HP ProCurve Threat Management Solution Implementation Guide 2009-05

HP ProCurve Network Immunity Manager with HP ProCurve Security Devices
8. Under Victim, specify a destination device, using its IP address, port, or MAC address.
9. For Comment, type a plain-text comment that describes the purpose of this exclusion.
10. Click OK. The new exclusion is shown in the Exclusion List tab for ProCurve Threat Management Services.
Step 3: Respond to Threats
This section discusses the activities you might engage in to define actions for NIM events that are related to NBAD and the TMS zl Module. These activities follow the “Respond to threats” phase of the security management life cycle (see Figure 4-1 on page 4-4), and they match the design steps discussed in Chapter 4: “Design” in the HP ProCurve Threat Management Solution Design Guide. If you are following the steps in the design guide, this section will guide you through the activities for responding to threats.
First Time Through the Process
The first time through the process, you have two choices:
- Skip this step.
- Ensure policy execution is disabled.
Skip This Step
The first time you go through the security management life cycle, ProCurve recommends that you skip this step and go to “Step 4: Analyze Events” on page 4-100. This first time you are just establishing the baseline level of potential threat activity on your network, and you might not be ready to have NIM take any action against those threats. Once you become familiar with all the potential threats and activities on your network, you can then take better-coordinated actions than if you start responding to every potential threat from the outset.
Keep in mind that when the TMS zl Module is operating in routing mode, it will automatically respond to some threats. The firewall automatically checks all the traffic the TMS zl Module handles for the following:
- IP spoofing
- Ping of death
- LAND attacks
- IP reassembly attacks
You can also configure the firewall to perform additional attack checks.
When the firewall detects one of these attacks, it will automatically drop the traffic.
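The following Python is an added illustration of what the four automatic checks listed above test for; it is not HP's code and does not reflect how the TMS zl Module implements them. The internal prefix, interface names and the packet records are constructed for the example (fragment offsets are given in bytes).

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.1.0.0/16")  # constructed inside prefix
MAX_DATAGRAM = 65535                            # max IPv4 total length, bytes

class FirewallChecks:
    """Stateless checks plus a small per-datagram fragment table."""
    def __init__(self):
        self._frags = defaultdict(list)  # (src, dst, ip_id) -> [(start, end)]

    def inspect(self, pkt):
        """Return the names of the checks a packet trips (empty list = pass)."""
        hits = []
        src = ipaddress.ip_address(pkt["src"])
        dst = ipaddress.ip_address(pkt["dst"])
        # LAND: source and destination are the same host (and port, if any)
        if src == dst and pkt.get("sport") == pkt.get("dport"):
            hits.append("land")
        # IP spoofing: an inside address arriving on the outside interface, or
        # an address outside the inside prefix arriving on the inside interface
        inside = src in INTERNAL
        if (pkt["iface"] == "wan" and inside) or (pkt["iface"] == "lan" and not inside):
            hits.append("ip-spoofing")
        off = pkt.get("frag_offset", 0)
        start, end = off, off + pkt["length"]
        # Ping of death: an ICMP datagram whose reassembled size exceeds 65535
        if pkt["proto"] == "icmp" and end > MAX_DATAGRAM:
            hits.append("ping-of-death")
        # IP reassembly attack: a fragment overlapping one already queued
        if off or pkt.get("more_fragments"):
            key = (pkt["src"], pkt["dst"], pkt["ip_id"])
            if any(start < e and s < end for s, e in self._frags[key]):
                hits.append("ip-reassembly")
            self._frags[key].append((start, end))
        return hits

# Constructed sample traffic: one clean packet followed by one case per check.
SAMPLE = [
    {"iface": "wan", "src": "203.0.113.9", "dst": "10.1.2.3", "proto": "tcp", "sport": 40000, "dport": 443, "length": 60},
    {"iface": "wan", "src": "10.1.2.3", "dst": "10.1.2.3", "proto": "tcp", "sport": 80, "dport": 80, "length": 40},
    {"iface": "wan", "src": "198.51.100.7", "dst": "10.1.2.3", "proto": "icmp", "ip_id": 7, "frag_offset": 65528, "length": 100, "more_fragments": False},
    {"iface": "lan", "src": "10.1.5.5", "dst": "198.51.100.7", "proto": "udp", "ip_id": 9, "frag_offset": 0, "length": 100, "more_fragments": True},
    {"iface": "lan", "src": "10.1.5.5", "dst": "198.51.100.7", "proto": "udp", "ip_id": 9, "frag_offset": 40, "length": 100, "more_fragments": False},
]

def run_samples(packets=SAMPLE):
    """Inspect the packets in order, sharing fragment state across them."""
    fw = FirewallChecks()
    return [fw.inspect(p) for p in packets]
```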
Depending on how you have configured the TMS zl Module’s IPS, it might also respond to attacks—without any intervention from NIM. For instructions on configuring IPS actions, see “Subtask: Configure Actions for the IPS” on page 4-54.