
WAN traffic cyber monitoring

Ted James asked on
Tags: Networking, Network Analysis, SOC, Advanced Threat Protection
My team of SOC analysts is looking at captured internet traffic to provide cyber defense on behalf of several of our enterprise clients. Each client has a non-intrusive tap (usually a Gigamon or something similar). The Gigamon is situated outside the enterprise perimeter router, just before the enterprise's public demarc. Therefore all inbound and outbound WAN traffic passes through the tap. The tap sends the analysts a copy of the traffic (some filtered, as in NetFlow or IPFIX, and some as full PCAP) for monitoring and analysis. If the enterprise is connected directly to the internet via an ISP, the analysis is relatively easy, as the analysts are looking directly at the internet traffic for behaviors and signatures that would indicate an attack or malware of some kind. This first situation is shown here (with the downstream feed from the Gigamon to the SOC not shown):

Enterprise LAN<----->Perimeter Router<------>Gigamon tap<-------public demarc<----->ISP<------>INTERNET

The question arises when a client is not directly connected to the internet via an ISP, but rather is connected through another provider before it gets to the internet.
This second situation is shown here, where the enterprise's access to the outside world goes through another provider before actually hitting the internet. This makes monitoring the internet traffic more complicated because there is extra encapsulation. Here is that scenario:

Enterprise LAN<----->Perimeter Router<------>Gigamon tap<-------public demarc<----->Service Provider (MPLS, VXLAN, SDWAN, cloud provider)<------>INTERNET

I'd like to get some detail as to how the tapped downstream data going to the analysts would be different. Four different cases here: 1. cloud provider (AWS, Azure, etc.); 2. SDWAN provider; 3. VXLAN provider; 4. MPLS provider. For all four cases the traffic is encapsulated with the service provider's headers.

Questions for all four cases:
1. How does the analyst know the traffic is going through a service provider, and how can they identify which kind it is (is it AWS? is it SDWAN? is it VXLAN? etc.)?
2. With that, can the analyst still identify/analyze the raw user traffic as if they were looking at the actual internet traffic?

Hope I explained this right.

Thank you!
David Johnson, CD
The More I know, the more I don't know
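Added example (not from the question or any answer on this page): a small decapsulation routine showing how an analyst can tell provider transport from the customer's real flow for two of the four cases, MPLS (EtherType 0x8847) and VXLAN (UDP port 4789). It assumes IPv4 follows the MPLS label stack, as in a typical L3VPN, and the sample frames are constructed inline, not real captures.

```python
import struct
ETH_IPV4, ETH_MPLS, VXLAN_PORT = 0x0800, 0x8847, 4789

def peel(frame: bytes) -> list:
    """Return the encapsulation chain of a tapped frame, outermost first; the last
    entry is the innermost IPv4 header, i.e. the customer's actual internet traffic."""
    chain, off = [], 14
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    while True:
        if ethertype == ETH_MPLS:
            labels, entry = [], 0
            while not entry & 0x100:          # MPLS: 4-byte labels until the bottom-of-stack bit
                entry = struct.unpack_from("!I", frame, off)[0]
                labels.append(entry >> 12)
                off += 4
            chain.append({"type": "mpls", "labels": labels})
            if frame[off] >> 4 != 4:          # assumption: IPv4 follows the stack (typical L3VPN)
                raise ValueError("non-IPv4 MPLS payload")
            ethertype = ETH_IPV4
        elif ethertype == ETH_IPV4:
            ihl, proto = (frame[off] & 0x0F) * 4, frame[off + 9]
            layer = {"type": "ipv4", "proto": proto,
                     "src": ".".join(map(str, frame[off + 12:off + 16])),
                     "dst": ".".join(map(str, frame[off + 16:off + 20]))}
            if proto in (6, 17):              # TCP and UDP both begin with the two ports
                layer["sport"], layer["dport"] = struct.unpack_from("!HH", frame, off + ihl)
            chain.append(layer)
            if not (proto == 17 and layer["dport"] == VXLAN_PORT):
                return chain
            vx = off + ihl + 8                # VXLAN header follows the 8-byte UDP header
            chain.append({"type": "vxlan", "vni": struct.unpack_from("!I", frame, vx + 4)[0] >> 8})
            off = vx + 8 + 14                 # skip VXLAN header and the inner Ethernet header
            ethertype = struct.unpack_from("!H", frame, vx + 8 + 12)[0]
        else:
            raise ValueError(f"unsupported ethertype 0x{ethertype:04x}")

# Constructed sample frames (not real captures): one VXLAN- and one MPLS-carried customer flow.
def eth(ethertype, payload): return bytes(12) + struct.pack("!H", ethertype) + payload
def ip(s): return bytes(map(int, s.split(".")))
def ipv4(src, dst, proto, p): return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(p), 0, 0, 64, proto, 0, ip(src), ip(dst)) + p
def tcp(sport, dport): return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
def udp(sport, dport, p): return struct.pack("!HHHH", sport, dport, 8 + len(p), 0) + p
def mpls(*labels): return b"".join(struct.pack("!I", l << 12 | (i == len(labels) - 1) << 8) for i, l in enumerate(labels))
CUSTOMER = ipv4("192.168.10.5", "203.0.113.10", 6, tcp(51000, 443))   # the real user flow
VXLAN_FRAME = eth(ETH_IPV4, ipv4("10.1.1.1", "10.2.2.2", 17, udp(49152, VXLAN_PORT,
              bytes([0x08, 0, 0, 0]) + struct.pack("!I", 5000 << 8) + eth(ETH_IPV4, CUSTOMER))))
MPLS_FRAME = eth(ETH_MPLS, mpls(100, 16) + CUSTOMER)
```

The outer IPv4/UDP-4789 layer and the VNI, or the MPLS label stack, answer question 1 (which transport the provider is using); the last chain entry answers question 2, since it is the customer's own 5-tuple that the SOC's normal signatures and behavior checks should run against.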