Whether it’s for troubleshooting or for security monitoring purposes, being able to capture network packets from inside a network at strategic points is invaluable. Think, for instance, of users reporting that a website is intermittently inaccessible. Captured network packets can be analyzed and an underlying issue can be found by looking at the interaction between the client and the webserver or a router in between.
Another example is the use of an Intrusion Detection System (IDS) that “listens” to a stream of network traffic and alerts when it identifies suspicious or malicious traffic based on known signatures or traffic anomalies. That’s where a TAP comes in.
What Is a TAP?
In order to obtain those packets, they need to be intercepted. A network TAP is either a virtual or a physical device that listens to the network traffic on its interface(s) and sends a copy of these packets to another system or stores them directly to disk.
A physical TAP can be as simple as a small box with mirrors that duplicates the light carried by an incoming fiber lead, or it can be a powered device, sometimes with built-in logic and software. Many professional switches can also be configured to copy the traffic of one or more ports to a monitoring interface, commonly called a SPAN port.
A virtual TAP (vTAP) runs inside a hypervisor such as VMWare ESX or VirtualBox. It works in a similar manner by attaching to a virtual traffic flow or virtual switch. A benefit of the vTAP is that it can monitor traffic between two virtual machines on the same hypervisor without that traffic ever leaving the host hardware. With the virtualization of network devices such as firewalls, switches and proxy servers, this has become a popular option in recent years.
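As an added illustration (not code from the original post), the following Python script is a minimal software TAP for Linux: it copies raw frames from a capture interface, the one a hardware TAP or SPAN port would feed, and stores them directly to disk in pcap format, the form an analyst or an IDS reads. The interface name, the output path and the sample frame are assumptions; the pcap encoding functions run without privileges, the capture itself needs root.

```python
import socket
import struct
import time

# libpcap file constants: little-endian magic, Ethernet link type, snapshot length
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
SNAPLEN = 65535

def pcap_global_header() -> bytes:
    # magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype (24 bytes)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, LINKTYPE_ETHERNET)

def pcap_record(ts: float, frame: bytes) -> bytes:
    # per-packet header: ts_sec, ts_usec, captured length, original length
    sec = int(ts)
    usec = int(round((ts - sec) * 1_000_000))
    captured = frame[:SNAPLEN]  # truncate oversized frames, keep original length
    return struct.pack("<IIII", sec, usec, len(captured), len(frame)) + captured

def encode_pcap(frames) -> bytes:
    """Serialise (timestamp, frame) pairs into one complete pcap byte string."""
    return pcap_global_header() + b"".join(pcap_record(ts, f) for ts, f in frames)

def capture(iface: str, count: int):
    """Yield (timestamp, raw Ethernet frame) for `count` frames seen on iface."""
    # Linux AF_PACKET socket bound to the interface; needs root or CAP_NET_RAW.
    # In practice iface is the port a hardware TAP or SPAN session feeds.
    eth_p_all = 0x0003  # all EtherTypes, not just IP
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(eth_p_all)) as s:
        s.bind((iface, 0))
        for _ in range(count):
            yield time.time(), s.recv(SNAPLEN)

def tap_to_disk(iface: str, count: int, path: str) -> int:
    """Store a copy of `count` frames from iface as pcap; returns bytes written."""
    data = encode_pcap(capture(iface, count))
    with open(path, "wb") as f:
        f.write(data)
    return len(data)

# Constructed sample frame (not real traffic): broadcast destination MAC,
# locally administered source MAC, IPv4 EtherType, then 20 zero payload bytes.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + bytes(20)

if __name__ == "__main__":
    import sys
    print(tap_to_disk(sys.argv[1], 100, "tap.pcap"), "bytes written to tap.pcap")
```

The resulting file opens in any pcap-aware tool, so the same capture can be handed to an analyst or replayed into an IDS.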
TAPs in the Cloud
Some cloud service (Read more...)
*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Frank Siemons. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/pLo-0T3N9Gg/