Catch traffic from Lab network

Comments

  • James Bierly

    To clarify, I have the Purple using the LAN connection to pull traffic from the switch, and I do still have a spare NIC on the Gold if this is just as simple as a wire. Additionally, I have a 5-port smart switch with nothing to do currently.

  • Firewalla

    When in simple mode, Firewalla can only ARP spoof the LAN it is plugged into. If your main network is different than your lab network, it will only see where Firewalla is plugged into.

  • James Bierly

    So could I run a mirror port off the lab network and feed traffic to the 2nd NIC?

  • GZ

    Interesting. So you want both your Purple and Gold to see the lab traffic?

    I am actually thinking about similar things, but since I haven't set up anything yet, I don't know if it will work. :-)

     

    EDIT: This probably doesn't work for you. In this scheme, even if the traffic technically goes through the Purple, since it doesn't allocate any of the IPs, I am not sure how functional it will be. I am not thinking of using another firewalla box for this. 

  • James Bierly

    We anticipate mostly dropping a Purple inline as some of our customers may have a different provider managing their existing Firewall. 
    But I would love to see if ingesting traffic from multiple networks is feasible. In this case the Purple would just be running ARP Spoof and collecting data to Zeek for another purpose. 

  • Firewalla

    As long as the Firewalla is local to the connected network, it should be able to suck traffic over via ARP spoofing. (ARP spoofing doesn't work across networks.)
