Step 1: Network Sensor Location Guidelines
Deciding where to locate an Insight Network Sensor in your environment is an important first step when undertaking any network sensor deployment procedure. This article introduces the key concept of network traffic convergence to help you pick the right deployment locations, offers guidelines for multi-network sensor deployments, and covers potential duplicate data scenarios.
Deploy Network Sensors at Points of Network Traffic Convergence
To ensure that all of your network traffic is fully covered by as few network sensors as possible, you need to focus your location decisions on areas of network traffic convergence.
While all networks vary in topology, scale, and segmentation, a typical network usually consists of at least one data center tied together with a core switch. By nature, core switches are ideal network traffic convergence zones, and Rapid7 recommends a mirror port-equipped core switch for your network sensor deployment for this very reason.
If your network is too small for a mirror port-equipped core switch, you can deploy Test Access Points (TAPs) inline between your internet gateway and your switch device to create your own network traffic convergence areas for the network sensor to use.
VMware includes powerful and flexible traffic mirroring functionality that allows you to easily deploy multiple sensors and monitor either internal east west traffic, traffic across multiple ESX servers, or external SPAN traffic. For additional detail and related video tutorials, check out Virtual Traffic Sources.
Multi-Network Sensor Deployments
The following scenarios are typical cases for deploying multiple network sensors:
- If your overall network throughput figures exceed what a single network sensor can accommodate, you can deploy multiple network sensors to achieve complete coverage. The same network traffic convergence principle still applies in this scenario. However, as a general guideline, your network traffic monitoring deployment should strive to achieve full coverage with as few network sensors as possible.
- If your organization consists of several remote data centers, deploying a network sensor for each is ideal for gaining visibility on their local activity.
Duplicate Data Limitations of the Network Sensor
When deploying multiple network sensors, take care to ensure that they do not ingest and process the same network traffic more than once. However, the network sensor does feature a packet filtering tool (covered in the next section) where you can tune what kinds of traffic each network sensor can monitor, and what kinds can be ignored.
Handle Duplicate Data with the Berkeley Packet Filter (BPF)
Depending on your network configuration, sometimes the capture of duplicate data is unavoidable in a multi-network sensor environment. To mitigate against this condition, the network sensor includes a component called the Berkeley Packet Filter (BPF) that you can configure to ignore specific types of network traffic on a per-network sensor basis as needed.
After you deploy one or more network sensors, you can configure any BPF settings in the network sensor management experience of the Insight platform.