Configure Lighthouse for Network Traffic Mirroring

Lighthouse can be integrated with an enterprise Intrusion Detection System (IDS) for real-time detection of security events in the network infrastructure.

Lighthouse allows users to configure the network traffic tap feature via the command line interface. The traffic_mirroring command:

  • Mirrors all network traffic over the encrypted OpenVPN tunnel between Lighthouse and the Opengear-supported appliances, and forwards all network traffic as decrypted packets to a configurable endpoint. The endpoint is expected to be a “gateway” IP address of an external device that is routable from Lighthouse.

  • Preserves the original UDP and TCP/IP header information while mirroring (so that the IDS can reassemble TCP streams and inspect the payload).

Note:  Traffic mirroring is only supported on TCP and UDP.

  • Provides an option to add a configurable VLAN tag to the Ethernet header.

  • Works with multiple instances.

Only users with sudo access on the primary Lighthouse CLI (for example, via the admin group) can enable or disable traffic mirroring.

Users must ensure that:

  • the traffic is routed to the required destination in their enterprise network.

  • their firewall rules allow traffic mirroring.

Note:  All functionality is available only via the Lighthouse CLI. There is no UI or REST API interface for the network traffic mirroring feature. For detailed CLI usage, see traffic_mirroring --help.
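As an added illustration (not part of the Opengear documentation or of the traffic_mirroring tool itself), the following Python script decodes a frame as it would arrive at the IDS endpoint and checks that the optional 802.1Q tag and the original IPv4 and TCP/UDP headers are intact. The MAC addresses, IP addresses, ports and VLAN ID are constructed sample values.

```python
import struct

ETHERTYPE_VLAN = 0x8100  # 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800

def parse_mirrored_frame(frame: bytes) -> dict:
    """Decode Ethernet [+ 802.1Q] / IPv4 / TCP|UDP and return the header fields."""
    etype = struct.unpack_from("!H", frame, 12)[0]
    off, vlan = 14, None
    if etype == ETHERTYPE_VLAN:
        tci, etype = struct.unpack_from("!HH", frame, off)
        vlan = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        off += 4
    if etype != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType 0x%04x" % etype)
    ihl = (frame[off] & 0x0F) * 4    # IPv4 header length in bytes
    proto = frame[off + 9]
    src = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst = ".".join(str(b) for b in frame[off + 16:off + 20])
    off += ihl
    if proto not in (6, 17):         # mirroring only carries TCP (6) and UDP (17)
        raise ValueError("unsupported IP protocol %d" % proto)
    sport, dport = struct.unpack_from("!HH", frame, off)
    return {"vlan": vlan, "proto": "TCP" if proto == 6 else "UDP",
            "src": src, "dst": dst, "sport": sport, "dport": dport}

def mirror_looks_right(frame: bytes, expected_vlan) -> bool:
    """True when the frame decodes and carries the VLAN ID configured on Lighthouse."""
    try:
        return parse_mirrored_frame(frame)["vlan"] == expected_vlan
    except (ValueError, struct.error):
        return False

def build_sample_frame(vlan=None) -> bytes:
    """Constructed test frame: 10.0.0.5:40000 -> 192.168.1.10:22, TCP SYN."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 65535, 0, 0)
    return eth + ip + tcp

if __name__ == "__main__":
    print(parse_mirrored_frame(build_sample_frame(vlan=100)))
```

On a real collector, feed frames captured on the interface facing the configured gateway IP into parse_mirrored_frame and alert when mirror_looks_right returns False.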

Configure Network Traffic Mirroring for Multiple Instances

You can configure network traffic mirroring for multiple instances of Lighthouse. It can mirror traffic between Lighthouses, and between a node and a dependent Lighthouse.

If new dependent Lighthouses are added to a network that is mirroring traffic, they must be re-configured for network traffic mirroring.

Note:  All CLI configuration, including enabling and disabling, must be run on the primary Lighthouse. A dependent Lighthouse can only run the --test and --status arguments.

Users can specify different settings for each Lighthouse. For example:

  • A dependent Lighthouse can have a different VLAN ID (or no VLAN ID), and a different destination IP.

  • A dependent Lighthouse can be set to only mirror node traffic, and not multi-instance traffic. This is useful because the primary is already mirroring that traffic.

  • You can enable or disable network traffic mirroring per instance.

Note:  All newly enrolled secondary Lighthouse instances have network traffic mirroring disabled by default.

Troubleshoot Network Traffic Mirroring

There may be momentary periods of up to a few seconds during which traffic is not being mirrored. For example, mirroring outages of a few seconds can occur during:

  • Configuration changes to the VPN subnet or firewall.

  • The Lighthouse boot process.

To ensure that traffic monitoring is uninterrupted, avoid rapid changes to configuration and repeated reboots of Lighthouse.