HP ProCurve Threat Management Solution Implementation Guide 2009-05

4-100
HP ProCurve Network Immunity Manager with HP ProCurve Security Devices
Step 4: Analyze Events
This section helps you analyze the events that are detected on your network so you can refine
your NIM policies to better protect your network and reduce the chance of false positives.
These activities follow the “Analyze events” phase of the security management life cycle (see
Figure 4-1 on page 4-4), and they match up with the design steps discussed in Chapter 4:
“Design” in the HP ProCurve Threat Management Solution Design Guide. If you are following
the steps in the design guide, this chapter will guide you through the activities for analyzing
events.
All Times Through the Process
Event analysis is the same whether this is your first time or a subsequent time through the
process. To analyze the events that have occurred during this cycle, perform the tasks that
follow.
Use the information you gather in these tasks to plan refinements to your network immunity
policy. You might also wish to use this information for other purposes outside normal network
operation, such as general business process improvement or regulatory compliance reporting.
Task: Verify That Events Trigger the Alerts and Actions
After you configure your alerts, actions, and policies, you might want to test your settings and
see if they work as you intended. You can use several tools (such as Nmap) to send traffic that
mimics an attack. (Nmap is available at www.insecure.org.) Set up two workstations and
designate one as the offender and one as the victim. Then use Nmap or a similar tool to send
a scan or traffic with protocol anomalies. The following commands will trigger the protocol
anomaly alert:
nmap -sX <victim IP>
nmap -A -T4 <victim IP>
nmap -sF <victim IP>
After running these commands from the offender workstation, check the PCM+ Events window to
verify that PCM+ received the related events. If it did not, you might need to check the SNMP
settings on the switch or the IPS (depending on where on your network you launched the attack).
You can also access the switch to which the offender workstation connects and see what
actions, if any, were taken. For example, if you have configured Quarantine VLAN as an action,
you can access the switch and enter:
ProCurve switch# show vlans
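To make it clear what the IPS is reacting to when the scans above run, here is an added example (not from this guide and not HP ProCurve code) of the protocol-anomaly logic behind the event: a small classifier for the TCP flag combinations that nmap -sX (Xmas) and -sF (FIN) emit, run over constructed packet tuples standing in for a capture. The IP addresses, the `threshold` value and the anomaly names are assumptions for illustration.

```python
# Added example: classify TCP flag bytes as protocol anomalies of the kind an
# IPS raises an event for, then tally them per source to identify the offender.
# The packet tuples below are constructed, not captured traffic.
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# TCP flag bits as laid out in the header's flags byte
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

Packet = Tuple[str, str, int, int]  # (src_ip, dst_ip, dst_port, flags)


def classify_flags(flags: int) -> Optional[str]:
    """Return an anomaly name for a flag byte, or None if it looks like normal TCP."""
    if flags == 0:
        return "null-scan"          # no flags at all (nmap -sN)
    if flags == FIN | PSH | URG:
        return "xmas-scan"          # nmap -sX sets FIN, PSH and URG together
    if flags == FIN:
        return "fin-scan"           # nmap -sF: a bare FIN with no ACK
    if flags & SYN and flags & FIN:
        return "syn-fin"            # mutually exclusive flags set at once
    return None                     # SYN, ACK, PSH+ACK etc. are ordinary


def detect_offenders(packets: Iterable[Packet], threshold: int = 3) -> Dict[str, Counter]:
    """Tally anomalies per source IP; report sources at or above the threshold."""
    per_src: Dict[str, Counter] = {}
    for src, _dst, _port, flags in packets:
        kind = classify_flags(flags)
        if kind:
            per_src.setdefault(src, Counter())[kind] += 1
    return {src: c for src, c in per_src.items() if sum(c.values()) >= threshold}


# Constructed sample (assumed addresses): 10.0.0.5 is the offender workstation
# probing the victim 10.0.0.9; 10.0.0.7 is an ordinary client talking to it.
SAMPLE: list = [
    ("10.0.0.5", "10.0.0.9", 22, FIN | PSH | URG),
    ("10.0.0.5", "10.0.0.9", 80, FIN | PSH | URG),
    ("10.0.0.5", "10.0.0.9", 443, FIN | PSH | URG),
    ("10.0.0.5", "10.0.0.9", 8080, FIN),
    ("10.0.0.7", "10.0.0.9", 80, SYN),
    ("10.0.0.7", "10.0.0.9", 80, ACK | PSH),
]

if __name__ == "__main__":
    for src, counts in detect_offenders(SAMPLE).items():
        print(src, dict(counts))  # 10.0.0.5 {'xmas-scan': 3, 'fin-scan': 1}
```

Only the offender shows up; the client's SYN and PSH+ACK packets are never counted, which is the behaviour you want to see mirrored in the PCM+ Events window (an event for the offender, none for normal traffic).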