Siber Güvenlik

These devices basically record a copy of network traffic and provide simultaneous analysis. They are passive devices, although they do not provide active protection, they are necessary for quick problem resolution. Data is stored in two ways: Meta and Raw. In the Meta part, there is a lot of data that can be parsed from a pcap file. These data can be kept for long periods (1-12 months), but Raw data is naturally kept for shorter periods (1-2 weeks), which are ideal values. For traffic analysis, clear text (http, ftp, smb, etc.) must be received by these devices. If encrypted traffic (https, ftps, smtps, etc.) is received, it cannot be analyzed. Therefore, it is important to capture traffic from the right place and position the devices in the network correctly. For example, if http traffic is captured behind an LTM device positioned in One-arm mode, unfortunately, the LTM IP address will be shown as the source IP in the copy. Searching for the relevant IP on Xff will be necessary, but if this is an attacker and the traffic needs to be analyzed, correlation becomes almost impossible or takes a very long time.