Flow-Tap Architecture

The flow-tap architecture consists of one or more mediation devices that send requests to a Juniper Networks routing platform to monitor incoming data. Any packets that match specific filter criteria are forwarded to a set of one or more content destinations:

• Mediation device—A client that monitors electronic data or voice transfer over the network. The mediation device sends filter requests to the Juniper Networks routing platform using the DTCP. The clients are not identified for security reasons, but have permissions defined by a set of special login classes.
• Monitoring platform—A Juniper Networks M-series or T-series routing platform containing one or more Adaptive Services (AS) PICs, which are configured to support the flow-tap application. The monitoring platform processes the requests from the mediation devices, applies the dynamic filters, monitors incoming data flows, and sends the matched packets to the appropriate content destinations.
• Content destination—Recipient of the matched packets from the monitoring platform. Typically the matched packets are sent using an IP Security (IPSec) tunnel from the monitoring platform to another router connected to the content destination. The content destination and the mediation device can be physically located on the same host.
• Dynamic filters—The Packet Forwarding Engine automatically generates a firewall filter that is applied to all IPv4 routing instances. Each term in the filter includes a flow-tap action that is similar to the existing sample or port-mirroring actions. As long as one of the filter terms matches an incoming packet, the router copies the packet and forwards it to the AS PIC that is configured for flow-tap service. The AS PIC runs the packet through the client filters and sends a copy to each matching content destination. For security, filters installed by one client are not visible to others and the CLI configuration does not reveal the identity of the monitored target.

  Following is a sample filter configuration; note that it is dynamically generated by the router (no user configuration is required):

  filter combined_LEA_filter {

  term LEA1_filter {

  from {

  source-address 1.2.3.4;

  destination-address 3.4.5.6;

  }

  then {

  flow-tap;

  }

  }

  term LEA2_filter {

  from {

  source-address 10.1.1.1;

  source-port 23;

  }

  then {

  flow-tap;

  }

  }

  }

Figure 27 shows a sample topology that uses two mediation devices and two content destinations.

Figure 27: Flow-Tap Topology Diagram

Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.