Secure capture setup for multiple connections

What would be the most optimal and secure setup for capturing traffic from multiple connections?

We currently have a setup with multiple connections between different computers. Each connection belongs to some kind of different security level. We like to capture traffic for all those connections on one machine. The requirements are:

  1. No possibility of compromising the different levels and data flow between them.
  2. No introduction of an additional device which can be attacked or compromised.
  3. Capture and monitoring devices should be invisible on the network.

Port mirroring would be useful for multiple connections; however, in case the switch is compromised, traffic from one level could easily be sent to another one, which is a no-go. Since most of the connections are still 100Base-TX we thought about simple DIY passive taps; for higher bandwidth we would use optical fiber taps.

So the setup would look like this:

Taps capture traffic from the different connections. Since taps need two NICs, two ports will be occupied on the switch. Since the taps are passive, nothing can be sent back, and a potential misconfiguration on the switch would also not lead to data flowing back. Also, the switch and tap would be invisible to the network. The switch aggregates the traffic and mirrors all the different connections into one port. The port is connected to a monitoring PC running Wireshark.

Is there anything to look out for, hardware- or software-wise? Any other ideas for such a setup?
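An added example for the monitoring-PC end of the design described above (not code from the question, the Wireshark project or any switch vendor): a small POSIX shell script that makes the capture NIC on the mirror port silent (no addresses, no ARP, no IPv6 autoconfiguration, promiscuous mode), checks afterwards that the NIC has never transmitted, budgets the mirror port against the tapped full-duplex links so the aggregation switch does not silently drop frames, and starts a ring-buffer capture with dumpcap from the Wireshark suite. The interface name `eth1`, the output directory `/var/cap` and the sample `ip -s link` output are assumptions or constructed values; the taps and the switch configuration are outside the script.

```shell
#!/bin/sh
# Monitoring host for: passive taps -> aggregation switch -> mirror port -> capture NIC.
# Added example; assumes Linux iproute2/sysctl and dumpcap. Interface eth1 and
# directory /var/cap below are hypothetical defaults.

# Commands that make a capture NIC silent on the tapped segments: no IPv4/IPv6
# address, no IPv6 router solicitations, no ARP or multicast joins, promiscuous
# so every mirrored frame is accepted regardless of destination MAC.
quiet_iface_cmds() {
    iface="$1"
    printf '%s\n' \
        "ip addr flush dev $iface" \
        "sysctl -q -w net.ipv6.conf.$iface.disable_ipv6=1" \
        "ip link set dev $iface arp off multicast off" \
        "ip link set dev $iface promisc on up"
}

# Apply the commands (needs root); with DRY_RUN=1 they are only printed.
apply_quiet_iface() {
    quiet_iface_cmds "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            $cmd
        fi
    done
}

# Mirror-port budget: a tapped full-duplex link can deliver up to twice its rate
# (both directions) into the single mirror port. Prints the total and returns
# 0 when it fits, 1 when the mirror port would be oversubscribed.
# Usage: mirror_budget_ok MIRROR_MBPS LINK_MBPS...
mirror_budget_ok() {
    mirror="$1"; shift
    total=0
    for link in "$@"; do
        total=$((total + 2 * link))
    done
    echo "$total"
    [ "$total" -le "$mirror" ]
}

# Extract the TX packet counter from `ip -s link show dev IFACE` on stdin:
# the line after the "TX:" header, second column.
tx_packets_from_stats() {
    awk '/^ *TX:/ { getline; print $2; exit }'
}

# A correctly configured capture NIC never transmits; a non-zero TX counter
# means the monitoring host has been visible on the tapped segment.
capture_iface_is_silent() {
    tx=$(ip -s link show dev "$1" | tx_packets_from_stats)
    [ "${tx:-0}" -eq 0 ]
}

# Ring-buffer capture: rotate files by size (KB) and keep only the last N,
# so a long-running capture cannot fill the disk. Snaplen 0 = whole frames.
# Usage: capture_cmd IFACE OUTDIR [FILES] [KBYTES]
capture_cmd() {
    iface="$1"; outdir="$2"; files="${3:-10}"; kbytes="${4:-102400}"
    echo "dumpcap -i $iface -s 0 -b filesize:$kbytes -b files:$files -w $outdir/$iface.pcapng"
}

# Constructed sample of `ip -s link show dev eth1` for offline checks (not real data).
SAMPLE_STATS='2: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
    RX:  bytes packets errors dropped  missed   mcast
    12345678   98765      0       0       0     123
    TX:  bytes packets errors dropped carrier collsns
           0       0      0       0       0       0'

# Run as root on the monitoring host:  sh capture-host.sh run eth1 /var/cap
if [ "${1:-}" = "run" ]; then
    apply_quiet_iface "$2"
    mkdir -p "$3"
    capture_iface_is_silent "$2" || echo "warning: $2 has already transmitted frames" >&2
    $(capture_cmd "$2" "$3")
fi
```

Run `mirror_budget_ok 1000 100 100 100 100 100 100` before wiring up the switch: six tapped 100 Mbit/s links can push 1200 Mbit/s into a single gigabit mirror port, and an aggregation switch that is oversubscribed drops frames without telling Wireshark, so check the budget (or use a bigger mirror port) before trusting the capture.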