Introduction
Redborder proxy-exporter is a centralized software component that collects data, processes it and forwards it to a redborder manager.
Functionality
The proxy-exporter is able to collect flow data, log data and traffic data. Before sending the traffic data safely to the manager, it can convert the traffic into netflow v5, netflow v9, ipfix or sflow. Once the proxy exporter is claimed by a redborder manager, it can be fully controlled from within the redborder manager dashboard.
1. Collecting flow data and log data
- The proxy-exporter can forward netflow and sflow. For this, a sensor can be created on the proxy-exporter from within the manager. As soon as this is done, the proxy-exporter will listen on port 2055 for netflow and on port 6343 for sflow.
- The proxy-exporter can forward syslog information. For this, a Vault sensor (syslog) can be created on the proxy-exporter from within the manager. As soon as this is done, the proxy-exporter will listen on port 514 for log information from the IP address defined for the sensor.
- This information can also be consulted in the terminal window after the installation process of the proxy-exporter.
2. Listen for traffic and convert it to flow data
- The network interfaces on the proxy-exporter can also be configured to listen for traffic, convert it into netflow v5, netflow v9, ipfix or sflow, and forward it to a redborder manager.
3. ARP spoofing
- The proxy-exporter can detect ARP spoofing on the networks connected to its network interfaces. A message is generated and sent to the redborder manager using rsyslog.
Configuring the proxy-exporter
1. Creating sensors in the proxy-exporter
- This can be done by clicking on the icon on the right of the sensor overview, as shown in the next picture, and selecting add sensor. Refer to the redborder support page for more details on how to set up sensors for a proxy-exporter.
2. Configuring the exporter
- When you go into edit mode of the proxy-exporter, you see the following information:
- Each interface of the proxy-exporter, including the management interface, can be configured to export flow data. Using the options, one can select netflow v5, netflow v9, ipfix or sflow.
- If the proxy-exporter has multiple interfaces, they can be configured as static, dhcp or span ports.
- In the ‘destiny address’ field you need to specify the destination IP address and port. The default port for netflow is 2055 and for sflow 6343.
3. ARP spoofing
- ARP spoofing detection can be activated on each of the interfaces. As soon as a new device or a MAC address change is detected, a log message is sent to the redborder manager which claimed the proxy-exporter.
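The check described above (a new device or a changed MAC address for a known IP) can be illustrated with a small IP-to-MAC binding tracker. This is an added example, not redborder's own code; the names parse_arp, ArpWatch and sample_frame, the message text and the sample addresses are assumptions made for the illustration.

```python
import struct

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac) from an Ethernet/ARP frame, else None."""
    if len(frame) < 42:                        # 14-byte Ethernet + 28-byte ARP
        return None
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:   # EtherType ARP
        return None
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet + IPv4 only
        return None
    sha, spa = frame[22:28], frame[28:32]
    if spa == b"\x00" * 4:                     # ARP probe: carries no binding
        return None
    return ".".join(map(str, spa)), ":".join(f"{b:02x}" for b in sha)

class ArpWatch:
    """Remembers the last MAC seen per IP and reports new or changed bindings."""
    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        ip, mac = parsed
        old = self.table.get(ip)
        self.table[ip] = mac
        if old is None:
            return f"new device ip={ip} mac={mac}"
        if old != mac:                         # possible ARP spoofing
            return f"mac change ip={ip} old={old} new={mac}"
        return None

def sample_frame(mac: str, ip: str) -> bytes:
    """Build a constructed ARP reply frame (test data, not captured traffic)."""
    m = bytes.fromhex(mac.replace(":", ""))
    i = bytes(int(o) for o in ip.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + m + i + b"\xff" * 6 + i
    return b"\xff" * 6 + m + b"\x08\x06" + arp

if __name__ == "__main__":
    watch = ArpWatch()
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:01", "02:00:00:00:00:99"):
        event = watch.observe(sample_frame(mac, "192.0.2.1"))
        if event:
            print(event)                       # a real sensor would send this via syslog
```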
Exporter as a docker
The exporter can also be installed as a Docker container. Download the image from live.redborder.com and start an exporter container with the following command:
docker run -ti rb-exporter /bin/bash
Once the container is started, you need to configure it and register it with the manager:
rb-configure-exporter.sh <manager ip address>
You can claim the docker-exporter in the manager with the UUID returned by the container. Once the docker-exporter is claimed, the configuration process starts.
From now on the exporter and ARP spoofing functionality are available and can be configured from the manager.
To configure the exporter you can follow the same instructions as with the proxy-exporter.