, complete the following:
1. In the PCM+ navigation tree, select a group or device. The selected object’s window is displayed.
2. Click the Events tab. The event log is displayed.
3. Click an event in the list to see the event details in the Event Details box below the event list.
Figure 2-46. PCM+/IDM Users Window
This example shows that an offender tried to move to another port to connect to the network. Because NIM-IDM integration is enabled, IDM mitigates the attacker.
5. Click Close.
3 HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS
Contents
  Overview
  Step 1: Establish a Policy
    First Time Through the Process

    Task: Configure a Fortinet FortiGate UTM Device
      Subtask: Set Up the UTM Device and Load the Operating System
      Subtask: Set Up Communication with PCM+ and NIM
      Subtask: Configure IPS Settings and Logging on the Fortinet UTM Device
Overview
This chapter outlines the activities that you might engage in to set up an HP ProCurve Threat Management Solution that includes the following:
■ HP ProCurve Manager Plus (PCM+) 3.0
■ HP ProCurve Network Immunity Manager (NIM) 2.0
■ HP ProCurve Identity Driven Manager (IDM) 3.
Figure 3-1.
Step 1: Establish a Policy
In this first step, you will establish a policy for NIM’s Network Behavior Anomaly Detection (NBAD) events. In “Step 2: Detect Threats” on page 3-25, you will integrate your third-party security device with NIM and configure a policy to support events from that device.
Figure 3-2. PCM+ Dashboard
You can now complete the tasks to configure NIM for your environment.
Task: Ensure Policy Execution Is Disabled
A policy combines an alert with an action. A setting in the Policy Management window determines whether NIM executes a policy action when the corresponding alert occurs. By default, this setting is disabled.
Figure 3-3. Preferences Window
2. Click Policy Management in the navigation tree.
3. In the Configuration Changes section of the Global: Policy Management window, ensure that the Enable policy actions option is not selected. (This is the default setting.)
Figure 3-4. Policy Management > Global Policy Management Window
4. Click OK.
Optional Task: Consider Interaction with IDM
If you are running IDM, IDM automatically interacts with NIM.
Task: Start Event Collection
You probably do not have to do anything to start event collection because NIM’s event collection is enabled by default and PCM+ displays events by default. However, you may want to verify that NIM is collecting and displaying events. To enable event collection (or to verify that event collection is enabled), complete the following steps:
1.
Figure 3-6. Agent Manager > NIM Window
3. Under Security/Monitoring Status, ensure that the Enable option is selected. To globally disable event collection, select the Disable option.
4. Click Configuration. Event types are listed in the navigation tree.
Figure 3-7. NIM Configuration Window
5. Click the arrow next to ProCurve NBAD Services to expand it.
6. By default, NIM monitors traffic for all NIM events. To check an event, select it in the navigation tree and click the Monitoring tab in the right pane. The Enable Security Monitoring option should be selected.
Figure 3-8.
7. If you do not want to monitor a particular type of event, simply clear the Enable Security Monitoring option. You can also configure the sensitivity of the analysis on this window. Configuring these settings is described later in this chapter.
8. Click Close and then click OK.
Task: View Events
To view the events collected by PCM+ and NIM, complete the following steps:
1.
Task: Check the Results
In addition to viewing the event list, you can see summaries of the event activity in the Security Activity windows. The information on these windows can be displayed according to offenders, alerts, and actions. The Security Activity windows provide a flexible view of event activities and may become your primary source for a quick understanding of the activity on your network.
3. Click the arrow next to Filtering. You will now see two sections:
• Filters—The filters allow you to display particular data. Clear a filter to remove data from the display and select it again to display the data. You can also use the Time Span section to filter data by the duration or time period during which data is collected.
4. Right-click a line in the list to display a menu. You can select a type of alert from this menu and view additional information about it.
Figure 3-12.
5. From the menu, click Alert Type: ProCurve NBAD Services. A Details window is displayed, providing more information about the security activity, including offender and target information as well as the policy that triggered the alert.
7. To view alerts, click the Alerts tab in the Security Activity window. You will see a display like the one below.
Figure 3-14. Devices > Security Activity > Alerts Window
8. Use the View breakdown by drop-down list at the right to select how you want to view the information.
9. To view actions that have been triggered by actual security events, click the Actions tab.
2. Click the NIM tab in the right pane.
3. Click the Configuration icon. The Exclusion List is displayed. NIM is preconfigured with several exclusions.
4. In the navigation tree, click the arrow next to ProCurve NBAD Services to expand the category.
Figure 3-15.
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS Step 1: Establish a Policy 5. In the navigation tree, select NIM or a particular ProCurve NBAD Services threat. If you select a particular threat, the Exclusion List displays only exclusions that pertain to that threat type. Figure 3-16. NIM Configuration > Exclusion List Window 6. In the NIM > Exclusion List window, click Add. The NIM Add Exclusion Entries window is displayed. Figure 3-17.
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS Step 1: Establish a Policy 7. Under Offender, specify a source device, using its IP address, port, or MAC address. 8. Under Victim, specify a destination device, using its IP address, port, or MAC address. 9. For Comment, type a plain-text comment that describes the purpose of this exclusion. For example, you might enter Test NAT to lab. 10. Click OK. The new exclusion is shown in the Exclusion List tab for that threat type.
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS Step 1: Establish a Policy Figure 3-19. PCM Event Exclusion Utility 4. In the menu that is displayed, select Exclude offender from security analysis. Figure 3-20. PCM/NIM Exclude Offender from Security Analysis Window 5. Exclude the device based on MAC address, IP address, or Both MAC and IP. 6. Click OK. The NIM Edit Exclusion Entry window is displayed.
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS Step 1: Establish a Policy Figure 3-21. NIM Edit Exclusion Entry Window 7. Under Offender, specify a source device, using its IP address, port, or MAC address. 8. Under Victim, specify a destination device, using its IP address, port, or MAC address. 9. For Comment, type a plain-text comment that describes the purpose of this exclusion. 10. Click OK.
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS Step 1: Establish a Policy Setting the sensitivity can potentially affect the number of false positives and false negatives NIM reports. If you set the sensitivity too high, NIM may identify more false positives, and if you have configured actions for the events, you may shut out traffic that does not actually pose a threat to your network. On the other hand, if you set the sensitivity too low, you risk false negatives.
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS Step 1: Establish a Policy Task: Make a List of Security Events The tasks outlined in the “First Time Through the Process” on page 3-5 provide the information you need to make a list of security events on your network. For each event on the list, and for each significant variation in time and location, note the action that you want to take. Table 2-1.
Step 2: Detect Threats
The threat detection phase of the security management life cycle is shown in Figure 3-1 and discussed in Chapter 4, “Design,” of the HP ProCurve Threat Management Solution Design Guide. This section guides you through the activities that will enable threat detection on your network.
Figure 3-23. Configuring Local Mirroring
f. Select Local Monitoring.
g. Click Enable Mirror Port.
Figure 3-24. Enabling the Port for Local Monitoring
h. Click Close.
2. Set up the monitor port (source of the traffic).
a. Select the source port in the port list.
b. Click the Tools Menu icon on the toolbar and select Monitor Port.
c. Click a destination port in the list to select it.
Figure 3-25. Selecting a Local Destination Port
d. Click OK. The port list indicates which ports are monitoring and being monitored.
Figure 3-26.
Set Up Remote Mirroring
When the source port (the traffic of interest) and the destination port (the IDS) are on different switches, the process uses remote mirroring. Mirrored traffic between the source and destination switches is encapsulated in an IPv4 tunnel. Static remote port mirroring is similar to static local port mirroring, described previously.
Figure 3-27. Configuring Remote Mirroring
f. Select Remote Monitoring.
g. Click Enable Mirror Port.
Figure 3-28. Enabling the Port for Remote Mirroring
h. Click the source switch in the list that appears.
i. Click OK.
j. Click Close.
3. Set up the monitor port (source of the traffic).
a. Select the destination switch from the list of groups and devices in the left navigation tree.
b. Click the Port List tab.
c. Click the Port Status subtab.
d. Select the destination port in the list.
e. Click Tools on the toolbar and click Monitor Port in the menu.
f. Click a destination port in the list to select it.
Figure 3-29.
3. Use the command-line interface (CLI) to set the 4200 Series Sensor’s IP address and the access list that lets you use the sensor’s Web browser interface. For example, the following commands assign the sensor an IP address of 172.30.2.207 with a subnet mask of 255.255.255.0 and a default gateway of 172.30.2.1. The access-list command allows access only from a management station at 172.30.2.
Figure 3-31. The Java Tab in Java 1.5
iv. Click View under Java Applet Runtime Settings.
Figure 3-32. Java 1.5 Runtime Settings
v. In the Java Runtime Parameters field, type -Xmx256m.
vi. Click OK.
vii. Click OK.
5. Open the 4200 Series Sensor’s Web browser interface by typing https:// in a browser’s address bar. (You may need to accept security certificates a few times.
7. Scroll down (if necessary) and select Update Sensor.
Figure 3-33. Updating Sensor Software
8. 9. In the right pane, specify the location of the update package file.
Subtask: Set Up Communication Between the Cisco IPS 4200 Series Sensor and PCM+/NIM
PCM+ uses SNMP to communicate with the devices it manages. To enable PCM+/NIM to receive SNMP traps and other SNMP communications from the Cisco 4200 Series Sensor, you must configure SNMP settings on the sensor to match those configured in PCM+/NIM:
1. Click Run IDM.
2. Click Configuration on the toolbar.
3.
d. Optionally, type information in the Sensor Contact and Sensor Location fields.
e. Accept the default Sensor Agent Port of 161, unless you are using a different port in PCM+.
f. Accept the default Sensor Agent Protocol of UDP, unless you are using TCP in PCM+.
g. Click Apply.
6. In the navigation bar, select SNMP > Traps Configuration.
7. Configure SNMP trap settings.
a.
g. Click OK.
h. Click Apply.
Subtask: Discover the Cisco IPS 4200 Sensor in PCM+
Test your communications setup by checking to see whether PCM+ discovers the Cisco 4200 Series Sensor using the PCM+ Manual Discovery Wizard. Complete the following steps:
1. Open the PCM+ management interface.
2. Click Tools > Manual Discovery.
3. When the Welcome window is displayed, click Next.
4.
Subtask: Synchronize Time Between the Cisco IPS 4200 Sensor and PCM+
You should synchronize the time between the Cisco 4200 Series Sensor and PCM+. Doing so makes it much easier to identify an event at the sensor as the same one that is received at the management station.
Subtask: Configure Detection Options
You can configure detection options and actions to control how the Cisco 4200 Series Sensor detects malicious traffic on your network and responds to it. You can configure three types of options:
■ Signature definitions—Signatures are templates that describe malicious behavior on the network, such as the behavior of viruses and other malware, and define responses to those behaviors.
Figure 3-38. Adding a New Policy
d. Click OK. The new policy is displayed in the list of policies in the navigation bar.
4. Configure signature definitions.
a. If necessary, expand Signature Definitions in the navigation bar.
b. In the expanded list in the navigation bar, select the policy that you want to configure.
c. Configure actions. You might want to define which actions are performed if an event occurs.
Figure 3-39. Editing the Actions in a Signature Policy
iv. Select the actions you want to assign that signature. The default action for the 3002 TCP SYN Port sweep signature shown in Figure 3-39 is Produce Alert. Accept that action because it creates an entry in the sensor’s log.
v. Click OK. The new actions are added to the Actions column for the signature.
Figure 3-40. Signature Window Showing New Actions
vi. Make sure the Enabled checkbox is selected. If it is not, select it. By default, when the sensor takes an action it maintains that action until you reverse it manually.
Figure 3-41. Creating a Timeout for Signature Actions
An Alert Interval check box and option are listed under the Specify Alert Interval entry.
iv. Set the Alert Interval checkbox and set a value, in seconds.
Figure 3-42. Specifying an Alert Interval in the Edit Signature Window
Note that green check marks identify the entries you selected.
v. Click OK.
vi. Click Apply.
6. Configure the event action rules, which control the sensor’s response to events on the network and allow you to tune the sensitivity of that response.
e. In the right pane, click Add. The Add Event Action Override window is displayed.
Figure 3-43. Overriding Event Action Defaults
f. For Risk Rating, select LOWRISK.
g. Select the check box in the Assigned column of the Deny Packet Inline (inline) action. Make sure the corresponding Enabled check box is selected.
h. Click OK.
7.
c. In the right pane, click the Operation Settings tab.
d. Make sure the Enable Ignored IP Addresses check box is selected.
Figure 3-44. Excluding IP Addresses from Anomaly Detection
e. Enter the IP addresses of the devices you want to exclude from anomaly detection in the Source IP Addresses and Destination IP Addresses boxes, as appropriate.
f. Click Apply.
Figure 3-45. Sample Network Illustrating an Inline IPS
This section describes the additional setup required if you are using the Cisco 4200 Series Sensor as an IPS. Configuring NIM’s response to the threat is covered in “Step 3: Respond to Threats” on page 3-126. To set up the Cisco 4200 Series Sensor as an IPS, complete the following steps:
1. Check the current sensor configuration.
a.
c. Click Summary to display the state of all the interfaces. The example configuration uses a four-port sensor, and by default that sensor is configured as shown in Figure 3-46.
Figure 3-46. The Interfaces Summary Window
2. Enable two interfaces. To use the sensor as an IPS, you need to use two of its ports (interfaces) as an interface pair.
a. In the left navigation bar, click Interfaces.
b.
Figure 3-47. Enabling Interfaces
3. Create an inline interface pair. In normal operation, a packet enters the sensor on the first interface of the pair and exits on the second interface. If the sensor detects an attack, it denies the packet and does not send it out the second interface.
a. Click Interface Pairs in the navigation bar.
b. Click Add. The Add Interface Pair window is displayed.
c.
Figure 3-48. Adding an Interface Pair
4. Click OK. The interface pair information is displayed in the main Interface Pairs window.
Figure 3-49. The Interface Pairs List
a. Click Apply.
5. Set up a virtual sensor.
a. At the bottom of the left navigation bar, click the Policies tab.
b. Click IPS Policies.
c. Click Add Virtual Sensor.
d. Enter a name for the virtual sensor. Optionally, you can add a description.
e.
i. Set the AD Operational Mode to Inactive. (The sensor documentation recommends a setting of Inactive for one-directional traffic, such as that through an IPS interface pair.
7. Optionally, test the IPS configuration to verify that it is responding to malicious traffic.
a. You can use port scanning software to probe ports on your network in such a way that the sensor detects it as malicious traffic. A common program for scanning ports in this way is NMAP (which is available at www.insecure.org).
Figure 3-52. Viewing Events in the Cisco IPS 4200 Series Sensor
c. Verify that PCM+ sees the events. The PCM+ event log includes events the sensor forwarded as SNMP traps.
i. Return to the PCM+ management interface.
ii. Select the device or group in the navigation tree where you expect to see events from the sensor.
iii. Click the Events tab in the right pane. This displays the PCM+ event log.
Figure 3-53. Cisco IPS 4200 Series Sensor Events Listed in PCM+ Events Window
Once you are confident that sensor events are being reported to PCM+, you can set up a non-ProCurve Security Devices alert in NIM’s Policy Manager to capture the event, and you can set up a policy to respond to the alert with an action.
Figure 3-54. Sample Network with Cisco 4200 Series Sensor Operating as an IDS
The procedure covers only the setup of the sensor for IDS operation; NIM’s response to the threat is covered in “Step 3: Respond to Threats” on page 3-126. To set up the sensor as an IDS, complete the following steps:
1. Manually set up local mirroring in PCM+ as instructed in “Set Up Local Mirroring” on page 3-25.
2.
Figure 3-55. Selecting an Interface for the IDS
3. Set up a virtual sensor.
a. At the bottom of the navigation bar, click the Policies tab.
b. Click IPS Policies.
c. Click Add Virtual Sensor.
d. For Virtual Sensor Name, type a name.
e. Optionally, add a description.
f. Select a promiscuous interface (suitable for IDS monitoring) from the Interfaces list. Click Assign.
g.
Figure 3-56. Adding a Virtual Sensor
k. Optionally, click the double arrow icon to change the default values under Advanced Options:
i. Specify how the sensor tracks inline TCP sessions (by Interface and VLAN, VLAN Only, or Virtual Sensor). The default is Virtual Sensor. This is almost always the best option to choose.
ii. Select the Normalizer mode (Strict Evasion Protection or Asymmetric Mode Protection).
l.
b. Find the event in the sensor’s event log:
i. Click Monitoring in the toolbar.
ii. In the left navigation bar, click Events. Select options to view the events in which you are interested.
Figure 3-57. Setting Parameters for the Events List
iii. Click View to see the event list. Depending on the options you have selected, the event list will display a variety of detected events.
iii. Click the Events tab in the right pane. This displays the PCM+ event log. Your event will be in the log (as long as you specified an action of Request SNMP Trap in the signature definition and set an appropriate risk rating range in the event action override). Given the number of events that PCM+ logs, knowing the time the event occurred on the sensor will help you to locate it.
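
The time-synchronization subtask and the step of locating a sensor event in the PCM+ event log both come down to matching two event lists whose clocks may disagree. The following Python code is an added example, not part of the HP guide or of PCM+/NIM: it estimates the clock offset between a sensor log and a management-station log, pairs the events, and lists sensor events for which no trap arrived. The record layout and all sample values are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data, not taken from a real sensor or from PCM+.
# Each record: (timestamp, offender IP, signature name).
SENSOR_LOG = [
    ("2009-05-12 10:15:02", "192.0.2.50", "TCP SYN Port Sweep"),
    ("2009-05-12 10:15:40", "192.0.2.50", "TCP SYN Port Sweep"),
    ("2009-05-12 10:17:11", "192.0.2.77", "ICMP Echo Reply"),
    ("2009-05-12 10:20:30", "192.0.2.50", "TCP SYN Port Sweep"),
]
MGMT_LOG = [
    ("2009-05-12 10:17:10", "192.0.2.50", "TCP SYN Port Sweep"),
    ("2009-05-12 10:17:47", "192.0.2.50", "TCP SYN Port Sweep"),
    ("2009-05-12 10:19:19", "192.0.2.77", "ICMP Echo Reply"),
]


def load(records):
    """Turn (timestamp, offender, signature) tuples into (datetime, key) pairs."""
    return [(datetime.strptime(ts, FMT), (src, sig)) for ts, src, sig in records]


def estimate_offset(sensor, mgmt, bucket=10):
    """Estimate management clock minus sensor clock, in seconds.

    Every pair of events with the same offender and signature votes with its
    time difference. True pairs agree on one value (skew plus trap delay),
    false pairs scatter, so the fullest bucket wins and its median is returned.
    """
    deltas = [
        (m_time - s_time).total_seconds()
        for s_time, s_key in sensor
        for m_time, m_key in mgmt
        if s_key == m_key
    ]
    if not deltas:
        return None
    winner, _ = Counter(d // bucket for d in deltas).most_common(1)[0]
    return median(d for d in deltas if d // bucket == winner)


def correlate(sensor, mgmt, offset, tolerance=5):
    """Pair each sensor event with the closest unused management event.

    Returns (matched, unmatched). matched holds (sensor_time, mgmt_time, key);
    unmatched holds sensor events with no management event of the same key
    within `tolerance` seconds of the skew-corrected time.
    """
    shift = timedelta(seconds=offset)
    limit = timedelta(seconds=tolerance)
    used = set()
    matched, unmatched = [], []
    for s_time, s_key in sensor:
        expected = s_time + shift
        best = None
        for i, (m_time, m_key) in enumerate(mgmt):
            if i in used or m_key != s_key:
                continue
            gap = abs(m_time - expected)
            if gap <= limit and (best is None or gap < best[0]):
                best = (gap, i)
        if best is None:
            unmatched.append((s_time, s_key))
        else:
            used.add(best[1])
            matched.append((s_time, mgmt[best[1]][0], s_key))
    return matched, unmatched


def run_demo():
    """Run the estimate and the pairing over the constructed logs."""
    sensor, mgmt = load(SENSOR_LOG), load(MGMT_LOG)
    offset = estimate_offset(sensor, mgmt)
    return offset, correlate(sensor, mgmt, offset)


if __name__ == "__main__":
    offset, (matched, unmatched) = run_demo()
    print(f"estimated clock offset: {offset:+.0f} s")
    for s_time, m_time, key in matched:
        print(f"sensor {s_time:%H:%M:%S} -> station {m_time:%H:%M:%S} {key}")
    for s_time, key in unmatched:
        print(f"no trap received for sensor event {s_time:%H:%M:%S} {key}")
```

An unmatched sensor event is the case the guide's parenthetical describes: the signature lacks the trap action, or the risk rating range in the override does not cover it.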
2. Connect a network cable from the computer's network interface to an Internal port on the UTM device.
3. Open a Web browser and enter https://192.168.1.99 in the address bar. (Be sure to use https.) You might need to click Yes or OK a few times to get through security warnings or to accept digital certificates.
4. When the login window is displayed, type admin for Name and click the Login button.
Figure 3-59. Setting the Session Timeout Interval
d. For Idle Timeout, enter a value in minutes.
e. Click the Apply button.
6. Optionally, set the system time on the UTM device to match the system time on your management station. (This makes it easier to correlate events.)
a. In the navigation bar, click System.
b. Click Status.
c. In the System Time field, click Change.
Figure 3-60. The Time Settings Window
d. e.
7. If your UTM device does not have the current operating system, install it now.
a. In the navigation bar, click the System tab.
b. Click Status.
c. In the Firmware Version section, click Update.
Figure 3-61. Updating the FortiGate Operating System
d. Click Browse, browse to the .out firmware file you downloaded earlier, select it, and click Open. The file path will appear in the Upload File section.
e.
8.
Figure 3-62. Changing the Operation Mode
c. In the Operation Mode section, click Change.
d. Click the Operation Mode drop-down box and select Transparent.
Figure 3-63. Configuring Operation Settings
e. Type an IP address and subnet mask for the UTM device.
f. Type the IP address for the default gateway.
g. Click Apply. The new IP address is applied to the UTM device, and you lose your connection to the device.
h. Connect a network cable to a port on the UTM device.
i.
Figure 3-64. Enabling the UTM’s SNMP Agent
5. Click the Create New button to create a new SNMP community. The New SNMP Community window is displayed.
6. Define the SNMP community settings.
a. For Community Name, type the community name. To simplify interaction with PCM+, enter public. That is the default community name used by PCM+.
b. In the Hosts section, enter the IP address of PCM+.
Figure 3-65. Configuring New SNMP Community Parameters
Depending on which model of the UTM device you are using and how you are using it in your network, you might use various combinations of interfaces (such as WAN or external interfaces, internal interfaces, or DMZ interfaces). Each interface you use must be configured for SNMP to allow communication with PCM+.
4. Find the interface in the list and click its edit icon in the far right column.
Figure 3-66. Accessing Individual Interface Settings
5. Select the SNMP check box and click OK.
Figure 3-67. Enabling SNMP on an Individual Interface
SNMP access is enabled for that interface.
Figure 3-68. Interface View Showing SNMP Enabled
6. Repeat these steps for each interface you will connect to the network.
If you change your network topology and reconfigure the ports on the UTM device, remember to enable SNMP for any interfaces you add.
You can test your communications setup by checking to see whether PCM+ discovers the UTM device. Complete the following steps:
1.
5. Click Next and enter any information required in the following windows. When PCM+ discovers the UTM device, the device is displayed in the left navigation bar.
Figure 3-69. PCM+ Management Interface Showing Discovered FortiGate UTM Device
Subtask: Configure IPS Settings and Logging on the Fortinet UTM Device
The IPS settings govern how the UTM detects malicious traffic on your network.
To configure the IPS settings, complete the following steps:
1. Set up the signature definitions. The UTM device maintains a table of signatures, and each entry in the table includes, among other things, the name of the signature, whether detection and logging are enabled, the action to be taken by the UTM, and the severity level assigned to the attack.
Figure 3-71. Edit the Action the Fortinet UTM Device Takes in Response to a Threat
You can modify the Echo.Reply signature to simplify the testing of the UTM device’s communication with PCM+/NIM. The Echo.Reply signature is disabled by default. You can enable it to have the UTM device respond to pings. When Echo.
Figure 3-73. Edit Protection Profiles
d. Expand the IPS section to display these settings.
e. For IPS Signature and IPS Anomaly, select which levels of attack cause an event to be logged. If you want the UTM device to be sensitive to all potential threats, select the Low or Information check boxes as well as the more severe settings.
f. Scroll down (if necessary) to the Logging section and expand it.
g. In the IPS section, select the Log Intrusions check box.
Figure 3-75. Enable Logging for IPS Events
h. Scroll down (if necessary) and click OK.
4. Set up logging on the UTM. This allows you to verify that the UTM sees the event activity.
a. In the navigation bar, click the Log & Report tab.
b. Click Log Config.
c. Click Log Setting.
d.
Figure 3-76. Configuring Log Settings
g. Click Apply.
Optional Subtask: Set Up the UTM Device for IPS Operation
When the Fortinet FortiGate UTM device is used as an IPS, it operates in inline mode in the network. Traffic flows through the UTM device until it detects a virus or other threat based on the settings you have configured.
Figure 3-77. Sample Network Illustrating an IPS Device Operating In-Line
The procedure covers only the setup of the UTM device for IPS operation. Configuring NIM’s response to the threat is covered in “Step 3: Respond to Threats” on page 3-126. To set up the UTM device as an IPS, complete the following steps:
1. Connect the network cables to the device.
2.
d. Click the editing icon for the policy row that you selected. The Edit Policy window is displayed.
e. Select the Protection Profile check box to enable a profile, and then select a profile from the drop-down list to the right.
Figure 3-79. Enabling a Protection Profile in a Firewall Policy
f. Click OK.
3. Optionally, test the IPS setup to verify that it is functioning properly.
a. Generate events.
Figure 3-80. Attack Log Summary on the System Status Window
– Alternatively, you can check the UTM device’s log. In the navigation bar, click the Log & Report tab; click Log Access; click the Memory tab; and in the Log Type list at the top of the report, select Attack Log. The detailed log of attacks is displayed.
Figure 3-81.
c. Verify that PCM+ receives the events. The event log in PCM+ shows events from the sensor that are forwarded to PCM+/NIM as SNMP traps. To see an event in the PCM+ Event window, complete the following steps:
i. In the left navigation tree, click a group or device.
ii. Click the Events tab in the right pane.
Note that this IDS configuration works only with static port mirroring (either local or remote). It does not work with dynamic mirroring reconfiguration under the control of NIM. Figure 3-83 shows the sample network used to illustrate the IDS setup procedure. The procedure covers only the setup of the UTM device for IDS operation; NIM’s response to the threat is covered in “Step 3: Respond to Threats” on page 3-126.
Figure 3-84. Selecting a Port to Act as Sniffer
In the example network, the UTM device’s WAN1 port is the management port, and the WAN2 port is the sniffer port.
4. Connect a cable from the management port of the UTM device to the switch. Do not connect the sniffer port yet because this will cause a loop in your network.
5. Make sure that SNMP communications are set up on the UTM device.
Check for successful SNMP communication with PCM+ by using the Manual Discovery Wizard in PCM+ (Tools > Manual Discovery Wizard) to discover the UTM device.
6. In the left navigation bar, click the Firewall tab and then click Policy. Make sure that no policy is configured for the interface pairs on which the sniffer port resides (as either a source or destination).
For the example network, the entire command sequence is listed below:
    config system interface
        edit wan2
            set arpforward disable
            set ips-sniff-mode enable
            set ips-sniff-signature info low medium high critical
            set ips-sniff-anomaly info low medium high critical
    end
8. Connect a cable from the sniffer port of the UTM device to the switch.
Once you are confident that the events from the UTM device are being reported to PCM+, you can set up a non-ProCurve Security Devices alert in NIM’s Policy Manager to capture the event, and you can set up a policy to respond to the event with an appropriate action.
3. Click the device for which you want to download software. A menu (Service Management - Associated Products) of download choices is displayed.
Figure 3-87.
4. Click the View License Keyset link near the top of the window. A new window is displayed, showing the license key for your UTM device in a text box.
Figure 3-88. The Product License Keyset
5. Copy the license key string, paste it into a text editor (such as Notepad), and save it on your network management station. The license key is a long string that extends far past the edges of the text box.
Figure 3-90. Download Center Page
9. Click the link to download the latest version of the SonicOS Enhanced software. You should use version 4.0 or later for operation with NIM. Save the software file on your management station.
10. Return to the Service Management - Associated Products window.
11. Click the Download Signatures link in the left column. The Download Signature Files window is displayed.
Figure 3-91.
Subtask: Return the UTM Device to Its Factory Default Configuration
If your UTM device is not set to its factory default configuration, you can reset it in one of two ways:
■ If you have access to the UTM device’s management interface, do the following:
a. In the left navigation bar, click System > Settings.
b.
Subtask: Set Initial UTM Device Parameters.
5. Click the Boot icon at the right end of the Uploaded Firmware line. The UTM device will reboot, and you will lose your browser connection.
Figure 3-94. Booting the UTM with Uploaded Firmware
6. When the device has finished rebooting, log in again.
Disable the DHCP Services. DHCP is enabled by default. To set up ports for IPS or IDS operation, you should disable it. Complete the following steps:
1.
Figure 3-95. The DHCP Server Window
2. Clear the Enable DHCP Server check box.
3. Click Accept.
Configure SNMP Settings and Discover the UTM Device in PCM+. PCM+ uses SNMP to communicate with all the devices it manages. You must configure SNMP settings on the UTM device, so it can send SNMP traps to PCM+/NIM.
2. Scroll down to the Advanced Management section and make sure that the Enable SNMP check box is selected.
Figure 3-96. Enabling SNMP
3. Click Configure.
4. In the Configure SNMP window that is displayed, configure:
• Get Community Name: public
• Trap Community Name: public
• Host 1: the IP address of the server running PCM+
Figure 3-97. Configuring SNMP Parameters
5. Click OK.
6. Click Accept at the top of the System > Administration window.
PCM+ and your UTM device should now be able to communicate. To test communications with PCM+:
1.
Figure 3-98. The SNMP Window of the Manual Discovery Wizard
5. Click Next and take any actions required in the discovery wizard’s subsequent windows. PCM+ should then be able to discover the UTM device.
Figure 3-99.
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS Step 2: Detect Threats Set the UTM Device’s Idle Timeout (Optional). The idle timeout is set to 5 minutes by default. You will probably want to set it to a larger value to avoid having to log in frequently. To set the idle timeout, complete the following steps: 1. In the left navigation bar, click System > Administration. 2. Under Login Security, type a new value in the Log out the administrator after inactivity of (minutes) box.
Figure 3-101. Changing the Password
3. Type the new password for New Password and Confirm Password.
4. Click Accept.

Optional Subtask: Set Up for IPS Operation
To use the SonicWALL UTM device with NIM, you must set it up for either IPS operation (this subsection) or IDS operation (the following subsection). Tasks required for the IPS setup are discussed in the next several pages.
The example network shown in Figure 3-102 uses a UTM device to protect a data center from malicious activity in the rest of the network.
Figure 3-102. A Sample Network Using an IPS Device

Configure the Network Ports. You will need to configure two network ports for inline IPS operation. This section outlines the setup on ports X0 and X1. (On UTM devices with many ports, you can use any two ports.
Figure 3-103. The UTM Device Interfaces Window
3. The Edit Interface X1 window is displayed.
Figure 3-104. The Edit Interface X1 Window
4. Click OK.
5. Click the Configure icon on the X0 line.
6. In the Edit Interface window that is displayed, fill in the following values:
• Zone: LAN
• IP Assignment: Layer 2 Bridged Mode
• Bridged to: X1
• Management: Select the check boxes for all communication types you will use in managing the device.
Figure 3-105. The Edit Interface X0 Window
7. Click OK. These actions apply the X1 port’s IP address to the X0 port. Because this changes the IP address of the port to which your browser is connected, you will lose your browser’s connection to the GUI.
8. On your management station, change the IP address to an address on a valid subnet—one that can communicate with the UTM device’s new IP address.
Figure 3-106. Selecting the Access Rules to Be Displayed
5. Click OK to display firewall rules governing WAN-to-LAN traffic.
Figure 3-107. The Firewall Access Rules Window
6. In the access rules list, click the Configure icon.
7. The Edit Rule window is displayed. In the Action line, click Allow.
Figure 3-108. The Edit Firewall Rule Window
8. Click OK.

At this point your UTM device functions somewhat like an Ethernet cable, allowing traffic to pass in both directions. To test the setup, confirm that packets can pass through the device as follows:
1. From a host on the X0 side of the UTM device, ping a host or device on the X1 side.
2.
Figure 3-109. Copying the License Key String into the Interface
5. Click Submit.

Install the Signatures. The signatures contain the definitions of anomalous behavior that the UTM device detects. To install the signatures, complete the following steps:
1. Access the UTM device’s Web browser interface.
2. In the left navigation bar, click Security Services > Summary.
3.
Figure 3-110. SonicWall Security Services > Intrusion Prevention
6. Click Accept.
7. Click Configure IPS Settings.
8. Select the Enable IP Reassembly check box.
9. Click OK.
10. If you want to fine-tune the response to categories of signatures or to individual signatures, set the Categories drop-down list in the IPS Policies section to All signatures or to a signature category.
3. Select All Categories in the View Styles menu.
Figure 3-111. Categories Window
4. In the Attacks category, select the check boxes for Log, Alerts, and Syslog.
5. Click Accept.

A simple test allows you to verify that intrusion prevention is functioning properly. This test makes use of the Echo Reply signature, which detects the response to a ping. To test the intrusion prevention setup, follow the steps below:
1.
Figure 3-112. A Sample Network Showing an Inline IPS

So far, the setup procedure has configured the UTM device to detect and log malicious traffic. To complete the setup of the device as an IPS, complete the following actions:
1. Make sure the network cables connect the UTM device to your network as an inline IPS. In the example setup, the data center is connected to the X1 (WAN) port on the UTM device.
Figure 3-113. PCM+ Event Log Showing Events from the SonicWALL UTM Device

Once you are confident that the events from the UTM device are being reported to PCM+, you can set up a non-ProCurve Security Devices alert in NIM’s Policy Manager to capture the event. You can also create a policy to respond to the event with an appropriate action. Alerts and policy actions are covered later in this chapter.
Note: ProCurve has tested NIM to interoperate with and take alerts from certain third-party IDS/IPS devices such as the TippingPoint IPS. If a potential interoperability issue is reported to an HP ProCurve Competency Center, ProCurve will assist in confirming whether or not HP ProCurve Network Immunity Manager is functioning correctly, and if it is not, ProCurve will work with you to resolve the issue.
Figure 3-115. TippingPoint Network > Configuration > Network Ports Window
5. To view which software version the TippingPoint IPS is running, click System > Update.
Figure 3-116.
6. If you need to update the TippingPoint software, complete the following steps.
a. Click the TOS/DV Update tab.
Figure 3-117. TippingPoint System > Update > TOS/DV Update Window
b. Under Step 1, click the Threat Management Center link (https://tms.tippingpoint.com) to check for updated software.
c. Log in to the Threat Management Center. You must have an account to access this site.
d.
h. Under Step 4, type the complete path where the software installation package is located, or use the Browse button to locate the software installation package on your workstation or network and then select it.
i. Click Install Package. A progress window is displayed as the upgrade begins.
• Infrastructure Protection—Designed to protect network infrastructure devices such as routers and switches as well as network bandwidth, this category includes:
  – Network Equipment
  – Traffic Normalization
• Performance Protection—Created to prevent applications from consuming bandwidth, these filters prevent legitimate resources from being “choked out.
Figure 3-120. Edit Security Profile Window
3. The default security profile applies to all virtual segments. Typically, you will leave this setting.
4. Under Profile Details (Advanced), edit the subcategory settings.
a. Leave the Enable option selected for the subcategories that you want the TippingPoint IPS to apply to traffic. For the strongest security, leave all the subcategories enabled.
b.
5.
Create a Security Profile. Complete the following steps:
1. Click IPS > Security Profiles.
Figure 3-121.
2. Click Create Security Profile.
Figure 3-122. TippingPoint Create Security Profile Window
3. For Profile Name, type a name. For example, you might type NIM-related.
4. Optionally, type a description to help you remember the purpose of the security profile.
5. Under Virtual Segments, select the traffic that you want this security profile to protect.
a.
6.
The configured security profile is shown below.
Figure 3-123. TippingPoint Create Security Profile Window
7. Click Save.

Subtask: Edit Action Sets
You will now edit the action sets that are used with NIM. Action sets determine what steps the TippingPoint IPS takes if it detects a threat.
1. Click IPS > Action Sets.
Figure 3-124. TippingPoint IPS > Action Sets Window
2. Click the Notification Contacts tab in the right corner.
3. Click Add Contact.
Figure 3-125. TippingPoint Create Contact Window
4. Under Contact Details, configure settings for the PCM+/NIM Server.
a. For Contact’s Name, type a name such as PCM+ Server or NIM Server.
b.
e. Click Create. The server is now listed on the Notification Contacts window, as shown below.
Figure 3-126. TippingPoint Notification Contacts Window
5. Click IPS > Action Sets.
6. Click the pencil icon for Permit + Notify or Permit + Notify + SNMP trap, depending on which TippingPoint IPS you are using. The Edit Action Set window is displayed.
7.
Subtask: Configure SNMP Trap Settings
You will now configure the SNMP Trap settings on the TippingPoint IPS.
1. Click System > Configuration > SMS & NMS.
2. Under NMS Settings, type public for NMS Community String.
3. For NMS Trap IP Address, type the IP address of the PCM+/NIM server.
4. For NMS Trap Port, accept the default of 162 or type the port that your company uses for SNMP traffic.
5.
Figure 3-129. PCM+ Manual Device Discovery Wizard
5. Click Next. The Connection Status window is displayed.
6. If PCM+ successfully establishes communication with the TippingPoint IPS, click Next. (If there is a problem, check the SNMP settings on both the TippingPoint IPS and PCM+ and make sure they match.) The Discovery Status window is displayed.
7. After PCM+ completes its discovery process, click Next.
8.
Figure 3-130. TippingPoint Folder Dashboard in PCM+
10. Select the TippingPoint IPS that PCM+ just discovered.

Task: Configure Non-ProCurve Security Devices Alerts in PCM+
In the last task in Step 1, you made a list of security events that occurred on your network. Now you will set up alerts that correspond to those events.
Subtask: Modify a Default Non-ProCurve Security Devices Alert
At least one default alert is defined for each alert type. To illustrate how you can modify a default alert, this section uses the default TippingPoint alert as an example. To view or modify the default TippingPoint alert, complete the following steps:
1. Open the Policy Manager by clicking Tools > Policy Manager.
2.
4. Click the Configuration tab in the right pane.
Figure 3-132. Default TippingPoint Alert in PCM+ Policy Manager Window
5. Configure settings for triggering the alert:
• Trap OID—By default, the alert can be triggered by any SNMP trap. If you want to limit which SNMP traps trigger the alert, configure this setting.
• Severity—Configure this setting if you want to trigger an alert based on how critical an event is.
• Trap source ID—Configure this setting if you want the alert to trigger if an SNMP trap originates from a particular device. For example, you might enter the IP address of the TippingPoint IPS, such as 10.1.1.6.
• Trap text—Configure this setting if you want the alert to trigger if an SNMP trap contains a particular word or phrase.
6. Configure occurrences and time period settings for the alert.
a.
6. For Name, type a name that is meaningful to you. For example, you might type Custom TippingPoint.
Figure 3-134. PCM+ Create Alert Window
7. Click OK. The new alert is listed in the navigation tree.
8. Select the new alert and click the Configuration tab.
Figure 3-135.
9. Configure settings for triggering the alert:
• Trap OID—By default, the alert can be triggered by any SNMP trap. If you want to limit which SNMP traps trigger the alert, configure this setting.
• Severity—Configure this setting if you want to trigger an alert based on how critical an event is.
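The alert settings described for the default and custom TippingPoint alerts (Trap OID, Severity, Trap source ID, Trap text, occurrences and time period) can be modelled as a filter plus a sliding-window counter. The sketch below is an added example, not PCM+/NIM code; the OID 1.3.6.1.4.1.99999, the severity labels and the sample traps are constructed, and the "N matching traps within the period" semantics are an assumption about how occurrences and time period combine.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

DEVICE_OID = "1.3.6.1.4.1.99999"   # constructed placeholder, not a real vendor OID


@dataclass(frozen=True)
class Trap:
    ts: float        # arrival time in seconds
    source: str      # IP address of the device that sent the trap
    oid: str
    severity: str    # constructed labels: "Low", "Critical"
    text: str


def oid_within(prefix: str, oid: str) -> bool:
    """True if oid equals prefix or lies beneath it, compared arc by arc.

    A plain string startswith() would wrongly accept ...999990 for ...99999.
    """
    want = prefix.strip(".").split(".")
    have = oid.strip(".").split(".")
    return have[:len(want)] == want


@dataclass
class AlertRule:
    name: str
    trap_oid: Optional[str] = None              # None = any trap (the default)
    severities: Optional[FrozenSet[str]] = None
    source_id: Optional[str] = None             # e.g. the IPS address
    trap_text: Optional[str] = None             # word or phrase, case-insensitive
    occurrences: int = 1                        # assumed: matches needed to fire
    period_s: float = 60.0                      # assumed: sliding window length
    hits: deque = field(default_factory=deque, init=False, repr=False)

    def matches(self, trap: Trap) -> bool:
        if self.trap_oid and not oid_within(self.trap_oid, trap.oid):
            return False
        if self.severities and trap.severity not in self.severities:
            return False
        if self.source_id and trap.source != self.source_id:
            return False
        if self.trap_text and self.trap_text.lower() not in trap.text.lower():
            return False
        return True

    def observe(self, trap: Trap) -> bool:
        """Feed one trap; return True when the alert fires."""
        if not self.matches(trap):
            return False
        self.hits.append(trap.ts)
        while trap.ts - self.hits[0] > self.period_s:
            self.hits.popleft()                 # drop matches outside the window
        if len(self.hits) >= self.occurrences:
            self.hits.clear()                   # re-arm after firing
            return True
        return False


def run(rule: AlertRule, traps: List[Trap]) -> List[float]:
    """Return the timestamps at which the rule fires over an ordered trap list."""
    rule.hits.clear()
    return [t.ts for t in traps if rule.observe(t)]


def tuned_rule() -> AlertRule:
    return AlertRule("Custom TippingPoint", trap_oid=DEVICE_OID,
                     severities=frozenset({"Critical"}), source_id="10.1.1.6",
                     trap_text="injection", occurrences=3, period_s=60.0)


# Constructed sample traps, ordered by arrival time.
SAMPLE_TRAPS = [
    Trap(0.0, "10.1.1.6", DEVICE_OID + ".1.2", "Critical", "SQL Injection attempt"),
    Trap(20.0, "10.1.1.6", DEVICE_OID + ".1.2", "Critical", "SQL injection attempt"),
    Trap(25.0, "10.1.1.9", DEVICE_OID + ".1.2", "Critical", "SQL injection attempt"),
    Trap(30.0, "10.1.1.6", "1.3.6.1.4.1.999990.1", "Critical", "SQL injection attempt"),
    Trap(50.0, "10.1.1.6", DEVICE_OID + ".1.2", "Critical", "SQL injection attempt"),
    Trap(200.0, "10.1.1.6", DEVICE_OID + ".1.2", "Critical", "SQL injection attempt"),
    Trap(400.0, "10.1.1.6", DEVICE_OID + ".1.2", "Low", "SQL injection attempt"),
]

if __name__ == "__main__":
    print("default alert fires at:", run(AlertRule("default"), SAMPLE_TRAPS))
    print("tuned alert fires at:  ", run(tuned_rule(), SAMPLE_TRAPS))
```

Comparing the two runs shows why narrowing the trigger matters before any action is attached to the alert: the unfiltered default fires on every trap from every sender, while the tuned rule fires once.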
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS
Step 3: Respond to Threats

You can delete an alert by completing the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, click the arrow next to Alerts and Security.
3. In the navigation tree, select Non-ProCurve Security Devices.
4. In the right pane, select the alert and click Delete.
5. Click Apply.
6.
Figure 3-136. PCM+ Dashboard

If the default setting has been changed, you can disable policy execution by completing the following steps:
1. Open the Preferences window by clicking Tools > Preferences.
2. In the navigation tree, click Policy Management.
3. In the Configuration Changes section of the Global: Policy Management window, make sure the Enable Policy Actions option is cleared.
Figure 3-137. PCM+ Global: Policy Management Window
4. Click OK.

Second and Subsequent Times Through the Process
This section describes how to configure actions for Non-ProCurve Security Devices alerts.
To configure MAC lockout as an action, complete the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, select Actions.
Figure 3-138. PCM+ Manage Actions Window in Policy Manager
3. Click New in the Manage Actions window. The Create New Action window is displayed.
4. Under Select the Action type to create, select MAC Lockout.
5.
Figure 3-139. PCM+ Action Window in Policy Manager
7. Select the MACs in the event checkbox or type the MAC address in the box provided.
8. Click Apply.

Task: Select Enable/Disable Port as an Action
If your third-party device or NIM detects suspicious behavior, you may want to prevent the offender from accessing your network by disabling the associated port.
Figure 3-140. PCM+ Manage Actions Window in Policy Manager
3. Click New in the Manage Actions window. The Create New Action window is displayed.
4. Under Select the Action type to create, select Enable/Disable Port.
5. For Name, type a name that is meaningful to you. For example, you might type just Disable port. The new action is displayed in the navigation tree.
6.
Figure 3-141. PCM+ Action Window in Policy Manager
7. Select Disable.
8. Click Apply.

Task: Select Rate Limiting as an Action
If your third-party device or NIM detects suspicious behavior, you may want to limit the bandwidth the offender can use. To configure a rate limiting action, complete the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, select Actions.
Figure 3-142. PCM+ Manage Actions Window in Policy Manager
3. Click New in the Manage Actions window. The Create New Action window is displayed.
4. Under Select the Action type to create, select Rate Limit.
5. For Name, type a name that is meaningful to you. For example, you might type just Rate limit. The new action is displayed in the navigation tree.
6. Select the new action and click the Rate Limiting tab in the right pane.
Figure 3-143. PCM+ Action Window in Policy Manager
7. Select Configure rate limiting on targeted ports.
8. Select Enable rate limiting.
9. For Rate Limit, type a percentage.
10. Click Apply.
2. In the navigation tree, select Actions.
Figure 3-144. PCM+ Manage Actions Window in Policy Manager
3. Click New in the Manage Actions window. The Create New Action window is displayed.
4. Under Select the Action type to create, select Quarantine VLAN.
5. For Name, type a name that is meaningful to you. For example, you might type just Quarantine VLAN. The new action is displayed in the navigation tree.
6.
7. For Quarantine VLAN ID, type a number, such as 50.
Figure 3-145. PCM+ Action Window in Policy Manager
8. For Port Tag Status, select Tagged or Untagged.
9. Select Create VLAN if it does not exist already.
10. Select Enable rate limiting.
11. For IP config, select Disabled or DHCP. If you select DHCP, type a Subnet Mask in the box provided.
12. Click Apply.
8. Click the Times tab.
Figure 3-146. PCM+ Policy Manager > Window
9. Configure when the policy will be enforced:
a. Any time—If you want the policy to be triggered any time its alert occurs, leave Any time as the setting for Selected Times.
b.
c. New Time—Click New. The Configure Times window is displayed.
Figure 3-147. PCM+ Configure Times Window
The Configure Times window displays times that are already configured.
i. Click the Create a new time icon. The Create a new Time window is displayed.
Figure 3-148. PCM+ Create a New Time Window
ii. For Name, type a name that represents the time or period of time that you are configuring.
iii. Under Time, select All day or select From and specify a time range.
iv. Under Days of week, select one of the following:
  – Every day
  – Weekdays
  – Weekends
  – Custom
If you select Custom, select the days of the week when you want the policy enforced.
i.
Figure 3-149. PCM+ > Sources Window
11. Specify the source:
Note: When specifying a source, be extremely careful. Take into account how the non-ProCurve security devices report the source in an alert.
a. Any source—If you want the policy to act on alerts from any source, leave Any source under Selected Groups.
b.
13. Select the target device(s) to which the actions will be applied. In most cases, you will probably target the source of the alert.
Figure 3-150. PCM+ > Targets Window
14. Click the Alerts tab.
Figure 3-151.
15. Add or remove an alert:
• Add an alert by selecting it in the Available Alerts list and clicking the >> button to move it to the Selected Alerts list. If the alert you want does not exist, you can create it as explained in “Subtask: Create a Non-ProCurve Security Devices Alert” on page 3-123. Note that you can specify multiple alerts.
18. Select one of the following:
• Execute All—NIM performs all actions on all target devices in the specified order.
• Execute Until Success—NIM attempts actions in order on each target device until an action succeeds, then moves on to the next target device.
• Act on Edge Ports Only—NIM attempts the actions on edge ports if the action is port-oriented.
19.
Step 4: Analyze Events
This section helps you analyze the events that are detected on your network so you can refine your NIM policies to better protect your network and reduce the chance of false positives.
In the following example output, VLAN 50 was created on the switch to quarantine a workstation that was sending suspicious traffic:

 Maximum VLANs to support: 256
 Primary VLAN : DEFAULT_VLAN
 Management VLAN :

 VLAN ID Name                 | Status     Voice Jumbo
 ------- -------------------- + ---------- ----- -----
 1       DEFAULT_VLAN         | Port-based No    No
 10      VLAN10               | Port-based No    No
 16      VLAN16               | Port-based No    No
 50      VLAN-5050            | Por
Task: Use the NBAD Diagnostic Wizard
NIM features a tool designed to help you make sense of and respond to NBAD events. You can use the NBAD Diagnostic Wizard to identify the possible cause of an NBAD alert and determine possible solutions. This wizard is especially helpful when you need to quickly resolve an attack detected by the NBAD engine.
Figure 3-155. NBAD Diagnostic Wizard > Identify False Positives Window
7. Click Next. The Analyze Threat window presents information about the event so that you can analyze it further. The text box lists known information, such as the offender(s) and victim(s).
Figure 3-156. NBAD Diagnostic Wizard > Analyze Threat
a. Click Event History to see the full event history of the offender.
b. Click Policy History to see the policy history of the offender.
c. Click Show Map to see the offender in a network map.
d. Click Next.
Note: If IDM is installed, and the offender logged in to the network, the wizard will show the offender’s user name.
Figure 3-157. NBAD Diagnostic Wizard > Suggested Actions
9. Click Next.
10. The Execute Action window describes the action you selected in the previous window. If the action is satisfactory, click Execute. If it is not, click Back to make different selections, and then click Execute. When the action completes, click Next.
11. The final window of the wizard shows the action that was taken.
Event Log. To view the event log, complete the following:
1. In the PCM+ navigation tree, select a group or device. The selected object’s window is displayed.
2. Click the Events tab. The event log is displayed.
3. Click an event in the list to see the event details in the Event Details box below the event list. Use the filters above the event list to filter the events reported in the list.
Figure 3-158. PCM+/IDM Users Window
This example shows an offender who tried to move to another port to connect to the network. Because NIM-IDM integration is enabled, IDM mitigates the attacker.
5. Click Close.
4 HP ProCurve Network Immunity Manager with HP ProCurve Security Devices

Contents
Overview
Step 1: Establish a Policy
  First Time Through the Process
  Task: Configure the TMS zl Module in Monitor Mode
    Subtask: Access the TMS zl Module’s CLI
    Subtask: Configure the Initial Settings for Monitor Mode
    Subtask: Access the Web Browser Interface
Overview
This chapter outlines the activities that you might engage in to set up an HP ProCurve Threat Management Solution that includes:
■ HP ProCurve Manager Plus (PCM+) 3.0
■ HP ProCurve Network Immunity Manager (NIM) 2.0
■ HP ProCurve Identity Driven Manager (IDM) 3.
Figure 4-1. Security Management Life Cycle

To complete the instructions outlined in this chapter, you must have a fully functional PCM+ server with both NIM and IDM installed. Further, you must have configured PCM+ and your network infrastructure devices with the appropriate settings so that they can communicate. PCM+ and NIM must be able to receive sFlow data samples and SNMP traps from network infrastructure devices.
Step 1: Establish a Policy
In this first step, you will establish a policy for NIM’s NBAD events. In “Step 2: Detect Threats” on page 4-26, you will integrate the TMS zl Module with NIM and configure a policy to support events from that device. If this is your first time through the threat management solution design process, perform the activities in “First Time Through the Process” on page 4-5.
Figure 4-2. PCM+ Dashboard
You can now complete the tasks to configure NIM for your environment.

Task: Ensure Policy Execution Is Disabled
A policy combines an alert with an action. A setting in the Policy Management window determines whether NIM executes a policy action when the corresponding alert occurs. By default, this setting is disabled.
If the default setting has been changed, you can disable policy execution by completing the following steps:
1. Open the Preferences window by completing one of the following:
• Click Tools > Preferences.
or
• Click the Preferences icon in the toolbar.
Figure 4-3. Preferences Window
2. Click Policy Management in the navigation tree.
3. In the Configuration Changes section of the Global: Policy Management window, ensure that the Enable policy actions check box is not selected. (This is the default setting.)
Figure 4-4. Global Policy Management Window
4. Click OK.
To enable event collection (or to verify that event collection is enabled), complete the following steps:
1. Open the Agent Manager window by completing one of the following:
• Click Tools > Agent Manager.
or
• Click the Agent Manager icon in the toolbar.
Figure 4-5.
2. Click the NIM tab in the right pane.
Figure 4-6. Agent Manager > NIM Window
3. Under Security/Monitoring Status, ensure that the Enable option is selected. To globally disable event collection, select the Disable option.
4. Click Configuration. Event types are listed in the navigation tree.
Figure 4-7. NIM Configuration Window
5. Click the arrow next to ProCurve NBAD Services to expand it.
6. By default, NIM monitors traffic for all NIM events. To check an event, select it in the navigation tree and click the Monitoring tab in the right pane. The Enable Security Monitoring check box should be selected.
Figure 4-8. NIM Configuration > > Monitoring Window
7. If you do not want to monitor a particular type of event, simply clear the Enable Security Monitoring check box.
Figure 4-9. > Events Window
To view additional event information, see the next task.

Task: Check the Results
In addition to viewing the event list, you can see summaries of the event activity in the Security Activity windows. The information in these windows can be displayed according to offenders, alerts, and actions.
2. Click the Security Activity tab. The Offenders tab is selected by default, so you will see a display similar to the one below.
Figure 4-10. Devices > Security Activity Window
Note: If you are using IDM, offenders are listed by name (rather than IP address or host name), and alert totals are tallied for the name (which might be associated with several IP addresses).
3. Click the arrow next to Filtering. You will now see two sections:
• Filters—The filters allow you to display particular data. Clear a filter to remove data from the display and select it again to display the data. You can also use the Time Span section to filter data by the duration or time period during which data is collected.
4. Right-click a line in the list to display a menu. You can select a type of alert from this menu and view additional information about it.
Figure 4-12.
5. From the menu, click Alert Type: ProCurve NBAD Services. A Details window is displayed, providing more information about the security activity, including offender and target information as well as the policy that triggered the alert.
7. To view alerts, click the Alerts tab in the Security Activity window. You will see a display like the one below.
Figure 4-14. Devices > Security Activity > Alerts Window
8. Use the View breakdown by drop-down list at the right to select how you want to view the information.
9. To view actions that have been triggered by actual security events, click the Actions tab.
3. Click the Configuration icon. The Exclusion List is displayed. NIM is preconfigured with several exclusions.
4. In the navigation tree, click the arrow next to ProCurve NBAD Services to expand the category.
Figure 4-15. NIM Configuration > Exclusion List Window
The Exclusion List shows all of the current exclusions for the category or threat type you select in the navigation tree.
5. In the navigation tree, select NIM or a particular ProCurve NBAD Services threat. If you select a particular threat, the Exclusion List displays only exclusions that pertain to that threat type.
Figure 4-16. NIM Configuration > Exclusion List Window
6. In the NIM > Exclusion List window, click Add. The NIM Add Exclusion Entries window is displayed.
Figure 4-17.
7. Under Offender, specify a source device, using its IP address, port, or MAC address.
8. Under Victim, specify a destination device, using its IP address, port, or MAC address.
9. For Comment, type a plain-text comment that describes the purpose of this exclusion. For example, you might enter Test NAT to lab.
10. Click OK. The new exclusion is shown in the Exclusion List for that threat type.
Figure 4-19. PCM Event Exclusion Utility
4. In the menu that is displayed, select Exclude offender from security analysis.
Figure 4-20. PCM/NIM Exclude Offender from Security Analysis Window
5. Exclude the device based on MAC address, IP address, or Both MAC and IP.
6. Click OK. The NIM Edit Exclusion Entry window is displayed.
Figure 4-21. NIM Edit Exclusion Entry Window
7. Under Offender, specify a source device, using its IP address, port, or MAC address.
8. Under Victim, specify a destination device, using its IP address, port, or MAC address.
9. For Comment, type a plain-text comment that describes the purpose of this exclusion.
10. Click OK.
Setting the sensitivity can potentially affect the number of false positives and false negatives NIM reports. If you set the sensitivity too high, NIM might identify more false positives, and if you have configured actions for the events, you might shut out traffic that does not actually pose a threat to your network. On the other hand, if you set the sensitivity too low, you risk false negatives.
Task: Make a List of Security Events
The tasks outlined in the “First Time Through the Process” on page 4-5 provide the information you need to make a list of security events on your network. For each event on the list, and for each significant variation in time and location, note the action that you want to be taken.
Table 4-1.
Step 2: Detect Threats
This section guides you through the activities that will enable threat detection on your network. The threat detection phase of the security management life cycle is shown in Figure 4-1 and discussed in Chapter 4, “Design,” of the HP ProCurve Threat Management Solution Design Guide. Threat detection is the same, whether this is your first time or a subsequent time through the process.
These zones enable you to create areas of trust on your network. For example, you may create a highly secure zone for company executives and the finance department and a less secure zone for guest users. This allows you to apply different access policies to these zones and ensure that your confidential data is well protected. With the exception of Self and External, all of the zones are functionally equivalent.
Figure 4-23. Sample Network
Once you associate a VLAN with a zone, it is called a TMS VLAN. The TMS zl Module filters traffic that crosses a TMS VLAN boundary, but not traffic that is transmitted within the same TMS VLAN.
The TMS zl Module is designed to run multiple products on the same module, and each product that is running on the module is assigned an index number at boot time. At the switch prompt, type the following command to view the indices and chassis slots:
    Hostswitch# show services
    Installed Services
    Slot   Index  Description                             Name
    C,E    1.     Services zl Module                      services-module
    C,E    2.
    -------------- ServiceOS ----------------
    J9154A ServiceOS version 1.0.081219
    Description: HD Service OS
    Vendor: HP
    Build Date: Dec 19 2008 11:56
    Partitions: 1=TOOLS.0.081219 2=CFSOS.0.081219
3. If you have not done so already, activate the TMS OS by registering it, receiving a valid license, and installing it on the module.
    Hostswitch# show services
    Installed Services
    Slot   Index  Description                             Name
    C,E    1.     Services zl Module                      services-module
    C,E    2.     Threat Management Services zl Module    tms-module
In this installation, the index number 2 corresponds to the TMS OS.
6. Configure an IP address for the TMS zl Module’s interface on that VLAN.
    hostswitch(tms-module-C:config)# vlan ip address
7. Optionally, you can configure a priority VLAN to ensure that you can always access the Web browser interface (even if the TMS zl Module is handling an extremely high volume of traffic).
   b. If the default gateway is not in a management access zone, the TMS zl Module will block ICMP echo packets between the Self zone and the gateway’s zone until you create an access policy to allow this traffic.
      i. Create an access policy to permit ICMP echo packets between the Self zone and the gateway’s zone.
Parameter   Options
protocol    • • • • • • • • • • • • •
service     • Services such as bootps, bootpc, http, or https
For a complete list of services, see the HP ProCurve Threat Management Services zl Module Management and Configuration Guide.
Subtask: Access the TMS zl Module’s Web Browser Interface and Change the Manager Password
You can now access the TMS zl Module’s Web browser interface. Complete the following steps:
1. Open a Web browser (Internet Explorer 7 or 8 or Firefox 2.x or 3) to access the Web browser interface through a secure HTTPS session.
Subtask: Configure SNMP Settings
To enable PCM+ to discover the TMS zl Module, you must configure the module to use the same SNMP settings that you are using on PCM+. If PCM+ is configured to SNMP v2, for example, you must configure the TMS zl Module to use SNMP v1/v2, and you must configure the module’s SNMP communities to match the communities configured on PCM+.
4. For Role, select Manager (read/write) or Operator (read only). Select the role that corresponds with the community name that you typed in step 3.
5. For Write Access, select Unrestricted (read/write) or Restricted (read only). Select the access that corresponds with the community name and role that you specified in steps 3 and 4.
6. Click Apply.
7. Click Save.
Subtask: Configure SNMPv3 Settings.
1. Select the logging level.
   a. Click System > Logging > Settings.
   b. From Log messages with, select Information.
Figure 4-29. TMS zl Module System > Logging > Settings
   c. Accept the other default values and click Apply My Changes.
2. Specify the SNMPv2 trap server.
   a. Click the SNMP Traps tab.
   b. Select the Enable SNMPv2 traps check box.
   c. Click Add another destination.
   d.
3. Configure the SNMPv3 trap server.
   a. Select the Enable SNMPv3 traps check box.
   b. Click Add another destination.
   c. For Server Address, type the IP address of the PCM+/NIM server.
   d. For Username, type the username configured for the SNMPv3 settings on the PCM+/NIM server.
   e. For Auth Passphrase, type a password.
   f. From the Auth Protocol list, select MD5 or SHA-1.
   g.
4.
5. Click Apply My Changes.
6. Click Save.
Subtask: Enable Communication Between the TMS zl Module and the PCM+/NIM Server
PCM+/NIM allows you to configure and manage multiple TMS zl Modules at the same time. First, however, you must ensure that the TMS zl Module can communicate with the PCM+/NIM server.
9. Click OK.
10. Click Save.
Subtask: Create Access Policies.
Note: It is not recommended that you enable logging permanently, because policy logging is processor intensive. Use logging for troubleshooting and testing only.
11. Optionally, in the Insert Position field, specify the priority of this access policy.
12. Click Apply, then optionally click the Advanced tab.
Figure 4-32. ProCurve TMS zl Module Folder Dashboard in PCM+
Subtask: View Zones in NIM. Complete the following steps:
1. In the PCM+ navigation tree, select the TMS zl Module.
2. Click the TMS-Network tab.
3. Click the Zones tab and expand the zone folders to view the VLANs in each.
Figure 4-33. PCM+ TMS-Network Window
To associate a VLAN with a zone, you use a wizard, which is described in the next section.
Subtask: Associate a VLAN with a Zone. Once you associate a VLAN with a zone, it becomes a TMS VLAN. To begin configuring TMS VLANs, complete the following steps:
1. In the PCM+ navigation tree, right-click the TMS zl Module folder or a TMS zl Module.
2.
Figure 4-34. PCM+ Zone Wizard (for TMS zl Module)
4. Select VLAN Configuration. This option allows you to associate a VLAN with a zone and configure an IP address for the module on that VLAN. The other option, Management Access, allows you to enable management access on a zone.
5. Click Next. The Select Firewall Devices window is displayed.
6.
Figure 4-35. PCM+ Zone Wizard (for TMS zl Module)
9. Click Next.
10. Under Selected Vlans, select one of the VLANs to configure.
11. Under Associate Zone, select the appropriate zone.
12. Under Configure IP, select DHCP or Static. If you select Static, type an IP address and subnet mask.
Figure 4-36. PCM+ Zone Wizard (for TMS zl Module)
13. Click Next. A summary window is displayed, listing the configuration changes you have entered.
14. If the changes are correct, click Next. (If not, click Back to change your configuration.) After you approve your changes, the Applying Settings window is displayed.
Figure 4-37. PCM+ > TMS-Firewall > Access Policies > Unicast Window
Subtask: Determine What Access Policies Are Needed and Configure Them. By default, the TMS zl Module denies all traffic unless you explicitly permit it.
To begin configuring access policies, complete the following steps:
1. In the navigation tree, right-click the TMS zl Module folder or a TMS zl Module.
2. When a menu is displayed, click TMS-Firewall > Firewall Access Policies Wizard. The Firewall Access Policies Wizard is launched.
3. Click Next. The Select Configuration Action window is displayed.
Figure 4-38. PCM+ Firewall Access Policies Wizard
4.
5.
Figure 4-39. PCM+ Firewall Access Policies Wizard
9. In the left pane, click Add. A paper icon with a number 1 is displayed below the words Add Delete. Note that the configuration options on this window match the corresponding window in the TMS zl Module’s Web browser interface.
10. For Action, select Permit Traffic or Deny Traffic.
11. For From, select the source zone.
12.
   c. For Destination, select one of the following:
      – Accept the default settings, Use defined objects and Any Address.
      – Select a defined address object—For Options, accept Use defined objects and then select an address object. You must configure this address object in advance.
      – Customized service—For Options, select Enter custom IP, IP/mask or IP-Range and then type an IP address or IP address range.
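The following added example (not HP code) models the behaviour described for access policies: traffic inside one TMS VLAN is not filtered, everything else is denied unless a policy permits it, and Insert Position decides which policy is checked first. First-match evaluation is an assumption, and the zone names ZONE1/ZONE2, VLAN IDs and addresses are constructed sample values; the shadowed() helper flags policies that an earlier, broader policy makes unreachable.

```python
"""Model of zone-based access-policy evaluation (added example, not HP code).

Assumed: policies are checked in Insert Position order and the first match
decides. ZONE1/ZONE2, VLAN IDs and addresses are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

MODULE_IPS = {"10.1.10.2"}                              # constructed: module's own address
VLAN_ZONE = {10: "ZONE1", 20: "ZONE2", 99: "External"}  # TMS VLANs: VLAN ID -> zone


@dataclass(frozen=True)
class Policy:
    position: int                  # Insert Position; lower is checked first (assumed)
    action: str                    # "permit" or "deny"
    from_zone: str
    to_zone: str
    service: str                   # "icmp-echo", "https", ... or "any"
    source: str = "0.0.0.0/0"      # Any Address
    destination: str = "0.0.0.0/0"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    src_vlan: Optional[int]        # None when the module itself is the endpoint
    dst_vlan: Optional[int]
    service: str


def zone_of(ip: str, vlan: Optional[int]) -> str:
    """The module's own addresses are the Self zone; hosts take their VLAN's zone."""
    return "Self" if ip in MODULE_IPS else VLAN_ZONE[vlan]


def covers(p: Policy, from_zone: str, to_zone: str, service: str, src: str, dst: str) -> bool:
    """True if policy p matches every packet described by the arguments."""
    return (p.from_zone == from_zone and p.to_zone == to_zone
            and p.service in ("any", service)
            and ip_network(src).subnet_of(ip_network(p.source))
            and ip_network(dst).subnet_of(ip_network(p.destination)))


def evaluate(flow: Flow, policies) -> tuple:
    """Return (verdict, reason) for one flow."""
    src_zone = zone_of(flow.src_ip, flow.src_vlan)
    dst_zone = zone_of(flow.dst_ip, flow.dst_vlan)
    if "Self" not in (src_zone, dst_zone) and flow.src_vlan == flow.dst_vlan:
        return ("not-filtered", "stays inside one TMS VLAN")
    for p in sorted(policies, key=lambda p: p.position):
        if covers(p, src_zone, dst_zone, flow.service, flow.src_ip, flow.dst_ip):
            return (p.action, f"policy at position {p.position}")
    return ("deny", "no policy matched, default deny")


def shadowed(policies) -> list:
    """Positions of policies that an earlier, broader policy always pre-empts."""
    ordered = sorted(policies, key=lambda p: p.position)
    return [late.position for i, late in enumerate(ordered)
            if any(covers(early, late.from_zone, late.to_zone, late.service,
                          late.source, late.destination) for early in ordered[:i])]


# Constructed sample data.
PING_GATEWAY = Flow("10.1.10.2", "10.1.20.1", None, 20, "icmp-echo")   # Self -> ZONE2
SAME_VLAN = Flow("10.1.10.50", "10.1.10.60", 10, 10, "https")
WEB = Flow("10.1.10.50", "10.1.20.80", 10, 20, "https")                # ZONE1 -> ZONE2
ALLOW_PING = Policy(1, "permit", "Self", "ZONE2", "icmp-echo")
BAD_ORDER = [Policy(1, "deny", "ZONE1", "ZONE2", "any"),
             Policy(2, "permit", "ZONE1", "ZONE2", "https", destination="10.1.20.80/32")]
GOOD_ORDER = [Policy(1, "permit", "ZONE1", "ZONE2", "https", destination="10.1.20.80/32"),
              Policy(2, "deny", "ZONE1", "ZONE2", "any")]

if __name__ == "__main__":
    for label, flow, rules in [("ping, no policy", PING_GATEWAY, []),
                               ("ping, policy added", PING_GATEWAY, [ALLOW_PING]),
                               ("same VLAN", SAME_VLAN, []),
                               ("web, bad order", WEB, BAD_ORDER),
                               ("web, good order", WEB, GOOD_ORDER)]:
        print(f"{label:20} {evaluate(flow, rules)}")
    print("shadowed positions:", shadowed(BAD_ORDER), shadowed(GOOD_ORDER))
```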
Figure 4-40. PCM+ Signature Download Window (for TMS zl Module)
3. If you have a proxy server, select Modify Proxy Server Settings.
   a. Select Enable Proxy Server.
   b. For Address, type the IP address of the proxy server.
   c. For Port, type the port number for the proxy server.
4. To specify how often the TMS zl Module checks for updates, select Modify Signature Download Schedule and select a time interval.
Figure 4-41. PCM+ Signatures Wizard (for TMS zl Module)
4. Scroll through the list to view the signatures the IPS uses. Notice that each threat is assigned one of the following threat levels:
   • Critical
   • Severe
   • Minor
   • Warning
   • Information
   In the next section, you will configure an action for each threat level.
5. By default, all signatures are enabled.
Subtask: Configure Actions for the IPS. You can configure the TMS zl Module’s IPS to take action if it detects a problem. The actions you select are based on the severity of the threat.
Subtask: Enable IPS. IPS is disabled by default. To enable IPS and configure the way it scans traffic, complete the following steps:
1. In the PCM+ navigation tree, right-click the TMS zl Module.
2. In the menu that is displayed, click TMS-IPS > Settings. The Settings window is displayed.
3. Select IPS Status and then Enable IPS.
Figure 4-43. PCM+ Settings Window (for TMS zl Module)
4.
Subtask: Synchronize TMS Properties. If you want to ensure that PCM+/NIM has the latest configuration information from your TMS zl Module, you can synchronize the TMS properties. To do so, complete the following steps:
1. In the PCM+ navigation tree, right-click the TMS zl Module.
2. In the menu that is displayed, click TMS-Synchronize Properties. The Synchronize TMS Properties window is displayed.
Task: Configure the TMS zl Module in Monitor Mode
Rather than have the TMS zl Module route and filter traffic (using its firewall and IPS), you might want to have the module function as an IDS and check the suspicious traffic that is mirrored to its internal data port (port 1).
If the show services command does not show index 2, Threat Management Services zl Module, the module might be booted to the Services OS. In this case, you need to boot the module to the TMS OS.
1. Access the Services OS context:
    hostswitch# services 1
   Replace with the letter of the slot in which the module is installed. Enter 1 to access the Services OS.
Subtask: Configure the Initial Settings for Monitor Mode
The initial setup steps for the TMS zl Module in monitor mode are listed below.
■ Set the operating mode to monitor.
■ Specify a management VLAN. (The default is VLAN 1.)
■ Configure a static IP address for the VLAN.
■ Configure a default gateway.
To configure the initial settings on the TMS zl Module in monitor mode, complete the following steps:
1.
Note: The management IP address should be static. Do not use DHCP to obtain this address.
7. The module’s default gateway is automatically set when you configure the IP address and VLAN. However, if you want to manually set the default gateway, enter the following command:
    hostswitch(tms-module-C:config)# ip route 0.0.0.0/0
8.
6. Click Save.
Subtask: Configure Log Settings
To configure log settings, complete the following steps:
1. Select System > Logging and click the Settings tab.
Figure 4-4. TMS zl Module > System > Logging > Log Settings Window
2. From the list, select the lowest severity level of the messages that you want to forward.
3.
Subtask: Configure SNMP Settings
To enable management through PCM+ and NIM, you must configure the TMS zl Module’s SNMP settings. The module supports SNMPv1/v2c or SNMPv3. To configure SNMP settings, complete the following steps:
1. Click System > Settings and then click the SNMP tab.
Figure 4-7.
7. Click Save.
Subtask: Configure SNMPv3 Settings. Complete the following steps:
1. From the System > Settings > SNMP window, select Enable SNMPv3.
2. Click Add another user. The Add SNMPv3 User window is displayed.
Figure 4-9. Add SNMPv3 User Window
3. For User Name, type the SNMPv3 user name for the account.
4. For Role, select the role of the account: Manager (read-write) or Operator (read only).
5.
To configure SNMP traps, complete the following steps:
1. Click System > Logging and then click the SNMP Traps tab.
Figure 4-10. System > Logging > SNMP Traps Window
2. To enable SNMP traps, do one or both of the following:
   • Select the Enable SNMPv2 traps check box.
   • Select the Enable SNMPv3 traps check box.
3. If you enabled SNMPv2 traps, configure the server address and community name:
   a.
5. If you enabled SNMPv3 traps, configure the following settings:
   a. Under Enable SNMPv3 traps, click Add another destination. The Add SNMPv3 Destination window is displayed.
Figure 4-12. Add SNMPv3 Destination Window
   b. For Server Address, type the IP address or FQDN of PCM+.
   c. For Username, type the SNMPv3 username for an account on the server. This must match the username configured on PCM+.
   d.
6.
6. If PCM+ successfully establishes communication with the TMS zl Module, click Next. (If there is a problem, check the SNMP settings on both the TMS zl Module and PCM+ and make sure they match.) The Discovery Status window is displayed. PCM+ may take a while to discover the TMS zl Module’s configuration settings.
7. After PCM+ completes its discovery process, click Next.
8.
Before the TMS zl Module can download the signatures, the following settings must be configured:
■ DNS server(s) and domain name
■ Default gateway
To download the signatures, complete the following steps:
1. In the PCM+ navigation tree, right-click the TMS zl Module.
2. In the menu that is displayed, click TMS-IPS > Signature Download.
Figure 4-46. PCM+ Signature Download Window (for TMS zl Module)
3.
3. When the Welcome window is displayed, click Next.
Figure 4-47. PCM+ Signatures Wizard (for TMS zl Module)
4. Scroll through the list to view the signatures the IPS uses. Notice that each threat is assigned one of the following threat levels:
   • Critical
   • Severe
   • Minor
   • Warning
   • Information
   In the next section, you will configure an action for each threat level.
5.
Subtask: Configure IDS Signature Preferences. The module’s IDS engine can be configured to perform either optimized session inspection or full-session inspection. When configured for optimized session inspection, the IDS/IPS engine will inspect a sample of the traffic for a given session.
Subtask: Synchronize TMS Properties. If you want to ensure that PCM+/NIM has the latest configuration information from your TMS zl Module, you can synchronize the TMS properties. To do so, complete the following steps:
1. In the PCM+ navigation tree, right-click the TMS zl Module.
2. In the menu that is displayed, click TMS-Synchronize Properties. The Synchronize TMS Properties window is displayed.
This section explains how to configure ProCurve Security Devices Alerts. For now, there is one such alert—the default ProCurve Threat Management Services Alert, but you can create additional alerts. (For information about configuring ProCurve NBAD Services Alerts, see “Task: Set Up ProCurve NBAD Services Alerts” on page 2-24 in Chapter 2: “HP ProCurve Network Immunity Manager Standalone Solution.
4. Click the Configuration tab in the right pane.
Figure 4-51. PCM+ Policy Manager > Default ProCurve Threat Management Services Alerts Window
5. Configure settings for triggering the alert:
   • Trap OID—By default, the alert can be triggered by any SNMP trap. If you want to limit which SNMP traps trigger the alert, configure this setting.
   • Signature ID, Signature Sub-ID, or Signature Name—Configure one or more of these settings to trigger the alert if an event matches or does not match a particular signature. (For steps on accessing the signatures, see “Subtask: View, Disable, or Enable Signatures” on page 4-52.
Figure 4-52. PCM+ Create Alert Window
8. Click OK. The new alert is listed in the navigation tree.
9. Select the new alert and click the Configuration tab.
Figure 4-53.
10. Configure settings for triggering the alert:
   • Trap OID—By default, the alert can be triggered by any SNMP trap. If you want to limit which SNMP traps trigger the alert, configure this setting.
   • Severity—Configure this setting if you want to trigger an alert based on how critical an event is.
Subtask: Edit or Delete a ProCurve Security Devices Alert
At any time, you can edit or delete alerts using the steps outlined in this section.
Subtask: Edit a ProCurve Security Devices Alert. Complete the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, click the arrow next to Alerts, Security, and ProCurve Security Devices and then select the alert.
3.
5. In the navigation tree, select ProCurve Security Devices > ProCurve Threat Management Services.
Figure 4-54. NIM Configuration > Exclusion List Window
6. In the NIM > Exclusion List window, click Add. The NIM Add Exclusion Entries window is displayed.
Figure 4-55. NIM Add Exclusion Entries Window
7. Under Offender, specify a source device, using its IP address, port, or MAC address.
8. Under Victim, specify a destination device, using its IP address, port, or MAC address.
9. For Comment, type a plain-text comment that describes the purpose of this exclusion.
10. Click OK. The new exclusion is shown in the Exclusion List tab for ProCurve Threat Management Services.
Step 3: Respond to Threats
Subtask: Ensure Policy Execution Is Disabled
Alternatively, if you decide to set up actions and policies the first time you go through the process, ProCurve strongly recommends that you disable policy execution. (This is the default setting, but you should ensure that no one has changed it.
Figure 4-57. PCM+ Global: Policy Management Window
4. Click OK.
Optional Task: Consider Interaction with IDM
If you are running IDM, IDM automatically interacts with NIM. The benefits of integrating NIM and IDM include:
■ Better threat protection—NIM’s actions continue to apply to a user even when the user attempts to connect to a different switch port or wireless access point (AP).
Second and Subsequent Times Through the Process
This section describes how to configure actions for a variety of alerts, including ProCurve NBAD Services alerts, ProCurve Security Devices alerts, ProCurve Wired Devices, and ProCurve Wireless Devices.
4. Under Select the Action type to create, select MAC Lockout.
5. For Name, type a name that is meaningful to you. For example, you might type just MAC lockout.
6. Optionally, type a description of the action in the Description text box.
7. Click OK. The new action is displayed in the navigation tree.
8. Select the new action and click the MACs tab in the right pane.
Figure 4-59.
Task: Select Enable/Disable Port as an Action
If an alert is triggered, you might want to prevent the offender from accessing your network by disabling the associated port. To configure this action, complete the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, select Actions.
Figure 4-60. PCM+ Manage Actions Window in Policy Manager
3.
7. Select the new action and click the Port Status tab in the right pane.
Figure 4-61. PCM+ Action Window in Policy Manager
8. Select Enabled.
9. Click Apply.
Task: Select Rate Limiting as an Action
If an alert is triggered, you might want to limit the bandwidth the offender can use. To configure rate limiting as an action, complete the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, select Actions.
Figure 4-62. PCM+ Manage Actions Window in Policy Manager
3. Click New in the Manage Actions window.
7. Select the new action and click the Rate Limiting tab in the right pane.
Figure 4-63. PCM+ Action Window in Policy Manager
8. Select Configure rate limiting on targeted ports.
9. Select Enable rate limiting.
10. For Rate Limit, type a percentage.
11. Click Apply.
Task: Select Quarantine VLAN as an Action
For some alerts, you might want to place the offender’s traffic in a quarantine VLAN to protect your network resources from potential infection or damage. To configure Quarantine VLAN as an action, complete the following steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, select Actions.
Figure 4-64.
9. For Quarantine VLAN ID, type a number, such as 50.
Figure 4-65. PCM+ Action Window in Policy Manager
10. For Port Tag Status, select Tagged or Untagged.
11. Select Create VLAN if it does not exist already.
12. For IP config, select Disabled or DHCP. If you select DHCP, type a Subnet Mask in the box provided.
13. Click Apply.
14. Click Close.
2. Click the Port List tab and then the Port Status tab.
3. In the Port Status table, select the port that you will designate as the mirror port. For the TMS zl Module, this is port 1, so if the module is installed in slot E you would select E1.
4. Click the Configure Mirror Port icon (which is located above the Port Status tab).
Figure 4-66. PCM+ Port List > Port Status
5.
8. Click Close to save the mirror port setting.
Subtask: Configure the Action. To configure port mirroring as an action, complete these steps:
1. Open Policy Manager by clicking Tools > Policy Manager.
2. In the navigation tree, select Actions.
Figure 4-68. PCM+ Manage Actions Window in Policy Manager
3. Click New in the Manage Actions window. The Create New Action window is displayed.
4.
8. Select the new action and then click the Port Mirroring tab.
Figure 4-69. PCM+ Actions > Window in Policy Manager
9. Complete step a or step b to configure a mirror destination:
   a. Select Any available mirror destination and click Close.
   b. Select Any of below selected mirror destinations.
      i. Click Add. The Select Mirror Window is displayed.
Task: Define a Policy
NIM takes an action only in response to an alert. The relationship between an alert and an action is established by a policy. When setting up these relationships, you can either modify an existing default policy, such as the Default Security Policy—ProCurve Security Devices, or you can create a new policy. The configuration process is very similar for both.
   c. New Time—Click New. The Configure Times window is displayed.
Figure 4-72. PCM+ Configure Times Window
The Configure Times window displays times that are already configured.
      i. Click the Create a new time icon. The Create a new Time window is displayed.
HP ProCurve Network Immunity Manager with HP ProCurve Security Devices Step 3: Respond to Threats Figure 4-73. PCM+ Create a New Time Window ii. For Name, type a name that represents the time or period of time that you are configuring. iii. Optionally, type a description of the time. iv. Under Time, select All day or select From and specify a time range. v.
5. Click the Sources tab to configure sources from which an alert must originate to trigger the policy.

Figure 4-74. PCM+ > Sources Window

6. Specify the source:
   a. Any source—If you want the policy to act on alerts from any source, leave Any source under Selected Groups.
   b.

7. Click the Targets tab.

Figure 4-75. PCM+ > Targets Window

8. Select the target device(s) to which the actions will be applied. In most cases, you will probably target the source of the alert, so you can leave the Target all alert sources (devices & ports) that trigger this policy option selected.

9. Click the Alerts tab.
10. Select an alert type from the Available Alerts list. If the alert you want does not exist, you can create it as explained in “Subtask: Create a ProCurve Security Devices Alert” on page 4-73.
11. Click the >> button to move the alert to the Selected Alerts list. Note that you can specify multiple alerts.

Figure 4-76.

12. Click the Actions tab.

Figure 4-77. PCM+ > Actions Window

13. In the Available Actions list, select the action that you want the policy to execute when the configured alert is received, and click the >> button to move the action to the Selected Actions list. In the example, you could select MAC Lockout, Disable port, Rate limit, and Quarantine VLAN.
Task: Enable Policy Execution

Policy execution must be explicitly enabled for policy-based actions to be applied. Policy execution is disabled by default, and you might have disabled policy execution (or left it disabled) in earlier steps. To enable policy execution, complete the following steps:
1. Open the Preferences window by clicking Tools > Preferences.
2.

Step 4: Analyze Events

This section helps you analyze the events that are detected on your network so you can refine your NIM policies to better protect your network and reduce the chance of false positives.
In the following example output, VLAN 50 was created on the switch to quarantine a workstation that was sending suspicious traffic:

  Maximum VLANs to support: 256
  Primary VLAN : DEFAULT_VLAN
  Management VLAN :

  VLAN ID Name                 | Status     Voice Jumbo
  ------- -------------------- + ---------- ----- -----
  1       DEFAULT_VLAN         | Port-based No    No
  10      VLAN10               | Port-based No    No
  16      VLAN16               | Port-based No    No
  50      VLAN-5050
3. Click the Configure Mirror Port icon and then click View Mirror Port Status.

Figure 4-79. PCM+ View Mirror-Port Status Window

From this window, you can disable the mirror port or stop monitoring a source.
4. Click Close.

Task: Set up Reporting

Although you can generate many reports in PCM+, this section describes only reports that are directly applicable to NIM and the TMS zl Module.

1. In the navigation tree, select a group or device and then click the Events tab in the right panel.
2. Right-click any NBAD event with an origin of NIM and select NBAD Diagnostic Wizard.
3. When the NBAD Diagnostic Wizard opens, click Next to begin.
4. The Identify Threat window is the first to display. It describes the possible causes of the selected event. Read the description.

Figure 4-80.

6. The Identify False Positives window describes possible circumstances—other than actual attacks—that might cause the event. If the event is caused by legitimate network activity, select the box to identify it as a false positive. This option will allow you to skip the Analyze threat step.

Figure 4-81.

7. Click Next. The Analyze Threat window presents information about the event so that you can analyze it further. The text box lists known information, such as the offender(s) and victim(s).

Figure 4-82. NBAD Diagnostic Wizard > Analyze Threat

Note
   a. Click Event History to see the full event history of the offender.
   b. Click Policy History to see the policy history of the offender.
   c.

8. The Suggested Actions window provides suggestions for actions you can take to mitigate the threat. Select an action or exclude this event from future analysis if it is a false positive. Some actions require additional information. For example, if you select Rate Limit, you must specify the rate limit percentage.

Figure 4-83. NBAD Diagnostic Wizard > Suggested Actions

9. Click Next.
10.
■ The History tab of the Policy Activity window gives details on security policies that have been triggered.
■ If you are using IDM, you can view users in IDM and see a list of all of the mitigation actions taken against them.

Event Log. To view the event log, complete the following:
1. In the PCM+ navigation tree, select a group or device. The selected object’s dashboard is displayed.
2.

3. Click the Users tab.
4. Right-click a specific user and select Show mitigations.

Figure 4-84. PCM+/IDM Users Window

This example shows that an offender tried to move to another port to connect to the network. Because NIM-IDM integration is enabled, IDM mitigates the attack.
5. Click Close.
A Initial Setup for HP ProCurve Manager Plus and Network Immunity Manager

Install PCM+

This section describes how to install HP ProCurve Manager Plus (PCM+) 3.0, HP ProCurve Identity Driven Manager (IDM) 3.0, and HP ProCurve Network Immunity Manager (NIM) 2.0 on a Windows Server 2003 server. You can obtain the installation CD, which includes a 30-day trial version of PCM+, with new ProCurve switches. You can also purchase PCM+ from a ProCurve solutions provider. The first step in installing PCM+ 3.

PCM also requires one of the following operating systems:
■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack (SP) 2
■ Microsoft Windows XP with SP 2 or SP 3

Windows Server 2003 provides better performance. You should use Windows XP for small networks only. If you do not already have a system that meets these hardware and software requirements, plan to purchase what you do not have.
Figure A-3. ProCurve Manager Install Wizard—License Agreement Page

5. Click Next.

Figure A-4. ProCurve Manager Install Wizard—Readme Page

6. Scroll through the Readme page if desired and then click Next.

Figure A-5. ProCurve Manager Install Wizard—Current Configuration Detection Page

7. Click Next.

Figure A-6. ProCurve Manager Install Wizard—PCM Feature Recommended Page

8. Click Next. The Choose Install Set page is displayed.
9. Select the ProCurve Manager 3.0, Identity Driven Management 3.0, and Network Immunity 1.0 check boxes.

Figure A-7. ProCurve Manager Install Wizard—Choose Install Set Page

If desired, you could also select the Mobility Manager 3.0 check box. (Configuring this option is beyond the scope of this document.)
10. Click Next.

Figure A-8. ProCurve Manager Install Wizard—IDM and PCM Important Information Page

11. Read the information displayed in the window in Figure A-8. Click Next.

Figure A-9. ProCurve Manager Install Wizard—Choose Install Folder Page

12. Accept the default install folder or click Choose to select another install folder.
13. Click Next.

Figure A-10. ProCurve Manager Install Wizard—Pre-Installation Summary Page

14. Review the pre-installation summary and click Install.
15.

Figure A-11. ProCurve Manager Install Wizard—Installing HP ProCurve Manager Page

16. The window shown in Figure A-11 is displayed while PCM+ installs. Once installation is complete, the IDM-Domain Connection Information page is displayed.
17. Type your domain ("realm") name for Realm, and your alias domain name for Alias. This becomes IDM’s default realm and alias (in this example, PROCURVELABS.
19. On this page you will configure communication between the server and remote agents. Select the use default check boxes next to Password under both Server Identity and New Agents. The corresponding passwords are automatically filled in.

Figure A-13. ProCurve Manager Install Wizard—Server to Agent Connection Page

20. Accept all other default settings and click Next. The PCM Administrator password page opens.
21.

23. Click Next. The Initial Discovery Settings page is displayed.
24. In the Start from device box, type the IP address of a switch in the Management VLAN (in this example, the address of the routing switch: 10.2.0.1).

Figure A-15. ProCurve Manager Install Wizard—Initial Discovery Settings Page

25. The Automatically register as a trap receiver check box should be selected by default.
26. Click Next.

Figure A-16. ProCurve Manager Install Wizard—Set default SNMP parameters Page

29. Click Next. The Set default CLI parameters page is displayed.
30. Configure command-line interface (CLI) access from PCM+ to ProCurve devices. The default configuration uses Telnet.
   a. Select Telnet or SSH (secure).
   b. In the Timeout in sec box, type a number between 1 and 60.
   c. In the Retries box, type a number between 1 and 5.
   d.

Figure A-17. ProCurve Manager Install Wizard—Set default CLI parameters Page

31. Click Next. The Set HTTP Proxy page is displayed.

Figure A-18. ProCurve Manager Install Wizard—Set HTTP Proxy Page

32. Configure settings for an HTTP proxy if your network uses one. The example network does not.
33. Click Next.

Figure A-19. ProCurve Manager Install Wizard—Configure Automatic Updates Page

34. Configure settings for updates to PCM+. Select one of the following options:
   • Download and install automatically—PCM+ checks the ProCurve Web site for updates and downloads them, without interaction from you or another network administrator.

Figure A-20. ProCurve Manager Install Wizard—Install Wizard Complete Page

35. Click Next. The Please Wait page is displayed while PCM is configured for your system.

Figure A-21. ProCurve Manager Install Wizard—Install Complete Page

36. When the Install Complete page is displayed, click Done.
B Initial Setup for the HP ProCurve Manager Agent

Install PCM+

When you run a distributed PCM+ architecture, you should install a local PCM+ agent at each network segment that you want to protect. NIM can then provide more immediate detection and mitigation of threats. This section describes how to install the PCM 3.0 agent. The first step in installing the PCM 3.0 Agent is to ensure that your system meets the system requirements for the agent. PCM 3.

The PCM Agent also requires one of the following operating systems:
■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack (SP) 2
■ Microsoft Windows XP with SP 2 or SP 3

Windows Server 2003 provides better performance. You should use Windows XP for small networks only. If you do not already have a system that meets these hardware and software requirements, plan to purchase what you do not have.

Figure B-2. ProCurve Agent Setup Wizard—License Agreement Page

3. Review the terms of the license agreement and then click I Agree.

Figure B-3. ProCurve Agent Setup Wizard—Choose Install Location Page

4. In the Choose Install Location page, accept the default destination folder, or click Browse to select another location in which to install the PCM Agent.
5. Click Next. The Agent Information page is displayed.
6. Accept the default agent type: PCM Agent.
7. In the Name box, type a name for the PCM Agent (in this example: ProCurveAgent1). If you so choose, you can also type a description for the agent in the Description box.

Figure B-4.

8. Accept the default password and port and click Next. The Server Information page is displayed.

Figure B-5.

9. In this example, you will not configure the PCM Agent to initiate communication with the PCM server. If you wanted to choose this option, however, you would select the Agent Initiates Connection check box. Then, in the PCM Server Information section, you would type the IP address for the PCM server, and either accept the default password for the server or clear the Use Default check box and type a new password in the Password field.
10.

Figure B-7. ProCurve Manager Install Wizard—Installing Page

13. When installation is complete, click Next.

Figure B-8. ProCurve Manager Install Wizard—Installation Complete

14. Click Finish.
C Configure VPNs Using the HP ProCurve Threat Management Services zl Module

Contents
Configure a Site-to-Site IPsec VPN
Create Named Objects for the VPN
Create an IKE Policy
Install Certificates for IKE
Configure a Client-to-Site IPsec VPN for HP ProCurve VPN Clients
Configure a Client-to-Site IPsec VPN on the TMS zl Module
Create Named Objects for the IPsec Client-to-Site VPN
Create an IKE Policy for Connecting to HP ProCurve VPN Clients

Overview

In routing mode, the HP ProCurve Threat Management Services (TMS) zl Module provides virtual private network (VPN) capabilities, allowing you to protect confidential communications transmitted across less secure networks.

Configure a Site-to-Site IPsec VPN

This section explains how to configure a site-to-site IPsec VPN between two TMS zl Modules. For this example, the modules authenticate each other with digital certificates, and instructions are included for installing these certificates. You must complete these tasks on each module:
1. Create named objects. See “Create Named Objects for the VPN” on page C-4.
Figure C-1. Add IP Address Object Window

   c. Click Single-entry.
   d. In the box below, type the IP address of this TMS zl Module on the VLAN on which it contacts the remote gateway. For this example, type 10.1.1.2.
   e. Click Apply.
4. Create an object for the remote VPN gateway address:
   a. For Name, type a name that is meaningful to you. For this example, type RemoteGateway.
   b.

   c. Click Single-entry.
   d. In the box below, type the IP address of the remote TMS zl Module that the local module can reach. For this example, type 10.2.1.2.
   e. Click Apply.
5. Create an object for the local endpoints:
   a. For Name, type a name that is meaningful to you. For this example, type LocalEndpoints.
   b. For Type, select Network (IP/Mask) or IP Range.
6.
Figure C-4. Add IKE Policy Window—Step 1 of 3

4. For IKE Policy Name, type a string that is unique to this policy. For this example, type SiteB. The string can include 1 to 15 alphanumeric characters.
5. For IKE Policy Type, select Site-to-Site (Initiator & Responder).
6. For Local Gateway, specify an IP address on this module.

8. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself. This ID must match exactly, in both type and value, the remote ID specified on the remote endpoint. In addition, it must match exactly one of the subject names in the certificate that you will install on the module.
   a.

Figure C-5. Add IKE Policy Window—Step 2 of 3

11. Under IKE Authentication, configure these settings (which must match exactly the settings on the remote module):
   a. For Key Exchange Mode, select Main Mode or Aggressive Mode. For this example, select Main Mode.
   b. For Authentication Method, select one of the following:
      – DSA Signature
      – RSA Signature
      For this example, select RSA Signature.
12.

   d. For SA Lifetime in Seconds, type the number of seconds that the IKE SA is kept open. For this example, leave the default, 28800. Valid values are between 300 seconds and 86400 seconds (1 day).
13. Click Next.

Figure C-6. Add IKE Policy Window—Step 3 of 3

14. Select Disable XAUTH.
15. Click Finish. The IKE policy is displayed in the VPN > IPsec > IKEv1 Policies window.
Figure C-7. VPN > Certificates > IPsec Certificates Window

3. Generate a private key:
   a. In the Private Keys section, click Generate Private Key.

Figure C-8. Generate Private Key Window

   b. For Private Key Identifier, type a unique, descriptive string between 1 and 31 alphanumeric characters. For this example, type Key.
   c. For Key Algorithm, select RSA or DSA. For this example, select RSA.

Figure C-9. VPN > Certificates > IPsec Certificates Window (Private Key Added)

4. Next, create a certificate request:
   a. In the VPN > Certificates > IPsec Certificates window, click Generate Certificate Request.

Figure C-10. Generate Certificate Request Window

5. For Certificate Request Name, type a unique, descriptive alphanumeric string. For this example, type TMS1.
6.

7. For Private Key Identifier, select the private key that you added in step 3 on page C-11. For this example, select Key.
8. For Subject Name, type the FQDN of the TMS zl Module. Use the format . For this example, type TMSM.procurve.com. The certificate request will store this name as a distinguished name, automatically adding /CN= in front of the name that you type.
9.

11. Click the Edit icon in the Tools column for the certificate request.

Figure C-12. Certificate Request Data Window

12. Copy the data (for example, by pressing [Ctrl] + [c]) and paste it in a document created in a text editor. Save the file (if necessary, using the file extension required by your CA).

Figure C-14. Import Certificate Window

   c. Under Select global trusted certificate, type the path and filename for the CA root certificate. Alternatively, click Browse and navigate to the CA root certificate file.
   d. Click Apply. The CA root certificate is displayed in the VPN > Certificates > Certificate Authorities window.

Figure C-15.

   b. Click Import Certificate under Certificates.

Figure C-17. Import Self Signed Certificate Window

   c. Under Select self-signed certificate, type the path and filename for the TMS zl Module’s certificate. Alternatively, click Browse and navigate to the certificate file.
   d. Click Apply. The module’s certificate is displayed under Certificates in the VPN > IPsec > IPsec Certificates window.

   b. Click Import CRL.

Figure C-20. Import CRL Window

   c. For Select CRL, type the path and filename for the CRL. Alternatively, click Browse and navigate to the CRL file.
   d. Click OK. The CRL is displayed in the VPN > Certificates > CRL window.

Figure C-21. VPN > Certificates > CRL Window (CRL Added)

19. Click Save.
Figure C-23. Add IPsec Proposal Window

4. For Proposal Name, type a unique, descriptive string of 1 to 10 alphanumeric characters. The string must be unique to this proposal. For this example, type ESP3desMD5.
5. For Encapsulation Mode, select Tunnel Mode.
6. For Security Protocol, select AH or ESP. For this example, select ESP.
7.

Create an IPsec Policy for a Site-to-Site VPN That Uses IKE

This section explains how to configure an IPsec policy for a site-to-site VPN. The IPsec policy includes the security settings for the VPN connection and also selects traffic for the connection. Follow these steps to create the IPsec policy:
1. In the left navigation bar of the Web browser interface, select VPN > IPsec.
2.

7. Leave the Position box empty. When you leave this box empty, the IPsec policy is automatically added as the highest-priority policy.
8. Next, configure the VPN traffic selector, which determines which endpoints can send and receive traffic over the VPN tunnel:
9. For Traffic Selector, configure these settings:
   a.

Note: If your traffic selector includes traffic to which the module also applies NAT (for example, your module might apply NAT to all local traffic destined to external IP addresses), you must create a NAT exclusion policy. See the HP ProCurve Threat Management Services zl Module Management and Configuration Guide.

10. For Proposal, select your IPsec proposal. For this example, select Esp3desMd5.

17. Click Next.

Figure C-28. Add IPsec Policy Window—Step 3 of 4

18. The Step 3 of 4 window allows you to configure settings for IKE mode config, which is not valid for a site-to-site VPN. Click Next.

Figure C-29. Add IPsec Policy Window—Step 4 of 4

19. If desired, configure settings in the Advanced Settings (Optional) section. For this example, leave the default settings.

Note: For more information on advanced settings, see the HP ProCurve Threat Management Services zl Module Management and Configuration Guide.

20. Click Finish.
3. Make sure that None is selected for User Group.
4. Click Add a Policy.
5. Allow IKE messages from the remote gateway.
   a. For Action, accept the default: Permit Traffic.
   b. For From, select the remote zone. For this example, select External.
   c. For To, select Self.
   d. For Service, select isakmp.
   e. For Source, specify the IP address of the remote gateway.
      For this example, select the RemoteGateway address object. (You can also click Options, select Enter custom IP, IP/mask or IP-Range, and type the IP address of the remote module.)

Figure C-31. Add Policy Window

   g. Click Apply.
7. Permit traffic from the local endpoints to the remote endpoints:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the local zone.

Figure C-32. Add Policy Window

   g.
8. Permit traffic from the remote endpoints to the local endpoints:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the remote zone. For this example, select External.
   c. For To, select the local zone. For this example, select Internal.
   d. For Service, leave Any Address.
   e.
   f.
   g. Click Apply.
9. This is the most basic configuration.

   f. For Destination, leave Any Address or specify the local gateway IP address. For this example, select the LocalGateway address object.
   g. Click Apply.
   h. For From, select Self.
   i. For To, select the remote zone. For this example, type External.
   j. For Service, select ipsec-nat-t-udp.
   k. For Source, leave Any Address or specify the local gateway IP address.
Setting            Local Module                            Remote Module
IKE policy
Policy Type        Site-to-Site (Initiator & Responder)    Site-to-Site (Initiator & Responder)
Local Gateway      10.1.1.1                                10.2.1.2
Local ID Type      Distinguished Name                      Distinguished Name
Local ID Value     /CN=TMSM.procurve.com                   /CN=TMSB.procurve.com
Remote ID Type     Distinguished Name                      Distinguished Name
Remote ID Value    /CN=TMSB.procurve.com                   /CN=TMSM.
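The matching rules for the two modules' IKE policies (IDs that mirror each other in type and value, identical IKE authentication settings, the stated name and SA lifetime limits) can be checked before the settings are typed into each module. The following is an added example, not part of the HP guide or of any HP tool; `IkePolicy`, `check_policy`, `check_pair`, `subject_dn`, the `remote_gateway` field and the remote policy name SiteA are assumptions, and the sample values are constructed from the example settings above.

```python
import re
from dataclasses import dataclass, replace

# Limits the guide states for an IKEv1 policy on the TMS zl Module.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,15}")   # policy name: 1 to 15 alphanumeric characters
SA_LIFETIME = range(300, 86401)              # IKE SA lifetime: 300 to 86400 seconds
SIGNATURE_METHODS = ("RSA Signature", "DSA Signature")


@dataclass(frozen=True)
class IkePolicy:
    module: str             # label used in findings (hypothetical, not a module setting)
    name: str
    local_gateway: str
    remote_gateway: str     # assumption: the peer address held in the RemoteGateway object
    local_id: tuple         # (ID type, ID value)
    remote_id: tuple
    key_exchange_mode: str
    auth_method: str
    sa_lifetime: int
    cert_subjects: tuple = ()   # subject names in the certificate installed on this module


def subject_dn(fqdn):
    """Subject name as the certificate request stores it: '/CN=' plus the typed name."""
    return "/CN=" + fqdn


def check_policy(p):
    """Return findings for one module's policy, checked against the stated limits."""
    findings = []
    if not NAME_RE.fullmatch(p.name):
        findings.append(f"{p.module}: policy name {p.name!r} is not 1-15 alphanumeric characters")
    if p.sa_lifetime not in SA_LIFETIME:
        findings.append(f"{p.module}: SA lifetime {p.sa_lifetime} is outside 300-86400 seconds")
    # With certificate authentication the local ID must equal a certificate subject name.
    if p.auth_method in SIGNATURE_METHODS and p.local_id[1] not in p.cert_subjects:
        findings.append(f"{p.module}: local ID {p.local_id[1]!r} is not a subject name "
                        "in the installed certificate")
    return findings


def check_pair(a, b):
    """Return findings for two policies that are meant to form one site-to-site VPN."""
    findings = check_policy(a) + check_policy(b)
    for x, y in ((a, b), (b, a)):
        # Exact comparison of both ID type and ID value, as the guide requires.
        if x.local_id != y.remote_id:
            findings.append(f"{x.module} local ID {x.local_id} does not match "
                            f"{y.module} remote ID {y.remote_id}")
        if x.local_gateway != y.remote_gateway:
            findings.append(f"{x.module} local gateway {x.local_gateway} is not the "
                            f"gateway {y.module} connects to ({y.remote_gateway})")
    for field in ("key_exchange_mode", "auth_method"):
        if getattr(a, field) != getattr(b, field):
            findings.append(f"{field} differs: {getattr(a, field)!r} vs {getattr(b, field)!r}")
    return findings


# Constructed sample data based on the guide's example settings.
DN = "Distinguished Name"
LOCAL = IkePolicy(
    module="local", name="SiteB", local_gateway="10.1.1.1", remote_gateway="10.2.1.2",
    local_id=(DN, subject_dn("TMSM.procurve.com")),
    remote_id=(DN, subject_dn("TMSB.procurve.com")),
    key_exchange_mode="Main Mode", auth_method="RSA Signature", sa_lifetime=28800,
    cert_subjects=(subject_dn("TMSM.procurve.com"),),
)
REMOTE = IkePolicy(
    module="remote", name="SiteA", local_gateway="10.2.1.2", remote_gateway="10.1.1.1",
    local_id=(DN, subject_dn("TMSB.procurve.com")),
    remote_id=(DN, subject_dn("TMSM.procurve.com")),
    key_exchange_mode="Main Mode", auth_method="RSA Signature", sa_lifetime=28800,
    cert_subjects=(subject_dn("TMSB.procurve.com"),),
)

if __name__ == "__main__":
    # A remote ID typed with different case no longer matches the peer's local ID.
    mistyped = replace(REMOTE, remote_id=(DN, subject_dn("tmsm.procurve.com")))
    for finding in check_pair(LOCAL, mistyped) or ["no findings"]:
        print(finding)
```
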
Configure a Client-to-Site L2TP over IPsec VPN for Windows XP Clients

This section provides instructions for configuring the TMS zl Module as the gateway for a client-to-site VPN for Windows XP clients. The VPN will use L2TP over IPsec, which is supported by these clients.

3. Create an object for the local VPN gateway address:
   a. For Name, type a name that is meaningful to you. For this example, type LocalGateway. You can use only letters, numbers, and the underscore character (_) in this field.
   b. For Type, select IP.

Figure C-33. Add IP Address Object Window

4. 5. 6.
   c. Click Single-entry.
   d.

7. Click Save.

Create an IKE Policy for a Client-to-Site L2TP over IPsec VPN

Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate VPN connections with remote Windows XP clients:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IKEv1 Policies tab.

Figure C-34.

6. For Local Gateway, specify an IP address on this module. You have two options:
   • Click IP Address and type the IP address in the box. Type the same IP address that you configured for the LocalGateway address object (the IP address on the TMS VLAN that remote clients contact).
   • Click Use VLAN IP Address and select a VLAN from the list.
7.

Figure C-36. Add IKE Policy Window—Step 2 of 3

10. Under IKE Authentication, configure these settings:
   a. For Key Exchange Mode, select Main Mode.
   b. For Authentication Method, select Preshared Key.
   c. Type a string of 12 to 49 alphanumeric or special characters in the Preshared Key box. Type the same string in the Confirm Preshared Key box.

Figure C-37. Add IKE Policy Window—Step 3 of 3

14. Click Finish. The IKE policy is displayed in the VPN > IPsec > IKEv1 Policies window.

Create an IPsec Proposal for an L2TP over IPsec VPN

Follow these steps to configure an IPsec proposal for an L2TP over IPsec client-to-site IPsec VPN:
1.
Configure VPNs Using the HP ProCurve Threat Management Services zl Module Configure a Client-to-Site L2TP over IPsec VPN for Windows XP Clients Table C-5. IPsec Security Settings Proposed by Windows XP Clients Proposal Security Protocol Encryption Algorithm Authentication Algorithm 1 ESP 3DES SHA-1 2 ESP 3DES MD5 3 ESP DES SHA-1 4 ESP DES MD5 Figure C-39. Add IPsec Proposal Window 7. Click OK. The IPsec proposal is displayed in the VPN > IPsec > IPsec Proposals window. Figure C-40.
Configure VPNs Using the HP ProCurve Threat Management Services zl Module Configure a Client-to-Site L2TP over IPsec VPN for Windows XP Clients Figure C-41. VPN > IPsec > IPsec Policies Window 3. Click Add IPsec Policy. Figure C-42. Add IPsec Policy Window—Step 1 of 4 4. For Policy Name, type a unique, alphanumeric string between 1 and 10 characters. For this example, type L2tpIpsec. 5.
Configure VPNs Using the HP ProCurve Threat Management Services zl Module Configure a Client-to-Site L2TP over IPsec VPN for Windows XP Clients 9. b. For Local Address, specify the IP address configured as the local gateway in the IKE policy. For this example, select the LocalGateway address object. c. For Local Port, type 1701. d. For Remote Address, select Any. e. For Remote Port, type 1701. For Proposal, select the IPsec proposal that you just configured. For this example, select ESPTrans. 10.
Configure VPNs Using the HP ProCurve Threat Management Services zl Module Configure a Client-to-Site L2TP over IPsec VPN for Windows XP Clients Figure C-44. Add IPsec Policy Window—Step 3 of 4 17. Clear the Enable IP Address Pool for IRAS (Mode Config) check box. 18. Click Next. Figure C-45.
19. Leave the default settings in the Advanced Settings (Optional) section.
20. Click Finish. The IPsec policy is displayed in the VPN > IPsec > IPsec Policies window.
Configure a Group for the Remote Users
You must create at least one user group on the TMS zl Module for the remote users. If you desire, you can create multiple groups.
Figure C-47. VPN > IPsec > L2TP Remote Access Window
3. Click Add L2TP Policy.
Figure C-48. Add L2TP Policy Window—Step 1 of 2
4. For Policy Name, type a unique name for this policy. The name can be between 1 and 30 alphanumeric characters.
5.
Figure C-49. Add L2TP Policy—Step 2 of 2
8. For Proposal, select the IPsec proposal that you just configured. For this example, select ESPTrans.
9. For SA Lifetime in seconds, leave the default 28800.
10. For SA Lifetime in Kilobytes, leave the default 0.
11. Leave the Enable PFS (Perfect Forward Secrecy for keys) check box clear.
12.
Figure C-51. Add Dial-In User Window—Step 1 of 3
4. For Dial-In User Name, type a name for this user. The name can be 1 to 16 alphanumeric characters. For this example, type user1. This setting only affects how the user is displayed in the dial-in user list on the module.
5.
10. For Authentication Protocol, select Any or MS-CHAP. For this example, select Any.
11. Configure the user’s dial-in credentials:
   a. For User, type the username that the remote user will use to log on to the VPN connection.
   b. For Password, type the password for the username.
12. Click Next.
Figure C-53. Add Dial-In User Window—Step 3 of 3
13.
Access Policies for an L2TP over IPsec VPN
You must configure firewall access policies to permit IKE traffic from the remote clients, as well as to permit the remote clients to access local services after they establish the L2TP connection. Before you begin configuring firewall access policies, determine the zone on which traffic from the remote clients arrives.
Figure C-54. Add Policy Window
   g. Click Apply.
4. Allow IKE messages to the remote endpoints.
   a. For Action, leave the default, Permit Traffic.
   b. For From, select Self.
   c. For To, select the remote zone. For this example, select External.
   d. For Service, select isakmp.
   e. For Source, leave Any Address or specify the local gateway IP address.
Figure C-55. Add Policy Window
   g. Click Apply.
6. Permit L2TP traffic from the module to the remote endpoints:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select Self.
   c. For To, select the remote zone. For this example, select External.
   d. For Service, select l2tp-udp.
   e.
   c. For To, select the local zone. For this example, select Internal.
   d. For Service, leave Any Address. This is the most basic configuration. You could also permit only certain types of traffic.
   e. For Source, specify the virtual addresses that the TMS zl Module assigns to L2TP endpoints. For this example, select the DialIn address object.
   f.
9.
Configure a Windows XP SP2 Client for L2TP over IPsec
This section includes step-by-step instructions for using the New Connection Wizard to configure a Windows XP SP2 client to establish an L2TP over IPsec connection to the TMS zl Module.
Figure C-57. Windows XP—New Connection Wizard
7. Click Next.
8. For Company Name, type a meaningful name. For this example, type TMS.
Figure C-58. Windows XP—New Connection Wizard
9. Click Next.
Figure C-59. Windows XP—New Connection Wizard
10. If the Public Network page is displayed, specify whether the client needs to make a dial-up connection. If the workstation’s Internet connection is through a dial-up connection, select that connection for Automatically dial this initial connection. Otherwise, select Do not dial the initial connection.
11.
14. If the Smart Cards page is displayed, complete these steps:
   a. Select Do not use my smart card.
Figure C-61. Windows XP—New Connection Wizard
   b. Click Next.
Figure C-62. Windows XP—New Connection Wizard
15. If prompted, select whether only the current user can make this connection or all users on this workstation.
Figure C-63. Windows XP—New Connection Wizard
16. If you want, select the Add a shortcut to this connection to my desktop check box. Click Finish.
17. The Connect window should be displayed.
Figure C-64. Connect Window
18. Click Properties to open the Properties window.
19. Click the Networking tab.
20.
Figure C-65. Windows XP—Properties Window > Networking Tab
21. Select Internet Protocol (TCP/IP) in the This connection uses the following items box and click Properties.
22.
Figure C-66. Windows XP—Properties Window > Security Tab
25. Click Settings next to Advanced (custom settings).
Figure C-67. Windows XP—Advanced Security Settings
26. For Data encryption, ensure that Require encryption (disconnect if server declines) is selected.
27. Select Allow these protocols.
28. Clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box. If it is not already selected, select the check box for the authentication protocol specified in the TMS zl Module L2TP dial-in user account. If the module allows any protocol, you can select multiple check boxes. However, you must always clear the Microsoft CHAP Version 2 (MS-CHAP v2) check box.
Configure VPNs Using the HP ProCurve Threat Management Services zl Module
Configure a Client-to-Site IPsec VPN for Macintosh IPSecuritas Clients
33. For Password, type the password that you specified for this dial-in user on the TMS zl Module. The password matches the setting in the Add Dial-In User—Step 2 of 3 window.
34. Click Connect. After a minute or so, you should see a message that informs you that the connection was successful.
3. Create an object for the local VPN gateway address:
   a. For Name, type a name that is meaningful to you. For this example, type LocalGateway. You can use only letters, numbers, and the underscore character (_) in this field.
   b. For Type, select IP.
Figure C-70. Add Address Window
   c. Click Single-entry.
   d.
4.
5.
   b. Create one address object for each remote client:
      i. For Name, type a name that is meaningful to you. For this example, type Client1.
      ii. For Type, select IP.
      iii. Click Single-entry.
      iv. In the box below, specify the client’s public IP address.
      v. Click Apply.
      vi. Repeat these steps for each remote Macintosh client.
      vii. Click Close in the Add Address window.
Create an IKE Policy for Connecting to IPSecuritas Clients
Follow these steps to create an IKE policy that the TMS zl Module can use to negotiate VPN connections with remote IPSecuritas clients:
1. In the left navigation bar of the Web browser interface, click VPN > IPsec.
2. Click the IKEv1 Policies tab.
Figure C-72. VPN > IPsec > IKEv1 Policies Window
3.
   • Click Use VLAN IP Address and select a VLAN from the list. Select the TMS VLAN on which remote clients contact the module.
7. For Local ID, configure the ID that the TMS zl Module sends to authenticate itself.
   a. For Type, select the ID type:
      – IP Address
      – Domain Name
      – Email Address
      – Distinguished Name
      For this example, select IP Address.
   b.
Figure C-74. Add IKE Policy Window—Step 2 of 3
10. Under IKE Authentication, configure these settings:
   a. For Key Exchange Mode, select Main Mode or Aggressive Mode. For this example, select Aggressive Mode.
   b. For Authentication Method, select Preshared Key.
   c. Type a string of 12 to 49 alphanumeric or special characters in the Preshared Key box.
   c. For Authentication Algorithm, select one of these protocols, listed from least secure (and least processor-intensive) to most:
      – MD5
      – SHA-1
      For this example, leave the default MD5.
   d. For SA Lifetime in Seconds, type the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds and 86400 seconds (1 day).
Figure C-76. VPN > IPsec > IPsec Proposals Window
3. Click Add IPsec Proposal. The Add IPsec Proposal window is displayed.
Figure C-77. Add IPsec Proposal Window
4. For Proposal Name, type a unique, descriptive string of 1 to 10 alphanumeric characters. The string must be unique to this proposal. For this example, type ESP3desMD5.
5.
Figure C-78. VPN > IPsec > IPsec Proposals Window (Proposal Added)
10. Click Save.
Create an IPsec Policy for a Client-to-Site IPsec VPN with Macintosh IPSecuritas Clients
This section explains how to configure an IPsec policy for a client-to-site VPN that is intended for Macintosh IPSecuritas clients.
Figure C-80. Add IPsec Policy Window—Step 1 of 4
4. For Policy Name, type a unique, alphanumeric string between 1 and 10 characters. For this example, type MacClients.
5. By default, the Enable this policy check box is selected, which means that the policy will take effect as soon as you finish it. Leave the check box selected.
6. For Action, select Apply.
   b. For Local Address, specify the IP addresses of all local endpoints that the remote clients are allowed to access. For this example, select the LocalEndpoints address object that you created earlier. (You could also manually type an IP address, an IP address range, or a network address in CIDR format.)
   c.
Figure C-81. Add IPsec Policy Window—Step 2 of 4
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select the IKEv1 policy that you just configured. For this example, select MacClients.
13.
Figure C-82. Add IPsec Policy Window—Step 3 of 4
17. Clear the IP Address Pool for IRAS (Mode Config) check box.
18. Click Next.
Figure C-83. Add IPsec Policy Window—Step 4 of 4
19. If desired, configure settings in the Advanced Settings (Optional) section. For this example, leave the default settings.
Note: For more information on advanced settings, see the HP ProCurve Threat Management Services zl Module Management and Configuration Guide.
20. Click Finish.
You should also determine the zone for local endpoints to which the remote clients are allowed access. The instructions below will refer to this zone as the “local zone.” If remote clients are allowed to access multiple zones, you must create policies for each of these zones. In this example, the single local zone is the Internal zone.
1.
5. Permit traffic from the remote endpoints to local endpoints:
   a. For Action, leave the default, Permit Traffic.
   b. For From, select the remote zone. For this example, select External.
   c. For To, select the local zone.
   d. For Service, leave Any Service. This is the most basic configuration.
Configure the Macintosh IPSecuritas Client
This section includes step-by-step instructions for configuring a Macintosh IPSecuritas client to establish a VPN connection to the TMS zl Module. These instructions have been tested with the Macintosh OS X Leopard 10.x operating system and IPSecuritas 3.x. Follow these steps:
1.
Figure C-87. IPSecuritas
6. For Profile, select the profile that you just created.
Figure C-88. IPSecuritas—Connections > Edit Connections
7. Click Connections > Edit Connections.
Figure C-89.
8. Click the Add Connections icon.
9. Specify a significant name for the connection, such as Main Campus.
Figure C-90. IPSecuritas—Connections > General Tab
10. Click the General tab.
11. For Remote IPSec Device, type the IP address at which the client reaches the TMS zl Module.
12.
13. Click the Phase 1 tab and configure the following, which must match settings in the IKE policy on the TMS zl Module:
   a. For Lifetime, select Seconds, then type a value in the box. For this example, type 28800.
   b.
   c. For Encryption, select one (or more) of the following check boxes:
      – DES
      – 3DES
      – AES 256
      – AES 192
      – AES 128
      For this example, select the 3DES check box.
   d. For Authentication, select one (or more) of the following check boxes:
      – HMAC MD5
      – HMAC SHA-1
      For this example, select HMAC MD5.
Figure C-92. IPSecuritas—Connections > Phase 2 Tab
16.
   d. In the Preshared Key box that is displayed, type the key that you specified in the TMS zl Module IKE policy. For this example, type procurvekey!.
Figure C-93. IPSecuritas—Connections > ID Tab
17. Click the Options tab.
18.
19. Close the Connections window.
Figure C-95. IPSecuritas > Preferences
20. In the IPSecuritas main menu, click Preferences.
Figure C-96. IPSecuritas—Preferences Window
21. Ensure that the Randomize and Exclusive Trail check boxes are selected. Accept the rest of the defaults and close the Preferences window.
Figure C-97. IPSecuritas—Startup Window
22. To connect, select the profile that you just created. Then select the connection that you just configured.
23. Click Start.
Configure a Client-to-Site IPsec VPN for HP ProCurve VPN Clients
This section provides instructions for configuring the TMS zl Module as the gateway for a client-to-site VPN for HP ProCurve VPN clients.
5. Configure authentication settings for XAUTH. See “Configure Authentication for XAUTH” on page C-91.
6. Create the necessary firewall access policies. See “Access Policies for an Client-to-Site IPsec VPN for HP ProCurve VPN Clients” on page C-93.
7. Create a static route, if necessary. See “Verify Routes” on page C-96.
4. Create an object for the local endpoints:
   a. For Name, type a name that is meaningful to you. For this example, type LocalEndpoints.
   b. For Type, select Network (IP/Mask) or IP Range. For this example, select Network (IP/Mask).
   c. Click Single-entry.
   d.
5.
Figure C-100. Add IKE Policy Window—Step 1 of 3
6. For Local Gateway, specify an IP address on this module. You have two options:
   • Click IP Address and type the IP address in the box. Type the same IP address that you configured for the LocalGateway address object (the IP address on the TMS VLAN that remote clients contact).
   •
7.
   b. For Value, type the correct value. If you select IP Address for Type, the address that you specify in the Value box must match the IP address that you specified for the local gateway. Table C-8 shows the format for each ID type. For this example, type 10.1.1.1.
Table C-8. Local ID Values
Local ID Type | Remote ID Value | Examples
IP Address | A.B.C.D | 10.1.1.
Figure C-101. Add IKE Policy Window—Step 2 of 3
10. Under IKE Authentication, configure these settings:
   a. For Key Exchange Mode, select Main Mode or Aggressive Mode. For this example, select Main Mode.
   b. For Authentication Method, select Preshared Key.
   c. Type a string of 12 to 49 alphanumeric or special characters in the Preshared Key box.
   c. For Authentication Algorithm, select one of these protocols, listed from least secure (and least processor-intensive) to most:
      – MD5
      – SHA-1
      For this example, leave the default MD5.
   d. For SA Lifetime in Seconds, type the number of seconds that the IKE SA is kept open. Valid values are between 300 seconds and 86400 seconds (1 day).
Figure C-104. Add IPsec Proposal Window
4. For Proposal Name, type a unique, descriptive string of 1 to 10 alphanumeric characters. The string must be unique to this proposal. For this example, type ESP3desMD5.
5. For Encapsulation Mode, select Tunnel Mode.
6. For Security Protocol, select AH or ESP. For this example, select ESP.
7.
Create an IPsec Policy for a Client-to-Site IPsec VPN with HP ProCurve VPN Clients
This section explains how to configure an IPsec policy for a client-to-site VPN that is intended for HP ProCurve VPN clients.
5. By default, the Enable this policy check box is selected, which means that the policy will take effect as soon as you finish it. Leave the check box selected.
6. For Action, select Apply.
7. Leave the Position box empty. When you leave this setting empty, the IPsec policy is automatically added as the highest-priority policy.
8.
9. For Proposal, select the IPsec proposal that you just configured. For this example, select Esp3desMd5.
10. Click Next.
Figure C-108. Add IPsec Policy Window—Step 2 of 4
11. For Key Exchange Method, keep the default, Auto (with IKEv1).
12. For IKEv1 Policy, select the IKEv1 policy that you just configured. For this example, select MacClients.
13.
Figure C-109. Add IPsec Policy Window—Step 3 of 4
17. Configure the IP addresses and other settings assigned to remote endpoints through IKE mode config:
   a. The Enable IP Address Pool for IRAS (Mode Config) check box should be selected.
   b. For IRAS IP Address/Mask, type the IP address that the TMS zl Module will use to route traffic from the remote clients.
18. Click Next.
Figure C-110. Add IPsec Policy Window—Step 4 of 4
19. If desired, configure settings in the Advanced Settings (Optional) section. For this example, leave the default settings.
Note: For more information on advanced settings, see the HP ProCurve Threat Management Services zl Module Management and Configuration Guide.
20. Click Finish.
Follow these steps:
1. Select Network > Authentication.
Figure C-111. Network > Authentication > RADIUS Window
2. Click the Local Users tab.
3. Click Add Group. The Add Group window is displayed.
Figure C-112. Add Group Window
4. For Group Name, type the name of the user group. For this example, type EmployeesA.
Note
Figure C-113. Add User Window
   b. For Username, type the username for the user that you are adding.
   c. For Password and Verify password, type the password for the user.
   d. For Inactivity Timeout, type the number of seconds that you want an inactive session to remain open.
   e. Click OK.
8.
   f. For Destination, leave Any Address or specify the IP address configured for the local gateway in the IKE policy. For this example, select the LocalGateway address object.
Figure C-114. Add Policy Window
   g. Click Apply.
4. Allow IKE messages to the remote endpoints.
   a. For Action, leave the default, Permit Traffic.
   b. For From, select Self.
   c.
   g. For Destination, leave Any Address or specify the local gateway IP address. For this example, select the LocalGateway address object.
   h. Click Apply.
   i. For From, select Self.
   j. For To, select the remote zone. For this example, select External.
   k. For Service, select ipsec-nat-t-udp.
   l.
   t. Click Apply.
   u. Then permit the remote users in this group to access other local servers. For Action, select Permit Traffic.
   v. For From, select the IKE mode config zone. For this example, select Zone1.
   w. For To, select the local zone. For this example, select Internal.
   x. For Service, leave Any Service. This is the most basic configuration.
Figure C-115. Security Policy Editor Window
3. Right-click the My Connections folder and click Add > Connection.
4. Type a meaningful name for the new connection.
5. If you desire, under Connection Security, select the Only Connect Manually check box.
Figure C-116.
6. Under Remote Party Identity and Addressing, specify the addresses in the internal network that the remote client can reach. These settings must match the local addresses in the traffic selector of the TMS zl Module’s IPsec policy:
   a. For ID Type, select the type of value or object configured for the Local Address in the module’s traffic selector.
Figure C-117. ProCurve VPN Client—Security Policy Editor—New Connection > My Identity Window
11. Configure authentication settings to match the settings on the TMS zl Module. This configuration uses preshared keys:
   a. For Select Certificate, select None.
   b. Click Pre-Shared Key.
Figure C-118. ProCurve VPN Client—Security Policy Editor—Pre-Shared Key Window
   c.
Figure C-119. ProCurve VPN Client—Security Policy Editor—My Identity
Note: When you select IP Address for the ID Type, the ProCurve VPN client automatically submits the IP address on which it makes the connection.
14. In the left navigation pane of the Security Policy Editor, expand Security Policy.
15. Expand Authentication (Phase 1) and click Proposal 1.
16. In the right pane, configure security settings to match those in the TMS zl Module’s IKE policy:
   a. For Encrypt Alg, select the encryption algorithm specified on the module. For this example, select 3DES.
   b. For Hash Alg, select the authentication algorithm specified on the module. For this example, select MD5.
   c. For SA Life, select Seconds.
   b. If the module’s IPsec proposal specifies ESP for the protocol, select the Encapsulation Protocol (ESP) check box. Then match other settings in the module’s IPsec proposal:
      – For Encrypt Alg, select the encryption algorithm specified on the module. For this example, select 3DES.
      – For Hash Alg, select the authentication algorithm specified on the module.
   a. In the Security Policy Editor, select the connection that you just configured.
   b. Select File > Export Security Policy.
Figure C-123. Export policy to Window in the ProCurve VPN Client
   c. Click Browse next to the Filename box, navigate to the folder where you want to save the policy, and type the name for the policy.
   f. If you want, select the Protect Exported Policy check box to password-protect the policy. Then, type the password and confirm it. Tell users the password so that they can use the policy.
   g. Select one of the following options:
      – Unlocked policy—Users can change any settings.
      – Partially locked policy—Users can configure My Identity settings only.
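The client procedures in this appendix depend on each client's Phase 1 and Phase 2 settings matching the module's IKE policy and IPsec proposal, and Windows XP clients offer only the four proposals in Table C-5. The Python check below is an added example, not HP's code: the dictionary layout, key names and function names are assumptions, the sample values are constructed from the guide's example settings, and the hardening notes are the example's own additions.

```python
import re

# Input limits stated in the guide's steps.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,10}")   # IPsec policy / proposal name
PSK_MIN, PSK_MAX = 12, 49                     # preshared key length
IKE_LIFE_MIN, IKE_LIFE_MAX = 300, 86400       # IKE SA lifetime in seconds

# Table C-5: proposals a Windows XP client offers, in order.
XP_PROPOSALS = [
    (1, "ESP", "3DES", "SHA-1"),
    (2, "ESP", "3DES", "MD5"),
    (3, "ESP", "DES", "SHA-1"),
    (4, "ESP", "DES", "MD5"),
]

# Settings both ends must agree on (assumed key names, not product fields).
PHASE1_KEYS = ("mode", "psk", "encryption", "hash", "lifetime")
PHASE2_KEYS = ("protocol", "encryption", "hash", "lifetime", "pfs")


def field_errors(gw):
    """Return violations of the input limits the guide gives for the module."""
    errs = []
    if not NAME_RE.fullmatch(gw["policy_name"]):
        errs.append("policy_name: must be 1-10 alphanumeric characters")
    if not NAME_RE.fullmatch(gw["proposal"]["name"]):
        errs.append("proposal.name: must be 1-10 alphanumeric characters")
    if not PSK_MIN <= len(gw["ike"]["psk"]) <= PSK_MAX:
        errs.append("ike.psk: must be 12-49 characters")
    if not IKE_LIFE_MIN <= gw["ike"]["lifetime"] <= IKE_LIFE_MAX:
        errs.append("ike.lifetime: must be 300-86400 seconds")
    return errs


def mismatches(gw, client):
    """List (phase, key, module value, client value) for every disagreement."""
    out = []
    for phase, part, keys in (("phase1", gw["ike"], PHASE1_KEYS),
                              ("phase2", gw["proposal"], PHASE2_KEYS)):
        for key in keys:
            if part[key] != client[phase][key]:
                if key == "psk":  # never echo key material into a report
                    out.append((phase, key, "<redacted>", "<redacted>"))
                else:
                    out.append((phase, key, part[key], client[phase][key]))
    return out


def xp_proposal_number(proposal):
    """Table C-5 proposal number that the module's proposal matches, or None."""
    want = (proposal["protocol"], proposal["encryption"], proposal["hash"])
    for num, *params in XP_PROPOSALS:
        if tuple(params) == want:
            return num
    return None


def hardening_notes(gw):
    """Flag the weaker choices among the options the guide lists."""
    notes = []
    for where in ("ike", "proposal"):
        if gw[where]["hash"] == "MD5":
            notes.append(f"{where}: MD5 selected; the guide ranks SHA-1 as more secure")
        if gw[where]["encryption"] == "DES":
            notes.append(f"{where}: DES selected; 3DES or AES is stronger")
    if gw["ike"]["mode"] == "Aggressive Mode":
        notes.append("ike: Aggressive Mode does not protect identities; prefer Main Mode")
    if not gw["proposal"]["pfs"]:
        notes.append("proposal: PFS is disabled")
    return notes


# Constructed sample modelled on the guide's Macintosh example values.
GATEWAY = {
    "policy_name": "MacClients",
    "ike": {"mode": "Aggressive Mode", "psk": "procurvekey!",
            "encryption": "3DES", "hash": "MD5", "lifetime": 28800},
    "proposal": {"name": "ESP3desMD5", "protocol": "ESP", "encryption": "3DES",
                 "hash": "MD5", "lifetime": 28800, "pfs": False},
}
# Constructed client whose preshared key and Phase 2 hash have drifted.
CLIENT = {
    "phase1": {"mode": "Aggressive Mode", "psk": "procurvekey",
               "encryption": "3DES", "hash": "MD5", "lifetime": 28800},
    "phase2": {"protocol": "ESP", "encryption": "3DES", "hash": "SHA-1",
               "lifetime": 28800, "pfs": False},
}

if __name__ == "__main__":
    for line in field_errors(GATEWAY) + hardening_notes(GATEWAY):
        print(line)
    for row in mismatches(GATEWAY, CLIENT):
        print("mismatch:", row)
    print("Table C-5 proposal:", xp_proposal_number(GATEWAY["proposal"]))
```

Running the check before distributing client settings shows which side of a failed negotiation to correct, and the preshared key is reported only as differing, never printed.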
ProCurve 5400zl Switches Installation and Getting Started Guide