Learning how to monitor network traffic is a good idea for a number of reasons. An IDS needs to observe all traffic to alert on malicious flows, and an IPS must additionally sit inline in the traffic path to block them (a sensor hanging off a mirror port can only watch). From a purely network operations perspective, monitoring traffic is how you track network performance over time, and the ability to observe traffic at key points on the network is an invaluable troubleshooting aid.
The key to monitoring traffic is identifying choke points: places where a single network traffic appliance sees the most traffic flowing between sources and destinations. For example, to monitor all ingress and egress traffic for the enterprise network, place the choke point on the inside interface of the firewall. A choke point can be a physical network tap inserted into the link, or a SPAN (mirror) port on a switch that copies the traffic of the port to be monitored (here, the switch port connected to the firewall's inside interface) to the port where the sensor is attached. Two practical caveats: mirror both directions of the source port, or the sensor sees only half of every conversation; and remember that a tap passes everything on the wire, whereas a SPAN port silently drops packets once the mirrored traffic exceeds the destination port's bandwidth, so check the mirror session for drops before trusting what the sensor does not see.
Monitoring the inside interface of the firewall shows all traffic entering and leaving the network after the firewall has filtered out unwanted traffic; anything the firewall blocked never reaches this point, so blocked connection attempts must be taken from the firewall's own logs instead. Another useful choke point is a critical server segment, which gives visibility into all traffic entering or leaving that segment, including traffic between internal hosts that never crosses the firewall. Starting with the inside firewall interface and the server segments is a good template for monitoring traffic across the enterprise.
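Once a sensor is attached to the mirror or tap at the firewall's inside interface, the first thing to verify is that the feed actually looks like that choke point: both halves of each conversation should be present, and nothing should appear that never crosses the firewall. The following Python script is an added example, not code from the original article. It works on constructed packet summaries (source, destination, protocol, ports) rather than live capture; the internal address ranges, the heuristics and the sample packets are assumptions made for illustration. The `toward_firewall_only` helper simulates a mirror session that copies only one direction, so you can see what a misconfigured SPAN source looks like to the sensor.

```python
"""Sanity checks for the traffic feed from a SPAN port or tap at the
firewall's inside-interface choke point.

Added example, not code from the original article. The internal address
ranges, the heuristics and the packet sample are assumptions built for
illustration.
"""
import ipaddress

# Assumed enterprise internal address space (RFC 1918 here; adjust to yours).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed packet summaries as a sensor on the mirror port might log them:
# (src_ip, dst_ip, proto, src_port, dst_port). Not captured traffic.
SAMPLE_PACKETS = [
    # Internal client to an Internet web server: both directions seen.
    ("10.1.20.15", "93.184.216.34", "tcp", 51234, 443),
    ("93.184.216.34", "10.1.20.15", "tcp", 443, 51234),
    # Internal client querying an external resolver; reply not seen.
    ("10.1.20.15", "8.8.8.8", "udp", 40001, 53),
    # Internal host to another internal host. This never crosses the
    # firewall, so it should not appear on the inside-interface mirror.
    ("10.1.20.15", "10.1.30.7", "tcp", 50000, 445),
    ("10.1.30.7", "10.1.20.15", "tcp", 445, 50000),
    # Outbound SSH with replies.
    ("10.1.20.16", "203.0.113.10", "tcp", 50500, 22),
    ("203.0.113.10", "10.1.20.16", "tcp", 22, 50500),
    # Outbound HTTP with no reply seen (could be filtered, or a scan).
    ("10.1.20.17", "198.51.100.5", "tcp", 50600, 80),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flow_key(pkt):
    """Direction-independent key so both halves of a conversation match."""
    src, dst, proto, sport, dport = pkt
    return (proto,) + tuple(sorted([(src, sport), (dst, dport)]))


def summarize_flows(packets):
    """Group packets into flows and record which endpoints sent anything."""
    flows = {}
    for pkt in packets:
        src, _, _, sport, _ = pkt
        entry = flows.setdefault(flow_key(pkt), {"packets": 0, "senders": set()})
        entry["packets"] += 1
        entry["senders"].add((src, sport))
    return flows


def scope(key):
    """Classify a flow by whether its endpoints are internal or external."""
    _, (ip_a, _), (ip_b, _) = key
    inside = is_internal(ip_a) + is_internal(ip_b)
    return {2: "inside-inside", 1: "inside-outside", 0: "outside-outside"}[inside]


def check_choke_point(packets):
    """Report whether the feed looks like a bidirectional mirror of the
    firewall's inside interface. The thresholds are assumptions."""
    flows = summarize_flows(packets)
    report = {"flows": len(flows), "tcp_flows": 0, "two_way": 0,
              "one_way_tcp": 0, "inside_inside": 0, "findings": []}
    for key, entry in flows.items():
        if scope(key) == "inside-inside":
            report["inside_inside"] += 1
        if key[0] == "tcp":
            report["tcp_flows"] += 1
        if len(entry["senders"]) == 2:
            report["two_way"] += 1
        elif key[0] == "tcp":
            report["one_way_tcp"] += 1
    if report["tcp_flows"] and report["one_way_tcp"] * 2 >= report["tcp_flows"]:
        report["findings"].append(
            "most TCP flows are one-way: the SPAN source is probably "
            "mirroring only rx or only tx instead of both directions")
    if report["inside_inside"]:
        report["findings"].append(
            "inside-to-inside flows present: the mirrored port carries more "
            "than the firewall's inside interface (wrong port or a trunk)")
    return report


def toward_firewall_only(packets):
    """Simulate a mirror session that copies only one direction: packets
    the switch forwards toward the firewall (external destination)."""
    return [p for p in packets if not is_internal(p[1])]


if __name__ == "__main__":
    for label, pkts in (("full mirror", SAMPLE_PACKETS),
                        ("one direction only", toward_firewall_only(SAMPLE_PACKETS))):
        rep = check_choke_point(pkts)
        print(label, {k: v for k, v in rep.items() if k != "findings"})
        for finding in rep["findings"]:
            print("  finding:", finding)
```

On the full sample the script flags only the inside-to-inside SMB flow, which points at the mirror source rather than the sensor. On the one-direction feed every TCP flow collapses to a single sender, which is the signature of a SPAN session configured for one direction only. In production you would feed it flow records or a short capture from the sensor interface instead of the embedded sample, and tune the internal ranges and thresholds to the network.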
This was first published in February 2011