01-05-2016 01:03 PM
We are looking at the idea of enabling OpenFlow to an HP VAN controller on one of our VLANs.
We see a lot of internet scanning activity on that VLAN; we want to block/quarantine once a threshold is hit, or even throttle if possible.
We use 2x HP 5900AF-48XG-4QSFP+ in an IRF stack, running Comware 7.1.045 2311P01 currently.
Do you think HP VAN and this Network Protector SDN app would be a possible solution to our problem?
Network protector details:
You can see from the below what we are trying to stop, which we can see via current sFlow reporting.
Each color in the bars is a single src IP address on our side; the height of the bars is the unique destination IPs on the specific TCP ports, so this shows scanning on VNC ports and HTTPS.
Smart Spaces TME
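The threshold check the question describes (unique destination IPs per source address per TCP port, as the sFlow bar chart shows it), written out as an added example; this is not code from the thread, from HPE, or from the VAN controller, and the flow records, window and threshold values are constructed:

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample records (ts_seconds, src, dst, dst_port); not real sFlow
# output. They mimic what the post's sFlow report aggregates: one sampled TCP
# connection attempt per record from a host on the monitored VLAN.
SAMPLE_FLOWS = (
    [(i, "10.0.5.20", "203.0.113.%d" % i, 5900) for i in range(1, 41)]   # VNC sweep
  + [(i, "10.0.5.20", "198.51.100.%d" % i, 443) for i in range(1, 9)]     # HTTPS sweep
  + [(1, "10.0.5.31", "198.51.100.7", 443),
     (2, "10.0.5.31", "198.51.100.7", 443),   # same dst again: counted once
     (3, "10.0.5.31", "198.51.100.8", 443)]   # ordinary client, two dsts
)

def fanout_by_source(flows, window, now):
    """Map (src, dst_port) -> set of unique dst IPs seen in the last `window`
    seconds up to `now`. Unique destinations, not packets, is the measure the
    post's bar chart uses, so repeated hits on one host do not inflate it."""
    fanout = defaultdict(set)
    for ts, src, dst, port in flows:
        if now - window < ts <= now:
            fanout[(ip_address(src), port)].add(ip_address(dst))
    return fanout

def scanners(flows, threshold, window=60, now=None, ports=(5900, 443)):
    """Return [(src, port, unique_dst_count)] for sources whose fan-out on a
    watched port reaches `threshold` inside the window, largest first.
    These are the candidates a controller app would quarantine or rate-limit."""
    if now is None:
        now = max(ts for ts, *_ in flows)
    fanout = fanout_by_source(flows, window, now)
    hits = [(str(src), port, len(dsts))
            for (src, port), dsts in fanout.items()
            if port in ports and len(dsts) >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))

if __name__ == "__main__":
    for src, port, n in scanners(SAMPLE_FLOWS, threshold=10):
        print("scan candidate %s -> %d unique dsts on tcp/%d" % (src, n, port))
```

The same per-source fan-out logic works on live sFlow samples fed from a collector, with the window sized to the sampling rate so a single busy client is not misread as a sweep.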
01-06-2016 09:43 AM
Network Protector is not going to be the right solution for this problem. Network Protector is designed to listen to client side DNS requests from a controlled network and filter those DNS requests against the TippingPoint RepDV security database.
Since the scanning behavior described is initiated from the Internet, Network Protector would not be able to see the initial DNS requests and thus not be able to provide any protection, visibility or mitigation.
Scott Koster | Product Line Manager, Campus Switching Software
Aruba, a Hewlett Packard Enterprise Company
Re: HP Van Network Protector
04-22-2016 04:45 PM
I think it may be possible to craft a solution to this problem using HPE networking products, but as Scott Koster pointed out above, the current release of the Network Protector application wouldn't solve it.
The possible solutions I can think of are:
1. Replace the 5900 IRF stack with a 5400R VSF stack or 3810 N-member stack. The 5400R/3810 include a feature called "connection-rate-filtering" which will perform the exact function that you're wanting. It will perform this function within the switch (without a controller) but will need to be populated with all statically-assigned IPs, and only enabled on edge-facing ports. I don't know if this is a possibility, since I don't know if your mention of "currently" was in reference to the hardware (5900) or the firmware (Comware 7.1).
2. Write a custom application which runs on the HPE VAN SDN controller which controls flows and monitors traffic in the desired way.