I have been asked to deploy SO behind Aruba. The issue I am having is that the tap I am supposed to use does not have the aggregation feature, and therefore I will need to use two NICs in order for the sensor to see the full traffic flow. The box has only 2 NICs... I need one for management and one for monitoring, and there is no budget for a tap with aggregation capability.
The following solution has been recommended:
It is a StarTech USB 3.0 dual-port gigabit Ethernet adapter which would eliminate the need for a second NIC (or even the first NIC)... Will SO be able to receive data from the USB 3.0 port (effectively using the USB 3.0 port as the monitoring interface)? Will it be able to receive the traffic flow and aggregate the packets?
If anyone is able to please provide feedback from experience on this issue.
Thank you very much.
Kind Regards,
Muneer
Muneer,
This has come up a few times in the past:
https://groups.google.com/forum/#!searchin/security-onion/usb$20nic/security-onion/5DDzofTpz7k/Hpb-7OnCEAAJ
You can use a USB NIC as a monitoring interface; however, it will not perform nearly as well as a standard NIC. It is always recommended to use a standard NIC for monitoring. Recommendations here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware#nic
I would suggest using the USB NIC as the management interface and using the other NIC as the monitoring interface.
Thanks,
Wes
If I were to use two NICs (both on board: one on the motherboard, the other PCI) for monitoring, will SO be able to aggregate the incoming and outgoing packets?
I intend to use Bro and Argus to query the netflow.
Thanks again for your help. Much appreciated.
Regards,
Muneer
Muneer,
I would suggest taking a look at the below links:
You could try bridging the two interfaces so that SO could monitor the bridge interface.
Thanks,
Wes
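As an added illustration of the bridging approach Wes suggests (this is example code, not part of the original thread and not Security Onion's own setup scripts): the two tap legs are enslaved to a single IP-less Linux bridge, and that bridge becomes the interface the sniffing processes listen on, so both directions of each flow arrive on one device. The interface names br0, eth1 and eth2 and the use of iproute2 and ethtool are assumptions; the script only prints the commands unless APPLY=1 is set, and must run as root to make changes.

```shell
#!/bin/sh
# Added example (not from the original thread or from Security Onion):
# build an IP-less bridge over two capture NICs, one per tap leg, so that
# SO can monitor the bridge as a single interface.
# Assumed names: br0 (bridge), eth1 and eth2 (tap legs). Requires iproute2
# and ethtool. Dry run by default; APPLY=1 executes the commands as root.

# Emit the command sequence for building the bridge. Each member NIC loses
# any IP address, has NIC offloading disabled (offloads merge packets and
# confuse the sniffers), goes promiscuous, and is enslaved to the bridge.
bridge_monitor_cmds() {
    br=$1; nic_a=$2; nic_b=$3
    cat <<EOF
ip link add $br type bridge
ip link set $br type bridge stp_state 0
EOF
    for nic in "$nic_a" "$nic_b"; do
        cat <<EOF
ip addr flush dev $nic
ethtool -K $nic gro off lro off tso off gso off rx off tx off sg off || true
ip link set $nic promisc on arp off up
ip link set $nic master $br
EOF
    done
    # The bridge itself carries no address and answers no ARP: it is a
    # capture device, not a host interface.
    cat <<EOF
ip addr flush dev $br
ip link set $br promisc on arp off up
EOF
}

# Verify the result: both NICs are bridge members, the bridge has no IPv4
# address, and the bridge is in promiscuous mode. Returns non-zero on any
# failure so a setup script can stop before starting the sensor.
check_monitor_bridge() {
    br=$1; shift
    for nic in "$@"; do
        [ -e "/sys/class/net/$br/brif/$nic" ] || {
            echo "$nic is not a member of $br" >&2; return 1; }
    done
    if ip -4 addr show dev "$br" 2>/dev/null | grep -q 'inet '; then
        echo "$br still has an IPv4 address" >&2; return 1
    fi
    ip link show dev "$br" 2>/dev/null | grep -q PROMISC || {
        echo "$br is not in promiscuous mode" >&2; return 1; }
    return 0
}

# Print the plan, or apply it and check it when APPLY=1.
apply_monitor_bridge() {
    if [ "${APPLY:-0}" = 1 ]; then
        bridge_monitor_cmds "$@" | sh -e
        check_monitor_bridge "$@"
    else
        bridge_monitor_cmds "$@"
    fi
}

apply_monitor_bridge "${BRIDGE:-br0}" "${NIC_A:-eth1}" "${NIC_B:-eth2}"
```

Once the bridge is up, name br0 rather than eth1/eth2 as the sniffing interface in SO's setup. These commands do not survive a reboot, so persist the same settings in the distribution's network configuration. One caveat: a Linux bridge forwards frames between its members, so traffic arriving on one tap leg is sent out the other; with a passive tap whose monitor ports only transmit toward the sensor, that is harmless, but on anything that can carry the frames back into the network it is not.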