IT Trenches

March 26, 2008  6:04 PM

Did you see this? – The People’s Forensics

Troy Tate

This post, and future ones like it, will be dedicated to websites I discover in my internet journeys that seem useful and may help someone else out there with a need they have.

Today’s website is the Forensics Wiki. Of particular interest to the security practitioners out there is the Tools section. For some education and background, check out the How-To section. The wiki seems to be in its infancy, but its potential value is high.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

March 20, 2008  1:09 PM

Researching Network TAPs – an end to network blindness?

Troy Tate

What is the best means of watching data network traffic at the edge? My need: watch traffic inbound and outbound at the edge of the LAN and be able to remotely view reports. The reports would show information such as: current traffic flow volume & conversations; historic traffic flow volume; netflow data; latency from LAN to remote hosts.

So, some questions need to be asked and some answers given.

Where to place potential solutions:

  1. In the router or “cloud”.
  2. In the edge LAN switch.
  3. Between the router and the edge LAN switch.

What are the potential issues with sensor location:

  1. Router or “cloud” – network address translation (NAT) may hide actual source address information. What load would this service put on the router? Would there be any costs for implementing this on the router and/or in the cloud? We use managed data network services so this could be a concern.
  2. LAN edge switch – is port spanning or “mirroring” a valid option? What other monitoring services can the switch provide? SNMP or RMON? How would the monitor be remotely accessed if there is only one NIC and it is in listening mode only? Note that placing a destination switch port in span mode does not permit any outbound traffic to occur on that interface.
  3. Between the LAN & WAN – is another switch needed with port spanning/mirroring? Would a hub work, given that it turns the link into a half-duplex link for inbound/outbound traffic?

What hardware provides potential solutions:

  1. Router or “cloud” – not the preferred method since not under my control and may have change request or monthly service costs involved.
  2. LAN edge switch – the monitoring system would require dual NICs: one to listen/monitor and one for remote access. Port spanning or mirroring could place a load on the switch. SNMP or RMON queries can add traffic to the network link and impact the monitoring accuracy.
  3. Between the LAN & WAN – a hub is not desirable for the reason mentioned above: it forces the full-duplex link down to half-duplex and creates a bottleneck, even though the WAN link is usually much smaller than the LAN. The alternative to a hub appears to be a device called a network TAP or port aggregator. This is the solution I plan on investigating further.
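
As an added example (not code from this post), here is a small capacity check for the placements compared above. It models the one question that decides whether the monitor sees every packet: can the sustained rx+tx of a full-duplex edge link fit through the monitoring path? The `Link` type, the Mbps figures and the assumption that a hub runs at the link's nominal speed are constructed for the example.

```python
# Constructed capacity check for the monitoring placements discussed above
# (added example; not code from the IT Trenches post). Speeds are in Mbps
# and are sustained averages; burst buffering in real TAPs is ignored.
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    speed_mbps: float     # nominal speed of ONE direction of the full-duplex link
    inbound_mbps: float   # sustained traffic entering the LAN
    outbound_mbps: float  # sustained traffic leaving the LAN


def span_port_fits(link: Link, monitor_port_mbps: float) -> bool:
    """A SPAN/mirror destination port receives copies of BOTH directions of the
    monitored port on a single output. Once rx+tx exceeds the destination port's
    speed the switch drops the excess copies, so the monitor silently sees an
    incomplete picture while the production link itself stays healthy."""
    return link.inbound_mbps + link.outbound_mbps <= monitor_port_mbps


def hub_fits(link: Link) -> bool:
    """A hub turns the router<->switch link into one half-duplex collision
    domain: inbound and outbound now share the link's nominal speed (assumed
    here to equal the hub's speed), so the production link itself bottlenecks."""
    return link.inbound_mbps + link.outbound_mbps <= link.speed_mbps


def breakout_tap_fits(link: Link, monitor_port_mbps: float) -> bool:
    """A passive breakout TAP delivers each direction on its own monitor output,
    so each direction only has to fit its own monitor NIC and the production
    link stays full-duplex."""
    return max(link.inbound_mbps, link.outbound_mbps) <= monitor_port_mbps


def aggregator_tap_fits(link: Link, monitor_port_mbps: float) -> bool:
    """A port aggregator merges both directions onto one monitor NIC, so its
    sustained-rate ceiling is the same as a SPAN port's (its buffer only absorbs
    short bursts), but unlike a hub it leaves the production link full-duplex."""
    return link.inbound_mbps + link.outbound_mbps <= monitor_port_mbps


def evaluate(link: Link, monitor_port_mbps: float) -> dict:
    """Return {placement: fits_without_drops} for each option from the post."""
    return {
        "span_port": span_port_fits(link, monitor_port_mbps),
        "hub": hub_fits(link),
        "breakout_tap": breakout_tap_fits(link, monitor_port_mbps),
        "aggregator_tap": aggregator_tap_fits(link, monitor_port_mbps),
    }


if __name__ == "__main__":
    # Constructed: 100 Mbps full-duplex edge link carrying 60 Mbps each way,
    # watched through a 100 Mbps monitor NIC.
    busy = Link(speed_mbps=100, inbound_mbps=60, outbound_mbps=60)
    for placement, ok in evaluate(busy, monitor_port_mbps=100).items():
        print(f"{placement:15s} {'ok' if ok else 'DROPS / bottleneck'}")
```

Run against a lightly loaded WAN link every option fits, which is why the hub's half-duplex penalty is easy to overlook until the link is busy.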

Has anyone else had experience with implementing a network TAP or port aggregator for network monitoring? I will also discuss what applications I plan on using to monitor network traffic in a future post.

Thanks for your time. Let’s be good network citizens together & practice safe networking!
