Packet capture appliance
A packet capture appliance is a standalone device that performs packet capture. Packet capture appliances may be deployed anywhere on a network, however, most commonly are placed at the entrances to the network (i.e. the internet connections) and in front of critical equipment, such as servers containing sensitive information.
In general, packet capture appliances capture and record all network packets in full (both header and payload), however, some appliances may be configured to capture a subset of a network’s traffic based on user-definable filters. For many applications, especially network forensics and incident response, it is critical to conduct full packet capture, though filtered packet capture may be used at times for specific, limited information gathering purposes.[1]
Deployment
The network data that a packet capture appliance captures depends on where and how the appliance is installed on a network. There are two options for deploying packet capture appliances on a network. One option is to connect the appliance to the SPAN port (port mirroring) on a network switch or router. A second option is to connect the appliance inline, so that network activity along a network route traverses the appliance (similar in configuration to a network tap, but the information is captured and stored by the packet capture appliance rather than passing on to another device).
When connected via a SPAN port, the packet capture appliance may receive and record all Ethernet/IP activity for all of the ports of the switch or router.
When connected inline, the packet capture appliances captures only the network traffic traveling between two points, that is, traffic that passes through the cable to which the packet capture appliance is connected.
There are two general approaches to deploying packet capture appliances: centralized and decentralized.
Centralized
With a centralized approach, one high-capacity, high-speed packet capture appliance connects to a data-aggregation point. The advantage of a centralized approach is that with one appliance you gain visibility over the network’s entire traffic. This approach, however, creates a single point of failure that is a very attractive target for hackers; additionally, one would have to re-engineer the network to bring traffic to appliance and this approach typically involves high costs.
Decentralized
With a decentralized approach you place multiple appliances around the network, starting at the point(s) of entry and proceeding downstream to deeper network segments, such as workgroups. The advantages include: no network re-configuration required; ease of deployment; multiple vantage points for incident response investigations; scalability; no single point of failure – if one fails, you have the others; if combined with electronic invisibility, this approach practically eliminates the danger of unauthorized access by hackers; low cost. Cons: potential increased maintenance of multiple appliances.
In the past, packet capture appliances were sparingly deployed, oftentimes only at the point of entry into a network. Packet capture appliances can now be deployed more effectively at various points around the network. When conducting incident response, the ability to see the network data flow from various vantage points is indispensable in reducing time to resolution and narrowing down which parts of the network ultimately were affected. By placing packet capture appliances at the entry point and in front of each work group, following the path of a particular transmission deeper into the network would be simplified and much quicker. Additionally, the appliances placed in front of the workgroups would show intranet transmissions that the appliance located at the entry point would not be able to capture.
Capacity
Packet capture appliances come with capacities ranging from 500 GB to 192 TB and more. Only a few organizations with extremely high network usage would have use for the upper ranges of capacities. Most organizations would be well served with capacities from 1 TB to 4 TB.
A good rule of thumb when choosing capacity is to allow 1 GB per day for heavy users down to 1 GB per month for regular users. For a typical office of 20 people with average usage, 1 TB would be sufficient for about 1 to 4 years.
Link speed ratio 100/0 | 100 Mbit/s | 1 Gbit/s | 10 Gbit/s | 40 Gbit/s |
---|---|---|---|---|
Data on Disc/sec | 12.5 MB | 125 MB | 1.25 GB | 5 GB |
Data on Disc/min | 750 MB | 7.5 GB | 75 GB | 300 GB |
Data on Disc/hr | 45 GB | 450 GB | 4.5 TB | 18 TB |
The ratio 100/0 means simplex traffic on real links you can have even more traffic
Features
Filtered vs. full packet capture
Full packet capture appliances capture and record all Ethernet/IP activity, while filtered packet capture appliances capture only a subset of traffic based on a set of user-definable filters; such as IP address, MAC address or protocol. Unless using the packet capture appliance for a very specific purpose covered by the filter parameters, it is generally best to use full packet capture appliances or otherwise risk missing vital data. Particularly when using a packet capture for network forensics or cybersecurity purposes, it is paramount to capture everything because any packet not captured on the spot is a packet that is gone forever. It is impossible to know ahead of time the specific characteristics of the packets or transmissions needed, especially in the case of an advanced persistent threat (APT). APTs and other hacking techniques rely for success on network administrators not knowing how they work and thus not having solutions in place to counteract them.
Intelligent Packet Capture
Intelligent packet capture uses machine learning to filter and reduce the amount of network traffic captured. Traditional filtered packet capture relies on rules and policies which are manually configured to capture all potentially malicious traffic. Intelligent packet capture uses machine learning models, including features from Cyber threat intelligence feeds, to scientifically target and capture the most threatening traffic. Machine learning techniques for network intrusion detection [2][3], traffic classification [4], and anomaly detection [5] are used to identify potentially malicious traffic for collection.
