HP ProCurve Threat Management Solution Implementation Guide 2009-05
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS
Step 2: Detect Threats
Figure 3-53. Cisco IPS 4200 Series Sensor Events Listed in PCM+ Events Window
Once you are confident that sensor events are being reported to PCM+, you can
set up a non-ProCurve Security Devices alert in NIM’s Policy Manager to capture
the event, and you can set up a policy to respond to the alert with an action.
Optional Subtask: Set Up an IDS
When the Cisco 4200 Series Sensor is used as an IDS, it operates offline in monitor mode. That
is, it is not in the direct path of network traffic. Instead, traffic is mirrored from one or more
switch ports on the network: while that traffic flows normally through the network, a copy of it
is sent to the IDS. The IDS inspects the copy and, if it detects a network threat, notifies the
PCM+/NIM management station. The management station can then take action to respond to
the threat.
Figure 3-54 shows the Cisco 4200 Series Sensor when it is used as an IDS on a sample network.
In this network, the IDS is attached to one of the switches, which mirrors traffic to it. This
mirroring can be local to the switch where the IDS is attached, or it can come from a remote
switch. In this example, local mirroring is used. The mirroring is set up manually, but NIM can
also set it up as a response to an event on the network.