HP ProCurve Threat Management Solution Implementation Guide 2009-05
HP ProCurve Network Immunity Manager with a Third-Party IDS/IPS
Step 2: Detect Threats
The threat detection phase of the security management life cycle is shown in Figure 3-1 and
discussed in Chapter 4, “Design,” of the HP ProCurve Threat Management Solution Design
Guide. This section guides you through the activities that will enable threat detection on your
network.
The solution features a NIM deployment that interacts with third-party devices to detect and
respond to network threats. Instructions for configuring the following IDSs and IPSs to work
with NIM are provided on the pages listed below:
■ Cisco IPS 4200 Series Sensor—page 3-30
■ Fortinet FortiGate UTM—page 3-59
■ SonicWALL E-Class 5500—page 3-83
■ TippingPoint IPS—page 3-106
This chapter does not cover all aspects of the devices’ operation. Each product’s documentation
is your primary reference for detailed installation and operating instructions.
Support issues with any third-party products should be directed to the appropriate vendor or
support provider. If, however, a potential interoperability issue is reported to a ProCurve
Competency Center, ProCurve will assist in confirming whether or not NIM is functioning
correctly, and if it is not, will work with you to resolve the issue.
Task: Set Up Static Mirroring, as Needed
When you use an IDS to detect malicious traffic on the network, you use the port mirroring
function of ProCurve switches to copy traffic from a port of interest to the device that is acting
as the IDS. The IDS examines the traffic and notifies the management station of any malicious
traffic it finds. The management station, running PCM+ and NIM, takes appropriate action
based on the nature of the threat: shutting down the attacker’s port or blocking the MAC address
of the attacker from the network, for example.
Set Up Local Mirroring
This process uses local port mirroring when the source port (the traffic of interest) and the
destination port (the IDS) are on the same switch. You can set up static local port mirroring
using PCM+, as follows:
1. Set up the mirror (destination) port. This is the port to which the IDS is attached.
   a. In the groups or devices in the left navigation tree, select the switch.
   b. Click the Port List tab.
   c. Click the Port Status subtab.
   d. Select the destination port in the list.
   e. Click the Tools Menu icon on the toolbar and click Configure Mirror Port in the menu.