TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D – Updating Switch Software
- Appendix E – Emergency Recovery Process
Table of Contents
1.0 Purpose ............................................................................................................................................ 5
2.0 Intended Audience .......................................................................................................................... 5
3.0 Objectives ....................................................................................................................................... 5
4.0 Prerequisites .................................................................................................................................... 5
5.0 Skills ............................................................................................................................................... 6
6.0 The HP ProCurve Threat Management Services zl Module ........................................................... 6
6.1 Stateful Packet Inspection (SPI) Firewall .................................................................................... 6
6.1.1 Zone-Based Firewall ............................................................................................................. 7
6.1.2 Network Address Translation (NAT) ................................................................................... 8
6.1.3 Port Maps .............................................................................................................................. 8
6.1.4 Application Layer Gateways (ALGs) and Port Triggers ...................................................... 8
6.1.5 Denial of Service (DoS) Attack Prevention .......................................................................... 9
6.2 Network Intrusion Detection / Prevention System ..................................................................... 10
6.3 VPN Gateway ............................................................................................................................. 10
6.4 Synergy of Unified Threat Management .................................................................................... 10
6.5 Named Objects ........................................................................................................................... 12
7.0 Common TMS Security Control Points ........................................................................................ 14
7.1 Perimeter .................................................................................................................................... 14
7.1.1 Firewall ............................................................................................................................... 16
7.1.2 IDS/IPS ............................................................................................................................... 17
7.1.3 VPN Gateway ..................................................................................................................... 19
7.2 Data Center Security Enclave .................................................................................................... 20
7.2.1 Firewall ............................................................................................................................... 22
7.2.2 IDS/IPS ............................................................................................................................... 26
7.2.3 VPN Gateway ..................................................................................................................... 27
7.3 Network Compartmentalization (Multiple security enclaves) ................................................... 28
7.3.1 Firewall ............................................................................................................................... 33
7.3.2 IDS/IPS ............................................................................................................................... 34
7.3.3 VPN Gateway ..................................................................................................................... 35
8.0 Deployment Considerations .......................................................................................................... 37
8.1 Overview .................................................................................................................................... 37
8.2 Identify any existing policies ..................................................................................................... 38
8.3 Identifying Information Assets To Be Protected........................................................................ 38
8.4 Correlating Network Listeners with Server Processes ............................................................... 40
8.5 Designing Security Controls ...................................................................................................... 41
9.0 Installation and Preparation of the TMS zl Module ...................................................................... 45
9.1 Installing the ProCurve Threat Management Services zl Module ............................................. 45
9.1.1 Updating Switch Software .................................................................................................. 45
9.1.2 Physical Installation ............................................................................................................ 47
9.2 Preparing the TMS zl Module for Configuration ....................................................................... 48
9.2.1 Ensure switch time is set properly ...................................................................................... 48
9.2.2 Service Operating System ................................................................................................... 48
9.2.3 Activating the TMS Application ......................................................................................... 49
9.2.4 Accessing the TMS Product................................................................................................ 49
9.2.5 Initial Log Settings .............................................................................................................. 50
9.2.6 Ensuring Management Access Under Heavy Load ............................................................ 60
10.0 Configuration of the TMS zl Module ........................................................................................... 61