TMS zl Module Planning and Implementation Guide 2009-08

5.0 Skills
The individual following this guide should possess the following skills:
- Basic understanding of Stateful Packet Inspection (SPI) firewalls, Intrusion Detection and Prevention Systems (IDSs/IPSs), and Virtual Private Networks (VPNs)
- Familiarity with clustering and other High Availability (HA) technologies like Virtual Router Redundancy Protocol (VRRP)
- Ability to translate security policy requirements into security controls
6.0 The HP ProCurve Threat Management Services zl Module
The HP ProCurve Threat Management Services zl Module is, in essence, a three-in-one security control module that currently supports three major features: a modern SPI firewall, a network IDS/IPS and a VPN gateway. Each of these major security control features is further defined in the following subsections, followed by a brief explanation of the benefits derived from the synergy of having all three of these controls present in a single, unified threat management platform.
6.1 Stateful Packet Inspection (SPI) Firewall
A firewall is a device intended to deny, proxy, permit and, in some cases, encrypt computer traffic between different information security domains, based upon a security policy expressed as a set of rules and other criteria.
A stateful firewall is one that performs stateful packet inspection and keeps track of the
state (as in finite state machine) of network connections traveling across it, typically in a
state table, allowing it to operate faster than an application gateway and more
intelligently than a mere packet filter.
Modern packet inspection adds application filtering, where the packet payload is also
inspected. For example, HTTP can be used to present web pages or perform peer-to-peer
file sharing. The latter may be against policy, but firewalls that do not perform deep
packet inspection can’t tell the difference and treat all HTTP traffic the same.
Firewalls are also the most common providers of Network Address Translation (NAT)
services. NAT translates IP addresses as traffic traverses the firewall, most commonly
from routable, publicly-registered addresses to non-routable, private addresses.
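The following is an added teaching example, not code from the guide or from the TMS zl Module itself, that models the two mechanisms just described: a state table that lets return traffic through only for connections the inside initiated, and source NAT that rewrites private addresses to a public one on the way out and reverses the rewrite on the way back. Zone names, rule fields, the public address 203.0.113.10, the 10.1.2.3 client, the 198.51.100.x servers and the NAT port range are all constructed for the example.

```python
"""Minimal two-zone stateful packet filter with source NAT (added teaching example)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    zone: str        # zone the packet arrives from: "internal" or "external"
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """One line of the security policy; rules are evaluated first match wins."""
    from_zone: str
    to_zone: str
    proto: str                 # "tcp", "udp" or "any"
    dst_port: Optional[int]    # None matches any destination port
    action: str                # "allow" or "deny"

    def matches(self, pkt: Packet, to_zone: str) -> bool:
        return (self.from_zone == pkt.zone and self.to_zone == to_zone
                and self.proto in (pkt.proto, "any")
                and self.dst_port in (pkt.dst_port, None))


class StatefulNatFirewall:
    """Stateful firewall that also source-NATs internal -> external flows (hypothetical model)."""

    def __init__(self, rules: List[Rule], public_ip: str, nat_port_base: int = 40000):
        self.rules = rules
        self.public_ip = public_ip
        self.next_nat_port = nat_port_base
        # Forward state: original inside 5-tuple -> translated source port
        self.outbound: Dict[Tuple, int] = {}
        # Return state: outside 5-tuple of the expected reply -> original inside (ip, port)
        self.inbound: Dict[Tuple, Tuple[str, int]] = {}

    def _policy(self, pkt: Packet) -> str:
        to_zone = "external" if pkt.zone == "internal" else "internal"
        for rule in self.rules:
            if rule.matches(pkt, to_zone):
                return rule.action
        return "deny"   # implicit default deny when no rule matches

    def process(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return (verdict, packet as forwarded); the packet is None when denied."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.zone == "external":
            entry = self.inbound.get(key)
            if entry is not None:
                # Reply to a flow the inside opened: undo NAT so it reaches the private host
                inside_ip, inside_port = entry
                return "allow", replace(pkt, dst_ip=inside_ip, dst_port=inside_port)
            # Unsolicited inbound traffic is governed by the policy alone (no NAT modelled)
            return ("deny", None) if self._policy(pkt) == "deny" else ("allow", pkt)

        nat_port = self.outbound.get(key)
        if nat_port is None:
            if self._policy(pkt) == "deny":
                return "deny", None
            # New permitted flow: allocate a public port and record both directions
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            self.outbound[key] = nat_port
            reply_key = (pkt.proto, pkt.dst_ip, pkt.dst_port, self.public_ip, nat_port)
            self.inbound[reply_key] = (pkt.src_ip, pkt.src_port)
        return "allow", replace(pkt, src_ip=self.public_ip, src_port=nat_port)


def demo() -> dict:
    """Run a constructed traffic sample through the model and collect the verdicts."""
    rules = [
        Rule("internal", "external", "tcp", 443, "allow"),
        Rule("internal", "external", "tcp", 80, "allow"),
        Rule("external", "internal", "any", None, "deny"),
    ]
    fw = StatefulNatFirewall(rules, public_ip="203.0.113.10")
    # Constructed sample: an inside client opens HTTPS to an outside web server
    v1, out = fw.process(Packet("internal", "tcp", "10.1.2.3", 51000, "198.51.100.7", 443))
    # The server's reply comes back addressed to the translated public ip/port
    v2, back = fw.process(Packet("external", "tcp", "198.51.100.7", 443, out.src_ip, out.src_port))
    # An inbound packet with no matching state is unsolicited
    v3, _ = fw.process(Packet("external", "tcp", "198.51.100.7", 443, "203.0.113.10", 40001))
    # Outbound to a port the policy does not list is denied by the rule set
    v4, _ = fw.process(Packet("internal", "tcp", "10.1.2.3", 51001, "198.51.100.9", 6881))
    return {
        "outbound": (v1, out.src_ip, out.src_port),
        "reply": (v2, back.dst_ip, back.dst_port),
        "unsolicited": v3,
        "unlisted_port": v4,
    }


if __name__ == "__main__":
    print(demo())
```

The model keeps the policy lookup and the state table separate on purpose: policy is consulted only for the first packet of a flow, and every later packet in either direction is decided by the state entry that first packet created. That is the behaviour that makes a stateful filter both faster than an application gateway and safer than a stateless packet filter, which would have to open the reply port range permanently.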
The HP ProCurve TMS zl Module is a modern SPI firewall, and common use cases are:
- Perimeter policy enforcement: to enforce security policy and provide NAT at the edge of the company network’s interface with other networks, also known as perimeter security.
- Security Enclave policy enforcement: to provide malware outbreak containment, granular access control in the data center, Denial of Service (DoS) prevention or, in the case of multiple TMS zl Modules, Distributed Denial of Service (DDoS) prevention. Network “compartmentalization” is created by enforcing a more restrictive security policy at the interface between a collection of high value information resources within the enterprise network and the rest of the enterprise network, at other security compartment interfaces, and/or other points within the enterprise network.