301 Reading 9 - marsecguy/reading-notes-cyberops GitHub Wiki
Traffic Mirroring
What are the differences between SPAN and TAP?
- SPAN is a more passive form of mirroring in which a copy of port traffic is forwarded from one or more ports to another port for analysis. Because it uses existing infrastructure, it is limited: the mirrored traffic can be dropped during high-traffic times, so packets can be lost. TAP is a more active measure that uses a separate piece of hardware to capture a copy of all traffic between two points on a network.
What types of network devices can support network traffic mirroring?
- SPAN can be used with existing switches. TAP uses an additional cable that still passes the traffic through but also routes a copy of all traffic to an additional port for the monitoring terminal.
How can network traffic mirroring be used for network security?
- It can be an unobtrusive way of monitoring what is being done on and through the network. It could be particularly useful for monitoring the activities of someone suspected of being an insider threat, or of using the network in ways that violate the acceptable use policy (AUP).
Are there any legal or ethical considerations when using network traffic mirroring?
- Using mirroring to monitor employees or coworkers without reasonable cause would certainly be an ethical, and possibly a legal, issue. Policies should be created that require security personnel to gain approval before deploying these methods. One person having the ability to both decide on and implement the tactic is not a good idea. When possible, legal counsel should be sought as part of the approval process.
Source: Accedian
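
The first answer notes that a SPAN port can lose packets under load. One way to check a mirrored feed for that, shown here as an added example (not from the reading or from these notes), is to count TCP payload bytes that the receiver acknowledged but the capture never contained. The packet tuples and host names are constructed, and the sketch assumes data segments only (no SYN/FIN accounting, no sequence-number wraparound).

```python
from collections import defaultdict

# Constructed sample: (src, dst, seq, payload_len, ack) as seen on the monitor port.
# Host A sends four 100-byte segments; the mirror dropped the one at seq 1200.
CAPTURE = [
    ("A", "B", 1000, 100, 5000),
    ("A", "B", 1100, 100, 5000),
    ("A", "B", 1300, 100, 5000),   # bytes 1200..1299 never reached the sensor
    ("B", "A", 5000, 0, 1400),     # B acknowledges everything below 1400
]

def unseen_acked_bytes(packets):
    """Return {(src, dst): bytes the receiver ACKed but the sensor never saw}.

    Data that was ACKed really crossed the network, so if it is absent from
    the capture it was lost by the mirror, not by the network itself.
    """
    seen = defaultdict(list)   # (src, dst) -> [(start, end)] payload byte ranges
    highest_ack = {}           # (src, dst) -> highest ACK sent back by dst
    for src, dst, seq, length, ack in packets:
        if length:
            seen[(src, dst)].append((seq, seq + length))
        # The ACK in this packet covers data flowing the other way.
        rev = (dst, src)
        highest_ack[rev] = max(highest_ack.get(rev, ack), ack)

    loss = {}
    for flow, ranges in seen.items():
        limit = highest_ack.get(flow)
        if limit is None:
            continue           # no ACKs captured for this direction
        ranges.sort()
        # Start at the first byte observed; earlier bytes cannot be judged.
        cursor, missing = ranges[0][0], 0
        for start, end in ranges:
            if start >= limit:
                break
            if start > cursor:             # hole between observed ranges
                missing += start - cursor
            cursor = max(cursor, min(end, limit))
        if limit > cursor:                 # ACKed past the last byte observed
            missing += limit - cursor
        loss[flow] = missing
    return loss

if __name__ == "__main__":
    print(unseen_acked_bytes(CAPTURE))
```

A nonzero count on a SPAN feed points at the mirror dropping packets; the same traffic seen through a TAP would be the comparison baseline.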