# Overview ## Overview The CybrHawk Network Detection and Response (NDR) Sensor is available in two deployment options: * [Physical Sensor](/cybrhawk-docs/appliances/network-sensor/physical-sensor.md): High-performance hardware appliances designed for large enterprise or data-center environments. * [Virtual Sensor](/cybrhawk-docs/appliances/network-sensor/virtual-sensor.md): Software-based appliances suitable for smaller deployments and cloud-only environments. Both types provide passive monitoring of network traffic to deliver visibility, intrusion detection, and behavioral analytics for the CybrHawk SecOps platform. *** ## Deployment The NDR Sensor is a **passive device** that monitors a copy of production traffic.\ The recommended deployment location is where **North-South traffic** (internal ↔ external) passes through your environment, typically on the internal firewall interface. To achieve this, configure a **SPAN (port mirroring)** session on your switch or firewall to forward traffic to the NDR sensor. *** ## Deployment Diagram ![Network Sensor Deployment](/files/eBRYKVn082Iybt0ZrKcs)
*Example:* *span port configuration feeding mirrored traffic to a CybrHawk sensor.* *** ## Example: Cisco Switch Port Mirroring For a typical Cisco switch, where the internal firewall is connected on the port `eth0/1` and the CybrHawk sensor is connected to the port `eth0/2`, the configuration would be: ``` monitor session 1 source interface eth0/1 monitor session 1 destination interface eth0/2 ``` This configuration: * Creates monitoring session **1**. * Forwards traffic from the **source** interface (firewall port). * Mirrors traffic to the **destination** interface (sensor port). > **Note:** Interface notation (e.g., `eth0/1`) may vary depending on the switch model and configuration. *** ## Outbound Connectivity Requirements For the NDR Sensor to operate correctly, outbound HTTPS access is required for updates and threat intelligence feeds. * **Protocol / Port**: TCP/443 (HTTPS) * **Purpose**: OS updates, CybrHawk Threat Intelligence feeds * **Proxy Support**: Ensure proxy settings are configured to allow SSL/TLS inspection if required. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://cybrhawksoc.gitbook.io/cybrhawk-docs/appliances/network-sensor/overview.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.