2/12/19

A strong defense-in-depth approach to network security is becoming more and more the norm in today’s IT landscape. Securing the endpoints and servers is assumed to be enough; it’s not.

The need to monitor the networks we maintain is becoming more and more a MUST. We all deploy networks with security in mind (right?), be it the networking, storage, servers, virtualization or other pieces. But I know we are all human, and we probably don’t do the best job of securing everything.

This is why solutions like a SIEM device, such as an SMA and VMS from SocSoter, can be deployed to ensure you are covering all your bases. But first, in order to deploy a SIEM unit, you need to set up an interface on a switch that will allow the unit to live promiscuously on the network; this is accomplished with a mirror port.

Below are the instructions for setting up a mirror port on a Netgear M4300 switch:

(Switch) # config

(Switch) (Config)# monitor session 1 mode 1

(Switch) (Config)# monitor session 1 source interface 1/0/1-1/0/47

(Switch) (Config)# monitor session 1 destination interface 1/0/48

(Switch) (Config)# exit

(Switch) # wr mem

The above configuration is how you would set up a mirror on a Netgear switch. The ‘source’ ports designate which ports on the network are being monitored, and the ‘destination’ port is used by the SIEM device to collect the network traffic. The best way to describe how the unit works is that it is like an inline protocol analyzer such as Wireshark, but it parses this data, and a good SIEM unit will then make sense of the gibberish.
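One way to check that the destination port really delivers mirrored traffic, added here as an example (it is not part of the original write-up, nor Netgear's or the SIEM vendor's tooling): read a short capture taken on the interface cabled to 1/0/48 and count unicast frames addressed to hosts other than the sensor. The function name, the sensor MAC and the sample capture are constructed for illustration, and the capture is assumed to be in classic pcap format with Ethernet framing.

```python
import struct

def foreign_unicast_frames(pcap_bytes, sensor_mac):
    """Return (total_frames, frames_for_other_hosts) for a classic pcap capture.

    A unicast frame whose destination MAC is not the sensor's own NIC only
    shows up in volume on a port that receives mirrored traffic.
    """
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("expected Ethernet captures (link type 1)")
    sensor = bytes.fromhex(sensor_mac.replace(":", ""))
    total = foreign = 0
    offset = 24                                   # skip the global header
    while offset + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])[2]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 14:                       # truncated record, no full header
            continue
        total += 1
        dst = frame[:6]
        is_group = dst[0] & 1                     # broadcast/multicast bit
        if not is_group and dst != sensor:
            foreign += 1
    return total, foreign

def _record(dst_hex, src_hex):
    """Build one pcap record holding a minimal IPv4-typed Ethernet frame."""
    frame = bytes.fromhex(dst_hex + src_hex) + b"\x08\x00" + b"\x00" * 46
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: one broadcast, one frame to the sensor, one frame
# between two other hosts (the kind only a mirror port should deliver).
SENSOR_MAC = "02:00:00:00:00:48"
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _record("ffffffffffff", "020000000001")
          + _record("020000000048", "020000000001")
          + _record("020000000002", "020000000001"))

if __name__ == "__main__":
    total, foreign = foreign_unicast_frames(SAMPLE, SENSOR_MAC)
    print(f"{foreign} of {total} frames were addressed to other hosts")
```

On a real capture, a count of zero (or only a handful of flooded frames) for other hosts suggests the sensor is plugged into an ordinary port rather than the mirror destination.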

I hope this short write-up can help someone get a SIEM unit working on a Netgear M4300 switch. 🙂