If your company has a couple of SIEMS or maybe more than one NetFlow collector, you could probably benefit from a UDP Packet Forwarding system. Here’s the reason: many syslog and flow exporting devices can only export to one or two devices but, when you have hundreds of exporters that need to be updated to send to a second device, it can be a tedious error-prone process even with automated scripts. Not to mention, some hardware can only send syslogs or flows to one location.
A UDP packet forward appliance sits in front of a SIEM or the legacy flow collector. In some cases, it assumes the IP address of the SIEM or flow collector, and the SIEM is given a new IP address. When the appliance acting as the UDP forwarder receives the syslog and flow packets, it will forward them on by modifying the destination IP address but, leaving the source IP address unchanged. This means the SIEM and legacy flow collector believe they are receiving the UDP packets directly from the source. A UDP forwarder can also multiply the UDP datagrams and forward a single UDP stream to multiple destinations as explained in the video below.
A UDP forwarding appliance provides several benefits when it is placed locally to the SIEM and flow collection systems.
- Reduces the amount of traffic on the network, especially over the WAN
- Reduces the load on routers and switches as they only have to send UDP messages to one location
- Lessens the configuration workload when hundreds or thousands of routers suddenly need to send NetFlow, sFlow, IPFIX, or syslogs to a different IP address
- Eases the burden of trying to reconfigure hardware from different vendors and helps reduce the likelihood of mistakes
- Provides management station redundancy by sending logs to multiple destinations simultaneously
- Allows both network and security administrators to receive the same log messages while maintaining separate systems.
There are several solutions on the market that act as a UDP director for forwarding UDP packets.
However, the best commercial solutions provide the following additional features:
- Detect when the destination hosts are offline and stop forwarding traffic
- Maintain counters that allow admins to identify top UDP datagram producers
- Allow the configuration of policies that will accept UDP from entire subnets and send them to the correct destinations
- Provide fault tolerance and redundancy in case of a failure
If you need to duplicate UDP datagrams try the flow replicator. It is ideal for UDP Packet Forwarding.