
Network Sensor

Overview

Our network detection and response (NDR) sensor can be supplied as either a physical or virtual sensor.

The physical NDR sensors are high-performance hardware units that serve as hardware network sensors for the ThreatDefence platform. Our virtual sensor is suitable for smaller deployments, as well as for cloud-only environments.

Deployment

Our NDR sensor is a passive device that monitors a copy of your production traffic. Typically, the optimal deployment location is where it can monitor traffic passing through your internal firewall interface, also known as North-South traffic.

To achieve this, you typically need to configure a SPAN port on your switch or directly on your firewall.

Below is a sample deployment diagram:

[Diagram: network diagram featuring a SPAN port configuration]

As an example, to configure port mirroring on a Cisco switch so that traffic passing through an internal firewall connected to switch port 0/1 is mirrored to a ThreatDefence (TD) sensor connected to port 0/2, the commands are:

monitor session 1 source interface eth0/1
monitor session 1 destination interface eth0/2

This configuration initiates a monitoring session, identified by session number 1, and specifies the source interface (the internal firewall's NIC) and the destination interface (a TD sensor's data port). Please note that the interface notation (e.g., eth0/1) may vary based on the exact model of the Cisco switch and its configuration.

To enable the sensor's HTTPS connectivity for retrieving external data such as OS updates and Threat Intelligence feeds, ensure the network is configured to allow outbound HTTPS traffic (TCP port 443) through the firewall, with any necessary proxy settings properly configured to handle SSL/TLS traffic.

HP Aruba

A mirror configuration can be created on Aruba equipment, either via the web portal or a terminal.

When adding a mirror session via the web portal, set the Session Probe Interface as the physical switchport to which traffic will be mirrored.

To configure via terminal, create a mirror session and define an exit port.

switch(config)# mirror 1 port c24

After establishing a mirror session and exit port (e.g. 1 and c24), configure the source interfaces to be monitored (e.g. a5, b17) by specifying a direction (in/out/both) and the mirror session number.

switch(config)# interface a5,b17 monitor all in mirror 1

Please see the official documentation for diagrams and further detail: ArubaOS-Switch 16.07 - Mirroring configuration examples.
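A mirror session that is missing its destination port, or that mirrors only one direction of a firewall link, leaves the sensor blind without any error on the switch. The following added example (not ThreatDefence's or the switch vendors' code) parses the Cisco "monitor session" and ArubaOS-Switch "mirror" / "interface ... monitor ... mirror" lines shown above into one session model and reports incomplete or one-directional sessions. The config snippets it reads are constructed for illustration; the line formats are assumed to match the two dialects on this page.

```python
"""Sanity-check SPAN/mirror configuration before relying on the sensor feed.

Supported syntax (assumed from the examples on this page):
  Cisco:  monitor session <n> source interface <if> [rx|tx|both]
          monitor session <n> destination interface <if>
  Aruba:  mirror <n> port <exit-port>
          interface <a,b,...> monitor all (in|out|both) mirror <n>
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CISCO_SRC = re.compile(r"^monitor session (\d+) source interface (\S+)(?: (rx|tx|both))?$")
CISCO_DST = re.compile(r"^monitor session (\d+) destination interface (\S+)$")
ARUBA_DST = re.compile(r"^mirror (\d+) port (\S+)$")
ARUBA_SRC = re.compile(r"^interface (\S+) monitor all (in|out|both) mirror (\d+)$")
PROMPT = re.compile(r"^\S*\(config\)#\s*")  # strip a copied CLI prompt


@dataclass
class Session:
    sources: Dict[str, str] = field(default_factory=dict)  # interface -> rx/tx/both
    destination: Optional[str] = None                      # port the sensor hangs off


def parse_mirror_config(text: str) -> Dict[int, Session]:
    """Parse Cisco or Aruba mirror lines into {session id: Session}."""
    sessions: Dict[int, Session] = {}
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if m := CISCO_SRC.match(line):
            # Cisco mirrors both directions unless rx/tx is given explicitly
            sessions.setdefault(int(m[1]), Session()).sources[m[2].lower()] = m[3] or "both"
        elif m := CISCO_DST.match(line):
            sessions.setdefault(int(m[1]), Session()).destination = m[2].lower()
        elif m := ARUBA_DST.match(line):
            sessions.setdefault(int(m[1]), Session()).destination = m[2].lower()
        elif m := ARUBA_SRC.match(line):
            direction = {"in": "rx", "out": "tx", "both": "both"}[m[2]]
            s = sessions.setdefault(int(m[3]), Session())
            for iface in m[1].split(","):
                s.sources[iface.lower()] = direction
    return sessions


def check_sessions(sessions: Dict[int, Session]) -> List[str]:
    """Return human-readable problems; an empty list means the config looks complete."""
    problems: List[str] = []
    for sid, s in sorted(sessions.items()):
        if s.destination is None:
            problems.append(f"session {sid}: no destination (sensor) port")
        if not s.sources:
            problems.append(f"session {sid}: no source interface")
        if s.destination is not None and s.destination in s.sources:
            problems.append(f"session {sid}: destination {s.destination} is also a source")
        for iface, direction in s.sources.items():
            if direction != "both":
                problems.append(
                    f"session {sid}: source {iface} mirrors {direction} only; "
                    "confirm the sensor sees both directions of the conversation"
                )
    return problems


# Constructed sample configs: session 2 on the Cisco switch lacks a destination,
# and the Aruba session mirrors ingress only.
SAMPLE_CISCO = """
monitor session 1 source interface eth0/1
monitor session 1 destination interface eth0/2
monitor session 2 source interface eth0/5
"""

SAMPLE_ARUBA = """
switch(config)# mirror 1 port c24
switch(config)# interface a5,b17 monitor all in mirror 1
"""

if __name__ == "__main__":
    for name, cfg in (("cisco", SAMPLE_CISCO), ("aruba", SAMPLE_ARUBA)):
        for problem in check_sessions(parse_mirror_config(cfg)) or ["no problems found"]:
            print(f"{name}: {problem}")
```

Run it against the output of `show running-config | include monitor` (Cisco) or the mirror lines of `show running-config` (Aruba) before the sensor goes live; a session reported with only `rx` or `tx` on a firewall link deserves a look, because the sensor will then see only one side of every flow.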
