TMS zl Module Planning and Implementation Guide 2009-08

8.4 Correlating Network Listeners with Server Processes
Now that we have a list of applications and the servers they run on, the next step is to identify the actual network communication details used by each application. Gather and consult any existing application or network documentation to help identify network details and the interactions between servers. The software manufacturers' web sites may also provide additional information for this process. Keep in mind that an application's default network ports may have been changed for this specific environment, so all information should be verified with the IT team. Any current switch ACLs should also be identified, and their details captured, as part of the information used in developing the security rules for this installation.
Performing this discovery requires tools that reveal the network details used by the various applications running on each server. For this discussion, we will be using TCPView, Process Explorer and research from Internet search engines to help complete the picture. For Unix servers, utilities such as ps and lsof can be used for the same purpose. TCPView and Process Explorer are Windows-based tools from Microsoft/Sysinternals and are available for download from Microsoft's web site. More information on these tools is available in Appendix C. We will not go into detailed instructions for these tools, so be sure to read the descriptions before using them. The descriptions are taken from the included help files and provide a good, brief explanation of the capabilities and intent of the programs and some basics on how to use them.
For this next step, we will be using the "Company Information Assets" information gathered earlier. This should include a completed list of servers, with all required fields of information from the example in Appendix B filled in for each server and each application running on each server. You may choose to use the "Company Information Assets" spreadsheet in Appendix B of this document as a template for assembling this information. The goal of this process is to identify ALL network traffic running on each server, including the protocol and port for each type of traffic.
Launch the TCPView application while logged in with an administrator-level account if possible. You will immediately see many processes running on the server. The information displayed on screen for each running process can be copied: right-click on a process, choose "Copy", and then paste it into your spreadsheet to capture the details. Repeat this for each process listed.
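The same correlation can be scripted so that the listener-to-process mapping is captured consistently on every server rather than copied by hand. The following is an added example, not from this guide or from Sysinternals: it parses constructed samples of Windows `netstat -ano` and `tasklist /FO CSV /NH` output (the function and field names are hypothetical), joins them on PID, keeps only listening sockets, and flags any listener that is not already in the documented set for that server.

```python
"""Correlate listening sockets with owning processes (added example, constructed data)."""
import csv
import io

# Constructed sample of `netstat -ano` output from a Windows server (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2044
  TCP    10.1.1.5:49152         10.1.1.7:1433          ESTABLISHED     3320
  UDP    0.0.0.0:1434           *:*                                    2044
"""

# Constructed sample of `tasklist /FO CSV /NH` output (not real data).
SAMPLE_TASKLIST = """\
"svchost.exe","812","Services","0","9,100 K"
"sqlservr.exe","2044","Services","0","412,000 K"
"app.exe","3320","Console","1","55,000 K"
"""


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /FO CSV /NH` output."""
    return {int(row[1]): row[0] for row in csv.reader(io.StringIO(text)) if row}


def correlate_listeners(netstat_text, tasklist_text, server):
    """Return one spreadsheet-style record per listening socket on `server`."""
    pid_to_name = parse_tasklist(tasklist_text)
    records = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        pid = int(fields[-1])  # UDP rows have no State column, so PID is last either way
        if proto == "TCP" and fields[3] != "LISTENING":
            continue  # outbound/established sockets are not part of the server's listener set
        bind, port = local.rsplit(":", 1)  # rsplit keeps IPv6 "[::]:135" intact
        records.append({"server": server, "process": pid_to_name.get(pid, f"PID {pid} (unknown)"),
                        "proto": proto, "port": int(port), "bind": bind})
    return records


def undocumented(records, documented):
    """Listeners whose (process, proto, port) triple is missing from the verified inventory."""
    return [r for r in records if (r["process"], r["proto"], r["port"]) not in documented]
```

Run `netstat -ano` and `tasklist /FO CSV /NH` on each server, feed their output to `correlate_listeners`, and review anything `undocumented` returns with the IT team before writing rules.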