TMS zl Management and Configuration Guide ST.1.1.100430
3-7
Initial Setup in Monitor Mode
Deploying the TMS zl Module
The sections below present several typical deployments of a TMS zl Module
operating in monitor mode.
At the Perimeter
The TMS zl Module in monitor mode can be deployed at the perimeter to
monitor traffic routed to and from an external network, such as the Internet
or a remote office. The key reason to deploy the TMS zl Module in monitor
mode at the perimeter is to detect attacks from the Internet.
To detect threats at the perimeter, install the TMS zl Module in a host switch
with a direct connection to the WAN router.
Inside the LAN
The TMS zl Module in monitor mode can be deployed inside the LAN to
monitor traffic on various network segments or departments, such as the
wireless LAN, a data center, or department users. The key reason to deploy
the TMS zl Module in monitor mode inside the LAN is to detect attacks from
malicious internal users.
To detect internal threats, install the TMS zl Module in a host switch that
receives a large proportion of the traffic that you want to analyze. For example,
the host switch might be a core routing switch that connects LAN access
switches to server access switches in a data center. By mirroring switch-to-
switch links on the host switch, you can forward a good sample of mission-
critical traffic to the TMS zl Module. When your network features ProVision
ASIC switches, you can use remote mirroring to expand the scope for the
traffic that the TMS zl Module can analyze.
Installing several TMS zl Modules in host switches in different LAN segments
will also increase the amount of traffic that is analyzed.
Both on the Perimeter and Inside the LAN
A TMS zl Module can be deployed to provide security both on the perimeter
and within the LAN. Implementing both methods allows you to check both
internal and external traffic.
For this use case, the TMS zl Module should be installed in a core routing
switch, which also connects directly to the WAN router.