Port Mirroring for Advanced Threat Analytics

  • Article

The main data source used by ATA is deep packet inspection of the network traffic to and from your domain controllers. For ATA to see the network traffic, port mirroring needs to be configured. Port mirroring copies the traffic on one port, known as the source port, to another port, known as the destination port. ATA works with most solutions that can mirror traffic - if the traffic can be port mirrored to ATA, it can be used to analyze threats to your system https://technet.microsoft.com/en-us/library/mt429376.aspx.

One of the most common questions for Advanced Threat Analytics is on how to mirror ports.

I will give some references to different sites that will provide information on how to create mirrored ports.

Switches that support mirroring https://www.miarec.com/knowledge/switches-port-mirroring

Hyper-V

https://blogs.technet.com/b/networking/archive/2015/01/06/setting-up-port-mirroring-to-capture-mirrored-traffic-on-a-hyper-v-virtual-machine.aspx

Vmware

https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.networking.doc%2FGUID-8D1768B0-074D-4F06-9931-2BE4777D35F8.html

https://pubs.vmware.com/vsphere-55/index.jsp\#com.vmware.vsphere.networking.doc/GUID-68B5DD45-DD3F-4E9B-A6CD-BE97026A846A.html

HP

https://h10032.www1.hp.com/ctg/Manual/c02640590

Cisco

https://supportforums.cisco.com/document/13891/how-configure-port-monitoring-span-catalyst-2940-2950-2955-2970-3550-or-3750-series

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus1000/sw/4\_2\_1\_s\_v\_2\_2\_2/system\_management/b\_Cisco\_Nexus\_1000V\_System\_Management\_Configuration\_Guide\_2\_2\_2/b\_Cisco\_Nexus\_1000V\_System\_Management\_Configuration\_Guide\_2\_2\_2\_chapter\_01010.html

 

Juniper

https://www.juniper.net/documentation/en_US/junos13.2/topics/usage-guidelines/services-configuring-port-mirroring.html

NetGear

https://www.miarec.com/knowledge/how-configure-port-mirroring-netgear-fs726t

TP-Link

https://www.miarec.com/knowledge/how-configure-port-mirroring-tp-link-tl-sl2428web

Dell

https://www.miarec.com/knowledge/how-configure-port-mirroring-dell-powerconnect-2700-series

D-Link

https://www.miarec.com/knowledge/how-configure-port-mirroring-d-link-des-3010

Most of these links points for other vendors webpages and they are the ones that can give support on their products.

To verify that the port-mirroring is working (https://technet.microsoft.com/en-us/library/dn707710.aspx), remember to use Network monitor on the ATA Gateway.

https://technet.microsoft.com/en-us/library/mt163705.aspx

Comments

  • Anonymous
    July 11, 2016
    EXCELLENT reference material, thanks!