TMS zl Module Planning and Implementation Guide 2009-08

Action | Traffic | From zone | To zone
------ | ------- | --------- | -------
Permit | Simple Network Management Protocol (SNMP, UDP/161) | Management | Apps, SQL, AD, SMB, External
Permit | Server Message Block (SMB, UDP/135-139, 445 and TCP/135-139, 445) | Management | SMB
Permit | Active Directory (AD, UDP/42, 53, 88, 135, 137, 138, 389, 445, 1512 and TCP/42, 53, 88, 135, 137, 139, 389, 445, 636, 1512, 3268, 3269, AD-fixed-port, FRS-fixed-port); see note below | Management | AD
Permit | Structured Query Language (SQL, TCP/1433 [SQL Server], 1521 [Oracle], 1533 [Informix], 2638 [Sybase], 3306 [MySQL], 5432 [PostgreSQL]) | Management | SQL
Deny | All other traffic from the Management zone into the External, Apps, SQL, AD or SMB zones | Management | AD, Apps, External, SMB, SQL
Permit | Simple Network Management Protocol (SNMP) Traps (UDP/162) | SMB | Management
Permit | Server Message Block (SMB, UDP/135-139, 445 and TCP/135-139, 445) | SMB | AD, Apps, SQL
Permit | Active Directory (AD, same UDP and TCP ports as listed in the Management-to-AD row, including AD-fixed-port and FRS-fixed-port); see note below | SMB | AD
Deny | All other traffic | SMB | AD, Apps, External, Management, SQL
Permit | Simple Network Management Protocol (SNMP) Traps (UDP/162) | AD | Management
Permit | Server Message Block (SMB, UDP/135-139, 445 and TCP/135-139, 445) | AD | SMB
Permit | Active Directory (AD, same UDP and TCP ports as listed in the Management-to-AD row, including AD-fixed-port and FRS-fixed-port); see note below | AD | Apps, External, Management, SMB, SQL

Note: AD-fixed-port (the Directory Services RPC port) and FRS-fixed-port require registry changes on every Global Catalog, Domain Controller and Member Server to pin the Directory Services and File Replication Service RPC endpoints to single, fixed ports. The default behaviour is fully dynamic Remote Procedure Call (RPC) endpoint allocation, which would require opening TCP/1024-65535 between the zones instead of the two fixed ports. Without those registry changes, the AD rows above will silently drop the replication and directory RPC traffic that lands on a dynamically assigned port.
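The following is an added example, not configuration from the guide or the TMS zl module's own rule syntax. It encodes the Management, SMB and AD rows of the table above as an ordered, first-match zone policy and evaluates sample flows against it. The values 38901 and 38902 for AD-fixed-port and FRS-fixed-port, the zone and service names, and the probe port 49155 are assumptions chosen for the example; the guide leaves the fixed ports to be set by the administrator.

```python
"""Zone policy evaluator for the Management, SMB and AD rules in the table above.

Added example; not the TMS zl module's own configuration syntax. The fixed
AD/FRS RPC ports are assumptions (the guide leaves them as placeholders that
the administrator pins via the registry on every domain controller, global
catalog and member server).
"""

AD_FIXED_PORT = 38901   # assumption: value pinned for Directory Services RPC
FRS_FIXED_PORT = 38902  # assumption: value pinned for File Replication Service RPC

ZONES = frozenset({"External", "Apps", "SQL", "AD", "SMB", "Management"})


def ports(*items):
    """Build a frozenset of ports from ints and inclusive (lo, hi) ranges."""
    out = set()
    for item in items:
        if isinstance(item, tuple):
            out.update(range(item[0], item[1] + 1))
        else:
            out.add(item)
    return frozenset(out)


# Port sets transcribed from the table; a service may be UDP-only, TCP-only or both.
SERVICES = {
    "SNMP":      {"udp": ports(161)},
    "SNMP-TRAP": {"udp": ports(162)},
    "SMB":       {"udp": ports((135, 139), 445), "tcp": ports((135, 139), 445)},
    "AD":        {"udp": ports(42, 53, 88, 135, 137, 138, 389, 445, 1512),
                  "tcp": ports(42, 53, 88, 135, 137, 139, 389, 445, 636, 1512,
                               3268, 3269, AD_FIXED_PORT, FRS_FIXED_PORT)},
    "SQL":       {"tcp": ports(1433, 1521, 1533, 2638, 3306, 5432)},
}

# (action, service or "ANY", source zone, destination zones), in table order.
# Order matters: evaluation is first match, and each zone's "deny all other"
# row sits after that zone's permits.
RULES = [
    ("permit", "SNMP",      "Management", ZONES - {"Management"}),
    ("permit", "SMB",       "Management", {"SMB"}),
    ("permit", "AD",        "Management", {"AD"}),
    ("permit", "SQL",       "Management", {"SQL"}),
    ("deny",   "ANY",       "Management", ZONES - {"Management"}),
    ("permit", "SNMP-TRAP", "SMB",        {"Management"}),
    ("permit", "SMB",       "SMB",        {"AD", "Apps", "SQL"}),
    ("permit", "AD",        "SMB",        {"AD"}),
    ("deny",   "ANY",       "SMB",        ZONES - {"SMB"}),
    ("permit", "SNMP-TRAP", "AD",         {"Management"}),
    ("permit", "SMB",       "AD",         {"SMB"}),
    ("permit", "AD",        "AD",         ZONES - {"AD"}),
]


def rule_matches(rule, src, dst, proto, port):
    """True when the flow's zones match the rule and its port is in the service set."""
    action, service, rule_src, rule_dsts = rule
    if rule_src != src or dst not in rule_dsts:
        return False
    if service == "ANY":
        return True
    return port in SERVICES[service].get(proto, frozenset())


def evaluate(src, dst, proto, port):
    """Return (action, index of the matching rule). Unmatched traffic is denied
    with index None, which is how a zone whose final deny row is not in this
    excerpt (the AD zone) behaves here."""
    for index, rule in enumerate(RULES):
        if rule_matches(rule, src, dst, proto, port):
            return rule[0], index
    return "deny", None


def rpc_pinning_effect(src="Management", dst="AD"):
    """Illustrate the note: the two pinned ports pass the AD rule, while a port
    from the dynamic RPC range is caught by the zone's final deny."""
    return {
        "fixed_ad":  evaluate(src, dst, "tcp", AD_FIXED_PORT)[0],
        "fixed_frs": evaluate(src, dst, "tcp", FRS_FIXED_PORT)[0],
        "dynamic":   evaluate(src, dst, "tcp", 49155)[0],  # assumed ephemeral RPC port
    }


if __name__ == "__main__":
    for probe in [("Management", "External", "udp", 161),
                  ("Management", "SQL", "tcp", 3306),
                  ("SMB", "Management", "udp", 161),
                  ("AD", "Apps", "tcp", 389)]:
        print(probe, "->", evaluate(*probe))
    print("RPC pinning:", rpc_pinning_effect())
```

Running the module prints the decision and matching row for each probe, and `rpc_pinning_effect()` shows that an unpinned domain controller's RPC traffic on an ephemeral port is denied by the Management zone's final deny row while the two pinned ports are permitted. The probe port 49155 is chosen because it falls inside both the TCP/1024-65535 range the guide cites and the narrower 49152-65535 dynamic range that Windows Server 2008 and later use by default, so the conclusion holds for either generation of domain controller.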