Archive for 15 May, 2009

Quis custodiet ipsos facis?

Posted in Why watch the wire? on 15 May, 2009 by Alec Waters

According to the Magic Internet, that means “who watches the packets?” I bet my latin teacher would have a few comments on that translation…

Anyway, we’ve decided that we’re interested in the network traffic crossing the point between our switch and our small-office router. We have made this decision because we do not wish to trust our security solely to preventative measures which will inevitably let us down. We want to try to spot the Badness getting in and out, and this is the way to do it.

The practicalities of this are twofold – we need a sensor with which to collect the traffic, and we need some way of directing our traffic to it so that it can be examined.

For the most part, the sensor is some kind of computer with at least one network interface of a type appropriate to your infrastructure (e.g., perhaps it’s an ordinary copper ethernet interface, or a fibre-optic interface, or even a wifi one). The sensor will not interfere with the collected traffic in any way, as it will usually be fed a copy of the traffic you want to inspect. This prevents the mere presence or absence of the sensor from breaking any of your stuff, and also has the happy side effect of preventing the Baddies from even knowing you’ve deployed it.

There are a number of ways we can get a copy of our network traffic to our sensor:

  • If our switch is capable of it, we might be able to set up a SPAN port. We can configure a SPAN port that will output a copy of everything sent and received on the switchport that connects to our router. By plugging our sensor into this SPAN port, it will be able to see all of our Internet traffic.
  • If our sensor has two or more monitoring interfaces, we can use a network tap. A tap will physically sit on the path between our switch and our router, and will “syphon off” a copy of the network traffic for our sensor to look at. Although the tap is inline, it doesn’t alter the observed traffic and it won’t permit the sensor to inject any traffic of its own. It’s the purest form of capture, and can be dropped in without altering the configuration of any other devices. Tap manufacturer Netoptics has a comparison between tap and SPAN here.
  • A final option might be something like Cisco’s Raw IP Traffic Export (RITE). This is something of a last choice, though; generally speaking tap and SPAN are superior options. However, for some topologies this may be the only option – you may not be physically able to use tap or SPAN if you want to capture the traffic crossing a virtual IP interface on a layer three switch, for example.

For the sake of simplicity, let’s say our sensor has just one monitoring interface and we’re feeding it from a SPAN port on our office’s switch. We are now ready to spot the Badness! However, our sensor needs to be able to do something with the traffic we’re spewing at it. We need to be able to receive it, store it, inspect it, mine it.

Hold tight – things are about to get interesting!

Alec Waters is responsible for all things security at Dataline Software, and can be emailed at alec.waters(at)