Packet capture appliance

With a centralized approach, one high-capacity, high-speed packet capture appliance connects to a data-aggregation point.

The advantages of a decentralized approach, with multiple appliances placed around the network, include: no network re-configuration required; ease of deployment; multiple vantage points for incident response investigations; scalability; no single point of failure (if one appliance fails, the others keep capturing); a greatly reduced exposure to unauthorized remote access when combined with electronic invisibility; and low cost.[4]

In the past, packet capture appliances were sparingly deployed, oftentimes only at the point of entry into a network.

Placing packet capture appliances both at the entry point and in front of each workgroup makes following the path of a particular transmission deeper into the network simpler and much quicker.

It is impossible to know ahead of time the specific characteristics of the packets or transmissions that will be needed, especially in the case of an advanced persistent threat (APT); this argues for capturing and retaining all traffic rather than only flows that match a filter written in advance.

APTs and other intrusion techniques rely for their success on network administrators not knowing how they work and thus not having countermeasures in place.

The peak capture speed can be maintained only for a short period of time, until the appliance's buffers fill up and it starts dropping packets; the sustained rate is bounded by how fast captured data can be written to storage, so sizing should be based on the sustained rate rather than the peak.

In general, packet capture appliances with overwrite capabilities (a ring buffer that discards the oldest captures once storage is full) are useful for simple monitoring or testing purposes, for which a permanent record is not necessary.

A packet capture appliance deployed for any length of time should incorporate security features, to protect the recorded network data from access by unauthorized parties.

For example, some packet capture appliances feature “electronic invisibility”: a stealthy network profile in which the capture interface neither requires nor uses an IP or MAC address, so it cannot be addressed, scanned or attacked over the network it monitors.

This simple control is effective because an attacker would need physical access to the appliance in order to flip a switch, which is rarely easy to obtain.
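The software side of such a stealth profile can be reproduced on an ordinary Linux capture host. The script below is an added example and not code from the article or from any appliance vendor: it strips every address and protocol the kernel would otherwise advertise on a capture NIC, brings the port up in promiscuous mode, and then checks that the port really is silent. It assumes iproute2 and sysctl are installed; the interface name cap0 used in the check and the DRY_RUN switch are placeholders introduced here.

```shell
#!/bin/sh
# Added example (not from the original article): make a Linux capture port
# "electronically invisible" at the software level.
# Assumptions: iproute2 (`ip`) and procps (`sysctl`) present; run as root.
# DRY_RUN=1 prints the commands instead of executing them.

DRY_RUN="${DRY_RUN:-0}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Remove every identity the kernel would advertise on the capture port, then
# bring it up in promiscuous mode so it still receives frames for any MAC.
stealth_iface() {
    iface="$1"
    run ip addr flush dev "$iface"                          # no IPv4/IPv6 addresses
    run sysctl -q -w "net.ipv6.conf.$iface.disable_ipv6=1"  # no fe80:: link-local, no NDP/RS
    run ip link set dev "$iface" arp off                    # never send or answer ARP
    run ip link set dev "$iface" multicast off              # no IGMP/MLD joins
    run ip link set dev "$iface" promisc on                 # capture frames for any MAC
    run ip link set dev "$iface" up
}

# Reads the output of `ip -o addr show dev <iface>` on stdin and succeeds
# only if the interface carries no inet or inet6 address at all.
is_addressless() {
    ! grep -qE '[[:space:]]inet6?[[:space:]]'
}

# Post-check on a live system: no address and the NOARP flag set.
verify_stealth() {
    iface="$1"
    ip -o addr show dev "$iface" | is_addressless || {
        echo "$iface still has an IP address" >&2
        return 1
    }
    ip -o link show dev "$iface" | grep -q NOARP || {
        echo "$iface still answers ARP" >&2
        return 1
    }
}

# Usage: ./stealth.sh apply cap0   (only runs when asked, so sourcing is safe)
if [ "${1:-}" = "apply" ]; then
    stealth_iface "${2:-cap0}" && verify_stealth "${2:-cap0}"
fi
```

This only keeps the host quiet; the NIC still has a burned-in MAC address, and any daemon bound to the port (LLDP, DHCP clients, mDNS) must also be disabled or it will transmit. A port that truly has no MAC is a receive-only port fed by a passive tap or SPAN session, and management of the appliance should sit on a separate out-of-band interface rather than on the capture port.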

All the network security features in the world are moot if someone is simply able to steal the packet capture appliance, or copy its storage, and thereby gain ready access to the data stored on it.

Encrypting the stored captures is one of the best ways to address this concern, provided the encryption key is not kept in the clear on the appliance itself; some packet capture appliances also feature tamper-resistant enclosures.