TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D - Updating Switch Software
- Appendix E – Emergency Recovery Process
As with inbound traffic, outbound traffic is first processed by the firewall. If permitted by the security
policy rules, it is then passed to the Intrusion Prevention System for deeper inspection
before being optionally encrypted by the VPN Gateway.
6.5 Named Objects
Another feature of the TMS zl Module that is used across all of its integrated security
platforms is “Named Objects.” The TMS zl Module supports named objects for greater
ease of configuration. A named object is a logical “container” that can be used in
firewall access policies, NAT policies, port triggers, and IPsec policy traffic selectors to
represent one or more addresses, one or more services, or a schedule. The advantage of
using named objects is that you create the object once; if the parameters of the object
later change, you edit the object in one place, and the change takes effect in every policy
that references the object.
You can create the following types of named objects:
• Address objects (maximum 500), which are configured as follows:
  o Single-entry address objects:
    - IP—a single IP address
    - Range—a single range of IP addresses
    - Network—a single network IP address and subnet mask
  o Multiple-entry address objects:
    - IP—a list of up to 100 non-contiguous IP addresses
    - Range—a list of up to 100 ranges of IP addresses
    - Network—a list of up to 100 network IP addresses and subnet masks
    - Domain name—one DNS name or a list of up to 10 names, which the TMS zl Module dynamically resolves provided that a DNS server is specified.
• Address groups (maximum 1000), which contain multiple address objects
• Service objects (maximum 500):
  o Protocol and single port—one Layer 4 protocol and a single port, such as TCP 80
  o Protocol and port range object—one Layer 4 protocol and a range of ports, such as UDP 50000–50010
  o IANA-assigned Internet protocol—one predefined Layer 3 protocol
• Service groups (maximum 5000), which contain multiple service objects
• Schedule objects (maximum 25), which specify the following:
  o Days of the week—one or more days during the week, which begin and end at midnight