Network Security Monitoring with Dualcomm DCSW-1005PT

For a while now I have been looking for a cost effective solution to perform Network Security Monitoring (NSM) for small businesses. NSM basically means collecting, analyzing and escalating indications and warnings to detect advanced threats and intrusions.

One of the best ways to do this is to monitor traffic from a live line tap. A tap is a port that provides a copy of the live data on a second port so it can be recorded, and analyzed. High end switches and routers usually have a tap port for this function. You could also use an old repeater hub to get a copy of the signal. Herein lays the problem, high end switches are usually very pricey and overkill for a small business, and finding a hub has become nearly impossible and they are not as efficient (due to collisions).

Dualcomm to the rescue! John from Dualcomm recently provided me with a Dualcomm DCSW-1005PT Mini 5-Port 10/100 LAN Switch/ Sniffer for evaluation. The Dualcomm unit provides Plug & Play port mirroring, with no configuration needed. You simply plug the source data line into port one, the device you are monitoring into port 2 and you instantly get a copy of the data on port 5. That’s it, it is truly that simple.

When I first opened the box, I was surprised to see how small the DCSW-1005PT is. It is about the size of a deck of playing cards (pen used in photo for size reference). Also, the device is USB powered, so all you need is an open USB port to power it.

To test the device, I used Wireshark to capture the data from the mirrored port and save the packet data stream. I then used Netwitness Investigator to analyze the saved pcap files for threats. For the tests, I wanted to monitor the incoming line from my ISP to my firewall and secondly, monitor the data from the firewall to a specific workstation.

In both tests, placing the Dualcomm in line with the data to be monitored was quick and painless. The unit functioned flawlessly and data acquisition was very rapid.

Although I did not test it, according to the manual, the device also performs Power over Ethernet (PoE). It can expand a PoE uplink port into four downstream ports or with the port mirroring feature; you can use it to record IP phone calls to a monitoring PC.  

The size and price point of the DCSW-1005PT makes it a very attractive solution for NSM or any solution that requires a mirrored port. I am very satisfied with the Dualcomm unit, and highly recommend it.

~ by D. Dieterle on November 29, 2010.

5 Responses to “Network Security Monitoring with Dualcomm DCSW-1005PT”

  1. […] Read more from the original source: Network Security Monitoring with Dualcomm DCSW-1005PT « CYBER ARMS … […]

  2. […] View original post here: Network Security Monitoring with Dualcomm DCSW-1005PT « CYBER ARMS … […]

  3. […] Network Security Monitoring with Dualcomm DCSW-1005PT – cyberarms.wordpress.com One of the best ways to do this is to monitor traffic from a live line tap. A tap is a port that provides a copy of the live data on a second port so it can be recorded, and analyzed. […]

  4. […] and ready to use even on your small business or home system. This would work great with Dualcomm’s Network port mirroring device.  Check it […]

  5. […] CD to check it out. Running Security Onion with two network cards installed and matching it to a Dualcomm port mirroring device provides a cheap but powerful monitoring system. When two network cards are […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: