A number of security devices can be placed at appropriate places in the network architecture to address certain level of security. In reference to this context, explain how a switch can be configured to monitor traffic flowing along its ports.
Traffic monitoring is a vital element of network and system management. Monitoring this traffic gives important information about the operation of enterprise applications. This information is essential for activities such as cost allocation, capacity planning, quality of service analysis, fault detection and isolation, and security management. Traffic monitoring used to be a relatively straightforward task. In the past large numbers of machines were connected to a shared network. (A shared network permits a single instrument connected to the network to monitor all the traffic, since packets sent in one part of the network are received in all other parts of the network.) Requirements for increased bandwidth, changes in traffic patterns, and the quickly falling price of packet switching and routing devices have caused a rapid movement away from shared networks to networks which are highly segmented. Traffic is no longer visible from a single point. A switch directs packets to specific ports based on the packet's destination. Every port on the switch needs to be monitored in order to obtain a complete picture of the network traffic. The use of point-to-point links makes it difficult to attach instruments, and the large number of instruments that would be required to monitor all the switch ports ensures that such an approach would not be cost effective. In addition, the switches and routers themselves have complex internal architectures, and the flow of packets within, and through, them is becoming an important factor in network performance.
The only realistic way to monitor traffic on switched networks is to monitor traffic within the switches themselves. In addition to the technical difficulties of the task, there are also severe price constraints. The market for switches is maturing and there is very little room to add cost or impact the performance of these devices, especially since monitoring is secondary to the primary switching function of the device.
There are three main choices for traffic monitoring:
1. RMON: RMON1 (Remote MONitor) is an Internet Engineering Task Force (IETF) standard specifying a remote, promiscuous, traffic-monitoring device. An RMON device monitors and decodes every packet on the network to which it is attached and creates tables of measurements that can later be downloaded by a network management application.
2. NetFlow: Cisco routers and switches, as part of their NetFlow monitoring system, send information about completed traffic flows to a central collector. The device decodes every IP packet, maintains tables of active flows, and forwards flow records periodically, or when they complete, to a network management application.
3. sFlow: sFlow combines accurate packet counters with a statistical sampling of the state of the routing and bridging tables used by the switch to forward randomly selected packets. The sampled information is immediately sent to a central collector for analysis.
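The flow-record export described under NetFlow, worked through as an added example that is not part of the original answer: a minimal collector-side decoder for the fixed-format NetFlow v5 datagram (24-byte header plus 48-byte records, as the Cisco format documents it), followed by a simple security rule run over the decoded flows. The export datagram itself is constructed in the script with the same packing routines, since no router is available offline; the addresses, ports and the port-scan heuristic are illustrative assumptions, not anything the original page states.

```python
import struct
from collections import defaultdict

# Wire layout of a NetFlow v5 export datagram (all fields big-endian):
# a 24-byte header followed by `count` fixed-size 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"            # version, count, sys_uptime, unix_secs,
                                     # unix_nsecs, flow_sequence, engine_type,
                                     # engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, in_if, out_if,
                                     # dPkts, dOctets, first, last, sport, dport,
                                     # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                     # src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
SYN = 0x02


def _ip_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_netflow_v5(datagram):
    """Decode one export datagram into (header dict, list of flow dicts).
    Rejects anything that is not v5 or whose record count exceeds the payload."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if count > 30 or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not fit the datagram" % count)
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": _ip_str(f[0]), "dst": _ip_str(f[1]),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    header = {"sequence": seq, "unix_secs": secs,
              # low 14 bits carry the 1-in-N sampling interval, top 2 bits the mode
              "sampling_interval": sampling & 0x3FFF}
    return header, flows


def flag_port_scans(flows, min_ports=3):
    """Illustrative heuristic: one source sending single-packet SYN-only flows
    to many distinct TCP ports on one destination looks like a port scan."""
    probes = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["tcp_flags"] == SYN and f["packets"] == 1:
            probes[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(ports) for pair, ports in probes.items()
            if len(ports) >= min_ports}


# --- constructed sample export, standing in for what a router would send ---
def _record(src, dst, sport, dport, proto, pkts, octets, flags=0):
    return struct.pack(RECORD_FMT, _ip_bytes(src), _ip_bytes(dst), b"\0" * 4,
                       1, 2, pkts, octets, 1000, 2000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)


def build_datagram(records, sequence=0):
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1700000000, 0,
                         sequence, 0, 0, 0)
    return header + b"".join(records)


SAMPLE_DATAGRAM = build_datagram([
    _record("10.0.0.7", "10.0.0.20", 51000, 443, 6, 40, 31000, 0x18),  # HTTPS, PSH|ACK
    _record("10.0.0.5", "10.0.0.20", 40001, 22, 6, 1, 60, SYN),
    _record("10.0.0.5", "10.0.0.20", 40002, 80, 6, 1, 60, SYN),
    _record("10.0.0.5", "10.0.0.20", 40003, 445, 6, 1, 60, SYN),
    _record("10.0.0.5", "10.0.0.20", 40004, 3389, 6, 1, 60, SYN),
    _record("10.0.0.9", "10.0.0.53", 53001, 53, 17, 2, 180),          # DNS over UDP
], sequence=42)

if __name__ == "__main__":
    hdr, flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    print("sequence", hdr["sequence"], "flows", len(flows))
    for pair, ports in flag_port_scans(flows).items():
        print("possible scan %s -> %s ports %s" % (pair[0], pair[1], ports))
```

Two points a practitioner should keep in mind when building on this. NetFlow v5 is exported over plain UDP with no authentication, so a collector should accept datagrams only from the known exporter addresses and treat the flow_sequence field as a loss indicator rather than a proof of origin. When the exporter samples (a non-zero sampling_interval), per-flow packet and byte counters describe only the sampled packets and must be scaled by the interval before they are used for volume-based rules; the decoder above exposes the interval but deliberately leaves the scaling to the caller.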