First a disclaimer: This methodworks for a home network, maybe a small business network. I do describe how to do this using a specific vendors equipment. This isnt an endorsement of the vendor.
Back in the 100 BaseT days, it was pretty easy to make your own tap. You could essentially just connect the network cables transmit line to the receive pins of a output plug, and all it took was four network plug, a punch down tool and a bit of wire. Sadly, with Gigabit Ethernet, both pairs are used to transmit and receive. Tapping this type of network is a bit more tricky and requires more sophisticated circuitry.
You can buy some relativelycheap Taps, but often a simple switch is cheaper, and provides similar capabilities. To monitor just a single network segment, a simple switch like this may be perfectly acceptable, and with port-based VLANs, you can even aggregate multiple segments." />
There are three possible spots to connect a sensor:
- Between Firewall and Modem: In this case, you will see all the traffic entering / leaving the network. But you will only see the NATed traffic assuming that the firewall/router also does NAT. It will be difficult to assign traffic to a particular device on your network
- LAN: This is the network we use to connect our workstations/mobile device. We can define a port on the LAN switch as a mirror port and at least mirror the port connected to the gateway. This should give us a nice spot to connect a sensor.
- WAN: Same as for the LAN port, a mirror port on the switch will allow us to watch traffic to/from the servers connected to this switch
So how do we monitor traffic in both networks, the LAN and the WAN segment? There are a couple of options here:
Run the sensor on your Firewall/Router
If you are using a homemade Linux deviceor PF Sense, then it is pretty easy to install tools like snort or even bro on the device as well. Again: We are talking home network here. But even in a home network, I find that this type of setup quickly runs out of steam, in particular, if you are using less than state-of-the-art hardware.
Run a dedicated sensor, with multiple network cards
You will need a network card for each segmentand one more for a management network. In the diagram this would require at least three (LAN, DMZ + management) or even four (LAN, DMZ, WAN + management) . Finding a small / low-cost system with more than two network cards is challenging. But luckily, with some port-based VLAN trickery, our cheap monitor switch can be coerced into aggregating multiple networks.
Aggregating Multiple Network Segments with a Switch
I am using the Netgear GS105Ev2 switch. This is a 5 port switch that offers port-based VLANs and port mirroring, the two features I am going to use here. Other switches that provides these two features should work as well. This switch currently sells for about $45.
First, figure out which port you would like to use how. In my example, I am using:
Port 1 to manage the switch
Port 2,3,4 to connect to the different network segments
Port 5 to connect to the sensor (and remember that the monitoring interface of the sensor has no IP address, but is just listening)
First, lets configure the mirror feature. We define ports 2,3,4 as source" />
Next, lets define the VLANs. Setting up port-based VLANs is CRITICAL since we do not want to shortcut" />
So how bad is it? Does it work at all?
It does work pretty well. I still have to measure the exact throughput. The admin interface for the switch does become unresponsive pretty quickly, but well, once it is set up, you dont need to touch it anymore. There are better switches with more buffer memory that you can often get on eBay for not much more money. I am having a hard time finding real gigabit taps for less than a few hundred dollars on eBay. But you may get lucky. Many of the taps that you find around this same price are typically actually just switches that are preconfigured with a monitoring port.
Let me know if it works for you, or if you have better ideas to monitor multiple gigabit network segments. If you are just interested in using a switch as a tap, there are a couple of videos on YouTube walking you through the setup.
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.