Expert Commentary on SPAN and RSPAN Weaknesses

It's no secret I am a fan of using taps instead of switch SPAN ports when instrumenting networks. Two excellent posts explain the weakness of using SPAN ports and RSPAN.

Both of these were written by Tim O'Neill, an independent consultant.

This is the simplest way for me to compare SPAN ports to taps: a SPAN port is a girlfriend, but a tap is a wife. It takes a real level of institutional commitment to install a tap, and the rewards are long-lasting. A SPAN port is a temporary fling subject to break-up (i.e., deactivation).

Furthermore, I really liked the blog post's emphasis on SPAN configuration as a change that must be allowed by the change control board in any semi-mature IT shop. The only CCB action needed for a tap is the initial installation. Any change to a SPAN port configuration should be authorized by the CCB. This is one of the reasons why very mature (and well-funded) IT shops use matrix switches for on-demand visibility, as a mentioned last year in Notes on Net Optics Think Tank.

Comments

Anonymous said…
Richard - Thanks for adding lovemytool to your site. You have been doing a great job for network industry ! Thank you for all your contributions. Oldcommguy.
Anonymous said…
SPAN was a huge issue we dealt with on the IDS team where I used to work. We had constant issues with the SPAN going up and down. When there are network issues to deal with, the network engineers have priority to the limited SPAN ports available. Hoping they remember to reconfigure your SPAN port was a waste of time. Where we had to use SPAN ports, we had implemented a simple script that ran tcpdump, counted packets, filtering for IP traffic and if no IP traffic was found, we were alerted. Without that, we would be blind and not know it.
Anonymous said…
This comment has been removed by a blog administrator.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics