Port Mirroring & Ubiquiti


Josh Silvestro

Jan 21, 2018, 7:26:13 AM
to security-onion
Hello fellow onions.

So normally when adding an IDS (or in this case SO) to a network, as long as their switch supports it, I've always mirrored all ports to the IDS. However, a new client has all brand-new Ubiquiti UniFi hardware, and I was surprised to learn that, at their price point, it appears to only allow one port to be mirrored per switch -_-

That being said, is anyone else using (or has anyone used) Ubiquiti, and if so, was there any way around this? Or a suggested setup?

At this point, my thoughts are:
- The switches are daisy chained so I really only need to monitor the ingress/egress port on each switch.
- However, the main switch has multiple items such as servers, firewall, etc. going into it. Because of that, I was going to mirror the servers via the VMware vnet, and probably have to put the firewall into a small 4-port switch that supports mirroring. Seems silly :\

Open to any thoughts and suggestions! Thanks.
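To make the trade-off in the setup above concrete, here is an added example (not code from this thread or from Security Onion) that models a daisy-chained topology with a limit of one mirrored port per switch and reports which host pairs a sensor fed by those mirrors can and cannot see. Switch names, port numbers and hosts are constructed for illustration; a mirror session is assumed to copy both directions of its source port, and the sensor is assumed to have a NIC on every mirror destination port.

```python
"""Visibility model for a topology with one mirror session per switch.

Added example, not code from the thread or from Security Onion. It models
the setup described in the post: daisy-chained switches, a limit of one
mirrored port per switch, and a main switch that also carries the servers
and the firewall. Switch names, port numbers and hosts are constructed.
A mirror session is assumed to copy both directions of its source port.
"""
from collections import deque
from itertools import combinations

# host -> (switch, access port). Constructed sample topology.
HOSTS = {
    "fw":   ("sw-main", 1),
    "esxi": ("sw-main", 2),
    "pc1":  ("sw-a", 3),
    "pc2":  ("sw-a", 4),
    "pc3":  ("sw-b", 5),
}
# Inter-switch links as ((switch, port), (switch, port)); a daisy chain.
LINKS = [
    (("sw-main", 24), ("sw-a", 24)),
    (("sw-a", 23), ("sw-b", 24)),
]
MAX_SESSIONS_PER_SWITCH = 1  # the per-switch limit the post describes


def _adjacency():
    """switch -> [(neighbour, local port, remote port)]."""
    adj = {}
    for (s1, p1), (s2, p2) in LINKS:
        adj.setdefault(s1, []).append((s2, p1, p2))
        adj.setdefault(s2, []).append((s1, p2, p1))
    return adj


def ports_on_path(a, b):
    """Set of (switch, port) a frame between hosts a and b passes through."""
    sa, pa = HOSTS[a]
    sb, pb = HOSTS[b]
    adj = _adjacency()
    prev = {sa: None}            # BFS over switches, remembering the link used
    queue = deque([sa])
    while queue and sb not in prev:
        cur = queue.popleft()
        for nxt, local, remote in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = (cur, local, remote)
                queue.append(nxt)
    if sb not in prev:
        raise ValueError(f"no switch path between {a} and {b}")
    ports = {(sa, pa), (sb, pb)}  # both access ports are always crossed
    cur = sb
    while prev[cur] is not None:
        parent, local, remote = prev[cur]
        ports.add((parent, local))
        ports.add((cur, remote))
        cur = parent
    return ports


def visible_flows(mirrors):
    """Split every host pair into (seen, blind) for a set of mirrored ports.

    mirrors: set of (switch, port) whose traffic is copied to the sensor.
    Raises ValueError if any switch exceeds MAX_SESSIONS_PER_SWITCH.
    """
    per_switch = {}
    for sw, _ in mirrors:
        per_switch[sw] = per_switch.get(sw, 0) + 1
    over = [sw for sw, n in per_switch.items() if n > MAX_SESSIONS_PER_SWITCH]
    if over:
        raise ValueError(f"too many mirror sessions on: {', '.join(over)}")
    seen, blind = set(), set()
    for a, b in combinations(sorted(HOSTS), 2):
        (seen if ports_on_path(a, b) & mirrors else blind).add((a, b))
    return seen, blind


if __name__ == "__main__":
    # Uplinks only: the obvious choice, but blind to pairs on the same switch.
    uplinks_only = {("sw-main", 24), ("sw-b", 24)}
    # sw-main's mirror already covers the main<->a link, so sw-a's single
    # session can be spent on an access port instead of its uplink.
    with_spare = uplinks_only | {("sw-a", 3)}
    for label, mirrors in [("uplinks only", uplinks_only),
                           ("spare session used", with_spare)]:
        seen, blind = visible_flows(mirrors)
        print(f"{label}: {len(seen)} pairs seen, blind to {sorted(blind)}")
```

Mirroring only the uplinks leaves both same-switch pairs (firewall to ESXi host on the main switch, and two workstations on the same access switch) invisible; using a switch's one session on an access port rather than its uplink recovers one of them, but the firewall-to-server gap on the main switch is exactly the one that needs the hypervisor-side mirror or the small mirroring switch mentioned in the post. Each mirror destination port also consumes a sensor NIC, so three mirrors means three sniffing interfaces on the SO box.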

Mark W. Jeanmougin

Jan 21, 2018, 8:41:05 PM
to securit...@googlegroups.com
Josh,

I've done two types of SO deployments:

For SOHO offices, I normally monitor the line going from the access switch to the firewall. I don't worry about intra-office traffic.

For Enterprise deployments, I prefer to use physical taps (as opposed to port mirrors) on the lines connecting the networks being monitored to the upstream network device. As much as I'd love to see all intra-VLAN traffic for every VLAN in the Enterprise, that usually isn't cost appropriate. :)

Having said that, at $DayJob, auditors are asking us to do that for certain VLANs. I'll see how that goes with the next round of budget requests. :)

MJ
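Whether the feed comes from a port mirror or a physical tap, the first thing to verify on the sensor is that both directions of each conversation actually arrive. The following is an added example (not code from this thread, from Security Onion or from any tap vendor): it reads tcpdump -nn style text and flags conversations where only one side was captured even though that side was acknowledging the other. The SAMPLE lines are constructed, not a real capture.

```python
"""Check that a sensor interface sees both directions of each conversation.

Added example, not from the thread, from Security Onion or from a tap
vendor. It reads tcpdump -nn style text (SAMPLE below is constructed) and
classifies each conversation. A one-sided conversation that carries ACKs
means the peer talked and the sensor never saw it: the usual symptom of a
sensor cabled to only one output leg of a passive tap, or of a mirror
session copying a single direction. One-sided traffic without ACKs (SYN
retransmits, a lone UDP packet) cannot be told apart from an unanswered
host and is reported separately.
"""
import re
from collections import defaultdict

# "IP a.b.c.d.sport > e.f.g.h.dport:" as printed by tcpdump -nn for IPv4.
_ENDPOINTS = re.compile(
    r"\bIP (\d{1,3}(?:\.\d{1,3}){3})\.(\d+) > (\d{1,3}(?:\.\d{1,3}){3})\.(\d+):")
_FLAGS = re.compile(r"Flags \[([^\]]*)\]")

SAMPLE = """\
10:01:01.000001 IP 192.168.1.10.51234 > 10.0.0.5.443: Flags [S], seq 1, win 64240, length 0
10:01:01.000520 IP 10.0.0.5.443 > 192.168.1.10.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:01:01.000610 IP 192.168.1.10.51234 > 10.0.0.5.443: Flags [.], ack 3, win 502, length 0
10:01:02.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
10:01:02.200000 IP 192.168.1.11.40001 > 10.0.0.6.22: Flags [S], seq 9, win 64240, length 0
10:01:03.200000 IP 192.168.1.11.40001 > 10.0.0.6.22: Flags [S], seq 9, win 64240, length 0
10:01:03.500000 IP 10.0.0.7.53 > 192.168.1.12.40123: 1234 1/0/0 A 203.0.113.10 (44)
10:01:04.000000 IP 192.168.1.13.50000 > 10.0.0.8.443: Flags [P.], seq 1:101, ack 1, win 502, length 100
10:01:04.100000 IP 192.168.1.13.50000 > 10.0.0.8.443: Flags [.], ack 1401, win 501, length 0
"""


def parse(text):
    """Yield (src, sport, dst, dport, flags) per IPv4 line; flags is None for non-TCP."""
    for line in text.splitlines():
        m = _ENDPOINTS.search(line)
        if not m:
            continue  # ARP, IPv6 and other non-IPv4 lines are skipped
        f = _FLAGS.search(line)
        yield (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)),
               f.group(1) if f else None)


def conversations(text):
    """conversation -> {direction: [flags, ...]}; conversation = sorted endpoint pair."""
    convs = defaultdict(lambda: defaultdict(list))
    for src, sport, dst, dport, flags in parse(text):
        a, b = (src, sport), (dst, dport)
        convs[tuple(sorted((a, b)))][(a, b)].append(flags)
    return convs


def classify(text):
    """Return {'ok': [...], 'gap': [...], 'unconfirmed': [...]} conversation lists."""
    result = {"ok": [], "gap": [], "unconfirmed": []}
    for conv, dirs in sorted(conversations(text).items()):
        if len(dirs) == 2:
            result["ok"].append(conv)
            continue
        (flag_list,) = dirs.values()
        # An ACK ('.' in tcpdump's flag string) acknowledges a SYN or data from
        # the peer, so the peer's packets existed and the sensor missed them.
        acked = any(f is not None and "." in f for f in flag_list)
        result["gap" if acked else "unconfirmed"].append(conv)
    return result


if __name__ == "__main__":
    for kind, convs in classify(SAMPLE).items():
        for a, b in convs:
            print(f"{kind:11s} {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
```

Run it against a minute of `tcpdump -nn -i <sniffing interface>` output once the mirror or tap is cabled: a "gap" entry means half the conversation never reached the sensor. With a tap that emits each direction on its own output port, both legs have to be sniffing interfaces on the sensor; with a one-port mirror, confirm the session is copying both ingress and egress of its source port.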





Josh Silvestro

Jan 22, 2018, 6:39:17 AM
to securit...@googlegroups.com
Mark,

Thanks for the info! All of my experience at this point has been with SMBs and using port mirroring. Although some of my clients are growing into the 100+ range of employees, so I'll take a peek at TAPs. Any recommendations on product? On an initial search I see a lot of info related to Gigamon.

Jon Irish

Jan 22, 2018, 7:26:29 AM
to security-onion
On Monday, January 22, 2018 at 5:39:17 AM UTC-6, Josh Silvestro wrote:
> Mark,
>
>
> Thanks for the info! All of my experience at this point has been with SMBs and using port mirroring. Although some of my clients are growing into the 100+ range of employees, so I'll take a peek at TAPs. Any recommendations on product? On an initial search I see a lot of info related to Gigamon.

Josh,
Gigamon is good, but also take a look at nTAP. Actually, Network Observer was bought out by Viavi, but I think it is still the same hardware, just a new label (https://www.viavisolutions.com/en-us/observer-network-taps).

Jon