WANGUARD 5.2 User Manual & Administrator's Guide
Choosing a method of traffic monitoring
This section explains the available methods you can use for traffic monitoring. Reading this chapter is
strongly recommended, as it will help you understand how to deploy Sensor in your network.
The Sensor was designed to monitor the traffic from the smallest branch office with tens of endpoints to the
largest enterprises with hundreds of thousands of endpoints.
Depending on your network topology and configuration, your needs and your hardware, you must choose
between the 2 types of Sensors:
● Sniffing Sensor for Port Mirroring (SPAN, Roving Analysis Port) or Network TAP or In-line deployment
In switched networks only the traffic for a specific device is sent to the device's network card. If the
Sensor system is not deployed in-line (in the main data-path) then a network TAP, or a switch or router
that offers a "monitoring port" must be used. In this case, the network device sends a copy of data
packets traveling through a port or VLAN to the monitoring port. A Sniffing Sensor inspects every packet
it receives to do the traffic analysis.
Packet sniffing provides extremely fast and accurate traffic analysis and accounting results. The
downside is that it needs fast CPUs and good NICs.
● Flow Sensor for NetFlow® (v5, v7, v9 – jFlow, NetStream, cflowd) or sFlow® (v4, v5) or IPFIX
Many routers and switches can collect IP traffic statistics on monitored interfaces, and later export those
statistics as flow records to the Flow Sensor, which does the actual traffic analysis.
Because the flow protocols already perform pre-aggregation of traffic data, the flows of data sent to the
monitoring server are much smaller than the monitored traffic. This makes the Flow Sensor a good
option for monitoring remote or high-traffic networks. The downsides are that computing the
pre-aggregation of traffic data requires large amounts of RAM, it has delays of up to 5 minutes, and the
accuracy of traffic parameters is lower than when inspecting packets (especially when sampling is used).
Virtual Sensor aggregates the Interfaces of Sniffing Sensors and Flow Sensors into a single anomaly detection
domain. It disables the anomaly detection features of the Sensors it contains, and provides anomaly detection for the
summed up traffic data.
In high availability scenarios it's recommended to use both methods of traffic capturing. Add a new Sensor
by going to Configuration » Components » Add Sensor.
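To make the Flow Sensor trade-off concrete, the following added example (not part of the WANGUARD manual or product code) parses a NetFlow v5 export datagram and scales its sampled counters into estimated per-destination totals. The function names and the sample datagram are constructed for illustration; the addresses come from documentation ranges.

```python
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


def parse_netflow_v5(datagram):
    """Return (sampling_interval, flows) for one NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, *_, sampling = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("record count exceeds datagram length")
    # Low 14 bits carry the interval (top 2 bits are the mode); treat 0 as unsampled.
    interval = (sampling & 0x3FFF) or 1
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return interval, flows


def estimate_per_destination(datagram):
    """Scale sampled counters to estimated on-wire totals per destination IP."""
    interval, flows = parse_netflow_v5(datagram)
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        totals[f["dst"]]["packets"] += f["packets"] * interval
        totals[f["dst"]]["bytes"] += f["bytes"] * interval
    return dict(totals)


def build_sample_datagram():
    """Constructed sample: two UDP flows to 192.0.2.10, exported with 1-in-100 sampling."""
    header = HEADER.pack(5, 2, 0, 0, 0, 0, 0, 0, (1 << 14) | 100)
    def rec(src, sport, pkts, octets):
        return RECORD.pack(socket.inet_aton(src), socket.inet_aton("192.0.2.10"), bytes(4),
                           0, 0, pkts, octets, 0, 0, sport, 53, 0, 0, 17, 0, 0, 0, 0, 0, 0)
    return header + rec("198.51.100.1", 40000, 30, 1800) + rec("198.51.100.2", 40001, 20, 1200)


if __name__ == "__main__":
    print(estimate_per_destination(build_sample_datagram()))
```

The 120-byte datagram summarizes an estimated 5000 packets, which is why flow export suits remote or high-traffic links, while the multiplication by the sampling interval is where the accuracy loss relative to packet inspection comes from.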