TMS zl Module Planning and Implementation Guide 2009-08

11.0 Using multiple HP ProCurve Threat Management Services zl Modules
In many cases a single TMS zl Module can meet most or all of the security control objectives for a
given network environment, with the caveat that it then becomes a potential single point of failure.
There are cases, however, where the nature of the feature being used, the physical distribution
required, or the impracticality of extending VLANs across the WAN requires the use of multiple
modules.
The following scenarios are presented as situations that would require the installation of more than
one TMS zl Module. Specific solution designs, implementation requirements and configurations are
not presented in this document, with the exception of the standard step-by-step configuration for
High Availability. More details on implementing these scenarios can be found in the HP ProCurve
Threat Management Services zl Module Management and Configuration Guide.
11.1 Perimeter IDS and IPS
It is not possible to have both IDS and IPS configured and running on a single TMS zl
Module. IPS requires the module to operate in routing mode, while IDS is typically
configured on a module in monitor mode, and a module operates in only one mode at a
time.
In addition, as previously mentioned in Section 7.1.2.1, IDS/IPS, it is a common practice
to implement IDS outside the perimeter firewall. This allows the IDS functionality to
obtain an “attack baseline” of the threat level outside the network perimeter and then
compare it with the number of attack attempts detected by an IPS placed inside the
perimeter firewall. This provides details on the measure of effectiveness of the perimeter
firewall’s policies in mitigating the number of attacks to which the enterprise network is
exposed.
An implementation of this design requires two TMS zl Modules. One TMS zl Module is
configured in monitor mode, running the IDS function, and connected outside the
perimeter firewall. The second TMS zl Module is configured in routing mode, running the
IPS function, and connected inside the perimeter firewall.
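The outside-IDS / inside-IPS comparison described above is only useful once the two sensors' alert counts are actually set against each other per signature. The following is an added example, not code from the HP guide or the TMS zl Module: it parses two constructed, generic syslog-style alert feeds (the line format, sensor names and signature IDs are assumptions, not the module's own log format), counts attempts per signature on each side, and reports how many externally observed attempts never reached the inside sensor. It also separates out signatures the IPS saw that the outside IDS never did, which indicate traffic the outside sensor could not observe rather than firewall leakage.

```python
"""Compare attack attempts seen by an IDS outside the perimeter firewall
with those seen by an IPS inside it, to estimate how much of the observed
attack volume the firewall policy stops.

Added example (not part of the TMS zl guide). The alert line format, the
sensor names and the signature IDs below are constructed placeholders and
are NOT the TMS zl Module's own log format or rule set.
"""
from collections import Counter
import re

# Generic "timestamp sensor sig=<id> src=<ip> dst=<ip>" line (assumed format).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+sig=(?P<sig>\d+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s*$"
)

# Constructed sample alerts from the sensor placed outside the firewall.
OUTSIDE_IDS_LOG = """\
2009-08-10T10:00:01 ids-outside sig=1001 src=198.51.100.7 dst=203.0.113.10
2009-08-10T10:00:05 ids-outside sig=1001 src=198.51.100.7 dst=203.0.113.10
2009-08-10T10:00:09 ids-outside sig=1001 src=198.51.100.22 dst=203.0.113.10
2009-08-10T10:00:12 ids-outside sig=1001 src=198.51.100.22 dst=203.0.113.11
2009-08-10T10:01:00 ids-outside sig=1002 src=198.51.100.9 dst=203.0.113.10
2009-08-10T10:01:03 ids-outside sig=1002 src=198.51.100.9 dst=203.0.113.12
2009-08-10T10:01:07 ids-outside sig=1002 src=198.51.100.40 dst=203.0.113.12
2009-08-10T10:02:00 ids-outside sig=1003 src=198.51.100.3 dst=203.0.113.10
2009-08-10T10:02:30 ids-outside sig=1003 src=198.51.100.3 dst=203.0.113.10
malformed line that the parser must skip
"""

# Constructed sample alerts from the sensor placed inside the firewall.
INSIDE_IPS_LOG = """\
2009-08-10T10:00:09 ips-inside sig=1001 src=198.51.100.22 dst=203.0.113.10
2009-08-10T10:02:00 ips-inside sig=1003 src=198.51.100.3 dst=203.0.113.10
2009-08-10T10:02:30 ips-inside sig=1003 src=198.51.100.3 dst=203.0.113.10
2009-08-10T10:03:00 ips-inside sig=1009 src=10.0.5.17 dst=10.0.1.4
"""


def parse_alerts(text):
    """Return a Counter of alerts per signature ID; unparseable lines are skipped."""
    counts = Counter()
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            counts[m.group("sig")] += 1
    return counts


def compare_sensors(outside, inside):
    """Per-signature comparison of outside (IDS) and inside (IPS) counts.

    blocked = attempts seen outside that never reached the inside sensor
    ratio   = fraction of outside attempts the firewall stopped, or None
              when the signature was never seen outside at all
    """
    report = {}
    for sig in sorted(set(outside) | set(inside)):
        out_n, in_n = outside.get(sig, 0), inside.get(sig, 0)
        blocked = max(out_n - in_n, 0)
        ratio = blocked / out_n if out_n else None
        report[sig] = {"outside": out_n, "inside": in_n,
                       "blocked": blocked, "ratio": ratio}
    return report


def firewall_effectiveness(outside, inside):
    """Overall share of externally observed attempts the firewall stopped.

    Only signatures seen outside count toward the denominator; an inside
    count larger than the outside count for a signature is capped, since
    the surplus cannot have come through the firewall from outside.
    """
    total_out = sum(outside.values())
    if total_out == 0:
        return None
    passed = sum(min(inside.get(sig, 0), n) for sig, n in outside.items())
    return (total_out - passed) / total_out


def inside_only_signatures(outside, inside):
    """Signatures the inside IPS saw but the outside IDS did not.

    These are not firewall leakage: they point to traffic the outside
    sensor could not see (internal origin, a path that bypasses it, or a
    signature tuning gap) and should be investigated separately.
    """
    return sorted(sig for sig in inside if sig not in outside)


if __name__ == "__main__":
    out, ins = parse_alerts(OUTSIDE_IDS_LOG), parse_alerts(INSIDE_IPS_LOG)
    for sig, row in compare_sensors(out, ins).items():
        print(sig, row)
    print("overall effectiveness:", firewall_effectiveness(out, ins))
    print("inside-only signatures:", inside_only_signatures(out, ins))
```

The comparison is by signature count only, which is the "attack baseline" view the text describes; correlating individual flows would require matching the full source/destination tuple and timestamps across both sensors and is not attempted here. A per-signature ratio of 0.0 (every outside attempt also seen inside) is the finding worth acting on, because it usually means the firewall policy allows that service through and the IPS is the only control in the path.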
11.2 Multinational Compartmentalization
As previously shown in Figure 12: Multinational Compartmentalization Security Control
Point(s) in Section 7.3, Compartmentalization, a multinational corporation may choose to
implement security control points at transoceanic link boundaries. This design serves
both to contain any malware outbreak to a geographical region and to prevent such a
regional outbreak from consuming highly expensive transoceanic bandwidth.
The TMS zl Module is a blade in a switch and can implement its security control features
between one or more VLANs that are members of different security zones. It would
defeat the purpose of the design to attempt to implement this solution using only a single
TMS zl Module. It is technically feasible to extend VLANs across the transoceanic
WAN. This would allow for multiple, disparate continental region boundary VLANs to