4/14/19

When it comes to network security, we all do the basics, but do we truly know what is happening on our network?

We need to monitor our network traffic, and that is no longer a nice-to-have but the norm. We used to think that securing the edge and putting AV/AM on a PC was enough, but it's not.

This is why a SIEM device, such as the SMA and VMS from SocSoter, can be deployed to ensure you are covering all your bases. But first, in order to deploy a SIEM unit, you need to set up an interface on a switch that will allow the unit to live promiscuously on the network; this is accomplished with a mirror port.

Below are the instructions for setting up a mirror port on a Cisco 3750X switch:

Some keywords:

Source: this keyword follows at the end of the command

  1. [both] = inbound and outbound monitoring

Destination: these keywords follow at the end of the command

  1. [encapsulation dot1q] <<- for when you're trunking multiple VLANs
  2. [ingress vlan] <<- set the default VLAN

 

Switch# config t

Switch(config)# monitor session 1 source interface gigabitethernet1/0/1 - 47 both

Switch(config)# monitor session 1 destination interface gigabitethernet1/0/48 encapsulation dot1q

Switch(config)# exit

Switch# copy running-config startup-config

The above configuration is how you would set up a mirror on a Cisco switch. The 'source' ports designate which ports on the network are being monitored, and the 'destination' port is used by the SIEM device to collect the network traffic. The best way to describe how the unit works is that it is like an inline protocol analyzer such as Wireshark, except that it parses this data, and a good SIEM unit will then make sense of the gibberish.
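
A session like the one above funnels 47 source ports, in both directions, into a single destination port, so the SIEM can miss frames whenever the combined traffic exceeds what port 48 can transmit. The sanity check below is an added example, not part of the original post or of any vendor tool: it parses 'monitor session' lines and reports the worst-case oversubscription ratio and any port listed as both source and destination. The Gi1/0/N port naming, the uniform 1 Gb/s port speed and the sample config text are assumptions.

```python
import re

# Constructed sample: SPAN lines for the session above, assuming the
# 3750X ports are named Gi1/0/N (no direction keyword means "both").
SAMPLE_CONFIG = """\
monitor session 1 source interface Gi1/0/1 - 47
monitor session 1 destination interface Gi1/0/48 encapsulation dot1q
"""

LINE_RE = re.compile(r"^monitor session (\d+) (source|destination) interface (.+)$")
PORT_RE = re.compile(r"([A-Za-z]+)(\d+/\d+/)(\d+)(?:\s*-\s*(\d+))?")

def expand_ports(spec):
    """Expand 'Gi1/0/1 - 3 , Gi1/0/5' into individual port names."""
    return [f"{kind}{prefix}{n}"
            for kind, prefix, first, last in PORT_RE.findall(spec)
            for n in range(int(first), int(last or first) + 1)]

def audit_span(config, port_mbps=1000):
    """Summarise each monitor session; port_mbps is an assumed uniform speed."""
    sessions = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sess = sessions.setdefault(int(m.group(1)), {"src": {}, "dst": []})
        spec = m.group(3)
        if m.group(2) == "source":
            # rx or tx copies one direction; 'both' (the default) copies two
            streams = 1 if re.search(r"\b(rx|tx)\s*$", spec) else 2
            for port in expand_ports(spec):
                sess["src"][port] = streams
        else:
            sess["dst"] += expand_ports(spec)
    report = {}
    for sid, sess in sessions.items():
        # Each destination port receives a full copy, so compare the
        # worst-case mirrored load against the speed of a single port.
        worst_mbps = sum(sess["src"].values()) * port_mbps
        report[sid] = {
            "sources": len(sess["src"]),
            "has_destination": bool(sess["dst"]),
            "overlap": sorted(set(sess["src"]) & set(sess["dst"])),
            "oversubscription": worst_mbps / port_mbps if sess["dst"] else None,
        }
    return report

if __name__ == "__main__":
    print(audit_span(SAMPLE_CONFIG))
```

The ratio is a theoretical ceiling that only matters when the source ports are busy at the same time; comparing it with real utilisation shows whether to mirror fewer ports, one direction only, or to a faster destination port.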