Sunday, March 13, 2016

Setting up a network tap

The SecurityOnion GitHub page is an excellent resource for anyone looking for the hardware needed to capture packets. There are multiple ways to tackle the problem of gathering network packets, ranging from cheap hobbyist gear to full enterprise solutions.

Basic LAN Tap
For those with a simple network, you can buy a Star LAN Tap. You can find these through a simple Google search or on the hakshop at myshopify. This is great for anyone who wants to try out a network tap without making a large investment, as these can be had for less than $20.

Network Tap
For an enterprise network, I highly recommend buying a network tap for two reasons.
1. A network tap captures all traffic; other solutions may drop packets.
2. A passive network tap can fail open and keep passing traffic when power is disrupted.

I have heard good things about Netoptics/Ixia taps and would advise getting one with the ability to do port aggregation.

Span port / Port mirroring
Port spanning is another option and can use your existing network infrastructure if your switches support it. However, it needs careful consideration: the traffic mirrored to the span port can exceed that port's capacity and lead to packet loss. For example, if the span port only supports up to 100 megabits, and three ports on the switch are each already consuming 50 megabits, a total of 150 megabits is mirrored to the span port, and everything beyond 100 megabits gets dropped.
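As an added sizing check (not from the original post), the following script models the oversubscription calculation above. It assumes per-port utilisation figures you measure yourself, and it extends the post's example to the case where both directions of a full-duplex port are mirrored, which can double the load on the span port.

```python
from dataclasses import dataclass


@dataclass
class SourcePort:
    """Utilisation of one monitored switch port, in megabits per second."""
    name: str
    rx_mbps: float  # traffic arriving at the switch on this port
    tx_mbps: float  # traffic leaving the switch on this port


def mirrored_load_mbps(sources, direction="both"):
    """Total traffic the span port must carry for the given source ports.

    direction is "rx", "tx" or "both". Mirroring both directions of a
    full-duplex port can need up to twice that port's line rate on the
    span port, which is the usual way a span port gets oversubscribed.
    """
    total = 0.0
    for port in sources:
        if direction in ("rx", "both"):
            total += port.rx_mbps
        if direction in ("tx", "both"):
            total += port.tx_mbps
    return total


def span_port_check(sources, span_capacity_mbps, direction="both"):
    """Return (mirrored_mbps, dropped_mbps, loss_fraction) for a span port.

    Anything above the span port's capacity is assumed to be dropped,
    which is the failure mode the post warns about.
    """
    total = mirrored_load_mbps(sources, direction)
    dropped = max(0.0, total - span_capacity_mbps)
    loss = dropped / total if total else 0.0
    return total, dropped, loss


# Constructed sample matching the post: three ports consuming 50 Mb/s each
# (25 Mb/s in each direction), mirrored onto a 100 Mb/s span port.
EXAMPLE_PORTS = [SourcePort(f"port{i}", rx_mbps=25, tx_mbps=25) for i in (1, 2, 3)]

if __name__ == "__main__":
    total, dropped, loss = span_port_check(EXAMPLE_PORTS, 100)
    print(f"mirrored {total:.0f} Mb/s, dropped {dropped:.0f} Mb/s, loss {loss:.0%}")
```

Mirroring only one direction (for example direction="rx") is one way to keep a span port within capacity at the cost of visibility into the other half of each conversation.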

For my own personal network, I decided to use the Netgear GS105Ev2 switch, which has port mirroring capabilities. The switch was listed on the SecurityOnion website as possible hardware to use. The switch has had fairly stable performance but requires Windows for configuration and initial setup.

To set up the switch, first download the Prosafe Plus Configuration Utility, which only works on Windows, and then run it.

The utility requires that the computer from which you administer the device and the switch be on the same subnet; otherwise you will receive the following error.

I have personally found that a common cause is using a wireless connection when attempting to change the settings on the switch.

Once physically plugged into the ISP-provided router / switch, I will sometimes continue to receive the same error message, "switch and manager IP address are not in the same subnet!"

I have found it helps to select IP setting on the bottom right.

Once in the IP settings, either select "Refresh" or toggle DHCP mode to Disabled and then back to Enabled.

Once successfully logged into the switch, go to System > Monitoring > Mirroring.

Select Enable to turn on the Port Mirroring feature, then select the ports you want to monitor by checking Source Port, and select the port you want to be the destination for the mirrored traffic (the span port).

References:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware

http://hakshop.myshopify.com/products/throwing-star-lan-tap

Tuesday, March 8, 2016

My personal network setup, multi-part series

It has been almost half a year since I last blogged. It is time to brush off the cobwebs and start blogging! There are many ways to implement network security monitoring at home. My personal network is just one way to set up NSM in a home environment.

Wax on, wax off. 

Before eagerly buying equipment and getting hands on keyboard, you need to settle on a general architecture and think through a few considerations. First, understand your environment and needs.

Some considerations
Where do you want visibility in your home network?
What are your ingress/egress points?
How do most endpoints get to the internet?
Are there specific digital assets you want network visibility into?

Many home networks likely consist of one device that serves as the modem, switch, and wireless router. For example, the Actiontec device usually issued to Verizon FIOS customers combines a router and a wireless router in one appliance.
With a combined network gateway, you need to consider whether and how you are going to monitor endpoints that connect wirelessly. If you have one of these all-in-one devices and the ISP router serves as the default gateway for both wired and wireless traffic, then you will have a blind spot for endpoints connecting to its wireless router, because there is no way to place an NSM solution inline before the ISP router.

For my network architecture, I have another switch with port mirroring enabled connected to the network gateway, and I have set up a wireless access point off the additional switch.

Stay tuned while I make another post about setting up a network tap.