TMS zl Management and Configuration Guide ST.1.0.090213
1-36
Overview
IDS/IPS
from the known pattern, using polymorphism or other evasion techniques.
Protocol anomaly detection helps the TMS zl Module to catch these variant
attacks. Finally, protocol anomaly detection does not require signature
updates or subscription licenses, thus lowering the administrative overhead.
Port Maps. In order to check for protocol anomalies, the TMS zl Module
must know with which application a particular session is associated. The
module receives this information from its port maps. For example, traffic for
an HTTP (Web) session is typically destined to TCP port 80. Therefore, the
module’s default port map matches TCP port 80 to HTTP. The module applies
the HTTP protocol anomaly checks to traffic in a session with a TCP
destination port of 80.
The TMS zl Module’s port map is user-customizable. If your servers use
non-traditional ports for particular applications, you must specify the correct
port for that application in your network. Suppose, for example, that your Web
servers use TCP destination port 8080. Map this port to HTTP; otherwise, the
TMS zl Module will treat the traffic destined to port 8080 as generic TCP
traffic and will not screen it for HTTP protocol anomalies.
Note The TMS zl Module’s firewall ALGs also use the port map to identify traffic
types.
Threat Mitigation
In routing mode, when the TMS zl Module acts as an IPS (a function that you
must enable manually), it can mitigate threats. When the module detects a
threat, it creates a log entry and takes one of these actions:
■ Terminate the session—The TMS zl Module closes the session with the
offending traffic. It drops all traffic that is associated with the session. For
example, if the threat was detected in an HTTP session to a private server,
the offender is blocked from sending any traffic to that server on the HTTP
port.
■ Block the packet—The TMS zl Module drops the packets from the
suspect stream so that they do not reach the intended target. However,
other traffic within the session is allowed.
■ Allow the packet—The TMS zl Module allows the packet to proceed to
its destination but still logs the threat.
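The following simulation, added here as an illustration and not taken from the TMS zl Module's own code, ties together the two mechanisms described above: the port map that decides which protocol-anomaly checks apply to a session (Port Maps), and the three mitigation actions taken once a threat is found (Threat Mitigation). The port-map entries other than TCP/80 → HTTP, the simplified HTTP anomaly check (a malformed request line), the packet format and the sample session to port 8080 are all constructed for the example; the module's real checks and data structures are not published on this page. It shows that with the default port map a session to port 8080 is treated as generic TCP and passes uninspected, while mapping 8080 to HTTP causes the anomaly to be logged and handled according to the configured action.

```python
"""Port map + protocol-anomaly check + mitigation action, simulated.
Added example; not HP's TMS zl code. Port-map entries, the HTTP anomaly
check and the packet stream are constructed for illustration."""

from dataclasses import dataclass, field

# Default port map: (protocol, destination port) -> application name.
# Only the TCP/80 -> HTTP entry comes from the guide; the rest is constructed.
DEFAULT_PORT_MAP = {("tcp", 80): "http"}

# A user-customized port map for a network whose Web servers listen on 8080.
CUSTOM_PORT_MAP = {**DEFAULT_PORT_MAP, ("tcp", 8080): "http"}


@dataclass
class Packet:
    session: tuple  # (src_ip, src_port, dst_ip, dst_port, proto) -- constructed
    payload: bytes


def classify(session, port_map):
    """Return the application the port map assigns to the session's destination
    port, or 'generic-<proto>' when the port is unmapped."""
    proto, dst_port = session[4], session[3]
    return port_map.get((proto, dst_port), f"generic-{proto}")


def http_anomaly(payload):
    """Simplified HTTP protocol-anomaly check (constructed): the request line
    must be '<METHOD> <target> HTTP/1.x' with a recognised method.
    Returns a reason string for an anomaly, or None when the line is clean."""
    line = payload.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return "malformed request line"
    if parts[0] not in {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}:
        return "unknown method"
    return None


# Which anomaly checker applies to which application.
ANOMALY_CHECKS = {"http": http_anomaly}


@dataclass
class Ips:
    port_map: dict
    action: str  # 'terminate', 'block' or 'allow'
    log: list = field(default_factory=list)
    terminated: set = field(default_factory=set)

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, logging any threat."""
        if pkt.session in self.terminated:
            return "drop"  # session was closed by an earlier 'terminate' verdict
        app = classify(pkt.session, self.port_map)
        check = ANOMALY_CHECKS.get(app)
        if check is None:
            return "forward"  # generic traffic: no protocol checks apply
        reason = check(pkt.payload)
        if reason is None:
            return "forward"
        self.log.append((app, pkt.session, reason, self.action))
        if self.action == "terminate":
            self.terminated.add(pkt.session)  # drop everything else in the session
            return "drop"
        if self.action == "block":
            return "drop"  # only the offending packet is dropped
        return "forward"  # 'allow': delivered, but the threat is logged


def run_demo(port_map, action):
    """Feed a constructed two-packet HTTP session to port 8080 through the IPS
    and return (per-packet verdicts, number of log entries)."""
    session = ("10.0.0.5", 51234, "10.0.0.10", 8080, "tcp")
    packets = [
        Packet(session, b"BAD\x00REQUEST\r\nHost: x\r\n\r\n"),  # anomalous
        Packet(session, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),  # clean
    ]
    ips = Ips(port_map=port_map, action=action)
    return [ips.inspect(p) for p in packets], len(ips.log)


if __name__ == "__main__":
    print("default map, terminate:", run_demo(DEFAULT_PORT_MAP, "terminate"))
    print("custom map, terminate: ", run_demo(CUSTOM_PORT_MAP, "terminate"))
    print("custom map, block:     ", run_demo(CUSTOM_PORT_MAP, "block"))
    print("custom map, allow:     ", run_demo(CUSTOM_PORT_MAP, "allow"))
```

With the default map the session to port 8080 is classified as generic TCP, so both packets are forwarded and nothing is logged; with the custom map the malformed request is logged, and the verdicts differ only in how far the mitigation reaches: terminate drops the offending packet and every later packet in the session, block drops just the offending packet, and allow forwards it while keeping the log entry.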