TMS zl Management and Configuration Guide ST.1.2.100916

Overview
Deployment Models for Monitor Mode—Threat Detection
In monitor mode, the TMS zl Module can detect known DoS attacks, exploits,
worms, viruses, and other threats that are launched by external or internal
users (users who have been allowed access to the network). It logs the attack
internally and can forward the log to a syslog server, to an SNMP server, to an
SNMP trap server, or as an email. However, the module in monitor mode does
not take action to mitigate the threat.
Deployment Location
The TMS zl Module can detect threats that originate inside or outside your
private network. You simply need to mirror the proper network traffic to the
TMS zl Module’s internal data port (port 1).
For example, to use the module to detect internal threats, you could install
the module in a core 5400zl or 8200zl switch and mirror the Interswitch Links
(ISLs) to the module’s data port. To have the module detect external threats,
you could connect a 5400zl or 8200zl switch to your external router. You would
then mirror the traffic from the port that connects to the router to the module’s
internal data port.
The 5400zl and 8200zl Switch Series support remote mirroring. If you have other
switches that support this feature, you can mirror traffic from those switches
to the module’s data port.
Deployment Tasks for Internal Threat Detection
You must complete these tasks to deploy the TMS zl Module to detect (but not
mitigate) internal threats:
1. Install the TMS zl Module in a 5400zl or 8200zl switch in a core location.
2. Create a mirror session for which the TMS zl Module’s data port (port 1)
is the destination exit port. For the session source, specify ports, trunks,
or VLANs on the module’s switch. If you are using remote mirroring,
configure a mirror session on each remote switch. The TMS zl Module’s
host switch should be the destination.
For instructions, see the Management and Configuration Guide for the
Series 3500yl, 6200yl, and 5400zl Switches and the 8212zl Switch.
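The following switch configuration sketches task 2 for both the local and the remote case. It is an added example, not taken from this guide. It assumes the module sits in slot C (so its data port is C1), that the ISLs are ports A1-A4, and that the session number, IP addresses, and UDP port are as shown; the command forms follow the zl switch CLI and should be checked against the switch guide cited above.

```text
; Constructed example. Assumed values: module in slot C (data port C1),
; ISLs on A1-A4, mirror session 1, host switch 10.0.0.1,
; remote switch 10.0.1.1, UDP port 9300, remote uplinks B1-B2.

; --- Host switch: local mirroring to the TMS zl Module ---
; Make the module's data port the exit port of session 1
mirror 1 port C1
; Mirror inbound and outbound traffic on the ISLs into session 1
interface A1-A4 monitor all both mirror 1

; --- Remote mirroring: configure the destination (host switch) first ---
; Accept the stream from 10.0.1.1 and send it out the module's data port
mirror endpoint ip 10.0.1.1 9300 10.0.0.1 port C1

; --- Remote switch: send its session 1 to the host switch ---
mirror 1 remote ip 10.0.1.1 9300 10.0.0.1
interface B1-B2 monitor all both mirror 1

; --- Either switch: confirm the session, its sources and destination ---
show monitor 1
```

Because the module in monitor mode only sees what is mirrored to port C1, any link left out of the session sources is a blind spot for detection.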