Basic LAN Tap
For those with a simple network, you can buy a Star LAN Tap. You can find these through a simple Google search or on the hakshop at myshopify. This is great for those that want to try out a network tap without making a large investment, as these can be had for less than $20.
Network Tap
For an enterprise network, I highly recommend buying a network tap for two reasons.
1. A network tap captures all traffic. Other solutions may drop packets.
2. A passive Network Tap can fail over and allow traffic when power is disrupted.
I have heard good things about Netoptics/Ixia taps and would advise getting one with the ability to do port aggregation.
Span port / Port mirroring
Port spanning is another option and can use your existing network infrastructure if your switches support this capability. It needs careful consideration, however, because the traffic being mirrored can exceed the span port's capacity and lead to packet loss. For example, if the span port only supports up to 100 megabits, and you have three ports on the switch already consuming 50 megabits each, a total of 150 megabits is mirrored to the span port. The data beyond 100 megabits gets dropped.
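The oversubscription arithmetic above, extended over several measurement intervals, as an added example that is not part of the original post. The per-port rates are constructed sample data, `span_loss` is a hypothetical helper name, and the model assumes the switch does not buffer excess mirrored traffic.

```python
# Added example: estimate SPAN-port loss from per-interval source-port rates.
# All sample values below are constructed for illustration.

# One dict per 1-second interval; each port maps to (rx, tx) in Mbit/s.
# Mirroring both directions copies rx AND tx onto the single SPAN egress link.
SAMPLES = [
    {"port1": (20, 10), "port2": (5, 5), "port3": (0, 0)},     # 40 offered
    {"port1": (50, 0), "port2": (50, 0), "port3": (50, 0)},    # 150: the case in the text
    {"port1": (20, 20), "port2": (5, 5), "port3": (5, 5)},     # 60
    {"port1": (40, 40), "port2": (15, 15), "port3": (0, 0)},   # 110
]


def span_loss(samples, span_capacity_mbps):
    """Estimate mirrored-traffic loss per interval and overall.

    Assumption: the switch has no buffer to absorb excess, so anything
    above the SPAN port's capacity in an interval is dropped.
    """
    if not samples:
        raise ValueError("need at least one sample interval")
    intervals = []
    offered_total = dropped_total = 0.0
    for index, sample in enumerate(samples):
        offered = sum(rx + tx for rx, tx in sample.values())
        dropped = max(0, offered - span_capacity_mbps)
        offered_total += offered
        dropped_total += dropped
        intervals.append({"interval": index, "offered_mbps": offered, "dropped_mbps": dropped})
    return {
        "intervals": intervals,
        "average_offered_mbps": offered_total / len(samples),
        "peak_offered_mbps": max(i["offered_mbps"] for i in intervals),
        "loss_fraction": dropped_total / offered_total if offered_total else 0.0,
    }


if __name__ == "__main__":
    result = span_loss(SAMPLES, span_capacity_mbps=100)
    for row in result["intervals"]:
        print(row)
    print("average offered:", result["average_offered_mbps"], "Mbit/s")
    print("peak offered:", result["peak_offered_mbps"], "Mbit/s")
    print("estimated loss: {:.1%}".format(result["loss_fraction"]))
```

In this sample the average offered load stays below the span port's capacity, yet the two intervals that exceed it still lose traffic, so compare peak rates rather than averages against the span port speed.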
For my own personal network, I decided to use the Netgear GS105Ev2 switch with port mirroring capabilities. The switch was listed on the SecurityOnion website as possible hardware to use. The switch has had fairly stable performance but requires Windows for configuration and initial setup.
To set up the switch, first download the Prosafe Plus Configuration Utility, which only works on Windows, then run it.
The software requires that the computer from which you are administering the device and the switch be on the same subnet; otherwise you will receive the error "switch and manager IP address are not in the same subnet!"
I have personally found that a common cause is using a wireless connection when attempting to change the settings on the switch.
Once physically plugged into the ISP-provided router / switch, I will sometimes continue to receive the same error message, "switch and manager IP address are not in the same subnet!"
I have found it helps to select IP setting on the bottom right.
Once in the IP settings, either check "Refresh" or toggle DHCP mode to be Disabled then back to Enabled.
Once successfully logged into the switch, go to System > Monitoring > Mirroring.
Select Enable to turn on the Port Mirroring feature, then select the ports you want to monitor by checking Source Port, and select the port you want to be the destination for the mirrored traffic (the span port).
References:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware
http://hakshop.myshopify.com/products/throwing-star-lan-tap