
Deploying Tap Mode to Monitor Network Traffic

Inline mode places the device directly in the network path. In tap mode, the device connects only to a mirror interface of the core network and monitors (sniffs) the packets mirrored from the core network gateway. Tap products tend to be resilient and transparent so as to minimize or eliminate any effect on production traffic. If you only need a sensor to monitor, analyze and log network traffic, without forwarding data, tap mode is the best choice.

In this example, a Hillstone device (a T-Series Intelligent Next Generation Firewall is recommended) acts as a network tap. Its tap interface eth0/1 connects directly to the mirror interface of the inline network gateway. The T-Series threat detection features then analyze the mirrored packets for network threats.

This example presents four threat detection functions. Each function requires its license to be installed before it takes effect.

  • Intrusion Prevention System (IPS): requires a Threat Prevention (TP) or IPS license.
  • Application Identification: requires an APP DB license. This license is issued free with the platform license, so it does not need to be purchased separately.
  • Advanced Threat Detection (ATD): requires a StoneShield license.
  • Abnormal Behavior Detection (ABD): requires a StoneShield license.

Preparation

As shown in the topology above, use an RJ-45 cable to connect the mirror port eth0/4 to the tap interface eth0/1.

Configure port mirroring on the core network gateway. A Hillstone gateway is used as the example.

Configuring port mirroring

  1. Select Network > Interface, and double-click ethernet0/3.
  2. In the pop-up, click the Properties tab and, under Mirror, select the check-box to enable traffic mirroring.
  3. Return to the interface list and make sure that the mirror port ethernet0/4 is not bound to any zone.
  4. Select Network > Port Mirroring, select ethernet0/4 from the drop-down menu, and click OK.

Configuring Tap Mode and Threat Detection

Configure all of the following settings on the tap device.

Step 1: Creating a TAP zone

  1. Select Network > Zone, and click New.
  2. In the Zone Configuration dialog, configure the following:
    Zone: tap-eth1
    Type: TAP
    Virtual Router: trust-vr
    Binding Interface: ethernet0/1
  3. Return to Network > Interface and, in the interface list, check that eth0/1 is in the "tap-eth1" zone.

Step 2: Creating a Policy

Create a "permit" policy on the tap device so that it can establish sessions within itself.

  1. Select Policy > Security Policy, and click New.
  2. In the Policy Configuration dialog, create a "permit" rule from and to the same tap zone.

Step 3: Enabling IPS and viewing IPS attacks

Enabling IPS:

  1. Select Network > Zone, and double-click tap-eth1.
  2. Under the Threat Prevention tab, select the Enable check-box to the right of Intrusion Prevention System.
    Profile: predef_default
    Defense Direction: bidirectional

Checking detection results:

  1. Select iCenter > Threat.
  2. In the list, items marked "Intrusion Prevention System" in the Detected by column are IPS attacks detected by the tap device.

Viewing IPS logs:

  1. Select Monitor > Log > Threat, and click Filter in the top right corner.
    Detected by: Intrusion Prevention System
  2. Click Query, and the page will show the IPS logs.

Step 4: Enabling Application Identification and viewing APP usage statistics

Enabling APP Identification:

  1. Select Network > Zone, and double-click the tap-eth1 zone.
  2. Under the Basic tab, select the Enable check-box next to Application Identification.

Viewing App monitor results:

Select Monitor > Application.

  • Summary: application usage statistics by user, traffic, new sessions or concurrent sessions.
  • Application Details: details of every application.
  • Group Details: application group usage details.

Step 5: Enabling Advanced Threat Detection (ATD) and viewing ATD attacks

Enabling ATD:

  1. Select Network > Zone, and double-click the tap-eth1 zone.
  2. Under the Threat Prevention tab, select the Enable check-box next to Advanced Threat Detection.

Viewing ATD monitor results:

  1. Select Monitor > Threat > Summary, and hover your cursor over the Malware bar to show a balloon of malware attacks.
  2. Click Details after Trojan in the balloon to see the details of this attack.

Viewing ATD logs:

  1. Select Monitor > Log > Threat, and click Filter in the top right corner.
    Detected by: Advanced Threat Detection
  2. Click Query, and the page will show the ATD logs.

To learn more about ATD, refer to another case in this cookbook, Finding Malware Attacks via Advanced Threat Detection.

Step 6: Enabling Abnormal Behavior Detection (ABD) and viewing abnormal behaviors

Enabling ABD:

  1. Select Network > Zone, and double-click the tap-eth1 zone.
  2. Under the Threat Prevention tab, select the Enable check-box next to Abnormal Behavior Detection.

Viewing monitor results:

  1. Select Monitor > Threat > Summary.
  2. Hover your cursor over the Scan or DoS bar; a balloon will show the number of Scan and DoS attacks.

Viewing ABD logs:

  1. Select Monitor > Log > Threat, and click Filter in the top right corner.
    Detected by: Abnormal Behavior Detection
  2. Click Query, and the ABD logs will show.

To learn more about ABD, refer to another case in this cookbook, Protecting Internal Servers and Host to Defend Attack via Abnormal Behavior Detection.
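After Steps 3, 5 and 6, a quick way to confirm that every engine enabled on the tap zone is actually producing detections is to summarise an exported threat log by its Detected by field, which is the same selection the Filter on the Monitor > Log > Threat page applies. This is an added example, not part of the Hillstone cookbook; it assumes the threat log was exported as CSV with a "Detected by" column, and the records it uses are constructed.

```python
"""Summarise exported threat-log records by detection engine.

Added example, not part of the original cookbook. It assumes a CSV export
with a "Detected by" column (the field the Monitor > Log > Threat filter
uses); the sample records below are constructed, not real device output.
"""
import csv
import io
from collections import Counter

# Threat engines enabled on the tap zone in Steps 3, 5 and 6, keyed by
# the value shown in the "Detected by" column of the threat log.
TAP_ENGINES = (
    "Intrusion Prevention System",
    "Advanced Threat Detection",
    "Abnormal Behavior Detection",
)

# Constructed sample export (documentation IP ranges); not device output.
SAMPLE_EXPORT = """Time,Source,Destination,Threat,Detected by,Severity
2024-01-01 10:00:01,10.1.1.5,203.0.113.7,SQL Injection,Intrusion Prevention System,High
2024-01-01 10:00:04,10.1.1.9,198.51.100.3,Trojan,Advanced Threat Detection,Critical
2024-01-01 10:00:09,10.1.1.5,203.0.113.7,XSS,Intrusion Prevention System,Medium
2024-01-01 10:01:15,10.1.1.22,10.1.1.1,Port Scan,Abnormal Behavior Detection,Low
"""


def count_by_engine(csv_text):
    """Return a Counter of log records per 'Detected by' value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return Counter(row["Detected by"].strip() for row in reader)


def filter_engine(csv_text, engine):
    """Same selection as the 'Detected by' filter on the Threat log page."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row for row in reader if row["Detected by"].strip() == engine]


def silent_engines(counts, enabled=TAP_ENGINES):
    """Enabled engines with no records at all.

    Zero hits over a busy interval usually points to a missing license, an
    unchecked Enable box on the zone, or mirrored traffic not reaching the
    tap interface, rather than to a clean network.
    """
    return [e for e in enabled if counts.get(e, 0) == 0]


if __name__ == "__main__":
    counts = count_by_engine(SAMPLE_EXPORT)
    for engine in TAP_ENGINES:
        print(f"{engine}: {counts.get(engine, 0)} record(s)")
    print("silent engines:", silent_engines(counts))
```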