TMS zl Module Planning and Implementation Guide 2009-08

Scenario 2 - Typical firewall controls for a data center as a single, monolithic enclave, as in Figure 7, above:

| Action | Description | From Zone (Source) | To Zone (Destination) |
|---|---|---|---|
| Permit | Simple Network Management Protocol (SNMP) Traps (UDP/162) | External | Internal |
| Permit | Server Message Block (SMB, UDP/135-139, 445 and TCP/135-139, 445) | External | Internal |
| Permit | Active Directory (AD, UDP/42, 53, 88, 135, 137, 138, 389, 445, 1512 and TCP/42, 53, 88, 135, 137, 139, 389, 445, 636, 1512, 3268, 3269, AD-fixed-port, FRS-fixed-port) | External | Internal |
| Permit | Structured Query Language (SQL, TCP/1433 [SQL Server], 1521 [Oracle], 1533 [Informix], 2638 [Sybase], 3306 [mySQL], 5432 [PostgreSQL]) | External | Internal |
| Permit | Unity (UDP/137, 138, 5000-5020, 22800-32767 and TCP/80, 135, 139, 443, 445, 3389, 5000-5020, 5060, 5900) and Citrix (TCP/80, 443, 1494, 1604) | External | Internal |
| Deny | All other traffic | External | Internal |
| Permit | Simple Network Management Protocol (SNMP, UDP/161) | Internal | External |
| Permit | Server Message Block (SMB, UDP/135-139, 445 and TCP/135-139, 445) | Internal | External |
| Permit | Active Directory (AD, UDP/42, 53, 88, 135, 137, 138, 389, 445, 1512 and TCP/42, 53, 88, 135, 137, 139, 389, 445, 636, 1512, 3268, 3269, AD-fixed-port, FRS-fixed-port) | Internal | External |
| Permit | H.323 (UDP/1719, TCP/1720) / SIP (TCP/UDP/5060) / RTP/RTCP (dynamically assigned, but automatically discerned via H.323 / SIP Application Layer Gateways) | Internal | External |
| Deny | All other traffic | Internal | External |

Note (applies to both Active Directory rows): DS-fixed-port and FRS-fixed-port require registry changes on all Global Catalog, Domain Controller and Member Servers to fix the Directory Services and File Replication Service ports to single ports vs. the default behavior of fully dynamic Remote Procedure Call (RPC) that would require TCP/1024-65535 to be opened.
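As an added example (not code from the guide), the following Python encodes a subset of the Scenario 2 rows as data, parses the port notation used in the table, and evaluates a flow against the rules top to bottom so that the explicit "Deny all other traffic" rows are what a non-matching flow hits. The zone names and the rows are taken from the table above; the `wide_ranges` check and its 1000-port threshold are my own addition, meant to flag the TCP/1024-65535 opening that the Note says dynamic RPC would require.

```python
import re
from dataclasses import dataclass

def parse_ports(spec):
    """Parse the table's notation, e.g. 'UDP/135-139, 445 and TCP/135-139, 445'
    or 'TCP/UDP/5060', into a frozenset of (proto, low, high) tuples.
    Bracketed product names ('[Oracle]') are dropped; symbolic placeholders
    such as 'AD-fixed-port' are non-numeric and skipped (site-specific values)."""
    spec = re.sub(r"\[[^\]]*\]", "", spec)
    out = set()
    for protos, body in re.findall(r"((?:TCP|UDP)(?:/(?:TCP|UDP))?)/([\d ,\-]+)", spec):
        for item in filter(None, (s.strip() for s in body.split(","))):
            lo, _, hi = item.partition("-")
            for proto in protos.split("/"):
                out.add((proto, int(lo), int(hi or lo)))
    return frozenset(out)

@dataclass(frozen=True)
class Rule:
    action: str      # "Permit" or "Deny"
    service: str
    ports: frozenset # empty frozenset means any protocol/port
    src: str
    dst: str

EXT, INT = "External", "Internal"
# Subset of the Scenario 2 rows above (assumed subset chosen for brevity).
SCENARIO_2 = [
    Rule("Permit", "SNMP traps", parse_ports("UDP/162"), EXT, INT),
    Rule("Permit", "SMB", parse_ports("UDP/135-139, 445 and TCP/135-139, 445"), EXT, INT),
    Rule("Permit", "SQL", parse_ports("TCP/1433 [SQL Server], 1521 [Oracle], 3306 [mySQL], 5432 [PostgreSQL]"), EXT, INT),
    Rule("Deny", "all other traffic", frozenset(), EXT, INT),
    Rule("Permit", "SNMP", parse_ports("UDP/161"), INT, EXT),
    Rule("Permit", "H.323/SIP", parse_ports("UDP/1719, TCP/1720 / SIP (TCP/UDP/5060)"), INT, EXT),
    Rule("Deny", "all other traffic", frozenset(), INT, EXT),
]

def evaluate(rules, src, dst, proto, port):
    """First match wins, in the table's top-to-bottom order."""
    for r in rules:
        if (r.src, r.dst) != (src, dst):
            continue
        if r.ports and not any(p == proto and lo <= port <= hi for p, lo, hi in r.ports):
            continue
        return r.action, r.service
    return "Deny", "implicit default"   # reached only if no catch-all row exists

def wide_ranges(rules, threshold=1000):
    """Names of rules opening more than `threshold` ports of one protocol,
    e.g. a TCP/1024-65535 row written for AD without fixed RPC ports."""
    return [r.service for r in rules
            if any(hi - lo + 1 > threshold for _, lo, hi in r.ports)]
```

RTP/RTCP is deliberately absent from the rule data: its ports are learned by the H.323/SIP Application Layer Gateways at run time, so a static port list cannot express that row.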