Encrypted vs. unencrypted storage
Some packet capture appliances encrypt the captured data before saving it to disk, while others do not. Considering the breadth of information that travels on a network or internet connection and that at least a portion of it could be considered sensitive, encryption is a good idea for most situations as a measure to keep the captured data secure. Encryption is also a critical element of authentication of data for the purposes of data/network forensics.
Sustained capture speed vs. peak capture speed
The sustained captured speed is the rate at which a packet capture appliance can capture and record packets without interruption or error over a long period of time. This is different from the peak capture rate, which is the highest speed at which a packet capture appliance can capture and record packets. The peak capture speed can only be maintained for short period of time, until the appliance’s buffers fill up and it starts losing packets. Many packet capture appliances share the same peak capture speed of 1 Gbit/s, but actual sustained speeds vary significantly from model to model.
Permanent vs. overwritable storage
A packet capture appliance with permanent storage is ideal for network forensics and permanent record-keeping purposes because the data captured cannot be overwritten, altered or deleted. The only drawback of permanent storage is that eventually the appliance becomes full and requires replacement. Packet capture appliances with overwritable storage are easier to manage because once they reach capacity they will start overwriting the oldest captured data with the new, however, network administrators run the risk of losing important capture data when it gets overwritten. In general, packet capture appliances with overwrite capabilities are useful for simple monitoring or testing purposes, for which a permanent record is not necessary. Permanent, non-overwritable recording is a must for network forensics information gathering.
GbE vs. 10 GbE
Most businesses use Gigabit Ethernet speed networks and will continue to do so for some time. If a business intends to use one centralized packet capture appliance to aggregate all network data, it would probably be necessary to use a 10 GbE packet capture appliance to handle the large volume of data coming to it from all over the network. A more effective way is to use multiple 1 Gbit/s inline packet capture appliances placed strategically around the network so that there is no need to re-engineer a gigabit network to fit a 10 GbE appliance.
Data security
Since packet capture appliances capture and store a large amount of data on network activity, including files[6] , emails and other communications, they could, in themselves, become attractive targets for hacking. A packet capture appliance deployed for any length of time should incorporate security features, to protect the recorded network data from access by unauthorized parties. If deploying a packet capture appliance introduces too many additional concerns about security, the cost of securing it may outweigh the benefits. The best approach would be for the packet capture appliance to have built-in security features. These security features may include encryption, or methods to “hide” the appliance’s presence on the network. For example, some packet capture appliances feature “electronic invisibility”, that is, have a stealthy network profile by not requiring or using IP nor MAC addresses.
Though on the face of it connecting a packet capture appliance via a SPAN port appears to make it more secure, the packet capture appliance would ultimately still have to be connected to the network in order to allow management and data retrieval. Though not accessible via the SPAN link, the appliance would be accessible via the management link.
Despite the benefits, the ability to control a packet capture appliance from a remote machine presents a security issue that could make the appliance vulnerable.[7] Packet capture appliances that allow remote access should have a robust system in place to protect it against unauthorized access. One way to accomplish this is to incorporate a manual disable, such as a switch or toggle that allows the user to physically disable remote access. This simple solution is very effective, as it is doubtful that a hacker would have an easy time gaining physical access to the appliance in order to flip a switch.
A final consideration is physical security. All the network security features in the world are moot if someone is simply able to steal the packet capture appliance or make a copy of it and have ready access to the data stored on it. Encryption is one of the best ways to address this concern, though some packet capture appliances also feature tamperproof enclosures.
See also
- Intrusion detection
- Packet capture
- Packet sniffer
References
- Sherri Davidoff. "Network Forensics: Tracking Hackers Through Cyberspace". Retrieved 2012-07-08.
- "KDD Cup 1999: Computer Network Intrusion Detection". SIGKDD. Retrieved 17 June 2019.
- Buczak, Anna; Guven, Erhan (26 October 2015). "A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection". IEEE Communications Surveys & Tutorials. 18 (2): 1153–1176. doi:10.1109/COMST.2015.2494502.
- Li, Wei; Moore, Andrew W. (24–26 October 2007). "A Machine Learning Approach for Efficient Traffic Classification". 2007 15th International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems: 310–317. CiteSeerX 10.1.1.219.6221. doi:10.1109/MASCOTS.2007.2. ISBN 978-1-4244-1853-4.
- Ahmed, Tarem; Oreshkin, Boris; Coates, Mark (April 10, 2007). "Machine Learning Approaches to Network Anomaly Detection". Second Workshop on Tackling Computer Systems Problems with Machine Learning Techniques (SysML07). Retrieved 17 June 2019.
- Erik Hjelmvik (2008). "Passive Network Security Analysis with NetworkMiner". Forensic Focus. Archived from the original on 2012-02-23. Retrieved 2012-07-08.
- Mike Pilkington (2010). "Protecting Admin Passwords During Remote Response and Forensics". SANS. Retrieved 2012-07-08.