Overview
Products in this marketplace are often called "data-access switches".
The basic idea: connect physical cables from multiple monitor/SPAN sessions, consolidate the data, and replicate the aggregated monitor data to output ports that connect to security analysis devices.
The data sources (i.e. monitor/SPAN sessions) typically reside at different physical points on the network and correspond to different egress points where traffic leaves or enters the network.
The consolidated monitor traffic is typically connected to a network security device that requires a "copy" of the network traffic passing a particular point in the network (typically the network perimeter). Sample products include any combination of: IDS, DLP, web filters, traffic analyzers, and forensics tools.
Note:
- "SPAN port" is a term coined by Cisco. "Monitor session" has become more of an industry-standard term across all vendors and applies to both switches and routers.
Gigamon
The GigaVUE appliance line from Gigamon can be considered the "Cadillac" (and most mature) of the devices in the data-access switch marketplace. There are two primary chassis models, the GigaVUE 420 and 2404, both with extensive expansion and configuration options for copper, fiber, and SFP. In addition, GigaVUE "TAP" modules are available for in-line traffic collection that can leverage the aggregation and output features of the GigaVUE platform. Please contact DirSec sales for more information.
Gigamon Home Page
Gigamon -- CITRUS web-based GUI
In addition, Gigamon has the CITRUS web-based GUI for monitoring and configuring GigaVUE appliances.
Gigamon CITRUS Web GUI
Gigamon -- Output traffic filtering
A standard feature of the GigaVUE platform is the ability to reduce and customize the data flow to each "monitor device" connected to an output. A sample use case: consolidate traffic from three monitor/SPAN sessions on the network, with the aggregated monitor traffic to be used by three monitor solutions (URL filter, traffic analyzer, and IDS). To avoid overloading the URL filter, you can specify one aggregated output port that carries traffic from source subnet X, and a second aggregated output that carries traffic from source subnet Y (the output filter can apply to port number as well). A separate URL filter would be connected to each of ports X and Y, respectively.
Datacom Systems
VersaSTREAM model #VS-1062BT (multi-speed, gigabit-capable link aggregator: 2 copper IN, 6 copper OUT).
Datacom is a direct company, but the price is under $3k for the model listed below (no output filtering).
VersaSTREAM model VS-1062BT
In addition, there is a programmable 8-port "any-to-any" device that can be configured to your specific needs (example: 3 copper IN, 5 aggregated copper OUT).
VersaSTREAM model VS-1208BT
Datacom Systems -- Output Filtering
If you need output filtering (à la "Gigamon on the cheap"), Datacom Systems has released a few models that have the same link aggregation features detailed above, with the addition of a filtering policy on aggregated output ports. This allows control over the amount and type of monitor data sent to monitor ports. Example: only aggregated traffic from subnet XYZ is sent to monitor port 5. Configuration is via serial management cable (no web-based management like Gigamon CITRUS, see above). Example: programmable eight-port any-to-any, includes SFP port options.
VersaSTREAM model FVS-1080
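The output filtering described for both the GigaVUE use case and the Datacom filtering models can be modelled in a few lines to check a policy before cabling it. This is an added example, not vendor configuration syntax or code from either product; the subnets, port names and packets are constructed. It also reports traffic that neither URL filter would receive once the feed is split by source subnet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    span: str   # monitor/SPAN session that captured the packet
    src: str    # source IP address

@dataclass(frozen=True)
class OutputPort:
    name: str
    src_net: Optional[str] = None   # None means unfiltered output

    def accepts(self, pkt: Packet) -> bool:
        if self.src_net is None:
            return True
        return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)

def replicate(packets, outputs):
    """Aggregate all SPAN inputs and copy each packet to every matching output."""
    delivered = {o.name: [] for o in outputs}
    for pkt in packets:
        for o in outputs:
            if o.accepts(pkt):
                delivered[o.name].append(pkt)
    return delivered

def unmonitored(packets, outputs, group):
    """Packets that no output in `group` receives: a coverage gap for that tool."""
    ports = [o for o in outputs if o.name in group]
    return [p for p in packets if not any(o.accepts(p) for o in ports)]

# Constructed policy: subnet X = 10.1.0.0/16, subnet Y = 10.2.0.0/16 (assumptions)
OUTPUTS = [
    OutputPort("url_filter_x", "10.1.0.0/16"),
    OutputPort("url_filter_y", "10.2.0.0/16"),
    OutputPort("traffic_analyzer"),
    OutputPort("ids"),
]
# Constructed traffic from three monitor/SPAN sessions
SAMPLE = [
    Packet("span1", "10.1.4.20"), Packet("span1", "10.2.9.7"),
    Packet("span2", "10.1.8.31"), Packet("span3", "10.2.0.15"),
    Packet("span3", "10.3.0.5"),   # source outside both X and Y
]

if __name__ == "__main__":
    for name, pkts in replicate(SAMPLE, OUTPUTS).items():
        print(name, len(pkts))
    print("missed by URL filters:", unmonitored(SAMPLE, OUTPUTS, {"url_filter_x", "url_filter_y"}))
```

The IDS and traffic analyzer see all five packets, while the packet from 10.3.0.5 reaches neither URL filter, which is the kind of gap to look for when splitting a feed by source subnet.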
NetOptics