Tuesday, 16 March 2010

Traffic monitoring, NTOP

Today I want to talk about a very useful utility for monitoring the network. What is the goal? The traffic of my office has to be kept under control: I need to check who visits forbidden internet pages or who uses P2P applications.
I don't like to spy on my users, but if the boss asks me, I have to report any malicious traffic to him. What is the right product for this?

My reference product for this is NTOP. NTOP is an open-source traffic monitoring probe that runs on Linux and other Unix-like operating systems; it shows you the network usage, and with a browser you can get a snapshot of what is happening in your network.

Luca Deri, University of Pisa, developed and maintains it.

Integration in a network:
If you have a network based on CISCO switches, you can use the SPAN feature: enable SPAN on your network core to mirror the traffic to the port connected to the ntop server.

For example:
I have a network core made with 2 CISCO 3750; it is connected to the firewall through the port GigabitEthernet 0/0/1. The ntop server has 2 gigabit ports: the first gigabit port is in promiscuous mode (ntop sets it for you) and receives the traffic mirrored with the SPAN feature from the port GigabitEthernet 0/0/2 of the core. The second port is connected to the network and has an IP address of our network, so we can reach our ntop server with a browser.

On the switches I will configure (replace session_number with a free SPAN session id):
conf term
! source: the uplink to the firewall; "both" mirrors received and transmitted frames
monitor session session_number source interface GigabitEthernet0/0/1 both
! destination: the port cabled to the sniffing NIC of the ntop server
monitor session session_number destination interface GigabitEthernet0/0/2
end
write mem

Now connect with your browser to:
http://ntop-ipaddress:3000
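As an added example (not from the original post), a small sh script that checks the sniffer host built above: the SPAN-fed NIC must be up and promiscuous with no IPv4 address, and ntop's web UI should listen only on the management address. It assumes the interface names eth0 (capture) and eth1 (management), the documentation prefix 192.0.2.0/24, and the ntop options -i, -w, -u, -m and -d as described in ntop's manual page; verify them against your version.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed names: eth0 is the
# NIC cabled to the SPAN destination port, eth1 carries the management IP.
CAPTURE_IF=eth0
MGMT_IP=192.0.2.10          # assumed management address (RFC 5737 prefix)
LOCAL_NET=192.0.2.0/24      # assumed "local" prefix for ntop's -m option
# check_capture_iface: reads "ip addr show dev <iface>" output on stdin.
# The mirrored NIC must be UP and PROMISC and must carry no IPv4 address,
# so the probe only listens on the mirrored segment and cannot be reached
# from it. Prints OK or a FAIL reason; returns 1 on failure.
check_capture_iface() {
    out=$(cat)
    case "$out" in
        *PROMISC*) ;;
        *) echo "FAIL: not in promiscuous mode"; return 1 ;;
    esac
    case "$out" in
        *"inet "*) echo "FAIL: capture interface has an IPv4 address"; return 1 ;;
    esac
    case "$out" in
        *"state UP"*) ;;
        *) echo "FAIL: link is down"; return 1 ;;
    esac
    echo "OK"
}
# ntop_cmdline <capture_iface> <mgmt_ip> <local_net>: builds the ntop start
# command (flags assumed from ntop's man page): -i sniffs only the SPAN-fed
# NIC, -w binds the web UI to the management address on port 3000, -u drops
# root privileges, -m marks the local prefix, -d runs as a daemon.
ntop_cmdline() {
    printf 'ntop -i %s -w %s:3000 -u ntop -m %s -d\n' "$1" "$2" "$3"
}
# Constructed sample outputs of "ip addr show", for offline checking.
SAMPLE_GOOD='2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_BAD="$SAMPLE_GOOD
    inet 192.0.2.20/24 brd 192.0.2.255 scope global eth0"
# With "apply" as first argument, strip any address from the capture NIC,
# bring it up, verify it and print the ntop command; otherwise self-check.
if [ "${1:-}" = "apply" ]; then
    ip addr flush dev "$CAPTURE_IF"
    ip link set dev "$CAPTURE_IF" up promisc on
    ip addr show dev "$CAPTURE_IF" | check_capture_iface || exit 1
    ntop_cmdline "$CAPTURE_IF" "$MGMT_IP" "$LOCAL_NET"
else
    printf '%s\n' "$SAMPLE_GOOD" | check_capture_iface
    printf '%s\n' "$SAMPLE_BAD" | check_capture_iface || true
fi
```

Run it with no arguments to exercise the checks on the constructed samples, or with `apply` as root on the ntop host to prepare the capture NIC and print the start command.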
