TMS zl Management and Configuration Guide ST.1.1.100226

Overview
Deployment Models for Monitor Mode—Threat Detection
In monitor mode, the TMS zl Module can detect known DoS attacks, exploits, worms, viruses, and other threats that are launched by external or internal users (users who have been allowed access to the network). It logs the attack internally and can forward the log to a syslog server, to an SNMP server, to an SNMP trap server, or as an email. However, the module in monitor mode does not take action to mitigate the threat.
Deployment Location
The TMS zl Module can detect threats that originate inside or outside your private network. You simply mirror the appropriate network traffic to the TMS zl Module’s internal data port (port 1).
For example, to use the module to detect internal threats, you could install the module in a core 5400zl or 8200zl switch and mirror the Interswitch Links (ISLs) to the module’s data port. To have the module detect external threats, you could connect a 5400zl or 8200zl switch to your external router. You would then mirror the traffic from the port that connects to the router to the module’s internal data port.
The ProCurve 5400zl and 8200zl Switch Series support remote mirroring. If you have other switches that also support this feature, you can mirror traffic from those switches to the module’s data port.
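The following switch CLI session is an added illustration of the internal-threat layout described above; it is not taken from this guide, and it assumes the module sits in slot C (so its data port 1 appears as port C1) and that the ISLs to the other core switches are ports A1 and A2.

```text
; Assumed layout (not from this guide): TMS zl Module in slot C, ISLs on A1-A2.
; Define mirror session 1 with the module's data port as the exit port.
ProCurve(config)# mirror 1 port C1

; Send both inbound and outbound ISL traffic to session 1 so the module
; sees full conversations, not just one direction.
ProCurve(config)# interface A1,A2 monitor all both mirror 1

; Verify the session: the source ports and the exit port should be listed.
ProCurve(config)# show monitor
```

Because the module is in monitor mode, nothing it detects on this mirrored copy is blocked; confirm that its logs actually reach your syslog, SNMP, or email destination so that detections are not left unseen.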
Deployment Tasks for Internal Threat Detection
You must complete these tasks to deploy the TMS zl Module to detect (but not mitigate) internal threats:
1. Install the TMS zl Module in a ProCurve 5400zl or 8200zl switch in a core location.