HP ProCurve Threat Management Services zl Module NPI Technical Training (sample excerpt)


NPI Technical Training, Version 1.00, 5 January 2009. 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Use Models

Operating Modes
- Routing mode: firewall, IPS, VPN, user authentication, NAT, routing, high availability (HA), logging
- Monitor mode: IDS, logging

The TMS zl Module can operate in one of two modes: routing mode or monitor mode. The module's mode affects its functions on every level, so you must select the correct operating mode for the functions that you want the module to perform. The next several slides describe these modes in more detail, focusing on how you can use each one to protect your network.

TMS zl Module in Routing Mode
- The TMS zl Module actively controls and secures routed traffic.

In routing mode, the TMS zl Module routes network traffic, and it actively controls and secures the traffic that it routes. You will learn exactly how the module controls and secures traffic later in this training. First, however, you need to understand some general concepts.

Internal Ports in Routing Mode
- Each of the two internal ports supports 10 Gbps.
- The host switch references the ports by slot and port number; for a module in slot E, they are ports E1 and E2.
- Port 1 handles network and management traffic.
- Port 2 handles high-availability (HA) traffic.

The TMS zl Module receives traffic from and transmits traffic to its host switch on these two internal ports, each of which supports 10 Gbps. In routing mode, the internal ports operate as follows:
- Port 1 sends and receives all network traffic that is controlled by the TMS zl Module. It also sends and receives all management traffic.
- Port 2 sends and receives traffic related to a High Availability (HA) cluster.

When you add VLANs to the TMS zl Module, the data port (port 1) is automatically tagged for those VLANs.

Routing Mode Concepts: TMS VLANs
A TMS VLAN is a VLAN that is routed and controlled by a TMS zl Module operating in routing mode:
- The VLAN must exist on the host switch.
- The module has an IP address on each TMS VLAN, and its internal port 1 is tagged for the VLAN.
- The module is the default gateway for endpoints in the VLAN.
- On other routers, the module is the next hop to the VLAN.
- The TMS zl Module supports up to 20 VLANs.

VLANs that are controlled by the TMS zl Module are called TMS VLANs. To add a TMS VLAN to the module, the VLAN must exist on the host switch. However, the host switch does not require an IP address on the VLAN, and typically it should not have one. When you decide that you want a VLAN to become a TMS VLAN, you assign the module an IP address on that VLAN. The host switch automatically tags the module's internal port 1 for that VLAN.

The TMS zl Module must route traffic for TMS VLANs. Therefore the module's IP address on each TMS VLAN should be the default gateway for endpoints in that VLAN. If your network has other routers (for example, a WAN router that connects to the Internet), their route to the TMS VLANs should specify an IP address on the TMS zl Module as the next hop.

Note that the TMS zl Module filters all traffic routed into or out of each TMS VLAN. It does not filter traffic between devices in the same VLAN: the host switch forwards that traffic at Layer 2 and it never reaches the module. The TMS zl Module supports up to 20 VLANs.

Routing Mode Concepts: Zones
Zones allow you to separate the network into logical areas of trust:
- Define the VLANs in each zone.
- Apply unique access policies to each zone.
Two types of zones are supported:
- Self zone: any IP address configured on the module
- 9 access control zones, each containing one or more TMS VLANs:
  » Internal
  » External
  » DMZ
  » Zone1 to Zone6

As mentioned earlier, the TMS zl Module allows you to separate the network into logical areas of trust. You define these zones when you add TMS VLANs to the module: specifically, you must add each VLAN to a particular zone. You can then apply unique access policies to each zone, or to certain VLANs or certain IP addresses within a zone.

The module has two types of zones. The Self zone includes any IP address configured on the module. It controls traffic that is originated by the module and traffic that is destined to the module itself. (The Self zone does not include traffic that the module is simply routing.) The other nine zones are access control zones, which are used to control traffic that is routed between TMS VLANs. To begin using the zones, you add the TMS VLANs you have defined to a particular zone.

The nine access control zones are named Internal, External, DMZ, Zone1, Zone2, Zone3, Zone4, Zone5, and Zone6. The Internal zone is intended for traffic that is internal to your private network. The External zone is intended for external traffic such as Internet traffic. The DMZ zone is intended for servers and security devices placed between the internal and external networks. You can use the six numbered zones to define internal and external traffic in more granular ways. For example, if you installed the TMS zl Module on a university network, you could assign the Student VLAN to Zone1 and the Faculty VLAN to Zone2.

Despite the intended uses, access control zones are fully customizable. You can use only the zones that you need for your particular environment, and you can add whatever TMS VLANs you want to a particular access control zone. The only rule is that each TMS VLAN can be assigned to only one zone.

Routing Mode Concepts: A Packet's Zone
Every packet has a source zone and a destination zone:
- Source zone = the zone of the TMS VLAN on which the packet arrived
- Destination zone = the zone of the forwarding VLAN in the route to the packet's destination

The concept of zones is most important for firewall access policies. You will learn more about these policies later in this training. For now, you simply need to understand that each packet the TMS zl Module receives is defined according to its source zone and its destination zone.

The packet's source zone is the zone of the TMS VLAN on which the packet arrived. In other words, it is the zone for the source device's VLAN. This VLAN might be the VLAN in which the packet originated, or it might be the VLAN on which another router has routed the packet to the TMS zl Module.

The packet's destination zone is the zone of the forwarding VLAN in the route to the packet's destination, which might be the VLAN to which the packet is destined, or which might be a VLAN on the way to the final destination network (often the case for external traffic).

A Packet's Zone: Example 1

In this example, the TMS zl Module receives a packet. The packet's source IP address is 10.1.10.50, and its destination IP address is 10.1.30.15. The module determines that the source zone is Internal because the source address is in the Faculty VLAN, which is in the Internal zone. The packet's destination IP address is in the Server VLAN, which is a connected VLAN. Because this VLAN is in the Internal zone, the packet's destination zone is also Internal. The TMS zl Module will apply Internal-to-Internal access policies to the packet.

A Packet's Zone: Example 2

In this example, the module receives a packet with source IP address 10.1.20.50 and destination IP address 172.18.5.3. The packet's source zone is Internal because it arrived from a device in the Student VLAN, which is in the Internal zone. This packet is destined to an address in a network that is not connected to the TMS zl Module. However, the module has a default route through 172.16.1.1, which is the IP address of the network's WAN router. The module will forward the packet using the default route. Because the 172.16.1.0/24 network is associated with the External zone, this packet's destination zone is External, and the TMS zl Module will apply Internal-to-External access policies to it.
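The two examples above can be reproduced by a small model of the zone lookup. The following is an added example written for this excerpt, not HP code: the source zone is read off the arrival VLAN, and the destination zone is the zone of whichever TMS VLAN the route lookup forwards onto (a connected VLAN, or the VLAN of the next hop for a routed destination). The /24 masks, placing the 172.16.1.0/24 WAN link on VLAN 99, and the 10.2.0.0/16 route via a router on the Server VLAN are assumptions added to show longest-prefix matching; the addresses otherwise come from the two examples.

```python
"""Zone classification for a TMS zl Module in routing mode (added example, not HP code).

Source zone = zone of the TMS VLAN the packet arrived on.
Destination zone = zone of the TMS VLAN the route lookup forwards onto.
Assumptions: /24 masks, WAN link on VLAN 99, a 10.2.0.0/16 route via 10.1.30.254.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class TmsVlan:
    vid: int
    name: str
    network: IPv4Network   # subnet on which the module holds its address
    zone: str


VLANS = {v.vid: v for v in (
    TmsVlan(10, "Faculty", ip_network("10.1.10.0/24"), "Internal"),
    TmsVlan(20, "Student", ip_network("10.1.20.0/24"), "Internal"),
    TmsVlan(30, "Server", ip_network("10.1.30.0/24"), "Internal"),
    TmsVlan(99, "WAN link", ip_network("172.16.1.0/24"), "External"),   # VLAN number assumed
)}

# Static routes as (prefix, next hop). The default route via the WAN router is from
# Example 2; the 10.2.0.0/16 route via a router on the Server VLAN is an assumption.
ROUTES = (
    (ip_network("10.2.0.0/16"), ip_address("10.1.30.254")),
    (ip_network("0.0.0.0/0"), ip_address("172.16.1.1")),
)


def connected_vlan(addr: IPv4Address) -> Optional[TmsVlan]:
    """The TMS VLAN whose subnet contains addr, if any."""
    return next((v for v in VLANS.values() if addr in v.network), None)


def forwarding_vlan(dst: IPv4Address) -> Optional[TmsVlan]:
    """Route lookup: connected subnet first, then longest-prefix match on static routes."""
    direct = connected_vlan(dst)
    if direct is not None:
        return direct
    candidates = [(prefix, nh) for prefix, nh in ROUTES if dst in prefix]
    if not candidates:
        return None                              # no route: the packet cannot be forwarded
    _, nexthop = max(candidates, key=lambda r: r[0].prefixlen)
    return connected_vlan(nexthop)               # the next hop must sit on a TMS VLAN


def classify(arrival_vid: int, dst_ip: str) -> Union[Tuple[str, str], str, None]:
    """Return (source zone, destination zone), 'intra-vlan', or None if unroutable."""
    src_vlan = VLANS.get(arrival_vid)
    dst_vlan = forwarding_vlan(ip_address(dst_ip))
    if src_vlan is None or dst_vlan is None:
        return None
    if src_vlan.vid == dst_vlan.vid:
        # Same VLAN: the host switch forwards it at Layer 2; the module does not filter it.
        return "intra-vlan"
    return (src_vlan.zone, dst_vlan.zone)


if __name__ == "__main__":
    print("Example 1:", classify(10, "10.1.30.15"))
    print("Example 2:", classify(20, "172.18.5.3"))
```

The return path of Example 2 (a packet arriving on the WAN-link VLAN for 10.1.10.50) classifies as External-to-Internal, which is why the perimeter policies have to be written for both zone pairs.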

Use Models for Routing Mode

Let's look at some examples of how you can deploy a TMS zl Module operating in routing mode. You can use the module as a traditional firewall or IPS deployed at the perimeter. In this case, the module filters all traffic sent between the internal and external network. However, the module's primary function is to protect your network from misuse by authorized internal users, by filtering all internal routed traffic. We'll look at this use model first.

Internal Threat Protection
- The TMS zl Module is the default gateway for internal VLANs.
- The module controls traffic using one or more of these features: firewall with optional user authentication, IPS, VPN, NAT

When the TMS zl Module provides internal threat protection, it must act as the default gateway for internal VLANs. It can then control internal traffic. The two primary functions of the module are typically its firewall and IPS. The firewall detects and blocks certain DoS attacks and controls users' access to particular resources. You also have the option to add user authentication to the firewall. The IPS detects a wide array of threats and mitigates them.

Another feature that you can use for internal threat protection is the module's VPN. You might use the VPN to encrypt internal traffic that is destined to certain resources that require high confidentiality. Finally, some networks might require internal NAT. For example, the network might have different segments, some more public than others. You might want to conceal the IP addresses in the more private areas from users in the more public areas.

This and the next several slides will guide you through deploying a TMS zl Module for internal threat protection. For now, I will be showing you how to configure VLANs and IP addresses so that traffic passes through the module correctly. You will learn about more detailed use models for particular features later in this training. At that point, you will also learn exact CLI commands and step-by-step instructions for setting up particular module features.

Deployment for Internal Threat Protection: Existing Network Design

One last note before we examine the deployment process: because the deployment will involve changes to network addressing, you should complete it after normal business hours and during a scheduled outage.

In this example, a ProCurve 8212zl switch acts as the core routing switch for a university. The university's internal network is divided into four VLANs. The Management VLAN (VLAN 2) includes infrastructure devices and the IT staff's workstations. The Faculty VLAN (VLAN 10) includes the faculty's workstations. The Student VLAN (VLAN 20) includes ports in student housing rooms and computer labs. The DataCenter VLAN (VLAN 30) includes all private network resources. The 8212zl switch has an IP address on each of these VLANs and routes all internal traffic. Its own default gateway is the WAN router, a ProCurve Secure Router 7203dl.

Deployment for Internal Threat Protection: Remove IP Addresses from the Switch

You will install the new TMS zl Module in this core switch. You should access the module and install the product license. The next step is to remove all IP addresses from the switch except its management IP address. Change the switch's default gateway address to the IP address that you plan to assign to the TMS zl Module on this VLAN. The module is going to be the default gateway for all internal devices.

Remember: you remove only the IP addresses from the VLANs. The VLANs themselves must still exist on the switch.

Deployment for Internal Threat Protection: Add VLANs and Zones to the TMS zl Module

Next, add all VLANs on the host switch as TMS VLANs. In this example, the Management VLAN is added to Zone1. Zone1 is then enabled for management access on the TMS zl Module, allowing only IT staff in the Management VLAN to access the module. In this example, all other internal VLANs (those for faculty, students, and the DataCenter) are assigned to the Internal zone. The VLAN on which the module and host switch connect to the WAN router (in this example, VLAN 99) is assigned to the External zone. The next slide shows the IP addresses assigned to the VLANs.

Deployment for Internal Threat Protection: Assign VLAN IP Addresses on the TMS zl Module

This slide illustrates the IP addresses assigned to the TMS zl Module on the TMS VLANs. As you see, most of the IP addresses are the IP addresses that you removed from the host switch. In this example, the host switch was the default router for internal endpoints. Because the module takes over those same addresses, you can leave all DHCP scopes and static settings intact; the TMS zl Module will now be the router. To allow the module to route traffic out to the Internet, you must configure the default gateway that you removed from the host switch; in this example, the module's default gateway is 10.1.99.2 because that is the Ethernet IP address of the WAN router.

At this point, you can begin configuring the module's firewall, IDS/IPS, and other features. The module is ready to control traffic. In fact, the TMS zl Module denies any traffic that is not explicitly permitted by an access policy. Some routing protocols are allowed by default, and when you set up the management zone, a number of access policies are created automatically for you. To permit other traffic, you must create access policies.
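The three deployment steps above change addressing on a live core switch, so it is worth checking the plan against the invariants this section relies on before the maintenance window. The following pre-flight check is an added example, not HP tooling: it verifies that the switch keeps only its management address, that every other VLAN address moves to the module unchanged (so endpoint gateway settings and DHCP scopes stay valid), that the module has an address on the management VLAN in the zone enabled for management, that the switch's new default gateway is that address, that the module's default gateway lies on a VLAN in the External zone, and that the 20-VLAN limit holds. The VLAN 2 subnet, the module's VLAN 99 address and the gateway addresses ending in .1 are assumptions; 10.1.99.2 as the WAN router's address and the zone assignments come from the example.

```python
"""Pre-flight check of an internal threat protection migration plan.

Added example, not HP tooling. Assumed: the VLAN 2 subnet (10.1.2.0/24),
the module's VLAN 99 address, and gateway addresses ending in .1.
"""
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Tuple

MAX_TMS_VLANS = 20
ACCESS_CONTROL_ZONES = {"Internal", "External", "DMZ"} | {f"Zone{i}" for i in range(1, 7)}


def check_plan(switch_before: Dict[int, str], switch_after: Dict[int, str],
               switch_gw_after: str, module_vlans: Dict[int, Tuple[str, str]],
               module_gw: str, mgmt_vlan: int, mgmt_zone: str) -> List[str]:
    """Return the problems found in the plan; an empty list means it is consistent."""
    problems = []
    # 1. The switch keeps only its management address (the VLANs themselves stay defined).
    for vid in switch_after:
        if vid != mgmt_vlan:
            problems.append(f"switch still has an IP address on VLAN {vid}")
    if switch_after.get(mgmt_vlan) != switch_before.get(mgmt_vlan):
        problems.append("switch management address must stay as it was")
    # 2. Every address removed from the switch reappears unchanged on the module.
    for vid, addr in switch_before.items():
        if vid != mgmt_vlan and module_vlans.get(vid, (None,))[0] != addr:
            problems.append(f"VLAN {vid}: gateway {addr} is not reassigned to the module")
    # 3. VLAN count and zone names.
    if len(module_vlans) > MAX_TMS_VLANS:
        problems.append(f"module would carry {len(module_vlans)} VLANs; the limit is {MAX_TMS_VLANS}")
    for vid, (_, zone) in module_vlans.items():
        if zone not in ACCESS_CONTROL_ZONES:
            problems.append(f"VLAN {vid}: unknown zone {zone}")
    # 4. Management VLAN: the module needs its own address there, in the management zone,
    #    in the switch's subnet but not the switch's host address, and it becomes the
    #    switch's default gateway.
    mgmt = module_vlans.get(mgmt_vlan)
    if mgmt is None:
        problems.append("module has no IP address on the management VLAN")
    else:
        mod_if = ip_interface(mgmt[0])
        if mgmt[1] != mgmt_zone:
            problems.append(f"management VLAN is in {mgmt[1]}, not the management zone {mgmt_zone}")
        sw_addr = switch_after.get(mgmt_vlan)
        if sw_addr is not None:
            sw_if = ip_interface(sw_addr)
            if sw_if.network != mod_if.network or sw_if.ip == mod_if.ip:
                problems.append("switch and module management addresses must differ within one subnet")
        if ip_address(switch_gw_after) != mod_if.ip:
            problems.append("switch default gateway is not the module's management VLAN address")
    # 5. The module's default gateway must be reachable on a VLAN in the External zone.
    external_nets = [ip_interface(a).network for a, z in module_vlans.values() if z == "External"]
    if not any(ip_address(module_gw) in net for net in external_nets):
        problems.append(f"module default gateway {module_gw} is not on an External VLAN")
    return problems


# The training example's addressing (see the assumptions in the module docstring).
MGMT_VLAN = 2
SWITCH_BEFORE = {2: "10.1.2.2/24", 10: "10.1.10.1/24", 20: "10.1.20.1/24",
                 30: "10.1.30.1/24", 99: "10.1.99.1/24"}
SWITCH_AFTER = {2: "10.1.2.2/24"}
SWITCH_GW_AFTER = "10.1.2.1"          # the module's planned address on VLAN 2
MODULE_VLANS = {
    2: ("10.1.2.1/24", "Zone1"),       # Management VLAN; Zone1 is enabled for management
    10: ("10.1.10.1/24", "Internal"),
    20: ("10.1.20.1/24", "Internal"),
    30: ("10.1.30.1/24", "Internal"),
    99: ("10.1.99.1/24", "External"),  # VLAN to the WAN router
}
MODULE_GW = "10.1.99.2"               # WAN router's Ethernet address


def check_example_plan() -> List[str]:
    return check_plan(SWITCH_BEFORE, SWITCH_AFTER, SWITCH_GW_AFTER,
                      MODULE_VLANS, MODULE_GW, MGMT_VLAN, "Zone1")


if __name__ == "__main__":
    print(check_example_plan() or "plan is consistent")
```

Run it against the planned addressing before the outage; any non-empty result is a change to make in the plan, not on the switch.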

Perimeter Threat Protection
- The TMS zl Module routes traffic between the internal and external networks.
- It controls traffic using one or more of these features: firewall with optional user access control, IPS, NAT, VPN with optional user authentication

Some companies may want to deploy the TMS zl Module as a perimeter device. This is a valid use model, although perimeter threat protection alone does not protect the network as thoroughly as perimeter threat protection combined with internal threat protection. In a perimeter deployment, the TMS zl Module performs all of the functions that we have discussed, but it controls only traffic routed between the internal and external networks, not traffic that is routed within the internal network.

Deployment for Perimeter Threat Protection: Existing Network Design

The next several slides will guide you through deploying the TMS zl Module at the perimeter. The example network is similar to the network in the internal threat protection example. However, this slide shows all internal VLANs grouped together because the TMS zl Module will not distinguish between them.

Deployment for Perimeter Threat Protection: Remove the External IP Address from the Switch

In this example, the TMS zl Module is installed in an 8212zl switch that connects to the WAN router and that is also the core routing switch. In your network, these might be separate switches. You should install the module in the 5400zl switch or 8212zl switch that is closest to the WAN router. After you install the module, you must install its product license. Then you can begin changing IP addresses for the deployment.

On the core routing switch (which may or may not be the module's host switch), remove the IP address on the VLAN that connects to the WAN router (and from there to the Internet). Also change the routing switch's default gateway to the IP address that you plan to assign to the TMS zl Module on an internal VLAN. In this way, you ensure that all internal traffic destined to the external network is routed through the TMS zl Module.

Deployment for Perimeter Threat Protection: Add VLANs and Zones to the TMS zl Module

Access the TMS zl Module CLI (as you will learn how to do a bit later) and add two VLANs. The VLAN that connects to the WAN router is associated with the External zone. (Note that, to add this VLAN to the TMS zl Module, it must be present on the host switch. If necessary, extend the VLAN to the host switch.) You selected an IP address for the TMS zl Module on an internal VLAN when you set up the new default gateway for the core routing switch. Add this VLAN to the TMS zl Module and associate it with the Internal zone. Enable management on the Internal zone.

Deployment for Perimeter Threat Protection: Assign VLAN IP Addresses on the TMS zl Module

You already chose an IP address for the TMS zl Module on the VLAN associated with the Internal zone. Configure that address now. On the VLAN associated with the External zone, assign the module the IP address that you removed from the core routing switch. Make sure that the WAN router's route to the internal network specifies this IP address as the next hop, which ensures that all external traffic is routed through the TMS zl Module before it reaches the internal network.

Deployment for Perimeter Threat Protection: Create a Route to the Internal Network

If the internal network includes more VLANs than the one that you configured on the TMS zl Module, you must create a route to the rest of the network. The next-hop router should be the internal routing switch. At this point, all traffic between the internal and external networks passes through the TMS zl Module, and you can control it.

Feature Interaction for Routing Mode

A TMS zl Module that operates in routing mode supports multiple features: the firewall, the IPS, VPNs, and NAT. As you configure the TMS zl Module, it is important to understand how these features interact. The module processes each packet it receives in this order:

1. IPsec inbound. The module first checks whether the packet is an IP security (IPsec) packet that belongs to an active Security Association (SA); in other words, whether it is an inbound encrypted packet. If it is, the module checks the packet's integrity, decrypts it, and decapsulates it, then passes it to the firewall. Packets that fail integrity checks or cannot be decrypted are dropped. Non-IPsec packets are sent directly to the firewall.
2. Attack checks. The firewall filters the traffic with the enabled attack checks.
3. Session lookup. The firewall looks for the packet's session.
4. Access policies. If the session does not exist, the firewall checks the packet against its access policies to determine whether it should be allowed. All packets that do not explicitly match an access policy are dropped.
5. IPS. If the packet is allowed by an access policy and IPS is enabled for that policy, the module sends it to the IPS for protocol anomaly checks and signature-based threat detection. (When IPS is disabled for the policy, this step is skipped.) If the IPS detects a threat, it handles the packet based on the action that is configured for threats of that severity.
6. NAT. If the packet passes the IPS checks, the firewall processes it again, now checking whether the packet is selected for NAT and, if so, translating the source or destination IP address as specified.
7. IPsec outbound. The module checks the packet against its IPsec policies. If an IPsec traffic selector selects the traffic, the module encrypts and encapsulates the packet as specified in the corresponding IPsec SA. (If such an SA does not exist, the module can establish it.)
8. Forwarding. The module looks up the route to the packet's destination and forwards the packet accordingly.
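The order matters in practice: a return packet that matches an existing session is never tested against the access policies, a packet that no policy permits is dropped before IPS ever sees it, and NAT runs before the IPsec selectors are consulted. The model below is an added example, not HP code. The two policies, the source-NAT address 203.0.113.10, the IPsec selector for the Server VLAN, the LAND-style check standing in for the firewall's attack checks, and the byte-string "signature" are all constructed for illustration; zones are taken as already classified (see the earlier slides). One modelling assumption is that a session keeps the IPS setting of the policy that permitted it, so later packets of the same flow are inspected the same way.

```python
"""Processing order of a TMS zl Module in routing mode, as a model (added example, not HP code).

Constructed for illustration: the policies, NAT address, IPsec selector, the LAND-style
attack check, the 'signature' set, and the assumption that a session inherits the IPS
setting of the policy that created it.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    sport: int
    dport: int
    src_zone: str                 # zones are classified before this stage (see earlier slides)
    dst_zone: str
    payload: bytes = b""
    ipsec_inbound: bool = False   # arrived inside an active SA
    integrity_ok: bool = True     # result of that SA's integrity check


@dataclass(frozen=True)
class Policy:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]          # None matches any destination port
    ips: bool                     # whether IPS inspects traffic this policy permits

    def matches(self, p: Packet) -> bool:
        return ((self.src_zone, self.dst_zone, self.proto) == (p.src_zone, p.dst_zone, p.proto)
                and (self.dport is None or self.dport == p.dport))


IPS_SIGNATURES = (b"EVIL",)       # constructed stand-in for the signature set


@dataclass
class RoutingModeModule:
    policies: List[Policy]
    nat_source: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (src, dst zone) -> new source
    ipsec_selectors: list = field(default_factory=list)                    # destination prefixes to encrypt
    sessions: Dict[tuple, bool] = field(default_factory=dict)              # 5-tuple -> IPS flag

    def process(self, p: Packet) -> dict:
        # 1. Inbound IPsec: integrity check, decrypt, decapsulate; failures are dropped.
        if p.ipsec_inbound and not p.integrity_ok:
            return {"action": "drop", "stage": "ipsec-in"}
        # 2. Firewall attack checks (LAND: source address equals destination address).
        if p.src_ip == p.dst_ip:
            return {"action": "drop", "stage": "attack-check"}
        # 3. Session lookup: a known flow, in either direction, skips the policy lookup.
        key = (p.src_ip, p.dst_ip, p.proto, p.sport, p.dport)
        reverse = (p.dst_ip, p.src_ip, p.proto, p.dport, p.sport)
        new_session = None
        if key in self.sessions:
            ips = self.sessions[key]
        elif reverse in self.sessions:
            ips = self.sessions[reverse]
        else:
            # 4. Access policies: first match wins; no match means drop (default deny).
            policy = next((pol for pol in self.policies if pol.matches(p)), None)
            if policy is None:
                return {"action": "drop", "stage": "policy"}
            ips, new_session = policy.ips, key
        # 5. IPS, only for traffic permitted by a policy that enables it.
        if ips and any(sig in p.payload for sig in IPS_SIGNATURES):
            return {"action": "drop", "stage": "ips"}
        if new_session is not None:
            self.sessions[new_session] = ips
        # 6. NAT: translate the source if a rule selects this zone pair.
        src_ip = self.nat_source.get((p.src_zone, p.dst_zone), p.src_ip)
        # 7. IPsec policies: encrypt if a traffic selector matches the destination.
        encrypt = any(ip_address(p.dst_ip) in net for net in self.ipsec_selectors)
        # 8. Route lookup and forwarding (the route lookup itself is outside this model).
        return {"action": "forward", "stage": "forward", "src_ip": src_ip,
                "ips": ips, "encrypt": encrypt}


def build_module() -> RoutingModeModule:
    """Constructed configuration: web to the Server VLAN with IPS, HTTPS out with source NAT."""
    return RoutingModeModule(
        policies=[Policy("Internal", "Internal", "tcp", 80, ips=True),
                  Policy("Internal", "External", "tcp", 443, ips=False)],
        nat_source={("Internal", "External"): "203.0.113.10"},
        ipsec_selectors=[ip_network("10.1.30.0/24")],
    )
```

Feeding the module a web request from the Faculty VLAN and then the server's reply shows the session rule at work: the reply is forwarded although no Internal-to-Internal policy permits traffic to an ephemeral port. Feeding it SMTP to the Internet shows the default deny, and a payload matching the constructed signature is dropped at the IPS stage without a session ever being created.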

TMS zl Module in Monitor Mode
- IDS threat detection and notification only
- Analyzes traffic that is mirrored to its internal port 1 (does not use zones)
- Use models: internal threat detection, perimeter threat detection

A TMS zl Module that operates in monitor mode analyzes traffic that is mirrored to its internal port 1. The module can use its IDS/IPS signatures to screen the traffic for threats. However, the module acts only as an IDS: that is, it detects the threats but does nothing on its own to mitigate them. It does, however, log the threats to its internal log. It can also notify an administrator by email, send a message to a syslog server, or send a trap to an SNMP server. You can use a monitor mode TMS zl Module to detect threats in internal traffic, in external traffic destined to the internal network, or both. The next slides show how.

Internal Ports in Monitor Mode
- Port 1 is reserved for data; mirror data to this port. Example: if the module is in slot E, mirror traffic to E1.
- Port 2 is used for management traffic.

In monitor mode, the two internal ports operate differently than they do in routing mode:
- Port 1 is used for data. When operating in monitor mode, the data that the TMS zl Module receives is mirrored traffic.
- Port 2 is used for management traffic. When you configure the management VLAN for the TMS zl Module, port 2 automatically becomes an untagged member of the management VLAN. For example, if you configure VLAN 2 as the management VLAN and the TMS zl Module is installed in slot C, the internal port C2 is untagged for VLAN 2.

Internal Threat Detection with Local Mirroring
- The TMS zl Module can detect threats in internal traffic that passes through its host switch.

As you plan your TMS zl Module's deployment, consider whether you will use local mirroring or remote mirroring (or a combination of local and remote mirroring). When you use local mirroring, the switch mirrors traffic on its local ports to the TMS zl Module. The module can only detect threats in traffic that passes through its host switch. Therefore, for internal threat detection, you should install the module in a core switch. You can then mirror uplink ports to the TMS zl Module's internal port, and the module will examine the network traffic.

Perimeter Threat Detection with Local Mirroring
- The TMS zl Module can detect threats in external traffic that passes into the internal network through its host switch.

For external threat detection, you should install the module in a switch that connects to the WAN router. You can then mirror the traffic arriving from the external network directly to the module.

Internal or Perimeter Threat Detection with Remote Mirroring
- The TMS zl Module can detect threats in traffic throughout the network.

The 5400zl or 8212zl switch in which you install the module is capable of remote mirroring. If other switches in your network also feature this capability, you can mirror traffic from these switches to the module no matter where the switches are installed. In this way, the module can detect threats in traffic that does not pass through the network core. Note, however, that the more traffic you mirror, the more overhead you add to your network.
