Monitoring traffic upstream of a proxy

A natural place to put a packet sensor is around the corporate firewall / IPS device. You may want to tap the inside packets or the outside packets depending on whether or not you want to see the effects of the firewall. With this setup you are your way to become a NSM legend because you now have a record of everything with multiple ways of analyzing the past.

There is however a twist in the tale. The humble web proxy.  The traffic that hits the firewall segment is usually upstream of a proxy server like Squid (or Cisco, F5, Bluecoat) etc.  These proxies generate traffic that contain the IP address of the proxy and not of the end point. A naive NSM solution will have no way of metering or associating the end station with the traffic it generates. Everything belongs to the proxy.

Fortunately it is possible to leverage the X-Forwarding-For HTTP header to deconstruct traffic on a flow-by-flow basis. This is what Trisul Network Metering and Forensics does. Once you enable this feature, Trisul will even replace the original end points IP addresses in its packet store.

The beauty of packet based metering systems like Trisul is that it allows you to do sophisticated stuff like this.  You would not be able to get this information with simple flow based techniques like Netflow.

Here is further documentation on how you can enable this feature called XFFDeProxy.

—-

Download Trisul

Just signup and download Trisul today.  It is completely free if you are monitoring a rolling 3 day window.