2.7.2. Single-interface transparent mode

Single-interface transparent mode is similar to transparent mode, but both client-side and server-side traffic use the same interface. An external device — typically a firewall or a router (or a layer3 switch) — is required that actively redirects the audited traffic to PSM. To accomplish this, the external device must support advanced routing (also called policy-based routing or PBR). For details on configuring an external devices to work with PSM in single-interface transparent mode, see Appendix A, Configuring external devices.

Figure 2.9. PSM in single-interface transparent mode

PSM in single-interface transparent mode


The advantages of using the single-interface transparent mode are:

  • Totally transparent for the clients, no need to modify their configuration

  • The network topology is not changed

  • Only the audited traffic is routed to PSM, production traffic is not


The disadvantages of using the single-interface transparent mode are:

  • PSM acts as a man-in-the-middle regarding the connection between the client and the target server. Instead of a single client-server connection, there are two separate connections: the first between the client and PSM, and a second between PSM and the server. Depending on how you configure PSM, the source IP in the PSM-server connection can be the IP address of PSM, or the IP address of the client. In the latter case — when operating in transparent mode (including single-interface transparent mode) — PSM performs IP spoofing. Consult the security policy of your organization to see if it permits IP spoofing on your network.

  • Traffic must be actively routed to PSM using an external device, consequently a network administrator can disable PSM by changing routing rules.

  • When adding a new port or subnet to the list of audited connections, the configuration of the external device must be modified as well.

  • A network administrator can (intentionally or unintentionally) easily disable monitoring of the servers, therefore additional measures have to be applied to detect such activities.