Reading 09 - theSam1998/ops-301-Reading-Notes GitHub Wiki
Reading 09
chatGPT insertions indicated by: 🤖
Relevance Statement:
Today's reading centered around network traffic analysis through both a feature offered in network hardware, SPAN, and a separate piece of hardware designed for this task, a TAP. These tools are implemented in a great many networks to provide greater security and a broader scope of accounting in the event of an intrusion. It will be vital for our futures as cybersecurity professionals to understand not only how to use these tools, but how they work.
What are the differences between SPAN and TAP?
SPAN (Switched Port Analyzer) is a feature provided by switches that sends a copy of the incoming and outgoing packets from one or more ports to another port where an analysis device is connected. It can be managed remotely or locally, but it has some downsides. While it is low cost, flexible and easy to configure, it consumes a significant amount of switch CPU while running, and some packets may be dropped, leading to incomplete logs. It can also filter out frames with physical-layer errors, leading to further gaps in the logs. However, SPAN is the ONLY way to capture intra-switch traffic. On the other hand, a TAP (Terminal Access Point) is a hardware device that passively captures network traffic. It also monitors traffic between two points in a network and sends a copy to another port for analysis, but being a physical device it works a little differently. For one, a TAP works best in networks where the connections are provided by physical cabling rather than wireless communication. Also, TAPs are generally better for viewing traffic on a larger scale: they cannot show intra-switch traffic, which would be useful to view in a smaller network, but they pass along all of the packets that SPAN drops or filters out. TAPs are not detectable on the network and will continue to pass traffic even if the TAP stops working, which makes them ideal for large corporate networks that need to keep functioning in the event of a hardware failure.
🤖 Clarification on SPAN and TAP:
While you've correctly stated that SPAN is a feature provided by switches and TAP is a separate hardware device, it's worth noting that TAPs are typically used in situations where you need to ensure no packets are dropped, such as in high-speed networks or when monitoring critical data flows. This is because TAPs are designed to capture 100% of the traffic with no impact on the network, while SPAN sessions can sometimes drop packets if the switch is under heavy load.
What types of network devices can support network traffic mirroring?
Port mirroring is exclusive to network switches, although a TAP provides similar functionality to SPAN, as I mentioned earlier. Through all the digging I did, this seemed consistently to be true across all resources.
🤖 Additional Information on Network Devices Supporting Traffic Mirroring:
In addition to switches, some routers and firewalls also support traffic mirroring features. These features can be used for similar purposes as SPAN, such as network troubleshooting, performance monitoring, and security analysis.
How can network traffic mirroring be used for network security?
Network traffic mirroring can be used not only to create logs for reference, establishing a baseline and determining where faults may be in a network, but also to feed IDS/IPS systems. The mirrored data can be streamed live to an intrusion detection system, allowing real-time analysis that flags suspicious activity as a potential security breach. It can also provide the Accounting part of AAA, since it logs details about the data being sent back and forth that a full AAA program like FreeRADIUS would likely be unable to display, or would not read to begin with. By using the two in tandem, you could see suspicious login attempts at x time, followed by a successful attempt, then go to the traffic logs from that time period and likely connect the captured data to the actions of that user.
🤖 Additional Information on Network Traffic Mirroring for Security:
Network traffic mirroring can also be used for threat hunting. This is a proactive security process where analysts search through network traffic to identify and isolate advanced threats that may not have been detected by automated security systems.
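The AAA-plus-mirrored-traffic correlation described above (repeated failed logins, a success, then the traffic that source generated), as an added example written for these notes and not taken from FreeRADIUS or any IDS; the log format, addresses and flow records are constructed and simplified.

```python
from datetime import datetime, timedelta
# Constructed, simplified AAA log lines (not FreeRADIUS output): time, result, user, source.
AUTH_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=10.0.0.12
2024-03-01T09:00:04 FAIL user=alice src=10.0.0.12
2024-03-01T09:00:07 FAIL user=alice src=10.0.0.12
2024-03-01T09:00:09 OK user=alice src=10.0.0.12
2024-03-01T09:05:00 OK user=bob src=10.0.0.20
"""
# Constructed flow records summarised from a mirrored capture: time, src, dst, dport, bytes.
FLOWS = """\
2024-03-01T09:00:15 10.0.0.12 10.0.1.5 445 52000
2024-03-01T09:00:40 10.0.0.12 10.0.1.9 445 48000
2024-03-01T09:30:00 10.0.0.12 10.0.1.7 445 3000
"""

def parse_auth(text):
    out = []
    for line in text.splitlines():
        ts, result, user, src = line.split()
        out.append((datetime.fromisoformat(ts), result, user[5:], src[4:]))
    return out

def parse_flows(text):
    out = []
    for line in text.splitlines():
        ts, src, dst, dport, nbytes = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)))
    return out

def suspicious_logins(events, min_failures=3, window=timedelta(minutes=1)):
    """Successes preceded by >= min_failures failures (same user and source) within window."""
    hits = []
    for i, (ts, result, user, src) in enumerate(events):
        if result != "OK":
            continue
        fails = [e for e in events[:i] if e[1] == "FAIL" and e[2] == user
                 and e[3] == src and ts - e[0] <= window]
        if len(fails) >= min_failures:
            hits.append((user, src, ts))
    return hits

def flows_after(flows, src, start, window=timedelta(minutes=10)):
    # Mirrored-traffic flows from src in the window after the login.
    return [f for f in flows if f[1] == src and start <= f[0] <= start + window]

def correlate(auth_text, flow_text):
    # Map each suspicious login to the mirrored flows that followed it.
    events, flows = parse_auth(auth_text), parse_flows(flow_text)
    return {(u, s): flows_after(flows, s, ts) for u, s, ts in suspicious_logins(events)}
```

With the sample data, alice's success after three quick failures is matched to the two SMB flows in the following ten minutes, while the later flow falls outside the window.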
Are there any legal or ethical considerations when using network traffic mirroring?
Yes, absolutely. For one, sniffing a network's traffic without permission, or a network that is not YOURS, could land you in serious trouble. IDS would likely detect your presence, and it would appear extremely suspicious: what good reason could anybody have to be sniffing around in an unsuspecting network's traffic? And on the other hand, if it is your network and you are implementing port mirroring for your own network's security, there may still be legal implications to consider: certain jurisdictions have differing laws regarding what data can and cannot be legally monitored by a company, and you will have to ensure you are compliant with your local laws. Also, as far as ethical considerations go, I can think of many: for one, is it really OK to monitor EVERY single action your employees take on the network? Is capturing the private data of your employees worth the security provided by such a broad scope of analysis? What about your clients' data? In my opinion, if there is a way to filter the data being monitored, it could be easier to navigate some of these nuanced issues, but this would bring with it a whole host of potential security issues, and would potentially be impossible to configure due to the dynamic nature of human social interactions: where is the line drawn in security between capturing data that could potentially be the work of a malicious actor and capturing data of private messages sent by employees? It's hard to answer a question about ethics without more questions, because in my view ethics are extremely dependent on context. And due to the complex and nuanced nature of these kinds of issues, the specific needs of the company and its employees as individuals would need to be considered to draw a valid, working conclusion here.
🤖 Additional Legal and Ethical Considerations:
It's also important to consider the ethical implications of monitoring employee activity. While network traffic mirroring can be a valuable tool for detecting and preventing unauthorized activity, it's important to balance this with respect for employee privacy. This might involve implementing policies that clearly define what types of activity are monitored, ensuring employees are aware of these policies, and using traffic mirroring data only for legitimate business purposes.
🤖 Additional Information on Privacy and Confidentiality:
When dealing with personal or sensitive data, it's important to consider data minimization principles. This means only collecting and retaining the minimum amount of data necessary for your network monitoring needs. This can help to reduce the risk of data breaches and ensure compliance with privacy regulations.
Things I want to know more about:
Port monitoring seems to be typically implemented for security and troubleshooting purposes. How can this serve as a gateway for attacks that could not have happened without port mirroring in place?
🤖 While port monitoring (or SPAN) is a valuable tool for network security and troubleshooting, it can potentially be exploited by attackers if not properly secured. For example, if an attacker gains access to the switch configuration, they could set up their own SPAN session to mirror traffic to a port they control, effectively giving them a copy of all the network traffic. This could allow them to capture sensitive data or gain information about the network that could be used in further attacks. Therefore, it's crucial to secure access to your network devices and regularly review your SPAN configurations to ensure they haven't been tampered with.
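One way to do the regular SPAN configuration review recommended above, as an added example written for these notes and not taken from any vendor tool: it parses monitor-session lines and flags any session that is not in an approved baseline or whose destination port has changed. The config excerpt is constructed in Cisco IOS style and the approved baseline is an assumed value.

```python
import re

# Constructed "show running-config" excerpt in Cisco IOS style: session 1 is the
# approved session feeding the IDS port; session 2 is an unapproved addition.
RUNNING_CONFIG = """\
monitor session 1 source interface Gi1/0/1 - 12
monitor session 1 destination interface Gi1/0/48
monitor session 2 source vlan 10
monitor session 2 destination interface Gi1/0/7
"""
# Assumed approved baseline: session id -> destination port of the analysis device.
APPROVED = {1: "Gi1/0/48"}

LINE_RE = re.compile(r"^monitor session (\d+) (source|destination) (.+)$")

def parse_sessions(config):
    """Collect each SPAN session's sources and destination from config text."""
    sessions = {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        sid, kind, rest = int(m.group(1)), m.group(2), m.group(3)
        s = sessions.setdefault(sid, {"sources": [], "destination": None})
        if kind == "source":
            s["sources"].append(rest)
        else:
            s["destination"] = rest.replace("interface ", "", 1)
    return sessions

def audit_span(config, approved):
    """Return (session, finding, destination) for anything outside the baseline."""
    findings = []
    sessions = parse_sessions(config)
    for sid, s in sorted(sessions.items()):
        if sid not in approved:
            findings.append((sid, "unapproved session", s["destination"]))
        elif s["destination"] != approved[sid]:
            findings.append((sid, "destination changed", s["destination"]))
    for sid in approved:
        if sid not in sessions:
            findings.append((sid, "approved session missing", None))
    return findings
```

Running this against a config backup or a scheduled `show running-config` export turns the "review your SPAN configurations" advice into a repeatable check that also notices when the legitimate session has been removed.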
How can SPAN or TAP be configured for the highest level of security without breaching employees/clients privacy?
🤖 To configure SPAN or TAP for maximum security without breaching privacy, you should follow best practices for network monitoring. This includes only monitoring the necessary traffic for your security needs (data minimization), anonymizing or pseudonymizing data where possible, and ensuring that the data is securely stored and transmitted. Additionally, you should have clear policies in place about what data is collected, how it's used, and who has access to it, and ensure that these policies are communicated to your employees and clients. Regular audits can also help to ensure that these policies are being followed and that the data is being handled securely.
Both methods mention Analysis Devices being used to read the data being captured. What is an Analysis Device?
🤖 An analysis device in the context of SPAN or TAP is a device that receives and analyzes the mirrored network traffic. This could be a dedicated hardware device, such as a network analyzer or intrusion detection system, or it could be a server running network analysis software. The analysis device might be used to monitor network performance, detect security threats, troubleshoot network issues, or for other network management tasks. The specific capabilities of the analysis device will depend on the software or firmware it's running.