From the course: CompTIA Advanced Security Practitioner (CASP+) (CAS-004) Cert Prep
Traffic mirroring
- When we talk about securing our enterprise architecture, we must start with the concept of traffic mirroring. This is important because in order to secure our networks, we have to be able to sense and monitor our networks, and in order to do that, we have to be able to see all the network traffic going into or out of our networks. This is where traffic mirroring comes into play. Now, traffic mirroring is a generic term for any technique that enables you to monitor network traffic passing into or out of a network. When you conduct traffic mirroring, there are four different methods we utilize: SPAN ports, port mirroring, VPC, and network taps. The Switched Port Analyzer port, or SPAN port, as most people like to call it, is a Cisco-proprietary method of conducting port mirroring. In the industry, most people use SPAN ports and mirrored ports to mean the exact same thing, but technically it's only correct to call it a SPAN port if you're using a Cisco device. For our purposes, though, the terms are going to be used interchangeably within this course and on the exam. Essentially, when you set up a SPAN port or a mirrored port, you configure the router or switch to make a copy of every packet that the device processes and then send it out the SPAN or mirrored port. This allows you to connect a device to that port to capture, monitor, or analyze all the packets being sent to or from this portion of the network. For example, if you have a small network, you could simply set traffic mirroring up on your external router, and then you'll see all the traffic entering and leaving your network. Different brands of routers have different features in regards to traffic mirroring, but most of them are going to support three different types: local traffic mirroring, remote traffic mirroring, and ACL-based traffic mirroring.
Local traffic mirroring is the most basic form. It allows you to connect a monitoring device or network analyzer to a local port and then receive, on that port, a copy of every piece of traffic going into or out of that network device. Now, remote traffic mirroring is going to allow you to instead create a GRE tunnel over an IP network, and this will allow you to connect a network analyzer to that network device. This means you don't have to be directly cabled to the router or switch that's being monitored; instead, you can do it remotely over the network. ACL-based traffic mirroring is going to allow you to monitor traffic based on the configuration of the interface's ACL. This means that instead of seeing everything, you could configure it to only mirror traffic meeting certain permit or deny statements in your ACLs. Now, SPAN ports and mirrored ports work great for physical networks, but once things start moving to the cloud, we have to figure out a way to monitor those parts of our network too. Enter the world of traffic mirroring in the virtual private cloud, or VPC. Traffic mirroring can be configured to copy all inbound and outbound traffic on the network interfaces that are attached to your cloud-based servers within a single virtual private cloud. That traffic can then be sent to a mirror target, some kind of monitoring appliance in the same VPC, or in a different VPC connected using intra-region peering or a transit gateway as part of your cloud infrastructure. Basically, you're going to configure a traffic mirror session and then configure a set of filter rules that'll be applied to that session. If any traffic matches your filter rules, that traffic is going to be encapsulated in a VXLAN header and sent to your mirror target for monitoring and analysis. Now, the fourth way to capture network data is to use a network tap. A network tap is a physical hardware device that connects to your network.
This tool will usually have three ports. One port is going to be dedicated to mirroring, and the other two are going to be used to connect to two different parts of your network. For example, you could tap your network between your ISP's modem and your border router. In this case, one port would be plugged into the modem, the other port is plugged into your border router, and the third port is going to be plugged into your monitoring or capture device. As data goes through that network tap, a copy is always sent to the monitoring device in real time. So which of these four options should you use? Well, many people like a hardware tap to be permanently installed for all their network devices. For example, if you want to install a network-based IDS, you can install a network tap and then connect your network-based IDS to its monitoring port, and you'll be able to see all the network traffic in real time. Now, on the other hand, if you're just troubleshooting a network, you might want to use a SPAN or mirrored port, and that can work well for your purposes. If you're going to be using a cloud solution, well, it's going to have to be a VPC or virtual private cloud, and that'd be the best way for you to go to monitor your cloud architecture.
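As an added example (not part of the course or transcript above), the following Python script shows the two mechanics the VPC section describes: the ordered accept/reject filter rules that decide whether a packet is copied at all, and the VXLAN encapsulation that the mirror target has to strip before it can inspect the original packet. The mirrored frame is constructed inline (Ethernet/IPv4/UDP 4789/VXLAN wrapping an inner TCP request), the addresses, VNI and rule set are invented sample values, and the filter semantics (evaluate the rules for one direction in ascending rule number, first match wins, no match means not mirrored) are an assumption modelled on how cloud mirror filters are generally described rather than any one provider's documented behaviour.

```python
"""Added example: VPC-style mirror filter evaluation and VXLAN decapsulation."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

VXLAN_PORT = 4789  # IANA-assigned UDP port for VXLAN; mirror targets listen here


@dataclass
class InnerPacket:
    """The original (mirrored) packet recovered from inside the VXLAN tunnel."""
    vni: int
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    payload: bytes


@dataclass
class FilterRule:
    """One mirror filter rule (assumed shape; sample values below are invented)."""
    number: int                       # rules are evaluated in ascending order
    direction: str                    # "ingress" or "egress"
    action: str                       # "accept" (mirror) or "reject" (do not mirror)
    protocol: Optional[int]           # IP protocol number, None = any
    source_cidr: str
    dest_cidr: str
    source_ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any
    dest_ports: Optional[Tuple[int, int]] = None


# Constructed sample rule set: never copy SSH, mirror everything else leaving the subnet.
SAMPLE_RULES = [
    FilterRule(10, "egress", "reject", 6, "10.0.0.0/16", "0.0.0.0/0", None, (22, 22)),
    FilterRule(100, "egress", "accept", None, "0.0.0.0/0", "0.0.0.0/0"),
]


def rule_matches(rule: FilterRule, pkt: InnerPacket) -> bool:
    """True when every populated field of the rule matches the packet."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.source_cidr):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dest_cidr):
        return False
    if rule.source_ports and not rule.source_ports[0] <= pkt.src_port <= rule.source_ports[1]:
        return False
    if rule.dest_ports and not rule.dest_ports[0] <= pkt.dst_port <= rule.dest_ports[1]:
        return False
    return True


def should_mirror(rules: List[FilterRule], direction: str, pkt: InnerPacket) -> bool:
    """First matching rule for the packet's direction decides; no match = not mirrored."""
    for rule in sorted((r for r in rules if r.direction == direction), key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule.action == "accept"
    return False


def _ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_sample_mirrored_frame(vni: int = 1000) -> bytes:
    """Constructed frame as a mirror target would receive it: outer UDP/4789 + VXLAN + copy."""
    payload = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    inner_ip = _ipv4_header("10.0.1.25", "10.0.2.40", 6, len(tcp) + len(payload))
    inner_eth = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60") + b"\x08\x00"
    inner = inner_eth + inner_ip + tcp + payload
    vxlan = struct.pack("!B3s3sB", 0x08, b"\x00\x00\x00", vni.to_bytes(3, "big"), 0)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan) + len(inner), 0)
    outer_ip = _ipv4_header("10.0.0.5", "10.0.9.9", 17, len(udp) + len(vxlan) + len(inner))
    outer_eth = bytes.fromhex("02aabbccddee") + bytes.fromhex("02aabbccddef") + b"\x08\x00"
    return outer_eth + outer_ip + udp + vxlan + inner


def decapsulate_vxlan(frame: bytes) -> InnerPacket:
    """Strip Ethernet/IPv4/UDP/VXLAN and parse the mirrored IPv4 packet inside."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    off = 14
    if frame[off + 9] != 17:
        raise ValueError("outer packet is not UDP")
    off += (frame[off] & 0x0F) * 4
    _, dst_port, _, _ = struct.unpack("!HHHH", frame[off:off + 8])
    if dst_port != VXLAN_PORT:
        raise ValueError("not VXLAN (expected UDP destination port 4789)")
    off += 8
    if not frame[off] & 0x08:                       # I flag: VNI field is valid
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    vni = int.from_bytes(frame[off + 4:off + 7], "big")
    off += 8
    if struct.unpack("!H", frame[off + 12:off + 14])[0] != 0x0800:
        raise ValueError("inner frame is not IPv4")
    off += 14
    ihl = (frame[off] & 0x0F) * 4
    ip_end = off + struct.unpack("!H", frame[off + 2:off + 4])[0]
    proto = frame[off + 9]
    src_ip = str(ipaddress.IPv4Address(frame[off + 12:off + 16]))
    dst_ip = str(ipaddress.IPv4Address(frame[off + 16:off + 20]))
    off += ihl
    src_port = dst_port = 0
    if proto in (6, 17):                            # TCP or UDP: ports are the first 4 bytes
        src_port, dst_port = struct.unpack("!HH", frame[off:off + 4])
        off += (frame[off + 12] >> 4) * 4 if proto == 6 else 8
    return InnerPacket(vni, src_ip, dst_ip, proto, src_port, dst_port, frame[off:ip_end])


if __name__ == "__main__":
    pkt = decapsulate_vxlan(build_sample_mirrored_frame())
    print(pkt)
    print("mirrored on egress:", should_mirror(SAMPLE_RULES, "egress", pkt))
```

Two points worth noticing when running it: the SSH reject rule only suppresses copies because it sorts before the catch-all accept (swap the rule numbers and SSH is mirrored too), and a packet with no ingress rules at all is never mirrored, so a filter that only lists egress rules silently gives the analyst half the conversation.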