In the first part of this series of articles, we focused on monitoring ISPs and MSP traffic. Today we analyse network traffic in SMEs and home networks. The typical network layout of a home or a small business is depicted below.
The ISP provides a router for connecting to the Internet (e.g. xDSL or fibre) that usually also features an embedded access point used by phones, tablets or laptops to get online. The best way to monitor LAN traffic is to replace the existing switch with one that supports sFlow; however, most people do not pay much attention to what happens inside the LAN and focus instead on Internet traffic, as this is where threats and slowdowns occur. To monitor Internet traffic we need to hook a probe where that traffic flows, which requires some changes to the topology, shown in red in the figure below.
Namely:
- Either replace the existing switch (not advised, as you would need to change the wiring or spend a lot of money if you have a switch with many ports) or, better, add a new switch with port-mirroring capabilities. Today they are very cheap (~30 Euro/35 US$) and simple to use (see for example the Zyxel GS1200-8 and TP-Link TL-SG105E), so the best option is to add a new switch between the router and the rest of the network.
- Disable WiFi on the router and connect a separate access point to the network. This is required because if you leave WiFi enabled on the router, wireless traffic will not pass through the mirror port and thus will be invisible to the probe.
- Pick an existing PC or add a new one (even a Raspberry Pi can be enough if you have up to a couple of Mbit of Internet bandwidth; otherwise use a more capable PC) to run ntopng. This PC needs two Ethernet interfaces: one to connect the PC to the network, and the other (even a USB Ethernet adapter will work) to receive traffic from the mirror port. Supposing that this interface is named eth2, you just need to start “ntopng -i eth2”. That’s all.
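As an added example (not from the original post), a small POSIX shell helper that prepares the mirror-facing interface and then reports which expected LAN hosts never show up in the mirrored traffic, which is how you would catch devices that still bypass the mirror (for instance those left on the router's own WiFi). The interface name eth2, the 192.168.1.0/24 subnet and the host list are assumptions; the live capture needs tcpdump, timeout and root.

```shell
#!/bin/sh
# Added example, not ntopng's own code. Assumed names: eth2, 192.168.1.0/24.

MIRROR_IF="${MIRROR_IF:-eth2}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Bring the mirror interface up in promiscuous mode with no IP address:
# it only listens, so it must never answer on the monitored segment.
prepare_mirror_if() {
    ip addr flush dev "$1"
    ip link set "$1" up promisc on
}

# Collect distinct LAN source IPs seen on the mirror for $2 seconds.
# tcpdump prints "IP <src>.<port> > <dst>...", so field 3 carries the source.
seen_sources() {
    timeout "$2" tcpdump -ni "$1" -l "src net $LAN_NET" 2>/dev/null \
      | awk '$2 == "IP" {print $3}' | cut -d. -f1-4 | sort -u | tr '\n' ' '
}

# Print every expected host that never appeared as a source on the mirror.
# $1: space-separated expected hosts, $2: space-separated observed hosts.
find_blind_spots() {
    expected="$1"; seen="$2"
    for h in $expected; do
        case " $seen " in
            *" $h "*) ;;          # host was seen, mirror covers it
            *) echo "$h" ;;       # never seen: wrong VLAN, WiFi on router, etc.
        esac
    done
}

# Constructed sample: three LAN hosts expected, one of them never mirrored.
SAMPLE_EXPECTED="192.168.1.10 192.168.1.20 192.168.1.30"
SAMPLE_SEEN="192.168.1.10 192.168.1.30 192.168.1.1"

if [ "${1:-}" = "live" ]; then
    prepare_mirror_if "$MIRROR_IF"
    missing=$(find_blind_spots "$SAMPLE_EXPECTED" "$(seen_sources "$MIRROR_IF" 30)")
else
    missing=$(find_blind_spots "$SAMPLE_EXPECTED" "$SAMPLE_SEEN")
fi
[ -n "$missing" ] && echo "Hosts not visible on $MIRROR_IF: $missing"
```

Run it with the argument `live` to capture from the real mirror port for 30 seconds before starting ntopng; without arguments it only exercises the constructed sample.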
With this solution you can monitor both the traffic and the security of the whole network at a relatively low hardware cost (< 100 Euro/US$), which we believe is acceptable for keeping your network healthy and safe.
Enjoy!