TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D – Updating Switch Software
- Appendix E – Emergency Recovery Process
7.1.1 Firewall
Typical controls implemented by firewalls at the perimeter include, but are
not limited to:
• Performing one-to-one NAT from registered, publicly routable IP
addresses in the External zone to private, non-publicly-routable IP
addresses for the Web Server, FTP Server and Proxy E-Mail Server in the
DMZ zone.
• Permitting Simple Mail Transfer Protocol (SMTP) traffic from the
External zone to the Proxy E-Mail Server in the DMZ zone.
• Permitting File Transfer Protocol (FTP) traffic from the External zone to
the FTP Server in the DMZ zone.
• Permitting Hypertext Transfer Protocol (HTTP) and HTTP Secure
(HTTPS) traffic from the External zone to the Web Server in the DMZ
zone.
• Denying all other traffic from the External zone to either the DMZ or
the Internal zone.
• Permitting SMTP traffic from the Proxy E-Mail Server in the DMZ zone
to the internal E-Mail Server in the Internal zone.
• Permitting Structured Query Language (SQL) traffic from the Web Server
in the DMZ zone to the Database Server in the Internal zone, and only
between those two hosts, so that no other DMZ host has a path to the
database.
• Denying all other traffic from the DMZ zone to either the Internal or
the External zone.
• Performing many-to-one or many-to-many NAT from private,
non-publicly-routable IP addresses in the Internal zone to registered,
publicly routable IP addresses in the External zone.
• Using port maps to associate HTTP traffic on non-standard ports (e.g.
TCP/8000) with the HTTP service, so that the IPS inspects it as HTTP
traffic.
• Permitting HTTP and HTTPS traffic from the Internal zone to the DMZ
and External zones.
• Permitting Simple Network Management Protocol (SNMP) traffic from
the Management Server in the Internal zone to the DMZ zone.
• Denying all other traffic from the Internal zone to the DMZ and External
zones.
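The list above reads as a zone-pair policy: destination NAT first, then a first-match search of permit rules written against private DMZ addresses, with an implicit deny between every zone pair, and port maps feeding the service classification that the rules and the IPS both use. The following Python model makes that evaluation order explicit so a rule set can be checked against sample flows before it is keyed into the module. It is an added example, not the guide's text or the TMS zl module's own configuration syntax; all addresses (RFC 5737 documentation ranges for the public side, private ranges for DMZ and Internal), the SQL port TCP/1433 and the single NAT address are assumptions.

```python
"""Zone-based perimeter policy model for the External/DMZ/Internal layout.

Added example, not the TMS zl module's configuration language. Addressing,
the SQL port (TCP/1433) and the outbound NAT address are assumed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing. Anything outside these two networks is External.
ZONE_NETS = {"dmz": ip_network("192.168.100.0/24"),
             "internal": ip_network("10.0.0.0/8")}
WEB, FTP, MAIL_PROXY = map(ip_address, ("192.168.100.10", "192.168.100.11",
                                        "192.168.100.12"))
MAIL_INT, DB, MGMT = map(ip_address, ("10.0.1.25", "10.0.1.50", "10.0.2.5"))

# One-to-one NAT: public address (TEST-NET-3) -> private DMZ address.
STATIC_NAT = {ip_address("203.0.113.10"): WEB,
              ip_address("203.0.113.11"): FTP,
              ip_address("203.0.113.12"): MAIL_PROXY}
# Many-to-one NAT for permitted Internal -> External flows (assumed address).
PAT_ADDRESS = ip_address("203.0.113.1")

# Service classification by protocol/port. A port-map entry (TCP/8000 -> http)
# makes the flow match http rules and be inspected by the IPS as HTTP.
SERVICES = {("tcp", 25): "smtp", ("tcp", 21): "ftp", ("tcp", 80): "http",
            ("tcp", 443): "https", ("tcp", 1433): "sql", ("udp", 161): "snmp"}
PORT_MAP = {("tcp", 8000): "http"}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    services: frozenset
    src_host: Optional[object] = None  # None = any host in src_zone
    dst_host: Optional[object] = None  # None = any host in dst_zone


# Permit rules only, in the order of section 7.1.1; anything that matches no
# rule is denied (the "deny all other traffic" bullets for each zone pair).
RULES = [
    Rule("external", "dmz", frozenset({"smtp"}), dst_host=MAIL_PROXY),
    Rule("external", "dmz", frozenset({"ftp"}), dst_host=FTP),
    Rule("external", "dmz", frozenset({"http", "https"}), dst_host=WEB),
    Rule("dmz", "internal", frozenset({"smtp"}), src_host=MAIL_PROXY,
         dst_host=MAIL_INT),
    Rule("dmz", "internal", frozenset({"sql"}), src_host=WEB, dst_host=DB),
    Rule("internal", "dmz", frozenset({"http", "https"})),
    Rule("internal", "external", frozenset({"http", "https"})),
    Rule("internal", "dmz", frozenset({"snmp"}), src_host=MGMT),
]


@dataclass(frozen=True)
class Decision:
    action: str           # "permit" or "deny"
    service: str          # classified service, after port mapping
    src_zone: str
    dst_zone: str
    src: object           # source address after NAT
    dst: object           # destination address after NAT
    rule: Optional[int]   # index into RULES, None on implicit deny


def zone_of(addr):
    for name, net in ZONE_NETS.items():
        if addr in net:
            return name
    return "external"


def classify(proto, dport):
    key = (proto, dport)
    return PORT_MAP.get(key) or SERVICES.get(key, f"{proto}/{dport}")


def evaluate(src, dst, proto, dport):
    """Return the firewall decision for one flow (inter-zone traffic only)."""
    src, dst = ip_address(src), ip_address(dst)
    # Destination NAT is applied before the policy lookup, so rules are
    # written against the private DMZ addresses, not the public ones.
    dst = STATIC_NAT.get(dst, dst)
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        raise ValueError("intra-zone traffic is not modelled here")
    service = classify(proto.lower(), dport)
    for i, rule in enumerate(RULES):
        if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
            continue
        if service not in rule.services:
            continue
        if rule.src_host is not None and rule.src_host != src:
            continue
        if rule.dst_host is not None and rule.dst_host != dst:
            continue
        if (src_zone, dst_zone) == ("internal", "external"):
            src = PAT_ADDRESS  # many-to-one source NAT on permitted flows
        return Decision("permit", service, src_zone, dst_zone, src, dst, i)
    return Decision("deny", service, src_zone, dst_zone, src, dst, None)


if __name__ == "__main__":
    for flow in [("198.51.100.7", "203.0.113.10", "tcp", 8000),
                 ("192.168.100.11", "10.0.1.50", "tcp", 1433),
                 ("192.168.100.12", "198.51.100.9", "tcp", 25)]:
        print(flow, evaluate(*flow))
```

Running the three sample flows shows the behaviour worth checking by hand: the port-mapped TCP/8000 connection to the public web address is classified as http and permitted after NAT to the private Web Server address; the FTP Server's attempt to reach the Database Server is denied because the SQL rule is pinned to the Web Server as source; and the Proxy E-Mail Server's outbound SMTP to the External zone is denied, because the list in 7.1.1 permits no DMZ-to-External traffic at all, which a deployment that relays outbound mail through the proxy would have to add deliberately.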