TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D – Updating Switch Software
- Appendix E – Emergency Recovery Process

6.1.1 Zone-Based Firewall
The TMS zl Module is a zone-based firewall rather than a traditional
interface-based one. A zone-based model offers greater granularity and more
flexibility while keeping the security control model conceptually simpler.
The TMS zl Module uses zones to control traffic. Zones are logical groupings
of TMS VLANs that share similar security needs or levels of trust; they divide
the network into distinct security regions. VLANs are assigned to zones, and
security policy rules are typically applied to traffic moving between zones,
although they can also be applied to traffic moving between VLANs within a
single zone. Which VLAN within a zone the traffic originates from or is
destined to does not matter: a rule between two zones governs traffic between
any VLAN in the first zone and any VLAN in the second. This lets controls be
applied according to the overall security posture desired for an entire region
of the network rather than per subnet or VLAN, simplifying the administrator’s
management tasks. The corollary is that a VLAN should only be placed in a zone
whose complete policy is appropriate for it, because every rule written for
that zone will apply to the VLAN.
The TMS zl Module supports two types of zones:
• Self
  – The Self zone allows you to control sessions that originate or
    terminate on the TMS zl Module itself. It contains all of the module’s
    IP addresses on the TMS VLANs. Addresses to which destination NAT is
    applied are also part of the Self zone. In other words, when the TMS zl
    Module applies destination NAT to traffic, the pre-NAT traffic may be
    destined to an address that exists on the module or to another address.
    In either case, the traffic is considered to be destined to the Self
    zone.
  – Traffic that originates in or is destined to the Self zone includes:
    • Management traffic
    • IKE traffic for establishing VPNs for which the TMS zl Module is the
      gateway
    • Routing updates
    • User authentication
    • Traffic to which destination NAT will be applied
• Access control
  – The TMS zl Module supports nine access control zones, which have the
    following names and intended purposes:
    • Internal—your private network
    • External—the Internet or other untrusted networks
    • DMZ—demilitarized zone; publicly-accessible servers that are
      logically located between the private network and the external
      network
    • Zone1 through Zone6—any user-defined purpose, as needed
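The zone model described above, as an added illustration that is not code from this guide, from HP ProCurve, or TMS CLI syntax: a small Python model that assigns VLANs to zones, classifies the module’s own addresses and pre-NAT destination-NAT addresses into the Self zone, and evaluates zone-to-zone rules. Only the zone names (Self, Internal, External, DMZ, Zone1 through Zone6) come from the guide. The VLAN IDs, addresses, route table and rule set are constructed for the example, and the top-down, first-match, default-deny evaluation is this model’s own convention, not a statement about how the TMS zl Module processes its rules.

```python
"""Zone-based policy evaluation model (added example, not TMS code or CLI).
Zone names follow the guide; VLAN IDs, addresses, routes, rules and the
first-match/default-deny evaluation are this example's own constructions."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

SELF_ZONE = "Self"
ACCESS_CONTROL_ZONES = {"Internal", "External", "DMZ"} | {f"Zone{i}" for i in range(1, 7)}

# Constructed: VLAN-to-zone assignment. VLANs 10 and 20 both belong to Internal.
VLAN_TO_ZONE = {10: "Internal", 20: "Internal", 30: "DMZ", 99: "External"}
assert set(VLAN_TO_ZONE.values()) <= ACCESS_CONTROL_ZONES

# Constructed: routes used to find the VLAN a destination is reached through.
ROUTES = {ip_network("10.0.10.0/24"): 10, ip_network("10.0.20.0/24"): 20,
          ip_network("10.0.30.0/24"): 30, ip_network("0.0.0.0/0"): 99}

# Constructed: the module's own addresses on the TMS VLANs, plus the public
# address destination NAT maps to a DMZ server. Both sets are Self zone.
MODULE_ADDRESSES = {ip_address(a) for a in ("10.0.10.1", "10.0.20.1", "10.0.30.1", "203.0.113.1")}
DNAT_ADDRESSES = {ip_address("203.0.113.80")}


@dataclass(frozen=True)
class Packet:
    vlan: int                # ingress VLAN
    src: IPv4Address
    dst: IPv4Address
    proto: str               # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "permit" or "deny"

    def matches(self, src_zone: str, dst_zone: str, pkt: Packet) -> bool:
        return ((self.src_zone, self.dst_zone) == (src_zone, dst_zone)
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))


# Constructed rule set, evaluated top-down; the first matching rule wins.
RULES = [
    Rule("Internal", "External", "tcp", 443, "permit"),
    Rule("Internal", "DMZ", "tcp", 80, "permit"),
    Rule("External", SELF_ZONE, "tcp", 80, "permit"),   # pre-NAT web traffic to the DNAT address
    Rule("External", SELF_ZONE, "udp", 500, "permit"),  # IKE; the module is the VPN gateway
    Rule("Internal", SELF_ZONE, "tcp", 443, "permit"),  # HTTPS management from inside
    Rule("Internal", "Internal", "tcp", 445, "deny"),   # intra-zone: no SMB between VLANs 10 and 20
    Rule("Internal", "Internal", "any", None, "permit"),
]


def egress_vlan(dst: IPv4Address) -> int:
    """Longest-prefix match over ROUTES; the default route guarantees a hit."""
    return ROUTES[max((n for n in ROUTES if dst in n), key=lambda n: n.prefixlen)]


def src_zone_of(pkt: Packet) -> Optional[str]:
    return SELF_ZONE if pkt.src in MODULE_ADDRESSES else VLAN_TO_ZONE.get(pkt.vlan)


def dst_zone_of(pkt: Packet) -> Optional[str]:
    # Module addresses and pre-NAT DNAT addresses are Self; anything else takes
    # the zone of the VLAN it is routed into.
    if pkt.dst in MODULE_ADDRESSES or pkt.dst in DNAT_ADDRESSES:
        return SELF_ZONE
    return VLAN_TO_ZONE.get(egress_vlan(pkt.dst))


def evaluate(pkt: Packet, rules=RULES) -> Tuple[str, str]:
    """Return (action, reason); unassigned VLANs and unmatched traffic are denied."""
    src_zone, dst_zone = src_zone_of(pkt), dst_zone_of(pkt)
    if src_zone is None or dst_zone is None:
        return "deny", "VLAN not assigned to a zone"
    for rule in rules:
        if rule.matches(src_zone, dst_zone, pkt):
            return rule.action, f"{src_zone}->{dst_zone} {rule.proto}/{rule.dst_port}"
    return "deny", f"no rule for {src_zone}->{dst_zone}"


def pkt(vlan: int, src: str, dst: str, proto: str, port: int) -> Packet:
    return Packet(vlan, ip_address(src), ip_address(dst), proto, port)


if __name__ == "__main__":
    for p in (pkt(10, "10.0.10.50", "198.51.100.9", "tcp", 443),   # Internal -> External
              pkt(20, "10.0.20.50", "198.51.100.9", "tcp", 443),   # other VLAN, same zone, same result
              pkt(99, "198.51.100.9", "203.0.113.80", "tcp", 80),  # DNAT address: evaluated as -> Self
              pkt(10, "10.0.10.50", "10.0.20.50", "tcp", 445),     # intra-zone, explicitly denied
              pkt(40, "10.0.40.5", "198.51.100.9", "tcp", 443)):   # VLAN 40 is in no zone
        print(f"vlan {p.vlan:>2} {p.src} -> {p.dst}:{p.dst_port}/{p.proto}: {evaluate(p)}")
```

Two points the model makes concrete: hosts on VLAN 10 and VLAN 20 get identical treatment because the rules are keyed on the Internal zone, not the VLAN, and a connection from the Internet to the public DNAT address is matched as External to Self (the pre-NAT destination), so the permit for it has to be written against the Self zone rather than against the DMZ server it is ultimately translated to.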