TMS zl Management and Configuration Guide ST.1.1.100226
1-41
Overview
IDS/IPS
Note: The TMS zl Module’s firewall ALGs also use the port map to identify traffic types.
Threat Mitigation

In routing mode, when the TMS zl Module acts as an IPS (a function that you must enable manually), it can mitigate threats. When the module detects a threat, it creates a log entry and takes one of these actions:
■ Terminate the session—The TMS zl Module closes the session with the offending traffic. It drops all traffic that is associated with the session. For example, if the threat was detected in an HTTP session to a private server, the offender is blocked from sending any traffic to that server on the HTTP port.
■ Block the packet—The TMS zl Module drops the packets from the suspect stream so that they do not reach the intended target. However, other traffic within the session is allowed.
■ Allow the packet—The TMS zl Module allows the packet to proceed to its destination but still logs the threat.
No matter which action you choose, threats are logged locally. You can also configure the module to forward logs about threats of a specific severity (such as Minor and higher). You can forward logs as one or more of the following:
■ SNMP traps
■ Syslog messages
■ Email messages
See “Configuring Event Logging” in Chapter 3: “Initial Setup in Monitor Mode.”
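To make the difference between the three actions concrete, the following added example (not code from the TMS zl Module or this guide) models them over a constructed packet stream: the session key, the packet payloads, the severity names and ranking, the maximum-URL-length value and the test signature string are all assumptions made for illustration. It also models the "forward logs of severity X and higher" rule, so you can see which detections reach the local log only and which would also be sent out as SNMP traps, syslog or email.

```python
"""Toy model of the TMS zl IPS actions and severity-filtered log forwarding.

Constructed example: packets, severity levels, the max-URL-length setting and
the signature string are made up for illustration. Nothing here is the
module's own code, log format or signature set.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    TERMINATE_SESSION = "terminate-session"  # drop the whole session
    BLOCK_PACKET = "block-packet"            # drop only the flagged packet
    ALLOW_PACKET = "allow-packet"            # pass it, but still log


# Assumed severity ordering; the module's exact level names are not on this page.
SEVERITY_RANK = {"Informational": 0, "Minor": 1, "Major": 2, "Critical": 3}

MAX_URL_LENGTH = 1024                  # protocol-anomaly setting (constructed value)
TEST_SIGNATURE = "X-CONSTRUCTED-SIG"   # stand-in for a real signature (constructed)


@dataclass(frozen=True)
class Packet:
    session: tuple   # (src_ip, dst_ip, dst_port): the session key this model uses
    payload: str     # HTTP request line as text


def detect(pkt):
    """Return (threat_name, severity) for a suspect packet, or None if benign."""
    parts = pkt.payload.split()
    # Protocol-anomaly check: request URL longer than the configured maximum.
    if len(parts) >= 2 and len(parts[1]) > MAX_URL_LENGTH:
        return ("HTTP URL exceeds maximum length", "Major")
    # Signature check: constructed marker string instead of a real signature.
    if TEST_SIGNATURE in pkt.payload:
        return ("test signature match", "Informational")
    return None


@dataclass
class Ips:
    action: Action
    forward_min_severity: str = "Minor"   # forward logs of this severity and higher
    terminated: set = field(default_factory=set)
    local_log: list = field(default_factory=list)
    forwarded: list = field(default_factory=list)

    def process(self, pkt):
        """Return "passed" or "dropped" for one packet, logging any detection."""
        # Everything belonging to an already-terminated session is dropped.
        if pkt.session in self.terminated:
            return "dropped"
        hit = detect(pkt)
        if hit is None:
            return "passed"
        name, severity = hit
        entry = {"session": pkt.session, "threat": name,
                 "severity": severity, "action": self.action.value}
        self.local_log.append(entry)          # every detection is logged locally
        if SEVERITY_RANK[severity] >= SEVERITY_RANK[self.forward_min_severity]:
            self.forwarded.append(entry)      # only these go out as trap/syslog/mail
        if self.action is Action.TERMINATE_SESSION:
            self.terminated.add(pkt.session)  # later packets of this session die too
            return "dropped"
        if self.action is Action.BLOCK_PACKET:
            return "dropped"
        return "passed"                       # ALLOW_PACKET: logged but delivered


# Constructed traffic: session A carries one over-long URL between two benign
# requests; session B carries a packet that matches the test signature.
SESSION_A = ("10.0.0.5", "192.0.2.10", 80)
SESSION_B = ("10.0.0.7", "192.0.2.10", 80)
SAMPLE_PACKETS = [
    Packet(SESSION_A, "GET /index.html HTTP/1.1"),
    Packet(SESSION_A, "GET /" + "A" * 2000 + " HTTP/1.1"),
    Packet(SESSION_A, "GET /about.html HTTP/1.1"),
    Packet(SESSION_B, "GET /status HTTP/1.1 " + TEST_SIGNATURE),
]


def run(action, forward_min_severity="Minor"):
    """Run the sample stream; return (verdicts, local log count, forwarded count)."""
    ips = Ips(action, forward_min_severity)
    verdicts = [ips.process(p) for p in SAMPLE_PACKETS]
    return verdicts, len(ips.local_log), len(ips.forwarded)


if __name__ == "__main__":
    for act in Action:
        print(act.value, run(act))
```

Running it shows the operational difference: with terminate-session the benign third packet of session A is dropped because its session is gone, with block-packet only the over-long request itself is dropped, and with allow-packet nothing is dropped. In all three modes both detections appear in the local log, but with a "Minor and higher" forwarding threshold only the Major one is forwarded.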
IDS/IPS Configuration

The TMS zl Module allows you to create your own settings for mitigating various types of threats. You control the following parameters:
■ Which threats are detected:
• Choose which signatures to enable for signature-based detection
• Configure protocol anomaly settings, in which you specify the allowed values for the parameters analyzed for various protocols. For example, you can specify the maximum allowed length of a URL request.