HP ProCurve Threat Management Solution Implementation Guide 2009-05

HP ProCurve Network Immunity Manager with HP ProCurve Security Devices
Step 2: Detect Threats
These zones enable you to create areas of trust on your network. For example, you may create
a highly secure zone for company executives and the finance department and a less secure
zone for guest users. This allows you to apply different access policies to these zones and
ensure that your confidential data is well protected.
With the exception of Self and External, all of the zones are functionally equivalent. The Self
zone is used to control traffic to and from the module’s interfaces. The External zone, on the
other hand, is designed to provide enhanced protection from external networks. The firewall
applies additional attack checks for traffic originating on the External zone, so you should
typically associate VLANs that connect to untrusted networks such as the Internet with the
External zone.
As you begin to plan your TMS zl Module deployment, list the VLANs on your company's
network and determine which VLANs have similar security needs. For example, Figure 4-23
shows a company network with several VLANs. As this company's network administrators plan
their deployment, they might begin by assigning VLAN 11 to the External zone because it is
the VLAN that connects to the Internet.
The composition of other zones, however, depends on the security requirements for devices
and users in each VLAN. In the example network, most employees, including temporary
employees, are placed in VLAN 5. The network administrators might assign this VLAN to the
Internal zone.
Executives, the finance department, and the human resources department are placed in VLAN
7. Because the network administrators want to prevent unauthorized users from accessing
information and devices in VLAN 7, they associate this VLAN with a different zone: Zone 1. The
network administrators can then easily apply different access policies to Zone 1 than they apply
to other zones. In addition, any traffic sent between Zone 1 and every other zone is filtered
and controlled. (Note that it is also possible to control traffic between two VLANs within the
same zone. However, putting the VLANs into different zones makes it easier to apply access
policies.)
The network administrators will then assign VLAN 3 and VLAN 9 to Zone 2 so that they can
properly secure the network infrastructure devices.
Finally, they will place VLAN 13 in the DMZ zone because it includes Web, FTP, and email
servers.
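The following is an added planning model, not code from the guide or from the TMS zl Module itself. It encodes the VLAN-to-zone assignment worked out above and evaluates candidate flows against a small inter-zone access policy. Two behaviours are assumptions for the sake of the example: traffic between different zones is dropped unless a rule permits it, and traffic within one zone passes unless explicitly restricted. The policy rules, the service names, the `attack-checks` marker and the `lint_plan` helper are all hypothetical illustrations.

```python
"""Hypothetical zone-planning model (added example, not TMS zl Module code).

Assumed rules: flows within one zone pass unless explicitly restricted;
flows between different zones are dropped unless an access rule permits them.
"""
from dataclasses import dataclass, field

# VLAN -> zone assignment for the example network (Figure 4-23).
VLAN_ZONES = {
    11: "External",   # connects to the Internet
    5: "Internal",    # most employees, including temporary employees
    7: "Zone1",       # executives, finance, human resources
    3: "Zone2",       # network infrastructure devices
    9: "Zone2",
    13: "DMZ",        # Web, FTP and email servers
}

# Assumed: VLANs that connect to untrusted networks. Only VLAN 11 does here.
UNTRUSTED_VLANS = {11}


@dataclass
class AccessPolicy:
    """Inter-zone allow rules as (src_zone, dst_zone, service) tuples.

    'any' as the service matches every service. Rules are directional:
    a rule for Internal->DMZ does not permit DMZ->Internal.
    """
    allow: set = field(default_factory=set)
    # Optional intra-zone restrictions, same tuple shape.
    deny_intra: set = field(default_factory=set)


def zone_of(vlan, vlan_zones=VLAN_ZONES):
    """Return the zone a VLAN belongs to; raise if it was never assigned."""
    try:
        return vlan_zones[vlan]
    except KeyError:
        raise ValueError(f"VLAN {vlan} is not assigned to any zone") from None


def evaluate(policy, src_vlan, dst_vlan, service, vlan_zones=VLAN_ZONES):
    """Decide one flow; returns (verdict, reason, extra_checks)."""
    src, dst = zone_of(src_vlan, vlan_zones), zone_of(dst_vlan, vlan_zones)
    # Assumed marker: traffic originating in External gets the firewall's
    # additional attack checks, whatever the access verdict is.
    extra = ["attack-checks"] if src == "External" else []
    if src == dst:
        if (src, dst, service) in policy.deny_intra:
            return ("deny", f"intra-zone {src} restriction", extra)
        return ("permit", f"intra-zone {src}", extra)
    if (src, dst, service) in policy.allow or (src, dst, "any") in policy.allow:
        return ("permit", f"{src}->{dst} allowed for {service}", extra)
    return ("deny", f"{src}->{dst} no matching rule", extra)


def lint_plan(vlan_zones, untrusted_vlans):
    """Flag a common planning mistake: a VLAN that connects to an untrusted
    network but was not placed in the External zone."""
    problems = []
    for vlan in sorted(untrusted_vlans):
        zone = vlan_zones.get(vlan)
        if zone != "External":
            problems.append(f"VLAN {vlan} faces an untrusted network but is in {zone}")
    return problems


# Hypothetical policy: employees and executives may reach DMZ services, the
# Internet may reach Web and mail in the DMZ, and Zone1 may manage the
# infrastructure in Zone2 over SSH. Everything else between zones is dropped.
EXAMPLE_POLICY = AccessPolicy(allow={
    ("Internal", "DMZ", "http"), ("Internal", "DMZ", "smtp"),
    ("Zone1", "DMZ", "any"),
    ("External", "DMZ", "http"), ("External", "DMZ", "smtp"),
    ("Zone1", "Zone2", "ssh"),
})

if __name__ == "__main__":
    for flow in [(5, 13, "http"), (5, 7, "smb"), (11, 13, "http"),
                 (11, 7, "http"), (3, 9, "snmp"), (13, 5, "http")]:
        print(flow, evaluate(EXAMPLE_POLICY, *flow))
    # Misplacing the Internet VLAN in Internal is caught by the lint.
    print(lint_plan({**VLAN_ZONES, 11: "Internal"}, UNTRUSTED_VLANS))
```

Run it to see that VLAN 5 can reach the DMZ Web server but not VLAN 7, that VLAN 3 and VLAN 9 talk freely because they share Zone 2, and that reversing a permitted direction (DMZ to Internal) is denied. The lint check is the step worth keeping in a real plan: an Internet-facing VLAN left in Internal silently forfeits the External zone's additional attack checks.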