Showing posts matching the search for taps

Why Network Taps

My colleagues and I are spending some time justifying the installation of network taps, instead of using SPAN ports, to gain access to network traffic. This is an old discussion. See my Dec 07 post Expert Commentary on SPAN and RSPAN Weaknesses and Net Optics' page Tap vs SPAN. For a different perspective see Scott Haugdahl's Is Spanning Bad? and Is RSPAN Bad? I'm using the following points when discussing the situation. Taps free SPAN ports for tactical, on-demand monitoring, especially intra-switch monitoring. Many switches have only two ports capable of SPAN, and some offer only one. If you commit a SPAN port for permanent monitoring duties, and you need to reassign it for some sort of troubleshooting on a VLAN or other aspect of the traffic, you have to deny traffic to your sensor while the SPAN port is doing other work. Keep your SPAN ports free so you can do intra-switch monitoring when you need it. Taps provide strategic, persistent monitoring. Installin

How Do You Use Taps?

How do you use taps? Specifically, do any of you use Net Optics taps? If yes, I would like to speak with you through email. I'm interested in your thoughts on any of these subjects: How did you justify buying these products? Did you encounter any installation issues? How are you using taps? What alternatives did you consider? Did taps help you learn more about any intrusions, or help you prevent or mitigate intrusions? I appreciate any feedback you might have. Please email richard at taosecurity dot com. Thank you.

Notes on Net Optics Think Tank

Last week I attended and spoke at the latest Net Optics Think Tank. I've presented for Net Optics twice before, but this was the first event held in northern Virginia. The first half of the event consisted of two briefings. The first discussed tap technology. This was supposed to be a basic introduction but I learned quite a bit, especially with regards to fiber optics. Specifically, I learned of some cases where customers reverse cables when plugging in their taps, thereby causing lots of tough-to-troubleshoot problems. Furthermore, as customers move from Gigabit over fiber to 10 Gigabit over fiber, they are encountering cabling issues. Gigabit is much more forgiving than 10 Gig. At 10 Gig, you apparently have to pay close attention to the specifications, such as core size. I learned that Net Optics is considering ways to "tag" or "label" packets collected by their link aggregator taps. When discussing matrix switches, it occurred to me that tho

Dealing with Security Instrumentation Failures

I noticed three interesting blog posts that address security instrumentation failures. First, security software developer Charles Smutz posted Flushing Out Leaky Taps: How many packets does your tapping infrastructure drop before ever reaching your network monitoring devices? How do you know? I’ve seen too many environments where tapping problems have caused network monitoring tools to provide incorrect or incomplete results. Often these issues last for months or years without being discovered, if ever... One thing to keep in mind when worrying about loss due to tapping is that you should probably solve, or at least quantify, any packet loss inside your network monitoring devices before you worry about packet loss in the taps. You need to have strong confidence in the accuracy of your network monitoring devices before you use data from them to debug loss by your taps. Remember, in most network monitoring systems there are multiple places where packet loss is reported... I’m not g
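One concrete way to quantify the loss Smutz is talking about, added here as an illustration (it is not code from the original post or from Charles Smutz's post): audit captured TCP flows for holes in sequence space. If the sender kept transmitting past a hole and no later retransmission ever fills it, those bytes were on the wire but never reached the capture, so they were dropped somewhere between the tap and the sniffer. A hole that a retransmission does fill was ordinary network loss, not instrumentation loss, and is credited back. The segments below are constructed; in practice you would feed the function (flow, seq, payload length) tuples pulled from a pcap, and then compare its verdict against the per-stage drop counters the post mentions (NIC, capture library, sensor) to find which stage is leaking.

```python
"""Capture-loss audit over TCP sequence numbers.

Added example for this page; it is not code from the original post or from
Charles Smutz's post. A hole in a flow's sequence space that the sender kept
transmitting past, and that no later retransmission fills, means those bytes
were on the wire but never reached the capture: lost in the tap, aggregator,
NIC ring or capture library. A hole that a retransmission later fills was
ordinary network loss, not instrumentation loss, and is credited back.
"""

SEQ_MOD = 1 << 32


def seq_delta(a, b):
    """Signed distance a - b in 32-bit TCP sequence space (wrap-safe)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


def _fill_holes(st, seq, plen):
    """Credit back any part of [seq, seq+plen) that covers an open hole."""
    remaining = []
    for start, end in st["holes"]:
        hole_len = seq_delta(end, start)
        off = seq_delta(seq, start)          # segment start relative to hole start
        lo, hi = max(off, 0), min(off + plen, hole_len)
        if hi <= lo:                          # no overlap with this hole
            remaining.append((start, end))
            continue
        filled = hi - lo
        st["missing"] -= filled
        st["seen"] += filled
        if lo > 0:
            remaining.append((start, (start + lo) % SEQ_MOD))
        if hi < hole_len:
            remaining.append(((start + hi) % SEQ_MOD, end))
    st["holes"] = remaining


def audit_capture_loss(segments):
    """segments: iterable of (flow_key, seq, payload_len) in capture order.

    Returns {flow_key: {"seen": bytes, "missing": bytes, "holes_opened": n,
                        "holes": [(start, end), ...], "expected": next_seq}}.
    """
    stats = {}
    for flow, seq, plen in segments:
        if plen == 0:
            continue                          # pure ACKs occupy no sequence space
        st = stats.setdefault(flow, {"seen": 0, "missing": 0, "holes_opened": 0,
                                     "holes": [], "expected": seq})
        d = seq_delta(seq, st["expected"])
        if d > 0:
            # Jumped ahead: [expected, seq) was sent but (so far) never captured.
            st["holes"].append((st["expected"], seq))
            st["holes_opened"] += 1
            st["missing"] += d
        elif d < 0:
            # Behind the high-water mark: retransmission or reordering.
            _fill_holes(st, seq, plen)
            new_bytes = seq_delta((seq + plen) % SEQ_MOD, st["expected"])
            if new_bytes <= 0:
                continue
            seq, plen = st["expected"], new_bytes   # only the part past the mark is new
        st["seen"] += plen
        st["expected"] = (seq + plen) % SEQ_MOD
    return stats


def loss_ratio(st):
    """Fraction of the flow's observed sequence space that never reached the capture."""
    total = st["seen"] + st["missing"]
    return st["missing"] / total if total else 0.0


# Constructed sample capture: (flow, seq, payload length) in arrival order.
CLIENT = ("10.1.1.5", 40001, "203.0.113.10", 80)
SERVER = ("203.0.113.10", 80, "10.1.1.5", 40001)
SAMPLE_SEGMENTS = [
    (CLIENT, 1000, 200),
    (CLIENT, 1200, 200),
    (CLIENT, 1400, 0),          # pure ACK
    (SERVER, 5000, 1460),
    (SERVER, 6460, 1460),
    (SERVER, 9380, 1460),       # opens hole [7920, 9380)
    (SERVER, 10840, 600),
    (SERVER, 7920, 1460),       # retransmission fills it: network loss, not capture loss
    (SERVER, 12900, 1460),      # opens hole [11440, 12900), never filled: capture loss
]

if __name__ == "__main__":
    for flow, st in audit_capture_loss(SAMPLE_SEGMENTS).items():
        print("%s:%d -> %s:%d  seen=%d missing=%d holes=%d loss=%.1f%%" % (
            flow[0], flow[1], flow[2], flow[3], st["seen"], st["missing"],
            len(st["holes"]), 100 * loss_ratio(st)))
```

The audit only says that loss exists on a flow, not where. Run it on a capture taken directly at the tap output and on the sensor's own capture of the same traffic: a hole present in both points at the tap or aggregator, a hole present only on the sensor points at the NIC ring or capture stack, which is exactly the ordering Smutz recommends sorting out first.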

New Taps from NetOptics

Thanks to NetOptics, I've deployed their 10/100BaseT tap as a replacement for my Finisar model. The NetOptics device is intriguing in that it ships with redundant power inputs. I use a FreeBSD-based solution documented here to combine the two tap TX outputs into a single virtual interface. Beyond the Ethernet-based products shown here, NetOptics offers a variety of alternatives, including devices for tapping multiple ports. Shortly I hope to try NetOptics' new 10/100BaseT Port Aggregator Tap. This device has a single output, which removes the need for combining two TX outputs. Unlike a competitor's product, the Aggregator Tap specifically addresses the issues of combining streams which may exceed 100 Mbps: "For cases where the NIC’s capacity is exceeded – for instance, if there is a traffic burst, and the 100 Mbps NIC is now receiving 140 Mbps of traffic – port buffering is offered as an additional innovative feature to help prevent data overload. Buffered memo

Bonding Tap Outputs

While perusing the Focus-IDS mailing list I read this great thread on the use of taps for IDS, started in Dec 2001. (Did you know TAP means Test Administrative Port?) The question of how to combine the two output streams from a tap became an issue. "Real" taps like the Finisar UTP IL/1 below or the TopLayer Fast Ethernet Copper Tap have two inputs and two outputs: With two outputs, how do you recombine the streams? Several posts mentioned the "THG", which refers to Finisar's (formerly Shomiti) Ten Hundred Gigabit system, as a means to combine the two streams sent out from tap ports A and B. Intrusion, Inc., makes a tap with a single output: There's a problem with this setup. If the sum of the streams collected from the two inputs exceeds the capacity of the single output, packets are dropped. Whoops! TopLayer's IDS Balancer was also mentioned as a way to aggregate streams, but I'm not convinced it's appropriate for the stream re

Taps and Hubs Never, Ever Mix

I've written about not using taps with hubs in January 2004 and again in a prereview of Snort Cookbook. The diagram below shows why it's a bad idea to try to "combine" outputs from a traditional tap into a hub. The diagram shows a traditional two-output tap connecting to a hub. The two tap outputs each carry one direction of a full-duplex link, and a hub is a single half-duplex collision domain, so whenever both directions carry traffic at the same time the frames collide and are lost. Why would someone do this? This unfortunate idea tries to give a sensor with a single sniffing interface the ability to see traffic from both tap outputs simultaneously. The proper way to address the issue is shown below. A method to bond interfaces with FreeBSD is listed here. We could avoid the interface bonding issue if we replace the dual output tap with a so-called port aggregator tap, like the one pictured at left. As long as the total aggregate bandwidth of the monitored link does not exceed 100 Mbps (for a 100 Mbps tap), then we can use it as shown below. What do we do if we have more than one sensor platform? In other words, we may have an IDS and some other device that need

New Net Optics Product Evaluations

I recently acquired several more specialized taps from Net Optics. I thought you might like to hear a few words about them. I plan to feature these and a few other devices in my new book Extrusion Detection, but why wait until then? I specifically requested evaluation units to meet monitoring and network access problems my clients brought to me. Perhaps you will find one or more of these products answer a monitoring question you've also been pondering. Keep in mind that I show Ethernet versions here, but a variety of optical products are offered. Also, I mention these products as they might be deployed at the perimeter, between a border router and firewall. They can certainly be used elsewhere, but for consistency here I stay with that deployment scenario. The first product I tried was the 10/100 Active Response Dual Port Aggregator Tap. The purpose of this device is to provide full duplex access to a network link to two sensor platforms. The two outputs on the left

Expert Commentary on SPAN and RSPAN Weaknesses

It's no secret I am a fan of using taps instead of switch SPAN ports when instrumenting networks. Two excellent posts explain the weakness of using SPAN ports and RSPAN. Both of these were written by Tim O'Neill, an independent consultant: SPAN Port or TAP? CSO Beware, and RSPAN... Friend or Foe? This is the simplest way for me to compare SPAN ports to taps: a SPAN port is a girlfriend, but a tap is a wife. It takes a real level of institutional commitment to install a tap, and the rewards are long-lasting. A SPAN port is a temporary fling subject to break-up (i.e., deactivation). Furthermore, I really liked the blog post's emphasis on SPAN configuration as a change that must be allowed by the change control board in any semi-mature IT shop. The only CCB action needed for a tap is the initial installation. Any change to a SPAN port configuration should be authorized by the CCB. This is one of the reasons why very mature (and well-funded) IT shops use matrix switches for

Distributed Traffic Collection with Pf Dup-To

The following is another excerpt from my upcoming book titled Extrusion Detection: Security Monitoring for Internal Intrusions. I learned yesterday that it should be available the last week in November, around the 26th. We’ve seen network taps that make copies of traffic for use by multiple monitoring systems. These copies are all exactly the same, however. There is no way using the taps just described to send port 80 TCP traffic to one sensor, and all other traffic to another sensor. Commercial solutions like the Top Layer IDS Balancer provide the capability to sit inline and copy traffic to specified output interfaces, based on rules defined by an administrator. Is there a way to perform a similar function using commodity hardware? Of course! The Pf firewall introduced in Chapter 2 offers the dup-to keyword. This function allows us to take traffic that matches a Pf rule and copy it to a specified interface. Figure 4-17 demonstrates the simplest deployment of this sort of s
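The port 80 versus everything-else split described above, as an added pf.conf example that is not from the book or from the original post. The interface names, the two sensor links and the sensor addresses are assumptions for illustration; the parenthesised (interface address) form is the dup-to syntax of the pf versions FreeBSD and OpenBSD shipped in that period, and later OpenBSD releases changed it, so check pf.conf(5) for the version you run.

```pf
# pf.conf excerpt: copy port 80 TCP to one sensor, everything else to another.
# Added example, not from the book or the post. Interface names and the
# sensor addresses below are assumptions; adjust them to your own layout.

ext_if = "fxp0"                     # toward the border router
int_if = "fxp1"                     # toward the firewall / internal network
web_sensor = "fxp2"                 # dedicated link to the HTTP sensor
all_sensor = "fxp3"                 # dedicated link to the everything-else sensor
web_sensor_addr = "192.168.100.2"   # HTTP sensor's address on the fxp2 link
all_sensor_addr = "192.168.101.2"   # other sensor's address on the fxp3 link

# Do not filter or track state on the sensor links themselves; the copies
# should leave untouched.
set skip on { $web_sensor $all_sensor }

# Web traffic, whichever side opens the connection, goes to the HTTP sensor.
# "quick" stops evaluation, so a packet is copied once, never twice.
pass in quick on $ext_if dup-to ($web_sensor $web_sensor_addr) inet proto tcp from any to any port 80 keep state
pass in quick on $int_if dup-to ($web_sensor $web_sensor_addr) inet proto tcp from any to any port 80 keep state

# Everything else goes to the second sensor.
pass in quick on $ext_if dup-to ($all_sensor $all_sensor_addr) all keep state
pass in quick on $int_if dup-to ($all_sensor $all_sensor_addr) all keep state
```

Two caveats a practitioner will want. First, the copy is an Ethernet frame addressed to the sensor's MAC, so the sensor address must be reachable by ARP on that link; verify the split with tcpdump on each sensor interface before trusting it. Second, unlike a passive tap, the copy only exists for packets pf itself passes: anything an earlier block rule drops never reaches either sensor, and a pf box that falls over takes the monitoring with it.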

Speaking at Net Optics Think Tank Event in May

I will be presenting my thoughts on pervasive network awareness as facilitated by taps at the next Net Optics Think Tank. The event will take place on 18 May 2005 in their Sunnyvale, CA headquarters. I use Net Optics taps to gain access to traffic when performing network security monitoring.

Net Optics Press Release on Book and USENIX Class

I'm a big fan of taps made by Net Optics, especially after reading advice from other manufacturers. Because I featured Net Optics taps in chapter 3 of my book, and brought one for my class network at USENIX, Net Optics published a press release on the two events today. I'd like to thank Net Optics for supporting my tap research and for giving expert advice on chapter 3. On a related note, I came across this 1996 thread discussing early tap use.

Bejtlich Books Explained

A reader asked me to explain the differences between two of my books. I decided to write a public response. If you visit the TaoSecurity Books page, you will see two different types of books. The first type involves books which list me as author or co-author. The second involves books to which I have contributed a chapter, section, or foreword. This post will only discuss books which list me as author or co-author. In July 2004 I published The Tao of Network Security Monitoring: Beyond Intrusion Detection. This book was the result of everything I had learned since 1997-98 regarding detecting and responding to intruders, primarily using network-centric means. It is the most complete examination of NSM philosophy available. I am particularly happy with the NSM history appendix. It cites and summarizes influential computer security papers over the four decade history of NSM to that point. The main problem with the Tao is that certain details of specific software versions are

Bejtlich Teaching at Black Hat Trainings 8-9 Dec 2014

I'm pleased to announce that I will be teaching one class at Black Hat Trainings 2014 in Potomac, MD, near DC, on 8-9 December 2014. The class is Network Security Monitoring 101. I taught this class in Las Vegas in July 2013 and 2014, and Seattle in December 2013. I posted Feedback from Network Security Monitoring 101 Classes last year as a sample of the student commentary I received. This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware. The first discounted registration deadline is 11:59 pm EDT October 31st. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EST December 5th. You can register here. I recently topped the 1,000 student

Bejtlich Teaching at Black Hat USA 2014

I'm pleased to announce that I will be teaching one class at Black Hat USA 2014, 2-3 and 4-5 August 2014 in Las Vegas, Nevada. The class is Network Security Monitoring 101. I've taught this class in Las Vegas in July 2013 and Seattle in December 2013. I posted Feedback from Network Security Monitoring 101 Classes last year as a sample of the student commentary I received. This class is the perfect jumpstart for anyone who wants to begin a network security monitoring program at their organization. You may enter with no NSM knowledge, but when you leave you'll be able to understand, deploy, and use NSM to detect and respond to intruders, using open source software and repurposed hardware. The first discounted registration deadline is 11:59 pm EDT June 2nd. The second discounted registration deadline (more expensive than the first but cheaper than later) ends 11:59 pm EDT July 26th. You can register here. Please note: I have no plans to teach this class