1220 Views | 1 Helpful | 2 Replies

Can I build Flow Maps that require MAC Address information

faulknem
Level 1

Hi..

I have internet-bound traffic from sources that goes via the perimeter firewall; there is other internet-bound traffic from sources that goes through a proxy server before going to the perimeter firewall.

I need to be able to create flow diagrams that can identify the separate flows, and my thought would be to separate the flows by internet traffic that has the target MAC address being the inside NIC of the proxy server versus traffic that has the target MAC address being the inside NIC of the perimeter firewall from sources that are not the outside NIC of the proxy server.

Hope that makes sense

Regards

Mick Faulkner

2 Replies

brford
Cisco Employee

Building flow (or Relationship) maps using Stealthwatch is based on your defined Host Groups. Relationship Maps show the policies that Stealthwatch knows about between these groups. Host Groups are based on IP addresses. You can define Host Groups as being 'inside' your protected network and outside.

It sounds like your Relationship Map would map one or more inside Host Groups to the Host Group serving IP addresses from the proxy, and the inside Host Groups to the IP address pool used by the Firewall.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

Thanks for your reply

Yes.. you have confirmed my fears: the criteria I can filter against in Host Groups can only go down as far as layer 3, even though the NetFlow data that Stealthwatch gathers contains Layer 2 information. This makes it difficult to isolate the traffic from internal hosts that take a direct route out to the internet versus those that go via the proxy; I was hoping to add target MAC to make that separation.

So from the sound of it, I will need to track based on the source IP address subnets only; unfortunately we do not dictate policy on allocating IP addressing, and there are a large number of randomized address subnets.
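The MAC-based split described in this thread, as an added example that is not Stealthwatch code and was not posted by either participant: it classifies NetFlow records that carry the L2 MAC elements and derives the source IPs that bypass the proxy, which is the list an IP-based Host Group needs. The three NIC MACs and the RFC 1918 "internal" prefixes are placeholders, and the split only holds for flows exported from the segment where those NICs are the next hop.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed example; every MAC and prefix below is a placeholder for this site.
PROXY_INSIDE_MAC = "02:00:00:00:00:01"     # proxy server, inside NIC (hypothetical)
PROXY_OUTSIDE_MAC = "02:00:00:00:00:02"    # proxy server, outside NIC (hypothetical)
FIREWALL_INSIDE_MAC = "02:00:00:00:00:03"  # perimeter firewall, inside NIC (hypothetical)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class FlowRecord:
    """L3 addresses plus the L2 elements sourceMacAddress (56) and destinationMacAddress (80)."""
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str

def is_internet_bound(rec: FlowRecord) -> bool:
    dst = ipaddress.ip_address(rec.dst_ip)
    return not any(dst in net for net in INTERNAL_NETS)

def classify(rec: FlowRecord) -> str:
    """MAC-based split from the thread; valid only for flows exported from the segment
    where the proxy and firewall inside NICs are the next hop."""
    if not is_internet_bound(rec):
        return "internal"
    if rec.dst_mac == PROXY_INSIDE_MAC:
        return "via-proxy"         # client -> proxy
    if rec.dst_mac == FIREWALL_INSIDE_MAC:
        if rec.src_mac == PROXY_OUTSIDE_MAC:
            return "proxy-egress"  # proxy -> firewall, already proxied
        return "direct"            # client -> firewall, proxy bypassed
    return "other"

def direct_sources(records) -> set:
    """Source IPs that bypass the proxy: the list to feed an IP-based Host Group."""
    return {r.src_ip for r in records if classify(r) == "direct"}

# Constructed sample flows, not captured data.
SAMPLE = [
    FlowRecord("10.20.30.4", "203.0.113.10", "02:aa:aa:aa:aa:04", PROXY_INSIDE_MAC),
    FlowRecord("10.20.31.9", "198.51.100.7", "02:aa:aa:aa:aa:09", FIREWALL_INSIDE_MAC),
    FlowRecord("10.20.32.1", "198.51.100.7", PROXY_OUTSIDE_MAC, FIREWALL_INSIDE_MAC),
    FlowRecord("10.20.30.4", "10.20.40.2", "02:aa:aa:aa:aa:04", "02:bb:bb:bb:bb:02"),
]

if __name__ == "__main__":
    print(Counter(classify(r) for r in SAMPLE), sorted(direct_sources(SAMPLE)))
```

Run periodically over exported flows, the "direct" set can be pushed into a dedicated Host Group so the Relationship Map separates proxied from unproxied egress even when the source subnets are not under your control.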