TMS zl Module Planning and Implementation Guide 2009-08

detected by default and cannot be disabled by the administrator. Other attack
checks, such as SYN flooding and WinNuke, can be enabled or disabled by the
administrator.
6.2 Network Intrusion Detection / Prevention System
A network intrusion detection system (IDS) is an independent platform that detects and
logs malicious activity (intrusions) such as viruses, worms, trojans, denial-of-service
attacks and attempts to break into computers. It scans network traffic for suspicious
patterns, or signatures, observing that traffic through a hub, a switch, a network tap or,
in the case of the TMS zl Module, by mirroring traffic to the module.
A network intrusion prevention system (IPS) is an in-line IDS with the added ability to
react in real time: it blocks malicious or unwanted behavior by dropping the offending
packets while allowing all other traffic to pass.
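The operational difference between the two modes is easiest to see in code. The following is an added illustration, not code from the TMS zl Module or from this guide: a small signature scanner that runs the same constructed sample traffic once as an IDS (every packet is forwarded, matches are only logged) and once as an IPS (matches are logged and the matching packet is dropped). The signature format, the packet fields and the sample traffic are all hypothetical and constructed for the example.

```python
import re
from dataclasses import dataclass


# Hypothetical signature format (not the TMS zl Module's own): a name, the
# transport protocol and destination port the rule is scoped to, and a regex
# that is searched for in the packet payload.
@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    dport: int
    pattern: bytes


# Hypothetical packet representation: just the fields the scanner needs.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


SIGNATURES = [
    # Directory traversal in an HTTP request line.
    Signature("http-dir-traversal", "tcp", 80, rb"\.\./\.\./"),
    # SQL injection probe; accepts a literal space or the %20 encoding between
    # the keywords, since a signature that only matched the literal space would
    # be trivially evaded by URL encoding.
    Signature("http-sql-union-select", "tcp", 80, rb"(?i)union(\s|%20)+select"),
]

# Constructed sample traffic (not a real capture).
SAMPLE_TRAFFIC = [
    Packet("10.1.1.5", "192.0.2.10", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("10.1.1.6", "192.0.2.10", "tcp", 80,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.1.1.7", "192.0.2.10", "tcp", 80,
           b"GET /item?id=1%20UNION%20SELECT%201,2 HTTP/1.1\r\n\r\n"),
    # Same traversal string on port 443: the rule is scoped to port 80, and in
    # practice this payload would be TLS ciphertext the sensor cannot read.
    Packet("10.1.1.8", "192.0.2.10", "tcp", 443,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    Packet("10.1.1.9", "192.0.2.53", "udp", 53,
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"),
]


def inspect(packets, signatures, mode="ids"):
    """Scan packets against signatures.

    mode="ids": passive; every match is logged, every packet is forwarded.
    mode="ips": in-line; every match is logged, matching packets are dropped
                and all other packets are forwarded.
    Returns (forwarded_packets, alert_lines).
    """
    if mode not in ("ids", "ips"):
        raise ValueError(f"unknown mode {mode!r}")
    compiled = [(sig, re.compile(sig.pattern, re.DOTALL)) for sig in signatures]
    action = "drop" if mode == "ips" else "alert"
    forwarded, alerts = [], []
    for pkt in packets:
        hits = [sig.name for sig, rx in compiled
                if sig.proto == pkt.proto and sig.dport == pkt.dport
                and rx.search(pkt.payload)]
        for name in hits:
            alerts.append(f"{name} {pkt.src}->{pkt.dst}:{pkt.dport}/{pkt.proto} action={action}")
        if hits and mode == "ips":
            continue  # in-line: the offending packet never leaves the sensor
        forwarded.append(pkt)
    return forwarded, alerts


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        fwd, alerts = inspect(SAMPLE_TRAFFIC, SIGNATURES, mode=mode)
        print(f"{mode}: forwarded {len(fwd)} of {len(SAMPLE_TRAFFIC)} packets")
        for line in alerts:
            print("  " + line)
```

Both runs raise the same two alerts; only the IPS run changes what reaches the destination. Note the port-scoped rule: the traversal string on port 443 is not reported in either mode, which is the usual reason an in-line sensor is placed where it sees cleartext, such as behind a TLS-terminating VPN gateway or load balancer.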
The HP ProCurve TMS zl Module can act as either an IDS or an IPS. In either mode, the
common use cases are to detect or prevent intrusions at:
The network perimeter
The interface between the overall company network and higher-value internal
information resources, for example databases containing financial or human
resources information
The interface between internal compartments, for example geographic regions or
different departments within a campus
6.3 VPN Gateway
A virtual private network (VPN) is a network whose parts are connected by
communications tunnels carried over another network, such as the Internet or a company
network. The tunnels may or may not be encrypted; representative technologies include
Internet Protocol Security (IPsec), Generic Routing Encapsulation (GRE), and Layer 2
Tunneling Protocol (L2TP).
A VPN Gateway is an endpoint used to establish, manage and control VPN tunnel
connections. Unlike the stateful firewall and intrusion detection / prevention controls, the
VPN Gateway’s controls are oriented toward access control, or keeping unauthorized
users off the network in the first place. The other controls are oriented toward threat
management, which is about detecting and mitigating unauthorized activity by a user that
already has access to the network.
The HP ProCurve TMS zl Module can also act as a VPN Gateway. Common use cases
are performing as a VPN endpoint at the perimeter, the entry to the data center, at the
edges of internal compartments, and terminating end-user and site-to-site VPN remote
access connections.
6.4 Synergy of Unified Threat Management
There are many synergistic benefits to having all three of these security controls provided
by a single, integrated platform:
A unified management interface, or “single pane of glass”
Fewer devices in the rack