TMS zl Module Planning and Implementation Guide 2009-08
Table Of Contents
- Contents
- Glossary of Acronyms and Abbreviations
- 1.0 Purpose
- 2.0 Intended Audience
- 3.0 Objectives
- 4.0 Prerequisites
- 5.0 Skills
- 6.0 The HP ProCurve Threat Management Services zl Module
- 7.0 Common TMS Security Control Points
- 8.0 Deployment Considerations
- 9.0 Installation and Preparation of the TMS zl Module
- 10.0 Configuration of the TMS zl Module
- 11.0 Using multiple HP ProCurve Threat Management Services zl Modules
- Appendix A – Additional References
- Appendix B – Sample Company Information Assets Spreadsheet
- Sample “Information Assets” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Server Network Details” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “TMS Zones” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- “Firewall Rules” tab (See Embedded “Company Information Assets” Microsoft Excel 2003 spreadsheet)
- /Sample “Company Information Assets” Microsoft Excel 2003 spreadsheet
- Appendix C – Information Gathering Tools
- Appendix D – Updating Switch Software
- Appendix E – Emergency Recovery Process
6.1.2 Network Address Translation (NAT)
Network Address Translation (NAT) is the process of modifying IP address information in packet headers in order to map one address space to another. It is a very common function for firewalls, because many networks use RFC 1918 private IP addresses (e.g. 10.x.x.x, 172.16-31.x.x, 192.168.x.x) on the inside of the firewall and only a small block of publicly routable, registered IP addresses on the outside of the perimeter firewall.
6.1.3 Port Maps
The TMS zl Module supports processing well-known protocols running on alternate port numbers. Port maps enable the administrator to configure the TMS zl Module to treat traffic on a configured protocol (i.e. TCP or UDP) and port number, for example TCP port 8000, as a well-known service such as HTTP. Once a port map for a well-known service running on an alternate port number is configured, the firewall’s Application Layer Gateways (ALGs) and IPS signatures will treat traffic on that protocol and port number as the configured well-known service.
6.1.4 Application Layer Gateways (ALGs) and Port Triggers
The TMS zl Module also supports Application Layer Gateways (ALGs). ALGs inspect the packets of well-known protocols in traffic streams between two endpoints. In a session between two hosts, the ALG can “eavesdrop” on the packet flow for a configured service. It performs deep packet inspection at the OSI Application Layer (Layer 7) for particular application-level commands, behaviors commonly considered characteristic of exploit attempts, or other undesirable application activities. In addition, the ALG is intelligent enough to dynamically open additional, appropriate ports as needed for the specific service traffic. For example, HTTP “conversations” between two endpoints can be redirected to ports other than the well-known TCP/80. In this situation, the TMS zl HTTP ALG will “eavesdrop” on that redirection and intelligently open the additional port the conversation is being redirected to, but only for the two endpoints involved in this specific HTTP “conversation.”
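As an added illustration (not from this guide, and not the module’s own code), the following hypothetical Python model shows the two mechanisms described in 6.1.3 and 6.1.4 together: a port map that classifies TCP/8000 as HTTP, and an HTTP ALG that, on seeing a redirect to another port, opens that port only for the client/server pair of the inspected session, so a third host cannot reuse the opening. The `Firewall` class, the addresses and the HTTP response are constructed for the example.

```python
from dataclasses import dataclass, field

# Default well-known service table (constructed subset for the example).
WELL_KNOWN = {("tcp", 80): "http", ("tcp", 21): "ftp"}


@dataclass
class Firewall:
    """Hypothetical model of a TMS zl firewall's port maps and HTTP ALG."""
    permitted: set = field(default_factory=set)    # services the policy allows
    port_maps: dict = field(default_factory=dict)  # (proto, port) -> service
    pinholes: set = field(default_factory=set)     # (src, dst, proto, port)

    def classify(self, proto, port):
        """Port maps take precedence over the default well-known table."""
        return self.port_maps.get((proto, port)) or WELL_KNOWN.get((proto, port))

    def http_alg(self, client, server, response):
        """Eavesdrop on an HTTP response; if it redirects to another port on
        the same server, open that port for this client/server pair only."""
        for line in response.splitlines():
            if not line.lower().startswith("location:") or "//" not in line:
                continue
            host_port = line.split("//", 1)[1].split("/", 1)[0]
            host, _, port = host_port.rpartition(":")
            if host == server and port.isdigit():
                self.pinholes.add((client, server, "tcp", int(port)))

    def allows(self, src, dst, proto, port):
        """Permit traffic classified as an allowed service, or an exact pinhole
        match; another host reusing the redirected port is denied."""
        if self.classify(proto, port) in self.permitted:
            return True
        return (src, dst, proto, port) in self.pinholes


def demo():
    fw = Firewall(permitted={"http"})
    fw.port_maps[("tcp", 8000)] = "http"  # port map: treat TCP/8000 as HTTP
    # Constructed HTTP response redirecting the client to TCP/8080.
    redirect = ("HTTP/1.1 302 Found\r\n"
                "Location: http://203.0.113.10:8080/app\r\n\r\n")
    fw.http_alg("10.1.1.5", "203.0.113.10", redirect)
    return fw
```

After `demo()`, `allows("10.1.1.5", "203.0.113.10", "tcp", 8080)` is true while the same check from `10.1.1.6` is false, and TCP/8000 is accepted because the port map classifies it as HTTP.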
The TMS zl Module supports the following ALGs:
• aim - The AOL IM ALG
• esp - ESP ALG keeps track of SPI values in an IPsec tunnel
• ftpv4 - The FTP ALG
• ike - The IKE ALG
• ils, ils2 - The ILS ALGs process Lightweight Directory Access Protocol (LDAP) packets that are used to communicate with ILS servers.
• irc - Internet Relay Chat (IRC) ALG