TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- /Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D - Updating Switch Software
- Appendix E – Emergency Recovery Process
Page 28
In this example, the application servers in the data center, which process PCI
data, are only accessible from outside of their enclave (e.g. from the system
administrator at the headquarters campus) via a VPN connection into the PCI
security enclave within the data center, strictly limiting the scope of PCI
compliance.
Typical controls implemented by VPN Gateways are:
• Authentication via Xauth against an internal, local list, RADIUS
• Source authentication and data integrity through Authentication Header
(IPsec AH)
• Source authentication, data integrity and confidentiality using
Encapsulating Security Payload (IPsec ESP)
• Anti-replay with configurable window size of acceptable sequence
number difference
7.3 Network Compartmentalization (Multiple security enclaves)
Perimeter security and added security for the Data Center have previously been shown
and discussed in some detail. A third common placement scenario for the TMS zl
Module is to separate, or compartmentalize, portions of the internal, trusted network and
create multiple security enclaves. There are many business reasons to compartmentalize
the network, including IT governance, regulatory compliance, malware outbreak
containment, and isolation of higher risk activities from mission-critical and/or sensitive-
data activities. Each of these business cases comes down to a permutation of information
security risk mitigation.
The following diagrams will show a number of possible compartmentalization designs,
but, due to the number of possibilities, detailed examination of the firewall policies,
IDS/IPS specific signatures, protocol-specific anomalies and general IP anomalies will
not be provided with each of the example architectures.